Cisco IOS XR uses an administrative model based on task authorisation rather than on privilege levels. Access is controlled by configuring user-groups and task-groups.
User-groups and task-groups are configured through the AAA command set. Authentication commands verify and identify a specific user, authorisation commands verify that an authenticated user has permission to perform a specific task, and accounting commands log and record user or system actions.
AAA data, such as users, user-groups and task-groups, can be stored locally in the router's in-memory database, in which case it persists in the configuration file. AAA data can also be stored externally (for example on a TACACS+ or RADIUS server).
Task model
As illustrated in the following figure, users belong to user-groups, user-groups get privileges to task-groups, and task-groups contain one or more task IDs.
Task: the operational tasks that enable a user to configure and monitor IOS XR. Each is represented by a task ID, and each task ID carries one or more permission classes: read, write, execute and debug.
Task-group: a set of one or more task IDs, each with its permission classes.
User-group: contains one or more users and has privileges to one or more task-groups. User-groups can be user-defined or predefined. Cisco IOS XR has the following predefined groups:
RP/0/0/CPU0:ios#show aaa usergroup ?
  |              Output Modifiers
  root-lr        Name of the usergroup
  netadmin       Name of the usergroup
  operator       Name of the usergroup
  retrieve       Name of the usergroup
  sysadmin       Name of the usergroup
  maintenance    Name of the usergroup
  root-system    Name of the usergroup
  provisioning   Name of the usergroup
  read-only-tg   Name of the usergroup
  serviceadmin   Name of the usergroup
  cisco-support  Name of the usergroup

Users are classified in the following categories:
Root: users with complete administrative authority over the whole system (the root-system group).
Root SDR: users with complete administrative authority within a single secure domain router (the root-lr group).
SDR: users with access to a specific secure domain router, limited to the tasks their groups grant.
To show the currently logged-in user, type:
RP/0/0/CPU0:ios#show user
Wed Sep 25 20:17:03.403 UTC
gngogh

To show the user-group a user belongs to, type:
RP/0/0/CPU0:ios#show user group
Wed Sep 25 20:26:39.453 UTC
root-system

To show the task IDs the user is allowed, with the permission classes granted for each, type:
RP/0/0/CPU0:ios#show user tasks
Wed Sep 25 20:29:11.033 UTC
Task: aaa : READ WRITE EXECUTE DEBUG
Task: acl : READ WRITE EXECUTE DEBUG
...
...
...

The command "show aaa userdb [user-name]" displays the user-groups and related task IDs of any local user, not only the one currently logged in.
Configure Users, User-groups and Task-groups.
Configure a task-group (here a read-only task-group granting only the read permission class on the network task ID):
RP/0/0/CPU0:ios(config)#taskgroup monitors
RP/0/0/CPU0:ios(config-tg)#task read network

Configure a user-group and attach the task-group to it:
RP/0/0/CPU0:ios(config)#usergroup monitors
RP/0/0/CPU0:ios(config-ug)#taskgroup monitors

Configure a local user, put it in the user-group and commit (IOS XR configuration does not take effect until it is committed):
RP/0/0/CPU0:ios(config)#username monitor
RP/0/0/CPU0:ios(config-un)#password cisco.123
RP/0/0/CPU0:ios(config-un)#group monitors
RP/0/0/CPU0:ios(config-un)#commit

The password "cisco.123" is a placeholder to be replaced. Note that "password" stores the credential with reversible type 7 encryption; "secret" stores a one-way hash and is the form to use for real accounts.
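The task model above resolves a user's rights by walking user → user-groups → task-groups → task IDs, and the configuration procedure just shown is one small instance of it. The following script is an added example, not code from the original post or from Cisco: it parses the taskgroup, usergroup and username blocks of an IOS XR running configuration and computes each local user's effective (task ID, permission class) pairs, following "inherit taskgroup" and "inherit usergroup", so you can audit who can write a given task. It assumes the standard IOS XR block layout (one-space indent, blocks closed by "!"), that permissions accumulate as a union across groups, and that the sample configuration embedded below is constructed for illustration. Membership in a predefined group such as root-system or netadmin is reported as unresolved rather than guessed, because those groups' task lists live in the IOS XR image, not in the configuration.

```python
"""Resolve effective IOS XR task-based authorisation from a config snippet.

Added example (not from the original post or from Cisco). Parses
taskgroup / usergroup / username blocks and computes, per local user, the
effective set of (task ID, permission class) pairs, honouring
`inherit taskgroup` and `inherit usergroup`.
"""
import re
from collections import defaultdict

PERMISSIONS = ("READ", "WRITE", "EXECUTE", "DEBUG")

# Predefined usergroups, as listed by `show aaa usergroup ?` in the post.
# Their task lists are not in the running config, so they are reported as
# unresolved instead of being guessed.
PREDEFINED_USERGROUPS = {
    "root-lr", "netadmin", "operator", "retrieve", "sysadmin", "maintenance",
    "root-system", "provisioning", "read-only-tg", "serviceadmin",
    "cisco-support",
}

# Constructed sample configuration (assumed layout, not captured from a
# device). Password/secret lines are omitted; they do not affect authorisation.
SAMPLE_CONFIG = """\
taskgroup monitors
 task read network
 task read interface
!
taskgroup change-network
 task write network
 task execute network
 inherit taskgroup monitors
!
usergroup monitors
 taskgroup monitors
!
usergroup neteng
 taskgroup change-network
 inherit usergroup monitors
!
username monitor
 group monitors
!
username alice
 group neteng
 group netadmin
!
username root
 group root-system
!
"""

BLOCK_RE = re.compile(r"^(taskgroup|usergroup|username)\s+(\S+)$")


def parse_config(text):
    """Return (taskgroups, usergroups, users) parsed from IOS XR config text."""
    taskgroups = defaultdict(lambda: {"tasks": set(), "inherit": set()})
    usergroups = defaultdict(lambda: {"taskgroups": set(), "inherit": set()})
    users = defaultdict(set)  # username -> usergroups it belongs to
    stores = {"taskgroup": taskgroups, "usergroup": usergroups,
              "username": users}
    kind = name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            kind = name = None  # "!" terminates the current block
            continue
        match = BLOCK_RE.match(line)
        if match:
            kind, name = match.groups()
            stores[kind][name]  # touch the entry so an empty block is known
            continue
        if not raw.startswith(" "):
            kind = name = None  # unrelated top-level command; skip it
            continue
        if kind is None:
            continue
        parts = line.split()
        if kind == "taskgroup":
            # "task <class> <task-id>" grants one permission class on a task ID
            if parts[0] == "task" and len(parts) == 3 \
                    and parts[1].upper() in PERMISSIONS:
                taskgroups[name]["tasks"].add((parts[2], parts[1].upper()))
            elif parts[:2] == ["inherit", "taskgroup"] and len(parts) == 3:
                taskgroups[name]["inherit"].add(parts[2])
        elif kind == "usergroup":
            if parts[0] == "taskgroup" and len(parts) == 2:
                usergroups[name]["taskgroups"].add(parts[1])
            elif parts[:2] == ["inherit", "usergroup"] and len(parts) == 3:
                usergroups[name]["inherit"].add(parts[2])
        elif kind == "username" and parts[0] == "group" and len(parts) == 2:
            users[name].add(parts[1])
    return dict(taskgroups), dict(usergroups), dict(users)


def resolve_taskgroup(name, taskgroups, seen=None):
    """Effective (task ID, class) pairs of a taskgroup, following inherit."""
    if seen is None:
        seen = set()
    if name in seen or name not in taskgroups:
        return set()  # cycle guard; an undefined group grants nothing
    seen.add(name)
    group = taskgroups[name]
    perms = set(group["tasks"])
    for parent in group["inherit"]:
        perms |= resolve_taskgroup(parent, taskgroups, seen)
    return perms


def resolve_usergroup(name, taskgroups, usergroups, seen=None):
    """Return (perms, unresolved): explicit grants plus any predefined groups
    reached whose task lists are not in the configuration."""
    if seen is None:
        seen = set()
    if name in seen:
        return set(), set()
    seen.add(name)
    if name not in usergroups:
        return set(), ({name} if name in PREDEFINED_USERGROUPS else set())
    group = usergroups[name]
    perms, unresolved = set(), set()
    for tg in group["taskgroups"]:
        perms |= resolve_taskgroup(tg, taskgroups)
    for parent in group["inherit"]:
        p, u = resolve_usergroup(parent, taskgroups, usergroups, seen)
        perms |= p
        unresolved |= u
    return perms, unresolved


def effective_permissions(username, cfg):
    """Union of grants over every usergroup the user is a member of."""
    taskgroups, usergroups, users = cfg
    perms, unresolved = set(), set()
    for group in users.get(username, ()):
        p, u = resolve_usergroup(group, taskgroups, usergroups)
        perms |= p
        unresolved |= u
    return perms, unresolved


def is_authorised(username, task_id, permission, cfg):
    """True if the config explicitly grants the pair, False if it cannot, and
    None if the answer depends on a predefined group's unknown task list."""
    perms, unresolved = effective_permissions(username, cfg)
    if (task_id, permission.upper()) in perms:
        return True
    return None if unresolved else False


def who_can(task_id, permission, cfg):
    """Audit helper: local users explicitly granted (task_id, permission)."""
    pair = (task_id, permission.upper())
    return sorted(u for u in cfg[2] if pair in effective_permissions(u, cfg)[0])


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for user in sorted(config[2]):
        perms, unresolved = effective_permissions(user, config)
        print(f"{user}: {sorted(perms)} unresolved={sorted(unresolved)}")
    print("WRITE on network:", who_can("network", "write", config))
```

Feed it the output of "show running-config" saved to a file in place of SAMPLE_CONFIG. A user whose rights come only through a predefined group (root-system, netadmin and so on) shows up as unresolved; for those, "show aaa userdb [user-name]" on the device is the authoritative answer.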