Authentication, Authorization, and Accounting Commands
This module describes the commands used to configure authentication, authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
aaa accounting
To create a method list for accounting, use the aaa accounting command in global configuration mode. To remove a list name from the system, use the no form of this command.
network
Enables accounting for all network-related service requests, such as Internet Key Exchange (IKE) and Point-to-Point Protocol (PPP).
default
Uses the listed accounting methods that follow this keyword as the default
list of methods for accounting services.
list-name
Character string used to name the accounting method list.
start-stop
Sends a “start accounting” notice at the beginning of a process and a “stop
accounting” notice at the end of a process. The requested user process
begins regardless of whether the “start accounting” notice was received by
the accounting server.
stop-only
Sends a “stop accounting” notice at the end of the requested user
process.
none
Uses no accounting.
method
Method used to enable AAA accounting. The value is one of the following options:
group tacacs+—Uses the list of all TACACS+ servers for accounting.
group radius—Uses the list of all RADIUS servers for accounting.
group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.
Command Default
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.4.0    The network keyword and method argument were added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the aaa accounting command to create default or named
method lists defining specific accounting methods and that can be used on a per-line or
per-interface basis. You can specify up to four methods in the method list. The list
name can be applied to a line (console, aux, or vty template) to enable accounting on
that particular line.
The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
Method lists for accounting define the way accounting is performed, enabling you to
designate a particular security protocol that is used on specific lines or interfaces
for particular types of accounting services.
For minimal accounting, include the stop-only keyword to send
a “stop accounting” notice after the requested user process. For more accounting, you
can include the start-stop keyword, so that TACACS+ or RADIUS sends a “start
accounting” notice at the beginning of the requested process and a “stop accounting”
notice after the process. The accounting record is stored only on the TACACS+ or RADIUS server.
The requested user process begins regardless of whether the “start accounting” notice
was received by the accounting server.
Note
This command cannot be used with TACACS or extended TACACS.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to define a default commands accounting method list,
where accounting services are provided by a TACACS+ security server, with a stop-only
restriction:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+
aaa accounting system default
To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.
start-stop
Sends a “start accounting” notice during system bootup and a “stop accounting” notice during system shutdown or reload.
stop-only
Sends a “stop accounting” notice during system shutdown or reload.
none
Uses no accounting.
method
Method used to enable AAA system accounting. The value is one of the following options:
group tacacs+—Uses the list of all TACACS+ servers for accounting.
group radius—Uses the list of all RADIUS servers for accounting.
group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.
Command Default
AAA accounting is disabled.
Command Modes
Global configuration mode
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.3.0    The method argument was added to specify either group tacacs+, group radius, or group named-group options.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
System accounting does not use named accounting lists; you can define only the default
list for system accounting.
The default method list is automatically applied to all interfaces or lines. If no
default method list is defined, then no accounting takes place.
You can specify up to four methods in the method list.
Task ID
Task ID    Operations
aaa        read, write
Examples
This example shows how to cause a “start accounting” record to be sent to a
TACACS+ server when a router initially boots. A “stop accounting” record is also sent
when a router is shut down or reloaded.
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+
aaa accounting update
To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable the interim accounting updates, use the no form of this command.
aaa accounting update { newinfo | periodic minutes }
no aaa accounting update
Syntax Description
newinfo
(Optional) Sends an interim accounting record to the accounting server
whenever there is new accounting information to report relating to the user
in question.
periodic minutes
(Optional) Sends an interim accounting record to the accounting server periodically, as defined by the minutes argument, which is an integer that specifies the number of minutes. The range is from 1 to 35791394 minutes.
Command Default
AAA accounting update is disabled.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.4.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If the newinfo keyword is used, interim accounting records are
sent to the accounting server every time there is new accounting information to report.
An example of this report would be when IP Control Protocol (IPCP) completes IP address
negotiation with the remote peer. The interim accounting record includes the negotiated
IP address used by the remote peer.
When used with the periodic keyword, interim accounting
records are sent periodically as defined by the minutes
argument. The interim accounting record contains all the accounting information recorded
for that user up to the time the accounting record is sent.
When using both the newinfo and
periodic keywords, interim accounting records are sent to
the accounting server every time there is new accounting information to report, and
accounting records are sent to the accounting server periodically as defined by the
minutes argument. For example, if you configure the
aaa accounting update command with the
newinfo and periodic keywords,
all users currently logged in continue to generate periodic interim accounting records
while new users generate accounting records based on the newinfo algorithm.
Caution
Using the aaa accounting update command with the
periodic keyword can cause heavy congestion when many
users are logged into the network.
Both periodic and newinfo keywords
are mutually exclusive; therefore, only one keyword can be configured at a time.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to send periodic interim accounting records to the
RADIUS server at 30-minute intervals:
aaa authentication
To create a method list for authentication, use the aaa authentication command in global configuration mode or administration configuration mode. To disable this authentication method, use the no form of this command.
default
Uses the listed authentication methods that follow this keyword as the default list of methods for authentication.
list-name
Character string used to name the authentication method list.
remote
Uses the listed authentication methods that follow this keyword as the
default list of methods for administrative authentication on a remote
non-owner secure domain router. The remote keyword
is used only with the login keyword and not with
the ppp keyword.
Note
The remote keyword is available only on the
administration plane.
method-list
Method used for AAA authentication. The value is one of the following options:
group tacacs+—Specifies a method list that uses the list of all configured TACACS+ servers for authentication.
group radius—Specifies a method list that uses the list of all configured RADIUS servers for authentication.
group named-group—Specifies a method list that uses a named subset of TACACS+ or RADIUS servers for authentication, as defined by the aaa group server tacacs+ or aaa group server radius command.
local—Specifies a method list that uses the local username database method for authentication. Rollover to the next AAA method after the local method occurs only if the username is not defined in the local database.
line—Specifies a method list that uses the line password for authentication.
Command Default
Default behavior applies the local authentication on all ports.
Command Modes
Global configuration
Administration configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.3.0    The method-list argument was added to specify either group tacacs+, group radius, group named-group, local, or line options.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the aaa authentication command to create a series of authentication methods,
or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods (such as TACACS+ or
RADIUS) in sequence. The subsequent methods of authentication are used only if the
initial method is not available, not if it fails.
The default method list is applied for all interfaces for authentication, except when a
different named method list is explicitly specified—in which case the explicitly
specified method list overrides the default list.
For console and vty access, if no authentication is configured, a default of local
method is applied.
Note
The group tacacs+, group radius, and group group-name forms of this command refer to a set of previously defined TACACS+ or RADIUS servers.
Use the tacacs-server host or radius-server
host command to configure the host servers.
Use the aaa group server tacacs+ or aaa
group server radius command to create a named subset of
servers.
The login keyword, remote keyword, local option, and
group option are available only in administration configuration
mode.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to specify the default method list for authentication,
and also enable authentication for console in global configuration mode:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa authentication login default group tacacs+
The following example shows how to specify the remote method list for authentication,
and also enable authentication for console in administration configuration mode:
RP/0/0/CPU0:router# admin
RP/0/0/CPU0:router(admin)# configure
RP/0/0/CPU0:router(admin-config)# aaa authentication login remote local group tacacs+
aaa authorization
To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.
commands
Configures authorization for all EXEC shell commands.
eventmanager
Applies an authorization method for authorizing an event manager (fault
manager).
exec
Configures authorization for an interactive (EXEC) session.
network
Configures authorization for network services, such as PPP or Internet Key
Exchange (IKE).
default
Uses the listed authorization methods that follow this keyword as the
default list of methods for authorization.
list-name
Character string used to name the list of authorization methods.
none
Uses no authorization. If you specify none, no subsequent authorization methods are attempted. However, the task ID authorization is always required and cannot be disabled.
local
Uses local authorization. This method of authorization is not available for
command authorization.
group tacacs+
Uses the list of all configured TACACS+ servers for authorization.
group radius
Uses the list of all configured RADIUS servers for authorization. This
method of authorization is not available for command authorization.
group group-name
Uses a named subset of TACACS+ or RADIUS servers for authorization as defined by the aaa group server tacacs+ or aaa group server radius command.
Command Default
Authorization is disabled for all actions (equivalent to the none method keyword).
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.6.0    The eventmanager keyword (fault manager) was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the aaa authorization command to create method lists
defining specific authorization methods that can be used on a per-line or per-interface
basis. You can specify up to four methods in the method list.
Note
The command authorization mentioned here applies to the one performed by an external
AAA server and not for task-based authorization.
Method lists for authorization define the ways authorization will be performed and the
sequence in which these methods will be performed. A method list is a named list
describing the authorization methods (such as TACACS+), in sequence. Method lists enable
you to designate one or more security protocols for authorization, thus ensuring a
backup system in case the initial method fails. Cisco IOS XR software uses the first method
listed to authorize users for specific network services; if that method fails to
respond, Cisco IOS XR software selects the
next method listed in the method list. This process continues until there is successful
communication with a listed authorization method or until all methods defined have been
exhausted.
Note
Cisco IOS XR software attempts
authorization with the next listed method only when there is no response (not a
failure) from the previous method. If authorization fails at any point in this
cycle—meaning that the security server or local username database responds by denying
the user services—the authorization process stops and no other authorization methods
are attempted.
The Cisco IOS XR software supports the
following methods for authorization:
none—The router does not request authorization information; authorization is
not performed over this line or interface.
local—Use the local database for authorization.
group tacacs+—Use the list of all configured TACACS+ servers for
authorization.
group radius—Use the list of all configured RADIUS servers for
authorization.
group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.
Method lists are specific to the type of authorization being requested. Cisco IOS XR software supports four types of
AAA authorization:
Commands authorization—Applies to the EXEC mode commands a user issues.
Command authorization attempts authorization for all EXEC mode commands.
Note
“Command” authorization is distinct from “task-based” authorization, which is
based on the task profile established during authentication.
EXEC authorization—Applies authorization for starting an EXEC session.
Note
The exec keyword is no longer used to authorize the
fault manager service. The eventmanager keyword
(fault manager) is used to authorize the fault manager service. The
exec keyword is used for EXEC
authorization.
Network authorization—Applies authorization for network services, such as
IKE.
Event manager authorization—Applies an authorization method for authorizing an
event manager (fault manager).
RADIUS servers are not allowed to be configured for the event manager (fault
manager) authorization. You are allowed to use TACACS+ or locald.
Note
The eventmanager keyword (fault manager) replaces the
exec keyword to authorize event managers (fault
managers).
When you create a named method list, you are defining a particular list of authorization
methods for the indicated authorization type. When defined, method lists must be applied
to specific lines or interfaces before any of the defined methods are performed.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to define the network authorization method list named
listname1, which specifies that TACACS+ authorization is used:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+
aaa default-taskgroup
To specify a task group for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.
aaa default-taskgroup taskgroup-name
no aaa default-taskgroup
Syntax Description
taskgroup-name
Name of an existing task group.
Command Default
No default task group is assigned for remote authentication.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the aaa default-taskgroup command to specify an existing task group for remote TACACS+
authentication.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to specify taskgroup1 as the default task group for
remote TACACS+ authentication:
aaa group server radius
To group different RADIUS server hosts into distinct lists, use the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name
Character string used to name the group of servers.
Command Default
This command is not enabled.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the aaa group server radius command to group existing server hosts, which allows you to select a
subset of the configured server hosts and use them for a particular service. A server
group is used in conjunction with a global server-host list. The server group lists the
IP addresses or hostnames of the selected server hosts.
Server groups can also include multiple host entries for the same server, as long as
each entry has a unique identifier. The combination of an IP address and User Datagram
Protocol (UDP) port number creates a unique identifier, allowing different ports to be individually defined as RADIUS
hosts providing a specific authentication, authorization, and accounting (AAA) service.
In other words, this unique identifier enables RADIUS requests to be sent to different
UDP ports on a server at the same IP address. If two different host entries on the same
RADIUS server are configured for the same service, for example, accounting, the second
host entry acts as an automatic switchover backup to the first host entry. Using this
example, if the first host entry fails to provide accounting services, the network
access server tries the second host entry on the same device for accounting services.
The RADIUS host entries are tried in the order in which they are configured in the
server group.
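The rollover rules stated in the Usage Guidelines for aaa authentication and aaa authorization above (the next method is consulted only on no response, an explicit deny stops the evaluation, at most four methods per list, the local method rolls over only for an unknown username) and the in-order host switchover described for server groups here, modeled as an added Python illustration that is not Cisco code; every user, host, port and server state in it is a constructed sample.

```python
"""Toy model of Cisco IOS XR AAA method-list rollover and server-group
switchover (added illustration, not Cisco code).  Rules encoded, as stated
in this reference: methods are tried in configured order; the next method is
consulted only when the previous one gives no response; an explicit deny
stops the evaluation; 'none' always permits; a list holds at most four
methods; 'local' rolls over only when the username is not defined locally;
hosts in a server group are tried in configured order, so a second host
entry (same IP, different port) takes over when the first one is down.
All users, hosts, ports and server states are constructed samples."""
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple

MAX_METHODS = 4  # "You can specify up to four methods in the method list."


class Result(Enum):
    PASS = "pass"                # request granted
    FAIL = "fail"                # explicit deny: evaluation stops here
    NO_RESPONSE = "no-response"  # nothing answered: roll over to next method


Handler = Callable[[str], Result]
Server = Tuple[str, int, str]  # (host, port, state: "up" | "down" | "deny-all")


def server_group(servers: List[Server], allowed: Set[str]) -> Handler:
    """Handler for group tacacs+, group radius or group <named-group>.
    Hosts are tried in the order configured; the first host that answers
    decides, and a down host is skipped (automatic switchover)."""
    def query(user: str) -> Result:
        for _host, _port, state in servers:
            if state == "down":
                continue                      # switch over to the next host
            if state == "deny-all":
                return Result.FAIL            # host answered with a deny
            return Result.PASS if user in allowed else Result.FAIL
        return Result.NO_RESPONSE             # no host in the group answered
    return query


def local_db(users: Dict[str, bool]) -> Handler:
    """Handler for the local method.  An unknown username rolls over to the
    next method; a known username yields a definite PASS or FAIL."""
    def query(user: str) -> Result:
        if user not in users:
            return Result.NO_RESPONSE
        return Result.PASS if users[user] else Result.FAIL
    return query


def evaluate(method_list: List[str], handlers: Dict[str, Handler],
             user: str) -> Tuple[Result, List[str]]:
    """Walk the method list for one user.  Returns the final result and the
    list of methods actually consulted, so the rollover path is visible."""
    if not 1 <= len(method_list) <= MAX_METHODS:
        raise ValueError("a method list holds 1 to %d methods" % MAX_METHODS)
    consulted: List[str] = []
    for method in method_list:
        consulted.append(method)
        if method == "none":
            return Result.PASS, consulted     # none: no check is performed
        outcome = handlers[method](user)
        if outcome is Result.NO_RESPONSE:
            continue                          # no answer: try the next method
        return outcome, consulted             # PASS or explicit FAIL ends it
    return Result.NO_RESPONSE, consulted      # every method was exhausted


# Constructed sample: a TACACS+ group with both hosts down, a RADIUS group
# whose first host entry is down so the second entry (same IP, other port)
# takes over, and a local database that knows bob (allowed) and carol (denied).
HANDLERS: Dict[str, Handler] = {
    "group tacacs+": server_group(
        [("10.0.0.5", 49, "down"), ("10.0.0.6", 49, "down")], {"alice"}),
    "group radius": server_group(
        [("10.0.0.10", 1645, "down"), ("10.0.0.10", 1700, "up")], {"alice"}),
    "local": local_db({"bob": True, "carol": False}),
}


def demo() -> Dict[str, Tuple[Result, List[str]]]:
    """Four walks that exercise each rule."""
    remote_first = ["group tacacs+", "group radius", "local"]
    local_first = ["local", "group radius"]
    return {
        # TACACS+ silent -> RADIUS second host answers -> alice permitted
        "alice": evaluate(remote_first, HANDLERS, "alice"),
        # RADIUS explicitly denies bob, so local is never consulted
        "bob": evaluate(remote_first, HANDLERS, "bob"),
        # local knows carol and denies her: no rollover past local
        "carol": evaluate(local_first, HANDLERS, "carol"),
        # dave is unknown locally -> rollover -> RADIUS denies
        "dave": evaluate(local_first, HANDLERS, "dave"),
    }


if __name__ == "__main__":
    for name, (result, path) in demo().items():
        print(f"{name}: {result.value} via {' -> '.join(path)}")
```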
All members of a server group must be the same type, that is, RADIUS.
The server group cannot be named radius or tacacs.
This command enters server group configuration mode. You can use the server command to
associate a particular RADIUS server with the defined server group.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the configuration of an AAA group server named radgroup1,
which comprises three member servers:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius radgroup1
RP/0/0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701
RP/0/0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703
RP/0/0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706
Note
If the auth-port port-number and acct-port port-number keywords and arguments are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646.
Configures the Virtual Private Network (VPN) routing and forwarding (VRF)
reference of an AAA RADIUS server group.
aaa group server tacacs+
To group different TACACS+ server hosts into distinct lists, use the aaa
group server tacacs+ command in global configuration mode. To remove
a server group from the configuration list, enter the no form
of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
group-name
Character string used to name a group of servers.
Command Default
This command is not enabled.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The AAA server-group feature introduces a way to group existing server hosts. The
feature enables you to select a subset of the configured server hosts and use them for a
particular service.
The aaa group server tacacs+ command enters server group
configuration mode. The server command associates a particular
TACACS+ server with the defined server group.
A server group is a list of server hosts of a particular type. The supported
server host type is TACACS+ server hosts. A server group is used with a global server
host list. The server group lists the IP addresses or hostnames of the selected server
hosts.
The server group cannot be named radius or tacacs.
Note
Group name methods refer to a set of previously defined TACACS+ servers. Use the
tacacs-server host command to configure the host
servers.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the configuration of an AAA group server named tacgroup1,
which comprises three member servers:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server tacacs+ tacgroup1
RP/0/0/CPU0:router(config-sg-tacacs)# server 192.168.200.226
RP/0/0/CPU0:router(config-sg-tacacs)# server 192.168.200.227
RP/0/0/CPU0:router(config-sg-tacacs)# server 192.168.200.228
accounting (line)
To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command in line template configuration mode. To disable AAA accounting services, use the no form of this command.
commands
Enables accounting on the selected lines for all EXEC shell commands.
exec
Enables accounting of an EXEC session.
default
The name of the default method list, created with the aaa
accounting command.
list-name
Specifies the name of a list of accounting methods to use. The list is
created with the aaa accounting command.
Command Default
Accounting is disabled.
Command Modes
Line template configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
After you enable the aaa accounting command and define a named
accounting method list (or use the default method list) for a particular type of
accounting, you must apply the defined lists to the appropriate lines for accounting
services to take place. Use the accounting command to apply
the specified method lists to the selected line or group of lines. If a method list is
not specified this way, no accounting is applied to the selected line or group of
lines.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to enable command accounting services using the
accounting method list named listname2 on a line template
named configure:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# line template configure
RP/0/0/CPU0:router(config-line)# accounting commands listname2
authorization (line)
To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line template configuration mode. To disable authorization, use the no form of this command.
commands
Enables authorization on the selected lines for all commands.
exec
Enables authorization for an interactive (EXEC) session.
default
Applies the default method list, created with the aaa
authorization command.
list-name
Specifies the name of a list of authorization methods to use. If no list
name is specified, the system uses the default. The list is created with the
aaa authorization command.
Command Default
Authorization is not enabled.
Command Modes
Line template configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
After you use the aaa authorization command to define a named
authorization method list (or use the default method list) for a particular type of
authorization, you must apply the defined lists to the appropriate lines for
authorization to take place. Use the authorization command to
apply the specified method lists (or, if none is specified, the default method list) to
the selected line or group of lines.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to enable command authorization using the method list
named listname4 on a line template named
configure:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# line template configure
RP/0/0/CPU0:router(config-line)# authorization commands listname4
deadtime (RADIUS)
To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.
deadtime minutes
no deadtime
Syntax Description
minutes
Length of time, in minutes, for which a RADIUS server is skipped over by
transaction requests, up to a maximum of 1440 (24 hours). The range is from
1 to 1440.
Command Default
Deadtime is set to 0.
Command Modes
Server-group configuration
Command History
Release          Modification
Release 3.3.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The value of the deadtime set in the server groups overrides the deadtime that is
configured globally. If the deadtime is omitted from the server group configuration, the
value is inherited from the master list. If the server group is not configured, the
default value of 0 applies to all servers in the group. If the deadtime is set to 0, no
servers are marked dead.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example specifies a one-minute deadtime for RADIUS server group group1, so that a server in the group that has failed to respond to authentication requests is skipped for that period:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
RP/0/0/CPU0:router(config-sg-radius)# deadtime 1
Defines the length of time in minutes for a RADIUS server to remain
marked dead.
description (AAA)
To create a description of a task group or user group during configuration, use the
description command in task group configuration or user
group configuration mode. To delete a task group description or user group description,
use the no form of this command.
description string
no description
Syntax Description
string
Character string describing the task group or user group.
Command Default
None
Command Modes
Task group configuration
User group configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the description command inside the task or user group
configuration submode to define a description for the task or user group,
respectively.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the creation of a task group description:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# taskgroup alpha
RP/0/0/CPU0:router(config-tg)# description this is a sample taskgroup
The following example shows the creation of a user group description:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# usergroup alpha
RP/0/0/CPU0:router(config-ug)# description this is a sample user group
group (AAA)
root-system
Adds the user to the predefined root-system group. Only users with root-system authority may use this option.
root-lr
Adds the user to the predefined root-lr group. Only users with root-system
authority or root-lr authority may use this option.
netadmin
Adds the user to the predefined network administrators group.
sysadmin
Adds the user to the predefined system administrators group.
operator
Adds the user to the predefined operator group.
cisco-support
Adds the user to the predefined Cisco support personnel group.
serviceadmin
Adds the user to the predefined service administrators group.
group-name
Adds the user to a named user group that has already been defined with the
usergroup command.
Command Default
None
Command Modes
Username configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.3.0    The serviceadmin keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The predefined group root-system may be specified only by root-system users while
configuring administration.
Use the group command in username configuration mode. To
access username configuration mode, use the username command in global
configuration mode.
If the group command is used in administration configuration
mode, only root-system and cisco-support keywords can be specified.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to assign the user group operator to the user named
user1:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# username user1
RP/0/0/CPU0:router(config-un)# group operator
Name of the task group from which permissions are inherited.
netadmin
Inherits permissions from the network administrator task group.
operator
Inherits permissions from the operator task group.
sysadmin
Inherits permissions from the system administrator task group.
cisco-support
Inherits permissions from the cisco-support task group.
root-lr
Inherits permissions from the root-lr task group.
root-system
Inherits permissions from the root system task group.
serviceadmin
Inherits permissions from the service administrators task group.
Command Default
None
Command Modes
Task group configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.3.0    The serviceadmin keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the inherit taskgroup command to inherit the permissions
(task IDs) from one task group into another task group. Any changes made to the
task group from which the permissions are inherited are reflected immediately in
the task group that inherits them.
Task ID
Task ID      Operations
aaa          read, write
Examples
In the following example, the permissions of task group tg2 are inherited by task group
tg1:
To enable a user group to derive characteristics of another user group, use the
inherit usergroup command in user group configuration
mode.
inherit usergroup usergroup-name
Syntax Description
usergroup-name
Name of the user group from which permissions are to be inherited.
Command Default
None
Command Modes
User group configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Each user group is associated with a set of task groups applicable to the users in that
group. A task group is defined by a collection of task IDs. Task groups contain task ID
lists for each class of action. The task permissions for a user are derived (at the
start of the EXEC or XML session) from the task groups associated with the user groups
to which that user belongs.
User groups support inheritance from other user groups. Use the inherit
usergroup command to copy permissions (task ID attributes) from one
user group to another user group. The “destination” user group inherits the properties
of the inherited group and forms a union of all task IDs specified in those groups. For
example, when user group A inherits user group B, the task map of user group A is the
union of the task maps of A and B. Cyclic inclusions are detected and rejected. User groups
cannot inherit properties from predefined groups, such as root-system users, root-sdr
users, netadmin users, and so on. Any changes made to the user group from which the
properties are inherited are reflected immediately in the user group that inherits them.
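As an added illustration (not Cisco IOS XR code), the following Python models the inheritance rules stated above: a group's effective task map is the union over the groups it inherits from, cyclic inclusions are rejected, predefined groups cannot be inherited, and a change to the inherited group shows up immediately in the inheriting group. The group names, task-group names and task IDs used are constructed for the example.

```python
"""Model of user-group inheritance (inherit usergroup) and task maps.

Added illustration, not Cisco IOS XR code. Group names, task-group names
and task IDs below are constructed for the example.
"""
from __future__ import annotations

from collections.abc import Iterable

# Predefined user groups that configured user groups may not inherit from.
PREDEFINED_USERGROUPS = {
    "root-system", "root-lr", "netadmin", "sysadmin",
    "operator", "cisco-support", "serviceadmin",
}


class UserGroupConfig:
    """Holds task groups, user groups, and user-group inheritance."""

    def __init__(self) -> None:
        # task group name -> {(task ID, operation), ...}
        self.taskgroups: dict[str, set[tuple[str, str]]] = {}
        # user group name -> task group names attached to it
        self.usergroup_taskgroups: dict[str, set[str]] = {}
        # user group name -> user groups it directly inherits from
        self.inherits: dict[str, set[str]] = {}

    def taskgroup(self, name: str, task_ids: Iterable[tuple[str, str]]) -> None:
        """Define (or redefine) a task group as a collection of task IDs."""
        self.taskgroups[name] = set(task_ids)

    def usergroup(self, name: str, taskgroups: Iterable[str] = ()) -> None:
        """Create a user group, or attach more task groups to an existing one."""
        if name in PREDEFINED_USERGROUPS:
            raise ValueError(f"{name} is a predefined group")
        self.usergroup_taskgroups.setdefault(name, set()).update(taskgroups)
        self.inherits.setdefault(name, set())

    def inherit_usergroup(self, dst: str, src: str) -> None:
        """'inherit usergroup src' entered in the configuration submode of dst."""
        if src in PREDEFINED_USERGROUPS:
            raise ValueError(f"cannot inherit from predefined group {src}")
        if dst not in self.inherits or src not in self.inherits:
            raise KeyError("both user groups must already exist")
        # Cyclic inclusion: src is dst, or src already (transitively) inherits dst.
        if dst == src or dst in self._ancestors(src):
            raise ValueError(f"cyclic inheritance between {dst} and {src} rejected")
        self.inherits[dst].add(src)

    def _ancestors(self, name: str) -> set[str]:
        """All user groups that `name` inherits from, directly or transitively."""
        seen: set[str] = set()
        stack = list(self.inherits.get(name, ()))
        while stack:
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(self.inherits.get(group, ()))
        return seen

    def task_map(self, name: str) -> set[tuple[str, str]]:
        """Union of the task IDs of the group's own task groups and all inherited ones.

        Computed on demand, so a change to an inherited group is reflected
        immediately in every group that inherits from it.
        """
        result: set[tuple[str, str]] = set()
        for group in {name} | self._ancestors(name):
            for tg in self.usergroup_taskgroups.get(group, ()):
                result |= self.taskgroups[tg]
        return result

    def user_task_map(self, usergroups: Iterable[str]) -> set[tuple[str, str]]:
        """Permissions of a user: the union over the user groups assigned to it."""
        result: set[tuple[str, str]] = set()
        for group in usergroups:
            result |= self.task_map(group)
        return result


def build_example() -> UserGroupConfig:
    """Constructed configuration: purchasing inherits from sales."""
    cfg = UserGroupConfig()
    cfg.taskgroup("tg-sales", {("aaa", "read"), ("bgp", "read")})
    cfg.taskgroup("tg-purchasing", {("ospf", "read"), ("ospf", "write")})
    cfg.usergroup("sales", {"tg-sales"})
    cfg.usergroup("purchasing", {"tg-purchasing"})
    cfg.inherit_usergroup("purchasing", "sales")
    return cfg
```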
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to enable the purchasing user group to inherit
properties from the sales user group:
Configures a user group to be associated with a set of task groups.
key (RADIUS)
To specify the authentication and encryption key that is used between the router and the
RADIUS daemon running on the RADIUS server, use the key (RADIUS) command in RADIUS server-group private configuration
mode.
Specifies an unencrypted (cleartext) user password.
Command Default
For submode key commands, the default is to use
the radius-server key command in global configuration
mode, if defined. If the global key is also not defined, the configuration is not
complete.
Command Modes
RADIUS server-group private configuration
Command History
Release          Modification
Release 3.4.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to set the encrypted key to anykey:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/0/CPU0:router(config-sg-radius-private)# key anykey
Specifies the number of seconds the router waits for the RADIUS server to
reply before retransmitting.
key (TACACS+)
To specify an authentication and encryption key shared between the AAA server and the
TACACS+ server, use the key (TACACS+) command in TACACS host configuration mode. To disable
this feature, use the no form of this command.
Specifies the unencrypted key between the AAA server and the TACACS+
server.
Command Default
None
Command Modes
TACACS host configuration
Command History
Release          Modification
Release 3.6.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The TACACS+ packets are encrypted using the key, so it must match the key used by the
TACACS+ daemon. Specifying this key overrides the key set by the
tacacs-server key command for this server only.
The key is used to encrypt the packets sent to the TACACS+ server, and it must match
the key configured on the external TACACS+ server so that the packets are decrypted
properly. If the keys do not match, the exchange fails.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to set the encrypted key to anykey:
Globally sets the authentication encryption key used for all TACACS+
communications between the router and the TACACS+ daemon.
login authentication
To enable authentication, authorization, and accounting (AAA) authentication for logins,
use the login authentication command in line template configuration mode. To return to the default
authentication settings, use the no form of this command.
login authentication {default | list-name}
no login authentication
Syntax Description
default
Default list of AAA authentication methods, as set by the aaa
authentication login command.
list-name
Name of the method list used for authenticating. You specify this list with
the aaa authentication login command.
Command Default
This command uses the default set with the aaa authentication login
command.
Command Modes
Line template configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The login authentication command is a per-line command used
with AAA that specifies the name of a list of AAA authentication methods to try at
login.
Caution
If you use a list-name value that was not configured with
the aaa authentication login command, the configuration is rejected.
Entering the no form of the login
authentication command has the same effect as entering the command
with the default keyword.
Before issuing this command, create a list of authentication processes by using the
aaa authentication login global configuration command.
Task ID
Task ID        Operations
aaa            read, write
tty-access     read, write
Examples
The following example shows that the default AAA authentication is used for the line
template template1:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# line template template1
RP/0/0/CPU0:router(config-line)# login authentication default
The following example shows that the AAA authentication list called list1 is used
for the line template template2:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# line template template2
RP/0/0/CPU0:router(config-line)# login authentication list1
To create a login password for a user, use the password command in username
configuration mode or line template configuration mode. To remove the password, use the
no form of this command.
password {[0] | 7} password
no password {0 | 7} password
Syntax Description
0
(Optional) Specifies that an unencrypted clear-text password follows.
7
Specifies that an encrypted password follows.
password
Specifies the unencrypted password text to be entered by the user to log in,
for example, “lab”. If encryption is configured, the password is not visible
to the user.
Can be up to 253 characters in length.
Command Default
The password is in unencrypted clear text.
Command Modes
Username configuration
Line template configuration
Command History
Release          Modification
Release 3.2      This command was supported.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
You can specify one of two types of passwords: encrypted or clear text.
When an EXEC process is started on a line that has password protection, the process
prompts for the password. If the user enters the correct password, the process issues
the prompt. The user can try three times to enter a password before the process exits
and returns the terminal to the idle state.
Passwords are two-way encrypted and should be used for applications such as PPP that
need passwords that can be decrypted.
Note
The show running-config command always displays the
clear-text login password in encrypted form when the 0
option is used.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to establish the unencrypted password
pwd1 for a user. The output from the show
command displays the password in its encrypted form.
Accesses username configuration mode and configures a new user with a
username, establishing a password and granting permissions for that
user.
line
Enters line template configuration mode for the specified line template.
For more information, see the
Cisco IOS XR System Management Command Reference.
radius-server dead-criteria time
To specify the minimum amount of time, in seconds, that must elapse from the time that
the router last received a valid packet from the RADIUS server to the time the server is
marked as dead, use the radius-server dead-criteria time
command in global configuration mode. To disable the criteria that were
set, use the no form of this command.
radius-server dead-criteria time seconds
no radius-server dead-criteria time seconds
Syntax Description
seconds
Length of time, in seconds. The range is from 1 to 120 seconds. If the
seconds argument is not configured, the
number of seconds ranges from 10 to 60, depending on the transaction rate of
the server.
Note
The time criterion must be met for the server to be marked as dead.
Command Default
If the seconds argument is not configured, the number of
seconds ranges from 10 to 60 seconds, depending on the transaction rate of the
server.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.3.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Note
If you configure the radius-server dead-criteria time
command before the radius-server deadtime command, the
radius-server dead-criteria time command may not be
enforced.
If a packet has not been received since the router booted and there is a timeout, the
time criterion is treated as though it were met.
If the seconds argument is not indicated, the time is set to
the defaults.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to establish the time for the dead-criteria conditions
for a RADIUS server to be marked as dead for the radius-server dead-criteria
time command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# radius-server dead-criteria time 5
Displays information for the dead-server detection criteria.
radius-server dead-criteria tries
To specify the number of consecutive timeouts that must occur on the router before the
RADIUS server is marked as dead, use the radius-server dead-criteria tries
command in global configuration mode. To disable the criteria that were
set, use the no form of this command.
radius-server dead-criteria tries tries
no radius-server dead-criteria tries tries
Syntax Description
tries
Number of timeouts from 1 to 100. If the tries
argument is not configured, the number of consecutive timeouts ranges from
10 to 100, depending on the transaction rate of the server and the number of
configured retransmissions.
Note
The tries criterion must be met for the server to be marked as dead.
Command Default
If the tries argument is not configured, the number of
consecutive timeouts ranges from 10 to 100, depending on the transaction rate of the
server and the number of configured retransmissions.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.3.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If the server performs both authentication and accounting, both types of packet are
included in the number. Improperly constructed packets are counted as though they were
timeouts. All transmissions, including the initial transmit and all retransmits, are
counted.
Note
If you configure the radius-server dead-criteria tries
command before the radius-server deadtime command, the
radius-server dead-criteria tries command may not be
enforced.
If the tries argument is not indicated, the number of tries is
set to the default.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to establish the number of tries for the dead-criteria
conditions for a RADIUS server to be marked as dead for the radius-server
dead-criteria tries command:
Defines the length of time in seconds that must elapse from the time that
the router last received a valid packet from the RADIUS server to the
time the server is marked as dead.
Displays information for the dead-server detection criteria.
radius-server deadtime
To improve RADIUS response times when some servers are unavailable and cause the
unavailable servers to be skipped immediately, use the radius-server
deadtime command in global configuration mode. To set deadtime to 0,
use the no form of this command.
radius-server deadtime value
no radius-server deadtime value
Syntax Description
value
Length of time, in minutes, for which a RADIUS server is skipped over by
transaction requests, up to a maximum of 1440 (24 hours). The range is from
1 to 1440. The default value is 0.
Command Default
Dead time is set to 0.
Command Modes
Global configuration mode
Command History
Release          Modification
Release 3.3.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
A RADIUS server marked as dead is skipped by subsequent requests for the configured
number of minutes, unless all other servers are also marked dead and there is no
rollover method.
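As an added illustration (not Cisco IOS XR code), this Python models how the two dead criteria (time since the last valid packet and consecutive timeouts) combine with deadtime, including the no-packet-since-boot rule, deadtime 0, and the fallback when every server is dead. The server addresses, timings and the default-range values chosen are constructed.

```python
"""Model of RADIUS dead-server detection and deadtime.

Added illustration, not Cisco IOS XR code. It follows the rules stated in the
radius-server dead-criteria time, radius-server dead-criteria tries and
radius-server deadtime sections; addresses, timings and the defaults picked
from the documented ranges are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DeadCriteria:
    time_seconds: int = 10      # constructed pick from the 10-60 second default range
    tries: int = 10             # constructed pick from the 10-100 timeout default range
    deadtime_minutes: int = 0   # radius-server deadtime default is 0 (never skipped)


@dataclass
class RadiusServer:
    host: str
    auth_port: int = 1645
    acct_port: int = 1646
    last_valid: float | None = None   # time of last valid packet; None = none since boot
    consecutive_timeouts: int = 0
    dead_since: float | None = None


class RadiusClient:
    def __init__(self, servers: list[RadiusServer], criteria: DeadCriteria) -> None:
        self.servers = list(servers)   # kept in configured order
        self.criteria = criteria

    def record_valid_reply(self, server: RadiusServer, now: float) -> None:
        """A valid packet resets both criteria and revives the server."""
        server.last_valid = now
        server.consecutive_timeouts = 0
        server.dead_since = None

    def record_timeout(self, server: RadiusServer, now: float) -> bool:
        """Count one timeout (initial transmit or retransmit; an improperly
        constructed reply counts the same). Returns True if the server is now dead."""
        server.consecutive_timeouts += 1
        # Time criterion: no valid packet for time_seconds, or none at all since boot.
        time_met = (server.last_valid is None
                    or now - server.last_valid >= self.criteria.time_seconds)
        tries_met = server.consecutive_timeouts >= self.criteria.tries
        if time_met and tries_met:      # both criteria must be met
            server.dead_since = now
        return server.dead_since is not None

    def is_dead(self, server: RadiusServer, now: float) -> bool:
        """Dead for deadtime minutes; with deadtime 0 the mark has no effect."""
        if server.dead_since is None:
            return False
        if now - server.dead_since >= self.criteria.deadtime_minutes * 60:
            # deadtime has expired: the server becomes eligible again
            server.dead_since = None
            server.consecutive_timeouts = 0
            return False
        return True

    def select(self, now: float) -> RadiusServer:
        """First live server in configured order; if all are dead and there is
        no rollover method, the first configured server is tried anyway."""
        for server in self.servers:
            if not self.is_dead(server, now):
                return server
        return self.servers[0]
```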
Task ID
Task ID      Operations
aaa          read, write
Examples
This example specifies five minutes of deadtime for RADIUS servers that fail to
respond to authentication requests for the radius-server deadtime
command:
To specify a RADIUS server host, use the radius-server host
command in global configuration mode. To delete the specified RADIUS host, use the
no form of this command.
(Optional) Specifies the User Datagram Protocol (UDP) destination port for
authentication requests; the host is not used for authentication if set to
0. If unspecified, the port number defaults to 1645.
acct-port port-number
(Optional) Specifies the UDP destination port for accounting requests; the
host is not used for accounting if set to 0. If unspecified, the port number
defaults to 1646.
timeout seconds
(Optional) The time interval (in seconds) that the router waits for the
RADIUS server to reply before retransmitting. This setting overrides the
global value of the radius-server timeout command.
If no timeout value is specified, the global value is used. Enter a value in
the range from 1 to 1000. Default is 5.
retransmit retries
(Optional) The number of times a RADIUS request is re-sent to a server, if
that server is not responding or is responding slowly. This setting
overrides the global setting of the radius-server
retransmit command. If no retransmit value is specified,
the global value is used. Enter a value in the range from 1 to 100. Default
is 3.
key string
(Optional) Specifies the authentication and encryption key used between the
router and the RADIUS server. This key overrides the global setting of the
radius-server key command. If no key string
is specified, the global value is used.
The key is a text string that must match the encryption key used on the
RADIUS server. Always configure the key as the last item in the
radius-server host command syntax. This is
because the leading spaces are ignored, but spaces within and at the end of
the key are used. If you use spaces in the key, do not enclose the key in
quotation marks unless the quotation marks themselves are part of the
key.
Command Default
No RADIUS host is specified; use global
radius-server command values.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
You can use multiple radius-server host commands to specify multiple hosts. The Cisco
IOS XR software searches for hosts in the order in which you specify them. If no
host-specific timeout, retransmit, or key values are specified, the global values apply
to each host.
Task ID
Task ID      Operations
aaa          read, write
Examples
This example shows how to
establish the host with IP address 172.29.39.46 as the RADIUS server, use ports 1612 and
1616 as the authorization and accounting ports, set the timeout value to 6, set the
retransmit value to 5, and set “rad123” as the encryption key, matching the key on the
RADIUS server:
Sets the interval a router waits for a server host to reply.
radius-server key
To set the authentication and encryption key for all RADIUS communications between the
router and the RADIUS daemon, use the radius-server key
command in global configuration mode. To disable the key, use the no form of this
command.
Command Default
The authentication and encryption key is disabled.
Command Modes
Global configuration mode
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The key entered must match the key used on the RADIUS server. All leading spaces are
ignored, but spaces within and at the end of the key are used. If you use spaces in your
key, do not enclose the key in quotation marks unless the quotation marks themselves are
part of the key.
Task ID
Task ID      Operations
aaa          read, write
Examples
This example shows how to set the cleartext key to “samplekey”:
To specify the number of times the Cisco IOS XR software retransmits a packet
to a server before giving up, use the radius-server retransmit
command in global configuration mode. To disable retransmission, use the
no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries
Maximum number of retransmission attempts. The range is from 1 to 100.
Default is 3.
Command Default
The RADIUS servers are retried three times, or until a response is received.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The RADIUS client tries all servers, allowing each one to time out before increasing the
retransmit count.
Task ID
Task ID      Operations
aaa          read, write
Examples
This example shows how to specify a retransmit counter value of five times:
Sets the authentication and encryption key for all RADIUS communications
between the router and the RADIUS daemon.
radius-server timeout
To set the interval for which a router waits for a server host to reply before timing
out, use the radius-server timeout command in global
configuration mode. To restore the default, use the no form of
this command.
radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds
Number that specifies the timeout interval, in seconds. Range is from 1 to
1000.
Command Default
The default radius-server timeout value is 5 seconds.
Command Modes
Global configuration mode
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the radius-server timeout command to set the number of
seconds a router waits for a server host to reply before timing out.
Task ID
Task ID      Operations
aaa          read, write
Examples
This example shows how to change the interval timer to 10 seconds:
To force RADIUS to use the IP address of a specified interface or subinterface for all
outgoing RADIUS packets, use the radius source-interface
command in global configuration mode. To remove the specified interface as the source
for all outgoing RADIUS packets, use the no form of this command.
radius source-interface interface-name [vrf vrf-id]
no radius source-interface interface-name
Syntax Description
interface-name
Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-id
Specifies the name of the assigned VRF.
Command Default
If a specific source interface is not configured, or the interface is down or does not
have an IP address configured, the system selects an IP address.
Command Modes
Global configuration mode
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.4.0    The vrf keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the radius source-interface command to set the IP address
of the specified interface or subinterface for all outgoing RADIUS packets. This address
is used as long as the interface or subinterface is in the up state. In this way, the
RADIUS server can use one IP address entry for every network access client instead of
maintaining a list of IP addresses.
The specified interface or subinterface must have an IP address associated with it. If
the specified interface or subinterface does not have an IP address or is in the down
state, then RADIUS reverts to the default. To avoid this, add an IP address to the
interface or subinterface or bring the interface to the up state.
The radius source-interface command is especially useful in
cases in which the router has many interfaces or subinterfaces and you want to ensure
that all RADIUS packets from a particular router have the same IP address.
Task ID
Task ID      Operations
aaa          read, write
Examples
This example shows how to make RADIUS use the IP address of subinterface s2 for
all outgoing RADIUS packets:
To specify the number of times a RADIUS request is resent to a server if the server is
not responding or is responding slowly, use the retransmit
command in RADIUS server-group private configuration mode.
retransmit retries
no retransmit retries
Syntax Description
retries
The retries argument specifies the retransmit
value. The range is from 1 to 100. If no retransmit value is specified, the
global value is used.
Command Default
The default value is 3.
Command Modes
RADIUS server-group private configuration
Command History
Release          Modification
Release 3.4.0    This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to set the retransmit value:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/0/CPU0:router(config-sg-radius-private)# retransmit 100
Specifies the number of seconds the router waits for the RADIUS server to
reply before retransmitting.
secret
To configure an MD5-encrypted secret to be associated with an encrypted username, use
the secret command in username configuration mode or line template configuration
mode. To remove the secure secret, use the no form of this
command.
secret {[0] | 5} secret-login
no secret {0 | 5} secret-login
Syntax Description
0
(Optional) Specifies that an unencrypted (clear-text) password follows. The
password will be encrypted for storage in the configuration using an MD5
encryption algorithm. Otherwise, the password is not encrypted.
5
Specifies that an encrypted MD5 password (secret) follows.
secret-login
Text string in alphanumeric characters that is stored as the MD5-encrypted
password entered by the user in association with the user’s login ID.
Can be up to 253 characters in length.
Note
The characters entered must conform to MD5 encryption standards.
Command Default
No password is specified.
Command Modes
Username configuration
Line template configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Release 3.3.0    The password argument was replaced with the secret-login argument.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Cisco IOS XR software allows you to
configure Message Digest 5 (MD5) encryption for username logins and passwords. MD5
encryption is a one-way hash function that makes reversal of an encrypted password
impossible, providing strong encryption protection. Using MD5 encryption, you cannot
retrieve clear-text passwords. Therefore, MD5 encrypted passwords cannot be used with
protocols that require the clear-text password to be retrievable, such as Challenge
Handshake Authentication Protocol (CHAP).
You can specify one of two types of secure secret IDs: encrypted (5) or clear text (0).
If you do not select either 0 or 5, the clear-text password you enter is not
encrypted.
When an EXEC process is started on a line that has password protection, the process
prompts for the secret. If the user enters the correct secret, the process issues the
prompt. The user can try entering the secret three times before the terminal returns to
the idle state.
Secrets are one-way encrypted and should be used for login activities that do not
require a decryptable secret.
To verify that MD5 password encryption has been enabled, use the show
running-config command. If the “username name secret 5” line appears
in the command output, enhanced password security is enabled.
Note
The show running-config command does not display the login
password in clear text when the 0 option is used to specify
an unencrypted password. See the “Examples” section.
Task ID
Task ID      Operations
aaa          read, write
Examples
The following example shows how to establish the clear-text secret “lab” for the user
user2:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# username user2
RP/0/0/CPU0:router(config-un)# secret 0 lab
RP/0/0/CPU0:router(config-un)# commit
RP/0/0/CPU0:router(config-un)# show running-config
Building configuration...
username user2
secret 5 $1$DTmd$q7C6fhzje7Cc7Xzmu2Frx1
!
end
Accesses username configuration mode and configures a new user with a
username, establishing a password and granting permissions for that
user.
server (RADIUS)
To associate a particular RADIUS server with a defined server group, use the
server command in RADIUS server-group configuration
mode. To remove the associated server from the server group, use the no form of
this command.
(Optional) Specifies the User Datagram Protocol (UDP) destination port for
authentication requests. The port-number argument specifies the port
number for authentication requests. The host is not used for authentication
if this value is set to 0. Default is 1645.
acct-port port-number
(Optional) Specifies the UDP destination port for accounting requests. The
port-number argument specifies the port number for accounting
requests. The host is not used for accounting services if this value is set
to 0. Default is 1646.
Command Default
If no port attributes are defined, the defaults are as follows:
Authentication port: 1645
Accounting port: 1646
Command Modes
RADIUS server-group configuration
Command History
Release          Modification
Release 3.2      This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the server command to associate a particular RADIUS server
with a defined server group.
There are two different ways in which you can identify a server, depending on the way
you want to offer AAA services. You can identify the server simply by using its IP
address, or you can identify multiple host instances or entries using the optional
auth-port and acct-port
keywords.
When you use the optional keywords, the network access server identifies RADIUS security
servers and host instances associated with a group server based on their IP address and
specific UDP port numbers. The combination of the IP address and UDP port number creates
a unique identifier, allowing different ports to be individually defined as RADIUS host
entries providing a specific AAA service. If two different host entries on the same
RADIUS server are configured for the same service, for example, accounting, the second
host entry configured acts as an automatic switchover backup to the first one. Using
this example, if the first host entry fails to provide accounting services, the network
access server tries the second host entry configured on the same device for accounting
services. (The RADIUS host entries are tried in the order they are configured.)
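The IP-address-plus-UDP-port identifier and the in-order switchover described above, modelled as an added Python example (not Cisco code or output). The server-group lines are constructed from the Examples section plus a third, accounting-only entry; the reachability probe is a hypothetical callback standing in for the network access server's own retry logic.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Defaults stated in the command reference: auth-port 1645, acct-port 1646.
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646

# One "server <ip> [auth-port N] [acct-port N]" line as typed in
# RADIUS server-group configuration mode.
_SERVER_RE = re.compile(
    r"^\s*server\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+auth-port\s+(?P<auth>\d+))?"
    r"(?:\s+acct-port\s+(?P<acct>\d+))?\s*$"
)

Identifier = Tuple[str, int]


@dataclass(frozen=True)
class HostEntry:
    ip: str
    auth_port: int
    acct_port: int

    def identifier(self, service: str) -> Optional[Identifier]:
        """IP address + UDP port uniquely identifies a host entry for one
        service; a port of 0 means the entry does not provide that service."""
        port = self.auth_port if service == "authentication" else self.acct_port
        return None if port == 0 else (self.ip, port)


def parse_server_group(config_lines: Iterable[str]) -> List[HostEntry]:
    """Parse the server lines of one aaa group server radius block, keeping
    configuration order (the order in which host entries are tried)."""
    entries: List[HostEntry] = []
    for line in config_lines:
        m = _SERVER_RE.match(line)
        if not m:
            continue  # the "aaa group server radius ..." line, comments, etc.
        entries.append(HostEntry(
            ip=m.group("ip"),
            auth_port=int(m.group("auth") or DEFAULT_AUTH_PORT),
            acct_port=int(m.group("acct") or DEFAULT_ACCT_PORT),
        ))
    return entries


def service_candidates(entries: List[HostEntry], service: str) -> List[Identifier]:
    """Ordered list of distinct (ip, port) identifiers providing `service`.
    A repeated identifier is the same host entry, not a second backup."""
    seen = set()
    out: List[Identifier] = []
    for e in entries:
        ident = e.identifier(service)
        if ident is None or ident in seen:
            continue
        seen.add(ident)
        out.append(ident)
    return out


def select_host(entries: List[HostEntry], service: str,
                is_responding: Callable[[Identifier], bool]) -> Optional[Identifier]:
    """Try the candidates in configured order and return the first one the
    probe reports as responding; None when every entry has failed."""
    for ident in service_candidates(entries, service):
        if is_responding(ident):
            return ident
    return None


# Constructed sample: the two entries from the Examples section plus an
# accounting-only entry (auth-port 0) on the first server.
SAMPLE_GROUP = """
aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 server 1.1.1.1 auth-port 0 acct-port 1813
""".splitlines()

if __name__ == "__main__":
    entries = parse_server_group(SAMPLE_GROUP)
    print("authentication:", service_candidates(entries, "authentication"))
    print("accounting:", service_candidates(entries, "accounting"))
    # Simulate the first accounting entry failing: switchover goes to 2.2.2.2/2001.
    print("chosen:", select_host(entries, "accounting",
                                 lambda h: h != ("1.1.1.1", 1646)))
```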
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to use two different host entries on the same RADIUS
server that are configured for the same services—authentication and accounting. The
second host entry configured acts as switchover backup to the first one.
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
Configures the IP address of the private RADIUS server for the group
server.
server (TACACS+)
To associate a particular TACACS+ server with a defined server group, use the
server command in TACACS+ server-group configuration
mode. To remove the associated server from the server group, use the
no form of this command.
server
{ hostname | ip-address }
no server
{ hostname | ip-address }
Syntax Description
hostname
Character string used to name the server host.
ip-address
IP address of the server host.
Command Default
None
Command Modes
TACACS+ server-group configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The server need not be accessible during configuration. Later, you can reference the
configured server group from the method lists used to configure authentication,
authorization, and accounting (AAA).
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to associate the TACACS+ server with the IP address
192.168.60.15 with the server group tac1:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server tacacs+ tac1
RP/0/0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15
Groups different TACACS+ server hosts into distinct lists.
server-private (RADIUS)
To configure the IP address of the private RADIUS server for the group server, use the
server-private command in RADIUS server-group
configuration mode. To remove the associated private server from the AAA group server,
use the no form of this command.
(Optional) Specifies the User Datagram Protocol (UDP) destination port for
authentication requests. The port-number argument specifies the port
number for authentication requests. The host is not used for authentication
if this value is set to 0. The default value is 1645.
acct-port port-number
(Optional) Specifies the UDP destination port for accounting requests. The
port-number argument specifies the port number for accounting
requests. The host is not used for accounting services if this value is set
to 0. The default value is 1646.
timeout seconds
(Optional) Specifies the number of seconds the router waits for the RADIUS
server to reply before retransmitting. The setting overrides the global
value of the radius-server timeout command. If no
timeout is specified, the global value is used.
The seconds argument specifies the timeout value
in seconds. The range is from 1 to 1000. If no timeout is specified, the
global value is used.
retransmit retries
(Optional) Specifies the number of times a RADIUS request is resent to a
server if the server is not responding or is responding slowly. The setting
overrides the global setting of the radius-server
retransmit command.
The retries argument specifies the retransmit
value. The range is from 1 to 100. If no retransmit value is specified, the
global value is used.
key string
(Optional) Specifies the authentication and encryption key that is used
between the router and the RADIUS daemon running on the RADIUS server. This
key overrides the global setting of the radius-server
key command. If no key string is specified, the global
value is used.
Command Default
If no port attributes are defined, the defaults are as follows:
Authentication port: 1645
Accounting port: 1646
Command Modes
RADIUS server-group configuration
Command History
Release
Modification
Release 3.4.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the server-private command to associate a particular
private server with a defined server group. Overlapping IP addresses between VRF
instances are permitted. Private servers (servers with private addresses) can be
defined within the server group and remain hidden from other groups, while the servers
in the global pool (for example, the default radius server group) can still be referred to
by IP addresses and port numbers. Thus, the list of servers in a server group includes
references to the hosts in the global configuration and the definitions of private
servers.
Both the auth-port and acct-port
keywords enter RADIUS server-group private configuration mode.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to define the group1 RADIUS group server, to associate private servers with
it, and to enter RADIUS server-group private configuration mode:
Configures the Virtual Private Network (VPN) routing and forwarding (VRF)
reference of an AAA RADIUS server group.
server-private (TACACS+)
To configure the IP address of the private TACACS+ server for the group server, use the
server-private command in TACACS+ server-group
configuration mode. To remove the associated private server from the AAA group server,
use the no form of this command.
port port-number
(Optional) Specifies a server port number. This option overrides the default, which is port 49. Valid port numbers range from 1 to 65535.
timeout seconds
(Optional) Specifies, in seconds, a timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server. This option overrides the global timeout value set with the tacacs-server timeout command for only this server. The range is from 1 to 1000. The default is 5.
key string
(Optional) Specifies the authentication and encryption key that is used
between the router and the TACACS+ daemon running on the TACACS+ server. This
key overrides the global setting of the tacacs-server
key command. If no key string is specified, the global
value is used.
Command Default
The port-number argument, if not specified, defaults to the
standard port 49.
The seconds argument, if not specified, defaults to 5
seconds.
Command Modes
TACACS+ server-group configuration
Command History
Release
Modification
Release 4.1.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the server-private command to associate a particular
private server with a defined server group. Overlapping IP addresses between VRF
instances are permitted. Private servers (servers with private addresses) can be
defined within the server group and remain hidden from other groups, while the servers
in the global pool (for example, the default tacacs+ server group) can still be referred
to by IP addresses and port numbers. Therefore, the list of servers in a server group
includes references to the hosts in the global configuration and the definitions of
private servers.
Task ID
Task ID
Operations
aaa
read, write
Examples
This example shows how to define the myserver TACACS+ group server, to associate private servers with
it, and to enter TACACS+ server-group private configuration mode:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server tacacs+ myserver
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 timeout 5
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 key a_secret
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 port 51
RP/0/0/CPU0:router(config-sg-tacacs-private)# exit
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 timeout 5
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 key coke
RP/0/0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 port 300
RP/0/0/CPU0:router(config-sg-tacacs-private)#
Specifies a timeout value that sets the length of time the
authentication, authorization, and accounting (AAA) server waits to
receive a response from the TACACS+ server.
Configures the Virtual Private Network (VPN) routing and forwarding (VRF)
reference of an AAA TACACS+ server group.
show aaa
To display information about an Internet Key Exchange (IKE) Security Protocol group,
user group, local user, login traces, or task group; to list all task IDs associated
with all IKE groups, user groups, local users, or task groups in the system; or to list
all task IDs for a specified IKE group, user group, local user, or task group, use the
show aaa command in EXEC mode.
(Optional) IKE group whose details are to be displayed.
login trace
Displays trace data for login subsystem.
usergroup
Displays details for all user groups.
root-lr
(Optional) Usergroup name.
netadmin
(Optional) Usergroup name.
operator
(Optional) Usergroup name.
sysadmin
(Optional) Usergroup name.
root-system
(Optional) Usergroup name.
cisco-support
(Optional) Usergroup name.
usergroup-name
(Optional) Usergroup name.
trace
Displays trace data for AAA subsystem.
userdb
Displays details for all local users and the usergroups to which each user
belongs.
username
(Optional) User whose details are to be displayed.
task supported
Displays all AAA task IDs available.
taskgroup
Displays details for all task groups.
Note
For taskgroup keywords, see optional usergroup name keyword list.
taskgroup-name
(Optional) Task group whose details are to be displayed.
Command Default
Details for all user groups, or all local users, or all task groups are listed if no
argument is entered.
Command Modes
EXEC
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.4.0
The ikegroup keyword was added.
Release 3.5.0
The show task supported command was removed and its function was added as the task supported keyword of the show aaa command.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show aaa command to list details for all IKE groups,
user groups, local users, AAA task IDs,
or task groups in the system. Use the optional
ikegroup-name, usergroup-name,
username, or taskgroup-name
argument to display the details for a specified IKE group, user group, user, or task
group, respectively.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is from the show aaa command,
using the ikegroup keyword:
RP/0/0/CPU0:router# show aaa ikegroup
IKE Group ike-group
Max-Users = 50
IKE Group ikeuser
Group-Key = test-password
Default Domain = cisco.com
IKE Group ike-user
The following sample output is from the show aaa command,
using the usergroup keyword:
RP/0/0/CPU0:router# show aaa usergroup operator
User group 'operator'
Inherits from task group 'operator'
User group 'operator' has the following combined set
of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
The following sample output is from the show aaa command,
using the taskgroup keyword for a task group named netadmin:
The following sample output is from the show aaa command,
using the taskgroup keyword for an operator. The task group
operator has the following combined set of task IDs, which includes all inherited
groups:
The following sample output is from the show aaa command,
using the taskgroup keyword for a root system. The task-group
root system has the following combined set of task IDs, which includes all inherited
groups:
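A least-privilege review built on the show aaa usergroup listing above, as an added Python example (not Cisco code or output): it parses the combined task-ID table and reports operations a group holds beyond a baseline group. The operator listing is taken from the Examples section; the ops-tier1 group and its listing are constructed for illustration.

```python
import re
from typing import Dict, Set, Tuple

# One "Task: <task-id> : OPS" line from the combined task-ID listing.
_TASK_RE = re.compile(r"^Task:\s+(?P<task>\S+)\s+:\s+(?P<ops>[A-Z ]+?)\s*$")
# The "User group '<name>'" header line.
_GROUP_RE = re.compile(r"^User group '(?P<name>[^']+)'")

TaskMap = Dict[str, Set[str]]


def parse_usergroup(text: str) -> Tuple[str, TaskMap]:
    """Return (group name, {task ID: set of operations}) from the output of
    show aaa usergroup <name>."""
    name = ""
    tasks: TaskMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _GROUP_RE.match(line)
        if m and not name:
            name = m["name"]
            continue
        m = _TASK_RE.match(line)
        if m:
            tasks[m["task"]] = set(m["ops"].split())
    return name, tasks


def excess_privileges(actual: TaskMap, baseline: TaskMap) -> TaskMap:
    """Operations `actual` holds that `baseline` does not, per task ID.
    A task ID absent from the baseline counts as excess in full."""
    excess: TaskMap = {}
    for task, ops in actual.items():
        extra = ops - baseline.get(task, set())
        if extra:
            excess[task] = extra
    return excess


# The operator listing from the Examples section.
OPERATOR_OUTPUT = """\
User group 'operator'
Inherits from task group 'operator'
User group 'operator' has the following combined set
of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
"""

# Constructed listing for a hypothetical custom group that is meant to be no
# more privileged than operator, but has drifted.
TIER1_OUTPUT = """\
User group 'ops-tier1'
Inherits from task group 'ops-tier1'
User group 'ops-tier1' has the following combined set
of task IDs (including all inherited groups):
Task: aaa : READ
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ WRITE
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
"""

if __name__ == "__main__":
    _, baseline = parse_usergroup(OPERATOR_OUTPUT)
    name, actual = parse_usergroup(TIER1_OUTPUT)
    for task, ops in sorted(excess_privileges(actual, baseline).items()):
        print(f"{name}: task {task} has extra {' '.join(sorted(ops))}")
```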
Displays task IDs enabled for the currently logged-in user.
show radius
To display information about the RADIUS servers that are configured in the system, use
the show radius command in EXEC mode.
show radius
Syntax Description
This command has no keywords or arguments.
Command Default
If no radius servers are configured, no output is displayed.
Command Modes
EXEC
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show radius command to display statistics for each
configured RADIUS server.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is for the show radius
command:
RP/0/0/CPU0:router# show radius
Global dead time: 0 minute(s)
Server: 1.1.1.1/1645/1646 is UP
Timeout: 5 sec, Retransmit limit: 3
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 2.2.2.2/1645/1646 is UP
Timeout: 10 sec, Retransmit limit: 3
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields
shown in the display.
Table 1 show radius Field Descriptions
Field
Description
Server
Server IP address/UDP destination port for authentication requests/UDP
destination port for accounting requests.
Timeout
Number of seconds the router waits for a server host to reply before
timing out.
Retransmit limit
Number of times the Cisco IOS XR software
searches the list of RADIUS server hosts before giving up.
Sets the interval for which a router waits for a server host to
reply.
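A parser for the show radius display above, as an added Python example (not Cisco code or output), that turns the per-server counters into findings a defender would act on: a server not UP, responses that failed the authenticator check (shared-secret mismatch or forged replies), and timed-out requests. The sample output is constructed in the page's format with non-zero counters; the DOWN state string is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

_SERVER_RE = re.compile(
    r"^Server:\s+(?P<ip>\S+)/(?P<auth>\d+)/(?P<acct>\d+)\s+is\s+(?P<state>\w+)")
_TIMEOUT_RE = re.compile(
    r"^Timeout:\s+(?P<timeout>\d+)\s+sec,\s+Retransmit limit:\s+(?P<retx>\d+)")
_SECTION_RE = re.compile(r"^(Authentication|Accounting):$")


@dataclass
class RadiusServerStats:
    ip: str
    auth_port: int
    acct_port: int
    state: str
    timeout: int = 0
    retransmit_limit: int = 0
    authentication: Dict[str, int] = field(default_factory=dict)
    accounting: Dict[str, int] = field(default_factory=dict)

    @property
    def label(self) -> str:
        # Same ip/auth-port/acct-port form the display uses.
        return f"{self.ip}/{self.auth_port}/{self.acct_port}"


def parse_show_radius(text: str) -> List[RadiusServerStats]:
    """Parse show radius output into one record per server. Counter lines are
    comma-separated "<count> <name>" pairs, e.g. "0 timeouts, 0 bad responses"."""
    servers: List[RadiusServerStats] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SERVER_RE.match(line)
        if m:
            current = RadiusServerStats(m["ip"], int(m["auth"]), int(m["acct"]), m["state"])
            servers.append(current)
            section = None
            continue
        if current is None:
            continue  # global header such as "Global dead time: ..."
        m = _TIMEOUT_RE.match(line)
        if m:
            current.timeout = int(m["timeout"])
            current.retransmit_limit = int(m["retx"])
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section is None:
            continue
        counters = getattr(current, section)
        for piece in line.split(","):
            count, _, name = piece.strip().partition(" ")
            if count.isdigit() and name:
                counters[name] = int(count)
    return servers


def health_findings(servers: List[RadiusServerStats]) -> List[str]:
    """Conditions worth alerting on, in server order."""
    findings: List[str] = []
    for s in servers:
        if s.state != "UP":
            findings.append(f"{s.label}: server is {s.state}")
        for name, counters in (("authentication", s.authentication),
                               ("accounting", s.accounting)):
            bad = counters.get("bad authenticators", 0)
            if bad:
                findings.append(f"{s.label}: {bad} {name} bad authenticators")
            timeouts = counters.get("timeouts", 0)
            if timeouts:
                findings.append(f"{s.label}: {timeouts} {name} timeouts")
    return findings


# Constructed sample in the show radius format, with non-zero counters.
SAMPLE_OUTPUT = """\
Global dead time: 0 minute(s)
Server: 1.1.1.1/1645/1646 is UP
        Timeout: 5 sec, Retransmit limit: 3
        Authentication:
          12 requests, 0 pending, 1 retransmits
          10 accepts, 1 rejects, 0 challenges
          1 timeouts, 0 bad responses, 0 bad authenticators
          0 unknown types, 0 dropped, 8 ms latest rtt
        Accounting:
          4 requests, 0 pending, 0 retransmits
          4 responses, 0 timeouts, 0 bad responses
          0 bad authenticators, 0 unknown types, 0 dropped
          7 ms latest rtt
Server: 2.2.2.2/1645/1646 is DOWN
        Timeout: 10 sec, Retransmit limit: 3
        Authentication:
          3 requests, 0 pending, 3 retransmits
          0 accepts, 0 rejects, 0 challenges
          0 timeouts, 0 bad responses, 3 bad authenticators
          0 unknown types, 0 dropped, 0 ms latest rtt
"""

if __name__ == "__main__":
    for finding in health_findings(parse_show_radius(SAMPLE_OUTPUT)):
        print(finding)
```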
show radius accounting
To obtain information and detailed statistics for the RADIUS accounting server and port,
use the show radius accounting command in EXEC mode.
show radius accounting
Syntax Description
This command has no keywords or arguments.
Command Default
If no RADIUS servers are configured on the router, the output is empty. Counters such as
requests and pending read zero for a RADIUS server that has just been defined and has not
yet been used.
Command Modes
EXEC
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is displayed on a per-server basis for the show radius
accounting command:
RP/0/0/CPU0:router# show radius accounting
Server: 12.26.25.61, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.26.49.12, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.38.28.18, port: 29199
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields shown in the display.
Table 2 show radius accounting Field Descriptions
Field
Description
Server
Server IP address/UDP destination port for authentication requests; UDP
destination port for accounting requests.
Obtains information and detailed statistics for the RADIUS authentication
server and port.
show radius authentication
To obtain information and detailed statistics for the RADIUS authentication server and
port, use the show radius authentication command in EXEC mode.
show radius authentication
Syntax Description
This command has no keywords or arguments.
Command Default
If no RADIUS servers are configured on the router, the output is empty. Counters such as
requests and pending read zero for a RADIUS server that has just been defined and has not
yet been used.
Command Modes
EXEC
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is for the show radius authentication command:
Obtains information and detailed statistics for the RADIUS accounting
server and port.
show radius client
To obtain general information about the RADIUS client on Cisco IOS XR software, use the show
radius client command in EXEC mode.
show radius client
Syntax Description
This command has no keywords or arguments.
Command Default
The default value for the counters (for example, an invalid address) is 0. The network
access server (NAS) identifier is the hostname that is defined on the router.
Command Modes
EXEC
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The show radius client command displays the count of authentication and
accounting responses received from invalid RADIUS servers, that is, servers unknown to
the NAS. In addition, the show radius client command displays the hostname or NAS
identifier for the RADIUS authentication client, accounting client, or both.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is for the show radius client command:
RP/0/0/CPU0:router# show radius client
Client NAS identifier: miniq
Authentication responses from invalid addresses: 0
Accounting responses from invalid addresses: 0
This table describes the significant fields
shown in the display.
Table 4 show radius client Field Descriptions
Field
Description
Client NAS identifier
Identifies the NAS-identifier of the RADIUS authentication client.
Specifies the name or IP address of the configured RADIUS server.
auth-port auth-port
(Optional) Specifies the authentication port for the RADIUS server. The
default value is 1645.
acct-port acct-port
(Optional) Specifies the accounting port for the RADIUS server. The default
value is 1646.
Command Default
The default values for time and tries are not fixed to a single value; therefore, they
are calculated and fall within a range of 10 to 60 seconds for time and 10 to 100 for
tries.
Command Modes
EXEC
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID
Operations
aaa
read
Examples
The following sample output is for the show radius
dead-criteria command:
Defines the length of time in minutes for a RADIUS server to remain
marked dead.
show radius server-groups
To display information about the RADIUS server groups that are configured in the system,
use the show radius server-groups command in EXEC mode.
show radius server-groups
[ group-name [detail] ]
Syntax Description
group-name
(Optional) Name of the server group whose properties are displayed.
detail
(Optional) Displays properties for all the server groups.
Command Default
None
Command Modes
EXEC
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.4.0
Support was added for the group-name argument and detail keyword.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show radius server-groups command to display
information about each configured RADIUS server group, including the group name, numbers
of servers in the group, and a list of servers in the named server group. A global list
of all configured RADIUS servers, along with authentication and accounting port numbers,
is also displayed.
Task ID
Task ID
Operations
aaa
read
Examples
The “inherited from global” message is displayed if no group-level dead time is defined
for the group; otherwise, the group-level dead time value is displayed and the message is
omitted. The following sample output is for the show radius
server-groups command:
RP/0/0/CPU0:router# show radius server-groups
Global list of servers
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Server 2.2.2.2/1645/1646
Server group 'radgrp1' has 2 server(s)
Dead time: 0 minute(s) (inherited from global)
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Server 2.2.2.2/1645/1646
Server group 'radgrp-priv' has 1 server(s)
Dead time: 0 minute(s) (inherited from global)
Contains 1 server(s)
Server 3.3.3.3/1645/1646 [private]
The following sample output shows the detailed properties of the server group
“radgrp1”:
RP/0/0/CPU0:router# show radius server-groups radgrp1 detail
Server group 'radgrp1' has 2 server(s)
VRF default (id 0x60000000)
Dead time: 0 minute(s) (inherited from global)
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server 2.2.2.2/1645/1646
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
The following sample output shows the detailed properties of the server group
“radgrp-priv”:
RP/0/0/CPU0:router# show radius server-groups radgrp-priv detail
Server group 'radgrp-priv' has 1 server(s)
VRF default (id 0x60000000)
Dead time: 0 minute(s) (inherited from global)
Contains 1 server(s)
Server 3.3.3.3/1645/1646 [private]
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields
shown in the display.
Table 6 show radius server-groups Field Descriptions
Field
Description
Server
Server IP address/UDP destination port for authentication requests/UDP
destination port for accounting requests.
Configures the Virtual Private Network (VPN) routing and forwarding (VRF)
reference of an AAA RADIUS server group.
show tacacs
To display information about the TACACS+ servers that are configured in the system, use
the show tacacs command in EXEC mode.
show tacacs
Syntax Description
This command has no keywords or arguments.
Command Default
None
Command Modes
EXEC
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show tacacs command to display statistics for each configured TACACS+ server.
Task ID
Task ID
Operations
aaa
read
Examples
The following is sample output from the show tacacs
command:
This table describes the significant fields
shown in the display.
Table 7 show tacacs Field Descriptions
Field
Description
Server
Server IP address.
opens
Number of socket opens to the external server.
closes
Number of socket closes to the external server.
aborts
Number of TACACS+ requests that have been aborted midway.
errors
Number of error replies from the external server.
packets in
Number of TCP packets that have been received from the external
server.
packets out
Number of TCP packets that have been sent to the external server.
show tacacs server-groups
To display information about the TACACS+ server groups that are configured in the
system, use the show tacacs server-groups command in EXEC
mode.
show tacacs server-groups
Syntax Description
This command has no keywords or arguments.
Command Default
None
Command Modes
EXEC
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show tacacs server-groups command to display
information about each configured TACACS+ server group, including the group name,
numbers of servers in the group, and a list of servers in the named server group. A
global list of all configured TACACS+ servers is also displayed.
Task ID
Task ID
Operations
aaa
read
Examples
The following is sample output from the show tacacs
server-groups command:
RP/0/0/CPU0:router# show tacacs server-groups
Global list of servers
Server 12.26.25.61/23456
Server 12.26.49.12/12345
Server 12.26.49.12/9000
Server 12.26.25.61/23432
Server 5.5.5.5/23456
Server 1.1.1.1/49
Server group ‘tac100’ has 1 servers
Server 12.26.49.12
This table describes the significant fields shown in the display.
Table 8 show tacacs server-groups Field Descriptions
show user
To display all user groups and task IDs associated with the currently logged-in user,
use the show user command in EXEC mode.
show user
[ all | authentication | group | tasks ]
Syntax Description
all
(Optional) Displays all user groups and task IDs for the currently logged-in
user.
authentication
(Optional) Displays authentication method parameters for the currently
logged-in user.
group
(Optional) Displays the user groups associated with the currently logged-in
user.
tasks
(Optional) Displays task IDs associated with the currently logged-in user.
The tasks keyword indicates which task is reserved
in the sample output.
Command Default
None
Command Modes
EXEC
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
The following enhancements are added:
An example was added to display all the group and tasks.
The authentication keyword was added.
The sample output for the group keyword was updated.
The sample output to display whether or not a task is reserved for the tasks keyword was updated.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show user command to display all user groups and task
IDs associated with the currently logged-in user.
Task ID
Task ID
Operations
none
—
Examples
The following sample output displays the authentication method parameters from the
show user command:
RP/0/0/CPU0:router# show user authentication method
local
The following sample output displays the groups from the show
user command:
RP/0/0/CPU0:router# show user group
root-system
The following sample output displays all the information for the groups and tasks from
the show user command:
Displays the task maps for selected user groups, local users, or task
groups.
single-connection
To multiplex all TACACS+ requests to this server over a single TCP connection, use the
single-connection command in TACACS host configuration
mode. To disable the single TCP connection for all new sessions that use a separate
connection, use the no form of this command.
single-connection
no single-connection
Syntax Description
This command has no keywords or arguments.
Command Default
By default, a separate connection is used for each session.
Command Modes
TACACS host configuration
Command History
Release
Modification
Release 3.6.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The single-connection command allows the TACACS+ server to
handle a greater number of TACACS operations than would be possible if multiple TCP
connections were used to send requests to a server.
The TACACS+ server that is being used must support single-connection mode for this to be
effective; otherwise, the connection between the network access server and the TACACS+
server locks up or you can receive unauthentic errors.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to configure a single TCP connection to be made with the
TACACS+ server (IP address 209.165.200.226) and all authentication, authorization,
accounting requests to use this TCP connection. This works only if the TACACS+ server is
also configured in single-connection mode. To configure the TACACS+ server in single
connection mode, refer to the respective server manual.
tacacs-server host
To specify a TACACS+ host server, use the tacacs-server host
command in global configuration mode. To delete the specified name or address, use the
no form of this command.
Host or domain name or IP address of the TACACS+ server.
port port-number
(Optional) Specifies a server port number. This option overrides the
default, which is port 49. Valid port numbers range from 1 to 65535.
timeout seconds
(Optional) Specifies a timeout value that sets the length of time the
authentication, authorization, and accounting (AAA) server waits to receive
a response from the TACACS+ server. This option overrides the global timeout
value set with the tacacs-server timeout command
for this server only. The valid timeout range is from 1 to 1000 seconds.
Default is 5.
key [0 | 7]
auth-key
(Optional) Specifies an authentication and encryption key shared between the
AAA server and the TACACS+ server. The TACACS+ packets are encrypted using
this key. This key must match the key used by the TACACS+ daemon. Specifying
this key overrides the key set by the tacacs-server
key command for this server only.
(Optional) Entering 0 specifies that an
unencrypted (clear-text) key follows.
(Optional) Entering 7 specifies that an encrypted
key follows.
The auth-key argument specifies the unencrypted
key between the AAA server and the TACACS+ server.
single-connection
(Optional) Multiplexes all TACACS+ requests to this server over a single TCP
connection. By default, a separate connection is used for each session.
Command Default
No TACACS+ host is specified.
The port-number argument, if not specified, defaults to the
standard port 49.
The seconds argument, if not specified, defaults to 5
seconds.
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
The show run command was modified to display the default values for both the port keyword and the timeout keyword, if values are not specified.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The key keyword must be entered last because it uses a line
(text with breaks) rather than a string (text only, with no breaks). Any text and line
breaks up to the time the user presses Enter can be used as part of the key.
You can use multiple tacacs-server host commands to specify
additional hosts. Cisco IOS XR software
searches for hosts in the order in which you specify them.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to specify a TACACS+ host with the IP address
209.165.200.226:
The following example shows that the default values from the tacacs-server
host command are displayed from the show
run command:
RP/0/0/CPU0:router# show run
Building configuration...
!! Last configuration change at 13:51:56 UTC Mon Nov 14 2005 by lab
!
tacacs-server host 209.165.200.226 port 49
timeout 5
!
The following example shows how to specify that the router consult the TACACS+ server
host named host1 on port number 51. The timeout value for requests on this connection is
30 seconds; the encryption key is a_secret.
RP/0/0/CPU0:router(config)# tacacs-server host host1 port 51 timeout 30 key a_secret
Specifies a timeout value that sets the length of time the
authentication, authorization, and accounting (AAA) server waits to
receive a response from the TACACS+ server.
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the
router and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
Specifies the unencrypted key between the AAA server and the TACACS+
server.
Command Default
None
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.6.0
The following keywords were added:
0
7
auth-key
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The key name entered must match the key used on the TACACS+ daemon. The key name applies
to all servers that have no individual keys specified. All leading spaces are ignored;
spaces within and after the key are not. If you use spaces in your key, do not enclose
the key in quotation marks unless the quotation marks themselves are part of the key.
The key name is valid only when the following guidelines are followed:
The clear-text-key argument must be
followed by the 0 keyword.
The encrypted-key argument must be
followed by the 7 keyword.
The TACACS server key is used only if no key is configured for an individual TACACS
server. Keys configured for an individual TACACS server always override this global key
configuration.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example sets the authentication and encryption key to key1:
To set the interval that the server waits for a server host to reply, use the
tacacs-server timeout command in global configuration
mode. To restore the default, use the no form of this
command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds
Integer that specifies the timeout interval (in seconds) from 1 to 1000.
Command Default
5 seconds
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The TACACS+ server timeout is used only if no timeout is configured for an individual
TACACS+ server. Timeout intervals configured for an individual TACACS+ server always
override this global timeout configuration.
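As an added illustration of the override rules stated for tacacs-server host, tacacs-server key and tacacs-server timeout (example code written for this page, not Cisco's, run against a constructed configuration excerpt), the following Python parses those commands and reports the effective port, timeout and key per server, and flags any server that ends up with no key at all:

```python
"""Resolve effective per-host TACACS+ settings from IOS XR configuration text.

Added example, not Cisco code. Models the precedence rules in this reference:
a port, timeout or key on an individual tacacs-server host overrides the global
tacacs-server timeout / tacacs-server key; port defaults to 49 and timeout to 5
seconds. The sample configuration below is constructed, not from a device.
"""
import re

DEFAULT_PORT, DEFAULT_TIMEOUT = 49, 5

SAMPLE_CONFIG = """\
tacacs-server timeout 10
tacacs-server key 7 0822455D0A16
tacacs-server host 209.165.200.226 port 49
tacacs-server host host1 port 51 timeout 30 key a secret with spaces
tacacs-server host 209.165.201.1
 single-connection
 timeout 20
"""

# `key` takes the rest of the line: leading spaces are dropped, spaces within
# and after the key are kept. The 0/7 prefix only describes the input format.
_KEY_RE = re.compile(r"(?:^|\s)key\s+(?:[07]\s+)?(.*)$")

def _checked(value, lo, hi, what):
    """Enforce the documented ranges: port 1-65535, timeout 1-1000."""
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{what} {n} outside {lo}-{hi}")
    return n

def _apply_options(line, host):
    """Apply [port N] [timeout N] [single-connection] [key [0|7] text] to host."""
    m = _KEY_RE.search(line)
    if m:
        host["key"] = m.group(1)
        line = line[: m.start()]
    tokens, i = line.split(), 0
    while i < len(tokens):
        if tokens[i] == "port":
            host["port"] = _checked(tokens[i + 1], 1, 65535, "port")
            i += 2
        elif tokens[i] == "timeout":
            host["timeout"] = _checked(tokens[i + 1], 1, 1000, "timeout")
            i += 2
        elif tokens[i] == "single-connection":
            host["single_connection"] = True
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} for {host['name']}")

def parse_tacacs_config(text):
    """Return {'timeout': global, 'key': global or None, 'hosts': [host dicts]}."""
    cfg, current = {"timeout": DEFAULT_TIMEOUT, "key": None, "hosts": []}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:  # TACACS host submode
            _apply_options(raw, current)
            continue
        current, tokens = None, raw.split()
        if tokens[:2] == ["tacacs-server", "timeout"]:
            cfg["timeout"] = _checked(tokens[2], 1, 1000, "timeout")
        elif tokens[:2] == ["tacacs-server", "key"]:
            cfg["key"] = _KEY_RE.search(raw).group(1)
        elif tokens[:2] == ["tacacs-server", "host"]:
            current = {"name": tokens[2], "port": None, "timeout": None,
                       "key": None, "single_connection": False}
            cfg["hosts"].append(current)
            _apply_options(raw.split(None, 3)[3] if len(tokens) > 3 else "", current)
    return cfg

def effective_settings(cfg):
    """Per-host values: the host's own setting, else the global one, else the default."""
    result = {}
    for h in cfg["hosts"]:
        result[h["name"]] = {
            "port": DEFAULT_PORT if h["port"] is None else h["port"],
            "timeout": cfg["timeout"] if h["timeout"] is None else h["timeout"],
            "key": cfg["key"] if h["key"] is None else h["key"],
            "key_source": "host" if h["key"] is not None
            else ("global" if cfg["key"] else "none"),
            "single_connection": h["single_connection"],
        }
    return result

def hosts_without_key(cfg):
    """Hosts that would be contacted with no shared key, so packets go unencrypted."""
    return [n for n, s in effective_settings(cfg).items() if s["key_source"] == "none"]
```

Unrelated configuration lines are ignored, so the parser can be pointed at a full show run excerpt.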
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows the interval timer being changed to 10 seconds:
To set the Differentiated Services Code Point (DSCP), which is represented by the first six bits in the Type of Service (ToS) byte of the IP header, use the tacacs-server ipv4 command in global configuration mode.
tacacs-server ipv4 dscp dscp-value
Syntax Description
ipv4
Specifies the dscp bit for the IPv4 packets.
dscp
Sets the DSCP in the IP header.
dscp-value
Specifies the options for setting the value of DSCP. The available options are:
<0-63> Differentiated services codepoint value
af11 Match packets with AF11 dscp (001010)
af12 Match packets with AF12 dscp (001100)
af13 Match packets with AF13 dscp (001110)
af21 Match packets with AF21 dscp (010010)
af22 Match packets with AF22 dscp (010100)
af23 Match packets with AF23 dscp (010110)
af31 Match packets with AF31 dscp (011010)
af32 Match packets with AF32 dscp (011100)
af33 Match packets with AF33 dscp (011110)
af41 Match packets with AF41 dscp (100010)
af42 Match packets with AF42 dscp (100100)
af43 Match packets with AF43 dscp (100110)
cs1 Match packets with CS1(precedence 1) dscp (001000)
cs2 Match packets with CS2(precedence 2) dscp (010000)
cs3 Match packets with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
Command Default
None
Command Modes
Global Configuration mode
Command History
Release
Modification
Release 4.3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID
Operation
aaa
read, write
Examples
The following example sets the DSCP value to Assured Forwarding (AF)11:
To specify the source IP address of a selected interface for all outgoing TACACS+
packets, use the tacacs source-interface command in global
configuration mode. To disable use of the specified interface IP address, use the
no form of this command.
tacacs source-interface type path-id [ vrf vrf-id ]
no tacacs source-interface type path-id
Syntax Description
type
Interface type. For more information, use the question mark (?) online help
function.
path-id
Physical interface or virtual interface.
Note
Use the show interfaces command in EXEC mode to see a list of
all interfaces currently configured on the router.
For more information about the syntax for the router, use the question mark
(?) online help function.
vrf vrf-id
Specifies the name of the assigned VRF.
Command Default
If a specific source interface is not configured, or the interface is down or does not
have an IP address configured, the system selects an IP address.
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 4.1.0
The vrf keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the tacacs source-interface command to set the IP address
of the specified interface for all outgoing TACACS+ packets. This address is used as
long as the interface is in the up state. In this way, the
TACACS+ server can use one IP address entry associated with the network access client
instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you
want to ensure that all TACACS+ packets from a particular router have the same IP
address.
When the specified interface does not have an IP address or is in a
down state, TACACS+ behaves as if no source interface
configuration is used.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to set the IP address of the specified interface for all
outgoing TACACS+ packets:
Groups different server hosts into distinct lists and distinct
methods.
task
To add a task ID to a task group, use the task command in task
group configuration mode. To remove a task ID from a task group, use the
no form of this command.
Enables read-only privileges for the named task ID.
write
Enables write privileges for the named task ID. The term “write” implies
read also.
execute
Enables execute privileges for the named task ID.
debug
Enables debug privileges for the named task ID.
taskid-name
Name of the task ID.
Command Default
No task IDs are assigned to a newly created task group.
Command Modes
Task group configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the task command in task group configuration mode. To
access task group configuration mode, use the taskgroup
command in global configuration mode.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to enable execute privileges for the config-services
task ID and associate that task ID with the task group named taskgroup1:
Configures a task group to be associated with a set of task IDs.
taskgroup
To configure a task group to be associated with a set of task IDs, and to enter task
group configuration mode, use the taskgroup command in global
configuration mode. To delete a task group, use the no form of
this command.
(Optional) Enables you to create a description for the named task group.
string
(Optional) Character string used for the task group description.
task
(Optional) Specifies that a task ID is to be associated with the named task
group.
read
(Optional) Specifies that the named task ID permits read access only.
write
(Optional) Specifies that the named task ID permits read and write access
only.
execute
(Optional) Specifies that the named task ID permits execute access.
debug
(Optional) Specifies that the named task ID permits debug access only.
taskid-name
(Optional) Name of a task: the task ID.
inherit taskgroup
(Optional) Copies permissions from the named task group.
taskgroup-name
(Optional) Name of the task group from which permissions are to be
inherited.
Command Default
Five predefined user groups are available by default.
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
Support was added to display all task groups in global configuration
mode.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task groups are configured with a set of task IDs for each action type. Deleting a task
group that is still referenced in the system results in a warning and rejection of the
deletion.
From global configuration mode, you can display all the configured task groups. However,
you cannot display all the configured task groups in taskgroup configuration mode.
Entering the taskgroup command with no keywords or arguments
enters task group configuration mode, in which you can use the
description, inherit,
show, and task commands.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example assigns read bgp permission to the task group named alpha:
To specify the number of seconds the router waits for the RADIUS server to reply before
retransmitting, use the timeout command in RADIUS server-group
private configuration mode. To disable this command and return to the default timeout
value of 5 seconds, use the no form of this command.
timeout seconds
no timeout seconds
Syntax Description
seconds
Timeout value (in seconds). The range is from 1 to 1000. If no timeout is
specified, the global value is used.
Command Default
seconds: 5
Command Modes
RADIUS server-group private configuration
Command History
Release
Modification
Release 3.4.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to set the number of seconds for the timeout value:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/0/CPU0:router(config-sg-radius-private)# timeout 500
Configures the IP address of the private RADIUS server for the group
server.
timeout (TACACS+)
To specify a timeout value that sets the length of time the authentication,
authorization, and accounting (AAA) server waits to receive a response from the TACACS+
server, use the timeout (TACACS+) command in TACACS host
configuration mode. To disable this command and return to the default timeout value of 5
seconds, use the no form of this command.
timeout seconds
no timeout seconds
Syntax Description
seconds
Timeout value (in seconds). The range is from 1 to 1000. If no timeout is
specified, the global value is used.
Command Default
seconds: 5
Command Modes
TACACS host configuration
Command History
Release
Modification
Release 3.6.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The timeout (TACACS+) command overrides the global timeout
value set with the tacacs-server timeout command for this
server only.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to set the number of seconds for the timeout value:
To set the interval that the server waits for a reply to a login, use the
timeout login response command in line template
configuration mode. To restore the default, use the no form of
this command.
timeout login response seconds
no timeout login response seconds
Syntax Description
seconds
Integer that specifies the timeout interval (in seconds) from 0 to 300.
Command Default
seconds: 30
Command Modes
Line template configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the timeout login response command in line template
configuration mode to set the timeout value. This timeout value applies to all terminal
lines to which the entered line template is applied. This timeout value can also be
applied to line console. After the timeout value has expired, the user is prompted
again. The retry is allowed three times.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to change the interval timer to 20 seconds:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# line template alpha
RP/0/0/CPU0:router(config-line)# timeout login response 20
To configure a user group and associate it with a set of task groups, and to enter user
group configuration mode, use the usergroup command in global
configuration mode. To delete a user group, or to delete a task-group association with
the specified user group, use the no form of this command.
usergroup usergroup-name
no usergroup usergroup-name
Syntax Description
usergroup-name
Name of the user group. The usergroup-name
argument can be only one word. Spaces and quotation marks are
not allowed.
Command Default
Five predefined user groups are available by default.
Command Modes
Global configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
Support was added to display all user groups in global configuration
mode.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
User groups are configured with the command parameters for a set of users, such as task
groups. You can remove specific user groups by using the no form of the
usergroup command. You can remove the user group itself
by using the no form of the command without giving any parameters. Deleting a
user group that is still referenced in the system results in a warning and a rejection
of the deletion.
Use the inherit usergroup command
to copy permissions from other user groups. The user group is inherited by the parent
group and forms a union of all task IDs specified in those groups. Circular inclusions
are detected and rejected. User groups cannot inherit properties from predefined groups,
such as root-system and owner-sdr.
From global configuration mode, you can display all the configured user groups. However,
you cannot display all the configured user groups in usergroup configuration mode.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to add permissions from the user group beta to the user
group alpha:
Configures a task group to be associated with a set of task IDs.
username
To configure a new user with a username, establish a password, grant permissions for the
user, and to enter username configuration mode, use the username
command in either global configuration or administration configuration
mode. To delete a user from the database, use the no form of
this command.
Name of the user. The user-name argument can be
only one word. Spaces and quotation marks are not allowed.
password
(Optional) Enables a password to be created for the named user.
0
(Optional) Specifies that an unencrypted (clear-text) password follows. The
password will be encrypted for storage in the configuration using a Cisco
proprietary encryption algorithm.
7
(Optional) Specifies that an encrypted password follows.
password
(Optional) Specifies the unencrypted password text to be entered by the user
to log in, for example, lab. If encryption is configured,
the password is not visible to the user.
Can be up to 253 characters in length.
secret
(Optional) Enables an MD5-secured password to be created for the named
user.
0
(Optional) Specifies that an unencrypted (clear-text) password follows. The
password will be encrypted for storage in the configuration using an MD5
encryption algorithm.
5
(Optional) Specifies that an encrypted password follows.
group
(Optional) Enables a named user to be associated with a user group.
usergroup-name
(Optional) Name of a user group as defined with the
usergroup command.
Command Default
No usernames are defined in the system.
Command Modes
Global configuration
Administration configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
Support was added to display all user names in global configuration
mode.
Release 3.6.0
Having cisco-support privileges as the only group was disallowed.
Release 3.7.0
The command syntax descriptions, usage information, and examples were
corrected or enhanced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Note
A user is never allowed to have cisco-support privileges as the only group.
Use the username command to identify
the user and enter username configuration mode. Password and user group assignments can
be made from either global configuration mode or username configuration submode.
Permissions (task IDs) are assigned by associating the user with one or more defined
user groups.
From global configuration mode, you can display all the configured usernames. However,
you cannot display all the configured usernames in username configuration mode.
Each user is identified by a username that is unique across the administrative domain.
Each user should be made a member of at least one user group. Deleting a user group may
orphan the users associated with that group. The AAA server authenticates orphaned
users, but most commands are not authorized.
The username command is associated with a particular user for
local login authentication by default. Alternatively, a user and password can be
configured in the database of the RADIUS server for RADIUS login authentication, or a user and password can be
configured in the database of the TACACS+ server for TACACS+ login
authentication. For more information, see the description of the aaa authentication command.
The predefined group root-system may be specified only by root-system users while
administration is configured.
Note
To enable the local networking device to respond to remote Challenge Handshake
Authentication Protocol (CHAP) challenges, one username
command entry must be the same as the hostname entry that has already been assigned
to the other networking device.
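The following Python, added here and not part of Cisco's documentation, applies the rules stated above for task, taskgroup, usergroup and username to constructed sample groups: write implies read, inheritance forms a union of task IDs, circular inclusion and inheritance from predefined groups are rejected, cisco-support cannot be a user's only group, and a task group that is still referenced cannot be deleted. All group, user and task-ID names are constructed, and PREDEFINED_USERGROUPS lists only the two predefined groups this reference names.

```python
"""Effective task-ID permissions of an IOS XR user from its task groups and
user groups, with the consistency rules this reference states enforced.

Added example, not Cisco code. Rules modelled: write implies read; inherit
taskgroup / inherit usergroup form a union of task IDs; circular inclusions
are rejected; user groups cannot inherit from predefined groups; cisco-support
may not be a user's only group; a referenced task group cannot be deleted.
The sample definitions below are constructed, not from a device.
"""

OPERATIONS = ("read", "write", "execute", "debug")
# Predefined groups named in this reference; a real device has more.
PREDEFINED_USERGROUPS = {"root-system", "owner-sdr"}

TASKGROUPS = {
    "taskgroup1": {"tasks": {"config-services": ["execute"]}},
    "alpha": {"tasks": {"bgp": ["read"]}},
    "gamma": {"tasks": {"bgp": ["write"], "ospf": ["read", "debug"]},
              "inherit": ["taskgroup1"]},
    "spare": {"tasks": {"ospf": ["read"]}},
}
USERGROUPS = {
    "beta": {"taskgroups": ["gamma"]},
    "alpha": {"taskgroups": ["alpha"], "inherit": ["beta"]},
}
USERS = {"lab": ["alpha"], "helpdesk": ["cisco-support"]}


def _expand(ops):
    """Normalise one task's operations: write implies read."""
    ops = set(ops)
    if not ops <= set(OPERATIONS):
        raise ValueError(f"unknown operation in {sorted(ops)}")
    if "write" in ops:
        ops.add("read")
    return ops

def _merge(into, other):
    """Union two {task_id: set(ops)} maps in place."""
    for task_id, ops in other.items():
        into.setdefault(task_id, set()).update(ops)
    return into

def _check_cycle(stack, name):
    if name in stack:
        raise ValueError("circular inheritance: " + " -> ".join(stack + (name,)))

def taskgroup_permissions(taskgroups, name, _stack=()):
    """Effective {task_id: ops} of a task group, following inherit taskgroup."""
    _check_cycle(_stack, name)
    group, perms = taskgroups[name], {}
    for parent in group.get("inherit", []):
        _merge(perms, taskgroup_permissions(taskgroups, parent, _stack + (name,)))
    for task_id, ops in group.get("tasks", {}).items():
        _merge(perms, {task_id: _expand(ops)})
    return perms

def usergroup_permissions(usergroups, taskgroups, name, _stack=()):
    """Union over the group's task groups and the user groups it inherits."""
    _check_cycle(_stack, name)
    group, perms = usergroups[name], {}
    for parent in group.get("inherit", []):
        if parent in PREDEFINED_USERGROUPS:
            raise ValueError(f"{name}: cannot inherit from predefined group {parent}")
        _merge(perms, usergroup_permissions(usergroups, taskgroups, parent, _stack + (name,)))
    for tg in group.get("taskgroups", []):
        _merge(perms, taskgroup_permissions(taskgroups, tg))
    return perms

def user_permissions(users, usergroups, taskgroups, username):
    """Effective permissions of a user: the union over all of its user groups."""
    groups = users[username]
    if set(groups) == {"cisco-support"}:
        raise ValueError(f"{username}: cisco-support may not be the only group")
    perms = {}
    for g in groups:
        _merge(perms, usergroup_permissions(usergroups, taskgroups, g))
    return perms

def delete_taskgroup(taskgroups, usergroups, name):
    """Delete a task group; rejected while a task group or user group references it."""
    holders = [g for g, d in taskgroups.items() if name in d.get("inherit", [])]
    holders += [u for u, d in usergroups.items() if name in d.get("taskgroups", [])]
    if holders:
        raise ValueError(f"{name} still referenced by {sorted(holders)}; deletion rejected")
    del taskgroups[name]
    return True
```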
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows the commands available after executing the
username command in global configuration mode:
To associate a user group and its privileges with a line, use the users
group command in line template configuration mode. To delete a user
group association with a line, use the no form of this
command.
Name of the user group. The usergroup-name
argument can be only one word. Spaces and quotation marks are
not allowed.
cisco-support
Specifies that users logging in through the line are given Cisco support
personnel privileges.
netadmin
Specifies that users logging in through the line are given network
administrator privileges.
operator
Specifies that users logging in through the line are given operator
privileges.
root-lr
Specifies that users logging in through the line are given root logical
router (LR) privileges.
root-system
Specifies that users logging in through the line are given root system
privileges.
serviceadmin
Specifies that users logging in through the line are given service
administrator group privileges.
sysadmin
Specifies that users logging in through the line are given system
administrator privileges.
Command Default
None
Command Modes
Line template configuration
Command History
Release
Modification
Release 3.2
This command was introduced.
Release 3.3.0
The serviceadmin keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the users group command to enable a user group and its
privileges to be associated with a line, meaning that users logging in through the line
are given the privileges of the particular user group.
Task ID
Task ID
Operations
aaa
read, write
Examples
In the following example, if a vty-pool is created with line template vty, users
logging in through vty are given operator privileges:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa authen login vty-authen line
RP/0/0/CPU0:router(config)# commit
RP/0/0/CPU0:router(config)# line template vty
RP/0/0/CPU0:router(config-line)# users group operator
RP/0/0/CPU0:router(config-line)# login authentication
vrf (RADIUS)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of
an AAA RADIUS server group, use the vrf command in RADIUS
server-group configuration mode. To enable server groups to use the global (default)
routing table, use the no form of this command.
vrf vrf-name
no vrf vrf-name
Syntax Description
vrf-name
Name assigned to a VRF.
Command Default
The default VRF is used.
Command Modes
RADIUS server-group configuration
Command History
Release
Modification
Release 3.4.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the vrf command to specify a VRF for an AAA RADIUS server
group and enable dial-up users to use AAA servers in different routing domains.
Task ID
Task ID
Operations
aaa
read, write
Examples
The following example shows how to use the vrf command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server radius group1
RP/0/0/CPU0:router(config-sg-radius)# vrf wal-mart
Configures the IP address of the private RADIUS server for the group
server.
vrf (TACACS+)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of
an AAA TACACS+ server group, use the vrf command in TACACS+ server-group configuration
mode. To enable server groups to use the global (default)
routing table, use the no form of this command.
vrf vrf-name
no vrf vrf-name
Syntax Description
vrf-name
Name assigned to a VRF.
Command Default
The default VRF is used.
Command Modes
TACACS+ server-group configuration
Command History
Release
Modification
Release 4.1.0
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the vrf command to specify a VRF for an AAA TACACS+ server
group and enable dial-up users to use AAA servers in different routing domains.
Task ID
Task ID
Operations
aaa
read, write
Examples
This example shows how to use the vrf command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# aaa group server tacacs+ myserver
RP/0/0/CPU0:router(config-sg-tacacs+)# server 9.27.10.6
RP/0/0/CPU0:router(config-sg-tacacs+)# vrf abc