Task Ids For Tacacs+ And Radius Authenticated Users - Cisco IOS XR Configuration Manual

System security configuration guide

Configuring AAA Services on Cisco IOS XR Software
Users may need to be associated with additional task IDs to use a command if the command is used in a
specific configuration submode. For example, to execute the show redundancy command, a user needs
to be associated with the system (read) task ID and operations, as shown in the following example:

  RP/0/RP0/CPU0:router# show redundancy

In administration EXEC mode, however, a user needs to be associated with both the admin and system (read)
task IDs and operations, as shown in the following example:

  RP/0/RP0/CPU0:router# admin
  RP/0/RP0/CPU0:router(admin)# show redundancy

Task IDs for TACACS+ and RADIUS Authenticated Users

Cisco IOS XR AAA provides the following means of assigning task permissions for users authenticated
with the TACACS+ and RADIUS methods:
• Specify the text version of the task map directly in the configuration file of the external TACACS+
  and RADIUS servers. See the "Task Maps" section for more details.
• Specify the privilege level in the configuration file of the external TACACS+ and RADIUS servers.
  See the "Privilege Level Mapping" section for more details.
• Create a local user with the same username as the user authenticating with the TACACS+ and
  RADIUS methods.
• Specify, by configuration, a default task group whose permissions are applied to any user
  authenticating with the TACACS+ and RADIUS methods.

Task Maps

For users who are authenticated using an external TACACS+ server and RADIUS server, Cisco IOS XR
AAA supports a method to define task IDs remotely.

Format of the Task String

The task string in the configuration file of the TACACS+ server consists of tokens delimited by a comma
(,). Each token contains either a task ID name and its permissions or the user group to include for this
particular user, as shown in the following example:

  task = "<permissions>:<taskid name>, #<usergroup name>, ..."

Note: Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+
server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional
as indicated by the server documentation. For example, CiscoSecure ACS and the freeware TACACS+
server from Cisco require an asterisk (*) instead of an equal sign (=) before the attribute value for
optional attributes. If you want to configure attributes as optional, refer to the TACACS+ server
documentation.
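
The task string format given under "Format of the Task String", as an added example that is not from the Cisco manual: a Python parser for reviewing task attribute lines in a TACACS+ server configuration, which rejects malformed tokens instead of skipping them. The permission letters r, w, x, d, the allowed name characters, the merging of repeated task IDs, and the sample lines are assumptions of this example.

```python
import re

# Assumption: permission letters are r, w, x, d (read, write, execute, debug);
# the manual section above shows only the <permissions> placeholder.
PERMS = set("rwxd")
# '=' marks a mandatory attribute, '*' an optional one (per the Note above).
LINE_RE = re.compile(r'^\s*task\s*([=*])\s*"([^"]*)"\s*$')
# Assumption: task ID and user group names use these characters only.
NAME_RE = re.compile(r'^[A-Za-z0-9_.-]+$')


def parse_task_attribute(line):
    """Parse one task attribute line into (optional, tasks, groups).

    tasks maps task ID name -> set of permission letters; groups is the
    ordered list of user groups included with '#'.
    Raises ValueError on any malformed token so a bad grant is never ignored."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a task attribute: {line!r}")
    optional = m.group(1) == "*"
    tasks, groups = {}, []
    for raw in m.group(2).split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty token (stray comma)")
        if token.startswith("#"):
            name = token[1:].strip()
            if not NAME_RE.match(name):
                raise ValueError(f"bad user group name: {token!r}")
            if name not in groups:
                groups.append(name)
            continue
        perms, sep, name = token.partition(":")
        perms, name = perms.strip(), name.strip()
        if not sep or not perms or not NAME_RE.match(name):
            raise ValueError(f"expected <permissions>:<taskid name>: {token!r}")
        unknown = set(perms) - PERMS
        if unknown:
            raise ValueError(f"unknown permission(s) {sorted(unknown)} in {token!r}")
        # Choice made in this example: repeated task IDs merge their permissions.
        tasks.setdefault(name, set()).update(perms)
    return optional, tasks, groups


# Constructed sample lines, not taken from the manual.
SAMPLE_MANDATORY = 'task = "rwx:bgp, r:system, #operator"'
SAMPLE_OPTIONAL = 'task * "r:system,w:system"'
```

The returned task map and group list can be compared against the access each account is supposed to have before the server configuration is deployed.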
Information About Configuring AAA Services
Cisco IOS XR System Security Configuration Guide

This manual is also suitable for:

IOS XR 3.5
