[c-nsp] AAA on IOS-XR (NCS540)

Scott Miller fordlove at gmail.com
Thu Dec 3 17:10:56 EST 2020


control-plane is like an access-list, only the specified IPs will be able
to ssh to the box.

On Thu, Dec 3, 2020 at 12:32 PM Eric Van Tol <eric at atlantech.net> wrote:

> Yes, that was a copy-paste typo.
>
> *From: *Aaron <dudepron at gmail.com>
> *Date: *Thursday, December 3, 2020 at 2:18 PM
> *To: *Eric Van Tol <eric at atlantech.net>
> *Cc: *Scott Miller <fordlove at gmail.com>, "cisco-nsp at puck.nether.net" <
> cisco-nsp at puck.nether.net>
> *Subject: *Re: [c-nsp] AAA on IOS-XR (NCS540)
>
>
> This isn't a typo, is it?
>
> aaa authentication login default group TACACS line!
>
> should it be
>
> aaa authentication login default group TACACS line   <<< no !
>
> On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol <eric at atlantech.net> wrote:
>
> No, all I have is:
>
> control-plane
> management-plane
>   inband
>    interface TenGigE0/0/0/27
>     allow all
>    !
>    interface TenGigE0/0/0/23.1550
>     allow all
>    !
>    interface TenGigE0/0/0/25.1550
>     allow all
>    !
>   !
>
> What exactly does this do? I mean, I have an inkling, but I wouldn’t
> expect TACACS to work at all if I was missing a config to allow it to
> respond to the router.
>
> From: Scott Miller <fordlove at gmail.com>
> Date: Thursday, December 3, 2020 at 1:52 PM
> To: Eric Van Tol <eric at atlantech.net>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)
>
>
> Do you have the control-plane set up?
>
> tacacs source-interface Loopback100 vrf default
> tacacs-server host 11.11.11.11 port 49
>  key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
> tacacs-server host 22.22.22.22 port 49
>  key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
>
> aaa accounting exec default start-stop group acs-tacacs
> aaa accounting system default start-stop group acs-tacacs
> aaa accounting commands default start-stop group acs-tacacs
> aaa group server tacacs+ acs-tacacs
>  server 11.11.11.11
>  server 22.22.22.22
> !
> aaa authorization exec default group acs-tacacs local
> aaa authorization commands default group acs-tacacs none
> aaa authentication login default group acs-tacacs local
>
> line console
>  exec-timeout 10 0
> !
> line default
>  password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
>  exec-timeout 30 0
>  session-timeout 30
>  transport input ssh
> !
> vty-pool default 0 20
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 11.12.12.12
>      address ipv4 11.13.13.13
>      address ipv4 11.14.14.14
>
> On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <eric at atlantech.net> wrote:
> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
>  key 7 ******
>  single-connection
> !
> tacacs-server host 192.168.46.126 port 49
>  key 7 ******
>  timeout 3
>  single-connection
> !
> username admin
>  group root-lr
>  group cisco-support
>  secret 10 $secretpass
> !
> aaa group server tacacs+ TACACS
>  server 192.168.45.126
>  server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
>  password 7 ******
>  authorization exec CONSOLE
>  login authentication CONSOLE
> !
> line default
>  password 7 ******
>  timeout login response 30
>  authorization exec default
>  login authentication default
>  exec-timeout 0 0
>  access-class ingress access-protect
>  session-timeout 120
>  transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
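The three things the replies turn on (the `!` glued onto the `default` method list, which login list the console and VTY lines actually resolve to, and whether the `management-plane inband` block names any peers) can be pulled out of a pasted config mechanically. The Python below is an added example written for this thread, not code from any of the posters or from Cisco; the sample config is constructed here from the snippets quoted above (Eric's AAA lines with the typo intact, one `interface ... allow all` block with no peers, and Scott's `interface all / allow all peer` block with addresses). It treats a `line` block with no `login authentication` as falling back to the `default` list, which is an assumption of the example rather than something the thread states, and it only reads text; it does not talk to a device.

```python
# Added example, not from the thread: a lint for an IOS-XR AAA / management-plane
# snippet covering the points the replies raise. Sample config is constructed here
# from the configs quoted above.
SAMPLE_CONFIG = """\
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
line console
 login authentication CONSOLE
line default
 login authentication default
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/27
    allow all
   !
   interface all
    allow all peer
     address ipv4 11.12.12.12
     address ipv4 11.13.13.13
"""

def parse(config):
    """Tree from indented IOS-XR CLI text; '!' block terminators are dropped."""
    root = []
    stack = [(-1, root)]                      # (indent, children list of open block)
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:         # climb out of deeper or sibling blocks
            stack.pop()
        node = {"text": text, "children": []}
        stack[-1][1].append(node)
        stack.append((indent, node["children"]))
    return root

def find_nodes(nodes, prefix):
    """Depth-first list of nodes whose text starts with prefix."""
    out = []
    for n in nodes:
        if n["text"].startswith(prefix):
            out.append(n)
        out.extend(find_nodes(n["children"], prefix))
    return out

def glued_bangs(root):
    """Config lines with a '!' stuck to the last token (the typo Aaron spotted)."""
    return [n["text"] for n in find_nodes(root, "") if n["text"].endswith("!")]

def login_method_lists(root):
    """Map 'aaa authentication login <name> ...' to its ordered methods ('group X' -> 'group:X')."""
    lists = {}
    for n in find_nodes(root, "aaa authentication login "):
        tokens = n["text"].rstrip("!").split()          # tolerate the glued '!'
        lists[tokens[3]] = " ".join(tokens[4:]).replace("group ", "group:").split()
    return lists

def line_login_list(root, line_name):
    """Method-list name bound by 'login authentication' under 'line <line_name>';
    None if the block sets none (assumed here to mean the default list applies)."""
    for n in find_nodes(root, "line " + line_name):
        for child in n["children"]:
            if child["text"].startswith("login authentication "):
                return child["text"].split()[2]
    return None

def inband_peers(root):
    """Map each management-plane inband interface to its allowed peer addresses
    ([] = the 'allow' names no peers, so this block adds no source restriction)."""
    peers = {}
    for iface in find_nodes(find_nodes(root, "control-plane"), "interface "):
        name = iface["text"].split(None, 1)[1]
        peers[name] = [a["text"].split()[2]
                       for allow in iface["children"] for a in allow["children"]
                       if a["text"].startswith("address ")]
    return peers

def lint(config):
    """Findings: glued '!', the method list each line type resolves to, inband peers."""
    root = parse(config)
    findings = ["glued '!' on: " + t for t in glued_bangs(root)]
    lists = login_method_lists(root)
    for line in ("console", "default"):
        name = line_login_list(root, line) or "default"   # fallback is an assumption
        methods = lists.get(name, [])
        kind = "TACACS" if any(m.startswith("group:") for m in methods) else "no TACACS"
        findings.append(f"line {line}: list={name} methods={methods} ({kind})")
    for iface, addrs in inband_peers(root).items():
        findings.append(f"inband {iface}: peers={addrs or 'any'}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the glued `!` line, shows `line console` resolving to `CONSOLE` with `local` first and no TACACS group while `line default` resolves to the TACACS group, and lists `peers=any` for the `allow all` interface versus the two addresses under `interface all`, which is the distinction Scott's reply draws between the two control-plane blocks. Paste a real config into `SAMPLE_CONFIG` to check your own before the next round of permutations.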

