Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24740-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2014 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface ix
  Changes to This Document ix
  Obtaining Documentation and Submitting a Service Request ix

CHAPTER 1  Authentication, Authorization, and Accounting Commands 1
  aaa accounting 4
  aaa accounting system default 7
  aaa accounting system rp-failover 9
  aaa accounting update 11
  aaa authentication 13
  aaa authorization 16
  aaa default-taskgroup 19
  aaa group server radius 20
  aaa group server tacacs+ 22
  accounting (line) 24
  authorization (line) 26
  deadtime (server-group configuration) 28
  description (AAA) 30
  group (AAA) 32
  inherit taskgroup 34
  inherit usergroup 36
  key (RADIUS) 38
  key (TACACS+) 40
  login authentication 42
  password (AAA) 44
  radius-server dead-criteria time 46
  radius-server dead-criteria tries 48
  radius-server deadtime 50
  radius-server key 51
  radius-server retransmit 52
  radius-server timeout 54
  radius source-interface 55
  retransmit (RADIUS) 57
  secret 59
  server (RADIUS) 61
  server (TACACS+) 63
  server-private (RADIUS) 65
  server-private (TACACS+) 68
  show aaa 70
  show radius 76
  show radius accounting 78
  show radius authentication 80
  show radius client 82
  show radius dead-criteria 84
  show radius server-groups 86
  show tacacs 89
  show tacacs server-groups 91
  show user 93
  single-connection 97
  tacacs-server host 99
  tacacs-server key 102
  tacacs-server timeout 104
  tacacs source-interface 105
  task 107
  taskgroup 109
  timeout (RADIUS) 111
  timeout (TACACS+) 113
  timeout login response 115
  usergroup 117
  username 119
  users group 123
  vrf (RADIUS) 125
  vrf (TACACS+) 127

CHAPTER 2  IPSec Commands 129
  clear crypto ipsec sa 130
  description (IPSec profile) 132
  interface tunnel-ip (GRE) 133
  show crypto ipsec sa 134
  show crypto ipsec summary 138
  show crypto ipsec transform-set 140
  tunnel mode (IP) 141
  tunnel tos (IP) 142
  tunnel ttl (IP) 143
  tunnel dfbit disable (IP) 144

CHAPTER 3  Keychain Management Commands 145
  accept-lifetime 146
  accept-tolerance 148
  key (key chain) 150
  key chain (key chain) 152
  key-string (keychain) 154
  send-lifetime 156
  show key chain 158

CHAPTER 4  Lawful Intercept Commands 161
  lawful-intercept disable 162

CHAPTER 5  Management Plane Protection Commands 163
  address ipv4 (MPP) 164
  allow 166
  control-plane 169
  inband 170
  interface (MPP) 172
  management-plane 174
  out-of-band 175
  show mgmt-plane 177
  vrf (MPP) 179

CHAPTER 6  Public Key Infrastructure Commands 181
  clear crypto ca certificates 183
  clear crypto ca crl 184
  crl optional (trustpoint) 186
  crypto ca authenticate 188
  crypto ca cancel-enroll 190
  crypto ca enroll 191
  crypto ca import 193
  crypto ca trustpoint 194
  crypto key generate dsa 197
  crypto key generate rsa 199
  crypto key import authentication rsa 201
  crypto key zeroize dsa 202
  crypto key zeroize rsa 203
  description (trustpoint) 205
  enrollment retry count 206
  enrollment retry period 208
  enrollment terminal 210
  enrollment url 211
  ip-address (trustpoint) 213
  query url 215
  rsakeypair 217
  serial-number (trustpoint) 218
  sftp-password (trustpoint) 220
  sftp-username (trustpoint) 222
  subject-name (trustpoint) 224
  show crypto ca certificates 226
  show crypto ca crls 228
  show crypto key mypubkey dsa 229
  show crypto key mypubkey rsa 231

CHAPTER 7  Software Authentication Manager Commands 233
  sam add certificate 234
  sam delete certificate 236
  sam prompt-interval 238
  sam verify 240
  show sam certificate 242
  show sam crl 246
  show sam log 248
  show sam package 250
  show sam sysinfo 253

CHAPTER 8  Secure Shell Commands 255
  clear ssh 256
  sftp 258
  sftp (Interactive Mode) 262
  show ssh 265
  show ssh session details 267
  ssh 269
  ssh client knownhost 272
  ssh client source-interface 274
  ssh client vrf 276
  ssh server 278
  ssh server logging 280
  ssh server rate-limit 282
  ssh server session-limit 283
  ssh server v2 285
  ssh timeout 286

CHAPTER 9  Secure Socket Layer Protocol Commands 287
  show ssl 288

Preface

This guide describes the commands used to display and configure system security on Cisco IOS XR software. For System Security configuration information and examples, refer to the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
The preface contains the following sections:
  Changes to This Document, page ix
  Obtaining Documentation and Submitting a Service Request, page ix

Changes to This Document

This table lists the technical changes made to this document since it was first printed.
Table 1: Changes to This Document
  Revision      Date         Change Summary
  OL-24740-01   April 2011   Initial release of this document.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation, at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed to have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.

Authentication, Authorization, and Accounting Commands

This module describes the commands used to configure authentication, authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
  aaa accounting, page 4
  aaa accounting system default, page 7
  aaa accounting system rp-failover, page 9
  aaa accounting update, page 11
  aaa authentication, page 13
  aaa authorization, page 16
  aaa default-taskgroup, page 19
  aaa group server radius, page 20
  aaa group server tacacs+, page 22
  accounting (line), page 24
  authorization (line), page 26
  deadtime (server-group configuration), page 28
  description (AAA), page 30
  group (AAA), page 32
  inherit taskgroup, page 34
  inherit usergroup, page 36
  key (RADIUS), page 38
  key (TACACS+), page 40
  login authentication, page 42
  password (AAA), page 44
  radius-server dead-criteria time, page 46
  radius-server dead-criteria tries, page 48
  radius-server deadtime, page 50
  radius-server key, page 51
  radius-server retransmit, page 52
  radius-server timeout, page 54
  radius source-interface, page 55
  retransmit (RADIUS), page 57
  secret, page 59
  server (RADIUS), page 61
  server (TACACS+), page 63
  server-private (RADIUS), page 65
  server-private (TACACS+), page 68
  show aaa, page 70
  show radius, page 76
  show radius accounting, page 78
  show radius authentication, page 80
  show radius client, page 82
  show radius dead-criteria, page 84
  show radius server-groups, page 86
  show tacacs, page 89
  show tacacs server-groups, page 91
  show user, page 93
  single-connection, page 97
  tacacs-server host, page 99
  tacacs-server key, page 102
  tacacs-server timeout, page 104
  tacacs source-interface, page 105
  task, page 107
  taskgroup, page 109
  timeout (RADIUS), page 111
  timeout (TACACS+), page 113
  timeout login response, page 115
  usergroup, page 117
  username, page 119
  users group, page 123
  vrf (RADIUS), page 125
  vrf (TACACS+), page 127

aaa accounting

To create a method list for accounting, use the aaa accounting command. To remove a list name from the system, use the no form of this command.

  aaa accounting {commands | exec | network | subscriber | system} {default | list-name} {start-stop | stop-only} {none | method}
  no aaa accounting {commands | exec | network} {default | list-name}

Syntax Description
  commands     Enables accounting for EXEC shell commands.
  exec         Enables accounting of an EXEC session.
  network      Enables accounting for all network-related service requests, such as Internet Key Exchange (IKE) and Point-to-Point Protocol (PPP).
  subscriber   Sets accounting lists for subscribers.
  system       Enables accounting for all system-related events.
  default      Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.
  list-name    Character string used to name the accounting method list.
  start-stop   Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
  stop-only    Sends a stop accounting notice at the end of the requested user process.
               Note: This is not supported with system accounting.
  none         Uses no accounting.
  method       Method used to enable AAA system accounting. The value is one of the following options:
               group tacacs+—Uses the list of all TACACS+ servers for accounting.
               group radius—Uses the list of all RADIUS servers for accounting.
               group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.

Command Default
  AAA accounting is disabled.

Command Modes
  Global configuration

Command History
  Release 2.0     This command was introduced.
  Release 3.4.0   The network keyword and method argument were added.

Usage Guidelines
Use the aaa accounting command to create default or named method lists that define specific accounting methods and that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.
The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
Method lists for accounting define the way accounting is performed, enabling you to designate a particular security protocol that is used on specific lines or interfaces for particular types of accounting services.
For minimal accounting, include the stop-only keyword to send a stop accounting notice after the requested user process. For more accounting, you can include the start-stop keyword, so that TACACS+ or RADIUS sends a start accounting notice at the beginning of the requested process and a stop accounting notice after the process. The accounting record is stored only on the TACACS+ or RADIUS server.
The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
Note: This command cannot be used with TACACS or extended TACACS.

Task ID
  Task ID   Operations
  aaa       read, write

Examples
The following example shows how to define a default commands accounting method list, where accounting services are provided by a TACACS+ security server, with a stop-only restriction:
  RP/0/RP0/CPU0:router# configure
  RP/0/RP0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+

Related Commands
  Command                         Description
  aaa authorization, on page 16   Creates a method list for authorization.

aaa accounting system default

To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command. To disable system accounting, use the no form of this command.

  aaa accounting system default {start-stop | stop-only} {none | method}
  no aaa accounting system default

Syntax Description
  start-stop   Sends a start accounting notice during system bootup and a stop accounting notice during system shutdown or reload.
  stop-only    Sends a stop accounting notice during system shutdown or reload.
  none         Uses no accounting.
  method       Method used to enable AAA system accounting. The value is one of the following options:
               group tacacs+—Uses the list of all TACACS+ servers for accounting.
               group radius—Uses the list of all RADIUS servers for accounting.
               group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.

Command Default
  AAA accounting is disabled.

Command Modes
  Global configuration

Command History
  Release 2.0     This command was introduced.
  Release 3.3.0   The method argument was added to specify either group tacacs+, group radius, or group named-group options.

Usage Guidelines
System accounting does not use named accounting lists; you can define only the default list for system accounting.
The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.
You can specify up to four methods in the method list.

Task ID
  Task ID   Operations
  aaa       read, write

Examples
This example shows how to cause a start accounting record to be sent to a TACACS+ server when a router initially boots. A stop accounting record is also sent when a router is shut down or reloaded.
  RP/0/RP0/CPU0:router# configure
  RP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+

Related Commands
  Command                          Description
  aaa authentication, on page 13   Creates a method list for authentication.
  aaa authorization, on page 16    Creates a method list for authorization.

aaa accounting system rp-failover

To create an accounting list to send rp-failover or rp-switchover start or stop accounting messages, use the aaa accounting system rp-failover command in global configuration mode. To disable the system accounting for rp-failover, use the no form of this command.

  aaa accounting system rp-failover {list_name {start-stop | stop-only} | default {start-stop | stop-only}}
  no aaa accounting system rp-failover {list_name {start-stop | stop-only} | default {start-stop | stop-only}}

Syntax Description
  list_name    Specifies the accounting list name.
  default      Specifies the default accounting list.
  start-stop   Enables the start and stop records.
  stop-only    Enables the stop records only.

Command Default
  None

Command Modes
  Global configuration mode

Command History
  Release 4.2.0   This command was introduced.

Usage Guidelines

Task ID
  Task ID   Operation
  aaa       read, write

Examples
This is an example of configuring the aaa accounting system rp-failover command for the default accounting list:
  RP/0/RP0/CPU0:router(config)# aaa accounting system rp-failover default start-stop none

Related Commands
  Command                Description
  aaa attribute format   Creates an AAA attribute format name.

aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command. To disable the interim accounting updates, use the no form of this command.

  aaa accounting update {newinfo | periodic minutes}
  no aaa accounting update

Syntax Description
  newinfo            (Optional) Sends an interim accounting record to the accounting server whenever there is new accounting information to report relating to the user in question.
  periodic minutes   (Optional) Sends an interim accounting record to the accounting server periodically, as defined by the minutes argument, which is an integer that specifies the number of minutes. The range is from 1 to 35791394 minutes.

Command Default
  AAA accounting update is disabled.

Command Modes
  Global configuration

Command History
  Release 3.4.0   This command was introduced.

Usage Guidelines
If the newinfo keyword is used, interim accounting records are sent to the accounting server every time there is new accounting information to report. An example of this report would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record includes the negotiated IP address used by the remote peer.
When used with the periodic keyword, interim accounting records are sent periodically as defined by the minutes argument. The interim accounting record contains all the accounting information recorded for that user up to the time the accounting record is sent.
When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the minutes argument. For example, if you configure the aaa accounting update command with the newinfo and periodic keywords, all users currently logged in continue to generate periodic interim accounting records while new users generate accounting records based on the newinfo algorithm.
Caution: Using the aaa accounting update command with the periodic keyword can cause heavy congestion when many users are logged into the network.
The periodic and newinfo keywords are mutually exclusive; therefore, only one keyword can be configured at a time.

Task ID
  Task ID   Operations
  aaa       read, write

Examples
The following example shows how to send periodic interim accounting records to the RADIUS server at 30-minute intervals:
  RP/0/RP0/CPU0:router# configure
  RP/0/RP0/CPU0:router(config)# aaa accounting update periodic 30
The following example shows how to send interim accounting records to the RADIUS server when there is new accounting information to report:
  RP/0/RP0/CPU0:router# configure
  RP/0/RP0/CPU0:router(config)# aaa accounting update newinfo

Related Commands
  Command                         Description
  aaa accounting, on page 4       Creates a method list for accounting.
  aaa authorization, on page 16   Creates a method list for authorization.

aaa authentication

To create a method list for authentication, use the aaa authentication command. To disable this authentication method, use the no form of this command.

  aaa authentication {login | ppp} {default | list-name | remote} method-list
  no aaa authentication {login | ppp} {default | list-name | remote} method-list

Syntax Description
  login         Sets authentication for login.
  ppp           Sets authentication for Point-to-Point Protocol.
  subscriber    Sets the authentication list for the subscriber.
  default       Uses the listed authentication methods that follow this keyword as the default list of methods for authentication.
  list-name     Character string used to name the authentication method list.
  remote        Uses the listed authentication methods that follow this keyword as the default list of methods for administrative authentication on a remote non-owner secure domain router. The remote keyword is used only with the login keyword and not with the ppp keyword.
                Note: The remote keyword is available only on the administration plane.
  method-list   Method used to enable AAA system accounting. The value is one of the following options:
                group tacacs+—Specifies a method list that uses the list of all configured TACACS+ servers for authentication.
                group radius—Specifies a method list that uses the list of all configured RADIUS servers for authentication.
                group named-group—Specifies a method list that uses a named subset of TACACS+ or RADIUS servers for authentication, as defined by the aaa group server tacacs+ or aaa group server radius command.
                local—Specifies a method list that uses the local username database method for authentication. AAA method rollover happens beyond the local method if the username is not defined in the local group.
                line—Specifies a method list that uses the line password for authentication.

Command Default
  Default behavior applies the local authentication on all ports.

Command Modes
  Global configuration or Administration Configuration

Command History
  Release 2.0     This command was introduced.
  Release 3.3.0   The method-list argument was added to specify either group tacacs+, group radius, group named-group, local, or line options.

Usage Guidelines
Use the aaa authentication command to create a series of authentication methods, or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods (such as TACACS+ or RADIUS) in sequence. The subsequent methods of authentication are used only if the initial method is not available, not if it fails.
The default method list is applied for all interfaces for authentication, except when a different named method list is explicitly specified, in which case the explicitly specified method list overrides the default list.
For console and vty access, if no authentication is configured, a default of local method is applied.
The group tacacs+, group radius, and group group-name forms of this command refer to a set of previously defined TACACS+ or RADIUS servers.
Use the tacacs-server host or radius-server host command to configure the host servers.
Use the aaa group server tacacs+ or aaa group server radius command to create a named subset of servers.
Note: The login keyword, remote keyword, local option, and group option are available only in administration configuration mode.

Task ID
  Task ID   Operations
  aaa       read, write

Examples
The following example shows how to specify the default method list for authentication, and also enable authentication for the console in global configuration mode:
  RP/0/RP0/CPU0:router# configure
  RP/0/RP0/CPU0:router(config)# aaa authentication login default group tacacs+
The following example shows how to specify the remote method list for authentication, and also enable authentication for the console in administration configuration mode:
  RP/0/RP0/CPU0:router# admin
  RP/0/RP0/CPU0:router(admin)# configure
  RP/0/RP0/CPU0:router(admin-config)# aaa authentication login remote local group tacacs+

Related Commands
  Command                                Description
  aaa accounting, on page 4              Creates a method list for accounting.
  aaa authorization, on page 16          Creates a method list for authorization.
  aaa group server radius, on page 20    Groups different RADIUS server hosts into distinct lists and distinct methods.
  aaa group server tacacs+, on page 22   Groups different TACACS+ server hosts into distinct lists and distinct methods.
  login authentication, on page 42       Enables AAA authentication for logins.
  tacacs-server host, on page 99         Specifies a TACACS+ host.

aaa authorization

aaa authorization
To create a method list for authorization, use the aaa authorization command. To disable authorization for a function, use the no form of this command.
aaa authorization {commands| eventmanager| exec| network | subscriber} {default| list-name} {none| local| group {tacacs+| radius| group-name}}
no aaa authorization {commands| eventmanager| exec| network | subscriber} {default| list-name}
Authentication, Authorization, and Accounting Commands
Syntax Description
eventmanager
network
default
list-name
none
local
Configures authorization for all EXEC shell commands.commands
Applies an authorization method for authorizing an event manager (fault manager).
Configures authorization for an interactive ( EXEC) session.exec
Configures authorization for network services, such as PPP or Internet Key Exchange (IKE).
Sets the authorization lists for the subscriber.subscriber
Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
Character string used to name the list of authorization methods.
Uses no authorization. If you specify none, no subsequent authorization methods is attempted. However, the task ID authorization is always required and cannot be disabled.
Uses local authorization. This method of authorization is not available for command authorization.
Uses the list of all configured TACACS+ servers for authorization.group tacacs+
group radius
group group-name
Command Default
Command Modes
Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1
16 OL-24740-01
Authorization is disabled for all actions (equivalent to the method none keyword).
Global configuration
Uses the list of all configured RADIUS servers for authorization. This method of authorization is not available for command authorization.
Uses a named subset of TACACS+ or RADIUS servers for authorization as defined by the aaa group server tacacs+ or aaa group server radius command.
Page 27
Authentication, Authorization, and Accounting Commands
aaa authorization
Command History
Release          Modification
Release 2.0      This command was introduced.
Release 3.6.0    The eventmanager keyword (fault manager) was added.

Usage Guidelines
Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.
Note
The command authorization mentioned here applies to the one performed by an external AAA server and not for task-based authorization.
Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.
Note
Cisco IOS XR software attempts authorization with the next listed method only when there is no response (not a failure) from the previous method. If authorization fails at any point in this cycle, meaning that the security server or local username database responds by denying the user services, the authorization process stops and no other authorization methods are attempted.
The Cisco IOS XR software supports the following methods for authorization:
none—The router does not request authorization information; authorization is not performed over this line or interface.
local—Use the local database for authorization.
group tacacs+—Use the list of all configured TACACS+ servers for authorization.
group radius—Use the list of all configured RADIUS servers for authorization.
group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.
Method lists are specific to the type of authorization being requested. Cisco IOS XR software supports four types of AAA authorization:
Commands authorization—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.
Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1
OL-24740-01 17
Note
Command authorization is distinct from task-based authorization, which is based on the task profile established during authentication.
EXEC authorization—Applies authorization for starting an EXEC session.
Note
The exec keyword is no longer used to authorize the fault manager service. The eventmanager keyword (fault manager) is used to authorize the fault manager service. The exec keyword is used for EXEC authorization.
Network authorization—Applies authorization for network services, such as IKE.
Event manager authorization—Applies an authorization method for authorizing an event manager (fault manager). RADIUS servers are not allowed to be configured for the event manager (fault manager) authorization. You are allowed to use TACACS+ or locald.
Note
The eventmanager keyword (fault manager) replaces the exec keyword to authorize event managers (fault managers).
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
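The fallback rule in the guidelines above (a method that does not respond hands over to the next one; an explicit deny from a server or the local database stops the list) is the detail most often misread when an operator expects "local" to catch a TACACS+ deny. The following Python model is an added example, not IOS XR code and not part of this reference; the Result enum, the method constructors, the constructed server policies and the list named LISTNAME1 are assumptions made for the illustration.

```python
"""Method-list fallback for AAA authorization, as the aaa authorization usage
guidelines describe it: methods are tried in order, the next method is
consulted only when the previous one did not respond, and an explicit deny
ends the sequence.  Constructed simulation, not IOS XR code."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ALLOW = "allow"          # server or local database granted the request
    DENY = "deny"            # server or local database explicitly denied it
    NO_RESPONSE = "timeout"  # nobody answered: fall through to the next method


# A method is a callable taking (user, command) and returning a Result.
Method = Callable[[str, str], Result]


def none_method(user: str, command: str) -> Result:
    """'none': no authorization is requested, so every request is allowed."""
    return Result.ALLOW


def make_local(db: Dict[str, List[str]]) -> Method:
    """'local': authorize against a constructed local database (user -> permitted commands)."""
    def local(user: str, command: str) -> Result:
        return Result.ALLOW if command in db.get(user, []) else Result.DENY
    return local


def make_server_group(servers: List[Tuple[str, Optional[Dict[str, List[str]]]]]) -> Method:
    """'group tacacs+' / 'group <name>': try each configured host in order.
    A host whose policy is None is modelled as unreachable.  The group's
    answer is that of the first host that responds."""
    def group(user: str, command: str) -> Result:
        for _host, policy in servers:
            if policy is None:
                continue  # silent host: try the next host in the group
            return Result.ALLOW if command in policy.get(user, []) else Result.DENY
        return Result.NO_RESPONSE  # every host in the group was silent
    return group


def authorize(method_list: List[Tuple[str, Method]], user: str, command: str) -> Tuple[Result, List[str]]:
    """Walk the method list.  Returns the final result and the names of the
    methods actually consulted, which is what a troubleshooter wants to see."""
    consulted: List[str] = []
    for name, method in method_list:
        consulted.append(name)
        result = method(user, command)
        if result is Result.NO_RESPONSE:
            continue                   # only a silent method hands over to the next one
        return result, consulted       # ALLOW or DENY ends the process
    return Result.DENY, consulted      # all methods exhausted: fail closed


# Constructed sample data: one silent TACACS+ host, one answering host, and a local fallback.
TACACS_GROUP = make_server_group([
    ("10.0.0.5", None),                                    # unreachable
    ("10.0.0.10", {"alice": ["show version", "show run"]}),
])
LOCAL_DB = {"alice": ["show version"], "bob": ["show version"]}

# Equivalent of: aaa authorization commands listname1 group tacacs+ local
LISTNAME1 = [("group tacacs+", TACACS_GROUP), ("local", make_local(LOCAL_DB))]

if __name__ == "__main__":
    for user, cmd in [("alice", "show run"), ("bob", "show version")]:
        print(user, cmd, authorize(LISTNAME1, user, cmd))
```

Running it shows the point of the Note: bob is denied by the TACACS+ group even though the local database would allow him, because the group responded, and "local" is only reached when every TACACS+ host is silent.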
Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to define the network authorization method list named listname1, which specifies that TACACS+ authorization is used:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+

Related Commands
Command                      Description
aaa accounting, on page 4    Creates a method list for accounting.

aaa default-taskgroup

To specify a task group for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command. To remove this default task group, enter the no form of this command.
aaa default-taskgroup taskgroup-name
no aaa default-taskgroup
Syntax Description
taskgroup-name    Name of an existing task group.

Command Default
No default task group is assigned for remote authentication.

Command Modes
Global configuration

Command History
Release        Modification
Release 3.2    This command was introduced.

Usage Guidelines
Use the aaa default-taskgroup command to specify an existing task group for remote TACACS+ authentication.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to specify taskgroup1 as the default task group for remote TACACS+ authentication:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1

aaa group server radius

To group different RADIUS server hosts into distinct lists, use the aaa group server radius command. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name    Character string used to name the group of servers.

Command Default
This command is not enabled.

Command Modes
Global configuration

Command History
Release        Modification
Release 3.2    This command was introduced.

Usage Guidelines
Use the aaa group server radius command to group existing server hosts, which allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses or hostnames of the selected server hosts.
Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and User Datagram Protocol (UDP) port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry acts as an automatic switchover backup to the first host entry. Using this example, if the first host entry fails to provide accounting services, the network access server tries the second host entry on the same device for accounting services. The RADIUS host entries are tried in the order in which they are configured in the server group.
All members of a server group must be the same type, that is, RADIUS.
The server group cannot be named radius or tacacs.
This command enters server group configuration mode. You can use the server command to associate a particular RADIUS server with the defined server group.
Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows the configuration of an AAA group server named radgroup1, which comprises three member servers:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius radgroup1
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706
Note
If the auth-port port-number and acct-port port-number keywords and arguments are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646.

Related Commands
Command                                Description
key (RADIUS), on page 38               Specifies the authentication and encryption key that is used between the router and the RADIUS daemon running on the RADIUS server.
radius source-interface, on page 55    Forces RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets.
retransmit (RADIUS), on page 57        Specifies the number of times a RADIUS request is resent to a server if the server is not responding or is responding slowly.
server (RADIUS), on page 61            Associates a RADIUS server with a defined server group.
server-private (RADIUS), on page 65    Configures the IP address of the private RADIUS server for the group server.
timeout (RADIUS), on page 111          Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.
vrf (RADIUS), on page 125              Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.

aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists, use the aaa group server tacacs+ command. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
group-name    Character string used to name a group of servers.

Command Default
This command is not enabled.

Command Modes
Global configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
The aaa group server tacacs+ command enters server group configuration mode. The server command associates a particular TACACS+ server with the defined server group.
A server group is a list of server hosts of a particular type. The supported server host type is TACACS+ server hosts. A server group is used with a global server host list. The server group lists the IP addresses or hostnames of the selected server hosts.
The server group cannot be named radius or tacacs.
Note
Group name methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.228

Related Commands
Command                           Description
aaa accounting, on page 4         Creates a method list for accounting.
aaa authentication, on page 13    Creates a method list for authentication.
aaa authorization, on page 16     Creates a method list for authorization.
server (TACACS+), on page 63      Specifies the host name or IP address of an external TACACS+ server.
tacacs-server host, on page 99    Specifies a TACACS+ host.

accounting (line)

To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command. To disable AAA accounting services, use the no form of this command.
accounting {commands| exec} {default| list-name}
no accounting {commands| exec}
Syntax Description
commands     Enables accounting on the selected lines for all EXEC shell commands.
exec         Enables accounting of EXEC session.
default      The name of the default method list, created with the aaa accounting command.
list-name    Specifies the name of a list of accounting methods to use. The list is created with the aaa accounting command.

Command Default
Accounting is disabled.

Command Modes
Line template configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists to the selected line or group of lines. If a method list is not specified this way, no accounting is applied to the selected line or group of lines.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# accounting commands listname2

Related Commands
Command                      Description
aaa accounting, on page 4    Creates a method list for accounting.

authorization (line)

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line template configuration mode. To disable authorization, use the no form of this command.
authorization {commands| exec | eventmanager} {default| list-name}
no authorization {commands| exec | eventmanager}
Syntax Description
commands        Enables authorization on the selected lines for all commands.
exec            Enables authorization for an interactive (EXEC) session.
eventmanager    Sets eventmanager authorization method. This method is used for the embedded event manager.
default         Applies the default method list, created with the aaa authorization command.
list-name       Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Default
Authorization is not enabled.

Command Modes
Line template configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
After you use the aaa authorization command to define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to enable command authorization using the method list named listname4 on a line template named configure:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# authorization commands listname4

Related Commands
Command                          Description
aaa authorization, on page 16    Creates a method list for authorization.

deadtime (server-group configuration)

To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.
deadtime minutes
no deadtime
Syntax Description
minutes    Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440.

Command Default
Deadtime is set to 0.

Command Modes
Server-group configuration

Command History
Release          Modification
Release 3.3.0    This command was introduced.

Usage Guidelines
The value of the deadtime set in the server groups overrides the deadtime that is configured globally. If the deadtime is omitted from the server group configuration, the value is inherited from the master list. If the server group is not configured, the default value of 0 applies to all servers in the group. If the deadtime is set to 0, no servers are marked dead.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example specifies a one-minute deadtime for RADIUS server group group1, applied to any server in the group that fails to respond to authentication requests:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
RP/0/RP0/CPU0:router(config-sg-radius)# deadtime 1
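The two behaviours that decide which RADIUS host actually receives a request are described in prose only: the unique (IP address, UDP port) identifier and ordered switchover from the aaa group server radius guidelines, and the deadtime precedence (group value overrides global, omitted inherits, 0 means never marked dead) from this command's guidelines. The following Python model is an added example, not IOS XR code and not part of this reference; ServerGroup, pick_server, effective_deadtime and the constructed responding map are assumptions made for the illustration, and the addresses and ports are sample values.

```python
"""RADIUS server-group host selection with dead-server skipping.  Constructed
model of what the aaa group server radius and deadtime guidelines describe:
hosts are identified by (address, port), so one address may appear more than
once; hosts are tried in configured order; a host that does not respond is
marked dead for the effective deadtime (group value, else global, else 0)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HostId = Tuple[str, int]  # (IP address, UDP port) is the unique identifier


@dataclass
class ServerGroup:
    name: str
    hosts: List[HostId] = field(default_factory=list)
    deadtime: Optional[int] = None  # minutes; None models "deadtime omitted": inherit global
    # host -> minute at which it stops being skipped over
    dead_until: Dict[HostId, float] = field(default_factory=dict)

    def add_server(self, address: str, auth_port: int = 1645) -> bool:
        """server <ip> auth-port <n>: the same address with a different port is a
        distinct host; an identical (address, port) pair is rejected."""
        host = (address, auth_port)
        if host in self.hosts:
            return False
        self.hosts.append(host)
        return True


def effective_deadtime(group: ServerGroup, global_deadtime: int) -> int:
    """Group-level deadtime overrides the global one; an omitted group value inherits it."""
    return global_deadtime if group.deadtime is None else group.deadtime


def pick_server(group: ServerGroup, now_minutes: float, global_deadtime: int,
                responding: Dict[HostId, bool]) -> Optional[HostId]:
    """Try hosts in configured order, skipping those still marked dead.
    `responding` is a constructed stand-in for the network (host -> answered?).
    A host that does not answer is marked dead for the effective deadtime;
    with deadtime 0 nothing is ever marked, so it is retried on every request."""
    deadtime = effective_deadtime(group, global_deadtime)
    for host in group.hosts:
        if group.dead_until.get(host, 0.0) > now_minutes:
            continue                    # skipped over while dead
        if responding.get(host, False):
            return host                 # first live, answering host wins
        if deadtime > 0:
            group.dead_until[host] = now_minutes + deadtime
    return None                         # no host answered


if __name__ == "__main__":
    g = ServerGroup("group1", deadtime=1)
    g.add_server("1.1.1.1", 1645)
    g.add_server("2.2.2.2", 2000)
    net = {("1.1.1.1", 1645): False, ("2.2.2.2", 2000): True}
    print(pick_server(g, 0.0, 5, net), g.dead_until)
```

The model deliberately keeps the dead marking per group, which is why two groups sharing a host can disagree about whether it is dead, something that is worth remembering when a global radius-server deadtime and a group-level value differ.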
Related Commands
Command                                         Description
aaa group server tacacs+, on page 22            Groups different RADIUS server hosts into distinct lists and distinct methods.
radius-server dead-criteria time, on page 46    Forces one or both of the criteria that is used to mark a RADIUS server as dead.
radius-server deadtime, on page 50              Defines the length of time in minutes for a RADIUS server to remain marked dead.

description (AAA)

To create a description of a task group or user group during configuration, use the description command in task group configuration or user group configuration mode. To delete a task group description or user group description, use the no form of this command.
description string
no description
Syntax Description
string    Character string describing the task group or user group.

Command Default
None

Command Modes
Task group configuration
User group configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
Use the description command inside the task or user group configuration submode to define a description for the task or user group, respectively.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the creation of a task group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup alpha
RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup
The following example shows the creation of a user group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup alpha
RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group
Related Commands
Command                   Description
taskgroup, on page 109    Accesses task group configuration mode and configures a task group by associating it with a set of task IDs.
usergroup, on page 117    Accesses user group configuration mode and configures a user group by associating it with a set of task groups.

group (AAA)

To add a user to a group, use the group command in username configuration mode. To remove the user from a group, use the no form of this command.
group {root-system| root-lr| netadmin| sysadmin| operator| cisco-support| serviceadmin| group-name}
no group {root-system| root-lr| netadmin| sysadmin| operator| cisco-support| serviceadmin| group-name}
Syntax Description
root-system      Adds the user to the predefined root-system group. Only users with root-system authority may use this option.
root-lr          Adds the user to the predefined root-lr group. Only users with root-system authority or root-lr authority may use this option.
netadmin         Adds the user to the predefined network administrators group.
sysadmin         Adds the user to the predefined system administrators group.
operator         Adds the user to the predefined operator group.
cisco-support    Adds the user to the predefined Cisco support personnel group.
serviceadmin     Adds the user to the predefined service administrators group.
group-name       Adds the user to a named user group that has already been defined with the usergroup command.

Command Default
None

Command Modes
Username configuration

Command History
Release          Modification
Release 2.0      This command was introduced.
Release 3.3.0    The serviceadmin keyword was added.

Usage Guidelines
The predefined group root-system may be specified only by root-system users while configuring administration.
Use the group command in username configuration mode. To access username configuration mode, use the username, on page 119 command in global configuration mode.
If the group command is used in administration configuration mode, only root-system and cisco-support keywords can be specified.
Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to assign the user group operator to the user named user1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# group operator

Related Commands
Command                         Description
password (AAA), on page 44      Creates a login password for a user.
usergroup, on page 117          Configures a user group and associates it with a set of task groups.
username, on page 119           Accesses username configuration mode, configures a new user with a username, and establishes a password and permissions for that user.

inherit taskgroup

To enable a task group to derive permissions from another task group, use the inherit taskgroup command in task group configuration mode.
inherit taskgroup {taskgroup-name| netadmin| operator| sysadmin| cisco-support| root-lr| root-system| serviceadmin}
Syntax Description
taskgroup-name    Name of the task group from which permissions are inherited.
netadmin          Inherits permissions from the network administrator task group.
operator          Inherits permissions from the operator task group.
sysadmin          Inherits permissions from the system administrator task group.
cisco-support     Inherits permissions from the cisco support task group.
root-lr           Inherits permissions from the root-lr task group.
root-system       Inherits permissions from the root system task group.
serviceadmin      Inherits permissions from the service administrators task group.

Command Default
None

Command Modes
Task group configuration

Command History
Release          Modification
Release 2.0      This command was introduced.
Release 3.3.0    The serviceadmin keyword was added.

Usage Guidelines
Use the inherit taskgroup command to inherit the permissions (task IDs) from one task group into another task group. Any changes made to the task group from which permissions are inherited are reflected immediately in the task group that inherits them.

Task ID
Task ID    Operations
aaa        read, write
Examples
In the following example, the permissions of task group tg2 are inherited by task group tg1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup tg1
RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2
RP/0/RP0/CPU0:router(config-tg)# end

inherit usergroup

To enable a user group to derive characteristics of another user group, use the inherit usergroup command in user group configuration mode.
inherit usergroup usergroup-name
Syntax Description
usergroup-name    Name of the user group from which permissions are to be inherited.

Command Default
None

Command Modes
User group configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
Each user group is associated with a set of task groups applicable to the users in that group. A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. The task permissions for a user are derived (at the start of the EXEC or XML session) from the task groups associated with the user groups to which that user belongs.
User groups support inheritance from other user groups. Use the inherit usergroup command to copy permissions (task ID attributes) from one user group to another user group. The destination user group inherits the properties of the inherited group and forms a union of all task IDs specified in those groups. For example, when user group A inherits user group B, the task map of the user group A is a union of that of A and B. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system users, root-sdr users, netadmin users, and so on. Any changes made to the user group from which properties are inherited are reflected immediately in the user group that inherits them.

Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to enable the purchasing user group to inherit properties from the sales user group:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup purchasing
RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales
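The inheritance rules stated for inherit taskgroup and inherit usergroup (effective task IDs are the union of a group's own and its parents', changes to a parent show up immediately, cyclic inclusion is rejected, and user groups may not inherit predefined groups) are what an auditor checks when reviewing who ends up with which task IDs. The following Python model is an added example, not IOS XR code and not part of this reference; GroupStore, its method names, the kind argument and the constructed task ID strings are assumptions for the illustration.

```python
"""Group inheritance as described for inherit taskgroup / inherit usergroup.
Constructed model, not IOS XR code: a group's effective task IDs are the
union of its own and its inherited groups', inheritance is a live reference
(a parent's later changes show up in the child), cyclic inclusion is
rejected, and user groups may not inherit from predefined groups."""
from typing import Dict, List, Set

# Predefined group names listed in this reference; their task IDs are not modelled
# unless the caller defines them with constructed values.
PREDEFINED = {"root-system", "root-lr", "netadmin", "sysadmin", "operator",
              "cisco-support", "serviceadmin"}


class GroupStore:
    """Holds named groups, each with its own task IDs and a list of parents."""

    def __init__(self) -> None:
        self.own: Dict[str, Set[str]] = {}
        self.parents: Dict[str, List[str]] = {}

    def define(self, name: str, task_ids: Set[str]) -> None:
        self.own[name] = set(task_ids)
        self.parents.setdefault(name, [])

    def _reaches(self, start: str, target: str) -> bool:
        """True if `target` is reachable from `start` by following parent links."""
        seen: Set[str] = set()
        stack = [start]
        while stack:
            g = stack.pop()
            if g == target:
                return True
            if g in seen:
                continue
            seen.add(g)
            stack.extend(self.parents.get(g, []))
        return False

    def inherit(self, child: str, parent: str, kind: str) -> str:
        """Apply `inherit <kind> <parent>` to `child`; returns "ok" or the rejection reason.
        kind is "taskgroup" (predefined parents allowed) or "usergroup" (not allowed)."""
        if parent not in self.own and parent not in PREDEFINED:
            return "rejected: unknown group"
        if kind == "usergroup" and parent in PREDEFINED:
            return "rejected: user groups cannot inherit predefined groups"
        if child == parent or self._reaches(parent, child):
            return "rejected: cyclic inclusion"
        self.parents.setdefault(child, []).append(parent)
        return "ok"

    def effective(self, name: str) -> Set[str]:
        """Union of the group's own task IDs and everything it inherits, computed
        on demand so that edits to a parent are reflected immediately."""
        result: Set[str] = set()
        seen: Set[str] = set()
        stack = [name]
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            result |= self.own.get(g, set())
            stack.extend(self.parents.get(g, []))
        return result


if __name__ == "__main__":
    store = GroupStore()
    store.define("sales", {"bgp:read", "ospf:read"})        # constructed task IDs
    store.define("purchasing", {"acl:read"})
    print(store.inherit("purchasing", "sales", "usergroup"), store.effective("purchasing"))
    print(store.inherit("sales", "purchasing", "usergroup"))   # cycle: rejected
```

Computing the effective set on demand rather than copying at inherit time is what makes the "reflected immediately" rule hold; a snapshot copy would silently drift from the parent.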
Related Commands
Command                          Description
description (AAA), on page 30    Creates a description of a task group in task group configuration mode, or creates a description of a user group in user group configuration mode.
taskgroup, on page 109           Configures a task group to be associated with a set of task IDs.
usergroup, on page 117           Configures a user group to be associated with a set of task groups.

key (RADIUS)

To specify the authentication and encryption key that is used between the router and the RADIUS daemon running on the RADIUS server, use the key (RADIUS) command in RADIUS server-group private configuration mode.
key {0 clear-text-key| 7 encrypted-key| clear-text-key}
no key {0 clear-text-key| 7 encrypted-key| clear-text-key}
Syntax Description
0 clear-text-key    Specifies an unencrypted (cleartext) shared key.
7 encrypted-key     Specifies an encrypted shared key.
clear-text-key      Specifies an unencrypted (cleartext) user password.

Command Default
For submode key commands, the default is to use the radius-server key command in global configuration mode, if defined. If the global key is also not defined, the configuration is not complete.

Command Modes
RADIUS server-group private configuration

Command History
Release          Modification
Release 3.4.0    This command was introduced.

Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to set the encrypted key to anykey:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/RP0/CPU0:router(config-sg-radius-private)# key anykey
Related Commands
Command                                Description
aaa group server tacacs+, on page 22   Groups different RADIUS server hosts into distinct lists.
radius-server key, on page 51          Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
retransmit (RADIUS), on page 57        Specifies the number of times a RADIUS request is resent to a server if the server is not responding or is responding slowly.
server-private (RADIUS), on page 65    Configures the IP address of the private RADIUS server for the group server.
timeout (RADIUS), on page 111          Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.

key (TACACS+)

To specify an authentication and encryption key shared between the AAA server and the TACACS+ server, use the key (TACACS+) command in TACACS host configuration mode. To disable this feature, use the no form of this command.
key {0 clear-text-key| 7 encrypted-key| auth-key}
no key {0 clear-text-key| 7 encrypted-key| auth-key}
Syntax Description
0 clear-text-key    Specifies an unencrypted (cleartext) shared key.
7 encrypted-key     Specifies an encrypted shared key.
auth-key            Specifies the unencrypted key between the AAA server and the TACACS+ server.

Command Default
None

Command Modes
TACACS host configuration

Command History
Release          Modification
Release 3.6.0    This command was introduced.

Usage Guidelines
The TACACS+ packets are encrypted using the key, and it must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the tacacs-server key command for this server only.
The key is used to encrypt the packets exchanged with the TACACS+ server, and it must match the key configured on the external TACACS+ server so that the packets are decrypted properly. If the keys do not match, the exchange fails.

Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to set the encrypted key to anykey:
RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
RP/0/RP0/CPU0:router(config-tacacs-host)# key anykey

Related Commands
Command                           Description
tacacs-server host, on page 99    Specifies a TACACS+ host.
tacacs-server key, on page 102    Globally sets the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon.

login authentication

To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line template configuration mode. To return to the default authentication settings, use the no form of this command.
login authentication {default| list-name}
no login authentication
Syntax Description
default      Default list of AAA authentication methods, as set by the aaa authentication login command.
list-name    Name of the method list used for authenticating. You specify this list with the aaa authentication login command.

Command Default
This command uses the default set with the aaa authentication login command.

Command Modes
Line template configuration

Command History
Release        Modification
Release 2.0    This command was introduced.

Usage Guidelines
The login authentication command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login.
Caution
If you use a list-name value that was not configured with the aaa authentication login command, the configuration is rejected.
Entering the no form of the login authentication command has the same effect as entering the command with the default keyword.
Before issuing this command, create a list of authentication processes by using the aaa authentication login command.

Task ID
Task ID       Operations
aaa           read, write
tty-access    read, write
Examples
The following example shows that the default AAA authentication is used for the line template template1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template template1
RP/0/RP0/CPU0:router(config-line)# login authentication default
The following example shows that the AAA authentication list called list1 is used for the line template template2:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template template2
RP/0/RP0/CPU0:router(config-line)# login authentication list1

Related Commands
Command                           Description
aaa authentication, on page 13    Creates a method list for authentication.
password (AAA)

To create a login password for a user, use the password command in username configuration mode or line template configuration mode. To remove the password, use the no form of this command.

password {[0] | 7} password
no password {0 | 7} password

Syntax Description
0: (Optional) Specifies that an unencrypted clear-text password follows.
7: Specifies that an encrypted password follows.
password: Specifies the unencrypted password text to be entered by the user to log in, for example, lab. If encryption is configured, the password is not visible to the user. Can be up to 253 characters in length.

Command Default
The password is in unencrypted clear text.

Command Modes
Username configuration
Line template configuration

Command History
Release 2.0: This command was introduced.

Usage Guidelines
You can specify one of two types of passwords: encrypted or clear text.

When an EXEC process is started on a line that has password protection, the process prompts for the password. If the user enters the correct password, the process issues the prompt. The user can try three times to enter a password before the process exits and returns the terminal to the idle state.

Passwords are two-way encrypted and should be used for applications such as PPP that need passwords that can be decrypted.

Note: The show running-config command always displays the clear-text login password in encrypted form when the 0 option is used.

Task ID
aaa: read, write

Examples
The following example shows how to establish the unencrypted password pwd1 for the user user1. The output from the show command displays the password in its encrypted form.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# password 0 pwd1
RP/0/RP0/CPU0:router(config-un)# commit
RP/0/RP0/CPU0:router(config-un)# show running-config
Building configuration...
username user1
 password 7 141B1309

Related Commands
group (AAA), on page 32: Adds a user to a group.
usergroup, on page 117: Accesses user group configuration mode and configures a user group, associating it with a set of task groups.
username, on page 119: Accesses username configuration mode and configures a new user with a username, establishing a password and granting permissions for that user.
line: Enters line template configuration mode for the specified line template. For more information, see the Cisco IOS XR System Management Command Reference.
radius-server dead-criteria time

To specify the minimum amount of time, in seconds, that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead, use the radius-server dead-criteria time command in global configuration mode. To disable the criteria that were set, use the no form of this command.

radius-server dead-criteria time seconds
no radius-server dead-criteria time seconds

Syntax Description
seconds: Length of time, in seconds. The range is from 1 to 120 seconds. If the seconds argument is not configured, the number of seconds ranges from 10 to 60, depending on the transaction rate of the server.
Note: The time criterion must be met for the server to be marked as dead.

Command Default
If this command is not used, the number of seconds ranges from 10 to 60 seconds, depending on the transaction rate of the server.

Command Modes
Global configuration

Command History
Release 3.3.0: This command was introduced.

Usage Guidelines
Note: If you configure the radius-server dead-criteria time command before the radius-server deadtime command, the radius-server dead-criteria time command may not be enforced.

If a packet has not been received since the router booted and there is a timeout, the time criterion is treated as though it were met.

Task ID
aaa: read, write

Examples
The following example shows how to establish the time for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria time command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server dead-criteria time 5

Related Commands
radius-server dead-criteria tries, on page 48: Specifies the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead.
radius-server deadtime, on page 50: Defines the length of time, in minutes, for a RADIUS server to remain marked dead.
show radius dead-criteria, on page 84: Displays information for the dead-server detection criteria.
radius-server dead-criteria tries

To specify the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead, use the radius-server dead-criteria tries command. To disable the criteria that were set, use the no form of this command.

radius-server dead-criteria tries tries
no radius-server dead-criteria tries tries

Syntax Description
tries: Number of timeouts from 1 to 100. If the tries argument is not configured, the number of consecutive timeouts ranges from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.
Note: The tries criterion must be met for the server to be marked as dead.

Command Default
If this command is not used, the number of consecutive timeouts ranges from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.

Command Modes
Global configuration

Command History
Release 3.3.0: This command was introduced.

Usage Guidelines
If the server performs both authentication and accounting, both types of packet are included in the number. Improperly constructed packets are counted as though they were timeouts. All transmissions, including the initial transmit and all retransmits, are counted.

Note: If you configure the radius-server dead-criteria tries command before the radius-server deadtime command, the radius-server dead-criteria tries command may not be enforced.

Task ID
aaa: read, write

Examples
The following example shows how to establish the number of tries for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria tries command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server dead-criteria tries 4

Related Commands
radius-server dead-criteria time, on page 46: Defines the length of time in seconds that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead.
radius-server deadtime, on page 50: Defines the length of time, in minutes, for a RADIUS server to remain marked dead.
show radius dead-criteria, on page 84: Displays information for the dead-server detection criteria.
radius-server deadtime

To improve RADIUS response times when some servers are unavailable and cause the unavailable servers to be skipped immediately, use the radius-server deadtime command. To set deadtime to 0, use the no form of this command.

radius-server deadtime value
no radius-server deadtime value

Syntax Description
value: Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440. The default value is 0.

Command Default
Dead time is set to 0.

Command Modes
Global configuration mode

Command History
Release 3.3.0: This command was introduced.

Usage Guidelines
A RADIUS server marked as dead is skipped by additional requests for the configured number of minutes unless all other servers are marked dead and there is no rollover method.

Task ID
aaa: read, write

Examples
This example specifies five minutes of deadtime for RADIUS servers that fail to respond to authentication requests for the radius-server deadtime command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server deadtime 5
radius-server key

To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command. To disable the key, use the no form of this command.

radius-server key {0 clear-text-key | 7 encrypted-key | clear-text-key}
no radius-server key

Syntax Description
0 clear-text-key: Specifies an unencrypted (cleartext) shared key.
7 encrypted-key: Specifies an encrypted shared key.
clear-text-key: Specifies an unencrypted (cleartext) shared key.

Command Default
The authentication and encryption key is disabled.

Command Modes
Global configuration mode

Command History
Release 3.2: This command was introduced.

Usage Guidelines
The key entered must match the key used on the RADIUS server. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Task ID
aaa: read, write

Examples
This example shows how to set the cleartext key to samplekey:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server key 0 samplekey

This example shows how to set the encrypted shared key to anykey:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server key 7 anykey
radius-server retransmit

To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command. The no form of this command sets it to the default value of 3.

radius-server retransmit {retries | disable}
no radius-server retransmit {retries | disable}

Syntax Description
retries: Maximum number of retransmission attempts. The range is from 1 to 100. Default is 3.
disable: Disables the radius-server retransmit command.

Command Default
The RADIUS servers are retried three times, or until a response is received.

Command Modes
Global configuration mode

Command History
Release 3.2: This command was introduced.

Usage Guidelines
The RADIUS client tries all servers, allowing each one to time out before increasing the retransmit count.

Task ID
aaa: read, write

Examples
This example shows how to specify a retransmit counter value of five times:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server retransmit 5

Related Commands
radius-server key, on page 51: Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server timeout

To set the interval for which a router waits for a server host to reply before timing out, use the radius-server timeout command. To restore the default, use the no form of this command.

radius-server timeout seconds
no radius-server timeout

Syntax Description
seconds: Number that specifies the timeout interval, in seconds. Range is from 1 to 1000.

Command Default
The default radius-server timeout value is 5 seconds.

Command Modes
Global configuration mode

Command History
Release 3.2: This command was introduced.

Usage Guidelines
Use the radius-server timeout command to set the number of seconds a router waits for a server host to reply before timing out.

Task ID
aaa: read, write

Examples
This example shows how to change the interval timer to 10 seconds:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server timeout 10
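The five global commands above (radius-server timeout, radius-server retransmit, radius-server dead-criteria time, radius-server dead-criteria tries and radius-server deadtime) describe one failover algorithm between them. The following Python model is an added illustration of how those rules interact; it is not Cisco's implementation and not code from this reference. Every server is tried with the configured timeout before the retransmit count increases, a server is marked dead only when both dead criteria are met and deadtime is non-zero, and a dead server is skipped while some other server is alive. It assumes that each unanswered transmission costs exactly the timeout value and that a model clock starts at router boot; the server addresses are constructed.

```python
"""Model of RADIUS server failover and dead-server detection, following the
radius-server timeout / retransmit / dead-criteria / deadtime entries.
Added illustration, not Cisco's implementation. Assumptions: every unanswered
transmission costs exactly `timeout` seconds, and the model clock starts at 0
(router boot), so a server that never answered has no last valid packet."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ServerState:
    addr: str
    last_valid_rx: Optional[float] = None  # time of the last valid packet from this server
    consecutive_timeouts: int = 0          # counts the initial transmit and every retransmit
    dead_until: Optional[float] = None     # set once both dead criteria are met


@dataclass
class RadiusClientModel:
    servers: List[str]
    timeout: float = 5.0        # radius-server timeout (seconds), default 5
    retransmit: int = 3         # radius-server retransmit, default 3
    dead_time: float = 60.0     # radius-server dead-criteria time (seconds)
    dead_tries: int = 10        # radius-server dead-criteria tries
    deadtime_minutes: int = 0   # radius-server deadtime (minutes), default 0 = never skip
    now: float = 0.0            # model clock (assumption: 0 is router boot)
    events: List[str] = field(default_factory=list)
    states: Dict[str, ServerState] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        self.states = {addr: ServerState(addr) for addr in self.servers}

    def is_dead(self, s: ServerState) -> bool:
        return s.dead_until is not None and self.now < s.dead_until

    def _check_dead_criteria(self, s: ServerState) -> None:
        # Time criterion: dead-criteria time has elapsed since the last valid
        # packet; a server that has not answered since boot is treated as meeting it.
        time_met = s.last_valid_rx is None or self.now - s.last_valid_rx >= self.dead_time
        # Tries criterion: enough consecutive timeouts, all transmissions counted.
        tries_met = s.consecutive_timeouts >= self.dead_tries
        # Both criteria must be met, and with deadtime 0 nothing is ever skipped.
        if time_met and tries_met and self.deadtime_minutes > 0:
            s.dead_until = self.now + self.deadtime_minutes * 60
            self.events.append(f"t={self.now:g}: {s.addr} marked dead until t={s.dead_until:g}")

    def send(self, responder: Callable[[str], bool]) -> Tuple[Optional[str], float]:
        """Send one request through the server list.

        `responder(addr)` returns True when that server answers within the timeout.
        Returns (address that answered or None, seconds spent waiting)."""
        start = self.now
        all_dead = all(self.is_dead(s) for s in self.states.values())
        # Initial transmit plus `retransmit` retransmits. Every server is allowed
        # to time out before the retransmit count is increased.
        for _ in range(self.retransmit + 1):
            for s in self.states.values():
                if self.is_dead(s) and not all_dead:
                    continue  # dead servers are skipped while some server is still alive
                if responder(s.addr):
                    s.last_valid_rx = self.now
                    s.consecutive_timeouts = 0
                    return s.addr, self.now - start
                self.now += self.timeout
                s.consecutive_timeouts += 1
                self._check_dead_criteria(s)
        return None, self.now - start


if __name__ == "__main__":
    # Constructed scenario: the first server never answers, the second always does.
    model = RadiusClientModel(["10.0.0.1", "10.0.0.2"], timeout=2, retransmit=1,
                              dead_time=10, dead_tries=2, deadtime_minutes=1)

    def second_only(addr: str) -> bool:
        return addr == "10.0.0.2"

    for _ in range(3):
        print(model.send(second_only))  # latency drops to 0 once 10.0.0.1 is marked dead
    print(model.events)
```

Running the module shows the request latency falling from one timeout to zero once the unresponsive server is marked dead, which is the response-time improvement the radius-server deadtime entry describes; with deadtime left at its default of 0 the same server keeps costing a timeout on every request, and the ordering caveat in the dead-criteria entries (configure deadtime first) is why the model refuses to mark anything dead while deadtime is 0.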
radius source-interface

To force RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the radius source-interface command. To remove the specified interface as the source for all outgoing RADIUS packets, use the no form of this command.

radius source-interface interface-name [vrf vrf-name]
no radius source-interface interface-name

Syntax Description
interface-name: Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-name: Specifies the name of the assigned VRF.

Command Default
If a specific source interface is not configured, or the interface is down or does not have an IP address configured, the system selects an IP address.

Command Modes
Global configuration mode

Command History
Release 3.2: This command was introduced.
Release 3.4.0: The vrf keyword was added.

Usage Guidelines
Use the radius source-interface command to set the IP address of the specified interface or subinterface for all outgoing RADIUS packets. This address is used as long as the interface or subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

The specified interface or subinterface must have an IP address associated with it. If the specified interface or subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the interface or subinterface or bring the interface to the up state.

The radius source-interface command is especially useful in cases in which the router has many interfaces or subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

Task ID
aaa: read, write

Examples
This example shows how to make RADIUS use the IP address of interface loopback 10 in VRF vrf1 for all outgoing RADIUS packets:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius source-interface loopback 10 vrf vrf1
retransmit (RADIUS)

To specify the number of times a RADIUS request is resent to a server if the server is not responding or is responding slowly, use the retransmit command in RADIUS server-group private configuration mode.

retransmit retries
no retransmit retries

Syntax Description
retries: The retries argument specifies the retransmit value. The range is from 1 to 100. If no retransmit value is specified, the global value is used.

Command Default
The default value is 3.

Command Modes
RADIUS server-group private configuration

Command History
Release 3.4.0: This command was introduced.

Task ID
aaa: read, write

Examples
The following example shows how to set the retransmit value:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/RP0/CPU0:router(config-sg-radius-private)# retransmit 100

Related Commands
aaa group server tacacs+, on page 22: Groups different RADIUS server hosts into distinct lists.
server-private (RADIUS), on page 65: Configures the IP address of the private RADIUS server for the group server.
timeout (RADIUS), on page 111: Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.
secret

To configure an MD5-encrypted secret to be associated with an encrypted username, use the secret command in username configuration mode or line template configuration mode. To remove the secure secret, use the no form of this command.

secret {[0] | 5} secret-login
no secret {0 | 5} secret-login

Syntax Description
0: (Optional) Specifies that an unencrypted (clear-text) password follows. The password will be encrypted for storage in the configuration using an MD5 encryption algorithm. Otherwise, the password is not encrypted.
5: Specifies that an encrypted MD5 password (secret) follows.
secret-login: Text string in alphanumeric characters that is stored as the MD5-encrypted password entered by the user in association with the user's login ID. Can be up to 253 characters in length.
Note: The characters entered must conform to MD5 encryption standards.

Command Default
No password is specified.

Command Modes
Username configuration
Line template configuration

Command History
Release 2.0: This command was introduced.
Release 3.3.0: The password argument was replaced with the secret-login argument.

Usage Guidelines
Cisco IOS XR software allows you to configure Message Digest 5 (MD5) encryption for username logins and passwords. MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear-text passwords. Therefore, MD5 encrypted passwords cannot be used with protocols that require the clear-text password to be retrievable, such as Challenge Handshake Authentication Protocol (CHAP).

You can specify one of two types of secure secret IDs: encrypted (5) or clear text (0). If you do not select either 0 or 5, the clear-text password you enter is not encrypted.

When an EXEC process is started on a line that has password protection, the process prompts for the secret. If the user enters the correct secret, the process issues the prompt. The user can try entering the secret three times before the terminal returns to the idle state.

Secrets are one-way encrypted and should be used for login activities that do not require a decryptable secret.

To verify that MD5 password encryption has been enabled, use the show running-config command. If the username name secret 5 line appears in the command output, enhanced password security is enabled.

Note: The show running-config command does not display the login password in clear text when the 0 option is used to specify an unencrypted password. See the Examples section.

Task ID
aaa: read, write

Examples
The following example shows how to establish the clear-text secret lab for the user user2:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user2
RP/0/RP0/CPU0:router(config-un)# secret 0 lab
RP/0/RP0/CPU0:router(config-un)# commit
RP/0/RP0/CPU0:router(config-un)# show running-config
Building configuration...
username user2
 secret 5 $1$DTmd$q7C6fhzje7Cc7Xzmu2Frx1
!
end

Related Commands
group (AAA), on page 32: Adds a user to a group.
password (AAA), on page 44: Creates a login password for a user.
usergroup, on page 117: Accesses user group configuration mode and configures a user group, associating it with a set of task groups.
username, on page 119: Accesses username configuration mode and configures a new user with a username, establishing a password and granting permissions for that user.
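As an added example that is not part of the command reference, the following Python script audits a constructed IOS XR running-config for the points the password (AAA) and secret entries make about credential storage, and for the login authentication rule that a line template may only reference a list created with aaa authentication login. It flags users whose credential is a two-way password (type 0 or 7) rather than a one-way secret (type 5), secrets that are not MD5-crypt strings of the $1$salt$hash form, users without any credential, and templates that reference an undefined login list. The configuration text is constructed: it reuses the page's sample type 7 string and MD5 hash, while the usernames, templates, group and list names are made up.

```python
"""Audit an IOS XR running-config for the credential-storage and login-list
points made in the login authentication, password (AAA) and secret entries.
Added example, not part of the command reference; the configuration below is
constructed (it reuses the page's sample type 7 string and MD5-crypt hash)."""
import re
from typing import Dict, List, Tuple

SAMPLE_RUNNING_CONFIG = """\
aaa authentication login list1 group tac1 local
username user1
 password 7 141B1309
!
username user2
 secret 5 $1$DTmd$q7C6fhzje7Cc7Xzmu2Frx1
!
username user3
 group netadmin
!
line template template1
 login authentication default
!
line template template2
 login authentication list1
!
line template template3
 login authentication list9
!
"""

# Shape of an MD5-crypt string as stored by secret 5: $1$<salt>$<22 hash chars>.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (top-level line, [indented sub-lines]) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and "!" block terminators carry no content
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> Dict[str, list]:
    findings: Dict[str, list] = {
        "reversible_passwords": [],   # users whose credential is a password (type 0 or 7)
        "malformed_secrets": [],      # secrets that are not an MD5-crypt string
        "no_credential": [],          # users with neither password nor secret
        "undefined_login_lists": [],  # (template, list) where the list was never created
    }
    blocks = parse_blocks(config)
    # "default" always exists; any other list must come from aaa authentication login.
    login_lists = {"default"}
    for header, _ in blocks:
        m = re.match(r"aaa authentication login (\S+)", header)
        if m:
            login_lists.add(m.group(1))
    for header, body in blocks:
        words = header.split()
        if words[:1] == ["username"]:
            user = words[1]
            has_credential = False
            for line in body:
                parts = line.split()
                if parts[0] == "password":
                    has_credential = True          # type 0/7: two-way, recoverable
                    findings["reversible_passwords"].append(user)
                elif parts[0] == "secret":
                    has_credential = True          # type 5: one-way MD5-crypt
                    if len(parts) < 3 or parts[1] != "5" or not MD5_CRYPT.match(parts[2]):
                        findings["malformed_secrets"].append(user)
            if not has_credential:
                findings["no_credential"].append(user)
        elif words[:2] == ["line", "template"]:
            for line in body:
                parts = line.split()
                if parts[:2] == ["login", "authentication"] and len(parts) == 3:
                    if parts[2] not in login_lists:
                        findings["undefined_login_lists"].append((words[2], parts[2]))
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{category}: {items}")
```

The script only reads what show running-config already displays; because the page states that a clear-text password is stored as type 7 and a clear-text secret as type 5, a running-config never contains the clear-text value, so the audit classifies by the stored type rather than by any value.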
server (RADIUS)

To associate a particular RADIUS server with a defined server group, use the server command in RADIUS server-group configuration mode. To remove the associated server from the server group, use the no form of this command.

server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]

Syntax Description
ip-address: IP address of the RADIUS server host.
auth-port port-number: (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. Default is 1645.
acct-port port-number: (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0. Default is 1646.

Command Default
If no port attributes are defined, the defaults are as follows:
Authentication port: 1645
Accounting port: 1646

Command Modes
RADIUS server-group configuration

Command History
Release 3.2: This command was introduced.

Usage Guidelines
Use the server command to associate a particular RADIUS server with a defined server group.

There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.

When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server based on their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry configured acts as an automatic switchover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order they are configured.)

Task ID
aaa: read, write

Examples
The following example shows how to use two different host entries on the same RADIUS server that are configured for the same services, authentication and accounting. The second host entry configured acts as switchover backup to the first one.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001

Related Commands
aaa group server radius, on page 20: Groups different RADIUS server hosts into distinct lists and distinct methods.
deadtime (server-group configuration), on page 28: Configures the deadtime value at the RADIUS server group level.
server-private (RADIUS), on page 65: Configures the IP address of the private RADIUS server for the group server.
server (TACACS+)

To associate a particular TACACS+ server with a defined server group, use the server command in TACACS+ server-group configuration mode. To remove the associated server from the server group, use the no form of this command.

server {hostname | ip-address}
no server {hostname | ip-address}

Syntax Description
hostname: Character string used to name the server host.
ip-address: IP address of the server host.

Command Default
None

Command Modes
TACACS+ server-group configuration

Command History
Release 2.0: This command was introduced.

Usage Guidelines
The server need not be accessible during configuration. Later, you can reference the configured server group from the method lists used to configure authentication, authorization, and accounting (AAA).

Task ID
aaa: read, write

Examples
The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15 with the server group tac1:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15

Related Commands
aaa group server tacacs+, on page 22: Groups different TACACS+ server hosts into distinct lists.
server-private (RADIUS)

To configure the IP address of the private RADIUS server for the group server, use the server-private command in RADIUS server-group configuration mode. To remove the associated private server from the AAA group server, use the no form of this command.

server-private ip-address [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
no server-private ip-address [auth-port port-number] [acct-port port-number]

Syntax Description
ip-address: IP address of the RADIUS server host.
auth-port port-number: (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. The default value is 1645.
acct-port port-number: (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0. The default value is 1646.
timeout seconds: (Optional) Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting. The setting overrides the global value of the radius-server timeout command. The seconds argument specifies the timeout value in seconds. The range is from 1 to 1000. If no timeout is specified, the global value is used.
retransmit retries: (Optional) Specifies the number of times a RADIUS request is resent to a server if the server is not responding or is responding slowly. The setting overrides the global setting of the radius-server retransmit command. The retries argument specifies the retransmit value. The range is from 1 to 100. If no retransmit value is specified, the global value is used.
key string: (Optional) Specifies the authentication and encryption key that is used between the router and the RADIUS daemon running on the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

Command Default
If no port attributes are defined, the defaults are as follows:
Authentication port: 1645
Accounting port: 1646

Command Modes
RADIUS server-group configuration

Command History
Release 3.4.0: This command was introduced.

Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. Overlapping of IP addresses between VRF instances is permitted. Private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (for example, default radius server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the configuration and the definitions of private servers.

Both the auth-port and acct-port keywords enter RADIUS server-group private configuration mode.

Task ID
aaa: read, write

Examples
The following example shows how to define the group1 RADIUS group server, to associate private servers with it, and to enter RADIUS server-group private configuration mode:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 timeout 5
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 retransmit 3
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 key coke
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
RP/0/RP0/CPU0:router(config-sg-radius-private)# exit
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 timeout 5
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 retransmit 3
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 key coke
RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 auth-port 300
RP/0/RP0/CPU0:router(config-sg-radius-private)#

Related Commands
aaa group server tacacs+, on page 22: Groups different RADIUS server hosts into distinct lists and distinct methods.
radius-server key, on page 51: Sets the authentication and encryption key for all RADIUS communication between the router and the RADIUS daemon.
radius-server retransmit, on page 52: Specifies the number of times the Cisco IOS XR software retransmits a packet to a server before giving up.
radius-server timeout, on page 54: Sets the interval for which a router waits for a server host to reply before timing out.
key (RADIUS), on page 38: Specifies the authentication and encryption key that is used between the router and the RADIUS daemon running on the RADIUS server.
retransmit (RADIUS), on page 57: Specifies the number of times a RADIUS request is resent to a server if the server is not responding or is responding slowly.
timeout (RADIUS), on page 111: Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.
vrf (RADIUS), on page 125: Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
server-private (TACACS+)
To configure the IP address of the private TACACS+ server for the group server, use the server-private command in TACACS+ server-group configuration mode. To remove the associated private server from the AAA group server, use the no form of this command.
server-private {hostname| ip-address} [port port-number] [timeout seconds] [key string]
no server-private {hostname| ip-address}
Syntax Description
hostname: Character string used to name the server host.
ip-address: IP address of the TACACS+ server host.
port port-number: (Optional) Specifies a server port number. This option overrides the default, which is port 49. Valid port numbers range from 1 to 65535.
timeout seconds: (Optional) Specifies, in seconds, a timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server. This option overrides the global timeout value set with the tacacs-server timeout command for only this server. The range is from 1 to 1000. The default is 5.
key string: (Optional) Specifies the authentication and encryption key that is used between the router and the TACACS+ daemon running on the TACACS+ server. This key overrides the global setting of the tacacs-server key command. If no key string is specified, the global value is used.

Command Default
The port-number argument, if not specified, defaults to the standard port 49.
The seconds argument, if not specified, defaults to 5 seconds.
Command Modes
TACACS+ server-group configuration

Command History
Release 4.1.0: This command was introduced.

Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. Overlapping IP addresses between VRF instances are permitted. Private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (for example, the default TACACS+ server group) can still be referred to by IP address and port number. Therefore, the list of servers in a server group includes both references to the hosts in the global configuration and the definitions of private servers.

Task ID
aaa: read, write

Examples
This example shows how to define the myserver TACACS+ group server, to associate private servers with it, and to enter TACACS+ server-group private configuration mode:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ myserver
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 timeout 5
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 key a_secret
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 port 51
RP/0/RP0/CPU0:router(config-sg-tacacs-private)# exit
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 timeout 5
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 key coke
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 port 300
RP/0/RP0/CPU0:router(config-sg-tacacs-private)#

Related Commands
aaa group server tacacs+, on page 22: Groups different TACACS+ server hosts into distinct lists and distinct methods.
tacacs-server key, on page 102: Sets the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon.
tacacs-server timeout, on page 104: Sets the interval for which a router waits for a server host to reply before timing out.
key (TACACS+), on page 40: Specifies an authentication and encryption key shared between the AAA server and the TACACS+ server.
timeout (TACACS+), on page 113: Specifies a timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server.
vrf (TACACS+), on page 127: Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA TACACS+ server group.
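As an added illustration, not part of the Cisco reference, the following Python encodes the constraints this entry states for server-private (TACACS+) (port 1 to 65535 with default 49; timeout 1 to 1000 with default 5; a private key overriding the global tacacs-server key) and emits the same command sequence the sample above types by hand, refusing to render a group that fails validation. The PrivateServer and TacacsServerGroup types and the global_key_configured flag are assumptions made for the example: whether a global key exists must be supplied by the caller, because nothing in the group definition itself records it.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Limits and defaults as stated for server-private (TACACS+) in this reference.
DEFAULT_PORT = 49          # standard TACACS+ port
DEFAULT_TIMEOUT = 5        # seconds
PORT_RANGE = range(1, 65536)
TIMEOUT_RANGE = range(1, 1001)


@dataclass
class PrivateServer:
    host: str                    # hostname or IP address of the TACACS+ server
    port: int = DEFAULT_PORT
    timeout: int = DEFAULT_TIMEOUT
    key: Optional[str] = None    # None: the global tacacs-server key applies


@dataclass
class TacacsServerGroup:
    name: str
    servers: List[PrivateServer] = field(default_factory=list)
    # Assumption for the example: the caller states whether a global
    # tacacs-server key exists, since the group itself does not record it.
    global_key_configured: bool = False


def validate_group(group: TacacsServerGroup) -> List[str]:
    """Return the problems found; an empty list means the group can be rendered."""
    problems = []
    if not group.servers:
        problems.append(f"group {group.name!r} has no servers")
    seen = set()
    for s in group.servers:
        if s.port not in PORT_RANGE:
            problems.append(f"{s.host}: port {s.port} outside 1-65535")
        if s.timeout not in TIMEOUT_RANGE:
            problems.append(f"{s.host}: timeout {s.timeout} outside 1-1000")
        if s.key is None and not group.global_key_configured:
            # Neither a private nor a global key: no shared secret for this server.
            problems.append(f"{s.host}: no key configured (private or global)")
        if (s.host, s.port) in seen:
            problems.append(f"{s.host}: duplicate entry for port {s.port}")
        seen.add((s.host, s.port))
    return problems


def build_commands(group: TacacsServerGroup) -> List[str]:
    """Emit the CLI lines in the order the sample in this reference uses.
    Following that sample, 'port' enters server-group private mode, so an
    'exit' is emitted after it for every server."""
    problems = validate_group(group)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["configure", f"aaa group server tacacs+ {group.name}"]
    for s in group.servers:
        cmds.append(f"server-private {s.host} timeout {s.timeout}")
        if s.key is not None:
            cmds.append(f"server-private {s.host} key {s.key}")
        cmds.append(f"server-private {s.host} port {s.port}")
        cmds.append("exit")
    return cmds


if __name__ == "__main__":
    # Reproduces the 'myserver' group from the sample above.
    grp = TacacsServerGroup("myserver", [
        PrivateServer("10.1.1.1", port=51, key="a_secret"),
        PrivateServer("10.2.2.2", port=300, key="coke"),
    ])
    print("\n".join(build_commands(grp)))
```

The check worth keeping in a change-review pipeline is the key one: a server-private entry with neither a private key nor a global tacacs-server key leaves that server's TACACS+ exchange without any shared secret, and the router will accept the configuration without complaint.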
show aaa
To display information about an Internet Key Exchange (IKE) Security Protocol group, user group, local user, login traces, or task group; to list all task IDs associated with all IKE groups, user groups, local users, or task groups in the system; or to list all task IDs for a specified IKE group, user group, local user, or task group, use the show aaa command.
show aaa {ikegroup ikegroup-name | login trace | usergroup [usergroup-name] | trace | userdb [username] | task supported | taskgroup [root-lr | netadmin | operator | sysadmin | root-system | service-admin | cisco-support | taskgroup-name]}
Syntax Description
ikegroup: Displays details for all IKE groups.
ikegroup-name: (Optional) IKE group whose details are to be displayed.
login trace: Displays trace data for the login subsystem.
usergroup: Displays details for all user groups.
usergroup-name: (Optional) Usergroup name.
root-lr: (Optional) Usergroup name.
netadmin: (Optional) Usergroup name.
operator: (Optional) Usergroup name.
sysadmin: (Optional) Usergroup name.
root-system: (Optional) Usergroup name.
cisco-support: (Optional) Usergroup name.
trace: Displays trace data for the AAA subsystem.
userdb: Displays details for all local users and the usergroups to which each user belongs.
username: (Optional) User whose details are to be displayed.
task supported: Displays all AAA task IDs available.
taskgroup: Displays details for all task groups.
taskgroup-name: (Optional) Task group whose details are to be displayed.
Note: For the taskgroup keywords, see the optional usergroup name keyword list.
Command Default
Details for all user groups, all local users, or all task groups are listed if no argument is entered.

Command Modes
EXEC

Command History
Release 2.0: This command was introduced.
Release 3.4.0: The ikegroup keyword was added.
Release 3.5.0: The show task supported command was removed and its topic was added as a keyword for the show aaa command.

Usage Guidelines
Use the show aaa command to list details for all IKE groups, user groups, local users, AAA task IDs, or task groups in the system. Use the optional ikegroup-name, usergroup-name, username, or taskgroup-name argument to display the details for a specified IKE group, user group, user, or task group, respectively.

Task ID
aaa: read

Examples
The following sample output is from the show aaa command, using the ikegroup keyword:

RP/0/RP0/CPU0:router# show aaa ikegroup
IKE Group ike-group
Max-Users = 50
IKE Group ikeuser
Group-Key = test-password
Default Domain = cisco.com
IKE Group ike-user

The following sample output is from the show aaa command, using the usergroup keyword:

RP/0/RP0/CPU0:router# show aaa usergroup operator
User group 'operator'
Inherits from task group 'operator'
User group 'operator' has the following combined set of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
The following sample output is from the show aaa command, using the taskgroup keyword for a task group named netadmin:

RP/0/RP0/CPU0:router# show aaa taskgroup netadmin
Task group 'netadmin'
Task group 'netadmin' has the following combined set
of task IDs (including all inherited groups):
Task: aaa : READ
Task: acl : READ WRITE EXECUTE DEBUG
Task: admin : READ
Task: ancp : READ WRITE EXECUTE DEBUG
Task: atm : READ WRITE EXECUTE DEBUG
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: bcdl : READ
Task: bfd : READ WRITE EXECUTE DEBUG
Task: bgp : READ WRITE EXECUTE DEBUG
Task: boot : READ WRITE EXECUTE DEBUG
Task: bundle : READ WRITE EXECUTE DEBUG
Task: cdp : READ WRITE EXECUTE DEBUG
Task: cef : READ WRITE EXECUTE DEBUG
Task: cgn : READ WRITE EXECUTE DEBUG
Task: config-mgmt : READ WRITE EXECUTE DEBUG
Task: config-services : READ WRITE EXECUTE DEBUG
Task: crypto : READ WRITE EXECUTE DEBUG
Task: diag : READ WRITE EXECUTE DEBUG
Task: drivers : READ
Task: dwdm : READ WRITE EXECUTE DEBUG
Task: eem : READ WRITE EXECUTE DEBUG
Task: eigrp : READ WRITE EXECUTE DEBUG
Task: ethernet-services : READ
Task: ext-access : READ WRITE EXECUTE DEBUG
Task: fabric : READ WRITE EXECUTE DEBUG
Task: fault-mgr : READ WRITE EXECUTE DEBUG
Task: filesystem : READ WRITE EXECUTE DEBUG
Task: firewall : READ WRITE EXECUTE DEBUG
Task: fr : READ WRITE EXECUTE DEBUG
Task: hdlc : READ WRITE EXECUTE DEBUG
Task: host-services : READ WRITE EXECUTE DEBUG
Task: hsrp : READ WRITE EXECUTE DEBUG
Task: interface : READ WRITE EXECUTE DEBUG
Task: inventory : READ
Task: ip-services : READ WRITE EXECUTE DEBUG
Task: ipv4 : READ WRITE EXECUTE DEBUG
Task: ipv6 : READ WRITE EXECUTE DEBUG
Task: isis : READ WRITE EXECUTE DEBUG
Task: l2vpn : READ WRITE EXECUTE DEBUG
Task: li : READ WRITE EXECUTE DEBUG
Task: logging : READ WRITE EXECUTE DEBUG
Task: lpts : READ WRITE EXECUTE DEBUG
Task: monitor : READ
Task: mpls-ldp : READ WRITE EXECUTE DEBUG
Task: mpls-static : READ WRITE EXECUTE DEBUG
Task: mpls-te : READ WRITE EXECUTE DEBUG
Task: multicast : READ WRITE EXECUTE DEBUG
Task: netflow : READ WRITE EXECUTE DEBUG
Task: network : READ WRITE EXECUTE DEBUG
Task: ospf : READ WRITE EXECUTE DEBUG
Task: ouni : READ WRITE EXECUTE DEBUG
Task: pkg-mgmt : READ
Task: pos-dpt : READ WRITE EXECUTE DEBUG
Task: ppp : READ WRITE EXECUTE DEBUG
Task: qos : READ WRITE EXECUTE DEBUG
Task: rib : READ WRITE EXECUTE DEBUG
Task: rip : READ WRITE EXECUTE DEBUG
Task: root-lr : READ (reserved)
Task: route-map : READ WRITE EXECUTE DEBUG
Task: route-policy : READ WRITE EXECUTE DEBUG
Task: sbc : READ WRITE EXECUTE DEBUG
Task: snmp : READ WRITE EXECUTE DEBUG
Task: sonet-sdh : READ WRITE EXECUTE DEBUG
Task: static : READ WRITE EXECUTE DEBUG
Task: sysmgr : READ
Task: system : READ WRITE EXECUTE DEBUG
Task: transport : READ WRITE EXECUTE DEBUG
Task: tty-access : READ WRITE EXECUTE DEBUG
Task: tunnel : READ WRITE EXECUTE DEBUG
Task: universal : READ (reserved)
Task: vlan : READ WRITE EXECUTE DEBUG
Task: vrrp : READ WRITE EXECUTE DEBUG
The following sample output is from the show aaa command, using the taskgroup keyword for the operator task group. The task group operator has the following combined set of task IDs, which includes all inherited groups:

Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ

The following sample output is from the show aaa command, using the taskgroup keyword for the root-system task group. The task group root-system has the following combined set of task IDs, which includes all inherited groups:

Task: aaa : READ WRITE EXECUTE DEBUG
Task: acl : READ WRITE EXECUTE DEBUG
Task: admin : READ WRITE EXECUTE DEBUG
Task: atm : READ WRITE EXECUTE DEBUG
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: bcdl : READ WRITE EXECUTE DEBUG
Task: bfd : READ WRITE EXECUTE DEBUG
Task: bgp : READ WRITE EXECUTE DEBUG
Task: boot : READ WRITE EXECUTE DEBUG
Task: bundle : READ WRITE EXECUTE DEBUG
Task: cdp : READ WRITE EXECUTE DEBUG
Task: cef : READ WRITE EXECUTE DEBUG
Task: config-mgmt : READ WRITE EXECUTE DEBUG
Task: config-services : READ WRITE EXECUTE DEBUG
Task: crypto : READ WRITE EXECUTE DEBUG
Task: diag : READ WRITE EXECUTE DEBUG
Task: drivers : READ WRITE EXECUTE DEBUG
Task: ext-access : READ WRITE EXECUTE DEBUG
Task: fabric : READ WRITE EXECUTE DEBUG
Task: fault-mgr : READ WRITE EXECUTE DEBUG
Task: filesystem : READ WRITE EXECUTE DEBUG
Task: fr : READ WRITE EXECUTE DEBUG
Task: hdlc : READ WRITE EXECUTE DEBUG
Task: host-services : READ WRITE EXECUTE DEBUG
Task: hsrp : READ WRITE EXECUTE DEBUG
Task: interface : READ WRITE EXECUTE DEBUG
Task: inventory : READ WRITE EXECUTE DEBUG
Task: ip-services : READ WRITE EXECUTE DEBUG
Task: ipv4 : READ WRITE EXECUTE DEBUG
Task: ipv6 : READ WRITE EXECUTE DEBUG
Task: isis : READ WRITE EXECUTE DEBUG
Task: logging : READ WRITE EXECUTE DEBUG
Task: lpts : READ WRITE EXECUTE DEBUG
Task: monitor : READ WRITE EXECUTE DEBUG
Task: mpls-ldp : READ WRITE EXECUTE DEBUG
Task: mpls-static : READ WRITE EXECUTE DEBUG
Task: mpls-te : READ WRITE EXECUTE DEBUG
Task: multicast : READ WRITE EXECUTE DEBUG
Task: netflow : READ WRITE EXECUTE DEBUG
Task: network : READ WRITE EXECUTE DEBUG
Task: ospf : READ WRITE EXECUTE DEBUG
Task: ouni : READ WRITE EXECUTE DEBUG
Task: pkg-mgmt : READ WRITE EXECUTE DEBUG
Task: pos-dpt : READ WRITE EXECUTE DEBUG
Task: ppp : READ WRITE EXECUTE DEBUG
Task: qos : READ WRITE EXECUTE DEBUG
Task: rib : READ WRITE EXECUTE DEBUG
Task: rip : READ WRITE EXECUTE DEBUG
Task: root-lr : READ WRITE EXECUTE DEBUG
Task: root-system : READ WRITE EXECUTE DEBUG
Task: route-map : READ WRITE EXECUTE DEBUG
Task: route-policy : READ WRITE EXECUTE DEBUG
Task: snmp : READ WRITE EXECUTE DEBUG
Task: sonet-sdh : READ WRITE EXECUTE DEBUG
Task: static : READ WRITE EXECUTE DEBUG
Task: sysmgr : READ WRITE EXECUTE DEBUG
Task: system : READ WRITE EXECUTE DEBUG
Task: transport : READ WRITE EXECUTE DEBUG
Task: tty-access : READ WRITE EXECUTE DEBUG
Task: tunnel : READ WRITE EXECUTE DEBUG
Task: universal : READ WRITE EXECUTE DEBUG
Task: vlan : READ WRITE EXECUTE DEBUG
Task: vrrp : READ WRITE EXECUTE DEBUG
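The operator, netadmin and root-system listings above are easiest to compare programmatically. The following Python, added here and not taken from the Cisco reference, parses the "Task: <id> : <permissions>" entries of show aaa taskgroup output (it also accepts the flattened one-line form in which this PDF renders them), reports which task IDs a group can modify, and lists the permissions a second group adds over the first, which is the delta a reviewer has to justify before moving a user between groups. The embedded samples are abbreviated copies of this reference's operator and netadmin output, constructed for the example; the function names are the example's own.

```python
import re
from typing import Dict, List, Set

# Constructed input: abbreviated copies of the operator and netadmin listings
# in this reference, one 'Task:' entry per line as the router prints them.
OPERATOR_OUTPUT = """\
Task group 'operator'
Task group 'operator' has the following combined set
of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
"""

NETADMIN_OUTPUT = """\
Task group 'netadmin'
Task group 'netadmin' has the following combined set
of task IDs (including all inherited groups):
Task: aaa : READ
Task: acl : READ WRITE EXECUTE DEBUG
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ WRITE EXECUTE DEBUG
Task: crypto : READ WRITE EXECUTE DEBUG
Task: root-lr : READ (reserved)
Task: tty-access : READ WRITE EXECUTE DEBUG
"""

PERMS = ("READ", "WRITE", "EXECUTE", "DEBUG")
# One 'Task: <id> : <perms>' entry. The permission run stops at the first token
# that is not a permission, so the flattened one-line form parses as well.
TASK_RE = re.compile(r"Task:\s+(\S+)\s+:((?:\s+(?:READ|WRITE|EXECUTE|DEBUG))+)")


def parse_taskgroup(text: str) -> Dict[str, Set[str]]:
    """Map each task ID to the permissions the group holds on it.
    Annotations such as '(reserved)' are not permissions and are dropped."""
    return {name: set(perms.split()) for name, perms in TASK_RE.findall(text)}


def modifying_tasks(tasks: Dict[str, Set[str]]) -> List[str]:
    """Task IDs on which the group holds anything beyond READ."""
    return sorted(t for t, p in tasks.items() if p - {"READ"})


def extra_privileges(lower: Dict[str, Set[str]],
                     higher: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per task, the permissions `higher` has that `lower` lacks."""
    delta = {}
    for task, perms in higher.items():
        missing = perms - lower.get(task, set())
        if missing:
            delta[task] = sorted(missing, key=PERMS.index)
    return delta


if __name__ == "__main__":
    op = parse_taskgroup(OPERATOR_OUTPUT)
    na = parse_taskgroup(NETADMIN_OUTPUT)
    print("operator can modify:", modifying_tasks(op))
    for task, perms in extra_privileges(op, na).items():
        print(f"netadmin adds {' '.join(perms)} on {task}")
```

Run against full captures of two groups, extra_privileges is the quickest way to see that a move from operator to netadmin grants WRITE on crypto, aaa-adjacent and tty-access tasks, not just broader read access.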
The following sample output is from the show aaa command, using the userdb keyword:

RP/0/RP0/CPU0:router# show aaa userdb
Username lab (admin plane)
User group root-system
User group cisco-support
Username acme
User group root-system
The following sample output is from the show aaa command, using the task supported keywords. Task IDs are displayed in alphabetic order.

RP/0/RP0/CPU0:router# show aaa task supported
aaa acl admin atm basic-services bcdl bfd bgp boot bundle cdp cef cisco-support config-mgmt config-services crypto diag disallowed drivers eigrp ext-access fabric fault-mgr filesystem firewall fr hdlc host-services hsrp interface inventory ip-services ipv4 ipv6 isis logging lpts monitor mpls-ldp mpls-static mpls-te multicast netflow network ospf ouni pkg-mgmt pos-dpt ppp qos rib rip root-lr root-system route-map route-policy sbc snmp sonet-sdh static sysmgr system transport tty-access tunnel universal vlan vrrp

Related Commands
show user, on page 93: Displays task IDs enabled for the currently logged-in user.
show radius

To display information about the RADIUS servers that are configured in the system, use the show radius command.

show radius
Syntax Description
This command has no keywords or arguments.

Command Default
If no RADIUS servers are configured, no output is displayed.

Command Modes
EXEC

Command History
Release 3.3.0: This command was introduced.

Usage Guidelines
Use the show radius command to display statistics for each configured RADIUS server.

Task ID
aaa: read

Examples
The following sample output is for the show radius command:

RP/0/RP0/CPU0:router# show radius
Global dead time: 0 minute(s)
Server: 1.1.1.1/1645/1646 is UP
Timeout: 5 sec, Retransmit limit: 3
Quarantined: No
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 2.2.2.2/1645/1646 is UP
Timeout: 10 sec, Retransmit limit: 3
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields shown in the display.

Table 2: show radius Field Descriptions
Server: Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout: Number of seconds the router waits for a server host to reply before timing out.
Retransmit limit: Number of times the Cisco IOS XR software searches the list of RADIUS server hosts before giving up.

Related Commands
vrf (RADIUS), on page 125: Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
radius-server retransmit, on page 52: Specifies how many times Cisco IOS XR software searches the list of RADIUS server hosts before giving up.
radius-server timeout, on page 54: Sets the interval for which a router waits for a server host to reply.
show radius accounting

To obtain information and detailed statistics for the RADIUS accounting server and port, use the show radius accounting command in EXEC mode.

show radius accounting
Syntax Description
This command has no keywords or arguments.

Command Default
If no RADIUS servers are configured on the router, the output is empty. The counters (for example, requests and pending) are all zero for a RADIUS server that has just been defined and not yet used.

Command Modes
EXEC

Command History
Release 3.3.0: This command was introduced.

Task ID
aaa: read

Examples
The following sample output is displayed on a per-server basis for the show radius accounting command:

RP/0/RP0/CPU0:router# show radius accounting
Server: 12.26.25.61, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.26.49.12, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.38.28.18, port: 29199
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields shown in the display.

Table 3: show radius accounting Field Descriptions
Server: Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests.

Related Commands
aaa accounting, on page 4: Creates a method list for accounting.
aaa authentication, on page 13: Creates a method list for authentication.
show radius authentication, on page 80: Obtains information and detailed statistics for the RADIUS authentication server and port.
show radius authentication

To obtain information and detailed statistics for the RADIUS authentication server and port, use the show radius authentication command.

show radius authentication
Syntax Description
This command has no keywords or arguments.

Command Default
If no RADIUS servers are configured on the router, the output is empty. The counters (for example, requests and pending) are all zero for a RADIUS server that has just been defined and not yet used.

Command Modes
EXEC

Command History
Release 3.3.0: This command was introduced.

Task ID
aaa: read

Examples
The following sample output is for the show radius authentication command:

RP/0/RP0/CPU0:router# show radius authentication
Server: 12.26.25.61, port: 1812
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Server: 12.26.49.12, port: 1812
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Server: 12.38.28.18, port: 21099
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
This table describes the significant fields shown in the display.

Table 4: show radius authentication Field Descriptions
Server: Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests.

Related Commands
aaa accounting, on page 4: Creates a method list for accounting.
aaa authentication, on page 13: Creates a method list for authentication.
show radius accounting, on page 78: Obtains information and detailed statistics for the RADIUS accounting server and port.
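As a worked example that is not part of the Cisco reference, the Python below parses the per-server counter blocks that show radius authentication and show radius accounting print (same layout, differing counter names) and applies the checks a NOC or security team would run over them: non-zero bad authenticators (the Response Authenticator did not verify under the configured shared secret, so either the key is wrong or the reply did not come from the real server), malformed or unknown packets, and servers whose every request times out. The embedded samples reuse the server addresses from this reference with some counters raised so that the checks fire; they are constructed, not captured, and the thresholds, severity labels and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples: the server addresses from this reference's show radius
# authentication / accounting output, with some counters raised so that the
# checks below have something to report. Not a live capture.
AUTH_SAMPLE = """\
Server: 12.26.25.61, port: 1812
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Server: 12.26.49.12, port: 1812
120 requests, 0 pending, 3 retransmits
100 accepts, 15 rejects, 0 challenges
3 timeouts, 0 bad responses, 2 bad authenticators
0 unknown types, 0 dropped, 12 ms latest rtt
"""

ACCT_SAMPLE = """\
Server: 12.38.28.18, port: 29199
40 requests, 0 pending, 40 retransmits
0 responses, 40 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
"""

SERVER_RE = re.compile(r"Server:\s*(\S+),\s*port:\s*(\d+)")
# "<number> <counter name>"; the name may span several words ("bad authenticators").
COUNTER_RE = re.compile(r"(\d+)\s+([a-z]+(?: [a-z]+)*)")


@dataclass
class Finding:
    server: str
    severity: str
    message: str


def parse_radius_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {'ip:port': {counter name: value}} for every server block."""
    servers: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            current = f"{m.group(1)}:{m.group(2)}"
            servers[current] = {}
            line = line[m.end():]       # counters may follow on the same line
        if current is None:
            continue
        for value, name in COUNTER_RE.findall(line):
            servers[current][name] = int(value)
    return servers


def check_server(server: str, c: Dict[str, int]) -> List[Finding]:
    """Apply health and integrity checks to one server's counters."""
    found = []
    requests = c.get("requests", 0)
    bad_auth = c.get("bad authenticators", 0)
    if bad_auth:
        # The Response Authenticator is an MD5 over the reply and the shared
        # secret; a mismatch means a wrong key or a reply not from the real server.
        found.append(Finding(server, "high",
                             f"{bad_auth} bad authenticators: shared-secret mismatch or forged replies"))
    if c.get("bad responses", 0) or c.get("unknown types", 0):
        found.append(Finding(server, "medium", "malformed or unexpected RADIUS packets received"))
    if requests and c.get("timeouts", 0) >= requests:
        found.append(Finding(server, "high", "every request timed out: server unreachable or silently dropping"))
    elif requests and c.get("retransmits", 0) / requests > 0.10:
        found.append(Finding(server, "low", "retransmits exceed 10% of requests"))
    if c.get("pending", 0):
        found.append(Finding(server, "info", f"{c['pending']} requests still pending"))
    return found


def audit(text: str) -> List[Finding]:
    """Parse one command's output and return all findings, per server."""
    findings = []
    for server, counters in parse_radius_stats(text).items():
        findings.extend(check_server(server, counters))
    return findings


if __name__ == "__main__":
    for sample in (AUTH_SAMPLE, ACCT_SAMPLE):
        for f in audit(sample):
            print(f"[{f.severity}] {f.server}: {f.message}")
```

The bad-authenticator check is the one with security rather than availability meaning: the counter only moves when a packet arrived from the configured server address and failed verification, so a steady climb on a server whose key has not changed deserves a look at who else can source traffic from that address. The parser expects the "Server: <ip>, port: <n>" form of these two commands, not the "Server: <ip>/<auth>/<acct> is UP" form of show radius.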
show radius client

To obtain general information about the RADIUS client on Cisco IOS XR software, use the show radius client command.

show radius client
Syntax Description
This command has no keywords or arguments.

Command Default
The default value for the counters (for example, responses from an invalid address) is 0. The network access server (NAS) identifier is the hostname that is defined on the router.

Command Modes
EXEC

Command History
Release 3.3.0: This command was introduced.

Usage Guidelines
The show radius client command displays the number of authentication and accounting responses that were received from invalid RADIUS servers (for example, servers unknown to the NAS). In addition, the show radius client command displays the hostname or NAS identifier for the RADIUS authentication client, accounting client, or both.

Task ID
aaa: read

Examples
The following sample output is for the show radius client command:

RP/0/RP0/CPU0:router# show radius client
Client NAS identifier: miniq
Authentication responses from invalid addresses: 0
Accounting responses from invalid addresses: 0

This table describes the significant fields shown in the display.

Table 5: show radius client Field Descriptions
Client NAS identifier: Identifies the NAS-identifier of the RADIUS authentication client.
Related Commands
server (RADIUS), on page 61: Associates a particular RADIUS server with a defined server group.
show radius, on page 76: Displays information about the RADIUS servers that are configured in the system.
show radius dead-criteria

To obtain information about the dead server detection criteria, use the show radius dead-criteria command.

show radius dead-criteria host ip-addr [auth-port auth-port] [acct-port acct-port]
Syntax Description
host ip-addr: Specifies the name or IP address of the configured RADIUS server.
auth-port auth-port: (Optional) Specifies the authentication port for the RADIUS server. The default value is 1645.
acct-port acct-port: (Optional) Specifies the accounting port for the RADIUS server. The default value is 1646.

Command Default
The default values for time and tries are not fixed to a single value; they are computed and fall within a range of 10 to 60 seconds for time and 10 to 100 for tries.

Command Modes
EXEC

Command History
Release 3.3.0: This command was introduced.

Task ID
aaa: read

Examples
The following sample output is for the show radius dead-criteria command:

RP/0/RP0/CPU0:router# show radius dead-criteria host 12.26.49.12 auth-port 11000 acct-port 11001
Server: 12.26.49.12/11000/11001
Dead criteria time: 10 sec (computed) tries: 10 (computed)
This table describes the significant fields shown in the display.

Table 6: show radius dead-criteria Field Descriptions
Server: Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout: Number of seconds the router waits for a server host to reply before timing out.
Retransmits: Number of times Cisco IOS XR software searches the list of RADIUS server hosts before giving up.

Related Commands
radius-server dead-criteria time, on page 46: Forces one or both of the criteria that are used to mark a RADIUS server as dead.
radius-server deadtime, on page 50: Defines the length of time in minutes for a RADIUS server to remain marked dead.
show radius server-groups

To display information about the RADIUS server groups that are configured in the system, use the show radius server-groups command.

show radius server-groups [group-name [detail]]
Syntax Description
group-name: (Optional) Name of the server group. The properties of that group are displayed.
detail: (Optional) Displays properties for all the server groups.

Command Default
None

Command Modes
EXEC

Command History
Release 3.2: This command was introduced.
Release 3.4.0: Support was added for the group-name argument and detail keyword.

Usage Guidelines
Use the show radius server-groups command to display information about each configured RADIUS server group, including the group name, the number of servers in the group, and a list of the servers in the named server group. A global list of all configured RADIUS servers, along with authentication and accounting port numbers, is also displayed.

Task ID
aaa: read

Examples
The "inherited from global" message is displayed if no group-level deadtime is defined for the group; otherwise, the group-level deadtime value is displayed and this message is omitted. The following sample output is for the show radius server-groups command:

RP/0/RP0/CPU0:router# show radius server-groups
Global list of servers
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Server 2.2.2.2/1645/1646
Server group 'radgrp1' has 2 server(s)
Dead time: 0 minute(s) (inherited from global)
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Server 2.2.2.2/1645/1646
Server group 'radgrp-priv' has 1 server(s)
Dead time: 0 minute(s) (inherited from global)
Contains 1 server(s)
Server 3.3.3.3/1645/1646 [private]

The following sample output shows the detailed properties of the servers in group radgrp1:

RP/0/RP0/CPU0:router# show radius server-groups radgrp1 detail
Server group 'radgrp1' has 2 server(s)
VRF default (id 0x60000000)
Dead time: 0 minute(s) (inherited from global)
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server 2.2.2.2/1645/1646
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt

The following sample output shows the detailed properties of the server in group radgrp-priv:

RP/0/RP0/CPU0:router# show radius server-groups radgrp-priv detail
Server group 'radgrp-priv' has 1 server(s)
VRF default (id 0x60000000)
Dead time: 0 minute(s) (inherited from global)
Contains 1 server(s)
Server 3.3.3.3/1645/1646 [private]
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
This table describes the significant fields shown in the display.

Table 7: show radius server-groups Field Descriptions

Field     Description
Server    Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.

Related Commands

Command                     Description
vrf (RADIUS), on page 125   Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
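The per-server counters in the detail output above are what an operator watches to decide whether a RADIUS server is healthy. The following is an added example, not Cisco's code: a small Python parser for the "show radius server-groups <group> detail" layout plus a check that flags the two counters that matter most from a security standpoint, "bad authenticators" (a Response Authenticator check failed, which happens on a shared-secret mismatch or when a reply did not come from the real server) and a high timeout ratio (an unreachable server that the dead-time logic should have skipped). The sample output and every counter value in it are constructed for the example; the threshold of 10% timeouts is an assumption.

```python
"""Parse 'show radius server-groups <group> detail' output and flag servers
whose counters indicate trouble. Added example; not Cisco's code."""
import re
from typing import Dict, List

# Constructed sample in the layout of the command output; the counter values
# are made up so that the checks below find something (2.2.2.2 is timing out
# and failing Response Authenticator validation, 1.1.1.1 is healthy).
SAMPLE = """\
Server group 'radgrp1' has 2 server(s)
VRF default (id 0x60000000)
Dead time: 0 minute(s) (inherited from global)
Contains 2 server(s)
Server 1.1.1.1/1645/1646
Authentication:
120 requests, 0 pending, 2 retransmits
115 accepts, 5 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 12 ms latest rtt
Accounting:
118 requests, 0 pending, 0 retransmits
118 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
9 ms latest rtt
Server 2.2.2.2/1645/1646
Authentication:
40 requests, 3 pending, 25 retransmits
0 accepts, 0 rejects, 0 challenges
30 timeouts, 0 bad responses, 7 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
"""

# "Server <ip>/<auth-port>/<acct-port>" opens a per-server block.
SERVER_RE = re.compile(r"^Server (\S+)/(\d+)/(\d+)")
# "<count> <counter name>"; findall also copes with counter groups that a
# terminal or PDF has joined onto one line.
COUNTER_RE = re.compile(r"(\d+) (ms latest rtt|[a-z]+(?: [a-z]+)?)")

Counters = Dict[str, int]


def parse_server_groups(text: str) -> Dict[str, Dict[str, Counters]]:
    """Return {server: {"Authentication": {...}, "Accounting": {...}}}."""
    servers: Dict[str, Dict[str, Counters]] = {}
    current = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            section = None
            continue
        if current and line in ("Authentication:", "Accounting:"):
            section = line.rstrip(":")
            servers[current][section] = {}
            continue
        if current and section:
            for count, name in COUNTER_RE.findall(line):
                servers[current][section][name] = int(count)
    return servers


def flag_unhealthy(servers: Dict[str, Dict[str, Counters]],
                   max_timeout_ratio: float = 0.1) -> List[str]:
    """Findings worth alerting on. A non-zero 'bad authenticators' count means
    the Response Authenticator check failed (shared-secret mismatch, or replies
    not from the real server). A timeout ratio above the assumed threshold
    points at a server that is unreachable from this router."""
    findings = []
    for name, sections in servers.items():
        for section, c in sections.items():
            bad = c.get("bad authenticators", 0)
            if bad:
                findings.append(f"{name} {section}: {bad} bad authenticators "
                                "(verify the shared secret)")
            requests, timeouts = c.get("requests", 0), c.get("timeouts", 0)
            if requests and timeouts / requests > max_timeout_ratio:
                findings.append(f"{name} {section}: {timeouts}/{requests} "
                                "requests timed out")
    return findings


if __name__ == "__main__":
    for finding in flag_unhealthy(parse_server_groups(SAMPLE)):
        print(finding)
```

Run against real output captured from the router (for example by piping the command through an automation channel), the parser returns one dictionary per server so that the counters can be exported to a monitoring system; the "bad authenticators" check is the one to treat as a security signal rather than a plain availability signal.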

show tacacs

To display information about the TACACS+ servers that are configured in the system, use the show tacacs command.

show tacacs

Syntax Description
This command has no keywords or arguments.

Command Default
None

Command Modes
EXEC

Command History
Release       Modification
Release 2.0   This command was introduced.

Usage Guidelines
Use the show tacacs command to display statistics for each configured TACACS+ server.

Task ID
Task ID   Operations
aaa       read

Examples
The following is sample output from the show tacacs command:

RP/0/RP0/CPU0:router# show tacacs
Server:1.1.1.1/21212 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0 status=up single-connect=false
Server:2.2.2.2/21232 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0 status=up single-connect=false
This table describes the significant fields shown in the display.

Table 8: show tacacs Field Descriptions

Field         Description
Server        Server IP address.
opens         Number of socket opens to the external server.
closes        Number of socket closes to the external server.
aborts        Number of TACACS+ requests that have been aborted midway.
errors        Number of error replies from the external server.
packets in    Number of TCP packets that have been received from the external server.
packets out   Number of TCP packets that have been sent to the external server.
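The show tacacs output is a two-line-per-server, key=value layout, which makes it easy to turn into a health check. The following is an added example, not Cisco's code: a Python parser for that layout and a check that reports any server whose status is not "up" or that has accumulated error replies or aborted requests, the fields Table 8 describes. The sample output, its counter values and the use of port 49 are constructed for the example.

```python
"""Parse 'show tacacs' output and flag TACACS+ servers that are down or
returning errors. Added example; not Cisco's code."""
import re
from typing import Dict, List, Union

# Constructed sample in the two-line-per-server layout of the command output.
# Values are made up: 1.1.1.1 is healthy, 2.2.2.2 is down with aborted
# requests and error replies.
SAMPLE = """\
Server:1.1.1.1/49 opens=12 closes=12 aborts=0 errors=0
packets in=240 packets out=240 status=up single-connect=false
Server:2.2.2.2/49 opens=5 closes=2 aborts=3 errors=4
packets in=7 packets out=15 status=down single-connect=false
"""

# "Server:<ip>/<port>" starts a server record; its counters continue on the
# following line.
SERVER_RE = re.compile(r"^Server:(\S+)/(\d+)")
# key=value tokens; a key may contain one space ("packets in") or a hyphen
# ("single-connect").
KV_RE = re.compile(r"([a-z-]+(?: [a-z]+)?)=(\S+)")

Stats = Dict[str, Union[int, str]]


def parse_show_tacacs(text: str) -> Dict[str, Stats]:
    """Return {"<ip>/<port>": {field: value, ...}} for every server listed.
    Numeric fields become int; status and single-connect stay strings."""
    servers: Dict[str, Stats] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            servers[current] = {}
        if current is None:
            continue  # text before the first Server: line
        for key, value in KV_RE.findall(line):
            servers[current][key] = int(value) if value.isdigit() else value
    return servers


def flag_tacacs(servers: Dict[str, Stats]) -> List[str]:
    """A status other than 'up' means the router is not using the server;
    errors are error replies from the server; aborts are requests torn down
    midway. Any of the three is worth a look before AAA falls back to the
    next server or to a local method."""
    findings = []
    for name, s in servers.items():
        if s.get("status") != "up":
            findings.append(f"{name}: status={s.get('status')}")
        if s.get("errors", 0):
            findings.append(f"{name}: {s['errors']} error replies")
        if s.get("aborts", 0):
            findings.append(f"{name}: {s['aborts']} aborted requests")
    return findings


if __name__ == "__main__":
    for finding in flag_tacacs(parse_show_tacacs(SAMPLE)):
        print(finding)
```

Because opens and closes are both parsed, a growing gap between them on a server whose status is still "up" is a second signal worth graphing: it means TCP sessions to the server are being opened faster than they are closed.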