The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To use these commands in System Admin VM, you must be in a user group associated with appropriate command rules and data rules. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
To create users and user-groups for the System Admin VM, use the aaa authentication command in the System Admin Config mode. To delete users and user-groups, use the no form of this command.
aaa authentication { groups group group-name [ gid | users ] | users user user-name [ gid | homedir | password | ssh_keydir | uid ] }
groups |
Configures access groups. |
group |
Specifies a group. |
group-name |
Name of the group. |
gid |
Specifies a numeric value. |
users |
Configures users. |
user |
Specifies a user. |
user-name |
Name of the user. |
homedir |
Specifies an alphanumeric value. |
password |
Specifies a password for user authentication. |
ssh_keydir |
Specifies an alphanumeric value. |
uid |
Specifies a numeric value. |
None
System Admin Config
Release | Modification |
---|---|
Release 5.0.0 |
This command was introduced. |
This example shows how to create a new user- user1:
sysadmin-vm:0_RP0#config sysadmin-vm:0_RP0(config)# aaa authentication users user user1 gid 20 homedir dir password pwd ssh_keydir dir uid 10
This example shows how to create a new group- group1:
sysadmin-vm:0_RP0#config sysadmin-vm:0_RP0(config)# aaa authentication groups group group1 gid 10 users user1
To enable remote authentication support using TACACS+ protocol, use the aaa authentication login group tacacs command. To disable remote authentication , use the no form of this command.
aaa authentication login group tacacs
AAA authentication is disabled.
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command is introduced. |
The following example shows how to use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authentication login group tacacs
To create command rules and data rules for authorization, use the aaa authorization command in the System Admin Config mode. To delete the command rules and data rules, use the no form of this command.
aaa authorization { cmdrules cmdrule [ integer | range integer ] [ action | command | context | group | ops ] | datarules datarule [ integer | range integer ] [ action | context | group | keypath | namespace | ops ] }
cmdrules |
Configures command rules. |
||
cmdrule integer |
|
||
range integer |
Specifies the range of the command rules or data rules to be configured. The integer value ranges from 1 to 2,147,483,647. |
||
action |
Specifies whether the users are permitted or refrained from performing the operation specified for the ops keyword. |
||
command |
Specifies the command to which the command rule applies to. The command should be entered within double-quotes. |
||
context |
Specifies which type of connection the command rule or data rule applies to. The connection type can be netconf, cli, or xml. |
||
group |
Specifies the group to which the command rule or data rule applies to. |
||
ops |
Specifies whether the user has read, execute, or read and execute permission for the command. |
||
datarules |
Configures data rules. |
||
datarule integer |
|
||
keypath |
Specifies the keypath of the data element. If you enter an asterisk '*' for keypath, it indicates that the command rule is applicable to all the configuration data. |
||
namespace |
Enter asterisk "*" to indicate that the data rule is applicable for all namespace values. |
None
System Admin Config
Release | Modification |
---|---|
Release 5.0.0 |
This command was introduced. |
This example shows how to create a command rule:
sysadmin-vm:0_RP0#config sysadmin-vm:0_RP0(config)#aaa authorization cmdrules cmdrule 10 action accept command "show platform" context cli group group1 ops rx
sysadmin-vm:0_RP0#config sysadmin-vm:0_RP0(config)#aaa authorization datarules datarule 20 action accept context cli group group10 keypath * namespace * ops rwx
To enable remote authorization support using TACACS+ protocol, use the aaa authorization commands group tacacs command. To disable authorization for a function, use the no form of this command.
aaa authorization command group { tacacs | | none }
tacacs |
Specifies that authorization has to be performed using TACACS+ protocol. |
none |
(Optional) Specifies that no authorization has to be performed. |
Authorization is disabled for all actions.
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command is introduced. |
The following example shows how to use this command to specify that TACACS+ authorization has to be performed:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authorization commands group tacacs
The following example shows how to use this command to specify that no authorization should be performed:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authorization commands group none
The following example shows how to use this command to specify that first TACACS+ authorization has to be performed and if it fails, no authorization should be performed:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authorization commands group tacacs none
To configure a disaster-recovery user and password, use the aaa disaster-recovery command in the System Admin Config mode. To delete the disaster-recovery user and password, use the no form of this command.
aaa disaster-recovery username username password password
username |
Configures the username for the disaster-recovery user. |
username |
Specifies the username for the disaster-recovery user. |
password |
Configures the password for the disaster-recovery user. |
password |
Password for the disaster-recovery user. |
None
System Admin Config
Release | Modification |
---|---|
Release 5.0.0 |
This command was introduced. |
Only an already existing user can be specified as a disaster-recovery user.
This example shows how to configure a disaster-recovery user:
sysadmin-vm:0_RP0#config sysadmin-vm:0_RP0(config)## aaa disaster-recovery username root user1 password pwd
To enable remote accounting support using TACACS+ protocol, use the aaa accounting commands group tacacs command. To disable remote accounting , use the no form of this command.
aaa accounting commands group tacacs
Authorization is disabled for all actions (equivalent to the method none keyword).
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how to use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa accounting commands group tacacs
To specify an order of authentication for AAA systems, use the confdConfig aaa authOrdercommand.
confdConfig aaa authOrder { externalAuthentication | | localAuthentication }
externalAuthentication |
Specifies that external authentication should be performed based on the configured executable. |
localAuthentication |
Specifies that local authentication should be performed. |
By default the user is authenticated by using local authentication methods.
