Building blocks for on-box authorization scheme

The following task-groups are predefined in IOS-XR

cisco-support: highest level of privilege allowing lowest level access

Operator: Operators performing day-to-day activities

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

```
RP/0/RSP0/CPU0:A9K-TOP# describe show bgp summary
```

So in order to allow a user to do the command "show bgp summary", we would need to allow the following line in

It can also be the case that a particular user needs to be a member of a particular (predefined) task group. A process restart, for example, is something you can only do when you are a member of cisco-support:

```
RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp
```

In regular IOS-XR configuration, define your task group with the permissions and tasks you like:

```
RP/0/RSP0/CPU0:A9K-TOP(config)# taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp
```

As mentioned, XR doesn't have priv levels, but in order to leverage the existing AAA profiles from TACACS used for IOS-based routers, we can create user groups that are named as the privilege levels:

You can also define a user group that imports several task groups:

For starters you need to point your user authentication to the external source for authentication:

```
aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local
```

Now with tacacs we can send the priv via the options in service-exec:

NOTE: the syntax of "cisco-avpair" and its capitalization depend on the dictionary definition for the Cisco AVP.
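The task-group and user-group building blocks above can be reviewed offline before a TACACS profile is mapped onto them. The following is an added example, not code from the original article or from Cisco: it parses `taskgroup`/`usergroup` stanzas, computes what a user group actually grants, and reports which permissions a command still lacks. The user-group name `priv11`, the sample configuration and the helper names are assumptions; the required pairs are whatever `describe <command>` reports on the router.

```python
# Added example: offline least-privilege check for IOS-XR task groups.
# SAMPLE_CONFIG is constructed; "priv11" is an assumed privilege-level-style name.
SAMPLE_CONFIG = """\
taskgroup basic-admin
 task read acl
 task read bfd
 task read bgp
 task write acl
 task write bfd
 task write bgp
 task debug bgp
!
usergroup priv11
 taskgroup basic-admin
 taskgroup operator
!
"""

def parse_groups(config):
    """Return (taskgroups, usergroups) parsed from taskgroup/usergroup stanzas."""
    taskgroups, usergroups, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words == ["!"]:
            continue
        if not raw[0].isspace():                 # new top-level stanza
            kind, name = words if len(words) == 2 else (None, None)
            if kind == "taskgroup":
                taskgroups.setdefault(name, set())
            elif kind == "usergroup":
                usergroups.setdefault(name, set())
        elif kind == "taskgroup" and len(words) == 3 and words[0] == "task":
            taskgroups[name].add((words[1], words[2]))   # (permission, task ID)
        elif kind == "usergroup" and len(words) == 2 and words[0] == "taskgroup":
            usergroups[name].add(words[1])               # imported task group
    return taskgroups, usergroups

def effective_tasks(usergroup, taskgroups, usergroups):
    """Union of permissions a user group grants, plus task groups not defined locally."""
    granted, undefined = set(), []
    for tg in sorted(usergroups.get(usergroup, ())):
        if tg in taskgroups:
            granted |= taskgroups[tg]
        else:
            undefined.append(tg)   # predefined group or a typo: review by hand
    return granted, undefined

def missing_for(required, granted):
    """required: (permission, task ID) pairs taken from `describe <command>`."""
    return sorted(set(required) - granted)
```

Task groups that appear in the `undefined` list are either predefined ones such as `operator` and `cisco-support` or misspelled names, so each deserves a manual look before the user group is tied to a TACACS profile.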