-
Cisco IOS XR System Security Command Reference, Release 3.2
-
Preface
-
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
-
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
-
IPSec Network Security Commands on Cisco IOS XR Software
-
Public Key Infrastructure Commands on Cisco IOS XR Software
-
Secure Shell Commands on Cisco IOS XR Software
-
Secure Socket Layer Protocol Commands on Cisco IOS XR Software
-
Software Authentication Manager Commands on Cisco IOS XR Software
-
Index
-
Feedback
Table Of Contents
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure authentication, authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
aaa accounting
To create a method list for accounting, use the aaa accounting command in global configuration mode. To remove a list name from the system, use the no form of this command.
aaa accounting {commands | exec} {default | list-name} {start-stop | stop-only}
{none | group {tacacs+ | radius | group-name}}no aaa accounting {commands | exec} {default | list-name}
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa accounting command to create default or named method lists defining specific accounting methods and that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.
The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
Method lists for accounting define the way accounting is performed, enabling you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services.
For minimal accounting, include the stop-only keyword to send a "stop accounting" notice after the requested user process. For more accounting, you can include the start-stop keyword, so that TACACS+ or RADIUS sends a "start accounting" notice at the beginning of the requested process and a "stop accounting" notice after the process. The accounting record is stored only on the TACACS+ or RADIUS server.
The requested user process begins regardless of whether the "start accounting" notice was received by the accounting server.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example shows how to define a default commands accounting method list, where accounting services are provided by a TACACS+ security server, with a stop-only restriction:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+Related Commands
aaa accounting system default
To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.
aaa accounting system default {start-stop | stop-only} {none | group {tacacs+ | radius | group-name}}
no aaa accounting system default
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
System accounting does not use named accounting lists; you can define only the default list for system accounting.
The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.
You can specify up to four methods in the method list.
Examples
The following example shows how to cause a "start accounting" record to be sent to a TACACS+ server when a router initially boots. A "stop accounting" record is also sent when a router is shut down or reloaded.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+Related Commands
Creates a method list for authentication.
Creates a method list for authorization.
aaa authentication
To create a method list for authentication, use the aaa authentication command in global configuration mode. To disable this authentication method, use the no form of this command.
aaa authentication {login | ppp} {default | remote | list-name} {local | line | group {tacacs+ | radius | group-name}}
no aaa authentication {login | ppp} {default | remote | list-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa authentication command to create a series of authentication methods, or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods to be used (such as TACACS+ or RADIUS), in sequence. The subsequent methods of authentication are used only if the initial method is not available, not if it fails.
The default method list is applied for all interfaces for authentication, except when a different named method list is explicitly specified, in which case the explicitly specified method list overrides the default list.
For console access, if no authentication is configured, a default of local method is applied.
Note
Examples
The following example shows how to specify the default method list to be used for authentication, and also enable authentication for console:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa authentication login default group tacacs+Related Commands
aaa authorization
To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.
aaa authorization {commands | exec | network} {default | list-name} {none | local | group {tacacs+ | radius | group-name}}
no aaa authorization {commands | exec | network} {default | list-name}
Syntax Description
Defaults
Authorization is disabled for all actions (equivalent to the method none keyword).
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.
Note
Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. The Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or all methods defined have been exhausted.
Note
The Cisco IOS XR software supports the following methods for authorization:
•
•
•
•
•
Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:
•
Note
•
•
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.
The aaa authorization commands command causes a request packet containing a series of AV pairs to be sent to the TACACS+ server as part of the authorization process. The server can do one of the following:
•
•
•
Examples
The following example shows how to define the network authorization method list named listname1, which specifies that TACACS+ authorization is used:
RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+Related Commands
aaa default-taskgroup
To specify a task group to be used for remote TACACS+ authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.
aaa default-taskgroup taskgroup-name
no aaa default-taskgroup taskgroup-name
Syntax Description
Defaults
No default task group is assigned for remote authentication.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa default-taskgroup command to specify an existing task group to be used for remote TACACS+ authentication.
Examples
The following example shows how to specify taskgroup1 as the default task group for remote TACACS+ authentication:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1aaa group server radius
To group different RADIUS server hosts into distinct lists, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa group server radius command to group existing server hosts, which allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses or hostnames of the selected server hosts.
Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and User Datagram Protocol (UDP) port number creates a unique identifier, allowing different ports to individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry acts as a failover backup to the first host entry. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry on the same device for accounting services. The RADIUS host entries are tried in the order in which they are configured in the server group.
All members of a server group must be the same type, that is, RADIUS.
The server group cannot be named radius or tacacs.
