[c-nsp] IOS XR Security
Skeeve Stevens
skeeve+cisconsp at eintellegonetworks.com
Sun Dec 17 14:51:08 EST 2017
Hi all,
I am having a problem with IOS XR User Groups and Security.
Ideally, I am trying to create a 'read only' user that cannot change the
config, but can view it and do show commands.
But, I've run into some issues where it looks like even with no permissions
a user can still do some limited commands, and even change the config.
It looks like the user is limited to changing aliases, and services and
committing the changes... which alarms me a little.
I'd like to have a true READ ONLY user which cannot change the config of
the router but can see the entire config and do other show commands. Is
this possible?
----
RP/0/RSP0/CPU0:ASR9k#show user tasks
Mon Dec 18 06:39:47.900 AEDT
No task ids available
RP/0/RSP0/CPU0:ASR9k#?
clear Reset functions
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
describe Describe a command without taking real actions
disconnect Disconnect an existing network connection
exit Exit from the EXEC
l2vpn L2VPN exec commands
logmsg make the following message into a syslog message
no Disable debugging functions
resume Resume an active network connection
show Show running system information
terminal Set terminal line parameters
undebug Disable debugging functions (see also 'debug')
RP/0/RSP0/CPU0:ASR9k#conf te
Mon Dec 18 06:40:08.812 AEDT
RP/0/RSP0/CPU0:ASR9k(config)#alias exec blah show clock
RP/0/RSP0/CPU0:ASR9k(config)#commit
Mon Dec 18 06:40:27.601 AEDT
RP/0/RSP0/CPU0:ASR9k(config)#exit
RP/0/RSP0/CPU0:ASR9k#blah
% This command is not authorized
RP/0/RSP0/CPU0:ASR9k#show run
Mon Dec 18 06:41:10.934 AEDT
Building configuration...
!! IOS XR Configuration 5.3.4
!! Last configuration change at Mon Dec 18 06:40:27 2017 by test.user
!
alias exec ct config terminal
alias exec blah show clock
end
RP/0/RSP0/CPU0:ASR9k#ct
RP/0/RSP0/CPU0:ASR9k#config terminal
Mon Dec 18 06:47:00.158 AEDT
RP/0/RSP0/CPU0:ASR9k(config)#?
abort Abort this configuration session
alias Create an alias for entity
clear Clear the uncommitted configuration
commit Commit the configuration changes via pseudo-atomic operation
describe Describe a command without taking real actions
do Run an exec command
end Exit from configure mode
exclude-item Negate a command or set its defaults
exit Exit from configure mode
no Negate a command or set its defaults
service Modify use of network based services
show Show contents of configuration
RP/0/RSP0/CPU0:ASR9k(config)#
----
...Skeeve
Skeeve Stevens - Founder & Chief Architect - eintellego Networks Pty Ltd
skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
Cumulus Linux / Open Networking - Cloud - Consulting - Juniper - Cisco - IPv4 Brokering
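
Added example, not part of the original post and not Cisco tooling: a small Python audit that reads a captured CLI session for a test account and reports which configuration lines the router accepted and committed, so a "read only" profile can be re-checked after each change to its groups. The function names and report keys are assumptions of this example; the sample session is condensed from the one quoted above.

```python
import re
# Prompt shape as shown in the post, e.g. RP/0/RSP0/CPU0:ASR9k(config)#commit
PROMPT = re.compile(r"^RP/\S+?:[\w.-]+?(?P<mode>\([\w-]+\))?#(?P<cmd>.*)$")
LAST_CHANGE = re.compile(r"^!! Last configuration change at .+ by (?P<user>\S+)$")
DENIED = "% This command is not authorized"
NAVIGATION = {"exit", "end", "abort", "?"}  # do not stage a change themselves
# Condensed from the session quoted in the post (timestamps and help output dropped).
SAMPLE = """\
RP/0/RSP0/CPU0:ASR9k#show user tasks
No task ids available
RP/0/RSP0/CPU0:ASR9k#conf te
RP/0/RSP0/CPU0:ASR9k(config)#alias exec blah show clock
RP/0/RSP0/CPU0:ASR9k(config)#commit
RP/0/RSP0/CPU0:ASR9k(config)#exit
RP/0/RSP0/CPU0:ASR9k#blah
% This command is not authorized
!! Last configuration change at Mon Dec 18 06:40:27 2017 by test.user
"""

def audit_transcript(text):
    """Summarise what the logged-in account was allowed to do in this session."""
    report = {"no_task_ids": False, "accepted_config": [], "denied": [], "last_change_by": None}
    typed, staged = None, False  # last command typed; whether it was a config-mode line
    for line in (raw.strip() for raw in text.splitlines()):
        prompt, change = PROMPT.match(line), LAST_CHANGE.match(line)
        if prompt:
            typed = prompt.group("cmd").strip() or None
            staged = bool(prompt.group("mode") and typed and typed not in NAVIGATION)
            if staged:
                report["accepted_config"].append(typed)
        elif line.startswith(DENIED) and typed:
            report["denied"].append(typed)
            if staged:  # the device rejected it, so it was not accepted after all
                report["accepted_config"].pop()
            typed, staged = None, False
        elif line == "No task ids available":
            report["no_task_ids"] = True
        elif change:
            report["last_change_by"] = change.group("user")
    return report

def committed_changes(report):
    """Config lines entered before the last accepted commit ('clear' is not modelled)."""
    cmds = report["accepted_config"]
    if "commit" not in cmds:
        return []
    last = len(cmds) - 1 - cmds[::-1].index("commit")
    return [c for c in cmds[:last] if c != "commit"]
```

A non-empty result from `committed_changes()` for an account that is meant to be read-only is the condition the post describes.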