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how to define external authentication as the primary authentication mechanism:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# confdConfig aaa authOrder externalAuthentication localAuthentication
To enable application callbacks for authorization, use the confdConfig aaa authorization callback enabledcommand.
confdConfig aaa authorization callback enabled
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# confdConfig aaa authorization callback enabled
To enable external authorization, use the confdConfig aaa authorization enabledcommand.
confdConfig aaa authorization enabled
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# confdConfig aaa authorization enabled
To enable external authentication, use the confdConfig aaa externalAuthentication enabledcommand. To disable external authentication, use the no form of the command.
confdConfig aaa externalAuthentication enabled
By default the user is authenticated by using external authentication method.
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how to use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# confdConfig aaa externalAuthentication enabled
To enable external authentication using an executable configured on the local host, use the confdConfig aaa externalAuthentication enabledcommand.
confdConfig aaa externalAuthentication enabled chvrf 0 /opt/cisco/calvados/bin/calvados_login_aaa_proxy
chvrf 0 /opt/cisco/calvados/bin/calvados_login_aaa_proxy |
File name and path of the executable configured on the local host that is used to enable external authentication. |
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
The following example shows how use this command:
sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# confdConfig aaa externalAuthentication executable chvrf 0 /opt/cisco/calvados/bin/calvados_login_aaa_proxy
To display information of send/receive/pending request information of TACACS+ servers, use the show tacacs-server request command in the System Admin EXEC mode.
show tacacs-server request
None
System Admin EXEC
Release | Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
This command is used for diagnostics purpose only.
sysadmin-vm:0_RP0#show tacacs-server request
sysadmin-vm:0_RP0# tacacs-server requests ipv4 1.1.1.1 59
Server: 1.1.1.1/59 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0 family=IPv4
To display TACACS+ server and client process information, use the show tacacs-server trace command in the System Admin EXEC mode.
show tacacs-server trace location [all| node-id]
locationall |node-id |
Specifies the target location. The node-id argument is expressed in the rack/slot notation. The allargument displays trace details of all the TACACS+ servers and client processes. |
None
System Admin EXEC
Release | Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
This command is used for diagnostics purpose only.
sysadmin-vm:0_RP0#show tacacs-server trace location 0/RP0
sysadmin-vm:0_RP0#show tacacs-server trace location all
show aaa { privileged-access | trace { login | sync } location node-id }
privileged-access |
Displays access data. |
trace |
Displays the trace data. |
login |
Displays login trace. |
sync |
Displays aaa sync trace. |
location node-id |
Specifies the target location. The node-id argument is expressed in the rack/slot notation. |
None
System Admin EXEC
Release | Modification |
---|---|
Release 5.0.0 |
This command was introduced. |
The show aaa privileged-access command displays information about the first user, current disaster-recovery user, who accessed the disaster-recovery account, and when was it last accessed.
The show aaa trace command is used only for diagnostics.
This example shows how to view privileged access user details:
sysadmin-vm:0_RP0#show aaa privileged-access
Fri Aug 30 10:27:24.170 UTC
Privileged-user, shell access and disaster-recovery user information
Last access to shell via disaster-recovery account : None
Privileged-user : root
Privileged-user attributes changed via admin CLI : Yes
Current disaster-recovery user : root
To specify a TACACS+ server and TCP port number, use the tacacs-server host command. To delete the specified name or address, use the no form of this command.
tacacs-server host host-name port number
host ipaddress or host-name |
Host or domain name or IP address of the TACACS+ server. |
port-number |
Specifies a server port number. Valid port numbers range from 1 to 65535. |
No TACACS+ host is specified.
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
You can use multiple tacacs-server host commands to specify additional hosts. Cisco IOS XR software searches for hosts in the order in which you specify them.
The following example shows how to specify a TACACS+ host with the IP address 209.165.200.226:
sysadmin-vm:0_RP0(config)# tacacs-server host 209.165.200.226 sysadmin-vm:0_RP0(config-tacacs-host)#
The following example shows that the default values from the tacacs-server host command are displayed from the show run command:
sysadmin-vm:0_RP0# show run
Building configuration...
!! Last configuration change at 13:51:56 UTC Mon Nov 14 2005 by lab
!
tacacs-server host 209.165.200.226 port 49
timeout 5
!
To set the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon, use the tacacs-server key command. To disable the key, use the no form of this command.
tacacs-server key { clear-text-key }
clear-text-key |
Specifies an unencrypted (cleartext) shared key. |
None
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The key name entered must match the key used on the TACACS+ daemon. The key name applies to all servers that have no individual keys specified. All leading spaces are ignored; spaces within and after the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
The key name is valid only when the following guidelines are followed:
The TACACS server key is used only if no key is configured for an individual TACACS server. Keys configured for an individual TACACS server always override this global key configuration.
The following example sets the authentication and encryption key to key1:
sysadmin-vm:0_RP0(config)# tacacs-server key key1
To set the interval that the server waits for a server host to reply, use the tacacs-server timeout command. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
seconds |
Integer that specifies the timeout interval (in seconds) from 1 to 1000. |
5 seconds
System Admin Config
Release |
Modification |
---|---|
Release 6.1.2 |
This command was introduced. |
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The TACACS+ server timeout is used only if no timeout is configured for an individual TACACS+ server. Timeout intervals configured for an individual TACACS+ server always override this global timeout configuration.
The following example shows the interval timer being changed to 10 seconds:
RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10