Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

This chapter describes the Cisco IOS XR software commands used to configure authentication, authorization, and accounting (AAA) services. For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
aaa accounting

To create a method list for accounting, use the aaa accounting command in global configuration mode. To remove a list name from the system, use the no form of this command.

Use the aaa accounting command to create default or named method lists that define specific accounting methods and that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.
aaa accounting system default

To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.

The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place. You can specify up to four methods in the method list.

Task ID

Task ID  Operations
aaa      read, write

Examples

The following example shows how to cause a "start accounting" record to be sent to a TACACS+ server when a router initially boots.
aaa authentication

To create a method list for authentication, use the aaa authentication command in global configuration mode. To disable this authentication method, use the no form of this command.

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The method-list argument was added to specify either group tacacs+, group radius, group named-group, local, or line options.

Command                  Description
aaa group server radius  Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+ Groups different TACACS+ server hosts into distinct lists and distinct methods.
login authentication     Enables AAA authentication for logins.
radius-server host       Specifies a RADIUS host.
tacacs-server host       Specifies a TACACS+ host.
aaa authorization

To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.

Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.

Note: The command authorization mentioned here is the authorization performed by an external AAA server, not task-based authorization.

Examples

The following example shows how to define the network authorization method list named listname1, which specifies that TACACS+ authorization is used:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+

Related Commands

Command         Description
aaa accounting  Creates a method list for accounting.
aaa default-taskgroup

To specify a task group to be used for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.
aaa group server radius

To group different RADIUS server hosts into distinct lists, use the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name
no aaa group server radius group-name

Syntax Description

group-name

Defaults

This command is not enabled.

Task ID

Task ID  Operations
aaa      read, write

Examples

The following example shows the configuration of an AAA group server named radgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group
RP/0/RP0/CPU0:router(config-sg-radius)#
RP/0/RP0/CPU0:router(config-sg-radius)#
RP/0/RP0/CPU0:router(config-sg-radius)#

Note Related Commands radius r
aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.

aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name

Syntax Description

group-name

Defaults

This command is not enabled.

Examples

The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.
accounting

To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

Examples

The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# accounting commands listname2

Related Commands

Command         Description
aaa accounting  Creates a method list for accounting.
authorization

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.

Examples

The following example shows how to enable command authorization using the method list named listname4 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# authorization commands listname4

Related Commands

Command            Description
aaa authorization  Creates a method list for authorization.
deadtime (server-group configuration)

To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes
no deadtime

Syntax Description

minutes

Defaults

Deadtime is set to 0.

Related Commands

Command                           Description
aaa group server radius           Groups different RADIUS server hosts into distinct lists and distinct methods.
radius-server dead-criteria time  Forces one or both of the criteria that are used to mark a RADIUS server as dead.
description (AAA)

To create a description of a task group or user group during configuration, use the description command in task group configuration or user group configuration mode. To delete a task group description or user group description, use the no form of this command.

description string
no description

Syntax Description

string

Defaults

The default description is blank.

Examples

The following example shows the creation of a task group description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup alpha
RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup

The following example shows the creation of a user group description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup alpha
RP/0/RP0/CPU0:router(config-ug)# d
group

To add a user to a group, use the group command in username configuration mode. To remove the user from a group, use the no form of this command.

Use the group command in username configuration mode. To access username configuration mode, use the username command in global configuration mode. If the group command is used in admin configuration mode, only root-system and cisco-support can be specified.
inherit taskgroup

To enable a task group to derive permissions from another task group, use the inherit taskgroup command in task group configuration mode.

inherit taskgroup {taskgroup-name | netadmin | operator | sysadmin | cisco-support | root-lr | root-system | serviceadmin}

Syntax Description

taskgroup-name  Name of the task group from which permissions are inherited.

Examples

In the following example, the permissions of task group tg2 are inherited by task group tg1:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup tg1
RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2
RP/0/RP0/CPU0:router(config-tg)# end

Cisco IOS XR System Security Command Reference SR-28
inherit usergroup

To enable a user group to derive characteristics of another user group, use the inherit usergroup command in user group configuration mode.

inherit usergroup usergroup-name

Syntax Description

usergroup-name

Defaults

No default behavior or values

Command Modes

User group configuration

Command History

Release      Modification
Release 2.0  This command was introduced on the Cisco CRS-1.

Examples

The following example shows how to enable the purchasing user group to inherit properties from the sales user group:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup purchasing
RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales

Related Commands

Command            Description
description (AAA)  Creates a description of a task group in task group configuration mode, or creates a d
login authentication

To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. To return to the default authentication settings, use the no form of this command.

Task ID

Task ID     Operations
aaa         read, write
tty-access  read, write

Examples

The following example shows that the default AAA authentication is to be used for the line template template1:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template template1
RP/0/RP0/CPU0:router(config-line)# login authentication default

The following example shows that the AAA authentication list call
password (AAA)

To create a login password for a user, use the password command in username or line configuration mode. To remove the password, use the no form of this command.

password {0 | 7} password
no password {0 | 7} password

Syntax Description

0  Specifies that an unencrypted (clear-text) password follows.
7  Specifies that an encrypted password follows.

Examples

The following example shows how to establish the unencrypted password pwd1 for the user user1:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# password 0 pwd1

Related Commands

Command  Description
group    Adds a user to a group.
radius-server dead-criteria time

To specify the minimum amount of time, in seconds, that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead, use the radius-server dead-criteria time command in global configuration mode. To disable the criteria that were set, use the no form of this command.

Examples

The following example shows how to establish the time for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria time command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server dead-criteria time 5

Related Commands

Command                            Description
radius-server dead-criteria tries  Specifies the number of consecutive t
radius-server dead-criteria tries

To specify the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead, use the radius-server dead-criteria tries command in global configuration mode. To disable the criteria that were set, use the no form of this command.

Examples

The following example shows how to establish the number of tries for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria tries command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server dead-criteria tries 4

Related Commands

Command                           Description
radius-server dead-criteria time  Defines the length of ti
radius-server deadtime

To improve RADIUS response times when some servers are unavailable and cause the unavailable servers to be skipped immediately, use the radius-server deadtime command in global configuration mode. To set deadtime to 0, use the no form of this command.

radius-server deadtime minutes
no radius-server deadtime

Syntax Description

minutes

Defaults

Dead time is set to 0.

Related Commands

Command                                Description
deadtime (server-group configuration)  Configures the deadtime value at the RADIUS server group level.
radius-server dead-criteria time       Forces one or both of the criteria that are used to mark a RADIUS server as dead.
show radius dead-criteria              Displays information for the dead-server detection criteria.
radius-server host

To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.

Command History

Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs.

Related Commands

Command             Description
aaa accounting      Creates a method list for accounting.
aaa authentication  Creates a method list for authentication.
aaa authorization   Creates a method list for authorization.
radius-server key   Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server key

To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.

Related Commands

Command             Description
radius-server host  Specifies a RADIUS server host.
radius-server retransmit

To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.

radius-server timeout

To set the interval for which a router waits for a server host to reply before timing out, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command.
radius source-interface

To force RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the radius source-interface command in global configuration mode. To prevent only the specified interface from being the default and not from being used for all outgoing RADIUS packets, use the no form of this command.

Examples

The following example shows how to make RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius source-interface Loopback 10
secret

To create a secure login secret for a user, use the secret command in username or line configuration mode. To remove the secure secret, use the no form of this command.

secret {0 | 5} secret
no secret {0 | 5} secret

Syntax Description

0  Specifies that an unencrypted (clear text) secure secret follows.
5  Specifies that an encrypted secure secret follows.

Examples

The following example shows how to establish the secure encrypted secret pwd2 for the user user2:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user2
RP/0/RP0/CPU0:router(config-un)# secret 5 pwd2

Related Commands

Command         Description
group           Adds a user to a group.
password (AAA)  Creates a login password for a user.
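An added example, not part of the Cisco documentation: a small Python audit of a configuration against rules this chapter states (the four-method limit on method lists, password versus secret), plus two consistency checks for server groups and list names that are referenced but never defined. The sample configuration, finding codes and function names are constructed for illustration; the start-stop keyword and the login list type are assumed IOS XR syntax that this excerpt does not show.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}   # group keywords that need no definition
MAX_METHODS = 4                          # "up to four methods in the method list"

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa group server tacacs+ tacgroup1
 server 192.168.200.226
 server 192.168.200.227
!
aaa authentication login default group tacgroup1 local
aaa authorization commands listname4 group tacacs+ group radius group tacgroup1 group radgroup9 local
aaa accounting commands listname2 start-stop group tacacs+
!
username user1
 password 0 pwd1
!
username user2
 secret 5 $1$constructed$hashplaceholder
!
line template configure
 authorization commands listname4
 accounting commands listname3
!
"""


def parse_methods(tokens):
    """Collapse ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    tokens = [t for t in tokens if t not in ("start-stop", "stop-only")]
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config_text):
    """Return a list of (finding_code, detail) tuples for the given config."""
    findings = []
    server_groups = set()
    method_lists = {}   # (service, type, list name) -> methods
    applied = []        # (line context, service, type, list name)
    context = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # top-level command
            context = line
            m = re.match(r"aaa group server (tacacs\+|radius) (\S+)$", line)
            if m:
                server_groups.add(m.group(2))
                continue
            m = re.match(r"aaa (authentication|authorization|accounting) "
                         r"(\S+) (\S+) (.+)$", line)
            if m:
                method_lists[m.group(1, 2, 3)] = parse_methods(m.group(4).split())
            continue
        if context is None:
            continue
        if context.startswith("username "):  # username configuration mode
            m = re.match(r"(password|secret) (\d) \S+", line)
            if m and m.group(1) == "password":
                findings.append(("password-not-secret", context))
            if m and m.group(2) == "0":
                findings.append(("clear-text-credential", context))
        elif context.startswith("line "):    # line configuration mode
            m = re.match(r"login authentication (\S+)$", line)
            if m:
                applied.append((context, "authentication", "login", m.group(1)))
            m = re.match(r"(authorization|accounting) (\S+) (\S+)$", line)
            if m:
                applied.append((context,) + m.group(1, 2, 3))

    for key, methods in method_lists.items():
        label = "aaa %s %s %s" % key
        if len(methods) > MAX_METHODS:
            findings.append(("too-many-methods", label))
        for method in methods:
            if method.startswith("group "):
                group = method.split()[1]
                if group not in BUILTIN_GROUPS and group not in server_groups:
                    findings.append(("undefined-server-group", f"{label}: {group}"))
    for ctx, service, list_type, name in applied:
        if name != "default" and (service, list_type, name) not in method_lists:
            findings.append(("undefined-method-list",
                             f"{ctx}: {service} {list_type} {name}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```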
server (RADIUS)

To associate a particular RADIUS server with a defined server group, use the server command in RADIUS server-group configuration mode. To remove the associated server from the server group, use the no form of this command.

When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server based on their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service.
server (TACACS+)

To associate a particular TACACS+ server with a defined server group, use the server command in TACACS+ server-group configuration mode. To remove the associated server from the server group, use the no form of this command.

server {hostname | ip-address}
no server {hostname | ip-address}

Syntax Description

hostname  Character string used to name the server host.

Related Commands

Command                   Description
aaa group server tacacs+  Groups different TACACS+ server hosts into distinct lists.
show aaa

To display information about a user group, local user, or task group; to list all task IDs associated with all user groups, local users, or task groups in the system; or to list all task IDs for a specified user group, local user, or task group, use the show aaa command in EXEC mode.

Examples

The following sample output is from the show aaa usergroup command:

RP/0/RP0/CPU0:router# show aaa usergroup operator
User group 'operator'
Inherits from task group 'operator'
User group 'operator' has the following combined set of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ

[show aaa sample output, continued. Task entries: netflow, network, ospf, ouni, pkg-mgmt, pos-dpt, ppp, qos, rib, rip, root-lr, route-map, route-policy, snmp, sonet-sdh, static, sysmgr, system, transport, tty-access, tunnel, universal, vlan, vrrp. Permissions column begins READ; remainder truncated.]

[show aaa sample output, continued. Task entries: inventory, ip-services, ipv4, ipv6, isis, logging, lpts, monitor, mpls-ldp, mpls-static, mpls-te, multicast, netflow, network, ospf, ouni, pkg-mgmt, pos-dpt, ppp, qos, rib, rip, root-lr, root-system, route-map, route-policy]
show radius

To display information about the RADIUS servers that are configured in the system, use the show radius command in EXEC mode.

show radius

Syntax Description

This command has no arguments or keywords.

Defaults

If no radius servers are configured, no output is displayed.

Command Modes

EXEC

Command History

Release       Modification
Release 3.3.

Table 2 describes the significant fields shown in the display.

Table 2  show radius Field Descriptions

Field    Description
Server   Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout  Number of seconds the router waits for a server host to reply before timing out.
show radius accounting

To obtain information and detailed statistics for the RADIUS accounting server and port, use the show radius accounting command in EXEC mode.

show radius accounting

Syntax Description

This command has no arguments or keywords.

Defaults

If no RADIUS servers are configured on the router, the output is empty.

Server: 12.38.28.18, port: 29199
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
RP/0/RP0/CPU0:router#

Table 3 describes the significant fields shown in the display.
show radius authentication

To obtain information and detailed statistics for the RADIUS authentication server and port, use the show radius authentication command in EXEC mode.

show radius authentication

Syntax Description

This command has no arguments or keywords.

Defaults

If no RADIUS servers are configured on the router, the output is empty.

Server: 12.38.28.18, port: 21099
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
RP/0/RP0/CPU0:router#

Table 4 describes the significant fields shown in the display.
show radius client

To obtain general information about the RADIUS client on Cisco IOS XR software, use the show radius client command in EXEC mode.

show radius client

Syntax Description

This command has no arguments or keywords.

Defaults

The default value for the counters (for example, an invalid address) is 0. The network access server (NAS) identifier is the hostname that is defined on the router.

Table 5 describes the significant fields shown in the display.

Table 5  show radius client Field Descriptions

Field                  Description
Client NAS identifier  Identifies the NAS-identifier of the RADIUS authentication client.

Related Commands

Command             Description
radius-server host  Specifies a RADIUS server host.
server (RADIUS)     Associates a particular RADIUS server with a defined server group.
show radius dead-criteria

To obtain information about the dead server detection criteria, use the show radius dead-criteria command in EXEC mode.

show radius dead-criteria host ip-addr [auth-port auth-port] [acct-port acct-port]

Syntax Description

host ip-addr  Specifies the name or IP address of the configured RADIUS server.

Table 6 describes the significant fields shown in the display.

Table 6  show radius dead-criteria Field Descriptions

Field    Description
Server   Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout  Number of seconds the router waits for a server host to reply before timing out.
show radius server-groups

To display information about the RADIUS server groups that are configured in the system, use the show radius server-groups command in EXEC mode.

show radius server-groups

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release     Modification
Release 3.

Table 7 describes the significant fields shown in the display.

Table 7  show radius server-groups Field Descriptions

Field   Description
Server  Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.

Related Commands

Command             Description
radius-server host  Specifies a RADIUS server host.
show tacacs

To display information about the TACACS+ servers that are configured in the system, use the show tacacs command in EXEC mode.

show tacacs

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release      Modification
Release 2.0  This command was introduced on the Cisco CRS-1.
Release 3.0  No modification.

Table 8 describes the significant fields shown in the display.

Table 8  show tacacs Field Descriptions

Field   Description
Server  Server IP address.
opens   Number of socket opens to the external server.
closes  Number of socket closes to the external server.
aborts  Number of tacacs requests that have been aborted midway.
errors  Number of error replies from the external server.
show tacacs server-groups

To display information about the TACACS+ server groups that are configured in the system, use the show tacacs server-groups command in EXEC mode.

show tacacs server-groups

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release     Modification
Release 3.

Table 9 describes the significant fields shown in the display.

Table 9  show tacacs server-groups Field Descriptions

Field   Description
Server  Server IP address.

Related Commands

Command             Description
tacacs-server host  Specifies a TACACS+ server host.
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software show task supported show task supported To display all task IDs available in the system, use the show task supported command in EXEC mode. show task supported Syntax Description This command has no arguments or keywords. Defaults No default behavior or values Command Modes EXEC Command History Release Modification Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.
cisco-support
config-mgmt
config-services
crypto
diag
disallowed
drivers
eigrp
ext-access
fabric
fault-mgr
filesystem
firewall
fr
hdlc
host-services
hsrp
interface
inventory
ip-services
ipv4
ipv6
isis
logging
lpts
monitor
mpls-ldp
mpls-static
mpls-te
multicast
netflow
network
ospf
ouni
pkg-mgmt
pos-dpt
ppp
qos
rib
rip
root-lr
root-system
route-map
route-policy
sbc
snmp
sonet-sdh
static
sysmgr
system
transpor
show user

To display all user groups and task IDs associated with the currently logged-in user, use the show user command in EXEC mode.

show user [all | authentication | group | tasks]

Syntax Description
all               (Optional) Displays all user groups and task IDs for the currently logged-in user.
authentication    (Optional) Displays authentication parameters for the currently logged-in user.
Examples

The following sample output displays the authentication parameters from the show user command:

RP/0/RP0/CPU0:router# show user authentication
method local

The following sample output displays the groups from the show user command:

RP/0/RP0/CPU0:router# show user group
root-system

The following sample output displays all the information for the group and tasks from the show user command:

RP/0/RP0/CPU0:route
Task:  network       : READ
Task:  ospf          : READ
Task:  ouni          : READ
Task:  pkg-mgmt      : READ
Task:  pos-dpt       : READ
Task:  ppp           : READ
Task:  qos           : READ
Task:  rib           : R
Task:  rip           :
Task:  root-lr       :
Task:  root-system   :
Task:  route-map     :
Task:  route-policy  :
Task:  sbc           :
Task:  snmp          :
Task:  sonet-sdh     :
Task:  static        :
Task:  sysmgr        :
Task:  system        :
Task:  transport     :
Task:  tty-access    :
Task:  tunnel        :
Task:  universal     :
Task:  vlan          :
Task:  vrrp          :
Task:  logging
Task:  lpts
Task:  monitor
Task:  mpls-ldp
Task:  mpls-static
Task:  mpls-te
Task:  multicast
Task:  netflow
Task:  network
Task:  ospf
Task:  ouni
Task:  pkg-mgmt
Task:  pos-dpt
Task:  ppp
Task:  qos
Task:  rib
Task:  rip
Task:  root-lr
Task:  root-system
Task:  route-map
Task:  route-policy
Task:  sbc
Task:  snmp
Task:  sonet-sdh
Task:  static
Task:  sysmgr
Task:  system
Task:  tr

Related Commands
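The show user tasks listing above can be checked against a least-privilege baseline. The following is an added example, not part of the Cisco documentation: the sample output is constructed in the "Task: <task ID> : <permissions>" layout, and the baseline and function names are hypothetical.

```python
import re

PERMISSIONS = ("READ", "WRITE", "EXECUTE", "DEBUG")
TASK_LINE = re.compile(r"^\s*Task:\s+(\S+)\s*:\s*(.*)$")

# Constructed sample output, not captured from a real router.
SAMPLE_OUTPUT = """\
RP/0/RP0/CPU0:router# show user tasks
Task:              aaa  : READ    WRITE
Task:          logging  : READ    WRITE    EXECUTE    DEBUG
Task:             ospf  : READ
Task:             snmp  : READ
"""

# Hypothetical baseline for a read-only monitoring account.
ALLOWED = {"logging": {"READ"}, "ospf": {"READ"}, "snmp": {"READ"}}

def parse_show_user_tasks(text):
    """Map each task ID to the set of permissions listed on its line."""
    granted = {}
    for line in text.splitlines():
        match = TASK_LINE.match(line)
        if not match:
            continue  # prompt, blank or damaged lines carry no task entry
        task, rest = match.groups()
        perms = {tok for tok in rest.split() if tok in PERMISSIONS}
        granted.setdefault(task, set()).update(perms)
    return granted

def excess_privileges(granted, allowed):
    """Return permissions held beyond the baseline, keyed by task ID."""
    findings = {}
    for task, perms in granted.items():
        extra = perms - allowed.get(task, set())
        if extra:
            findings[task] = sorted(extra)
    return findings

if __name__ == "__main__":
    report = excess_privileges(parse_show_user_tasks(SAMPLE_OUTPUT), ALLOWED)
    for task, extra in sorted(report.items()):
        print(f"{task}: beyond baseline -> {', '.join(extra)}")
```

A task ID that is missing from the baseline is reported with every permission it holds, so a newly granted task shows up even when it is read-only.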
tacacs-server host

To specify a TACACS+ host server, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
tacacs-server key

To set the authentication encryption key used for all TACACS+ communications between the HF and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
Related Commands

Command               Description
tacacs-server host    Specifies a TACACS+ host.
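The key set with tacacs-server key is the shared secret behind the TACACS+ body obfuscation defined in RFC 8907: both ends derive an MD5-based pad from it and XOR the pad over the packet body. The following is an added example, not part of the Cisco documentation; the key, session ID, user, port and address are constructed values, and the function names are hypothetical.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chain MD5 blocks over session_id, key, version, seq_no (RFC 8907)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = block = b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, session_id, key):
    """Client side: authentication START packet with an obfuscated body."""
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, authen_service=LOGIN, no data
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, 1)

def parse_authen_start(packet, key):
    """Daemon side: return the user name, or None when the key does not match."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    # With the wrong key the length fields decode to noise and stop adding up.
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    return body[8:8 + user_len].decode("ascii", "replace")

if __name__ == "__main__":
    # Constructed lab values, not taken from any real deployment.
    pkt = build_authen_start(b"netops", b"vty0", b"192.0.2.10",
                             0x1A2B3C4D, b"constructed-lab-key")
    print(parse_authen_start(pkt, b"constructed-lab-key"))  # matching key
    print(parse_authen_start(pkt, b"some-other-key"))       # mismatched key
```

The 12-byte header travels in the clear; only the body depends on the key, which is why a key mismatch between router and daemon shows up as unparseable bodies rather than as a failed connection.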
tacacs-server timeout

To set the interval that the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs source-interface

To specify the source IP address of a selected interface for all outgoing TACACS+ packets, use the tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.

tacacs source-interface type instance
no tacacs source-interface type instance

Syntax Description
type    Interface type.
Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
task

To add a task ID to a task group, use the task command in task group configuration mode. To remove a task ID from a task group, use the no form of this command.

task {read | write | execute | debug} taskid-name
no task {read | write | execute | debug} taskid-name

Syntax Description
read     Enables read-only privileges for the named task ID.
write    Enables write privileges for the named task ID.
Related Commands

Command      Description
taskgroup    Configures a task group to be associated with a set of task IDs.
taskgroup

To configure a task group to be associated with a set of task IDs, and to enter task group configuration mode, use the taskgroup command in global configuration mode. To delete a task group, use the no form of this command.
Entering the taskgroup command with no keywords or arguments enters task group configuration mode, in which you can use the description, inherit, show, and task commands.
timeout login response

To set the interval that the server waits for a reply to a login, use the timeout login response command in line configuration mode. To restore the default, use the no form of this command.
Related Commands

Command                 Description
login authentication    Enables AAA authentication for logins.
usergroup

To configure a user group and associate it with a set of task groups, and to enter user group configuration mode, use the usergroup command in global configuration mode. To delete a user group, or to delete a task-group association with the specified user group, use the no form of this command.
From global configuration mode, you can display all the configured user groups. However, you cannot display all the configured user groups in usergroup configuration mode.
username

To configure a new user with a username, establish a password, and grant permissions for the user, and to enter username configuration mode, use the username command in global configuration mode. To delete a user from the database, use the no form of this command.
From global configuration mode, you can display all the configured usernames. However, you cannot display all the configured usernames in username configuration mode. Each user is identified by a username that is unique across the administrative domain. Each user should be made a member of at least one user group. Deleting a user group may orphan the users associated with that group.
users group

To associate a user group and its privileges with a line, use the users group command in line configuration mode. To delete a user group association with a line, use the no form of this command.
Task ID

Task ID    Operations
aaa        read, write

Examples

In the following example, if a vty-pool is created with line template vty, users logging in through vty are given operator privileges:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authen login vty-authen line
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# line template vty
RP/0/RP0/CPU0:router(config-line)# users group