Authentication, Authorization, and Accounting
Commands on Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure authentication,
authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
Cisco IOS XR System Security Command Reference
SR-1
aaa accounting

To create a method list for accounting, use the aaa accounting command in global configuration mode.
To remove a list name from the system, use the no form of this command.

aaa accounting {commands | exec} {default | list-name} {start-stop | stop-only} {none | group {tacacs+ | radius | group-name}}
no aaa accounting {commands | exec} {default | list-name}

Syntax Description

commands            Enables accounting for EXEC shell commands.
exec                Enables accounting of an EXEC session.
default             Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.
list-name           Character string used to name the accounting method list.
start-stop          Sends a “start accounting” notice at the beginning of a process and a “stop accounting” notice at the end of a process. The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.
stop-only           Sends a “stop accounting” notice at the end of the requested user process.
none                Uses no accounting.
group tacacs+       Uses the list of all TACACS+ servers for accounting.
group radius        Uses the list of all RADIUS servers for accounting.
group group-name    Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ command or the aaa group server radius command.

Defaults            AAA accounting is disabled.

Command Modes       Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa accounting command to create default or named method lists defining specific accounting methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.

The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.

Method lists for accounting define the way accounting is performed, enabling you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services.

For minimal accounting, include the stop-only keyword to send a “stop accounting” notice after the requested user process. For more accounting, you can include the start-stop keyword, so that TACACS+ or RADIUS sends a “start accounting” notice at the beginning of the requested process and a “stop accounting” notice after the process. The accounting record is stored only on the TACACS+ or RADIUS server.

The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.

Note    This command cannot be used with TACACS or extended TACACS.
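As an added illustration that is not part of the Cisco documentation, the following Python checks a candidate aaa accounting line against the constraints this reference states: the type is commands or exec, the list is default or a name, the trigger is start-stop or stop-only, each method is none, group tacacs+, group radius or group with a group name, at most four methods may be listed, and a server group cannot be named radius or tacacs. The sample lines are constructed and the function names are this example's own.

```python
"""Added example (not Cisco code): a checker for 'aaa accounting' method-list lines.

It encodes the constraints the command reference states: the type is commands or
exec, the list is 'default' or a name, the trigger is start-stop or stop-only, a
method is none / group tacacs+ / group radius / group <name>, at most four methods
may be listed, and a server group cannot be named radius or tacacs.
"""
from typing import Dict, List, Tuple, Union

ACCOUNTING_TYPES = {"commands", "exec"}
TRIGGERS = {"start-stop", "stop-only"}
MAX_METHODS = 4                       # "You can specify up to four methods in the method list."
Method = Union[str, Tuple[str, str]]  # "none" or ("group", target)


def parse_methods(tokens: List[str]) -> List[Method]:
    """Parse the method tokens that follow the trigger keyword.

    A ("group", target) item has target "tacacs+" (all TACACS+ servers), "radius"
    (all RADIUS servers) or the name of a group made with aaa group server tacacs+/radius.
    """
    methods: List[Method] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "none":
            methods.append("none")
            i += 1
        elif tok == "group":
            if i + 1 >= len(tokens):
                raise ValueError("'group' must be followed by tacacs+, radius or a group name")
            target = tokens[i + 1]
            # 'group radius' is the all-RADIUS-servers keyword, so of the two reserved
            # group names only 'tacacs' can show up here, and it is neither the
            # 'tacacs+' keyword nor a name a group may have.
            if target == "tacacs":
                raise ValueError("'group tacacs' is not valid; use 'group tacacs+' or a group name")
            methods.append(("group", target))
            i += 2
        else:
            raise ValueError(f"unknown accounting method {tok!r}")
    return methods


def parse_aaa_accounting(line: str) -> Dict[str, object]:
    """Parse 'aaa accounting {commands|exec} {default|list-name} {start-stop|stop-only} method...'."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "accounting"]:
        raise ValueError("not an 'aaa accounting' line")
    if len(tokens) < 6:
        raise ValueError("line is missing the type, list name, trigger or methods")
    acct_type, list_name, trigger = tokens[2], tokens[3], tokens[4]
    if acct_type not in ACCOUNTING_TYPES:
        raise ValueError(f"type must be commands or exec, got {acct_type!r}")
    if trigger not in TRIGGERS:
        raise ValueError(f"trigger must be start-stop or stop-only, got {trigger!r}")
    methods = parse_methods(tokens[5:])
    if len(methods) > MAX_METHODS:
        raise ValueError(f"{len(methods)} methods given; at most {MAX_METHODS} are allowed")
    return {
        "type": acct_type,
        "list": list_name,
        "is_default": list_name == "default",   # 'default' is a keyword, not a list name
        "trigger": trigger,
        "methods": methods,
    }


def validate(line: str) -> List[str]:
    """Return [] when the line is acceptable, otherwise a one-item list with the problem."""
    try:
        parse_aaa_accounting(line)
    except ValueError as exc:
        return [str(exc)]
    return []


# Constructed sample lines: the page's own example plus some deliberately wrong ones.
SAMPLE_LINES = [
    "aaa accounting commands default stop-only group tacacs+",
    "aaa accounting exec audit start-stop group tacgroup1 group radius none",
    "aaa accounting commands default stop-only group tacacs",
    "aaa accounting exec default start-stop group a group b group c group d group e",
    "aaa accounting ppp default stop-only group radius",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        problems = validate(sample)
        print(("OK  " if not problems else "BAD ") + sample)
        for problem in problems:
            print("      " + problem)
```

Running the block prints one OK or BAD line per sample; the third sample is rejected because group tacacs is neither the tacacs+ keyword nor a permitted group name, the fourth because it lists five methods, and the fifth because ppp is not an accounting type of this command.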
Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to define a default commands accounting method list, where accounting services are provided by a TACACS+ security server, with a stop-only restriction:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+

Related Commands

Command            Description
aaa authorization  Creates a method list to be used for authorization.
aaa accounting system default

To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.

aaa accounting system default {start-stop | stop-only} {none | method}
no aaa accounting system default

Syntax Description

start-stop    Sends a “start accounting” notice during system bootup and a “stop accounting” notice during system shutdown or reload.
stop-only     Sends a “stop accounting” notice during system shutdown or reload.
none          Uses no accounting.
method        Method used to enable AAA system accounting. The value is one of the following options:
              • group tacacs+—Uses the list of all TACACS+ servers for accounting.
              • group radius—Uses the list of all RADIUS servers for accounting.
              • group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.

Defaults      AAA accounting is disabled.

Command Modes Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The method argument was added to specify either group tacacs+, group radius, or group named-group options.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

System accounting does not use named accounting lists; you can define only the default list for system accounting.

The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.

You can specify up to four methods in the method list.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to cause a “start accounting” record to be sent to a TACACS+ server when a router initially boots. A “stop accounting” record is also sent when a router is shut down or reloaded.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+

Related Commands

Command             Description
aaa authentication  Creates a method list for authentication.
aaa authorization   Creates a method list for authorization.
aaa authentication

To create a method list for authentication, use the aaa authentication command in global configuration mode. To disable this authentication method, use the no form of this command.

aaa authentication {login | ppp} {default | list-name | remote} method-list

Syntax Description

login          Sets authentication for login.
ppp            Sets authentication for Point-to-Point Protocol.
default        Uses the listed authentication methods that follow this keyword as the default list of methods for authentication.
list-name      Character string used to name the authentication method list.
remote         Uses the listed authentication methods that follow this keyword as the default list of methods for administrative authentication on a remote nonowner secure domain router. The remote keyword is used only with the login keyword and not with the ppp keyword.
               Note    The remote keyword is available only on the admin plane.
method-list    Method used for AAA authentication. The value is one of the following options:
               • group tacacs+—Specifies a method list that uses the list of all configured TACACS+ servers for authentication.
               • group radius—Specifies a method list that uses the list of all configured RADIUS servers for authentication.
               • group named-group—Specifies a method list that uses a named subset of TACACS+ or RADIUS servers for authentication as defined by the aaa group server tacacs+ or aaa group server radius command.
               • local—Specifies a method list that uses the local username database method for authentication. Rollover cannot happen beyond the local method.
               • line—Specifies a method list that uses the line password for authentication.

Defaults       Default behavior applies the local authentication on all ports.

Command Modes  Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The method-list argument was added to specify either group tacacs+, group radius, group named-group, local, or line options.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa authentication command to create a series of authentication methods, or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods to be used (such as TACACS+ or RADIUS) in sequence. The subsequent methods of authentication are used only if the initial method is not available, not if it fails.

The default method list is applied for all interfaces for authentication, except when a different named method list is explicitly specified—in which case the explicitly specified method list overrides the default list.

For console and vty access, if no authentication is configured, a default of local method is applied.

Note
• The group tacacs+, group radius, and group group-name forms of this command refer to a set of previously defined TACACS+ or RADIUS servers.
• Use the tacacs-server host or radius-server host command to configure the host servers.
• Use the aaa group server tacacs+ or aaa group server radius command to create a named subset of servers.
• The login keyword, remote keyword, local option, and group option are available only in administration configuration mode.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to specify the default method list to be used for authentication, and also enable authentication for console:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authentication login default group tacacs+

Related Commands

Command                   Description
aaa accounting            Creates a method list for accounting.
aaa authorization         Creates a method list for authorization.
aaa group server radius   Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+  Groups different TACACS+ server hosts into distinct lists and distinct methods.
login authentication      Enables AAA authentication for logins.
radius-server host        Specifies a RADIUS host.
tacacs-server host        Specifies a TACACS+ host.
aaa authorization

To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.

aaa authorization {commands | exec | network} {default | list-name} {none | local | group {tacacs+ | radius | group-name}}

Syntax Description

commands            Configures authorization for all EXEC shell commands.
exec                Configures authorization for an interactive (EXEC) session.
network             Configures authorization for network services, such as PPP or Internet Key Exchange (IKE).
default             Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
list-name           Character string used to name the list of authorization methods.
none                Uses no authorization. If you specify none, no subsequent authorization methods are attempted. However, the task ID authorization is always required and cannot be disabled.
local               Uses local authorization. This method of authorization is not available for command authorization.
group tacacs+       Uses the list of all configured TACACS+ servers for authorization.
group radius        Uses the list of all configured RADIUS servers for authorization. This method of authorization is not available for command authorization.
group group-name    Uses a named subset of TACACS+ or RADIUS servers for authorization as defined by the aaa group server tacacs+ or aaa group server radius command.

Defaults            Authorization is disabled for all actions (equivalent to the method none keyword).

Command Modes       Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.

Note    The command authorization mentioned here applies to the one performed by an external AAA server and not for task-based authorization.

Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails.

Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.

Note    Cisco IOS XR software attempts authorization with the next listed method only when there is no response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.

The Cisco IOS XR software supports the following methods for authorization:
• none—The router does not request authorization information; authorization is not performed over this line or interface.
• local—Use local database for authorization.
• group tacacs+—Use the list of all configured TACACS+ servers for authorization.
• group radius—Use the list of all configured RADIUS servers for authorization.
• group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.

Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:
• Commands authorization: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.
  Note    “Command” authorization is distinct from “task-based” authorization, which is based on the task profile established during authentication.
• EXEC authorization: Applies authorization for starting an EXEC session.
• Network authorization: Applies authorization for network services, such as IKE.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
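The rule in the note above, and the matching statement under aaa authentication (later methods are used only when the earlier one is not available, not when it fails), is easy to misread as ordinary fallback. The following Python is an added model written for this page, not Cisco code: it walks a method list under exactly those rules, so a deny from the first method that answers ends the walk even when a later method would have permitted the user. The servers and users are constructed stand-ins, and treating a list that is exhausted without any answer as a deny is an assumption, since the page does not say what happens then.

```python
"""Added example (not Cisco code): how an IOS XR method list is walked.

The next method is consulted only when the previous one did not respond; an
explicit failure (a deny from the server or the local database) ends the walk,
and for authorization 'none' grants without asking anything. What happens when
the list is exhausted without any answer is not stated on the page; treating it
as a deny here is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PASS, FAIL, NO_RESPONSE = "pass", "fail", "no-response"
Trace = List[Tuple[str, str]]


@dataclass
class Method:
    name: str                        # e.g. "group tacacs+", "group radius", "local", "none"
    probe: Callable[[str], str]      # asks this method about a user: PASS, FAIL or NO_RESPONSE


def make_server(users: Dict[str, bool], reachable: bool = True) -> Callable[[str], str]:
    """Constructed stand-in for a TACACS+/RADIUS server group or the local database.

    users maps a username to True (permit) or False (deny); an unknown user is a deny.
    An unreachable server never answers, which is the only case that lets the walk move on.
    """
    def probe(user: str) -> str:
        if not reachable:
            return NO_RESPONSE
        return PASS if users.get(user, False) else FAIL
    return probe


def evaluate(method_list: List[Method], user: str) -> Tuple[str, Trace]:
    """Walk the list in order; return ("allow" or "deny", trace of (method, outcome))."""
    trace: Trace = []
    for method in method_list:
        if method.name == "none":
            # 'none': no authorization is requested and nothing after it is attempted.
            trace.append((method.name, "not requested"))
            return "allow", trace
        outcome = method.probe(user)
        trace.append((method.name, outcome))
        if outcome == PASS:
            return "allow", trace
        if outcome == FAIL:
            return "deny", trace     # a deny stops the walk; later methods are never consulted
        # NO_RESPONSE: fall through to the next listed method
    return "deny", trace             # assumption: list exhausted with no answer at all


# Constructed scenario: one TACACS+ group that is down, one that is up, a RADIUS group, local.
TACACS_DOWN = Method("group tacacs+", make_server({"alice": True, "bob": True}, reachable=False))
TACACS_UP = Method("group tacacs+", make_server({"alice": True, "bob": False}))
RADIUS_UP = Method("group radius", make_server({"alice": True}))
LOCAL = Method("local", make_server({"bob": True, "carol": True}))
NONE = Method("none", lambda _user: PASS)


def demo() -> Dict[str, Tuple[str, Trace]]:
    """Decisions for a few user/list combinations."""
    return {
        # tacacs+ silent, radius answers: alice is allowed by the second method
        "alice via fallback": evaluate([TACACS_DOWN, RADIUS_UP], "alice"),
        # tacacs+ answers with a deny: local is never consulted although it would permit bob
        "bob denied by tacacs+": evaluate([TACACS_UP, LOCAL], "bob"),
        # tacacs+ silent, local permits bob
        "bob via local": evaluate([TACACS_DOWN, LOCAL], "bob"),
        # tacacs+ silent, local does not know alice: deny after two steps
        "alice not in local": evaluate([TACACS_DOWN, LOCAL], "alice"),
        # none grants at once; the TACACS+ group behind it is never asked
        "none grants": evaluate([NONE, TACACS_UP], "nobody"),
    }


if __name__ == "__main__":
    for label, (decision, trace) in demo().items():
        print(f"{label}: {decision}  {trace}")
```

The trace returned with each decision is the part worth reading: in the "bob denied by tacacs+" case it has a single entry, which is the observable difference between "not available" and "failed" that both sections describe.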
Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to define the network authorization method list named listname1, which specifies that TACACS+ authorization is used:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+

Related Commands

Command         Description
aaa accounting  Creates a method list for accounting.
aaa default-taskgroup

To specify a task group to be used for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.

aaa default-taskgroup taskgroup-name
no aaa default-taskgroup

Syntax Description

taskgroup-name    Name of an existing task group.

Defaults          No default task group is assigned for remote authentication.

Command Modes     Global configuration

Command History

Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa default-taskgroup command to specify an existing task group to be used for remote TACACS+ authentication.

Task ID

Examples

The following example shows how to specify taskgroup1 as the default task group for remote TACACS+
aaa group server radius

To group different RADIUS server hosts into distinct lists, use the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name
no aaa group server radius group-name

Syntax Description

group-name     Character string used to name the group of servers.

Defaults       This command is not enabled.

Command Modes  Global configuration

Command History

Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the aaa group server radius command to group existing server hosts, which allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses or hostnames of the selected server hosts.

Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and User Datagram Protocol (UDP) port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address.

If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry acts as a failover backup to the first host entry. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry on the same device for accounting services. The RADIUS host entries are tried in the order in which they are configured in the server group.

All members of a server group must be the same type, that is, RADIUS.

The server group cannot be named radius or tacacs.

This command enters server group configuration mode. You can use the server command to associate a particular RADIUS server with the defined server group.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows the configuration of an AAA group server named radgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius radgroup1
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703
RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706

Note    If the auth-port port-number keyword and argument and the acct-port port-number keyword and argument are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646.

Related Commands

Command             Description
radius-server host  Specifies a RADIUS server host.
aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.

aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name

Syntax Description

group-name     Character string used to name a group of servers.

Defaults       This command is not enabled.

Command Modes  Global configuration

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

The aaa group server tacacs+ command enters server group configuration mode. The server command associates a particular TACACS+ server with the defined server group.

A server group is a list of server hosts of a particular type. The supported server host type is TACACS+ server hosts. A server group is used with a global server host list. The server group lists the IP addresses or hostnames of the selected server hosts.

The server group cannot be named radius or tacacs.

Note    Group name methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227
RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.228

Related Commands

Command             Description
aaa accounting      Creates a method list for accounting.
aaa authentication  Creates a method list for authentication.
aaa authorization   Creates a method list for authorization.
server (TACACS+)    Specifies the host name or IP address of an external TACACS+ server.
tacacs-server host  Specifies a TACACS+ host.
accounting

To enable authentication, authorization, and accounting (AAA) accounting services for a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

accounting {commands | exec} {default | list-name}

Syntax Description

commands     Enables accounting on the selected lines for all EXEC shell commands.
exec         Enables accounting of an EXEC session.
default      The name of the default method list, created with the aaa accounting command.
list-name    Specifies the name of a list of accounting methods to use. The list is created with the aaa accounting command.

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists to the selected line or group of lines. If a method list is not specified this way, no accounting is applied to the selected line or group of lines.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# accounting commands listname2

Related Commands

Command         Description
aaa accounting  Creates a method list for accounting.
authorization

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the

authorization {commands | exec} {default | list-name}

Syntax Description

commands     Enables authorization on the selected lines for all commands.
exec         Enables authorization for an interactive (EXEC) session.
default      Applies the default method list, created with the aaa authorization command.
list-name    Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

After you use the aaa authorization command to define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines.

Task ID

Task ID    Operations
aaa        read, write

Examples

The following example shows how to enable command authorization using the method list named listname4 on a line template named configure:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template configure
RP/0/RP0/CPU0:router(config-line)# authorization commands listname4

Related Commands

Command            Description
aaa authorization  Creates a method list for authorization.
deadtime (server-group configuration)

To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes
no deadtime

Syntax Description

minutes    Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440.

Defaults       Deadtime is set to 0.

Command Modes  Server-group configuration

Command History

Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The value of the deadtime set in the server group overrides the deadtime that is configured globally. If the deadtime is omitted from the server group configuration, the value is inherited from the master list. If the server group is not configured, the default value of 0 applies to all servers in the group. If the deadtime is set to 0, no servers are marked dead.
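As an added example that is not Cisco code, the following Python models the server-group behaviour described under aaa group server radius (entries identified by IP address plus UDP ports, so the same address may appear with different ports; configuration-order failover; the reserved names radius and tacacs; the default ports 1645 and 1646) together with the deadtime rules stated above (the group value overrides the global one, is inherited when omitted, and 0 marks nothing dead). Addresses, ports and the set of responding hosts are constructed; the minute-count clock and the class and function names are this example's own.

```python
"""Added example (not Cisco code): a RADIUS server group with deadtime handling."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DEFAULT_AUTH_PORT = 1645            # default auth-port stated on the page
DEFAULT_ACCT_PORT = 1646            # default acct-port stated on the page
RESERVED_GROUP_NAMES = {"radius", "tacacs"}
DEADTIME_MAX = 1440                 # minutes (24 hours)
HostKey = Tuple[str, int, int]


@dataclass
class RadiusHost:
    """One 'server <ip> auth-port N acct-port N' entry of a group."""
    ip: str
    auth_port: int = DEFAULT_AUTH_PORT
    acct_port: int = DEFAULT_ACCT_PORT
    dead_until: float = 0.0         # minute at which the host stops being skipped

    @property
    def key(self) -> HostKey:
        return (self.ip, self.auth_port, self.acct_port)   # IP plus UDP ports identifies an entry


@dataclass
class RadiusServerGroup:
    name: str
    deadtime: Optional[int] = None  # None: omitted, so the global (master list) value is inherited
    hosts: List[RadiusHost] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.name in RESERVED_GROUP_NAMES:
            raise ValueError(f"server group cannot be named {self.name!r}")

    def add_server(self, ip: str, auth_port: int = DEFAULT_AUTH_PORT,
                   acct_port: int = DEFAULT_ACCT_PORT) -> RadiusHost:
        host = RadiusHost(ip, auth_port, acct_port)
        if any(h.key == host.key for h in self.hosts):
            raise ValueError(f"duplicate host entry {host.key}")
        self.hosts.append(host)     # configuration order is the failover order
        return host

    def set_deadtime(self, minutes: int) -> None:
        """deadtime <1-1440>; 0 is the value the no form sets."""
        if not 0 <= minutes <= DEADTIME_MAX:
            raise ValueError("deadtime must be between 0 and 1440 minutes")
        self.deadtime = minutes

    def effective_deadtime(self, global_deadtime: int) -> int:
        return global_deadtime if self.deadtime is None else self.deadtime

    def live_hosts(self, now: float) -> List[RadiusHost]:
        return [h for h in self.hosts if h.dead_until <= now]   # not skipped, in config order

    def mark_dead(self, host: RadiusHost, now: float, global_deadtime: int) -> None:
        minutes = self.effective_deadtime(global_deadtime)
        if minutes > 0:             # deadtime 0: no server is ever marked dead
            host.dead_until = now + minutes


def send_request(group: RadiusServerGroup, responders: Set[HostKey],
                 now: float, global_deadtime: int) -> Optional[HostKey]:
    """Try live hosts in order; a silent host is marked dead and the next one is tried.
    responders is a constructed set of host keys that answer; None means nobody did."""
    for host in group.live_hosts(now):
        if host.key in responders:
            return host.key
        group.mark_dead(host, now, global_deadtime)
    return None


def rejects(action: Callable[[], object]) -> bool:
    """True when the action raises ValueError (shows what the model refuses)."""
    try:
        action()
    except ValueError:
        return True
    return False


def demo() -> Dict[str, object]:
    """Constructed scenario: same IP on two port pairs, failover, deadtime inheritance."""
    group = RadiusServerGroup("radgroup1")
    first = group.add_server("10.0.0.5", auth_port=1700, acct_port=1701)
    second = group.add_server("10.0.0.5", auth_port=1702, acct_port=1703)  # same IP, other ports
    third = group.add_server("10.0.0.20")                                   # default ports
    results: Dict[str, object] = {
        "reserved_name_rejected": rejects(lambda: RadiusServerGroup("radius")),
        "duplicate_rejected": rejects(lambda: group.add_server("10.0.0.5", 1700, 1701)),
        "inherits_global": group.effective_deadtime(10),   # no group deadtime -> 10
    }
    group.set_deadtime(1)
    results["group_overrides"] = group.effective_deadtime(10)   # group value wins -> 1
    # At minute 0 only the second and third hosts answer: the first is skipped for 1 minute.
    results["served_by"] = send_request(group, {second.key, third.key}, 0.0, 10)
    results["first_dead_until"] = first.dead_until
    results["live_at_half_minute"] = [h.key for h in group.live_hosts(0.5)]
    results["live_at_one_minute"] = [h.key for h in group.live_hosts(1.0)]
    group.set_deadtime(0)                       # the no form: nothing gets marked dead
    group.mark_dead(third, 5.0, 10)
    results["zero_deadtime_marks_nothing"] = third.dead_until == 0.0
    return results
```

Calling demo() returns the outcome of each step; the "served_by" entry is the second host on 10.0.0.5, which is the failover behaviour described for two entries of the same server, and "live_at_half_minute" omits the first host for exactly the one-minute group deadtime.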
Task ID
Task IDOperations
aaaread, write
ExamplesThe following example specifies a one-minute deadtime for RADIUS server group group1 when it has
failed to respond to authentication requests for the deadtime command:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
RP/0/RP0/CPU0:router(config-sg-radius)# deadtime 1
Cisco IOS XR System Security Command Reference
SR-21
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
deadtime (server-group configuration)
Related CommandsCommandDescription
aaa group server radiusGroups different RADIUS server hosts into distinct lists and
distinct methods.
radius-server dead-criteria time Forces one or both of the criteria that is used to mark a RADIUS
server as dead.
radius-server deadtimeDefines the length of time in minutes for a RADIUS server to
remain marked dead.
description (AAA)
To create a description of a task group or user group during configuration, use the description command
in task group configuration or user group configuration mode. To delete a task group description or user
group description, use the no form of this command.
description string
no description
Syntax Description
string    Character string describing the task group or user group.
Defaults
The default description is blank.
Command Modes
Task group configuration
User group configuration
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the task or user group configuration submode to define a
description for the task or user group, respectively.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows the creation of a task group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# taskgroup alpha
RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup
The following example shows the creation of a user group description:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# usergroup alpha
RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group
Related Commands
Command     Description
taskgroup   Accesses task group configuration mode and configures a task group by associating
            it with a set of task IDs.
usergroup   Accesses user group configuration mode and configures a user group by associating
            it with a set of task groups.
group
To add a user to a group, use the group command in username configuration mode. To remove the user
from a group, use the no form of this command.
group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | serviceadmin | group-name}
no group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | serviceadmin | group-name}
Syntax Description
root-system     Adds the user to the predefined root-system group. Only users with root-system
                authority may use this option.
root-lr         Adds the user to the predefined root-lr group. Only users with root-system
                authority or root-lr authority may use this option.
netadmin        Adds the user to the predefined network administrators group.
sysadmin        Adds the user to the predefined system administrators group.
operator        Adds the user to the predefined operator group.
cisco-support   Adds the user to the predefined Cisco support personnel group.
serviceadmin    Adds the user to the predefined service administrators group.
group-name      Adds the user to a named user group that has already been defined with the
                usergroup command.
Defaults
No default behavior or values
Command Modes
Username configuration
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The serviceadmin keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The predefined group root-system may be specified only by root-system users while configuring
administration.
Use the group command in username configuration mode. To access username configuration mode, use
the username command in global configuration mode.
If the group command is used in admin configuration mode, only root-system and cisco-support can be
specified.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to assign the user group operator to the user named user1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# group operator
Related Commands
Command          Description
password (AAA)   Creates a login password for a user.
usergroup        Configures a user group and associates it with a set of task groups.
username         Accesses username configuration mode, configures a new user with a username,
                 and establishes a password and permissions for that user.
inherit taskgroup
To enable a task group to derive permissions from another task group, use the inherit taskgroup
command in task group configuration mode.
Syntax Description
taskgroup-name   Name of the task group from which permissions are inherited.
netadmin         Inherits permissions from the network administrator task group.
operator         Inherits permissions from the operator task group.
sysadmin         Inherits permissions from the system administrator task group.
cisco-support    Inherits permissions from the Cisco support task group.
root-lr          Inherits permissions from the root-lr task group.
root-system      Inherits permissions from the root-system task group.
serviceadmin     Inherits permissions from the service administrators task group.
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The serviceadmin keyword was added.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the inherit taskgroup command to inherit the permissions (task IDs) from one task group into
another task group. Any changes made to the task group from which permissions are inherited are
reflected immediately in the inheriting task group.
Task ID
Task ID    Operations
aaa        read, write
Examples
In the following example, the permissions of task group tg2 are inherited by task group tg1:
inherit usergroup
To enable a user group to derive characteristics of another user group, use the inherit usergroup
command in user group configuration mode.
inherit usergroup usergroup-name
Syntax Description
usergroup-name    Name of the user group from which permissions are to be inherited.
Defaults
No default behavior or values
Command Modes
User group configuration
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Each user group is associated with a set of task groups applicable to the users in that group. A task group
is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. The task
permissions for a user are derived (at the start of the EXEC or XML session) from the task groups
associated with the user groups to which that user belongs.
User groups support inheritance from other user groups. Use the inherit usergroup command to copy
permissions (task ID attributes) from one user group to another user group. The “destination” user group
inherits the properties of the inherited group and forms a union of all task IDs specified in those groups.
For example, when user group A inherits user group B, the task map of user group A is the union of the
task maps of A and B. Cyclic inclusions are detected and rejected. User groups cannot inherit properties
from predefined groups, such as root-system users, root-sdr users, netadmin users, and so on. Any
changes made to the user group from which properties are inherited are reflected immediately in the
inheriting group.
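As an added example (not Cisco's implementation), the following Python model shows the inheritance rules stated here and under inherit taskgroup: the task map is the union over the inheritance chain, a change to a parent shows up immediately in its children, cycles are rejected, and only task groups may inherit the predefined groups. Group names other than the predefined ones and all task-ID sets are constructed for the example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Added example, not Cisco code: a model of the inheritance rules this chapter
# states for "inherit taskgroup" and "inherit usergroup". Group names other than
# the predefined ones, and all task-ID sets, are constructed for the example.

TaskId = Tuple[str, str]  # (task ID, operation), e.g. ("aaa", "read")

PREDEFINED = {"root-system", "root-lr", "netadmin", "sysadmin", "operator",
              "cisco-support", "serviceadmin"}


class GroupStore:
    """Holds either task groups or user groups, each with its own task IDs and
    the groups it inherits from. Inherited task IDs are resolved on every lookup,
    so a change to a parent is reflected immediately in every child."""

    def __init__(self, kind: str) -> None:
        assert kind in ("taskgroup", "usergroup")
        self.kind = kind
        self.own: Dict[str, Set[TaskId]] = {}
        self.parents: Dict[str, List[str]] = {}

    def define(self, name: str, task_ids: Iterable[TaskId] = ()) -> None:
        """Enter the group's configuration submode and add task IDs to it."""
        self.own.setdefault(name, set()).update(task_ids)
        self.parents.setdefault(name, [])

    def inherit(self, child: str, parent: str) -> None:
        """Apply 'inherit <kind> parent' inside child's configuration submode."""
        if self.kind == "usergroup" and parent in PREDEFINED:
            raise ValueError(f"user groups cannot inherit predefined group {parent}")
        if parent not in self.own:
            raise ValueError(f"{parent} is not defined")
        # Cyclic inclusion: the parent already (transitively) inherits the child.
        if parent == child or child in self._ancestors(parent):
            raise ValueError(f"cyclic inclusion of {parent} in {child} rejected")
        if parent not in self.parents[child]:
            self.parents[child].append(parent)

    def _ancestors(self, name: str) -> Set[str]:
        """Every group reachable through the inheritance links of `name`."""
        seen: Set[str] = set()
        stack = list(self.parents.get(name, []))
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.parents.get(g, []))
        return seen

    def task_map(self, name: str) -> Set[TaskId]:
        """Union of the group's own task IDs and those of every group it inherits."""
        result = set(self.own.get(name, set()))
        for g in self._ancestors(name):
            result |= self.own.get(g, set())
        return result


def demo():
    ug = GroupStore("usergroup")
    ug.define("purchasing", {("aaa", "read")})
    ug.define("finance", {("tty-access", "read"), ("tty-access", "write")})
    ug.inherit("purchasing", "finance")
    before = ug.task_map("purchasing")
    # Add a task ID to the parent afterwards: the child sees it without re-inheriting.
    ug.define("finance", {("aaa", "write")})
    after = ug.task_map("purchasing")
    rejected = []
    for child, parent in [("finance", "purchasing"),   # would form a cycle
                          ("purchasing", "netadmin"),  # predefined: not allowed for user groups
                          ("purchasing", "missing")]:  # undefined group
        try:
            ug.inherit(child, parent)
        except ValueError as exc:
            rejected.append(str(exc))
    # Task groups, by contrast, may inherit the predefined groups. The task IDs
    # given to netadmin here are a constructed stand-in, not its real contents.
    tg = GroupStore("taskgroup")
    tg.define("netadmin", {("tty-access", "read")})
    tg.define("tg1", {("aaa", "read")})
    tg.inherit("tg1", "netadmin")
    return before, after, rejected, tg.task_map("tg1")


if __name__ == "__main__":
    print(demo())
```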
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to enable the purchasing user group to inherit properties from the
Related Commands
Command            Description
description (AAA)  Creates a description of a task group in task group configuration mode, or
                   creates a description of a user group in user group configuration mode.
taskgroup          Configures a task group to be associated with a set of task IDs.
usergroup          Configures a user group to be associated with a set of task groups.
login authentication
To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login
authentication command in line configuration mode. To return to the default authentication settings, use
the no form of this command.
login authentication {default | list-name}
no login authentication
Syntax Description
default      Default list of AAA authentication methods, as set by the aaa authentication
             login command.
list-name    Name of the method list used for authenticating. You specify this list with the aaa
             authentication login command.
Defaults
This command uses the default set with the aaa authentication login command.
Command Modes
Line configuration
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The login authentication command is a per-line command used with AAA that specifies the name of a
list of AAA authentication methods to try at login.
Caution    If you use a list-name value that was not configured with the aaa authentication login command,
the configuration is rejected.
Entering the no form of the login authentication command has the same effect as entering the command
with the default keyword.
Before issuing this command, create a list of authentication processes by using the aaa authentication
login global configuration command.
Task ID
Task ID       Operations
aaa           read, write
tty-access    read, write
Examples
The following example shows that the default AAA authentication is to be used for the line template
template1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template template1
RP/0/RP0/CPU0:router(config-line)# login authentication default
The following example shows that the AAA authentication list called list1 is to be used for the line
template template2:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# line template template2
RP/0/RP0/CPU0:router(config-line)# login authentication list1
Related Commands
Command              Description
aaa authentication   Creates a method list for authentication.
password (AAA)
To create a login password for a user, use the password command in username or line configuration
mode. To remove the password, use the no form of this command.
Syntax Description
0           Specifies that an unencrypted (clear-text) password follows.
7           Specifies that an encrypted password follows.
password    Character-string password to be entered by the user to log in.
Command Modes
Username configuration
Line configuration
Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of passwords: encrypted or clear text.
When an EXEC process is started on a line that has password protection, the process prompts for the
password. If the user enters the correct password, the process issues the prompt. The user can try three
times to enter a password before the process exits and returns the terminal to the idle state.
Passwords are two-way encrypted and should be used for applications such as PPP that need decryptable
passwords.
Note    The show running-config command does not display the login password in clear text when the 0
option is used to specify an unencrypted password.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to establish the unencrypted password pwd1 for the user user1:
Related Commands
Command     Description
group       Adds a user to a group.
usergroup   Accesses user group configuration mode and configures a user group,
            associating it with a set of task groups.
username    Accesses username configuration mode and configures a new user with a
            username, establishing a password and granting permissions for that user.
radius-server dead-criteria time
To specify the minimum amount of time, in seconds, that must elapse from the time that the router last
received a valid packet from the RADIUS server to the time the server is marked as dead, use the
radius-server dead-criteria time command in global configuration mode. To disable the criteria that
were set, use the no form of this command.
radius-server dead-criteria time seconds
no radius-server dead-criteria time seconds
Syntax Description
seconds    Length of time, in seconds. The range is from 1 to 120 seconds. If the seconds argument
           is not configured, the number of seconds ranges from 10 to 60, depending on the
           transaction rate of the server.
Note    The time criterion must be met for the server to be marked as dead.
Defaults
If the seconds argument is not configured, the number of seconds ranges from 10 to 60 seconds,
depending on the transaction rate of the server.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note    If you configure the radius-server dead-criteria time command before the radius-server deadtime
command, the radius-server dead-criteria time command may not be enforced.
If a packet has not been received since the router booted and there is a timeout, the time criterion is
treated as though it were met.
If the seconds argument is not indicated, the time is set to the defaults.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to establish the time for the dead-criteria conditions for a RADIUS
server to be marked as dead:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# radius-server dead-criteria time 5
Related Commands
Command                            Description
radius-server dead-criteria tries  Specifies the number of consecutive timeouts that must occur on the
                                   router before the RADIUS server is marked as dead.
radius-server deadtime             Defines the length of time, in minutes, for a RADIUS server to remain
                                   marked dead.
show radius dead-criteria          Displays information for the dead-server detection criteria.
radius-server dead-criteria tries
To specify the number of consecutive timeouts that must occur on the router before the RADIUS server
is marked as dead, use the radius-server dead-criteria tries command in global configuration mode.
To disable the criteria that were set, use the no form of this command.
radius-server dead-criteria tries tries
no radius-server dead-criteria tries tries
Syntax Description
tries    Number of timeouts from 1 to 100. If the tries argument is not configured, the number
         of consecutive timeouts ranges from 10 to 100, depending on the transaction rate of the
         server and the number of configured retransmissions.
Note    The tries criterion must be met for the server to be marked as dead.
Defaults
If the tries argument is not configured, the number of consecutive timeouts ranges from 10 to 100,
depending on the transaction rate of the server and the number of configured retransmissions.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If the server performs both authentication and accounting, both types of packet are included in the
number. Improperly constructed packets are counted as though they were timeouts. All transmissions,
including the initial transmit and all retransmits, are counted.
Note    If you configure the radius-server dead-criteria tries command before the radius-server deadtime
command, the radius-server dead-criteria tries command may not be enforced.
If the tries argument is not indicated, the number of tries is set to the default.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to establish the number of tries for the dead-criteria conditions for a
RADIUS server to be marked as dead:
Related Commands
Command                           Description
radius-server dead-criteria time  Defines the length of time in seconds that must elapse from the time that
                                  the router last received a valid packet from the RADIUS server to the
                                  time the server is marked as dead.
radius-server deadtime            Defines the length of time, in minutes, for a RADIUS server to remain
                                  marked dead.
show radius dead-criteria         Displays information for the dead-server detection criteria.
radius-server deadtime
To improve RADIUS response times when some servers are unavailable and cause the unavailable
servers to be skipped immediately, use the radius-server deadtime command in global configuration
mode. To set deadtime to 0, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime
Syntax Description
minutes    Length of time, in minutes, for which a RADIUS server is skipped over by transaction
           requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440. The default
           value is 0.
Defaults
Deadtime is set to 0.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A RADIUS server marked as dead is skipped by additional requests for the duration of minutes unless
all other servers are marked dead and there is no rollover method.
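As an added example that is not part of the command reference, the following Python model puts together the rules stated for deadtime (server-group configuration), radius-server dead-criteria time, radius-server dead-criteria tries and this command: a server is marked dead only when both criteria are met and deadtime is non-zero, a group deadtime overrides the global one, a valid reply revives the server, and dead servers are skipped unless every server is dead. Server addresses, times and the criteria values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Cisco code: a model of how deadtime (server-group
# configuration), radius-server dead-criteria time, radius-server dead-criteria
# tries and radius-server deadtime interact, following only the rules stated in
# this chapter. Addresses, times and criteria values are constructed.


@dataclass
class RadiusServer:
    address: str
    last_valid_rx: Optional[float] = None  # time of last valid packet; None = none since boot
    consecutive_timeouts: int = 0
    dead_until: Optional[float] = None     # set when marked dead; cleared by a valid reply


@dataclass
class DeadCriteria:
    time_seconds: int   # radius-server dead-criteria time (range 1 to 120)
    tries: int          # radius-server dead-criteria tries (range 1 to 100)


def effective_deadtime(global_minutes: int, group_minutes: Optional[int]) -> int:
    """A deadtime set under aaa group server radius overrides radius-server
    deadtime; when the group leaves it out, the global value is inherited."""
    return global_minutes if group_minutes is None else group_minutes


def is_dead(server: RadiusServer, now: float) -> bool:
    return server.dead_until is not None and now < server.dead_until


def record_timeout(server: RadiusServer, crit: DeadCriteria,
                   deadtime_minutes: int, now: float) -> bool:
    """Count one transmission that timed out (an improperly constructed reply
    counts the same way). Every transmission counts, so call this once for the
    initial send and once for each retransmit. Returns True when the server is
    marked dead, which requires BOTH criteria and a non-zero deadtime."""
    server.consecutive_timeouts += 1
    # Time criterion: at least time_seconds since the last valid packet. If no
    # packet was ever received since boot, the criterion is treated as met.
    time_met = (server.last_valid_rx is None
                or now - server.last_valid_rx >= crit.time_seconds)
    tries_met = server.consecutive_timeouts >= crit.tries
    if deadtime_minutes > 0 and time_met and tries_met:
        server.dead_until = now + deadtime_minutes * 60
        return True
    return False


def record_valid_reply(server: RadiusServer, now: float) -> None:
    """A valid packet resets both criteria and revives a dead server."""
    server.last_valid_rx = now
    server.consecutive_timeouts = 0
    server.dead_until = None


def candidate_servers(servers: List[RadiusServer], now: float) -> List[RadiusServer]:
    """Servers a request is sent to, in configured order, skipping dead ones.
    With no rollover method, a request still goes out when every server is dead."""
    live = [s for s in servers if not is_dead(s, now)]
    return live if live else list(servers)


def demo() -> dict:
    crit = DeadCriteria(time_seconds=10, tries=2)
    # Global "radius-server deadtime 5" but the group says "deadtime 1": 1 minute wins.
    deadtime = effective_deadtime(global_minutes=5, group_minutes=1)
    s1, s2 = RadiusServer("1.1.1.1"), RadiusServer("2.2.2.2")
    marked = []
    record_valid_reply(s1, now=0)                                  # s1 answered at t=0
    marked.append(record_timeout(s1, crit, deadtime, now=5))       # 1 timeout: tries not met
    marked.append(record_timeout(s1, crit, deadtime, now=8))       # 2 timeouts, but only 8 s quiet
    marked.append(record_timeout(s1, crit, deadtime, now=12))      # both criteria met: dead until t=72
    order_at_20 = [s.address for s in candidate_servers([s1, s2], now=20)]
    marked.append(record_timeout(s2, crit, deadtime, now=21))      # s2 never answered: time met, tries 1
    marked.append(record_timeout(s2, crit, deadtime, now=22))      # tries 2: dead until t=82
    order_at_30 = [s.address for s in candidate_servers([s1, s2], now=30)]  # all dead: try them anyway
    order_at_72 = [s.address for s in candidate_servers([s1, s2], now=72)]  # s1's deadtime has expired
    return {"marked": marked, "at20": order_at_20, "at30": order_at_30,
            "at72": order_at_72, "dead_until": (s1.dead_until, s2.dead_until)}


if __name__ == "__main__":
    print(demo())
```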
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example specifies five minutes of deadtime for RADIUS servers that fail to respond to
authentication requests:
Related Commands
Command                                Description
deadtime (server-group configuration)  Configures the deadtime value at the RADIUS server group level.
radius-server dead-criteria time       Forces one or both of the criteria that are used to mark a RADIUS
                                       server as dead.
show radius dead-criteria              Displays information for the dead-server detection criteria.
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode.
To delete the specified RADIUS host, use the no form of this command.
no radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
Syntax Description
hostname                  Domain Name System (DNS) name of the RADIUS server host.
ip-address                IP address of the RADIUS server host.
auth-port port-number     (Optional) Specifies the User Datagram Protocol (UDP) destination port for
                          authentication requests; the host is not used for authentication if set to 0. If
                          unspecified, the port number defaults to 1645.
acct-port port-number     (Optional) Specifies the UDP destination port for accounting requests; the
                          host is not used for accounting if set to 0. If unspecified, the port number
                          defaults to 1646.
timeout seconds           (Optional) The time interval (in seconds) that the router waits for the
                          RADIUS server to reply before retransmitting. This setting overrides the
                          global value of the radius-server timeout command. If no timeout value is
                          specified, the global value is used. Enter a value in the range from 1 to 1000.
                          Default is 5.
retransmit retries        (Optional) The number of times a RADIUS request is re-sent to a server, if
                          that server is not responding or responding slowly. This setting overrides the
                          global setting of the radius-server retransmit command. If no retransmit
                          value is specified, the global value is used. Enter a value in the range from 1
                          to 100. Default is 3.
key string                (Optional) Specifies the authentication and encryption key used between the
                          router and the RADIUS server. This key overrides the global setting of the
                          radius-server key command. If no key string is specified, the global value
                          is used.
                          The key is a text string that must match the encryption key used on the
                          RADIUS server. Always configure the key as the last item in the
                          radius-server host command syntax. This is because the leading spaces are
                          ignored, but spaces within and at the end of the key are used. If you use
                          spaces in the key, do not enclose the key in quotation marks unless the
                          quotation marks themselves are part of the key.
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can use multiple radius-server host commands to specify multiple hosts. The
Cisco IOS XR software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to establish host1 as the RADIUS server and use default ports for
The following example shows how to establish port 1612 as the destination port for authentication
requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
Because entering a line resets all the port numbers, you must specify a host and configure accounting
and authentication ports on a single line.
The following example shows how to establish the host with IP address 172.29.39.46 as the RADIUS
server, use ports 1612 and 1616 as the authorization and accounting ports, set the timeout value to 6, set
the retransmit value to 5, and set “rad123” as the encryption key, matching the key on the RADIUS
server:
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example shows how to establish that RADIUS server host1 be used for accounting but not
for authentication, and specify that RADIUS server host2 be used for authentication but not for
accounting:
Related Commands
Command                   Description
aaa accounting            Creates a method list for accounting.
aaa authentication        Creates a method list for authentication.
aaa authorization         Creates a method list for authorization.
radius-server key         Sets the authentication and encryption key for all RADIUS
                          communications between the router and the RADIUS daemon.
radius-server retransmit  Specifies how many times Cisco IOS XR software retransmits packets to
                          a server before giving up.
radius-server timeout     Sets the interval a router waits for a server host to reply.
radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and
the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the
key, use the no form of this command.
Syntax Description
0 clear-text-key    Specifies an unencrypted (cleartext) shared key.
7 encrypted-key     Specifies an encrypted shared key.
clear-text-key      Specifies an unencrypted (cleartext) shared key.
Defaults
The authentication and encryption key is disabled.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key entered must match the key used on the RADIUS server. All leading spaces are ignored, but
spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in
quotation marks unless the quotation marks themselves are part of the key.
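As an added example (not Cisco code), the following Python parser reads a radius-server host line according to the syntax table in that section and applies the key rule stated both there and here: spaces before the key are dropped, spaces inside and at the end of the key and any quotation marks are kept, and a zero port disables that use of the host. The sample lines reuse this chapter's example values; the global key and the accepted port range are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Added example, not Cisco code: a parser for the "radius-server host" line as
# described in this chapter's syntax table, applying the shared-key whitespace
# rule. Sample lines below reuse the chapter's example values; the global key is
# a constructed placeholder and the port range is an assumption (UDP ports).

DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646
RANGES = {"auth-port": (0, 65535), "acct-port": (0, 65535),
          "timeout": (1, 1000), "retransmit": (1, 100)}


def parse_radius_server_host(line: str, global_timeout: int = 5,
                             global_retransmit: int = 3,
                             global_key: Optional[str] = None) -> Dict[str, object]:
    """Return the effective per-host settings for one radius-server host line.
    Per-host timeout, retransmit and key override the global values passed in."""
    line = line.rstrip("\r\n")
    head, key = line, global_key
    # The key is everything after the 'key' keyword: leading spaces are ignored,
    # spaces inside and at the end are part of the key, and quotation marks are
    # literal characters. That is why the key must be the last item on the line.
    m = re.search(r"(?:^|\s)key\s", line)
    if m:
        head, key = line[:m.start()], line[m.end():].lstrip(" ")
        if key == "":
            raise ValueError("key keyword given without a key string")
    tokens = head.split()
    if tokens[:2] != ["radius-server", "host"] or len(tokens) < 3:
        raise ValueError(f"not a radius-server host line: {line!r}")
    settings: Dict[str, int] = {"auth-port": DEFAULT_AUTH_PORT,
                                "acct-port": DEFAULT_ACCT_PORT,
                                "timeout": global_timeout,
                                "retransmit": global_retransmit}
    opts = tokens[3:]
    if len(opts) % 2:
        raise ValueError(f"keyword without a value in {line!r}")
    for kw, val in zip(opts[::2], opts[1::2]):
        if kw not in RANGES:
            raise ValueError(f"unknown keyword {kw!r}")
        lo, hi = RANGES[kw]
        n = int(val)
        if not lo <= n <= hi:
            raise ValueError(f"{kw} {n} outside range {lo} to {hi}")
        settings[kw] = n
    return {
        "host": tokens[2],
        "auth_port": settings["auth-port"],
        "acct_port": settings["acct-port"],
        "timeout": settings["timeout"],
        "retransmit": settings["retransmit"],
        "key": key,
        # A port of 0 means the host is not used for that function.
        "used_for_authentication": settings["auth-port"] != 0,
        "used_for_accounting": settings["acct-port"] != 0,
    }


def demo():
    lines = [  # constructed from this chapter's example values
        "radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123",
        "radius-server host host1 auth-port 0 acct-port 1646",   # accounting only
        "radius-server host host2 auth-port 1645 acct-port 0",   # authentication only
        "radius-server host host3 key   my shared key  ",        # leading spaces dropped, trailing kept
    ]
    return [parse_radius_server_host(l, global_key="global-secret") for l in lines]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```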
Task ID
Task ID    Operations
aaa        read, write
Examples
The following example shows how to set the cleartext key to “samplekey”:
Related Commands
Command             Description
radius-server host  Specifies a RADIUS server host.
radius-server retransmit
To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving
up, use the radius-server retransmit command in global configuration mode. To disable
retransmission, use the no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries    Maximum number of retransmission attempts. The range is from 1 to 100. Default is 3.
Defaults
The RADIUS servers are retried three times, or until a response is received.
Command Modes
Global configuration
Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The RADIUS client tries all servers, allowing each one to time out before increasing the retransmit
count.
Task ID
Examples
The following example shows how to specify a retransmit counter value of five times:
radius-server timeout
To set the interval for which a router waits for a server host to reply before timing out, use the
radius-server timeout command in global configuration mode. To restore the default, use the no form
of this command.
radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds    Number that specifies the timeout interval, in seconds. Range is from 1 to 1000.
Defaults
seconds: 5 seconds
Command Modes
Global configuration
Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on
Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius-server timeout command to set the number of seconds a router waits for a server host
to reply before timing out.
Task ID
Examples
The following example shows how to change the interval timer to 10 seconds:
Related Commands
Command             Description
radius-server host  Specifies a RADIUS server host.
radius-server key   Sets the authentication and encryption key for all RADIUS communications
                    between the router and the RADIUS daemon.
Cisco IOS XR System Security Command Reference
SR-47
radius source-interface
To force RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the radius source-interface command in global configuration mode. To prevent only the specified interface from being the default, and not from being used for all outgoing RADIUS packets, use the no form of this command.
radius source-interface interface-name
no radius source-interface

Syntax Description
interface-name    Name of the interface that RADIUS uses for all of its outgoing packets.

Defaults
If a specific source interface is not configured, or the interface is down or does not have an IP address configured, the system selects an IP address.

Command Modes
Global configuration

Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius source-interface command to set the IP address of the specified interface or subinterface for all outgoing RADIUS packets. This address is used as long as the interface or subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
The specified interface or subinterface must have an IP address associated with it. If the specified interface or subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the interface or subinterface or bring the interface to the up state.
The radius source-interface command is especially useful in cases in which the router has many interfaces or subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to make RADIUS use the IP address of subinterface s2 for all
secret

To create a secure login secret for a user, use the secret command in username or line configuration mode. To remove the secure secret, use the no form of this command.
secret {0 | 5} secret
no secret {0 | 5} secret

Syntax Description
0         Specifies that an unencrypted (clear text) secure secret follows.
5         Specifies that an encrypted secure secret follows.
secret    Character-string secret to be entered by the user to log in.

Defaults
No password is specified.

Command Modes
Username configuration
Line configuration

Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  The password argument was replaced with the secret argument.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of secure secrets: encrypted or clear text.
When an EXEC process is started on a line that has password protection, the process prompts for the secret. If the user enters the correct secret, the process issues the prompt. The user can try three times to enter a secret before the process exits and returns the terminal to the idle state.
Secrets are one-way encrypted and should be used for applications such as login that do not need a decryptable secret.

Note    The show running command does not display the login password in clear text when the 0 option is used to specify an unencrypted password.

Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to establish the secure encrypted secret pwd2 for the user user2:

Related Commands
Command           Description
group             Adds a user to a group.
password (AAA)    Creates a login password for a user.
usergroup         Accesses user group configuration mode and configures a user group, associating it with a set of task groups.
username          Accesses username configuration mode and configures a new user with a username, establishing a password and granting permissions for that user.
server (RADIUS)
To associate a particular RADIUS server with a defined server group, use the server command in RADIUS server-group configuration mode. To remove the associated server from the server group, use the no form of this command.
server {hostname | ip-address} [auth-port port-number] [acct-port port-number]
no server {hostname | ip-address} [auth-port port-number] [acct-port port-number]

Syntax Description
hostname                 Character string used to name the server host.
ip-address               IP address of the RADIUS server host.
auth-port port-number    (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. Default is 1645.
acct-port port-number    (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0. Default is 1646.

Defaults
If no port attributes are defined, the defaults are as follows:
• Authentication port: 1645
• Accounting port: 1646

Command Modes
RADIUS server-group configuration

Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular RADIUS server with a defined server group.
There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server based on their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order they are configured.)
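The ordering rules above, together with the retransmit rule under radius-server retransmit (every server is allowed to time out before the retransmit count increases), decide how long a login can hang before AAA falls through to the next method in the method list. The following Python model is an added example, not Cisco code, and assumes only what this page states: host entries are tried in configured order, each attempt waits the configured timeout, the retransmit counter advances only after all servers have timed out, and a host whose auth-port or acct-port is 0 is not used for that service. HostEntry, attempt_sequence, duplicate_identifiers and worst_case_delay are this example's own names; the 5-second timeout and 3 retransmits are the page's defaults.

```python
"""Model of the RADIUS client retry and failover order described on this page.

Added example, not Cisco code. Assumptions (all taken from the page text):
host entries are tried in the order they are configured; each attempt waits
`timeout` seconds; the retransmit counter advances only after every server has
been given the chance to time out; a host with auth-port 0 is not used for
authentication and one with acct-port 0 is not used for accounting.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Ident = Tuple[str, int]  # (address, UDP port): the unique identifier of a host entry


@dataclass(frozen=True)
class HostEntry:
    address: str
    auth_port: int = 1645  # page default
    acct_port: int = 1646  # page default

    def port_for(self, service: str) -> int:
        if service not in ("authentication", "accounting"):
            raise ValueError(f"unknown service {service!r}")
        return self.auth_port if service == "authentication" else self.acct_port

    def ident(self, service: str) -> Ident:
        return (self.address, self.port_for(service))


def duplicate_identifiers(entries: List[HostEntry], service: str) -> List[Ident]:
    """Host entries that collapse onto the same (address, port) for a service.

    Two such entries are not independent failover targets; they address one
    and the same RADIUS listener twice.
    """
    seen, dupes = set(), []
    for e in entries:
        ident = e.ident(service)
        if e.port_for(service) != 0 and ident in seen and ident not in dupes:
            dupes.append(ident)
        seen.add(ident)
    return dupes


def attempt_sequence(entries: List[HostEntry], service: str,
                     retransmit: int = 3,
                     dead: FrozenSet[Ident] = frozenset()) -> List[Ident]:
    """Return the (address, port) pairs contacted, in order, until the client gives up.

    One initial pass over every usable server, then `retransmit` further passes:
    the counter is only increased once all servers have timed out. Entries in
    `dead` (marked dead by dead-criteria/deadtime) are skipped.
    """
    usable = [e.ident(service) for e in entries
              if e.port_for(service) != 0 and e.ident(service) not in dead]
    return [ident for _ in range(retransmit + 1) for ident in usable]


def worst_case_delay(entries: List[HostEntry], service: str,
                     timeout: int = 5, retransmit: int = 3,
                     dead: FrozenSet[Ident] = frozenset()) -> int:
    """Seconds before AAA falls through to the next method in the method list
    (for example, local) when no server answers at all."""
    return timeout * len(attempt_sequence(entries, service, retransmit, dead))


if __name__ == "__main__":
    # Constructed group mirroring the server (RADIUS) example on this page.
    group1 = [HostEntry("1.1.1.1", 1645, 1646), HostEntry("2.2.2.2", 2000, 2001)]
    print(attempt_sequence(group1, "accounting", retransmit=1))
    print(worst_case_delay(group1, "authentication"))
```

With the page defaults, two servers and no dead marking, the model gives 5 s x 2 servers x 4 attempts = 40 seconds of waiting before the next method is consulted; lowering the timeout or retransmit count, or letting deadtime skip an unreachable server, is what shortens that window.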
Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to use two different host entries on the same RADIUS server that are configured for the same services, authentication and accounting. The second host entry configured acts as fail-over backup to the first one.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server radius group1
RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646
RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001

Related Commands
Command                                  Description
aaa group server radius                  Groups different RADIUS server hosts into distinct lists and distinct methods.
deadtime (server-group configuration)    Configures the deadtime value at the RADIUS server group level.
radius-server host                       Specifies a RADIUS server host.
server (TACACS+)
To associate a particular TACACS+ server with a defined server group, use the server command in TACACS+ server-group configuration mode. To remove the associated server from the server group, use the no form of this command.
server {hostname | ip-address}
no server {hostname | ip-address}

Syntax Description
hostname      Character string used to name the server host.
ip-address    IP address of the server host.

Defaults
No default behavior or values

Command Modes
TACACS+ server-group configuration

Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular TACACS+ server with a defined server group. The server need not be accessible during configuration. Later, you can reference the configured server group from the method lists used to configure authentication, authorization, and accounting (AAA).

Task ID
Task ID    Operations
aaa        read, write

Examples
The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15 with the server group tac1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1
RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15

Related Commands
Command                     Description
aaa group server tacacs+    Groups different TACACS+ server hosts into distinct lists.
show aaa
To display information about a user group, local user, or task group; to list all task IDs associated with all user groups, local users, or task groups in the system; or to list all task IDs for a specified user group, local user, or task group, use the show aaa command in EXEC mode.
show aaa {usergroup [usergroup-name] | userdb [username] | taskgroup [taskgroup-name]}

Syntax Description
usergroup         Displays details for all user groups.
usergroup-name    (Optional) User group whose details are to be displayed.
userdb            Displays details for all local users and the usergroups to which each user belongs.
username          (Optional) User whose details are to be displayed.
taskgroup         Displays details for all task groups.
taskgroup-name    (Optional) Task group whose details are to be displayed.

Defaults
Details for all user groups, or all local users, or all task groups are listed if no argument is entered.

Command Modes
EXEC

Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show aaa command to list details for all user groups, local users, or task groups in the system. Use the optional usergroup-name, username, or taskgroup-name argument to display the details for a specified user group, user, or task group, respectively.

Task ID
Task ID    Operations
aaa        read
Examples
The following sample output is from the show aaa usergroup command:
RP/0/RP0/CPU0:router# show aaa usergroup operator
User group 'operator'
Inherits from task group 'operator'
User group 'operator' has the following combined set
of task IDs (including all inherited groups):
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ

The following sample output is from the taskgroup keyword for a task group named netadmin:
RP/0/RP0/CPU0:router# show aaa taskgroup netadmin
Task group 'netadmin'
Task group 'netadmin' has the following combined set
of task IDs (including all inherited groups):

The sample output is from the taskgroup keyword for an operator. The task group operator has the following combined set of task IDs, which includes all inherited groups:

The sample output is from the taskgroup keyword for a root-system. The task group root-system has the following combined set of task IDs, which includes all inherited groups:

The following sample output is from the show aaa command with the userdb keyword:
RP/0/RP0/CPU0:router# show aaa userdb
Username lab (admin plane)
User group root-system
User group cisco-support
Username acme
User group root-system
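The "combined set of task IDs (including all inherited groups)" that show aaa prints is a union over an inheritance chain: a user belongs to user groups, a user group is built from task groups, and a task group may inherit other task groups. The following Python model is an added example, not Cisco code, that computes that effective set so an auditor can ask whether a given user actually holds, say, WRITE on the aaa task. TASKGROUPS, USERGROUPS and USERS are constructed data mirroring the sample output above (the netadmin contents are invented for illustration, not taken from a router), and the function names are this example's own.

```python
"""Effective task-ID computation for user groups and task groups.

Added example, not Cisco code. It models the inheritance the show aaa output
describes: a user group is built from task groups, a task group may inherit
other task groups, and the combined set includes all inherited groups.
TASKGROUPS, USERGROUPS and USERS are constructed data, not a router dump.
"""
from typing import Dict, List, Set, Tuple

TaskMap = Dict[str, Set[str]]  # task ID -> subset of {"READ", "WRITE", "EXECUTE", "DEBUG"}

TASKGROUPS: Dict[str, Dict] = {
    # mirrors the 'operator' sample output above
    "operator": {"inherits": [], "tasks": {
        "basic-services": {"READ", "WRITE", "EXECUTE", "DEBUG"},
        "cdp": {"READ"}, "diag": {"READ"},
        "ext-access": {"READ", "EXECUTE"}, "logging": {"READ"}}},
    # constructed for illustration: builds on operator and adds write rights
    "netadmin": {"inherits": ["operator"], "tasks": {
        "aaa": {"READ", "WRITE"}, "logging": {"READ", "WRITE"}}},
}
USERGROUPS: Dict[str, List[str]] = {"operator": ["operator"], "netadmin": ["netadmin"]}
USERS: Dict[str, List[str]] = {"acme": ["operator"], "lab": ["operator", "netadmin"]}


def _merge(into: TaskMap, other: TaskMap) -> None:
    """Union `other` into `into`, task by task."""
    for task, ops in other.items():
        into.setdefault(task, set()).update(ops)


def taskgroup_tasks(name: str, taskgroups: Dict[str, Dict],
                    _path: Tuple[str, ...] = ()) -> TaskMap:
    """Combined task map of a task group, including everything it inherits.

    Raises ValueError on an inheritance cycle instead of recursing forever.
    """
    if name in _path:
        raise ValueError(f"inheritance cycle: {' -> '.join(_path + (name,))}")
    group = taskgroups[name]
    combined: TaskMap = {}
    for parent in group["inherits"]:
        _merge(combined, taskgroup_tasks(parent, taskgroups, _path + (name,)))
    _merge(combined, {t: set(ops) for t, ops in group["tasks"].items()})
    return combined


def usergroup_tasks(name: str, usergroups: Dict[str, List[str]],
                    taskgroups: Dict[str, Dict]) -> TaskMap:
    """Combined task map of a user group: the union of its task groups."""
    combined: TaskMap = {}
    for tg in usergroups[name]:
        _merge(combined, taskgroup_tasks(tg, taskgroups))
    return combined


def user_tasks(user: str, users: Dict[str, List[str]],
               usergroups: Dict[str, List[str]], taskgroups: Dict[str, Dict]) -> TaskMap:
    """Combined task map of a local user: the union of its user groups."""
    combined: TaskMap = {}
    for ug in users[user]:
        _merge(combined, usergroup_tasks(ug, usergroups, taskgroups))
    return combined


def permits(task_map: TaskMap, task: str, op: str) -> bool:
    """True when the effective map grants operation `op` on task `task`."""
    return op in task_map.get(task, set())


def render(task_map: TaskMap) -> List[str]:
    """Lines in the same 'Task: name : OPS' shape as the show aaa output."""
    order = ("READ", "WRITE", "EXECUTE", "DEBUG")
    return [f"Task: {t} : {' '.join(o for o in order if o in task_map[t])}"
            for t in sorted(task_map)]


if __name__ == "__main__":
    for line in render(user_tasks("lab", USERS, USERGROUPS, TASKGROUPS)):
        print(line)
```

Running the model against the live show aaa output is a cheap least-privilege check: any task that appears in the effective map of an operator-class group with WRITE or DEBUG, or any user whose effective map includes aaa WRITE, is worth a second look.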
Related Commands
Command      Description
show user    Displays task IDs enabled for the currently logged-in user.
show radius
To display information about the RADIUS servers that are configured in the system, use the show radius command in EXEC mode.
show radius

Syntax Description
This command has no arguments or keywords.

Defaults
If no RADIUS servers are configured, no output is displayed.

Command Modes
EXEC

Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius command to display statistics for each configured RADIUS server.

Task ID
Task ID    Operations
aaa        read

Examples
The following sample output is for the show radius command:
RP/0/RP0/CPU0:router# show radius
Global dead time: 0 minute(s)
Server: 1.1.1.1/1/2 is UP
Timeout: 5 sec, Retransmit limit: 3
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt

Table 2 describes the significant fields shown in the display.
Table 2    show radius Field Descriptions
Field             Description
Server            Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout           Number of seconds the router waits for a server host to reply before timing out.
Retransmit limit  Number of times the Cisco IOS XR software searches the list of RADIUS server hosts before giving up.
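The counters in this display are the first place a RADIUS shared-secret mismatch or a server outage shows up: "bad authenticators" means replies whose Response Authenticator did not verify (wrong key on one side, or replies not produced by the real server), "timeouts" means the server did not answer, and "bad responses" means malformed replies. The following Python parser is an added example, not Cisco code; it assumes only the layout of the sample output above. SAMPLE is a constructed copy of that output, and parse_show_radius and radius_alerts are this example's own names.

```python
"""Parser and health check for the `show radius` output shown on this page.

Added example, not part of the Cisco documentation. It assumes only the
layout of the sample output above; SAMPLE is a constructed copy of it.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Global dead time: 0 minute(s)
Server: 1.1.1.1/1/2 is UP
Timeout: 5 sec, Retransmit limit: 3
Authentication:
0 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
"""

DEADTIME_RE = re.compile(r"^Global dead time:\s+(\d+)")
SERVER_RE = re.compile(r"^Server:\s+(\S+)/(\d+)/(\d+)\s+is\s+(\w+)")
LIMITS_RE = re.compile(r"^Timeout:\s+(\d+)\s+sec,\s+Retransmit limit:\s+(\d+)")
# "<count> <counter name>" items separated by commas, e.g. "0 bad authenticators"
COUNTER_RE = re.compile(r"(\d+)\s+([a-z][a-z ]*?)(?=,|$)")


def parse_show_radius(text: str) -> Dict:
    """Turn the text into {'global_dead_time_min': int, 'servers': [...]}.

    Each server dict carries address, auth_port, acct_port, state, timeout_sec,
    retransmit_limit and one counter dict per section (authentication, accounting).
    """
    result: Dict = {"global_dead_time_min": None, "servers": []}
    server: Optional[Dict] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEADTIME_RE.match(line)
        if m:
            result["global_dead_time_min"] = int(m.group(1))
            continue
        m = SERVER_RE.match(line)
        if m:
            server = {"address": m.group(1), "auth_port": int(m.group(2)),
                      "acct_port": int(m.group(3)), "state": m.group(4),
                      "authentication": {}, "accounting": {}}
            result["servers"].append(server)
            section = None
            continue
        if server is None:
            continue
        m = LIMITS_RE.match(line)
        if m:
            server["timeout_sec"] = int(m.group(1))
            server["retransmit_limit"] = int(m.group(2))
            continue
        if line.endswith(":"):
            section = line[:-1].lower()
            continue
        if section in ("authentication", "accounting"):
            for count, name in COUNTER_RE.findall(line):
                server[section][name.strip()] = int(count)
    return result


def radius_alerts(parsed: Dict) -> List[str]:
    """Conditions worth alerting on: a server not UP, and counters pointing at a
    shared-secret mismatch or forged replies (bad authenticators), an unreachable
    server (timeouts) or malformed replies (bad responses)."""
    alerts: List[str] = []
    for s in parsed["servers"]:
        tag = f"{s['address']}/{s['auth_port']}/{s['acct_port']}"
        if s["state"] != "UP":
            alerts.append(f"{tag}: server is {s['state']}")
        for svc in ("authentication", "accounting"):
            for key in ("bad authenticators", "timeouts", "bad responses"):
                n = s[svc].get(key, 0)
                if n:
                    alerts.append(f"{tag}: {svc} {key}={n}")
    return alerts


if __name__ == "__main__":
    parsed = parse_show_radius(SAMPLE)
    print(parsed["servers"][0]["authentication"])
    print(radius_alerts(parsed) or "no alerts")
```

Because the counters are cumulative, a monitoring job should keep the previous snapshot and alert on the delta; a bad-authenticator count that keeps climbing while timeouts stay flat is the signature of a key mismatch rather than of an outage.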
Related Commands
Command                     Description
radius-server host          Specifies a RADIUS server host.
radius-server retransmit    Specifies how many times Cisco IOS XR software searches the list of RADIUS server hosts before giving up.
radius-server timeout       Sets the interval for which a router waits for a server host to reply.
show radius accounting
To obtain information and detailed statistics for the RADIUS accounting server and port, use the show radius accounting command in EXEC mode.
show radius accounting

Syntax Description
This command has no arguments or keywords.

Defaults
If no RADIUS servers are configured on the router, the output is empty. Counters such as requests and pending show their default value of zero when the RADIUS server has just been defined and not yet used.

Command Modes
EXEC

Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID
Task ID    Operations
aaa        read

Examples
The following sample output is displayed on a per-server basis for the show radius accounting command:
RP/0/RP0/CPU0:router# show radius accounting
Server: 12.26.25.61, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.26.49.12, port: 1813
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Server: 12.38.28.18, port: 29199
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
RP/0/RP0/CPU0:router#

Table 3 describes the significant fields shown in the display.
Table 3    show radius accounting Field Descriptions
Field     Description
Server    Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests.

Related Commands
Command                       Description
aaa accounting                Creates a method list for accounting.
aaa authentication            Creates a method list for authentication.
show radius authentication    Obtains information and detailed statistics for the RADIUS authentication server and port.
show radius authentication
To obtain information and detailed statistics for the RADIUS authentication server and port, use the show radius authentication command in EXEC mode.
show radius authentication

Syntax Description
This command has no arguments or keywords.

Defaults
If no RADIUS servers are configured on the router, the output is empty. Counters such as requests and pending show their default value of zero when the RADIUS server has just been defined and not yet used.

Command Modes
EXEC

Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID
Task ID    Operations
aaa        read

Examples
The following sample output is for the show radius authentication command:

Table 4 describes the significant fields shown in the display.
Table 4    show radius authentication Field Descriptions
Field     Description
Server    Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests.

Related Commands
Command                   Description
aaa accounting            Creates a method list for accounting.
aaa authentication        Creates a method list for authentication.
show radius accounting    Obtains information and detailed statistics for the RADIUS accounting server and port.
show radius client
To obtain general information about the RADIUS client on Cisco IOS XR software, use the show radius client command in EXEC mode.
show radius client

Syntax Description
This command has no arguments or keywords.

Defaults
The default value for the counters (for example, an invalid address) is 0. The network access server (NAS) identifier is the hostname that is defined on the router.

Command Modes
EXEC

Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The show radius client command displays the authentication and accounting responses that are received from invalid RADIUS servers, that is, servers unknown to the NAS. In addition, the show radius client command displays the hostname or NAS identifier for the RADIUS authentication client, accounting client, or both.

Task ID
Task ID    Operations
aaa        read

Examples
The following sample output is for the show radius client command:
RP/0/RP0/CPU0:router# show radius client
Client NAS identifier:miniq
Authentication responses from invalid addresses: 0
Accounting responses from invalid addresses: 0

Table 5 describes the significant fields shown in the display.
Table 5    show radius client Field Descriptions
Field                    Description
Client NAS identifier    Identifies the NAS-identifier of the RADIUS authentication client.

Related Commands
Command               Description
radius-server host    Specifies a RADIUS server host.
server (RADIUS)       Associates a particular RADIUS server with a defined server group.
show radius           Displays information about the RADIUS servers that are configured in the system.
show radius dead-criteria
To obtain information about the dead server detection criteria, use the show radius dead-criteria command in EXEC mode.
show radius dead-criteria host ip-addr [auth-port auth-port] [acct-port acct-port]

Syntax Description
host ip-addr           Specifies the name or IP address of the configured RADIUS server.
auth-port auth-port    (Optional) Specifies the authentication port for the RADIUS server. The default value is 1645.
acct-port acct-port    (Optional) Specifies the accounting port for the RADIUS server. The default value is 1646.

Defaults
The default values for time and tries are not fixed to a single value; therefore, they are calculated and fall within a range of 10 to 60 seconds for time and 10 to 100 for tries.

Command Modes
EXEC

Command History
Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID
Task ID    Operations
aaa        read

Examples
The following sample output is for the show radius dead-criteria command:
RP/0/RP0/CPU0:router# show radius dead-criteria host 12.26.49.12 auth-port 11000 acct-port 11001

Table 6 describes the significant fields shown in the display.
Table 6    show radius dead-criteria Field Descriptions
Field        Description
Server       Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.
Timeout      Number of seconds the router waits for a server host to reply before timing out.
Retransmits  Number of times Cisco IOS XR software searches the list of RADIUS server hosts before giving up.

Related Commands
Command                             Description
radius-server dead-criteria time    Forces one or both of the criteria that is used to mark a RADIUS server as dead.
radius-server deadtime              Defines the length of time in minutes for a RADIUS server to remain marked dead.
show radius server-groups
To display information about the RADIUS server groups that are configured in the system, use the show radius server-groups command in EXEC mode.
show radius server-groups

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values

Command Modes
EXEC

Command History
Release        Modification
Release 3.2    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius server-groups command to display information about each configured RADIUS server group, including the group name, number of servers in the group, and a list of servers in the named server group. A global list of all configured RADIUS servers, along with authentication and accounting port numbers, is also displayed.

Task ID
Task ID    Operations
aaa        read

Examples
The "inherited from global" message is displayed if no group-level deadtime is defined for this group; otherwise, the group-level deadtime value is displayed and this message is omitted. The following sample output is for the show radius server-groups command:
RP/0/RP0/CPU0:router# show radius server-groups
Global list of servers
Contains 1 servers
Server 12.26.49.12/11000/11001
Server group 'radgroup' has 1 servers
Dead time: 0 minute(s) (inherited from global)
Contains 1 servers
Server 12.26.49.12/11000/11001

Table 7 describes the significant fields shown in the display.
Table 7    show radius server-groups Field Descriptions
Field     Description
Server    Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests.

Related Commands
Command               Description
radius-server host    Specifies a RADIUS server host.
show tacacs
To display information about the TACACS+ servers that are configured in the system, use the show tacacs command in EXEC mode.
show tacacs

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values

Command Modes
EXEC

Command History
Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.

Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs command to display statistics for each configured TACACS+ server.

Task ID
Task ID    Operations
aaa        read

Examples
The following is sample output from the show tacacs command:

Table 8 describes the significant fields shown in the display.
Table 8    show tacacs Field Descriptions
Field        Description
Server       Server IP address.
opens        Number of socket opens to the external server.
closes       Number of socket closes to the external server.
aborts       Number of TACACS+ requests that have been aborted midway.
errors       Number of error replies from the external server.
packets in   Number of TCP packets that have been received from the external server.
packets out  Number of TCP packets that have been sent to the external server.
show tacacs server-groups
show tacacs server-groups
To display information about the TACACS+ server groups that are configured in the system, use the
show tacacs server-groups command in EXEC mode.
show tacacs server-groups
Syntax DescriptionThis command has no arguments or keywords.
DefaultsNo default behavior or values
Command ModesEXEC
Command History
ReleaseModification
Release 3.2This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0No modification.
Usage GuidelinesTo use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services onCisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs server-groups command to display information about each configured TACACS+
server group, including the group name, numbers of servers in the group, and a list of servers in the
named server group. A global list of all configured TACACS+ servers is also displayed.
Task ID
Task IDOperations
aaaread
Examples              The following is sample output from the show tacacs server-groups command:

RP/0/RP0/CPU0:router# show tacacs server-groups
Global list of servers
 Server 12.26.25.61/23456
 Server 12.26.49.12/12345
 Server 12.26.49.12/9000
 Server 12.26.25.61/23432
 Server 5.5.5.5/23456
 Server 1.1.1.1/49
Server group ‘tac100’ has 1 servers
Server 12.26.49.12
Table 9 describes the significant fields shown in the display.

Table 9    show tacacs server-groups Field Descriptions

    Field     Description
    Server    Server IP address.

Related Commands
    Command               Description
    tacacs-server host    Specifies a TACACS+ server host.
show task supported
To display all task IDs available in the system, use the show task supported command in EXEC mode.
show task supported
Syntax Description    This command has no arguments or keywords.

Defaults              No default behavior or values

Command Modes         EXEC

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    The example is updated to display the task ID for eigrp.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the show task supported command to display all task IDs available in the system.

Task ID
    Task ID    Operations
    none       —
Examples              The following sample output is from the show task supported command. Task IDs are displayed in

Related Commands
    Command      Description
    show aaa     Displays the task maps for selected user groups, local users, or task groups.
    show user    Displays task IDs enabled for the currently logged-in user.
show user
To display all user groups and task IDs associated with the currently logged-in user, use the show user
command in EXEC mode.
show user [all | authentication | group | tasks]

Syntax Description
    all               (Optional) Displays all user groups and task IDs for the currently logged-in user.
    authentication    (Optional) Displays authentication parameters for the currently logged-in user.
    group             (Optional) Displays the user groups associated with the currently logged-in user.
    tasks             (Optional) Displays task IDs associated with the currently logged-in user. The output for the tasks keyword also indicates whether a task is reserved.

Defaults              No default behavior or values

Command Modes         EXEC

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    The following enhancements were added:
                     • An example was added to display all the groups and tasks.
                     • The authentication keyword was added.
                     • The sample output for the group keyword was updated.
                     • The sample output for the tasks keyword was updated to display whether or not a task is reserved.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show user command to display all user groups and task IDs associated with the currently
logged-in user.
Task ID
    Task ID    Operations
    none       —
Examples              The following sample output displays the authentication parameters from the show user command:
RP/0/RP0/CPU0:router# show user authentication method
local
The following sample output displays the groups from the show user command:
RP/0/RP0/CPU0:router# show user group
root-system
The following sample output displays all the information for the group and tasks from the show user
command:
RP/0/RP0/CPU0:router# show user all
Username: lab
Groups: root-system
Authenticated using method local
User lab has the following Task ID(s):

Related Commands
    Command                Description
    show aaa               Displays the task maps for selected user groups, local users, or task groups.
    show task supported    Displays all task IDs defined in the system.
tacacs-server host
To specify a TACACS+ host server, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.

tacacs-server host host-name [port port-number] [timeout seconds] [single-connection] [key [0 | 7] auth-key]
no tacacs-server host host-name [port port-number]

Syntax Description
    host-name               Name or IP address of the TACACS+ server.
    port port-number        (Optional) Specifies a server port number. This option overrides the default, which is port 49. Valid port numbers range from 1 to 65535.
    timeout seconds         (Optional) Specifies a timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server. This option overrides the global timeout value set with the tacacs-server timeout command for this server only. The valid timeout range is from 1 to 1000 seconds. Default is 5.
    key [0 | 7] auth-key    (Optional) Specifies an authentication and encryption key shared between the AAA server and the TACACS+ server. The TACACS+ packets are encrypted using this key. This key must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the tacacs-server key command for this server only.
                            (Optional) Entering 0 specifies that an unencrypted (clear-text) key follows.
                            (Optional) Entering 7 specifies that an encrypted key follows.
                            The auth-key argument specifies the unencrypted key to be used between the AAA server and the TACACS+ server.
    single-connection       (Optional) Multiplexes all TACACS+ requests to this server over a single TCP connection. By default, a separate connection is used for each session.

Defaults              No TACACS+ host is specified.
                      The port keyword, if not specified, defaults to the standard port 49.
                      The timeout keyword, if not specified, defaults to 5 seconds.
Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    The show run command was modified to display the default values for both the port keyword and the timeout keyword, if values are not specified.
Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The key keyword must be entered last because it uses a line (text with breaks) rather than a string (text only, with no breaks). Any text and line breaks up to the time the user presses Enter are taken as part of the key.

You can use multiple tacacs-server host commands to specify additional hosts. Cisco IOS XR software searches for hosts in the order in which you specify them.

Task ID
    Task ID    Operations
    aaa        read, write

Examples              The following example shows how to specify a TACACS+ host with the IP address 209.165.200.226:

RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
The following example shows that the default values from the tacacs-server host command are
displayed from the show run command:
RP/0/RP0/CPU0:router# show run
Building configuration...
!! Last configuration change at 13:51:56 UTC Mon Nov 14 2005 by lab
!
tacacs-server host 209.165.200.226 port 49
timeout 5
!
The following example shows how to specify that the router consult the TACACS+ server host named
host1 on port number 51. The timeout value for requests on this connection is 30 seconds; the encryption
key is a_secret.
RP/0/RP0/CPU0:router(config)# tacacs-server host host1 port 51 timeout 30 key a_secret
Related Commands
    Command                  Description
    tacacs-server key        Globally sets the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon.
    tacacs-server timeout    Globally sets the interval that the router waits for a server host to reply.
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key key-name
no tacacs-server key
Syntax Description
    key-name    Name of the key used to set authentication and encryption. This key name must match the key used on the TACACS+ daemon. This key name applies to all servers that have no individual keys specified.

Defaults              No default behavior or values

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    No modification.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The key name entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and after the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

The TACACS+ server key is used only if no key is configured for an individual TACACS+ server. Keys configured for an individual TACACS+ server always override this global key configuration.
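The tacacs-server host and tacacs-server key descriptions above say the shared key "encrypts" TACACS+ packets. RFC 8907 describes the mechanism as obfuscation: the packet body is XORed with an MD5-derived pseudo-pad computed from the session ID, the shared key, the version byte and the sequence number. That is why the key must match on both ends, and why a mismatched key produces an unreadable body rather than a protocol error. The following Python implementation of that pseudo-pad is an added example, not Cisco code; the key, session ID and authentication START body are constructed sample values.

```python
"""RFC 8907 TACACS+ body obfuscation with a shared key (added example, not Cisco code)."""
import hashlib

TACACS_VERSION = 0xC0        # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01           # TAC_PLUS_AUTHEN packet type
FLAG_UNENCRYPTED = 0x01      # TAC_PLUS_UNENCRYPTED_FLAG: body is sent in the clear

# Constructed sample values, not taken from any real exchange.
SAMPLE_KEY = b"a_secret"
SAMPLE_SESSION_ID = 0x1A2B3C4D
# Authentication START body: action=LOGIN, priv_lvl=1, authen_type=ASCII,
# service=LOGIN, user_len=5, port_len=4, rem_addr_len=0, data_len=0, "user1", "vty0"
SAMPLE_START_BODY = bytes([0x01, 0x01, 0x01, 0x01, 5, 4, 0, 0]) + b"user1" + b"vty0"


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5-chained keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    The digests are concatenated and truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TACACS_VERSION):
    """XOR the body with the pad. XOR is its own inverse, so the same call
    de-obfuscates a received body as long as both peers hold the same key."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no, ptype=TYPE_AUTHEN):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = (bytes([TACACS_VERSION, ptype, seq_no, 0x00])
              + session_id.to_bytes(4, "big")
              + len(body).to_bytes(4, "big"))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Return the de-obfuscated body of a packet, honouring the unencrypted flag.
    A wrong key does not fail here: it silently yields a garbage body, which is
    why a key mismatch shows up as failed or odd authentication, not as an error."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    version, _ptype, seq_no, flags = packet[0], packet[1], packet[2], packet[3]
    session_id = int.from_bytes(packet[4:8], "big")
    length = int.from_bytes(packet[8:12], "big")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & FLAG_UNENCRYPTED:
        return body
    return obfuscate(body, session_id, key, seq_no, version)


if __name__ == "__main__":
    pkt = build_packet(SAMPLE_START_BODY, SAMPLE_SESSION_ID, SAMPLE_KEY, seq_no=1)
    print("wire body :", pkt[12:].hex())
    print("right key :", parse_packet(pkt, SAMPLE_KEY))
    print("wrong key :", parse_packet(pkt, b"other_key"))
```

Because the pad depends only on the key and on header fields that travel in the clear, anyone who holds or recovers the key can decode captured sessions, and there is no integrity check on the body. RFC 8907 itself treats the key as the only protection and advises running the protocol on an isolated management network or over a separately encrypted transport such as IPsec.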
Task ID

Examples              The following example sets the authentication and encryption key to key1:

RP/0/RP0/CPU0:router(config)# tacacs-server key key1

Related Commands
    Command               Description
    tacacs-server host    Specifies a TACACS+ host.
tacacs-server timeout
To set the interval that the router waits for a TACACS+ server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.

tacacs-server timeout seconds
no tacacs-server timeout
Syntax Description
    seconds    Integer that specifies the timeout interval (in seconds) from 1 to 1000.

Defaults              seconds: 5 seconds

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    No modification.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the tacacs-server timeout command to set the interval that the router waits for a TACACS+ server host to reply.

The TACACS+ server timeout is used only if no timeout is configured for an individual TACACS+ server. Timeout intervals configured for an individual TACACS+ server always override this global timeout configuration.
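The override rules for tacacs-server key and tacacs-server timeout (the global value applies only to servers without their own), the port 49 default, the rule that key consumes the rest of the line, and the fact that hosts are consulted in configuration order can all be checked mechanically against a running configuration. The following Python parser is an added example, not Cisco code: it reads tacacs-server host, tacacs-server key and tacacs-server timeout lines from a constructed configuration fragment (host names, keys and timeouts are sample data) and reports the effective settings for each server in the order the router would consult them. Options are accepted both on the host line and on indented continuation lines, which is how the show run output above prints them.

```python
"""Resolve effective TACACS+ server settings from an IOS XR configuration
(added example, not Cisco code)."""
DEFAULT_PORT = 49       # page: port defaults to 49
DEFAULT_TIMEOUT = 5     # page: timeout defaults to 5 seconds

# Constructed sample configuration; the values are made up.
SAMPLE_CONFIG = """\
tacacs-server key global_secret
tacacs-server timeout 10
tacacs-server host 209.165.200.226 port 49
 timeout 5
!
tacacs-server host host1 port 51 timeout 30 single-connection key a_secret
tacacs-server host 209.165.201.1
"""


def _parse_key(tokens):
    """key [0 | 7] auth-key: the key is the rest of the line, spaces included."""
    if len(tokens) > 1 and tokens[0] in ("0", "7"):
        return tokens[0], " ".join(tokens[1:])
    return "0", " ".join(tokens)


def _apply_host_options(host, tokens):
    """Apply port/timeout/single-connection/key tokens to one host entry."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "port":
            host["port"] = int(tokens[i + 1]); i += 2
        elif tok == "timeout":
            host["timeout"] = int(tokens[i + 1]); i += 2
        elif tok == "single-connection":
            host["single_connection"] = True; i += 1
        elif tok == "key":
            host["key_encoding"], host["key"] = _parse_key(tokens[i + 1:])
            break   # key must be last; everything after it is the key
        else:
            raise ValueError(f"unexpected token {tok!r} in tacacs-server host options")


def parse_tacacs(config):
    """Return (global_key, global_timeout, hosts) with hosts in configuration order."""
    global_key, global_timeout, hosts, current = None, DEFAULT_TIMEOUT, [], None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw[0].isspace():              # continuation line of the current host block
            if current is not None:
                _apply_host_options(current, raw.split())
            continue
        current = None
        parts = raw.split()
        if parts[:2] == ["tacacs-server", "key"]:
            global_key = _parse_key(parts[2:])[1]
        elif parts[:2] == ["tacacs-server", "timeout"]:
            global_timeout = int(parts[2])
        elif parts[:2] == ["tacacs-server", "host"]:
            current = {"host": parts[2], "port": None, "timeout": None,
                       "key": None, "key_encoding": None, "single_connection": False}
            _apply_host_options(current, parts[3:])
            hosts.append(current)
    return global_key, global_timeout, hosts


def effective_servers(config):
    """Per-server settings after applying the per-server-overrides-global rules."""
    global_key, global_timeout, hosts = parse_tacacs(config)
    resolved = []
    for h in hosts:
        per_server_key = h["key"] is not None
        resolved.append({
            "host": h["host"],
            "port": h["port"] if h["port"] is not None else DEFAULT_PORT,
            "timeout": h["timeout"] if h["timeout"] is not None else global_timeout,
            "key": h["key"] if per_server_key else global_key,
            "key_source": "per-server" if per_server_key else ("global" if global_key else "none"),
            "single_connection": h["single_connection"],
        })
    return resolved


def servers_without_key(config):
    """Hosts for which neither a per-server nor a global key is configured."""
    return [s["host"] for s in effective_servers(config) if s["key_source"] == "none"]


if __name__ == "__main__":
    for s in effective_servers(SAMPLE_CONFIG):
        print(s)
    print("no key:", servers_without_key(SAMPLE_CONFIG))
```

A host that ends up with key_source "none" is worth treating as a finding: without a shared key the router has nothing with which to obfuscate or validate the exchange with that server.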
Task ID

Examples              The following example shows the interval timer being changed to 10 seconds:

RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10
tacacs source-interface
To specify the source IP address of a selected interface for all outgoing TACACS+ packets, use the
tacacs source-interface command in global configuration mode. To disable use of the specified
interface IP address, use the no form of this command.
tacacs source-interface type instance
no tacacs source-interface type instance
Syntax Description
    type        Interface type. For more information, use the question mark (?) online help function.
    instance    Either a physical interface instance or a virtual interface instance as follows:
                • Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation.
                  – rack: Chassis number of the rack.
                  – slot: Physical slot number of the modular services card or line card.
                  – module: Module number. A physical layer interface module (PLIM) is always 0.
                  – port: Physical port number of the interface.
                  Note: In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0. Example: interface MgmtEth0/RP1/CPU0/0.
                • Virtual interface instance. Number range varies depending on interface type. For more information about the syntax for the router, use the question mark (?) online help function.

Defaults              If a specific source interface is not configured, or the interface is down or does not have an IP address configured, the system selects an IP address.

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    No modification.
Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the tacacs source-interface command to set the IP address of the specified interface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

When the specified interface does not have an IP address or is in a down state, TACACS+ behaves as if no source interface configuration is used.

Task ID
    Task ID    Operations
    aaa        read, write

Examples              The following example shows how to set the IP address of the specified POS interface for all outgoing

Related Commands
    Command                    Description
    aaa group server radius    Groups different server hosts into distinct lists and distinct methods.
task
To add a task ID to a task group, use the task command in task group configuration mode. To remove a task ID from a task group, use the no form of this command.

task {read | write | execute | debug} taskid-name
no task {read | write | execute | debug} taskid-name

Syntax Description
    read           Enables read-only privileges for the named task ID.
    write          Enables write privileges for the named task ID. The term "write" implies read also.
    execute        Enables execute privileges for the named task ID.
    debug          Enables debug privileges for the named task ID.
    taskid-name    Name of the task ID.

Defaults              No task IDs are assigned to a newly created task group.

Command Modes         Task group configuration
Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    No modification.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the task command in task group configuration mode. To access task group configuration mode, use the taskgroup command in global configuration mode.

Task ID
    Task ID    Operations
    aaa        read, write
Examples              The following example shows how to enable execute privileges for the config-services task ID and associate that task ID with the task group named taskgroup1:

RP/0/RP0/CPU0:router(config)# taskgroup taskgroup1
RP/0/RP0/CPU0:router(config-tg)# task execute config-services

Related Commands
    Command      Description
    taskgroup    Configures a task group to be associated with a set of task IDs.
taskgroup
To configure a task group to be associated with a set of task IDs, and to enter task group configuration mode, use the taskgroup command in global configuration mode. To delete a task group, use the no form of this command.

taskgroup taskgroup-name [description string | task {read | write | execute | debug} taskid-name | inherit taskgroup taskgroup-name]
no taskgroup taskgroup-name

Syntax Description
    taskgroup-name       Name of a particular task group.
    description          (Optional) Enables you to create a description for the named task group.
    string               (Optional) Character string used for the task group description.
    task                 (Optional) Specifies that a task ID is to be associated with the named task group.
    read                 (Optional) Specifies that the named task ID permits read access only.
    write                (Optional) Specifies that the named task ID permits read and write access only.
    execute              (Optional) Specifies that the named task ID permits execute access.
    debug                (Optional) Specifies that the named task ID permits debug access only.
    taskid-name          (Optional) Name of a task: the task ID.
    inherit taskgroup    (Optional) Copies permissions from the named task group.
    taskgroup-name       (Optional) Name of the task group from which permissions are to be inherited.

Defaults              Five predefined user groups are available by default.

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    Support was added to display all task groups in global configuration mode.
Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task groups are configured with a set of task IDs for each action type. Deleting a task group that is still referenced in the system results in a warning and rejection of the deletion.

From global configuration mode, you can display all the configured task groups. However, you cannot display all the configured task groups in taskgroup configuration mode.
Entering the taskgroup command with no keywords or arguments enters task group configuration mode, in which you can use the description, inherit, show, and task commands.

Task ID
    Task ID    Operations
    aaa        read, write
Examples              The following example assigns read bgp permission to the task group named alpha:

RP/0/RP0/CPU0:router(config)# taskgroup alpha
RP/0/RP0/CPU0:router(config-tg)# task read bgp

Related Commands
    Command              Description
    description (AAA)    Creates a task group description in task configuration mode.
    task                 Adds a task ID to a task group.
timeout login response
To set the interval that the server waits for a reply to a login, use the timeout login response command
in line configuration mode. To restore the default, use the no form of this command.
timeout login response seconds
no timeout login response seconds
Syntax Description
    seconds    Integer that specifies the timeout interval (in seconds) from 0 to 300.

Defaults              seconds: 30 seconds

Command Modes         Line configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    No modification.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the timeout login response command in line configuration mode to set the timeout value. This timeout value applies to all terminal lines to which the entered line template is applied. This timeout value can also be applied to the console line. After the timeout value has expired, the user is prompted again. The retry is allowed three times.

Task ID
    Task ID    Operations
    aaa        read, write
Examples              The following example shows how to change the interval timer to 20 seconds:

RP/0/RP0/CPU0:router(config)# line template vty
RP/0/RP0/CPU0:router(config-line)# timeout login response 20

Related Commands
    Command                 Description
    login authentication    Enables AAA authentication for logins.
usergroup
To configure a user group and associate it with a set of task groups, and to enter user group configuration mode, use the usergroup command in global configuration mode. To delete a user group, or to delete a task-group association with the specified user group, use the no form of this command.

usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit usergroup usergroup-name]
no usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit usergroup usergroup-name]
Syntax Description
    usergroup-name                      Name of the user group. The usergroup-name argument can be only one word. Spaces and quotation marks are not allowed.
    description string                  (Optional) Describes the user group.
    taskgroup taskgroup-name            (Optional) Associates the specified task group with the named user group and inherits the task group permissions into this user group.
    inherit usergroup usergroup-name    (Optional) Copies permissions from another user group.

Defaults              Five predefined user groups are available by default.

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    Support was added to display all user groups in global configuration mode.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
User groups are configured with the command parameters for a set of users, such as task groups. You can remove a specific attribute of a user group, such as one task-group association, by using the no form of the usergroup command with that keyword. You can remove the user group itself by using the no form of the command without giving any parameters. Deleting a user group that is still referenced in the system results in a warning and a rejection of the deletion.

Use the inherit usergroup command to copy permissions from other user groups. The inheriting group takes on the task IDs of the named group, so its permissions become the union of all task IDs specified in those groups. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system and owner-sdr.
From global configuration mode, you can display all the configured user groups. However, you cannot
display all the configured user groups in usergroup configuration mode.
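The authorization model spread across the task, taskgroup, and usergroup commands above (a user's effective task IDs are the union over the user groups the user belongs to, the task groups each group references, and anything inherited; write implies read; cycles are rejected; user groups cannot inherit from predefined groups) is easier to reason about as code. The following Python model is an added example, not Cisco's implementation; the group, task and user names in the demonstration are made up. Predefined groups such as netadmin are listed only so that inheriting from them can be rejected; their built-in task maps are not modelled.

```python
"""Effective task-ID resolution for IOS XR-style user groups and task groups
(added example, not Cisco code)."""
from collections import defaultdict

PERMISSIONS = ("read", "write", "execute", "debug")
# Predefined groups named on this page; user groups may not inherit from them.
PREDEFINED_GROUPS = {"cisco-support", "netadmin", "operator", "root-lr",
                     "root-system", "serviceadmin", "sysadmin", "owner-sdr"}


def _reachable(graph, start, target):
    """True if `target` can be reached from `start` by following inherit edges."""
    stack, seen = [start], set()
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, {}).get("inherit", []))
    return False


class AaaAuthz:
    def __init__(self):
        self.taskgroups, self.usergroups, self.users = {}, {}, {}

    def taskgroup(self, name, tasks=(), inherit=()):
        """taskgroup NAME / task PERM TASKID / inherit taskgroup PARENT."""
        tg = self.taskgroups.setdefault(name, {"tasks": defaultdict(set), "inherit": []})
        for perm, taskid in tasks:
            if perm not in PERMISSIONS:
                raise ValueError(f"unknown permission {perm!r}")
            tg["tasks"][taskid].add(perm)
            if perm == "write":
                tg["tasks"][taskid].add("read")      # page: "write" implies read
        for parent in inherit:
            if parent == name or _reachable(self.taskgroups, parent, name):
                raise ValueError(f"cyclic inheritance: taskgroup {name} <- {parent}")
            tg["inherit"].append(parent)
        return self

    def usergroup(self, name, taskgroups=(), inherit=()):
        """usergroup NAME / taskgroup TG / inherit usergroup PARENT."""
        ug = self.usergroups.setdefault(name, {"taskgroups": [], "inherit": []})
        ug["taskgroups"].extend(taskgroups)
        for parent in inherit:
            if parent in PREDEFINED_GROUPS:
                raise ValueError(f"usergroup {name} cannot inherit predefined group {parent}")
            if parent == name or _reachable(self.usergroups, parent, name):
                raise ValueError(f"cyclic inheritance: usergroup {name} <- {parent}")
            ug["inherit"].append(parent)
        return self

    def username(self, name, groups=()):
        """username NAME / group G ... (a user with no group is orphaned)."""
        self.users[name] = list(groups)
        return self

    def taskgroup_perms(self, name):
        perms = defaultdict(set)
        tg = self.taskgroups.get(name, {"tasks": {}, "inherit": []})
        for taskid, p in tg["tasks"].items():
            perms[taskid] |= p
        for parent in tg["inherit"]:                 # cycles were rejected on insert
            for taskid, p in self.taskgroup_perms(parent).items():
                perms[taskid] |= p
        return perms

    def usergroup_perms(self, name):
        perms = defaultdict(set)
        ug = self.usergroups.get(name, {"taskgroups": [], "inherit": []})
        for tg in ug["taskgroups"]:
            for taskid, p in self.taskgroup_perms(tg).items():
                perms[taskid] |= p
        for parent in ug["inherit"]:
            for taskid, p in self.usergroup_perms(parent).items():
                perms[taskid] |= p
        return perms

    def user_perms(self, username):
        """Union of task IDs over every group the user belongs to."""
        perms = defaultdict(set)
        for g in self.users.get(username, []):
            for taskid, p in self.usergroup_perms(g).items():
                perms[taskid] |= p
        return dict(perms)

    def is_authorized(self, username, taskid, perm):
        return perm in self.user_perms(username).get(taskid, set())


if __name__ == "__main__":
    m = (AaaAuthz()
         .taskgroup("bgp-ro", tasks=[("read", "bgp")])
         .taskgroup("taskgroup1", tasks=[("execute", "config-services"), ("write", "aaa")], inherit=["bgp-ro"])
         .usergroup("beta", taskgroups=["bgp-ro"])
         .usergroup("alpha", taskgroups=["taskgroup1"], inherit=["beta"])
         .username("user1", ["alpha"]))
    print(m.user_perms("user1"))
```

The model makes two consequences of the rules visible: a user whose only group is deleted resolves to an empty task map, which matches the page's note that orphaned users authenticate but are not authorized for most commands, and inheritance can only ever widen a group, so least privilege has to be enforced at the leaf task groups rather than patched up higher in the chain.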
Task ID
    Task ID    Operations
    aaa        read, write

Examples              The following example shows how to add permissions from the user group beta to the user group alpha:

RP/0/RP0/CPU0:router(config)# usergroup alpha
RP/0/RP0/CPU0:router(config-ug)# inherit usergroup beta

Related Commands
    Command              Description
    description (AAA)    Creates a description of a task group during configuration.
    inherit usergroup    Enables a user group to derive permissions from another user group.
    taskgroup            Configures a task group to be associated with a set of task IDs.
username
To configure a new user with a username, establish a password, and grant permissions for the user, and to enter username configuration mode, use the username command in global configuration mode. To delete a user from the database, use the no form of this command.

username user-name [password {0 | 7} password | secret {0 | 5} password | group usergroup-name]
no username user-name [password {0 | 7} password | secret {0 | 5} password | group usergroup-name]
Syntax Description
    user-name         Name of the user. The user-name argument can be only one word. Spaces and quotation marks are not allowed.
    password          (Optional) Enables a password to be created for the named user.
    0                 (Optional) Specifies that an unencrypted (clear-text) password follows.
    7                 (Optional) Specifies that an encrypted password follows.
    password          (Optional) Specifies the character-string password to be entered by the user to log in.
    secret            (Optional) Enables a secure password to be created for the named user.
    0                 (Optional) Specifies that an unencrypted (clear-text) secret follows.
    5                 (Optional) Specifies that an encrypted password follows.
    group             (Optional) Enables a named user to be associated with a user group.
    usergroup-name    (Optional) Name of a user group as defined with the usergroup command.

Defaults              No usernames are defined in the system.

Command Modes         Global configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    Support was added to display all user names in global configuration mode.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the username command to identify the user and enter username configuration mode. Password and
user group assignments can be made from either global configuration mode or username configuration
submode. Permissions (task IDs) are assigned by associating the user with one or more defined user
groups.
From global configuration mode, you can display all the configured usernames. However, you cannot
display all the configured usernames in username configuration mode.
Each user is identified by a username that is unique across the administrative domain. Each user should
be made a member of at least one user group. Deleting a user group may orphan the users associated
with that group. The AAA server authenticates orphaned users but most commands are not authorized.
If you want to require a username and password on the console or for Telnet sessions, configure
authentication using both the aaa authentication login default local command and the username
command.
The predefined group root-system may be specified only by root-system users while administration is
configured.
Note    To enable the local networking device to respond to remote CHAP challenges, one username command entry must be the same as the hostname entry that has already been assigned to the other networking device.
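A practical check on the username entries described above: password 0 stores the password in clear text in the configuration, password 7 stores it in Cisco's reversible type-7 encoding (assumed here to be the same XOR-with-fixed-string scheme used on Cisco IOS, which is publicly documented), and only secret 5 keeps a one-way hash. The following Python audit is an added example, not Cisco code; the configuration fragment and the hash placeholder in it are constructed sample data. It also flags users with no user group, which the guidelines above describe as orphaned.

```python
"""Audit IOS XR username entries for weak password storage and orphaned users
(added example, not Cisco code)."""
TYPE7_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # well-known type-7 constant


def type7_decode(encoded):
    """Type 7: two-digit seed, then hex bytes XORed with the constant from that offset."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, seed=9):
    """Inverse of type7_decode; shows that the encoding is symmetric and keyless."""
    data = bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)]
                 for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"


# Constructed sample configuration; the hash value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
username user1
 password 0 password1
 group netadmin
!
username user2 password 7 094F471A1A0A
 group operator
!
username user3
 secret 5 $1$abcd$NOTAREALHASHxxxxxxxxxx
 group root-system
!
username orphan
 secret 5 $1$abcd$NOTAREALHASHxxxxxxxxxx
!
"""


def _apply_user_options(user, tokens):
    """password {0|7} VALUE, secret {0|5} VALUE, group NAME; other tokens ignored."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("password", "secret"):
            if tokens[i + 1] in ("0", "5", "7") and i + 2 < len(tokens):
                enc, value, i = tokens[i + 1], tokens[i + 2], i + 3
            else:                                   # no type keyword: treat as clear text
                enc, value, i = "0", tokens[i + 1], i + 2
            user[tok] = (enc, value)
        elif tok == "group":
            user["groups"].append(tokens[i + 1]); i += 2
        else:
            i += 1


def parse_usernames(config):
    """Options may sit on the username line or on indented lines of its submode."""
    users, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts == ["!"]:
            current = None
            continue
        if not raw[0].isspace() and parts[0] == "username":
            current = users.setdefault(parts[1], {"password": None, "secret": None, "groups": []})
            parts = parts[2:]
        if current is not None:
            _apply_user_options(current, parts)
    return users


def audit_users(config):
    """Return (username, finding) pairs for weak storage and missing groups."""
    findings = []
    for name, u in parse_usernames(config).items():
        if u["password"] is not None:
            enc, value = u["password"]
            if enc == "7":
                findings.append((name, f"password 7 is reversible, recovered {type7_decode(value)!r}; use secret 5"))
            else:
                findings.append((name, "password stored in clear text; use secret 5"))
        if not u["groups"]:
            findings.append((name, "no user group: orphaned user, most commands are not authorized"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The decoder is included because it is the whole argument: anyone who can read the configuration (a backup, a show run pasted into a ticket) recovers a type-7 password with a few lines of code and no key, whereas a type-5 secret still has to be cracked.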
Task ID
    Task ID    Operations
    aaa        read, write

Examples              The following example shows how to establish the unencrypted password password1 for the user user1:

RP/0/RP0/CPU0:router(config)# username user1
RP/0/RP0/CPU0:router(config-un)# password 0 password1

Related Commands
    Command               Description
    aaa authentication    Defines a method list for authentication.
    group                 Adds a user to a group.
    password (AAA)        Creates a login password for a user.
users group
To associate a user group and its privileges with a line, use the users group command in line configuration mode. To delete a user group association with a line, use the no form of this command.

users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system | serviceadmin | sysadmin}
no users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system | serviceadmin | sysadmin}
Syntax Description
    usergroup-name    Name of the user group. The usergroup-name argument can be only one word. Spaces and quotation marks are not allowed.
    cisco-support     Specifies that users logging in through the line are given Cisco support personnel privileges.
    netadmin          Specifies that users logging in through the line are given network administrator privileges.
    operator          Specifies that users logging in through the line are given operator privileges.
    root-lr           Specifies that users logging in through the line are given root logical router (LR) privileges.
    root-system       Specifies that users logging in through the line are given root system privileges.
    serviceadmin      Specifies that users logging in through the line are given service administrator group privileges.
    sysadmin          Specifies that users logging in through the line are given system administrator privileges.

Defaults              No default behavior or values

Command Modes         Line configuration

Command History
    Release          Modification
    Release 2.0      This command was introduced on the Cisco CRS-1.
    Release 3.0      No modification.
    Release 3.2      This command was supported on the Cisco XR 12000 Series Router.
    Release 3.3.0    The serviceadmin keyword was added.

Usage Guidelines      To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the users group command to enable a user group and its privileges to be associated with a line,
meaning that users logging in through the line are given the privileges of the particular user group.
Task ID
    Task ID    Operations
    aaa        read, write

Examples              In the following example, if a vty-pool is created with line template vty, users logging in through vty are given operator privileges:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# aaa authentication login vty-authen line
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# line template vty
RP/0/RP0/CPU0:router(config-line)# users group operator
RP/0/RP0/CPU0:router(config-line)# login authentication vty-authen