Cisco IOS XR administrative model

Administrative Model Overview

Cisco IOS XR uses an administrative model based on  task-authorisation rather than privilege levels which involves configuring user-groups and task-groups.

User-groups and task-groups are configured through the AAA command set, authentication commands are used to verify and identify a specific user while authorisation commands are used to verify that an authenticated user has permissions to perform a specific task. Accounting commands are used for logging and recording user or system actions.

AAA data, such as users, users-groups and task-groups can be stored locally, in the router in-memory database and will persist in the configuration file. AAA data can also be stored externally.

Task model

As illustrated in the following figure, users belong to user groups, user-groups get privileges to task-groups, task-groups contain one or more task  IDs.


Task: The operational tasks that enables a user to configure and monitor IOS XR are represented as Tasks IDs.

Task-groups: a set of one or  more Task-IDs.

User-groups: contain one or more users and have privileges to one or more Task-groups. User-groups can be user-defined or predefined. Cisco IOS XR has the following predefined groups:
RP/0/0/CPU0:ios#show aaa usergroup ?
  |              Output Modifiers
  root-lr        Name of the usergroup
  netadmin       Name of the usergroup
  operator       Name of the usergroup
  retrieve       Name of the usergroup
  sysadmin       Name of the usergroup
  maintenance    Name of the usergroup
  root-system    Name of the usergroup
  provisioning   Name of the usergroup
  read-only-tg   Name of the usergroup
  serviceadmin   Name of the usergroup
  cisco-support  Name of the usergroup
Users are classified in the following categories:

Root: users with complete administrative authority.

Root SDR: users with Secure domain router complete administrative authority.

SDR: users with access to a specific Secure domain router.

To show the current logged in user type:
RP/0/0/CPU0:ios#  show user
Wed Sep 25 20:17:03.403 UTC
gngogh
To show the user-group a user belongs to type:
RP/0/0/CPU0:ios#show user group 
Wed Sep 25 20:26:39.453 UTC
root-system
To show user allowed task IDs type:
RP/0/0/CPU0:ios#show user tasks 
Wed Sep 25 20:29:11.033 UTC
Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                  acl  : READ    WRITE    EXECUTE    DEBUG
...
...
...
The command "show aaa usedb [user-name]" will display the user group and related task IDs

Configure Users, User-groups and Task-groups.

configure a task-group
RP/0/0/CPU0:ios(config)#taskgroup monitors
RP/0/0/CPU0:ios(config-tg)#task read network
configure a user-group
RP/0/0/CPU0:ios(config)#usergroup monitors
RP/0/0/CPU0:ios(config-ug)#taskgroup monitors
configure a local user
RP/0/0/CPU0:ios(config)#username monitor
RP/0/0/CPU0:ios(config-un)#password cisco.123
RP/0/0/CPU0:ios(config-un)#group monitors

No comments:

Post a Comment