This command enters server group configuration mode, where the server command (associates a particular RADIUS server with the defined server group) is available.
Examples
The following example shows the configuration of an AAA group server named radgroup1, which comprises three member servers:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa group server radius radgroup1RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706
Note
Related Commands
aaa group server tacacs+
To group different TACACS+ server hosts into distinct lists, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
The aaa group server tacacs+ command enters server group configuration mode, where the server command (associates a particular TACACS+ server with the defined server group) is available.
A server group is a list of server hosts of a particular type. The supported server host type is TACACS+ server hosts. A server group is used with a global server host list. The server group lists the IP addresses or hostnames of the selected server hosts.
The server group cannot be named radius or tacacs.
Note
Examples
The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.200.226RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.200.227RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.200.228Related Commands
accounting
To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.
accounting {commands | exec} {default | list-name}
no accounting {commands | exec} {default | list-name}
Syntax Description
Defaults
Accounting is disabled.
Command Modes
Line configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists to the selected line or group of lines. If a method list is not specified this way, no accounting is applied to the selected line or group of lines.
Examples
The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# line template configureRP/0/RP0/CPU0:router(config-line)# accounting commands listname2Related Commands
authorization
To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.
authorization {commands | exec} {default | list-name}
no authorization {commands | exec} {default | list-name}
Syntax Description
Defaults
Authorization is not enabled.
Command Modes
Line configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
After you use the aaa authorization command to define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example shows how to enable command authorization using the method list named listname4 on a line template named configure:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# line template configureRP/0/RP0/CPU0:router(config-line)# authorization commands listname4Related Commands
description (AAA)
To create a description of a task group or user group during configuration, use the description command in task group configuration or user group configuration mode. To delete a task group description or user group description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
Task group configuration
User group configurationCommand History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the task or user group configuration submode to define a description for the task or user group, respectively.
Examples
The following example shows the creation of a task group description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# taskgroup alphaRP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroupThe following example shows the creation of a user group description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# usergroup alphaRP/0/RP0/CPU0:router(config-ug)# description this is a sample user groupRelated Commands
group
To add a user to a group, use the group command in username configuration mode. To remove the user from a group, use the no form of this command.
group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | group-name}
no group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | group-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
Username configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The predefined group root-system may be specified only by root-system users while configuring administration.
Use the group command in username configuration mode. To access username configuration mode, use the username command in global configuration mode.
If the group command is used in admin configuration mode, only root-system and cisco-support can be specified.
Examples
The following example shows how to assign the user group operator to the user named user1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# username user1RP/0/RP0/CPU0:router(config-un)# group operatorRelated Commands
inherit taskgroup
To enable a task group to derive permissions from another task group, use the inherit taskgroup command in task group configuration mode.
inherit taskgroup {taskgroup-name | netadmin | operator | sysadmin | cisco-support | root-lr | root-system}
Syntax Description
Defaults
No default behavior or values
Command Modes
Task group configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the inherit taskgroup command to inherit the permissions (task IDs) from one task group into another task group.
Examples
In the following example, the permissions of task group tg2 are inherited by task group tg1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# taskgroup tg1RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2 RP/0/RP0/CPU0:router(config-tg)# endinherit usergroup
To enable a user group to derive characteristics of another user group, use the inherit usergroup command in user group configuration mode.
inherit usergroup usergroup-name
Syntax Description
Defaults
No default behavior or values
Command Modes
User group configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Each user group is associated with a set of task groups applicable to the users in that group. A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. The task permissions for a user are derived (at the start of the EXEC or XML session) from the task groups associated with the user groups to which that user belongs.
User groups support inheritance from other user groups. Use the inherit usergroup command to copy permissions (task ID attributes) from one user group to another user group. The "destination" user group inherits the properties of the inherited group and forms a union of all task IDs specified in those groups. For example, when user group A inherits user group B, the task map of the user group A is a union of that of A and B. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system users, root-lr users, netadmin users, and so on.
Examples
The following example shows how to enable the purchasing user group to inherit properties from the sales user group:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# usergroup purchasingRP/0/RP0/CPU0:router(config-ug)# inherit usergroup salesRelated Commands
login authentication
To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. To return to the default authentication settings, use the no form of this command.
login authentication {default | list-name}
no login authentication {default | list-name}
Syntax Description
Defaults
This command uses the default set with the aaa authentication login command.
Command Modes
Line configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The login authentication command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login.
Caution
Entering the no form of the login authentication command has the same effect as entering the command with the default keyword.
Before issuing this command, create a list of authentication processes by using the aaa authentication login global configuration command.
Examples
The following example shows that the default AAA authentication is to be used for the line template template1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# line template template1RP/0/RP0/CPU0:router(config-line)# login authentication defaultThe following example shows that the AAA authentication list called list1 is to be used for the line template template2:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# line template template2RP/0/RP0/CPU0:router(config-line)# login authentication list1Related Commands
password (AAA)
To create a login password for a user, use the password command in username or line configuration mode. To remove the password, use the no form of this command.
password {0 | 7} password
no password {0 | 7} password
Syntax Description
0
Specifies that an unencrypted (clear-text) password follows.
7
Specifies that a two-way encrypted password follows.
password
Character-string password to be entered by the user to log in.
Defaults
No password is specified.
Command Modes
Username configuration
Line configurationCommand History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of passwords: encrypted or clear text.
When an EXEC process is started on a line that has password protection, the process prompts for the password. If the user enters the correct password, the process issues the prompt. The user can try three times to enter a password before the process exits and returns the terminal to the idle state.
Passwords are two-way encrypted and should be used for applications such as PPP that need decryptable passwords.
Examples
The following example shows how to establish the unencrypted password pwd1 for the user user1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# username user1RP/0/RP0/CPU0:router(config-un)# password 0 pwd1Related Commands
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can use multiple radius-server host commands to specify multiple hosts. The Cisco IOS XR software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
Examples
The following example shows how to establish host1 as the RADIUS server and use default ports for both accounting and authentication:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server host host1The following example shows how to establish port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server host host1 auth-port 1612 acct-port 1616Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example shows how to establish the host with IP address 172.29.39.46 as the RADIUS server, use ports 1612 and 1616 as the authorization and accounting ports, set the timeout value to 6, set the retransmit value to 5, and set "rad123" as the encryption key, matching the key on the RADIUS server:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example shows how to establish that RADIUS server host1 be used for accounting but not for authentication, and specify that RADIUS server host2 be used for authentication but not for accounting:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server host host1.example.com auth-port 0RP/0/RP0/CPU0:router(config)# radius-server host host2.example.com acct-port 0Related Commands
radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.
radius-server key {0 clear-text-key | 7 encrypted-key | clear-text-key}
no radius-server key
Syntax Description
0 clear-text-key
Specifies an unencrypted (cleartext) shared key.
7 encrypted-key
Specifies a encrypted shared key.
clear-text-key
Specifies an unencrypted (cleartext) shared key.
Defaults
The authentication and encryption key is disabled.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key entered must match the key used on the RADIUS server. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example shows how to set the cleartext key to "samplekey":
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server key 0 samplekeyThe following example shows how to set the encrypted shared key to "anykey":
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server key 7 anykeyRelated Commands
radius-server retransmit
To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
Defaults
The RADIUS servers are retried three times, or until a response is received.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The RADIUS client tries all servers, allowing each one to time out before increasing the retransmit count.
Examples
The following example shows how to specify a retransmit counter value of five times:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server retransmit 5radius-server timeout
To set the interval for which a router waits for a server host to reply before timing out, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command.
radius-server timeout seconds
no radius-server timeout
Syntax Description
Defaults
seconds: 5 seconds
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius-server timeout command to set the number of seconds a router waits for a server host to reply before timing out.
Examples
The following example shows how to change the interval timer to 10 seconds:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius-server timeout 10Related Commands
Specifies a RADIUS server host.
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius source-interface
To force RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the no form of this command.
radius source-interface interface-name
no radius source-interface
Syntax Description
Defaults
If a specific source interface is not configured, or the interface is down or does not have an IP address configured, the system selects an IP address.
Command Modes
Global configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius source-interface command to set the IP address of the specified interface or subinterface for all outgoing RADIUS packets. This address is used as long as the interface or subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
The specified interface or subinterface must have an IP address associated with it. If the specified interface or subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the interface or subinterface or bring the interface to the up state.
This command is especially useful in cases where the router has many interfaces or subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
Examples
The following example shows how to make RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# radius source-interface s2secret
To create a secure login password for a user, use the secret command in username or line configuration mode. To remove the secure password, use the no form of this command.
secret {0 | 5} password
no secret {0 | 5} password
Syntax Description
0
Specifies that an unencrypted (clear text) secure password follows.
5
Specifies that one-way hash of the text follows.
password
Character-string password to be entered by the user to log in.
Defaults
No password is specified.
Command Modes
Username configuration
Line configurationCommand History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of secure passwords: encrypted or clear text.
When an EXEC process is started on a line that has password protection, the process prompts for the password. If the user enters the correct password, the process issues the prompt. The user can try three times to enter a password before the process exits and returns the terminal to the idle state.
