[c-nsp] AAA on IOS-XR (NCS540)

Dave Bell dave at geordish.org
Thu Dec 3 17:22:40 EST 2020 

This is our config to do just that. Running 7.0.2

aaa authorization exec LOCAL local
aaa authorization exec TACACS group TACACS local

aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local

aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS

aaa group server tacacs+ TACACS
 server 10.0.0.1
 server 10.0.0.2

tacacs-server host 10.0.0.1 port 49
 key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
 key 7 xxx
!
username admin
 group root-lr
 secret 10 xxx

line console
 authorization exec LOCAL
 login authentication LOCAL
 exec-timeout 12 0
!
line default
 authorization exec TACACS
 login authentication TACACS
 exec-timeout 12 0
 transport input ssh

Regards,
Dave

On Thu, 3 Dec 2020 at 18:31, Eric Van Tol <eric at atlantech.net> wrote:

> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
> key 7 ******
> single-connection
> !
> tacacs-server host 192.168.46.126 port 49
> key 7 ******
> timeout 3
> single-connection
> !
> username admin
> group root-lr
> group cisco-support
> secret 10  $secretpass
> !
> aaa group server tacacs+ TACACS
> server 192.168.45.126
> server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
> password 7 ******
> authorization exec CONSOLE
> login authentication CONSOLE
> !
> line default
> password 7 ******
> timeout login response 30
> authorization exec default
> login authentication default
> exec-timeout 0 0
> access-class ingress access-protect
> session-timeout 120
> transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list