How it Works
Cisco Systems
Loading...
IOS XR
Configuration Manual
254 pgs2.22 Mb0
User Manual
76 pgs735.98 Kb0
User Manual
282 pgs2.97 Mb1
User Manual
222 pgs5.39 Mb1
User Manual 2
28 pgs409.75 Kb0
User Manual 3
100 pgs665.35 Kb0
Table of contents
Loading...

Cisco Systems IOS XR User Manual 3

Download
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure authentication, authorization, and accounting (AAA) services.
For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services on Cisco IOS XR Software configuration module.
Cisco IOS XR System Security Command Reference
SR-1

aaa accounting

aaa accounting
To create a method list for accounting, use the aaa accounting command in global configuration mode. To remove a list name from the system, use the no form of this command.
aaa accounting {commands | exec} {default | list-name} {start-stop | stop-only}
no aaa accounting {commands | exec} {default | list-name}
{none | group {tacacs+ | radius | group-name}}
Syntax Description
Defaults AAA accounting is disabled.
commands Enables accounting for EXEC shell commands. exec Enables accounting of an EXEC session. default Uses the listed accounting methods that follow this keyword as the default list
of methods for accounting services.
list-name Character string used to name the accounting method list. start-stop Sends a “start accounting” notice at the beginning of a process and a “stop
accounting” notice at the end of a process. The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.
stop-only Sends a “stop accounting” notice at the end of the requested user process. none Uses no accounting. group tacacs+ Uses the list of all TACACS+ servers for accounting. group radius Uses the list of all RADIUS servers for accounting. group group-name Uses a named subset of TACACS+ or RADIUS servers for accounting, as
defined by the aaa group server tacacs+ command or aaa gbroup server radius command.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
Cisco IOS XR System Security Command Reference
SR-2
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Use the aaa accounting command to create default or named method lists defining specific accounting methods and that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list. The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line.
The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
Method lists for accounting define the way accounting is performed, enabling you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services.
For minimal accounting, include the stop-only keyword to send a “stop accounting” notice after the requested user process. Formore accounting, you can include the start-stop keyword, so that TACACS+ or RADIUS sends a “start accounting” notice at the beginning of the requested process and a “stop accounting” notice after the process. The accounting record is stored only on the TACACS+or RADIUS server.
The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.
aaa accounting
Note This command cannot be used with TACACS or extended TACACS.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to define a default commands accounting method list, where
accounting services are provided by a TACACS+ security server, with a stop-only restriction:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa accounting commands default stop-only group tacacs+
Related Commands
Command Description
aaa authorization Creates a method list to be used for authorization.
Cisco IOS XR System Security Command Reference
SR-3

aaa accounting system default

aaa accounting system default
To enable authentication, authorization, and accounting (AAA) system accounting, use the aaa accounting system default command in global configuration mode. To disable system accounting, use the no form of this command.
aaa accounting system default {start-stop | stop-only} {none | method} no aaa accounting system default
Syntax Description
Defaults AAA accounting is disabled.
Command Modes Global configuration
Command History
start-stop Sends a “start accounting” notice during system bootup and a “stop accounting”
notice during system shutdown or reload.
stop-only Sends a “stop accounting” notice during system shutdown or reload. none Uses no accounting.
method Method used to enable AAA system accounting. The value is one of the
following options:
group tacacs+—Uses the list of all TACACS+ servers for accounting.
group radius—Uses the list of all RADIUS servers for accounting.
group named-group—Uses a named subset of TACACS+ or RADIUS
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The method argument was added to specify either group tacacs+, group radius,or
group named-group options.
servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
System accounting does not use named accounting lists; you can define only the default list for system accounting.
Cisco IOS XR System Security Command Reference
SR-4
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.
You can specify up to four methods in the method list.
aaa accounting system default
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to cause a “start accounting” record to be sent to a TACACS+ server
when a router initially boots. A “stop accounting” record is also sent when a router is shut down or reloaded.
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+
Related Commands
Command Description
aaa authentication Creates a method list for authentication. aaa authorization Creates a method list for authorization.
Cisco IOS XR System Security Command Reference
SR-5

aaa authentication

aaa authentication
To create a method list for authentication, use the aaa authentication command in global configuration mode. To disable this authentication method, use the no form of this command.
aaa authentication {login | ppp} {default | list-name | remote} method-list no aaa authentication {login | ppp} {default | list-name | remote} method-list
Syntax Description
login Sets authentication for login. ppp Sets authentication for Point-to-Point Protocol. default Uses the listed authentication methods that follow this keyword as the
default list of methods for authentication.
list-name Character string used to name the authentication method list. remote Uses the listed authentication methods that follow this keyword as the
default list of methods for administrative authentication on a remote nonowner secure domain router. The remote keyword is used only with the login keyword and not with the ppp keyword.
Note The remote keyword is available only on the admin plane.
method-list Method used to enable AAA system accounting. The value is one of the
following options:
group tacacs+—Specifies a method list that uses the list of all
configured TACACS+ servers for authentication.
groupradius—Specifiesamethodlistthat uses the list of all configured
RADIUS servers for authentication.
group named-group—Specifies a method list that uses a named subset
of TACACS+ or RADIUS servers for authentication as defined by the aaa group server tacacs+ or aaa group server radius command.
local—Specifies a method list that uses the local username database
method for authentication. Rollover cannot happen beyond the local method.
line—Specifies a method list that uses the line password for
authentication.
Defaults Default behavior applies the local authentication on all ports.
Command Modes Global configuration
Cisco IOS XR System Security Command Reference
SR-6
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
aaa authentication
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 Themethod-listargumentwas added to specify either group tacacs+, group
radius, group named-group, local, or line options.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa authentication command to create a series of authentication methods, or method list. You can specify up to four methods in the method list. A method list is a named list describing the authentication methods to be used (such as TACACS+ or RADIUS) in sequence. The subsequent methods of authentication are used only if the initial method is not available, not if it fails.
The default method list is applied for all interfaces for authentication, except when a different named method list is explicitly specified—in which case the explicitly specified method list overrides the default list.
For console and vty access, if no authentication is configured, a default of local method is applied.
Note The group tacacs+, group radius, and group group-name forms of this command refer to a set of
previously defined TACACS+ or RADIUS servers.
Use the tacacs-server host or radius-server host command to configure the host servers.
Use the aaa group server tacacs+ or aaa group server radius command to create a named subset
of servers.
The login keyword, remote keyword, local option, and group option are available only in
administration configuration mode.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to specify the default method list to be used for authentication, and
also enable authentication for console:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa authentication login default group tacacs+
Related Commands
Command Description
aaa accounting Creates a method list for accounting. aaa authorization Creates a method list for authorization.
Cisco IOS XR System Security Command Reference
SR-7
aaa authentication
Command Description
aaa group server radius Groups different RADIUS server hosts into distinct lists and distinct
methods.
aaa group server tacacs+ Groups different TACACS+ server hosts into distinct lists and distinct
methods.
login authentication Enables AAA authentication for logins. radius-server host Specifies a RADIUS host. tacacs-server host Specifies a TACACS+ host.
SR-8
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

