This document describes the configuration of ASR 9000 series Aggregation Services Router (ASR) to authenticate and authorize via TACACS+ with Cisco Secure Access Control Server (ACS) 5.x server.
This document describes the implementation of the administrative model of task-based authorization used to control user access in the Cisco IOS XR software system. The major tasks required to implement task-based authorization are the configuration of user groups and task groups. User groups and task groups are configured through the Cisco IOS XR software command set used for Authentication, Authorization and Accounting (AAA) services. Authentication commands are used to verify the identity of a user or principal. Authorization commands are used to verify that an authenticated user (or principal) is granted permission to perform a specific task. Accounting commands are used to log sessions and to create an audit trail by recording certain user- or system-generated actions.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration change.
There are predefined user groups and task groups in IOS XR. The administrator can either use these predefined groups or define custom groups as per the requirement.
These user groups are predefined on IOS XR:
User Group | Privileges
---|---
cisco-support | Debug and troubleshoot features (usually used by Cisco Technical Support personnel).
netadmin | Configure network protocols such as Open Shortest Path First (OSPF) (usually used by network administrators).
operator | Perform day-to-day monitoring activities, and have limited configuration rights.
root-lr | Display and execute all commands within a single RP.
root-system | Display and execute all commands for all RPs in the system.
sysadmin | Perform system administration tasks for the router, such as maintaining where the core dumps are stored or setting up the Network Time Protocol (NTP) clock.
serviceadmin | Perform service administration tasks, such as Session Border Controller (SBC).
The root-system user group has predefined authorization; that is, it has the complete responsibility for root-system user-managed resources and certain responsibilities in other services.
Use this command to check the predefined user groups:

```
RP/0/RSP1/CPU0:ASR9k#show aaa usergroup ?
  |              Output Modifiers
  root-lr        Name of the usergroup
  netadmin       Name of the usergroup
  operator       Name of the usergroup
  sysadmin       Name of the usergroup
  root-system    Name of the usergroup
  serviceadmin   Name of the usergroup
  cisco-support  Name of the usergroup
  WORD           Name of the usergroup
  <cr>
```
These predefined task groups are available for administrators to use, typically for initial configuration:
Use this command to check the predefined task groups:

```
RP/0/RSP1/CPU0:ASR9k#show aaa taskgroup ?
  |              Output Modifiers
  root-lr        Name of the taskgroup
  netadmin       Name of the taskgroup
  operator       Name of the taskgroup
  sysadmin       Name of the taskgroup
  root-system    Name of the taskgroup
  serviceadmin   Name of the taskgroup
  cisco-support  Name of the taskgroup
  WORD           Name of the taskgroup
  <cr>
```
Use this command to check the supported tasks:
```
RP/0/RSP1/CPU0:ASR9k#show aaa task supported
```
Here is the list of supported tasks:

aaa, acl, admin, ancp, atm, basic-services, bcdl, bfd, bgp, boot, bundle, call-home, cdp, cef, cgn, cisco-support, config-mgmt, config-services, crypto, diag, disallowed, drivers, dwdm, eem, eigrp, ethernet-services, ext-access, fabric, fault-mgr, filesystem, firewall, fr, hdlc, host-services, hsrp, interface, inventory, ip-services, ipv4, ipv6, isis, l2vpn, li, lisp, logging, lpts, monitor, mpls-ldp, mpls-static, mpls-te, multicast, netflow, network, nps, ospf, ouni, pbr, pkg-mgmt, pos-dpt, ppp, qos, rcmd, rib, rip, root-lr, root-system, route-map, route-policy, sbc, snmp, sonet-sdh, static, sysmgr, system, transport, tty-access, tunnel, universal, vlan, vpdn, vrrp
Each of the tasks listed above can be granted any one, several, or all four of these permissions:

Permission | Description
---|---
Read | Specifies a designation that permits only a read operation.
Write | Specifies a designation that permits a change operation and implicitly allows a read operation.
Execute | Specifies a designation that permits an access operation; for example, ping and Telnet.
Debug | Specifies a designation that permits a debug operation.
Administrators can configure their own user groups to meet particular needs. Here is a configuration example:

```
RP/0/RSP1/CPU0:ASR9k(config)#usergroup TAC-Defined
RP/0/RSP1/CPU0:ASR9k(config-ug)#taskgroup operator
RP/0/RSP1/CPU0:ASR9k(config-ug)#commit
```
Administrators can configure their own task groups to meet particular needs. Here is a configuration example:

```
RP/0/RSP1/CPU0:ASR9k(config)#taskgroup TAC-Defined-TASK
RP/0/RSP1/CPU0:ASR9k(config-tg)#task ?
  debug    Specify a debug-type task ID
  execute  Specify a execute-type task ID
  read     Specify a read-type task ID
  write    Specify a read-write-type task ID
RP/0/RSP1/CPU0:ASR9k(config-tg)#task read aaa
RP/0/RSP1/CPU0:ASR9k(config-tg)#task write aaa
RP/0/RSP1/CPU0:ASR9k(config-tg)#task execute aaa
RP/0/RSP1/CPU0:ASR9k(config-tg)#task debug aaa
RP/0/RSP1/CPU0:ASR9k(config-tg)#task read acl
RP/0/RSP1/CPU0:ASR9k(config-tg)#task write acl
RP/0/RSP1/CPU0:ASR9k(config-tg)#task execute acl
RP/0/RSP1/CPU0:ASR9k(config-tg)#commit

RP/0/RSP1/CPU0:ASR9k#show aaa taskgroup TAC-Defined-TASK
Task group 'TAC-Defined-TASK'

Task IDs included directly by this group:
Task:                 aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                 acl  : READ    WRITE    EXECUTE

Task group 'TAC-Defined-TASK' has the following combined set
  of task IDs (including all inherited groups):
Task:                 aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                 acl  : READ    WRITE    EXECUTE
```
If you are not sure which task IDs and permissions a certain command needs, use the describe command to find out. Here are two examples:

Example 1:

```
RP/0/RSP1/CPU0:ASR9k#describe show aaa usergroup
Package:
.....
User needs ALL of the following taskids:
        aaa (READ)
RP/0/RSP1/CPU0:ASR9k#
```

In order to allow a user to run the command show aaa usergroup, you need to allow this line in the task group:

```
task read aaa
```

Example 2:

```
RP/0/RSP1/CPU0:ASR9k(config)#describe aaa authentication login default group tacacs+
Package:
.....
User needs ALL of the following taskids:
        aaa (READ WRITE)
RP/0/RSP1/CPU0:ASR9k(config)#
```

In order to allow a user to run the command aaa authentication login default group tacacs+ from config mode, you need to allow these lines in the task group (write implicitly includes read, as the permission table above notes):

```
task read aaa
task write aaa
```
A user group can import several task groups; its effective permissions are the combined set of all the task groups it inherits. Here is a configuration example:

```
RP/0/RSP1/CPU0:ASR9k#show aaa usergroup TAC-Defined
Tue Feb 16 00:50:56.799 UTC
User group 'TAC-Defined'
  Inherits from task group 'operator'
User group 'TAC-Defined' has the following combined set
  of task IDs (including all inherited groups):
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                 cdp  : READ
Task:                diag  : READ
Task:          ext-access  : READ               EXECUTE
Task:             logging  : READ

RP/0/RSP1/CPU0:ASR9k#conf t
RP/0/RSP1/CPU0:ASR9k(config)#usergroup TAC-Defined
RP/0/RSP1/CPU0:ASR9k(config-ug)#taskgroup TAC-Defined-TASK
RP/0/RSP1/CPU0:ASR9k(config-ug)#commit

RP/0/RSP1/CPU0:ASR9k#show aaa usergroup TAC-Defined
Tue Feb 16 00:51:31.494 UTC
User group 'TAC-Defined'
  Inherits from task group 'operator'
  Inherits from task group 'TAC-Defined-TASK'
User group 'TAC-Defined' has the following combined set
  of task IDs (including all inherited groups):
Task:                 aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                 acl  : READ    WRITE    EXECUTE
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                 cdp  : READ
Task:                diag  : READ
Task:          ext-access  : READ               EXECUTE
Task:             logging  : READ
```
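As an added example (not Cisco code and not from this page), the Python below models the two rules just described: the combined task set a user group gets from the task groups it inherits, and the describe check that every task ID a command requires is present with the required permissions. The task group contents and the describe string are copied from the outputs shown on this page; the write-implies-read rule is the one from the permission table.

```python
import re

# Task groups copied from this page: the combined set of 'operator' (as shown
# for TAC-Defined before it imported the custom group) and TAC-Defined-TASK.
TASK_GROUPS = {
    "operator": {
        "basic-services": {"READ", "WRITE", "EXECUTE", "DEBUG"},
        "cdp": {"READ"},
        "diag": {"READ"},
        "ext-access": {"READ", "EXECUTE"},
        "logging": {"READ"},
    },
    "TAC-Defined-TASK": {
        "aaa": {"READ", "WRITE", "EXECUTE", "DEBUG"},
        "acl": {"READ", "WRITE", "EXECUTE"},
    },
}


def combined_tasks(taskgroups):
    """Union over every inherited task group: the 'combined set of task IDs'
    that 'show aaa usergroup <name>' reports."""
    combined = {}
    for name in taskgroups:
        for task, perms in TASK_GROUPS[name].items():
            combined.setdefault(task, set()).update(perms)
    return combined


def parse_describe(output):
    """Extract 'taskid (PERMS)' requirements from 'describe <command>' output,
    e.g. 'User needs ALL of the following taskids: aaa (READ WRITE)'."""
    return {t: set(p.split()) for t, p in re.findall(r"(\S+) \(([A-Z ]+)\)", output)}


def authorized(user_tasks, required):
    """True when the user holds every required permission on every required
    task. WRITE implicitly grants READ, as the permission table states."""
    for task, perms in required.items():
        have = set(user_tasks.get(task, set()))
        if "WRITE" in have:
            have.add("READ")
        if not perms <= have:
            return False
    return True


if __name__ == "__main__":
    need = parse_describe("User needs ALL of the following taskids: aaa (READ WRITE)")
    print(authorized(combined_tasks(["operator", "TAC-Defined-TASK"]), need))  # True
    print(authorized(combined_tasks(["operator"]), need))                      # False
```

A user group that inherits only operator has no aaa task at all, which is why the asrread verification later on this page shows no aaa line.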
Define a TACACS+ server on the router:

Here you define the ACS server IP address as the tacacs-server, with the key cisco.

```
RP/0/RSP1/CPU0:ASR9k(config)#tacacs-server host 10.106.73.233 port 49
RP/0/RSP1/CPU0:ASR9k(config-tacacs-host)#key 0 cisco
RP/0/RSP1/CPU0:ASR9k(config-tacacs-host)#commit
!
tacacs-server host 10.106.73.233 port 49
 key 7 14141B180F0B
!
```

Point authentication and authorization to the external TACACS+ server, with local as the fallback method:

```
#aaa authentication login default group tacacs+ local
#aaa authorization exec default group tacacs+ local
```

Command authorization (optional):

```
#aaa authorization commands default group tacacs+
```

Point accounting to the external server (optional):

```
#aaa accounting commands default start-stop group tacacs+
#aaa accounting update newinfo
```
Step 1. In order to add the router IP address to the AAA clients list on the ACS server, navigate to Network Resources > Network Devices and AAA Clients, as shown in the image. In this example, you define cisco as the Shared Secret, matching the key configured on the ASR.
Step 2. Define the user groups as per your requirement. In this example, as shown in the image, four groups are used.
Step 3. As shown in the image, create the users and map them to respective user group created above.
Note: In this example, the ACS internal users are used for authentication. Users created in external identity stores can be used as well, but external identity source users are not covered in this example.
Step 4. Define the Shell Profile you want to push for the respective users.
In the shell profile you just created, configure the task groups to push to the router, as shown in the image.
Step 5. Define the access policy. Authentication is done against the internal users.
Step 6. Configure the authorization based on the requirement using the previously created user identity groups and map the respective shell profiles, as shown in the image.
In order to log in, the username asrread is used. These are the verification commands:

```
username: ASRread
password:
RP/0/RSP1/CPU0:ASR9k#show user
ASRread
RP/0/RSP1/CPU0:ASR9k#show user group
operator
RP/0/RSP1/CPU0:ASR9k#show user tasks
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                 cdp  : READ
Task:                diag  : READ
Task:          ext-access  : READ               EXECUTE
Task:             logging  : READ
```
In order to log in, the username asraaa is used. These are the verification commands.

Note: asraaa receives the operator task group pushed from the TACACS+ server, along with read, write and execute permissions on the aaa task.

```
username: asraaa
password:
RP/0/RSP1/CPU0:ASR9k#sh user
asraaa
RP/0/RSP1/CPU0:ASR9k#sh user group
operator
RP/0/RSP1/CPU0:ASR9k#sh user tasks
Task:                 aaa  : READ    WRITE    EXECUTE
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                 cdp  : READ
Task:                diag  : READ
Task:          ext-access  : READ               EXECUTE
Task:             logging  : READ
```
In order to log in, the username asrwrite is used. These are the verification commands:

```
username: asrwrite
password:
RP/0/RSP1/CPU0:ASR9k#sh user
asrwrite
RP/0/RSP1/CPU0:ASR9k#sh user group
sysadmin
RP/0/RSP1/CPU0:ASR9k#sh user tasks
Task:                 aaa  : READ
Task:                 acl  : READ    WRITE    EXECUTE    DEBUG
Task:               admin  : READ
Task:                ancp  : READ
Task:                 atm  : READ
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                bcdl  : READ
Task:                 bfd  : READ
Task:                 bgp  : READ
Task:                boot  : READ    WRITE    EXECUTE    DEBUG
Task:              bundle  : READ
Task:           call-home  : READ
Task:                 cdp  : READ    WRITE    EXECUTE    DEBUG
Task:                 cef  : READ
Task:                 cgn  : READ
Task:         config-mgmt  : READ    WRITE    EXECUTE    DEBUG
Task:     config-services  : READ    WRITE    EXECUTE    DEBUG
Task:              crypto  : READ    WRITE    EXECUTE    DEBUG
Task:                diag  : READ    WRITE    EXECUTE    DEBUG
Task:             drivers  : READ
Task:                dwdm  : READ
Task:                 eem  : READ    WRITE    EXECUTE    DEBUG
Task:               eigrp  : READ
Task:   ethernet-services  : READ
 --More--
(output omitted)
```
In order to log in, the username asrroot is used. These are the verification commands:

```
username: asrroot
password:
RP/0/RSP1/CPU0:ASR9k#show user
asrroot
RP/0/RSP1/CPU0:ASR9k#show user group
root-system
RP/0/RSP1/CPU0:ios#show user tasks
Task:                 aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                 acl  : READ    WRITE    EXECUTE    DEBUG
Task:               admin  : READ    WRITE    EXECUTE    DEBUG
Task:                ancp  : READ    WRITE    EXECUTE    DEBUG
Task:                 atm  : READ    WRITE    EXECUTE    DEBUG
Task:      basic-services  : READ    WRITE    EXECUTE    DEBUG
Task:                bcdl  : READ    WRITE    EXECUTE    DEBUG
Task:                 bfd  : READ    WRITE    EXECUTE    DEBUG
Task:                 bgp  : READ    WRITE    EXECUTE    DEBUG
Task:                boot  : READ    WRITE    EXECUTE    DEBUG
Task:              bundle  : READ    WRITE    EXECUTE    DEBUG
Task:           call-home  : READ    WRITE    EXECUTE    DEBUG
Task:                 cdp  : READ    WRITE    EXECUTE    DEBUG
Task:                 cef  : READ    WRITE    EXECUTE    DEBUG
Task:                 cgn  : READ    WRITE    EXECUTE    DEBUG
Task:         config-mgmt  : READ    WRITE    EXECUTE    DEBUG
Task:     config-services  : READ    WRITE    EXECUTE    DEBUG
Task:              crypto  : READ    WRITE    EXECUTE    DEBUG
Task:                diag  : READ    WRITE    EXECUTE    DEBUG
Task:             drivers  : READ    WRITE    EXECUTE    DEBUG
Task:                dwdm  : READ    WRITE    EXECUTE    DEBUG
Task:                 eem  : READ    WRITE    EXECUTE    DEBUG
Task:               eigrp  : READ    WRITE    EXECUTE    DEBUG
 --More--
(output omitted)
```
You can verify the ACS report from the Monitoring and Reporting page. As shown in the image, click the magnifying glass symbol to see the detailed report.
These are a few helpful commands to troubleshoot on ASR: