Cisco Systems IOS XR User Manual 3

Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure authentication, authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
Cisco IOS XR System Security Command Reference
SR-1

aaa accounting

To create a method list for accounting, use the aaa accounting command in global configuration mode. To remove a list name from the system, use the no form of this command.

aaa accounting {commands | exec} {default | list-name} {start-stop | stop-only} {none | group {tacacs+ | radius | group-name}}
no aaa accounting {commands | exec} {default | list-name}

Syntax Description

commands           Enables accounting for EXEC shell commands.
exec               Enables accounting of an EXEC session.
default            Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.
list-name          Character string used to name the accounting method list.
start-stop         Sends a “start accounting” notice at the beginning of a process and a “stop accounting” notice at the end of a process. The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.
stop-only          Sends a “stop accounting” notice at the end of the requested user process.
none               Uses no accounting.
group tacacs+      Uses the list of all TACACS+ servers for accounting.
group radius       Uses the list of all RADIUS servers for accounting.
group group-name   Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ command or aaa group server radius command.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa accounting command to create default or named method lists that define specific accounting methods and that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.

The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.

Method lists for accounting define the way accounting is performed, enabling you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services.

For minimal accounting, include the stop-only keyword to send a “stop accounting” notice after the requested user process. For more accounting, you can include the start-stop keyword, so that TACACS+ or RADIUS sends a “start accounting” notice at the beginning of the requested process and a “stop accounting” notice after the process. The accounting record is stored only on the TACACS+ or RADIUS server.

The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.

Note  This command cannot be used with TACACS or extended TACACS.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to define a default commands accounting method list, where accounting services are provided by a TACACS+ security server, with a stop-only restriction:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+

Related Commands

Command             Description
aaa authorization   Creates a method list to be used for authorization.

aaa accounting system default

To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.

aaa accounting system default {start-stop | stop-only} {none | method}
no aaa accounting system default

Syntax Description

start-stop   Sends a “start accounting” notice during system bootup and a “stop accounting” notice during system shutdown or reload.
stop-only    Sends a “stop accounting” notice during system shutdown or reload.
none         Uses no accounting.
method       Method used to enable AAA system accounting. The value is one of the following options:
             group tacacs+—Uses the list of all TACACS+ servers for accounting.
             group radius—Uses the list of all RADIUS servers for accounting.
             group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The method argument was added to specify either group tacacs+, group radius, or group named-group options.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

System accounting does not use named accounting lists; you can define only the default list for system accounting.

The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.

You can specify up to four methods in the method list.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to cause a “start accounting” record to be sent to a TACACS+ server when a router initially boots. A “stop accounting” record is also sent when a router is shut down or reloaded.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+

Related Commands

Command              Description
aaa authentication   Creates a method list for authentication.
aaa authorization    Creates a method list for authorization.

aaa authentication

To create a method list for authentication, use the aaa authentication command in global configuration mode. To disable this authentication method, use the no form of this command.

aaa authentication {login | ppp} {default | list-name | remote} method-list
no aaa authentication {login | ppp} {default | list-name | remote} method-list

Syntax Description

login         Sets authentication for login.
ppp           Sets authentication for Point-to-Point Protocol.
default       Uses the listed authentication methods that follow this keyword as the default list of methods for authentication.
list-name     Character string used to name the authentication method list.
remote        Uses the listed authentication methods that follow this keyword as the default list of methods for administrative authentication on a remote nonowner secure domain router. The remote keyword is used only with the login keyword and not with the ppp keyword.
              Note  The remote keyword is available only on the admin plane.
method-list   Method used for authentication. The value is one of the following options:
              group tacacs+—Specifies a method list that uses the list of all configured TACACS+ servers for authentication.
              group radius—Specifies a method list that uses the list of all configured RADIUS servers for authentication.
              group named-group—Specifies a method list that uses a named subset of TACACS+ or RADIUS servers for authentication as defined by the aaa group server tacacs+ or aaa group server radius command.
              local—Specifies a method list that uses the local username database method for authentication. Rollover cannot happen beyond the local method.
              line—Specifies a method list that uses the line password for authentication.

Defaults

Default behavior applies the local authentication on all ports.

Command Modes

Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The method-list argument was added to specify either group tacacs+, group radius, group named-group, local, or line options.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa authentication command to create a series of authentication methods, or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods to be used (such as TACACS+ or RADIUS) in sequence. The subsequent methods of authentication are used only if the initial method is not available, not if it fails.

The default method list is applied for all interfaces for authentication, except when a different named method list is explicitly specified—in which case the explicitly specified method list overrides the default list.

For console and vty access, if no authentication is configured, a default of local method is applied.

Note  The group tacacs+, group radius, and group group-name forms of this command refer to a set of previously defined TACACS+ or RADIUS servers. Use the tacacs-server host or radius-server host command to configure the host servers. Use the aaa group server tacacs+ or aaa group server radius command to create a named subset of servers.

The login keyword, remote keyword, local option, and group option are available only in administration configuration mode.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to specify the default method list to be used for authentication, and also enable authentication for console:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authentication login default group tacacs+

Related Commands

Command                    Description
aaa accounting             Creates a method list for accounting.
aaa authorization          Creates a method list for authorization.
aaa group server radius    Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+   Groups different TACACS+ server hosts into distinct lists and distinct methods.
login authentication       Enables AAA authentication for logins.
radius-server host         Specifies a RADIUS host.
tacacs-server host         Specifies a TACACS+ host.

aaa authorization

To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.

aaa authorization {commands | exec | network} {default | list-name} {none | local | group {tacacs+ | radius | group-name}}
no aaa authorization {commands | exec | network} {default | list-name}

Syntax Description

commands           Configures authorization for all EXEC shell commands.
exec               Configures authorization for an interactive (EXEC) session.
network            Configures authorization for network services, such as PPP or Internet Key Exchange (IKE).
default            Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
list-name          Character string used to name the list of authorization methods.
none               Uses no authorization. If you specify none, no subsequent authorization methods are attempted. However, the task ID authorization is always required and cannot be disabled.
local              Uses local authorization. This method of authorization is not available for command authorization.
group tacacs+      Uses the list of all configured TACACS+ servers for authorization.
group radius       Uses the list of all configured RADIUS servers for authorization. This method of authorization is not available for command authorization.
group group-name   Uses a named subset of TACACS+ or RADIUS servers for authorization as defined by the aaa group server tacacs+ or aaa group server radius command.

Defaults

Authorization is disabled for all actions (equivalent to the method none keyword).

Command Modes

Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.

Note  The command authorization mentioned here applies to the one performed by an external AAA server and not for task-based authorization.

Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.

Note  Cisco IOS XR software attempts authorization with the next listed method only when there is no response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.

The Cisco IOS XR software supports the following methods for authorization:

none—The router does not request authorization information; authorization is not performed over this line or interface.
local—Uses the local database for authorization.
group tacacs+—Uses the list of all configured TACACS+ servers for authorization.
group radius—Uses the list of all configured RADIUS servers for authorization.
group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.

Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:

Commands authorization: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.

Note  “Command” authorization is distinct from “task-based” authorization, which is based on the task profile established during authentication.

EXEC authorization: Applies authorization for starting an EXEC session.

Network authorization: Applies authorization for network services, such as IKE.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
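The following Python model is an added illustration and not part of the Cisco documentation. It covers the rule stated for both aaa authentication (subsequent methods are used only if the initial method is not available, not if it fails) and aaa authorization (the next method is tried only when there is no response, a denial stops the cycle, none performs no authorization, local and group radius are unavailable for command authorization, at most four methods). The PERMIT/DENY/None outcome encoding, the `ask` responder callback, the `demo_responders` helper, and the fail-closed result when every method is exhausted without an answer are assumptions made for this example.

```python
"""Model of Cisco IOS XR AAA method-list evaluation (added illustration, not Cisco code).

Constructed for this example: the PERMIT/DENY/None encoding, the responder
callback and the demo_responders helper. The rules themselves come from the
command reference text: move on only when a method gives no response, stop on
a denial, `none` performs no authorization, at most four methods, and local /
group radius are not available for command authorization.
"""
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY = "permit", "deny"
# A responder answers PERMIT or DENY, or returns None when the method did not
# respond at all (server unreachable, timeout).
Responder = Callable[[str], Optional[str]]

MAX_METHODS = 4


def validate_authorization_list(auth_type: str, methods: List[str]) -> None:
    """Reject method lists the command reference says are not allowed."""
    if auth_type not in ("commands", "exec", "network"):
        raise ValueError(f"unknown authorization type {auth_type!r}")
    if not 1 <= len(methods) <= MAX_METHODS:
        raise ValueError(f"a method list holds between 1 and {MAX_METHODS} methods")
    if auth_type == "commands":
        for method in methods:
            if method in ("local", "group radius"):
                raise ValueError(f"{method!r} is not available for command authorization")


def evaluate(methods: List[str], ask: Responder) -> str:
    """Walk the list in order; only a non-response moves on to the next method.

    - `none`: no authorization is requested, so the request proceeds and no
      later method is consulted.
    - `local`: the on-box database always answers, so there is no rollover
      beyond it (a missing answer is treated as a denial).
    - Any PERMIT or DENY ends the cycle immediately.
    Returns DENY when every method is exhausted without an answer (assumption:
    the reference does not state this case; fail-closed is the conservative reading).
    """
    for method in methods:
        if method == "none":
            return PERMIT
        answer = ask(method)
        if answer is None and method != "local":
            continue                      # no response: try the next listed method
        return answer if answer is not None else DENY
    return DENY


def demo_responders(down: Set[str], decisions: Dict[str, str]) -> Responder:
    """Build a responder for experiments: methods in `down` never answer; the
    rest return the decision recorded for them (DENY when none is recorded)."""
    def ask(method: str) -> Optional[str]:
        if method in down:
            return None
        return decisions.get(method, DENY)
    return ask


if __name__ == "__main__":
    # TACACS+ unreachable, local permits: the list rolls over to local.
    print(evaluate(["group tacacs+", "local"],
                   demo_responders({"group tacacs+"}, {"local": PERMIT})))
    # TACACS+ answers DENY: the cycle stops even though local would permit.
    print(evaluate(["group tacacs+", "local"],
                   demo_responders(set(), {"group tacacs+": DENY, "local": PERMIT})))
```

The distinction the model enforces is the one a reviewer of an AAA configuration should look for: a list such as "group tacacs+ none" only reaches none when the TACACS+ servers are unreachable, so it is a fail-open path for server outages, not for explicit denials.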
Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to define the network authorization method list named listname1, which specifies that TACACS+ authorization is used:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+

Related Commands

Command          Description
aaa accounting   Creates a method list for accounting.

aaa default-taskgroup

To specify a task group to be used for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.

aaa default-taskgroup taskgroup-name
no aaa default-taskgroup

Syntax Description

taskgroup-name   Name of an existing task group.

Defaults

No default task group is assigned for remote authentication.

Command Modes

Global configuration

Command History

Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa default-taskgroup command to specify an existing task group to be used for remote TACACS+ authentication.
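The following Python model is an added illustration, not Cisco code, of how the task group named by aaa default-taskgroup fits the user group / task group / task ID chain that every Usage Guidelines paragraph in this chapter refers to. The `AaaPolicy` class, the user group name `netops`, the task group `readonly-tg` and the (task ID, operation) tuples are constructed for the example; the simplification that a remotely authenticated user with no local definition receives only the default task group (and nothing if none is configured) is an assumption.

```python
"""Task-based authorization with a default task group (added illustration, not Cisco code).

Constructed for this example: the AaaPolicy class and the sample names. The
rule that task ID authorization is always required and cannot be disabled, and
that remote users fall back to the task group named by aaa default-taskgroup,
come from the command reference. Treating a remote user with no local username
as holding only the default task group is a simplifying assumption.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Permission = Tuple[str, str]   # (task ID, operation), e.g. ("aaa", "write")


class AaaPolicy:
    def __init__(self) -> None:
        self.task_groups: Dict[str, Set[Permission]] = {}
        self.user_groups: Dict[str, Set[str]] = {}     # user group -> task groups
        self.local_users: Dict[str, Set[str]] = {}     # username -> user groups
        self.default_taskgroup: Optional[str] = None   # aaa default-taskgroup <name>

    def taskgroup(self, name: str, *perms: Permission) -> None:
        self.task_groups[name] = set(perms)

    def usergroup(self, name: str, *task_groups: str) -> None:
        self.user_groups[name] = set(task_groups)

    def username(self, name: str, *groups: str) -> None:
        self.local_users[name] = set(groups)

    def permissions_for(self, user: str, remote: bool) -> FrozenSet[Permission]:
        """Task IDs a session holds.

        Locally defined users inherit through user group -> task group.
        Remotely authenticated users without a local definition get the default
        task group only, and hold nothing when none is configured.
        """
        if user in self.local_users:
            perms: Set[Permission] = set()
            for ug in self.local_users[user]:
                for tg in self.user_groups.get(ug, ()):
                    perms |= self.task_groups.get(tg, set())
            return frozenset(perms)
        if remote and self.default_taskgroup is not None:
            return frozenset(self.task_groups.get(self.default_taskgroup, set()))
        return frozenset()

    def authorize(self, user: str, remote: bool, required: Set[Permission]) -> bool:
        """Task ID authorization: every (task, operation) a command needs must be
        held. This check is independent of any aaa authorization method list and
        cannot be switched off."""
        return required <= self.permissions_for(user, remote)
```

Because the default task group is handed to every remote user that the AAA server does not map to a more specific group, it should carry the least privilege that such users legitimately need; the commands in this chapter, for instance, all require the aaa task ID with write operation.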
Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to specify taskgroup1 as the default task group for remote TACACS+ authentication:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1

aaa group server radius

To group different RADIUS server hosts into distinct lists, use the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name
no aaa group server radius group-name

Syntax Description

group-name   Character string used to name the group of servers.

Defaults

This command is not enabled.

Command Modes

Global configuration

Command History

Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa group server radius command to group existing server hosts, which allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses or hostnames of the selected server hosts.

Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and User Datagram Protocol (UDP) port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry acts as a failover backup to the first host entry. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry on the same device for accounting services. The RADIUS host entries are tried in the order in which they are configured in the server group.

All members of a server group must be the same type, that is, RADIUS. The server group cannot be named radius or tacacs.

This command enters server group configuration mode. You can use the server command to associate a particular RADIUS server with the defined server group.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows the configuration of an AAA group server named radgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius radgroup1
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706

Note  If the auth-port port-number keyword and argument and the acct-port port-number keyword and argument are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646.

Related Commands

Command              Description
radius-server host   Specifies a RADIUS server host.

aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.

aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name

Syntax Description

group-name   Character string used to name a group of servers.

Defaults

This command is not enabled.

Command Modes

Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

The aaa group server tacacs+ command enters server group configuration mode. The server command associates a particular TACACS+ server with the defined server group.

A server group is a list of server hosts of a particular type. The supported server host type is TACACS+ server hosts. A server group is used with a global server host list. The server group lists the IP addresses or hostnames of the selected server hosts.

The server group cannot be named radius or tacacs.

Note  Group name methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.228

Related Commands

Command              Description
aaa accounting       Creates a method list for accounting.
aaa authentication   Creates a method list for authentication.
aaa authorization    Creates a method list for authorization.
server (TACACS+)     Specifies the host name or IP address of an external TACACS+ server.
tacacs-server host   Specifies a TACACS+ host.

accounting

To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

accounting {commands | exec} {default | list-name}
no accounting {commands | exec}

Syntax Description

commands    Enables accounting on the selected lines for all EXEC shell commands.
exec        Enables accounting of an EXEC session.
default     The name of the default method list, created with the aaa accounting command.
list-name   Specifies the name of a list of accounting methods to use. The list is created with the aaa accounting command.

Defaults

Accounting is disabled.

Command Modes

Line configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists to the selected line or group of lines. If a method list is not specified this way, no accounting is applied to the selected line or group of lines.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# accounting commands listname2

Related Commands

Command          Description
aaa accounting   Creates a method list for accounting.

authorization

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.

authorization {commands | exec} {default | list-name}
no authorization {commands | exec}

Syntax Description

commands    Enables authorization on the selected lines for all commands.
exec        Enables authorization for an interactive (EXEC) session.
default     Applies the default method list, created with the aaa authorization command.
list-name   Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Defaults

Authorization is not enabled.

Command Modes

Line configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

After you use the aaa authorization command to define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines.

Task ID

Task ID   Operations
aaa       read, write

Examples

The following example shows how to enable command authorization using the method list named listname4 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# authorization commands listname4

Related Commands

Command             Description
aaa authorization   Creates a method list for authorization.

deadtime (server-group configuration)

To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes
no deadtime

Syntax Description

minutes   Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440.

Defaults

Deadtime is set to 0.

Command Modes

Server-group configuration

Command History

Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The value of the deadtime set in the server group overrides the deadtime that is configured globally. If the deadtime is omitted from the server group configuration, the value is inherited from the master list. If the server group is not configured, the default value of 0 applies to all servers in the group. If the deadtime is set to 0, no servers are marked dead.
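The following Python model is an added illustration, not Cisco code, and serves two passages: the host-entry and failover rules under aaa group server radius (an IP address plus UDP port is the unique identifier, entries are tried in configuration order, a second entry for the same address is the failover backup) and the deadtime rules above (a group value overrides the global one, an omitted group value is inherited, 0 means no server is marked dead). The `ServerGroup` and `RadiusClient` names, the `transmit` callback, the `now` clock expressed in minutes, and the simplification that a single non-response marks a host dead (the real criteria are set with radius-server dead-criteria) are assumptions made for this example.

```python
"""RADIUS server-group host selection with deadtime (added illustration, not Cisco code).

Constructed for this example: the ServerGroup/RadiusClient classes, the
transmit callback, and a clock measured in minutes. Marking a host dead after
one non-response is a simplification; the ordering, per-port host identity,
failover and deadtime override/inherit/zero rules follow the reference text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

HostId = Tuple[str, int]   # (IP address, UDP port) uniquely identifies a RADIUS host entry
DEFAULT_AUTH_PORT, DEFAULT_ACCT_PORT = 1645, 1646   # defaults stated in the reference


@dataclass
class ServerGroup:
    name: str
    deadtime: Optional[int] = None   # minutes; None means not configured in the group
    entries: List[Tuple[str, int, int]] = field(default_factory=list)   # (ip, auth-port, acct-port)

    def server(self, ip: str, auth_port: int = DEFAULT_AUTH_PORT,
               acct_port: int = DEFAULT_ACCT_PORT) -> None:
        """server <ip> auth-port <n> acct-port <n>. Entries keep configuration
        order; the same IP may be listed again with a different port pair."""
        if (ip, auth_port, acct_port) in self.entries:
            raise ValueError("duplicate host entry; a second entry needs a different port")
        self.entries.append((ip, auth_port, acct_port))

    def hosts(self, service: str) -> List[HostId]:
        """Host identifiers for 'auth' or 'acct', in the order they are tried."""
        idx = 1 if service == "auth" else 2
        return [(e[0], e[idx]) for e in self.entries]


def effective_deadtime(group: ServerGroup, global_deadtime: int) -> int:
    """The group value overrides the global one; an omitted group value is inherited."""
    return global_deadtime if group.deadtime is None else group.deadtime


class RadiusClient:
    def __init__(self, group: ServerGroup, global_deadtime: int = 0) -> None:
        self.group = group
        self.deadtime = effective_deadtime(group, global_deadtime)
        self.dead_until: Dict[HostId, float] = {}   # host -> minute at which it is retried again

    def is_dead(self, host: HostId, now: float) -> bool:
        return self.dead_until.get(host, -1.0) > now

    def send(self, service: str, now: float,
             transmit: Callable[[HostId], bool]) -> Optional[HostId]:
        """Try hosts in configured order, skipping dead ones; the first that answers
        wins. `transmit` returns True when the host responds. A non-responding host
        is skipped for `deadtime` minutes, or never marked dead when deadtime is 0."""
        for host in self.group.hosts(service):
            if self.is_dead(host, now):
                continue
            if transmit(host):
                return host
            if self.deadtime > 0:
                self.dead_until[host] = now + self.deadtime
        return None


if __name__ == "__main__":
    g = ServerGroup("group1", deadtime=1)
    g.server("1.1.1.1", 1645, 1646)
    g.server("2.2.2.2", 2000, 2001)
    c = RadiusClient(g, global_deadtime=5)
    # 1.1.1.1 is down: the request fails over to 2.2.2.2 and 1.1.1.1 is skipped for one minute.
    print(c.send("auth", now=0.0, transmit=lambda h: h[0] != "1.1.1.1"))
    print(c.is_dead(("1.1.1.1", 1645), now=0.5), c.is_dead(("1.1.1.1", 1645), now=1.0))
```

The practical consequence of deadtime 0 is visible in the model: every request re-tries a dead host first and waits for its timeout, so a group left at the default value degrades login latency during an outage rather than failing over cleanly.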
Task ID
Task ID Operations
aaa read, write
Examples The following example specifies a one-minute deadtime for RADIUS server group group1, applied when a server in the group has failed to respond to authentication requests:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
RP/0/RP0/CPU0:router(config-sg-radius)# deadtime 1
Related Commands
Command Description
aaa group server radius Groups different RADIUS server hosts into distinct lists and distinct methods.
radius-server dead-criteria time Forces one or both of the criteria that are used to mark a RADIUS server as dead.
radius-server deadtime Defines the length of time in minutes for a RADIUS server is to remain marked dead.

description (AAA)

To create a description of a task group or user group during configuration, use the description command in task group configuration or user group configuration mode. To delete a task group description or user group description, use the no form of this command.
description string
no description
Syntax Description
string Character string describing the task group or user group.
Defaults The default description is blank.
Command Modes Task group configuration
User group configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1.
Release 3.0 No modification.
Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the task or user group configuration submode to define a description for the task or user group, respectively.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows the creation of a task group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup alpha
RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup
The following example shows the creation of a user group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup alpha
RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group
Related Commands
Command Description
taskgroup Accesses task group configuration mode and configures a task group by associating it with a set of task IDs.
usergroup Accesses user group configuration mode and configures a user group by associating it with a set of task groups.

group

To add a user to a group, use the group command in username configuration mode. To remove the user from a group, use the no form of this command.
group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | serviceadmin | group-name}
no group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | serviceadmin | group-name}
Syntax Description
root-system Adds the user to the predefined root-system group. Only users with root-system authority may use this option.
root-lr Adds the user to the predefined root-lr group. Only users with root-system authority or root-lr authority may use this option.
netadmin Adds the user to the predefined network administrators group.
sysadmin Adds the user to the predefined system administrators group.
operator Adds the user to the predefined operator group.
cisco-support Adds the user to the predefined Cisco support personnel group.
serviceadmin Adds the user to the predefined service administrators group.
group-name Adds the user to a named user group that has already been defined with the usergroup command.
Defaults No default behavior or values
Command Modes Username configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1.
Release 3.0 No modification.
Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0 The serviceadmin keyword was added.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The predefined group root-system may be specified only by root-system users while configuring administration.
Use the group command in username configuration mode. To access username configuration mode, use the username command in global configuration mode.
If the group command is used in admin configuration mode, only root-system and cisco-support can be specified.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to assign the user group operator to the user named user1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# group operator
Related Commands
Command Description
password (AAA) Creates a login password for a user.
usergroup Configures a user group and associates it with a set of task groups.
username Accesses username configuration mode, configures a new user with a username, and establishes a password and permissions for that user.

inherit taskgroup

To enable a task group to derive permissions from another task group, use the inherit taskgroup command in task group configuration mode.
inherit taskgroup {taskgroup-name | netadmin | operator | sysadmin | cisco-support | root-lr | root-system | serviceadmin}
Syntax Description
taskgroup-name Name of the task group from which permissions are inherited.
netadmin Inherits permissions from the network administrator task group.
operator Inherits permissions from the operator task group.
sysadmin Inherits permissions from the system administrator task group.
cisco-support Inherits permissions from the cisco support task group.
root-lr Inherits permissions from the root-lr task group.
root-system Inherits permissions from the root system task group.
serviceadmin Inherits permissions from the service administrators task group.
Defaults No default behavior or values
Command Modes Task group configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1.
Release 3.0 No modification.
Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0 The serviceadmin keyword was added.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the inherit taskgroup command to inherit the permissions (task IDs) from one task group into another task group. Any changes made to the task group from which permissions are inherited are reflected immediately in the task group that inherits them.
Task ID
Task ID Operations
aaa read, write
Examples In the following example, the permissions of task group tg2 are inherited by task group tg1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup tg1
RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2
RP/0/RP0/CPU0:router(config-tg)# end

inherit usergroup

To enable a user group to derive characteristics of another user group, use the inherit usergroup command in user group configuration mode.
inherit usergroup usergroup-name
Syntax Description
usergroup-name Name of the user group from which permissions are to be inherited.
Defaults No default behavior or values
Command Modes User group configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1.
Release 3.0 No modification.
Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Each user group is associated with a set of task groups applicable to the users in that group. A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. The task permissions for a user are derived (at the start of the EXEC or XML session) from the task groups associated with the user groups to which that user belongs.
User groups support inheritance from other user groups. Use the inherit usergroup command to copy permissions (task ID attributes) from one user group to another user group. The “destination” user group inherits the properties of the inherited group and forms a union of all task IDs specified in those groups. For example, when user group A inherits user group B, the task map of user group A is the union of the task maps of A and B. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system users, root-sdr users, netadmin users, and so on. Any changes made to the user group that is inherited from are reflected immediately in the user group that inherits from it.
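As an added illustration (not Cisco code and not a Cisco API), the following Python model applies the inheritance rules stated above: the destination group's task map is the union of its own task IDs and those of every group it inherits, a cyclic inclusion is detected and rejected, predefined groups cannot be inherited, and a change to an inherited group is visible at once. The group names and task IDs are constructed sample values.

```python
# Added model (not Cisco code): how "inherit usergroup" resolves a user
# group's effective task IDs, per the usage guidelines on this page.
# Group names and task IDs used with it are constructed sample values.

# Predefined groups listed under the "group" command; per the guidelines,
# user groups cannot inherit from them.
PREDEFINED_GROUPS = {"root-system", "root-lr", "netadmin", "sysadmin",
                     "operator", "cisco-support", "serviceadmin"}


class UserGroupConfig:
    """Models 'usergroup <name>' entries and their 'inherit usergroup' links."""

    def __init__(self):
        self.task_ids = {}   # group name -> task IDs granted to it directly
        self.inherits = {}   # group name -> groups named in 'inherit usergroup'

    def usergroup(self, name, task_ids=()):
        """Define (or extend) a user group with a set of task IDs."""
        self.task_ids.setdefault(name, set()).update(task_ids)
        self.inherits.setdefault(name, [])

    def inherit_usergroup(self, dst, src):
        """Make dst inherit src, enforcing the rules from the guidelines."""
        if src in PREDEFINED_GROUPS:
            raise ValueError(f"cannot inherit predefined group {src}")
        if dst not in self.inherits or src not in self.inherits:
            raise KeyError("both user groups must be defined first")
        # Cyclic inclusion: src already (transitively) inherits dst.
        if src == dst or dst in self._closure(src):
            raise ValueError(f"cyclic inclusion: {dst} -> {src}")
        self.inherits[dst].append(src)

    def _closure(self, name):
        """All groups reachable from name through inheritance (name excluded)."""
        seen, stack = set(), list(self.inherits.get(name, []))
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.inherits.get(g, []))
        return seen

    def effective_task_ids(self, name):
        """Union of the group's own task IDs and those of every inherited group.
        Computed on demand, so a change to an inherited group shows up at once."""
        result = set(self.task_ids[name])
        for g in self._closure(name):
            result |= self.task_ids[g]
        return result
```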
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to enable the purchasing user group to inherit properties from the sales user group:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup purchasing
RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales
Related Commands
Command Description
description (AAA) Creates a description of a task group in task group configuration mode, or creates a description of a user group in user group configuration mode.
taskgroup Configures a task group to be associated with a set of task IDs.
usergroup Configures a user group to be associated with a set of task groups.