aaa authorization

To create a method list for authorization, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.
aaa authorization {commands | exec | network} {default | list-name} {none | local | group
{tacacs+ | radius | group-name}}
no aaa authorization {commands | exec | network} {default | list-name}
aaa authorization
Syntax Description
Defaults Authorization is disabled for all actions (equivalent to the method none keyword).
commands Configures authorization for all EXEC shell commands. exec Configures authorization for an interactive (EXEC) session. network Configures authorization for network services, such as PPP or Internet Key
Exchange (IKE).
default Uses the listed authorization methods that follow this keyword as the default list
of methods for authorization.
list-name Character string used to name the list of authorization methods. none Uses no authorization. If you specify none, no subsequent authorization methods
is attempted. However, the task ID authorization is always required and cannot be disabled.
local Uses local authorization. This method of authorization is not available for
command authorization.
group tacacs+ Uses the list of all configured TACACS+ servers for authorization. group radius Usesthe list of all configured RADIUS servers for authorization. This method of
authorization is not available for command authorization.
group group-name Uses a named subset of TACACS+ or RADIUS servers for authorization as
defined by the aaa group server tacacs+ or aaa group server radius command.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Cisco IOS XR System Security Command Reference
SR-9
aaa authorization
Note The command authorization mentioned here applies to the one performed by an external AAA server and
Note Cisco IOS XR software attempts authorization with the next listed method only when there is no
Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.
not for task-based authorization.
Method lists for authorization definethewaysauthorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.
response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.
The Cisco IOS XR software supports the following methods for authorization:
none—The router does not request authorization information; authorization is not performed over
this line or interface.
local—Use local database for authorization.
group tacacs+—Use the list of all configured TACACS+ servers for authorization.
group radius—Use the list of all configured RADIUS servers for authorization.
group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.
Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:
Commands authorization: Applies to the EXEC mode commands a user issues. Command
authorization attempts authorization for all EXEC mode commands.
Note “Command” authorization is distinct from “task-based” authorization, which is based on the task profile
established during authentication.
EXEC authorization: Applies authorization for starting an EXEC session.
Network authorization: Applies authorization for network services, such as IKE.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
Task ID Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-10
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
aaa authorization
Examples The following example shows how to define the network authorization method list named listname1,
which specifies that TACACS+ authorization is used:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+
Related Commands Command Description
aaa accounting Creates a method list for accounting.
Cisco IOS XR System Security Command Reference
SR-11

aaa default-taskgroup

aaa default-taskgroup
To specify a task group to be used for both remote TACACS+ authentication and RADIUS authentication, use the aaa default-taskgroup command in global configuration mode. To remove this default task group, enter the no form of this command.
aaa default-taskgroup taskgroup-name no aaa default-taskgroup
Syntax Description
Defaults No default task group is assigned for remote authentication.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
taskgroup-name Name of an existing task group.
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa default-taskgroup command to specify an existing task group to be used for remote TACACS+ authentication.
Task ID
Examples Thefollowingexample shows how to specify taskgroup1 as the default task group for remote TACACS+
Cisco IOS XR System Security Command Reference
SR-12
Task ID Operations
aaa read, write
authentication:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

aaa group server radius

To group different RADIUS server hosts into distinct lists, use the aaa group server radius command in global configuration mode. To remove a group server from the configurationlist, enter the no form of this command.
aaa group server radius group-name no aaa group server radius group-name
aaa group server radius
Syntax Description
Defaults This command is not enabled.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
group-name Character string used to name the group of servers.
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the aaa group server radius command to group existing server hosts, which allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses or hostnames of the selected server hosts.
Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and User Datagram Protocol (UDP) port number creates a unique identifier, allowing different ports to individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. In other words, this unique identifierenables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry acts as a failover backup to the first host entry. Using this example, if the firsthost entry fails to provide accounting services, the network access server will try the second host entry on the same device for accounting services. The RADIUS host entries are tried in the order in which they are configured in the server group.
All members of a server group must be the same type, that is, RADIUS. The server group cannot be named radius or tacacs. This command enters server group configuration mode. You can use the server command to associate a
particular RADIUS server with the defined server group.
Cisco IOS XR System Security Command Reference
SR-13
aaa group server radius
Task ID
Task ID Operations
aaa read, write
Examples The following example shows the configuration of an AAA group server named radgroup1, which
comprises three member servers:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius radgroup1 RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.5 auth-port 1700 acct-port 1701 RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.10 auth-port 1702 acct-port 1703 RP/0/RP0/CPU0:router(config-sg-radius)# server 10.0.0.20 auth-port 1705 acct-port 1706
Note If the auth-port port-number keyword and argument and the acct-port port-number keyword and
argument are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646.
Related Commands
Command Description
radius-server host Specifies a RADIUS server host.
SR-14
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists, use the b command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name no aaa group server tacacs+ group-name
aaa group server tacacs+
Syntax Description
Defaults This command is not enabled.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
group-name Character string used to name a group of servers.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
The aaa group server tacacs+ command enters server group configuration mode. The server command associates a particular TACACS+ server with the defined server group.
A server group is a list of server hosts of a particular type. The supported server host type is TACACS+ server hosts. A server group is used with a global server host list. The server group lists the IP addresses or hostnames of the selected server hosts.
The server group cannot be named radius or tacacs.
Task ID
Note Group name methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host
command to configure the host servers.
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-15
aaa group server tacacs+
Examples The following example shows the configuration of an AAA group server named tacgroup1, which
comprises three member servers:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.228
Related Commands Command Description
aaa accounting Creates a method list for accounting. aaa authentication Creates a method list for authentication. aaa authorization Creates a method list for authorization. server (TACACS+) Specifies the host name or IP address of an external TACACS+ server. tacacs-server host Specifies a TACACS+ host.
SR-16
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

accounting

To enable authentication, authorization, and accounting (AAA) accounting services for a specificline or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.
accounting {commands | exec} {default | list-name} no accounting {commands | exec}
accounting
Syntax Description
Defaults Accounting is disabled.
Command Modes Line configuration
Command History
commands Enables accounting on the selected lines for all EXEC shell commands. exec Enables accounting of an EXEC session. default The name of the default method list, created with the aaa accounting command.
list-name Specifies the name of a list of accounting methods to use. The list is created with the
aaa accounting command.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists to the selected line or group of lines. If a method list is not specified this way, no accounting is applied to the selected line or group of lines.
Task ID
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-17
accounting
Examples Thefollowingexampleshowshowtoenable command accounting services using the accounting method
list named listname2 on a line template named configure:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# accounting commands listname2
Related Commands Command Description
aaa accounting Creates a method list for accounting.
SR-18
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

authorization

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the
no form of this command.
authorization {commands | exec} {default | list-name} no authorization {commands | exec}
authorization
Syntax Description
Defaults Authorization is not enabled.
Command Modes Line configuration
Command History
commands Enables authorization on the selected lines for all commands. exec Enables authorization for an interactive (EXEC) session. default Applies the default method list, created with the aaa authorization command.
list-name Specifies the name of a list of authorization methods to use. If no list name is
specified, the system uses the default. The list is created with the aaa authorization command.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
After you use the aaa authorization command to define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines.
Task ID
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-19
authorization
Examples The following example shows how to enable command authorization using the method list named
listname4 on a line template named configure:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# authorization commands listname4
Related Commands Command Description
aaa authorization Creates a method list for authorization.
SR-20
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

deadtime (server-group configuration)

To configure the deadtime value at the RADIUS server group level, use the deadtime command in server-group configuration mode. To set deadtime to 0, use the no form of this command.
deadtime minutes no deadtime
deadtime (server-group configuration)
Syntax Description
minutes Length of time, in minutes, for which a RADIUS server is skipped over by
transaction requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440.
Defaults Deadtime is set to 0.
Command Modes Server-group configuration
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The value of the deadtime set in the server groups overrides the deadtime that is configured globally. If the deadtime is omitted from the server group configuration, the value is inherited from the master list. If the server group is not configured, the default value of 0 applies to all servers in the group. If the deadtime is set to 0, no servers are marked dead.
Task ID
Task ID Operations
aaa read, write
Examples The following example specifies a one-minute deadtime for RADIUS server group group1 when it has
failed to respond to authentication requests for the deadtime command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646 RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001 RP/0/RP0/CPU0:router(config-sg-radius)# deadtime 1
Cisco IOS XR System Security Command Reference
SR-21
deadtime (server-group configuration)
Related Commands Command Description
aaa group server radius Groups different RADIUS server hosts into distinct lists and
distinct methods.
radius-server dead-criteria time Forces one or both of the criteria that is used to mark a RADIUS
server as dead.
radius-server deadtime Defines the length of time in minutes for a RADIUS server to
remain marked dead.
SR-22
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

description (AAA)

To create a description of a task group or user group during configuration,use the description command in task group configuration or user group configuration mode. To delete a task group description or user group description, use the no form of this command.
description string no description
description (AAA)
Syntax Description
Defaults The default description is blank.
Command Modes Task group configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
string Character string describing the task group or user group.
User group configuration
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the task or user group configuration submode to define a description for the task or user group, respectively.
Task ID
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-23
description (AAA)
Examples The following example shows the creation of a task group description:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup alpha RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup
The following example shows the creation of a user group description:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# usergroup alpha RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group
Related Commands Command Description
taskgroup Accesses task group configuration mode and configures a task group by associating
it with a set of task IDs.
usergroup Accesses user group configuration mode and configures a user group by associating
it with a set of task groups.
SR-24
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

group

To add a user to a group, use the group command in username configuration mode. To remove the user from a group, use the no form of this command.
group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support | serviceadmin |
group-name}
no group {root-system | root-lr | netadmin | sysadmin | operator | cisco-support |
serviceadmin | group-name}
group
Syntax Description
Defaults No default behavior or values
Command Modes Username configuration
Command History
root-system Adds the user to the predefined root-system group. Only users with root-system
authority may use this option.
root-lr Adds the user to the predefined root-lr group. Only users with root-system
authority or root-lr authority may use this option.
netadmin Adds the user to the predefined network administrators group. sysadmin Adds the user to the predefined system administrators group. operator Adds the user to the predefined operator group. cisco-support Adds the user to the predefined Cisco support personnel group. serviceadmin Adds the user to the predefined service administrators group.
group-name Adds the user to a named user group that has already been defined with the
usergroup command.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The serviceadmin keyword was added.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The predefined group root-system may be specified only by root-system users while configuring administration.
Cisco IOS XR System Security Command Reference
SR-25
group
Use the group command in username configuration mode. To access username configuration mode, use the username command in global configuration mode.
If the group command is used in admin configuration mode, only root-system and cisco-support can be specified.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to assign the user group operator to the user named user1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user1 RP/0/RP0/CPU0:router(config-un)# group operator
Related Commands
Command Description
password (AAA) Creates a login password for a user. usergroup Configures a user group and associates it with a set of task groups. username Accesses username configuration mode, configures a new user with a username,
and establishes a password and permissions for that user.
SR-26
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

inherit taskgroup

To enable a task group to derive permissions from another task group, use the inherit taskgroup command in task group configuration mode.
inherit taskgroup {taskgroup-name | netadmin | operator | sysadmin | cisco-support | root-lr |
root-system | serviceadmin}
inherit taskgroup
Syntax Description
Defaults No default behavior or values
Command Modes Task group configuration
Command History
taskgroup-name Name of the task group from which permissions are inherited.
netadmin Inherits permissions from the network administrator task group. operator Inherits permissions from the operator task group. sysadmin Inherits permissions from the system administrator task group. cisco-support Inherits permissions from the cisco support task group. root-lr Inherits permissions from the root-lr task group. root-system Inherits permissions from the root system task group. serviceadmin Inherits permissions from the service administrators task group.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The serviceadmin keyword was added.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the inherit taskgroup command to inherit the permissions (task IDs) from one task group into another task group. Any changes made to the taskgroup from which they are inherited are reflected immediately in the group from which they are inherited.
Task ID
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-27
inherit taskgroup
Examples In the following example, the permissions of task group tg2 are inherited by task group tg1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup tg1 RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2 RP/0/RP0/CPU0:router(config-tg)# end
SR-28
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

inherit usergroup

To enable a user group to derive characteristics of another user group, use the inherit usergroup command in user group configuration mode.
inherit usergroup usergroup-name
inherit usergroup
Syntax Description
Defaults No default behavior or values
Command Modes User group configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
usergroup-name Name of the user group from which permissions are to be inherited.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Each user group is associated with a set of task groups applicable to the users in that group. A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. The task permissions for a user are derived (at the start of the EXEC or XML session) from the task groups associated with the user groups to which that user belongs.
User groups support inheritance from other user groups. Use the inherit usergroup command to copy permissions (task ID attributes) from one user group to another user group. The “destination” user group inherits the properties of the inherited group and forms a union of all task IDs specified in those groups. For example, when user group A inherits user group B, the task map of the user group A is a union of that of A and B. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system users, root-sdr users, netadmin users, and so on. Any changes made to the usergroup from which it is inherited are reflected immediately in the group from which it is inherited.
Task ID
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-29
inherit usergroup
Examples The following example shows how to enable the purchasing user group to inherit properties from the
sales user group:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# usergroup purchasing RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales
Related Commands Command Description
description (AAA) Creates a description of a task group in task group configuration mode, or
creates a description of a user group in user group configuration mode.
taskgroup Configures a task group to be associated with a set of task IDs. usergroup Configures a user group to be associated with a set of task groups.
SR-30
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

login authentication

To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configurationmode. To return to the default authentication settings, use the no form of this command.
login authentication {default | list-name} no login authentication
login authentication
Syntax Description
Defaults This command uses the default set with the aaa authentication login command.
Command Modes Line configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
default Default list of AAA authentication methods, as set by the aaa authentication
login command.
list-name Name of the method list used for authenticating. You specify this list with the aaa
authentication login command
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The login authentication command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login.
Caution If you use a list-name value that was not configured with the aaa authentication login command, the
configuration is rejected.
Entering the no form of the login authentication command has the same effectasentering the command with the default keyword.
Before issuing this command, create a list of authentication processes by using the aaa authentication login global configuration command.
Cisco IOS XR System Security Command Reference
SR-31
login authentication
Task ID
Task ID Operations
aaa read, write tty-access read, write
Examples The following example shows that the default AAA authentication is to be used for the line template
template1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template template1 RP/0/RP0/CPU0:router(config-line)# login authentication default
The following example shows that the AAA authentication list called list1 is to be used for the line template template2:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template template2 RP/0/RP0/CPU0:router(config-line)# login authentication list1
Related Commands
Command Description
aaa authentication Creates a method list for authentication.
SR-32
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

password (AAA)

To create a login password for a user, use the password command in username or line configuration mode. To remove the password, use the no form of this command.
password {0 | 7} password no password {0 | 7} password
password (AAA)
Syntax Description
Defaults No password is specified.
Command Modes Username configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
0 Specifies that an unencrypted (clear-text) password follows. 7 Specifies that an encrypted password follows.
password Character-string password to be entered by the user to log in.
Line configuration
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of passwords: encrypted or clear text. When an EXEC process is started on a line that has password protection, the process prompts for the
password. If the user enters the correct password, the process issues the prompt. The user can try three times to enter a password before the process exits and returns the terminal to the idle state.
Passwords are two-way encrypted and should be used for applications such as PPP that need decryptable passwords.
Task ID
Note The show running-configcommand does not display the login password in clear text when the 0 option
is used to specify an unecrypted password.
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-33
password (AAA)
Examples The following example shows how to establish the unencrypted password pwd1 for the user user1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user1 RP/0/RP0/CPU0:router(config-un)# password 0 pwd1
Related Commands Command Description
group Adds a user to a group. usergroup Accesses user group configuration mode and configures a user group,
associating it with a set of task groups.
username Accesses username configuration mode and configures a new user with a
username, establishing a password and granting permissions for that user.
SR-34
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

