Cisco IOS XR Configuration Manual page 185

System security configuration guide
Configuring AAA Services on Cisco IOS XR Software

Administrative Access

Administrative access to the system can be lost if the following operations are not well understood and
carefully planned.

• Configuring authentication that uses remote AAA servers that are not available, particularly
  authentication for the console.

  Note: The none option for authentication is not supported in Cisco IOS XR software. Cisco IOS XR user
  access is more secure than Cisco IOS software, and there is no way that a user can access the system
  without a valid username and password.

• Removing the flash card from disk0:, or a disk corruption, may deny auxiliary port authentication,
  which can affect certain system debugging abilities. However, if the console is available, the system
  is still accessible.

• Configuring command authorization or EXEC authorization on the console should be done with
  extreme care, because TACACS+ servers may not be available or may deny every command, which
  locks the user out. This lockout can occur particularly if the authentication was done with a user not
  known to the TACACS+ server, or if the TACACS+ user has most or all the commands denied for
  one reason or another.

A lockout of all root-system users is a serious issue that requires a system reload to recover the
password.

To avoid a lockout, we recommend one or both of the following:

• Before turning on TACACS+ command authorization or EXEC authorization on the console, make
  sure that the user who is configuring the authorization is logged in using the appropriate user
  permissions in the TACACS+ profile.

• If the security policy of the site permits it, use the none option for command authorization or EXEC
  authorization so that if the TACACS+ servers are not reachable, AAA rolls over to the none method,
  which permits the user to run the command.

AAA Database

The AAA database stores the users, groups, and task information that controls access to the system. The
AAA database can be either local or remote. The database that is used for a specific situation depends
on the AAA configuration.

Local Database

AAA data, such as users, user groups, and task groups, can be stored locally within a secure domain
router. The data is stored in the in-memory database and persists in the configuration file. The stored
passwords are encrypted.

Note: The database is local to the specific SDR in which it is stored, and the defined users or groups are not
visible to other secure domain routers in the same Cisco CRS-1.

Note: Unlike releases earlier than Release 3.3.0, you are able to delete the last remaining user from the local
database. If all users are deleted, the setup dialog appears when the next user logs in and prompts
you for a new username and password.

Note: The setup dialog appears only when the user logs into the console.
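The two configuration patterns the Administrative Access section contrasts, as an added example that is not from the Cisco guide: the first binds EXEC and command authorization to TACACS+ alone, the second follows the page's recommendation of a local authentication fallback and the none method for authorization. The server address, key and exact keyword syntax are assumptions to be checked against the command reference for the release in use.

```cisco
! --- Lockout-prone pattern (assumed IOS XR syntax) ---
! Console EXEC and command authorization depend on TACACS+ alone.
! If the server is unreachable, or the logged-in user has no profile
! there (or a profile that denies most commands), every command is
! refused and root-system access can only be recovered by a reload.
tacacs-server host 192.0.2.10 port 49
 key PLACEHOLDER-SHARED-SECRET
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands default group tacacs+

! --- Safer pattern recommended on this page ---
! Authentication has no "none" method on IOS XR, so the fallback is
! the local database; a local user must exist before this is applied.
aaa authentication login default group tacacs+ local
!
! "none" as the last method: if the TACACS+ server does not respond,
! AAA rolls over and permits the command. The roll-over happens only
! when the server is unreachable, not when it answers with a deny,
! so the operator enabling this must still hold the right TACACS+
! profile, as the first recommendation on the page says.
aaa authorization exec default group tacacs+ none
aaa authorization commands default group tacacs+ none
```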
Information About Configuring AAA Services
Cisco IOS XR System Security Configuration Guide
SC-173