Information About Configuring AAA Services
    Task:  ext-access  :READ  EXECUTE
    Task:  logging     :READ

Alternatively, if a user named user2, who does not have a task string, logs in to the external server, the following information is displayed:

    Username:user2
    Password:
    RP/0/RP0/CPU0:router# show user tasks
    No task ids available

Privilege Level Mapping

For compatibility with TACACS+ daemons that do not support the concept of task IDs, AAA supports a mapping between privilege levels defined for the user in the external TACACS+ server configuration file and local user groups. Following TACACS+ authentication, the user is assigned the task map of the local user group that corresponds to the privilege level returned from the external TACACS+ server. For example, if a privilege level of 5 is returned from the external TACACS+ server, AAA attempts to get the task map of the local user group priv5. This mapping process is similar for other privilege levels from 1 to 13. For privilege level 15, the root-system user group is used; privilege level 14 maps to the user group owner-sdr.

For example, with the Cisco freeware tac_plus server, the configuration file has to specify priv_lvl, as shown in the following example:

    user = sampleuser1{
       member = bar
       service = exec-ext {
          priv_lvl = 5
       }
    }

The number 5 in this example can be replaced with any privilege level that has to be assigned to the user sampleuser.

With the RADIUS server, task IDs are defined using the Cisco-AVPair, as shown in the following example:

    user = sampleuser2{
       member = bar
       Cisco-AVPair = "shell:tasks=#root-system,#cisco-support"{
          Cisco-AVPair = "shell:priv-lvl=10"
       }
    }

XML Schema for AAA Services

The extensible markup language (XML) interface uses requests and responses in XML document format to configure and monitor AAA. The AAA components publish the XML schema corresponding to the content and structure of the data used for configuration and monitoring. The XML tools and applications use the schema to communicate with the XML agent to perform the configuration.

The following schemas are published by AAA:

• Authentication, Authorization and Accounting configuration
• User, user group, and task group configuration

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Configuring AAA Services on Cisco IOS XR Software
OL-20382-01
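
The privilege level mapping described under "Privilege Level Mapping" can be audited before a TACACS+ configuration is deployed. The following is an added example, not code from the Cisco guide: it reads tac_plus-style user blocks, resolves each priv_lvl to the local user group named in that section, and flags users who would receive root-system or owner-sdr. The function names, the users opsadmin and auditor, and the handling of whole-line # comments are assumptions made for the illustration.

```python
import re

SPECIAL = {15: "root-system", 14: "owner-sdr"}  # levels 1-13 map to priv<N>

def group_for_priv_lvl(level):
    """Local user group whose task map AAA assigns for a returned privilege level."""
    if level in SPECIAL:
        return SPECIAL[level]
    return f"priv{level}" if 1 <= level <= 13 else None  # None: outside the described mapping

def parse_users(text):
    """Return {username: priv_lvl or None} from 'user = name { ... }' blocks."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line comments (assumed syntax)
    users = {}
    for m in re.finditer(r"\buser\s*=\s*([\w.-]+)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the brace closing this user block
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        lvl = re.search(r"\bpriv_lvl\s*=\s*(\d+)", text[m.end():i])
        users[m.group(1)] = int(lvl.group(1)) if lvl else None
    return users

def audit(text):
    """Rows of (user, priv_lvl, group, flagged); flagged marks root-system and owner-sdr."""
    rows = []
    for user, lvl in parse_users(text).items():
        group = group_for_priv_lvl(lvl) if lvl is not None else None
        rows.append((user, lvl, group, group in SPECIAL.values()))
    return rows

# Constructed sample: sampleuser1 follows the page's example; the other users are hypothetical.
SAMPLE = """
user = sampleuser1{
   member = bar
   service = exec-ext {
      priv_lvl = 5
   }
}
user = opsadmin {
   service = exec-ext {
      # priv_lvl = 1
      priv_lvl = 15
   }
}
user = auditor { member = bar }
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A user with no priv_lvl is reported with no group, since the mapping has nothing to resolve for that block.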