radius-server dead-criteria time

To specify the minimum amount of time, in seconds, that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead, use the radius-server dead-criteria time command in global configuration mode. To disable the criteria that were set, use the no form of this command.
radius-server dead-criteria time seconds no radius-server dead-criteria time seconds
radius-server dead-criteria time
Syntax Description
Defaults If the seconds argument is not configured, the number of seconds ranges from 10 to 60 seconds,
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
seconds Length of time, in seconds. The range is from 1 to120 seconds. If the seconds argument
is not configured, the number of seconds ranges from 10 to 60, depending on the transaction rate of the server.
Note The time criterion must be met for the server to be marked as dead.
depending on the transaction rate of the server.
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Note If you configure the radius-server dead-criteria time command before the radius-server deadtime
command, the radius-server dead-criteria time command may not be enforced.
If a packet has not been received since the router booted and there is a timeout, the time criterion is treated as though it were met.
If the seconds argument is not indicated, the time is set to the defaults.
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-35
radius-server dead-criteria time
Examples The following example shows how to establish the time for the dead-criteria conditions for a RADIUS
server to be marked as dead for the radius-server dead-criteria time command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server dead-criteria time 5
Related Commands Command Description
radius-server dead-criteria tries
Specifies the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead.
radius-server deadtime Defines the length of time, in minutes, for a RADIUS server to remain
marked dead.
show radius
Displays information for the dead-server detection criteria.
dead-criteria
SR-36
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

radius-server dead-criteria tries

To specify the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead, use the radius-server dead-criteria tries command in global configuration mode. To disable the criteria that were set, use the no form of this command.
radius-server dead-criteria tries tries no radius-server dead-criteria tries tries
radius-server dead-criteria tries
Syntax Description
Defaults If the tries argument is not configured, the number of consecutive timeouts ranges from 10 to 100,
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
tries Number of timeouts from 1 to 100. If the tries argument is not configured, the number
of consecutive timeouts ranges from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.
Note The tries criterion must be met for the server to be marked as dead.
depending on the transaction rate of the server and the number of configured retransmissions.
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If the server performs both authentication and accounting, both types of packet are included in the number. Improperly constructed packets are counted as though they were timeouts. All transmissions, including the initial transmit and all retransmits, are counted.
Task ID
Note If you configure the radius-server dead-criteria tries command before the radius-server deadtime
command, the radius-server dead-criteria tries command may not be enforced.
If the tries argument is not indicated, the number of tries is set to the default.
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
SR-37
radius-server dead-criteria tries
Examples The following example shows how to establish the number of tries for the dead-criteria conditions for a
RADIUS server to be marked as dead for the radius-server dead-criteria tries command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server dead-criteria tries 4
Related Commands Command Description
radius-server dead-criteria time
Definesthe length of time in seconds that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead.
radius-server deadtime Defines the length of time, in minutes, for a RADIUS server to remain
marked dead.
show radius
Displays information for the dead-server detection criteria.
dead-criteria
SR-38
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

radius-server deadtime

To improve RADIUS response times when some servers are unavailable and cause the unavailable servers to be skipped immediately, use the radius-server deadtime command in global configuration mode. To set deadtime to 0, use the no form of this command.
radius-server deadtime minutes no radius-server deadtime
radius-server deadtime
Syntax Description
Defaults Dead time is set to 0.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
minutes Length of time, in minutes, for which a RADIUS server is skipped over by transaction
requests, up to a maximum of 1440 (24 hours). The range is from 1 to 1440. The default value is 0.
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A RADIUS server marked as dead is skipped by additional requests for the duration of minutes unless all other servers are marked dead and there is no rollover method.
Task ID
Examples The following example specifies five minutes of deadtime for RADIUS servers that fail to respond to
Task ID Operations
aaa read, write
authentication requests for the radius-server deadtime command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server deadtime 5
Cisco IOS XR System Security Command Reference
SR-39
radius-server deadtime
Related Commands Command Description
deadtime (server-group
Configures the deadtime value at the RADIUS server group level.
configuration) radius-server
dead-criteria time show radius
Forces one or both of the criteria that is used to mark a RADIUS server as dead.
Displays information for the dead-server detection criteria.
dead-criteria
SR-40
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

radius-server host

To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
radius-server host
Syntax Description
hostname Domain Name System (DNS) name of the RADIUS server host. ip-address IP address of the RADIUS server host.
auth-port port-number (Optional) Specifies the User Datagram Protocol (UDP) destination port for
authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.
acct-port port-number (Optional) Specifies the UDP destination port for accounting requests; the
host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.
timeout seconds (Optional) The time interval (in seconds) that the router waits for the
RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified,the global valueis used. Enter a valuein the range from 1 to 1000. Default is 5.
retransmit retries (Optional) The number of times a RADIUS request is re-sent to a server, if
that server is not responding or responding slowly.This setting overrides the global setting of the radius-server retransmit command. If no retransmit value is specified,the global value is used. Enter a value in the range from 1 to 100. Default is 3.
key string (Optional) Specifiesthe authentication and encryption key used between the
router and the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.
The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Defaults No RADIUS host is specified; use global radius-server command values.
Command Modes Global configuration
Cisco IOS XR System Security Command Reference
SR-41
radius-server host
Command History
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can use multiple radius-server host commands to specify multiple hosts. The Cisco IOS XR software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host
Task ID.
Task ID Operations
aaa read, write
Examples The following example shows how to establish host1 as the RADIUS server and use default ports for
both accounting and authentication:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server host host1
The following example shows how to establish port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example shows how to establish the host with IP address 172.29.39.46 as the RADIUS server,use ports 1612 and 1616 as the authorization and accounting ports, set the timeout value to 6, set the retransmit value to 5, and set “rad123” as the encryption key, matching the key on the RADIUS server:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server host 172.29.39.46 auth-port 1612 acct-port
1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example shows how to establish that RADIUS server host1 be used for accounting butnot
for authentication, and specify that RADIUS server host2 be used for authentication but not for accounting:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server host host1.example.com auth-port 0 RP/0/RP0/CPU0:router(config)# radius-server host host2.example.com acct-port 0
SR-42
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Related Commands Command Description
aaa accounting Creates a method list for accounting. aaa authentication Creates a method list for authentication. aaa authorization Creates a method list for authorization. radius-server key Sets the authentication and encryption key for all RADIUS
communications between the router and the RADIUS daemon.
radius-server retransmit Specifieshow many times Cisco IOS XR software retransmits packets to
a server before giving up.
radius-server timeout Sets the interval a router waits for a server host to reply.
radius-server host
Cisco IOS XR System Security Command Reference
SR-43

radius-server key

radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. Todisable the key, use the no form of this command.
radius-server key {0 clear-text-key | 7 encrypted-key | clear-text-key} no radius-server key
Syntax Description
0 clear-text-key Specifies an unencrypted (cleartext) shared key. 7 encrypted-key Specifies a encrypted shared key.
clear-text-key Specifies an unencrypted (cleartext) shared key.
Defaults The authentication and encryption key is disabled.
Command Modes Global configuration
Command History
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key entered must match the key used on the RADIUS server. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to set the cleartext key to “samplekey”:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 0 samplekey
The following example shows how to set the encrypted shared key to “anykey”:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 7 anykey
Cisco IOS XR System Security Command Reference
SR-44
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Related Commands Command Description
radius-server host Specifies a RADIUS server host.
radius-server key
Cisco IOS XR System Security Command Reference
SR-45

radius-server retransmit

radius-server retransmit
To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.
radius-server retransmit retries no radius-server retransmit
Syntax Description
Defaults The RADIUS servers are retried three times, or until a response is received.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
retries Maximum number of retransmission attempts. The range is from 1 to 100. Default is 3.
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The RADIUS client tries all servers, allowing each one to time out before increasing the retransmit count.
Task ID
Examples The following example shows how to specify a retransmit counter value of five times:
Cisco IOS XR System Security Command Reference
SR-46
Task ID Operations
aaa read, write
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server retransmit 5
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

radius-server timeout

To set the interval for which a router waits for a server host to reply before timing out, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command.
radius-server timeout seconds no radius-server timeout
radius-server timeout
Syntax Description
Defaults seconds: 5 seconds
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
seconds Number that specifies the timeout interval, in seconds. Range is from 1 to 1000.
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius-server timeout command to set the number of seconds a router waits for a server host to reply before timing out.
Task ID
Examples The following example shows how to change the interval timer to 10 seconds:
Related Commands
Task ID Operations
aaa read, write
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server timeout 10
Command Description
radius-server host Specifies a RADIUS server host. radius-server key Sets the authentication and encryption key for all RADIUS communications
between the router and the RADIUS daemon.
Cisco IOS XR System Security Command Reference
SR-47

radius source-interface

radius source-interface
To force RADIUS to use the IP address of a specified interface or subinterface for all outgoing RADIUS packets, use the radius source-interface command in global configuration mode. To prevent only the specifiedinterfacefrom being the default and not from being used for all outgoing RADIUS packets, use the no form of this command.
radius source-interface interface-name no radius source-interface
Syntax Description
Defaults If a specific source interface is not configured, or the interface is down or does not have an IP address
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
interface-name Name of the interface that RADIUS uses for all of its outgoing packets.
configured, the system selects an IP address.
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the radius source-interfacecommand to set the IP address of the specifiedinterfaceor subinterface for all outgoing RADIUS packets. This address is used as long as the interface or subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
The specified interface or subinterface must have an IP address associated with it. If the specified interface or subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the interface or subinterface or bring the interface to the up state.
The radius source-interface command is especially useful in cases in which the router has many interfaces or subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
Task ID
SR-48
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
radius source-interface
Examples The following example shows how to make RADIUS use the IP address of subinterface s2 for all
outgoing RADIUS packets:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius source-interface Loopback 10
Cisco IOS XR System Security Command Reference
SR-49

secret

secret
To create a secure login secret for a user, use the secret command in username or line configuration mode. To remove the secure secret, use the no form of this command.
secret {0 | 5} secret no secret {0 | 5} secret
Syntax Description
Defaults No password is specified.
Command Modes Username configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
0 Specifies that an unencrypted (clear text) secure secret follows. 5 Specifies that an encrypted secure secret follows.
secret Character-string secret to be entered by the user to log in.
Line configuration
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The password argument was replaced with the secret argument.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You can specify one of two types of secure secrets: encrypted or clear text. When an EXEC process is started on a line that has password protection, the process prompts for the
secret. If the user enters the correct secret, the process issues the prompt. The user can try three times to enter a secret before the process exits and returns the terminal to the idle state.
Secrets are one-way encrypted and should be used for applications such as login that do not need a decryptable secret.
Task ID
SR-50
Note The show running command does not display the login password in clear text when the 0 option is used
to specify an unecrypted password.
Task ID Operations
aaa read, write
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
secret
Examples The following example shows how to establish the secure encrypted secret pwd2 for the user user2:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user2 RP/0/RP0/CPU0:router(config-un)# secret 5 pwd2
Related Commands Command Description
group Adds a user to a group. password (AAA) Creates a login password for a user. usergroup Accesses user group configuration mode and configures a user group,
associating it with a set of task groups.
username Accesses username configuration mode and configures a new user with a
username, establishing a password and granting permissions for that user.
Cisco IOS XR System Security Command Reference
SR-51

server (RADIUS)

server (RADIUS)
To associate a particular RADIUS server with a defined server group, use the se rve r command in RADIUS server-group configuration mode. To remove the associated server from the server group, use the no form of this command.
server {hostname | ip-address}[auth-port port-number] [acct-port port-number] no server {hostname | ip-address} [auth-port port-number] [acct-port port-number]
Syntax Description
Defaults If no port attributes are defined, the defaults are as follows:
Command Modes RADIUS server-group configuration
Command History
hostname Character string used to name the server host. ip-address IP address of the RADIUS server host.
auth-port port-number (Optional) Specifies the User Datagram Protocol (UDP) destination port for
authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. Default is 1645.
acct-port port-number (Optional) Specifies the UDP destination port for accounting requests. The
port-number argument specifies the port number for accounting requests.
The host is not used for accounting services if this value is set to 0. Default is 1646.
Authentication port: 1645
Accounting port: 1646
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular RADIUS server with a defined server group. There are two different ways in which you can identify a server,depending on the way you want to offer
AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
Cisco IOS XR System Security Command Reference
SR-52
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server based on their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry configuredacts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configuredon the same device for accounting services. (The RADIUS host entries are tried in the order they are configured.)
server (RADIUS)
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to use two different host entries on the same RADIUS server that are
configuredfor the same services—authentication and accounting. The second host entry configuredacts as fail-over backup to the first one.
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646 RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001
Related Commands
Command Description
aaa group server radius Groups different RADIUS serverhostsintodistinctlistsand distinct
methods.
deadtime (server-group
Configures the deadtime value at the RADIUS server group level.
configuration) radius-server host Specifies a RADIUS server host.
Cisco IOS XR System Security Command Reference
SR-53

server (TACACS+)

server (TACACS+)
To associate a particular TACACS+ server with a defined server group, use the server command in TACACS+ server-group configurationmode. Toremovetheassociated server from the server group, use the no form of this command.
server {hostname | ip-address} no server {hostname | ip-address}
Syntax Description
hostname Character string used to name the server host. ip-address IP address of the server host.
Defaults No default behavior or values
Command Modes TACACS+ server-group configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the server command to associate a particular TACACS+ server with a defined server group. The server need not be accessible during configuration.Later,you can reference the configuredserver group from the method lists used to configure authentication, authorization, and accounting (AAA).
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15
with the server group tac1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15
Cisco IOS XR System Security Command Reference
SR-54
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Related Commands Command Description
aaa group server tacacs+ Groups different TACACS+ server hosts into distinct lists.
server (TACACS+)
Cisco IOS XR System Security Command Reference
SR-55

show aaa

show aaa
To display information about a user group, local user, or task group; to list all task IDs associated with all user groups, local users, or task groups in the system; or to list all task IDs for a specified user group, local user, or task group, use the show aaa command in EXEC mode.
show aaa {usergroup [usergroup-name] | userdb [username] | taskgroup [taskgroup-name]}
Syntax Description
Defaults Details for all user groups, or all local users, or all task groups are listed if no argument is entered.
Command Modes EXEC
Command History
usergroup Displays details for all user groups.
usergroup-name (Optional) User group whose details are to be displayed.
userdb Displays details for all local users and the usergroups to which each
user belongs.
username (Optional) User whose details are to be displayed. taskgroup Displays details for all task groups. taskgroup-name (Optional) Task group whose details are to be displayed.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show aaa command to list details for all user groups, local users, or task groups in the system. Use the optional usergroup-name, username, or taskgroup-name argument to display the details for a specified user group, user, or task group, respectively.
Task ID
Cisco IOS XR System Security Command Reference
SR-56
Task ID Operations
aaa read
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Examples The following sample output is from the show aaa usergroup command:
RP/0/RP0/CPU0:router# show aaa usergroup operator
User group 'operator' Inherits from task group 'operator' User group 'operator' has the following combined set of task IDs (including all inherited groups): Task: basic-services : READ WRITE EXECUTE DEBUG Task: cdp : READ Task: diag : READ Task: ext-access : READ EXECUTE Task: logging : READ
The following sample output is from the taskgroup keyword for a task group named netadmin:
RP/0/RP0/CPU0:router# show aaa taskgroup netadmin
Task group 'netadmin'
Task group 'netadmin' has the following combined set of task IDs (including all inherited groups):
show aaa
Task: aaa : READ Task: acl : READ WRITE EXECUTE DEBUG Task: admin : READ Task: atm : READ WRITE EXECUTE DEBUG Task: basic-services : READ WRITE EXECUTE DEBUG Task: bcdl : READ Task: bfd : READ WRITE EXECUTE DEBUG Task: bgp : READ WRITE EXECUTE DEBUG Task: boot : READ WRITE EXECUTE DEBUG Task: bundle : READ WRITE EXECUTE DEBUG Task: cdp : READ WRITE EXECUTE DEBUG Task: cef : READ WRITE EXECUTE DEBUG Task: cisco-support : READ Task: config-mgmt : READ WRITE EXECUTE DEBUG Task: config-services : READ WRITE EXECUTE DEBUG Task: crypto : READ WRITE EXECUTE DEBUG Task: diag : READ WRITE EXECUTE DEBUG Task: disallowed : READ Task: drivers : READ Task: ext-access : READ WRITE EXECUTE DEBUG Task: fabric : READ WRITE EXECUTE DEBUG Task: fault-mgr : READ WRITE EXECUTE DEBUG Task: filesystem : READ WRITE EXECUTE DEBUG Task: fr : READ WRITE EXECUTE DEBUG Task: hdlc : READ WRITE EXECUTE DEBUG Task: host-services : READ WRITE EXECUTE DEBUG Task: hsrp : READ WRITE EXECUTE DEBUG Task: interface : READ WRITE EXECUTE DEBUG Task: inventory : READ Task: ip-services : READ WRITE EXECUTE DEBUG Task: ipv4 : READ WRITE EXECUTE DEBUG Task: ipv6 : READ WRITE EXECUTE DEBUG Task: isis : READ WRITE EXECUTE DEBUG Task: logging : READ WRITE EXECUTE DEBUG Task: lpts : READ WRITE EXECUTE DEBUG Task: monitor : READ Task: mpls-ldp : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG
Cisco IOS XR System Security Command Reference
SR-57
show aaa
Task: netflow : READ WRITE EXECUTE DEBUG Task: network : READ WRITE EXECUTE DEBUG Task: ospf : READ WRITE EXECUTE DEBUG Task: ouni : READ WRITE EXECUTE DEBUG Task: pkg-mgmt : READ Task: pos-dpt : READ WRITE EXECUTE DEBUG Task: ppp : READ WRITE EXECUTE DEBUG Task: qos : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG Task: rip : READ WRITE EXECUTE DEBUG Task: root-lr : READ Task: route-map : READ WRITE EXECUTE DEBUG Task: route-policy : READ WRITE EXECUTE DEBUG Task: snmp : READ WRITE EXECUTE DEBUG Task: sonet-sdh : READ WRITE EXECUTE DEBUG Task: static : READ WRITE EXECUTE DEBUG Task: sysmgr : READ Task: system : READ WRITE EXECUTE DEBUG Task: transport : READ WRITE EXECUTE DEBUG Task: tty-access : READ WRITE EXECUTE DEBUG Task: tunnel : READ WRITE EXECUTE DEBUG Task: universal : READ Task: vlan : READ WRITE EXECUTE DEBUG Task: vrrp : READ WRITE EXECUTE DEBUG
The sample output is from the taskgroup keyword for an operator. The task group operator has the following combined set of task IDs, which includes all inherited groups:
Task: basic-services : READ WRITE EXECUTE DEBUG Task: cdp : READ Task: diag : READ Task: ext-access : READ EXECUTE Task: logging : READ
The sample output is from the taskgroupkeyword for a root-system. The task group root-system has the following combined set of task IDs, which includes all inherited groups:
Task: aaa : READ WRITE EXECUTE DEBUG Task: acl : READ WRITE EXECUTE DEBUG Task: admin : READ WRITE EXECUTE DEBUG Task: atm : READ WRITE EXECUTE DEBUG Task: basic-services : READ WRITE EXECUTE DEBUG Task: bcdl : READ WRITE EXECUTE DEBUG Task: bfd : READ WRITE EXECUTE DEBUG Task: bgp : READ WRITE EXECUTE DEBUG Task: boot : READ WRITE EXECUTE DEBUG Task: bundle : READ WRITE EXECUTE DEBUG Task: cdp : READ WRITE EXECUTE DEBUG Task: cef : READ WRITE EXECUTE DEBUG Task: config-mgmt : READ WRITE EXECUTE DEBUG Task: config-services : READ WRITE EXECUTE DEBUG Task: crypto : READ WRITE EXECUTE DEBUG Task: diag : READ WRITE EXECUTE DEBUG Task: drivers : READ WRITE EXECUTE DEBUG Task: ext-access : READ WRITE EXECUTE DEBUG Task: fabric : READ WRITE EXECUTE DEBUG Task: fault-mgr : READ WRITE EXECUTE DEBUG Task: filesystem : READ WRITE EXECUTE DEBUG Task: fr : READ WRITE EXECUTE DEBUG Task: hdlc : READ WRITE EXECUTE DEBUG Task: host-services : READ WRITE EXECUTE DEBUG Task: hsrp : READ WRITE EXECUTE DEBUG Task: interface : READ WRITE EXECUTE DEBUG
SR-58
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Task: inventory : READ WRITE EXECUTE DEBUG Task: ip-services : READ WRITE EXECUTE DEBUG Task: ipv4 : READ WRITE EXECUTE DEBUG Task: ipv6 : READ WRITE EXECUTE DEBUG Task: isis : READ WRITE EXECUTE DEBUG Task: logging : READ WRITE EXECUTE DEBUG Task: lpts : READ WRITE EXECUTE DEBUG Task: monitor : READ WRITE EXECUTE DEBUG Task: mpls-ldp : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG Task: netflow : READ WRITE EXECUTE DEBUG Task: network : READ WRITE EXECUTE DEBUG Task: ospf : READ WRITE EXECUTE DEBUG Task: ouni : READ WRITE EXECUTE DEBUG Task: pkg-mgmt : READ WRITE EXECUTE DEBUG Task: pos-dpt : READ WRITE EXECUTE DEBUG Task: ppp : READ WRITE EXECUTE DEBUG Task: qos : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG Task: rip : READ WRITE EXECUTE DEBUG Task: root-lr : READ WRITE EXECUTE DEBUG Task: root-system : READ WRITE EXECUTE DEBUG Task: route-map : READ WRITE EXECUTE DEBUG Task: route-policy : READ WRITE EXECUTE DEBUG Task: snmp : READ WRITE EXECUTE DEBUG Task: sonet-sdh : READ WRITE EXECUTE DEBUG Task: static : READ WRITE EXECUTE DEBUG Task: sysmgr : READ WRITE EXECUTE DEBUG Task: system : READ WRITE EXECUTE DEBUG Task: transport : READ WRITE EXECUTE DEBUG Task: tty-access : READ WRITE EXECUTE DEBUG Task: tunnel : READ WRITE EXECUTE DEBUG Task: universal : READ WRITE EXECUTE DEBUG Task: vlan : READ WRITE EXECUTE DEBUG Task: vrrp : READ WRITE EXECUTE DEBUG
show aaa
The following sample output is from show aaa command with the userdb keyword:
RP/0/RP0/CPU0:router# show aaa userdb
Username lab (admin plane)
User group root-system User group cisco-support
Username acme
User group root-system
Related Commands Command Description
show user Displays task IDs enabled for the currently logged-in user.
Cisco IOS XR System Security Command Reference
SR-59

show radius

show radius
To display information about the RADIUS servers that are configured in the system, use the show radius command in EXEC mode.
show radius
Syntax Description This command has no arguments or keywords.
Defaults If no radius servers are configured, no output is displayed.
Command Modes EXEC
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius command to display statistics for each configured RADIUS server.
Task ID
Task ID Operations
aaa read
Examples The following sample output is for the show radius command:
RP/0/RP0/CPU0:router# show radius
Global dead time: 0 minute(s)
Server: 1.1.1.1/1/2 is UP Timeout: 5 sec, Retransmit limit: 3 Authentication: 0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges 0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt
SR-60
Accounting: 0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 2 describes the significant fields shown in the display.
Table 2 show radius Field Descriptions
Field Description
Server Server IP address/UDP destination port for authentication requests/UDP
destination port for accounting requests. Timeout Number of seconds the router waits for a server host to reply before timing out. Retransmit limit Numberoftimes the Cisco IOS XR softwaresearchesthe list of RADIUS server
hosts before giving up.
show radius
Related Commands
Command Description
radius-server host Specifies a RADIUS server host. radius-server retransmit Specifies how many times Cisco IOS XR software searches the list
of RADIUS server hosts before giving up.
radius-server timeout Sets the interval for which a router waits for a server host to reply.
Cisco IOS XR System Security Command Reference
SR-61