Secrets are one-way encrypted and should be used for applications such as login that do not need a decryptable secret.
Examples
The following example shows how to establish the secure encrypted password pwd2 for the user user2:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# username user2RP/0/RP0/CPU0:router(config-un)# secret 5 pwd2Related Commands
server (RADIUS)
To associate a particular RADIUS server with a defined server group, use the server command in server-group configuration mode. To remove the associated server from the server group, use the no form of this command.
server {hostname | ip-address} [auth-port port-number] [acct-port port-number]
no server {hostname | ip-address}
Syntax Description
Defaults
If no port attributes are defined, the defaults are as follows:
•
•
Command Modes
Server-group configuration
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular RADIUS server with a defined server group.
There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server based on their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order they are configured.)
Examples
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one.
! This command configures default RADIUS parameters.aaa authentication ppp default group radius! The next set of commands configures multiple host entries for the same IP address.radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.20.0.1 auth-port 2000 acct-port 2001Related Commands
Groups different RADIUS server hosts into distinct lists and distinct methods.
Specifies a RADIUS server host.
server (TACACS+)
To associate a particular TACACS+ server with a defined server group, use the server command in TACACS+ server-group configuration mode. To remove the associated server from the server group, use the no form of this command.
server {hostname | ip-address}
no server {hostname | ip-address}
Syntax Description
Defaults
No default behavior or values
Command Modes
Server-group configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular TACACS+ server with a defined server group. The server need not be accessible during configuration. Later, you can reference the configured server group from the method lists used to configure authentication, authorization, and accounting (AAA).
Examples
The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15 with the server group tac1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15Related Commands
show aaa
To display information about a user group, local user, or task group; to list all task IDs associated with all user groups, local users, or task groups in the system; or to list all task IDs for a specified user group, local user, or task group, use the show aaa command in EXEC mode.
show aaa {usergroup [usergroup-name] | userdb [username] | taskgroup [taskgroup-name]}
Syntax Description
Defaults
Details for all user groups, or all local users, or all task groups are listed if no argument is entered.
Command Modes
EXEC
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show aaa command to list details for all user groups, local users, or task groups in the system. Use the optional usergroup-name, username, or taskgroup-name argument to display the details for a specified user group, user, or task group, respectively.
Examples
The following sample output is from the show aaa usergroup command:
RP/0/RP0/CPU0:router# show aaa usergroup operatorUser group 'operator'Inherits from task group 'operator'User group 'operator' has the following combined setof task IDs (including all inherited groups):Task: basic-services : READ WRITE EXECUTE DEBUGTask: cdp : READTask: diag : READTask: ext-access : READ EXECUTETask: logging : READThe following sample output is from the show aaa taskgroup command:
RP/0/RP0/CPU0:router# show aaa taskgroup netadminTask group 'netadmin'Task group 'netadmin' has the following combined setof task IDs (including all inherited groups):Task: aaa : READTask: acl : READ WRITE EXECUTE DEBUGTask: admin : READTask: atm : READ WRITE EXECUTE DEBUGTask: basic-services : READ WRITE EXECUTE DEBUGTask: bcdl : READTask: bfd : READ WRITE EXECUTE DEBUGTask: bgp : READ WRITE EXECUTE DEBUGTask: boot : READ WRITE EXECUTE DEBUGTask: bundle : READ WRITE EXECUTE DEBUGTask: cdp : READ WRITE EXECUTE DEBUGTask: cef : READ WRITE EXECUTE DEBUGTask: cisco-support : READTask: config-mgmt : READ WRITE EXECUTE DEBUGTask: config-services : READ WRITE EXECUTE DEBUGTask: crypto : READ WRITE EXECUTE DEBUGTask: diag : READ WRITE EXECUTE DEBUGTask: disallowed : READTask: drivers : READTask: ext-access : READ WRITE EXECUTE DEBUGTask: fabric : READ WRITE EXECUTE DEBUGTask: fault-mgr : READ WRITE EXECUTE DEBUGTask: filesystem : READ WRITE EXECUTE DEBUGTask: fr : READ WRITE EXECUTE DEBUGTask: hdlc : READ WRITE EXECUTE DEBUGTask: host-services : READ WRITE EXECUTE DEBUGTask: hsrp : READ WRITE EXECUTE DEBUGTask: interface : READ WRITE EXECUTE DEBUGTask: inventory : READTask: ip-services : READ WRITE EXECUTE DEBUGTask: ipv4 : READ WRITE EXECUTE DEBUGTask: ipv6 : READ WRITE EXECUTE DEBUGTask: isis : READ WRITE EXECUTE DEBUGTask: logging : READ WRITE EXECUTE DEBUGTask: lpts : READ WRITE EXECUTE DEBUGTask: monitor : READTask: mpls-ldp : READ WRITE EXECUTE DEBUGTask: mpls-static : READ WRITE EXECUTE DEBUGTask: mpls-te : READ WRITE EXECUTE DEBUGTask: multicast : READ WRITE EXECUTE DEBUGTask: netflow : READ WRITE EXECUTE DEBUGTask: network : READ WRITE EXECUTE DEBUGTask: ospf : READ WRITE EXECUTE DEBUGTask: ouni : READ WRITE EXECUTE DEBUGTask: pkg-mgmt : READTask: pos-dpt : READ WRITE EXECUTE DEBUGTask: ppp : READ WRITE EXECUTE DEBUGTask: qos : READ WRITE EXECUTE DEBUGTask: rib : READ WRITE EXECUTE DEBUGTask: rip : READ WRITE EXECUTE DEBUGTask: root-lr : READTask: route-map : READ WRITE EXECUTE DEBUGTask: route-policy : READ WRITE EXECUTE DEBUGTask: snmp : READ WRITE EXECUTE DEBUGTask: sonet-sdh : READ WRITE EXECUTE DEBUGTask: static : READ WRITE EXECUTE DEBUGTask: sysmgr : READTask: system : READ WRITE EXECUTE DEBUGTask: transport : READ WRITE EXECUTE DEBUGTask: tty-access : READ WRITE EXECUTE DEBUGTask: tunnel : READ WRITE EXECUTE DEBUGTask: universal : READTask: vlan : READ WRITE EXECUTE DEBUGTask: vrrp : READ WRITE EXECUTE DEBUGThe following sample output is from the show aaa taskgroup operator command. The task group operator has the following combined set of task IDs, which includes all inherited groups:
Task: basic-services : READ WRITE EXECUTE DEBUGTask: cdp : READTask: diag : READTask: ext-access : READ EXECUTETask: logging : READThe following sample output is from the show aaa taskgroup root-system command. The task group root-system has the following combined set of task IDs, which includes all inherited groups:
Task: aaa : READ WRITE EXECUTE DEBUGTask: acl : READ WRITE EXECUTE DEBUGTask: admin : READ WRITE EXECUTE DEBUGTask: atm : READ WRITE EXECUTE DEBUGTask: basic-services : READ WRITE EXECUTE DEBUGTask: bcdl : READ WRITE EXECUTE DEBUGTask: bfd : READ WRITE EXECUTE DEBUGTask: bgp : READ WRITE EXECUTE DEBUGTask: boot : READ WRITE EXECUTE DEBUGTask: bundle : READ WRITE EXECUTE DEBUGTask: cdp : READ WRITE EXECUTE DEBUGTask: cef : READ WRITE EXECUTE DEBUGTask: config-mgmt : READ WRITE EXECUTE DEBUGTask: config-services : READ WRITE EXECUTE DEBUGTask: crypto : READ WRITE EXECUTE DEBUGTask: diag : READ WRITE EXECUTE DEBUGTask: drivers : READ WRITE EXECUTE DEBUGTask: ext-access : READ WRITE EXECUTE DEBUGTask: fabric : READ WRITE EXECUTE DEBUGTask: fault-mgr : READ WRITE EXECUTE DEBUGTask: filesystem : READ WRITE EXECUTE DEBUGTask: fr : READ WRITE EXECUTE DEBUGTask: hdlc : READ WRITE EXECUTE DEBUGTask: host-services : READ WRITE EXECUTE DEBUGTask: hsrp : READ WRITE EXECUTE DEBUGTask: interface : READ WRITE EXECUTE DEBUGTask: inventory : READ WRITE EXECUTE DEBUGTask: ip-services : READ WRITE EXECUTE DEBUGTask: ipv4 : READ WRITE EXECUTE DEBUGTask: ipv6 : READ WRITE EXECUTE DEBUGTask: isis : READ WRITE EXECUTE DEBUGTask: logging : READ WRITE EXECUTE DEBUGTask: lpts : READ WRITE EXECUTE DEBUGTask: monitor : READ WRITE EXECUTE DEBUGTask: mpls-ldp : READ WRITE EXECUTE DEBUGTask: mpls-static : READ WRITE EXECUTE DEBUGTask: mpls-te : READ WRITE EXECUTE DEBUGTask: multicast : READ WRITE EXECUTE DEBUGTask: netflow : READ WRITE EXECUTE DEBUGTask: network : READ WRITE EXECUTE DEBUGTask: ospf : READ WRITE EXECUTE DEBUGTask: ouni : READ WRITE EXECUTE DEBUGTask: pkg-mgmt : READ WRITE EXECUTE DEBUGTask: pos-dpt : READ WRITE EXECUTE DEBUGTask: ppp : READ WRITE EXECUTE DEBUGTask: qos : READ WRITE EXECUTE DEBUGTask: rib : READ WRITE EXECUTE DEBUGTask: rip : READ WRITE EXECUTE DEBUGTask: root-lr : READ WRITE EXECUTE DEBUGTask: root-system : READ WRITE EXECUTE DEBUGTask: route-map : READ WRITE EXECUTE DEBUGTask: route-policy : READ WRITE EXECUTE DEBUGTask: snmp : READ WRITE EXECUTE DEBUGTask: sonet-sdh : READ WRITE EXECUTE DEBUGTask: static : READ WRITE EXECUTE DEBUGTask: sysmgr : READ WRITE EXECUTE DEBUGTask: system : READ WRITE EXECUTE DEBUGTask: transport : READ WRITE EXECUTE DEBUGTask: tty-access : READ WRITE EXECUTE DEBUGTask: tunnel : READ WRITE EXECUTE DEBUGTask: universal : READ WRITE EXECUTE DEBUGTask: vlan : READ WRITE EXECUTE DEBUGTask: vrrp : READ WRITE EXECUTE DEBUGThe following sample is output from the show aaa userdb command:
