Create Users and Assign Privileges on the Cisco 8000 Series Router

Users are authenticated using a username and a password. The authentication, authorization, and accounting (AAA) commands help with these services:

  • create users, groups, command rules, or data rules

  • change the disaster-recovery password

XR has its AAA separate from Linux. XR AAA is the primary AAA system. A user created through XR can log in directly to the EXEC prompt when connected to the router. A user created through Linux can connect to the router, but arrive at the bash prompt. The user must log in to XR explicitly in order to access the XR EXEC prompt.

Configure AAA authorization to restrict users from uncontrolled access. If AAA authorization is not configured, the command and data rules associated to the groups that are assigned to the user are bypassed. A user can have full read-write access to IOS XR configuration through Network Configuration Protocol (NETCONF), google-defined Remote Procedure Calls (gRPC), or any YANG-based agents. In order to avoid granting uncontrolled access, enable AAA authorization before setting up any configuration. To gain an understanding about AAA, and to explore the AAA services, see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco 8000 Series Routers.

Create a User Profile

Table 1. Feature History Table

Feature name

Release Information

Feature Description

Enhanced Login Banner

Release 7.3.1

To comply with the US DoD, an option to enable display of login banner is introduced. The login banner provides information such as number of successful and unsuccessful login attempts, time stamp, login method, and so on.

The login-history command is introduced.

Create new users and include the user in a user group with certain privileges. The router supports a maximum of 1024 user profiles.

In this task, you create a user, user1, password for this user, pw123, and assign the user to a group root-lr.

Procedure

Step 1

Enter the XR configuration mode.

Example:

Router#config

Step 2

Create a new user.

Example:

Router(config)#username user1

Step 3

Create a password for the new user.

Example:

Router(config-un)#password pw123

Step 4

Assign the user to group root-lr.

Example:

Router(config-un)#group root-lr

All users have read privileges. However, users can be assigned to root-lr usergroup. These users inherit the write privileges where users can create configurations, create new users, and so on.

Step 5

(Optional) You can enable the display of the US Department of Defense (DOD)-approved login banner. The banner is displayed before granting access to devices. The banner also ensures privacy and security that is consistent with applicable federal laws. In addition, the system keeps track of logins, right from the system boot, or as soon as the user profile is created.

Note

 

When you reload a router, login notifications get reset.

Enable or disable the login banner using these commands:

Example:

Router(config-un)#login-history enable
Router(config-un)#login-history disable

Run the show running-config username user1 command to verify the state of login banner. 

Router(config-un)# show running-config username NAME1
Fri Jan 29 13:55:28.261 UTC
username NAME1
 group UG1
 secret * **********
 password * ******
 login-history enable

Step 6

Commit the configuration.

Example:

Router(config-un)#commit

What to do next

With the router set up, you can manage your system, install software packages, and configure your network.

Create a User Group

Create a new user group to associate command rules and data rules with it. The command rules and data rules are enforced on all users that are part of the user group.

The router supports a maximum of 32 user groups.

In this task, you create a group name, group1, and assign a user, user1 to this group.

Before you begin

Create a user profile. See Create a User Profile.

Procedure

Step 1

Enter the XR configuration mode.

Example:

Router#config

Step 2

Create a new user group, group1.

Example:

Router#(config)#group group1

Step 3

Specify the name of the user, user1 to assign to this user group.

Example:

Router#(config-GRP)#username user1

You can specify multiple user names enclosed withing double quotes. For example, users "user1 user2 ..." .

Step 4

Commit the configuration.

Example:

Router#commit

What to do next

With the router set up, you can manage your system, install software packages, and configure your network.

Recover System Using Console Port

Table 2. Feature History Table

Feature name

Release Information

Feature Description

Recover System Using Console Port

Release 7.3.16

With this feature, you can recover the router from disaster without having to reimage using iPXE or USB boot. The user data is securely erased before the router reloads.

If you lose your admin and root user credentials, the router becomes inaccessible. The system can be recovered using a router reimage using iPXE or USB boot. However, this approach is not scalable.

With this feature, the system is recovered without the need to reimage the router. The system is recovered to its initial state with the current running software. The installed software and SMUs are retained after the system is recovered. The process complies with the Cisco Product Security Baseline (PSB) where user data is securely erased before recovering the router. The following data that are generated at run-time are erased:

  • XR and admin configuration including the password data

  • Cryptographic keys on the disk

  • Data on encrypted partition

  • Generated core files

  • SNMP interface index files

  • Third-party application (TPA) software and data

  • User files


Note
The data on the line card is not erased.

This feature is disabled by default. Since the router can be recovered through the console, it is crucial to secure the physical access and the console.

The following steps show the process to recover the system in case of a disaster.

Before you begin

Prepare the system with the following requirements:

  • Ensure you have administrator privileges.

  • Enter the XR configuration mode. Enable the system recovery using console port. 
    Router(config)#system recovery
    With this command, the functionality to recover the router is enabled. The logs are stored at /var/log/system_recovery_logs/ location.

    Note
    To disable this feature, use the no form of command. 
    Router(config)#no system recovery

Procedure

Step 1

Power cycle the router using an external power cycler.

Step 2

Press ESC key and hold both active and standby RPs (RP0 and RP1) in BIOS.

This procedure must be executed on each RP individually on a distributed system.

Step 3

Boot on the standby RP. Press ESC key to enter the GRUB (bootstrap program) menu.

Step 4

Select the IOS-XR-Recovery option from the menu.

The RP boots in the recovery mode, clears generated files, and reboots.

Step 5

Hold the standby RP in BIOS prompt and initiate the recovery on the active RP.

The active RP boots up and the login prompt appears.

Step 6

Boot the standby RP.

After the system boots up, the syslog displays the status of the recovery operation. If the recovery operation fails, the system comes up to an inconsistent state. Power cycle and retry the recovery. If the router recovery is successful, configure the credentials to log in to the router with the preexisting image.

Note

 

The option to recover the system using console port is disabled on bootup because all the previous configurations are erased. With this configuration disabled, if you select IOS-XR-recovery option from grub menu to recover the system, the recovery is skipped.