show radius accounting

show radius accounting
To obtain information and detailed statistics for the RADIUS accounting server and port, use the show radius accounting command in EXEC mode.
show radius accounting
Syntax Description This command has no arguments or keywords.
Defaults If no RADIUS servers are configured on the router, the output is empty. If the default values are for the
counter (for example, request and pending), the values are all zero because the RADIUS server was just defined and not used yet.
Command Modes EXEC
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Task ID Operations
aaa read
Examples The following sample output is displayed on a per-server basis for the show radius accounting
command:
RP/0/RP0/CPU0:router# show radius accounting
Server: 12.26.25.61, port: 1813 0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt
SR-62
Server: 12.26.49.12, port: 1813 0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Server: 12.38.28.18, port: 29199 0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt RP/0/RP0/CPU0:router#
Table 3 describes the significant fields shown in the display.
Table 3 show radius accounting Field Descriptions
Field Description
Server Server IP address/UDP destination port for authentication requests; UDP
destination port for accounting requests.
show radius accounting
Related Commands
Command Description
aaa accounting Creates a method list for accounting. aaa authentication Creates a method list for authentication. show radius authentication Obtains information and detailed statistics for the RADIUS
authentication server and port.
Cisco IOS XR System Security Command Reference
SR-63

show radius authentication

show radius authentication
To obtain information and detailed statistics for the RADIUS authentication server and port, use the
show radius authentication command in EXEC mode.
show radius authentication
Syntax Description This command has no arguments or keywords.
Defaults If no RADIUS servers are configured on the router, the output is empty. If the default values are for the
counter (for example, request and pending), the values are all zero because the RADIUS server was just defined and not used yet.
Command Modes EXEC
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Task ID Operations
aaa read
Examples The following sample output is for the show radius authentication command:
RP/0/RP0/CPU0:router# show radius authentication
Server: 12.26.25.61, port: 1812 0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges 0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt
SR-64
Server: 12.26.49.12, port: 1812 0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges 0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Server: 12.38.28.18, port: 21099 0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges 0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt RP/0/RP0/CPU0:router#
Table 4 describes the significant fields shown in the display.
Table 4 show radius authentication Field Descriptions
Field Description
Server Server IP address/UDP destination port for authentication requests; UDP
destination port for accounting requests.
show radius authentication
Related Commands
Command Description
aaa accounting Creates a method list for accounting. aaa authentication Creates a method list for authentication. show radius accounting Obtains information and detailed statistics for the RADIUS
accounting server and port.
Cisco IOS XR System Security Command Reference
SR-65

show radius client

show radius client
To obtain general information about the RADIUS client on Cisco IOS XR software, use the show radius client command in EXEC mode.
show radius client
Syntax Description This command has no arguments or keywords.
Defaults The default value for the counters (for example, an invalid address) is 0. The network access server
(NAS) identifier is the hostname that is defined on the router.
Command Modes EXEC
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The show radius client command displaysthe authentication and accounting responses that are received from the invalidRADIUSservers,for example, unknownto the NAS. In addition, the show radius client command displays the hostname or NAS identifier for the RADIUS authentication client, accounting client, or both.
Task ID
Task ID Operations
aaa read
Examples The following sample output is for the show radius client command:
RP/0/RP0/CPU0:router# show radius client
Client NAS identifier: miniq Authentication responses from invalid addresses: 0 Accounting responses from invalid addresses: 0
SR-66
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 5 describes the significant fields shown in the display.
Table 5 show radius client Field Descriptions
Field Description
Client NAS identifier Identifies the NAS-identifier of the RADIUS authentication client.
show radius client
Related Commands
Command Description
radius-server host Specifies a RADIUS server host. server (RADIUS) Associates a particular RADIUS server with a defined server group. show radius Displays information about the RADIUS servers that are configured
in the system.
Cisco IOS XR System Security Command Reference
SR-67

show radius dead-criteria

show radius dead-criteria
To obtain information about the dead server detection criteria, use the show radius dead-criteria command in EXEC mode.
show radius dead-criteria host ip-addr [auth-port auth-port] [acct-port acct-port]
Syntax Description
host ip-addr Specifies the name or IP address of the configured RADIUS server. auth-port auth-port (Optional) Specifies the authentication port for the RADIUS server. The
default value is 1645.
acct-port acct-port (Optional) Specifies the accounting port for the RADIUS server. The
default value is 1646.
Defaults The default values for time and tries are not fixed to a single value; therefore, they are calculated and fall
within a range of 10 to 60 seconds for time and 10 to 100 for tries.
Command Modes EXEC
Command History
Release Modification
Release 3.3.0 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Task ID Operations
aaa read
Examples The following sample output is for the show radius dead-criteria command:
RP/0/RP0/CPU0:router# show radius dead-criteria host 12.26.49.12 auth-port 11000 acct-port 11001
Server: 12.26.49.12/11000/11001 Dead criteria time: 10 sec (computed) tries: 10 (computed)
Cisco IOS XR System Security Command Reference
SR-68
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 6 describes the significant fields shown in the display.
Table 6 show radius dead-criteria Field Descriptions
Field Description
Server Server IP address/UDP destination port for authentication requests/UDP
destination port for accounting requests. Timeout Number of seconds the router waits for a server host to reply before timing out. Retransmits Number of times Cisco IOS XR software searches the list of RADIUS server
hosts before giving up.
show radius dead-criteria
Related Commands
Command Description
radius-server dead-criteria time
Forces one or both of the criteria that is used to mark a RADIUS server as dead.
radius-server deadtime Definesthe length of time in minutes for a RADIUS server to remain
marked dead.
Cisco IOS XR System Security Command Reference
SR-69

show radius server-groups

show radius server-groups
To display information about the RADIUS server groups that are configured in the system, use the show radius server-groups command in EXEC mode.
show radius server-groups
Syntax Description This command has no arguments or keywords.
Defaults No default behavior or values
Command Modes EXEC
Command History
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show radius server-groups command to display information about each configured RADIUS server group, including the group name, numbers of servers in the group, and a list of servers in the named server group. A global list of all configured RADIUS servers, along with authentication and accounting port numbers, is also displayed.
Task ID
Task ID Operations
aaa read
Examples Theinheritedglobal message is displayed if no group level deadtime is defined for this group; otherwise,
the group level deadtime value is displayed and this message is omitted. The following sample output is for the show radius server-groups command:
RP/0/RP0/CPU0:router# show radius server-groups
SR-70
Global list of servers
Contains 1 servers
Server 12.26.49.12/11000/11001
Server group 'radgroup' has 1 servers
Dead time: 0 minute(s) (inherited from global) Contains 1 servers
Server 12.26.49.12/11000/11001
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 7 describes the significant fields shown in the display.
Table 7 show radius server-groups Field Descriptions
Field Description
Server Server IP address/UDP destination port for authentication requests/UDP destination
port for accounting requests.
show radius server-groups
Related Commands
Command Description
radius-server host Specifies a RADIUS server host.
Cisco IOS XR System Security Command Reference
SR-71