RP/0/RP0/CPU0:router# show aaa userdbUsername lab (admin plane)User group root-systemUser group cisco-supportUsername acmeUser group root-systemRelated Commands
show radius
To display information about the RADIUS servers that are configured in the system, use the show radius command in EXEC mode.
show radius
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius command to display statistics for each configured RADIUS server.
Examples
The following sample output is for the show radius command:
RP/0/RP0/CPU0:router# show radiusServer:12.26.49.12/10000/10001Timeout:5, Retransmit limit:35 requests sent, 5 responses received, 0 requests timed-outServer:1.1.1.1/10000/10001Timeout:5, Retransmit limit:30 requests sent, 0 responses received, 0 requests timed-outTable 2 describes the significant fields shown in the display.
Related Commands
show radius server-groups
To display information about the RADIUS server groups that are configured in the system, use the show radius server-groups command in EXEC mode.
show radius server-groups
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius server-groups command to display information about each configured RADIUS server group, including the group name, numbers of servers in the group, and a list of servers in the named server group. A global list of all configured RADIUS servers, along with authentication and accounting port numbers, is also displayed.
Examples
The following sample is output for the show radius server-groups command:
RP/0/RP0/CPU0:router# show radius server-groupsGlobal list of servers Server 4.4.4.4/1812/1813 Server 12.26.37.2/1812/1813 Server 6.6.6.6/8000/5000 Server 7.7.8.8/4532/1813 Server 9.9.9.9/1812/5000Server group `rad100' has 3 servers Server 7.7.8.8/4532/1813 Server 9.9.9.9/1812/5000Server 6.6.6.6/8000/5000Table 3 describes the significant fields shown in the display.
Table 3 show radius server-groups Field Descriptions
Server
Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Related Commands
show tacacs
To display information about the TACACS+ servers that are configured in the system, use the show tacacs command in EXEC mode.
show tacacs
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs command to display statistics for each configured TACACS+ server.
Examples
The following sample output is from the show tacacs command:
RP/0/RP0/CPU0:router# show tacacsServer:1.1.1.1/21212 opens=0 closes=0 aborts=0 errors=0packets in=0 packets out=0status=up single-connect=falseServer:2.2.2.2/21232 opens=0 closes=0 aborts=0 errors=0packets in=0 packets out=0status=up single-connect=falseTable 4 describes the significant fields shown in the display.
show tacacs server-groups
To display information about the TACACS+ server groups that are configured in the system, use the show tacacs server-groups command in EXEC mode.
show tacacs server-groups
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.2
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs server-groups command to display information about each configured TACACS+ server group, including the group name, numbers of servers in the group, and a list of servers in the named server group. A global list of all configured TACACS+ servers is also displayed.
Examples
The following sample output is from the show tacacs server-groups command:
RP/0/RP0/CPU0:router# show tacacs server-groupsGlobal list of serversServer 12.26.25.61/23456Server 12.26.49.12/12345Server 12.26.49.12/9000Server 12.26.25.61/23432Server 5.5.5.5/23456Server 1.1.1.1/49Server group `tac100' has 1 servers Server 12.26.49.12Table 5 describes the significant fields shown in the display.
Related Commands
show task supported
To display all task IDs available in the system, use the show task supported command in EXEC mode.
show task supported
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show task supported command to display all task IDs available in the system.
Examples
The following sample output is from the show task supported command. Task IDs are displayed in alphabetical order.
RP/0/RP0/CPU0:router# show task supportedaaaacladminatmbasic-servicesbcdlbfdbgpbootbundlecdpcefcisco-supportconfig-mgmtconfig-servicescryptodiagdisalloweddriversext-accessfabricfault-mgrfilesystemfrhdlchost-serviceshsrpinterfaceinventoryip-servicesipv4ipv6isislogginglptsmonitormpls-ldpmpls-staticmpls-temulticastnetflownetworkospfounipkg-mgmtpos-dptpppqosribriproot-lrroot-systemroute-maproute-policysnmpsonet-sdhstaticsysmgrsystemtransporttty-accesstunneluniversalvlanvrrpRelated Commands
show aaa taskgroup
Lists all task groups or the specified group and the corresponding task map.
show aaa usergroup
Lists all user groups or the specified group.
show user task
Displays task IDs enabled for the currently logged-in user.
show user
To display all user groups and task IDs associated with the currently logged-in user, use the show user command in EXEC mode.
show user [group | tasks | all]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show user command to display all user groups and task IDs associated with the currently logged-in user.
Examples
The following sample output is from the show user tasks command:
RP/0/RP0/CPU0:router# show user tasksTask: basic-services : READ WRITE EXECUTE DEBUGTask: cdp : READTask: diag : READTask: ext-access : READ EXECUTETask: logging : READRelated Commands
Displays the task maps for selected user groups, local users, or task groups.
Displays all task IDs defined in the system.
tacacs-server host
To specify a TACACS+ host server, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host host-name [port port-number] [timeout seconds] [key [0 | 7] auth-key]
no tacacs-server host host-name [port port-number]
Syntax Description
Defaults
No TACACS+ host is specified.
The port, if not specified, defaults to the standard port 49.Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key keyword must be entered last because it uses a line (text with breaks) rather than a string (text only, with no breaks). Any text and line breaks up to the time the user presses Enter can be used as part of the key.
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS XR software searches for hosts in the order in which you specify them.
Examples
The following example shows how to specify a TACACS+ host with the IP address 209.165.200.226:
RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226The following example shows how to specify that the router consult the TACACS+ server host named host1 on port number 51. The timeout value for requests on this connection is 30 seconds; the encryption key is a_secret.
RP/0/RP0/CPU0:router(config)# tacacs-server host host1 port 51 timeout 30 key a_secretRelated Commands
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the HF and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key key-name
no tacacs-server key
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key name entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and after the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
The TACACS server key is used only if no key is configured for an individual TACACS server. Keys configured for an individual TACACS server always override this global key configuration.
Examples
The following example sets the authentication and encryption key to key1:
RP/0/RP0/CPU0:router(config)# tacacs-server key key1Related Commands
tacacs-server timeout
To set the interval that the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout
Syntax Description
Defaults
seconds: 5 seconds
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the tacacs-server timeout command to set the interval that the server waits for a server host to reply.
The TACACS+ server timeout is used only if no timeout is configured for an individual TACACS+ server. Timeout intervals configured for an individual TACACS+ server always override this global timeout configuration.
Examples
The following example shows the interval timer being changed to 10 seconds:
RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10Related Commands
tacacs source-interface
To specify the source IP address of a selected interface for all outgoing TACACS+ packets, use the tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.
tacacs source-interface type instance
no tacacs source-interface type instance
Syntax Description
Defaults
If a specific source interface is not configured, or the interface is down or does not have an IP address configured, the system selects an IP address.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the tacacs source-interface command to set the IP address of the specified interface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
When the specified interface does not have an IP address or is in a down state, TACACS+ behaves as if no source interface configuration is used.
Examples
The following example shows how to set the IP address of the specified POS interface for all outgoing TACACS+ packets:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# tacacs source-interface POS 0/1/0/1Related Commands
task
To add a task ID to a task group, use the task command in task group configuration mode. To remove a task ID from a task group, use the no form of this command.
task {read | write | execute | debug} taskid-name
no task {read | write | execute | debug} taskid-name
Syntax Description
Defaults
No task IDs are assigned to a newly created task group.
Command Modes
Task group configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the task command in task group configuration mode. To access task group configuration mode, use the taskgroup command in global configuration mode.
