Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 16

Ios xr system security configuration guide
Information About Configuring AAA Services
Authentication of Secure Domain Router User
Secure domain router user authentication is similar to owner secure domain router user authentication.
If the user is not found to be a member of the designated owner secure domain router user group or
root-system user group, the user is authenticated as a secure domain router user.
Authentication Flow of Control
AAA performs authentication according to the following process:
1. A user requests authentication by providing a username and password (or secret).
2. AAA verifies the user's password and rejects the user if the password does not match what is in the database.
3. AAA determines the role of the user (root system user, root SDR user, or SDR user).
   - If the user has been configured as a member of a root-system user group, then AAA authenticates the user as a root-system user.
   - If the user has been configured as a member of an owner secure domain router user group, then AAA authenticates the user as an owner secure domain router user.
   - If the user has not been configured as a member of a root-system user group or an owner secure domain router user group, AAA authenticates the user as a secure domain router user.
Clients can obtain a user's permitted task IDs during authentication. This information is obtained by forming a union of all task group definitions specified in the user groups to which the user belongs. Clients using such information typically create a session for the user (such as an API session) in which the task ID set remains static. Both the EXEC and external API clients can use this feature to optimize their operations. EXEC can avoid displaying the commands that are not applicable and an EMS application can, for example, disable graphical user interface (GUI) menus that are not applicable.
If the attributes of a user, such as user group membership and, consequently, task permissions, are modified, those modified attributes are not reflected in the user's current active session; they take effect in the user's next session.
Korn Shell Authentication
The Korn shell (ksh) is the primary shell for the auxiliary port of the route processor (RP), standby RP, and distributed RP cards and for console and auxiliary ports of line cards (LCs) and service processors (SPs). The following are some of the characteristics of ksh authentication:
- For security reasons, ksh authentication allows only root-system users who have a secret configured. A root-system user with a normal password will not be authenticated because the normal password is two-way encrypted and poses a security risk because the password information is stored in the flash disk, which can be easily decrypted.
- Every time a root-system user with a secret is configured using the normal AAA CLI, that user is a valid ksh user and no separate configuration is required.
- Ksh does not authenticate TACACS+ or RADIUS users, even if they are root-system users.
- Ksh authentication uses a single user password database, which means when a root-system user on a dSC is configured using the normal AAA CLI, that user can log in using this username and password on any card. This includes the RP, standby RP, LC, and SP.
- Ksh authentication cannot be turned off or bypassed after the card is booted. To bypass authentication, a user needs a reload of the card. (See the "Bypassing ksh Authentication" section for details.)

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Configuring AAA Services on Cisco IOS XR Software
SC-10
OL-20382-01
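As an added illustration of the authentication flow above (the role precedence in step 3, the task-ID union, and the fact that an active session keeps its task-ID set when group membership changes), here is a small Python model. This is editor's example code, not Cisco's implementation; the task groups, user groups, users and the SHA-256 stand-in for a configured secret are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (not from the guide): task groups grant task IDs,
# user groups reference task groups, and users belong to user groups.
TASK_GROUPS = {
    "sysadmin-tasks": {"system", "config-services", "interface"},
    "netadmin-tasks": {"interface", "ipv4", "ospf"},
    "operator-tasks": {"interface", "basic-services"},
}
USER_GROUPS = {
    "root-system": ["sysadmin-tasks", "netadmin-tasks"],
    "owner-sdr": ["netadmin-tasks"],
    "operator": ["operator-tasks"],
}

def _digest(secret: str) -> str:
    """One-way hash standing in for a configured secret (simplified)."""
    return hashlib.sha256(secret.encode()).hexdigest()

USERS = {  # constructed user database: secret hash plus user-group membership
    "alice": {"secret": _digest("alice-secret"), "groups": ["owner-sdr", "operator"]},
    "bob": {"secret": _digest("bob-secret"), "groups": ["operator"]},
}

def determine_role(groups):
    """Step 3: root-system wins over owner SDR, which wins over plain SDR."""
    if "root-system" in groups:
        return "root-system"
    if "owner-sdr" in groups:
        return "owner-sdr"
    return "sdr"

def permitted_task_ids(groups):
    """Union of every task group named by every user group the user is in."""
    members = (TASK_GROUPS[tg] for g in groups for tg in USER_GROUPS.get(g, []))
    return frozenset().union(*members)

@dataclass(frozen=True)
class Session:
    username: str
    role: str
    task_ids: frozenset  # fixed at login; group changes apply to the next session

def authenticate(username, password, users=USERS):
    """Steps 1-2: reject unknown users or wrong passwords, then build the session."""
    rec = users.get(username)
    if rec is None or not hmac.compare_digest(rec["secret"], _digest(password)):
        return None
    groups = list(rec["groups"])  # snapshot of membership at login time
    return Session(username, determine_role(groups), permitted_task_ids(groups))
```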