Examples
The following example shows how to enable execute privileges for the config-services task ID and associate that task ID with the task group named taskgroup1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# taskgroup taskgroup1RP/0/RP0/CPU0:router(config-tg)# task execute config-servicesRelated Commands
taskgroup
To configure a task group to be associated with a set of task IDs, and to enter task group configuration mode, use the taskgroup command in global configuration mode. To delete a task group, use the no form of this command.
taskgroup taskgroup-name [description string | task {read | write | execute | debug}
taskid-name | inherit taskgroup taskgroup-name]no taskgroup taskgroup-name
Syntax Description
Defaults
Five predefined user groups are available by default.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task groups are configured with a set of task IDs for each action type. Deleting a task group that is still referenced in the system results in a warning and rejection of the deletion.
Entering the taskgroup command with no keywords or arguments enters task group configuration mode, where you can use the description, inherit, show, and task commands.
Examples
The following example assigns read bgp permission to the task group named alpha:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# taskgroup alphaRP/0/RP0/CPU0:router(config-tg)# task read bgpRelated Commands
Creates a task group description in task configuration mode.
Adds a task ID to a task group.
timeout login response
To set the interval that the server waits for a reply to a login, use the timeout login response command in line configuration mode. To restore the default, use the no form of this command.
timeout login response seconds
no timeout login response seconds
Syntax Description
Defaults
seconds: 30 seconds
Command Modes
Line configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the timeout login response command in line configuration mode to set the timeout value. This timeout value applies to all terminal lines to which the entered line template is applied. This timeout value can also be applied to line console. After the timeout value has expired, the user is prompted again. The retry is allowed three times.
Examples
The following example shows how to change the interval timer to 20 seconds:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# line template alphaRP/0/RP0/CPU0:router(config-line)# timeout login response 20Related Commands
usergroup
To configure a user group and associate it with a set of task groups, and to enter user group configuration mode, use the usergroup command in global configuration mode. To delete a user group, or to delete a task-group association with the specified user group, use the no form of this command.
usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit usergroup usergroup-name]
no usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit usergroup usergroup-name]
Syntax Description
Defaults
Five predefined user groups are available by default.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
User groups are configured with the command parameters for a set of users, such as task groups. You can remove specific user groups by using the no form of the usergroup command. You can remove the user group itself by using the no form of the command without giving any parameters. Deleting a user group that is still referenced in the system results in a warning and a rejection of the deletion.
Use the inherit usergroup command to copy permissions from other user groups. The user group is inherited by the parent group and forms a union of all task IDs specified in those groups. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system and owner-lr.
Examples
The following example shows how to add permissions from the user group beta to the user group alpha:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# usergroup alphaRP/0/RP0/CPU0:router(config-u)# inherit usergroup betaRelated Commands
username
To configure a new user with a username, establish a password, and grant permissions for the user, and to enter username configuration mode, use the username command in global configuration mode. To delete a user from the database, use the no form of this command.
username user-name [password {0 | 7} password | secret {5} password | group usergroup-name]
no username user-name [password {0 | 7} password | secret {5} password | group usergroup-name]
Syntax Description
Defaults
No usernames are defined in the system.
Command Modes
Global configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the username command to identify the user and enter username configuration mode. Password and user group assignments can be made from either global configuration mode or username configuration submode. Permissions (task IDs) are assigned by associating the user with one or more defined user groups.
Each user is identified by a username that is unique across the administrative domain. Each user should be made a member of at least one user group. Deleting a user group may orphan the users associated with that group. The AAA server authenticates orphaned users but most commands are not authorized.
If you want to require a username and password on the console or for Telnet sessions, configure authentication using both the aaa authentication login default local command and the username command.
The predefined group root-system may be specified only by root-system users while administration is configured.
Note
Examples
The following example shows how to establish the unencrypted password password1 for the user user1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# username user1RP/0/RP0/CPU0:router(config-un)# password 0 password1Related Commands
Defines a method list for authentication.
Adds a user to a group.
Creates a login password for a user.
users group
To associate a user group and its privileges with a line, use the users group command in line configuration mode. To delete a user group association with a line, use the no form of this command.
users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system | sysadmin}
no users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system | sysadmin}
Syntax Description
Defaults
No default behavior or values
Command Modes
Line configuration
Command History
Release 2.0
This command was introduced on the Cisco CRS-1.
Release 3.0
No modification.
Release 3.2
This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the users group command to enable a user group and its privileges to be associated with a line, meaning that users logging in through the line are given the privileges of the particular user group.
Examples
In the following example, if a vty-pool is created with line template vty, users logging in through vty are given operator privileges:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# aaa authen login vty-authen lineRP/0/RP0/CPU0:router(config)# commitRP/0/RP0/CPU0:router(config)# line template vtyRP/0/RP0/CPU0:router(config-line)# users group operatorRP/0/RP0/CPU0:router(config-line)# login authentication vty-authen