show tacacs

show tacacs
To display information about the TACACS+ servers that are configured in the system, use the show tacacs command in EXEC mode.
show tacacs
Syntax Description This command has no arguments or keywords.
Defaults No default behavior or values
Command Modes EXEC
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs command to display statistics for each configured TACACS+ server.
Task ID
Task ID Operations
aaa read
Examples The following is sample output from the show tacacs command:
RP/0/RP0/CPU0:router# show tacacs
Server:1.1.1.1/21212 opens=0 closes=0 aborts=0 errors=0 packets in=0 packets out=0 status=up single-connect=false
SR-72
Server:2.2.2.2/21232 opens=0 closes=0 aborts=0 errors=0 packets in=0 packets out=0 status=up single-connect=false
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 8 describes the significant fields shown in the display.
Table 8 show tacacs Field Descriptions
Field Description
Server Server IP address. opens Number of socket opens to the external server. closes Number of socket closes to the external server. aborts Number of tacacs requests that have been aborted midway. errors Number of error replies from the external server. packets in Number of TCP packets that have been received from the external server. packets out Number of TCP packets that have been sent to the external server.
show tacacs
Cisco IOS XR System Security Command Reference
SR-73

show tacacs server-groups

show tacacs server-groups
To display information about the TACACS+ server groups that are configured in the system, use the
show tacacs server-groups command in EXEC mode.
show tacacs server-groups
Syntax Description This command has no arguments or keywords.
Defaults No default behavior or values
Command Modes EXEC
Command History
Release Modification
Release 3.2 This command was introduced on the Cisco CRS-1 and
Cisco XR 12000 Series Router.
Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show tacacs server-groups command to display information about each configured TACACS+ server group, including the group name, numbers of servers in the group, and a list of servers in the named server group. A global list of all configured TACACS+ servers is also displayed.
Task ID
Task ID Operations
aaa read
Examples The following is sample output from the show tacacs server-groups command:
RP/0/RP0/CPU0:router# show tacacs server-groups
Global list of servers Server 12.26.25.61/23456 Server 12.26.49.12/12345 Server 12.26.49.12/9000 Server 12.26.25.61/23432 Server 5.5.5.5/23456 Server 1.1.1.1/49
SR-74
Server group ‘tac100’ has 1 servers
Server 12.26.49.12
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Table 9 describes the significant fields shown in the display.
Table 9 show tacacs server-groups Field Descriptions
Field Description
Server Server IP address.
show tacacs server-groups
Related Commands
Command Description
tacacs-server host Specifies a TACACS+ server host.
Cisco IOS XR System Security Command Reference
SR-75

show task supported

show task supported
To display all task IDs available in the system, use the show task supported command in EXEC mode.
show task supported
Syntax Description This command has no arguments or keywords.
Defaults No default behavior or values
Command Modes EXEC
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The example is updated to display the task ID for eigrp.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show task supported command to display all task IDs available in the system.
Task ID
Task ID Operations
none
Examples The following sample output is from the show task supported command. Task IDs are displayed in
alphabetical order.
RP/0/RP0/CPU0:router# show task supported
SR-76
aaa acl admin atm basic-services bcdl bfd bgp boot bundle cdp cef
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
cisco-support config-mgmt config-services crypto diag disallowed drivers eigrp ext-access fabric fault-mgr filesystem firewall fr hdlc host-services hsrp interface inventory ip-services ipv4 ipv6 isis logging lpts monitor mpls-ldp mpls-static mpls-te multicast netflow network ospf ouni pkg-mgmt pos-dpt ppp qos rib rip root-lr root-system route-map route-policy sbc snmp sonet-sdh static sysmgr system transport tty-access tunnel universal vlan vrrp
show task supported
Related Commands Command Description
show aaa Displays the task maps for selected user groups, local users, or task groups. show user Displays task IDs enabled for the currently logged-in user.
Cisco IOS XR System Security Command Reference
SR-77

show user

show user
To display all user groups and task IDs associated with the currently logged-in user, use the show user command in EXEC mode.
show user [all | authentication | group | tasks]
Syntax Description
Defaults No default behavior or values
Command Modes EXEC
Command History
all (Optional) Displays all user groups and task IDs for the currently logged-in user. authentication (Optional) Displays authentication parameters for the currently logged-in user. group (Optional) Displays the user groups associated with the currently logged-in user. tasks (Optional) Displays task IDs associated with the currently logged-in user. The tasks
keyword indicates which task is reserved in the sample output.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The following enhancements are added:
An example was added to display all the group and tasks.
The authentication keyword was added.
The sample output for the group keyword was updated.
The sample output to display whether or not a task is reserved for the
tasks keyword was updated.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the show user command to display all user groups and task IDs associated with the currently logged-in user.
Task ID
Cisco IOS XR System Security Command Reference
SR-78
Task ID Operations
none
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
show user
Examples The following sample output displays the authentication parameters from the show user command:
RP/0/RP0/CPU0:router# show user authentication method
local
The following sample output displays the groups from the show user command:
RP/0/RP0/CPU0:router# show user group
root-system
The following sample output displays all the information for the group and tasks from the show user command:
RP/0/RP0/CPU0:router# show user all
Username: lab Groups: root-system Authenticated using method local User lab has the following Task ID(s):
Task: aaa : READ WRITE EXECUTE DEBUG Task: acl : READ WRITE EXECUTE DEBUG Task: admin : READ WRITE EXECUTE DEBUG Task: atm : READ WRITE EXECUTE DEBUG Task: basic-services : READ WRITE EXECUTE DEBUG Task: bcdl : READ WRITE EXECUTE DEBUG Task: bfd : READ WRITE EXECUTE DEBUG Task: bgp : READ WRITE EXECUTE DEBUG Task: boot : READ WRITE EXECUTE DEBUG Task: bundle : READ WRITE EXECUTE DEBUG Task: cdp : READ WRITE EXECUTE DEBUG Task: cef : READ WRITE EXECUTE DEBUG Task: config-mgmt : READ WRITE EXECUTE DEBUG Task: config-services : READ WRITE EXECUTE DEBUG Task: crypto : READ WRITE EXECUTE DEBUG Task: diag : READ WRITE EXECUTE DEBUG Task: drivers : READ WRITE EXECUTE DEBUG Task: eigrp : READ WRITE EXECUTE DEBUG Task: ext-access : READ WRITE EXECUTE DEBUG Task: fabric : READ WRITE EXECUTE DEBUG Task: fault-mgr : READ WRITE EXECUTE DEBUG Task: filesystem : READ WRITE EXECUTE DEBUG Task: firewall : READ WRITE EXECUTE DEBUG Task: fr : READ WRITE EXECUTE DEBUG Task: hdlc : READ WRITE EXECUTE DEBUG Task: host-services : READ WRITE EXECUTE DEBUG Task: hsrp : READ WRITE EXECUTE DEBUG Task: interface : READ WRITE EXECUTE DEBUG Task: inventory : READ WRITE EXECUTE DEBUG Task: ip-services : READ WRITE EXECUTE DEBUG Task: ipv4 : READ WRITE EXECUTE DEBUG Task: ipv6 : READ WRITE EXECUTE DEBUG Task: isis : READ WRITE EXECUTE DEBUG Task: logging : READ WRITE EXECUTE DEBUG Task: lpts : READ WRITE EXECUTE DEBUG Task: monitor : READ WRITE EXECUTE DEBUG Task: mpls-ldp : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG Task: netflow : READ WRITE EXECUTE DEBUG
Cisco IOS XR System Security Command Reference
SR-79
show user
Task: network : READ WRITE EXECUTE DEBUG Task: ospf : READ WRITE EXECUTE DEBUG Task: ouni : READ WRITE EXECUTE DEBUG Task: pkg-mgmt : READ WRITE EXECUTE DEBUG Task: pos-dpt : READ WRITE EXECUTE DEBUG Task: ppp : READ WRITE EXECUTE DEBUG Task: qos : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG Task: rip : READ WRITE EXECUTE DEBUG Task: root-lr : READ WRITE EXECUTE DEBUG (reserved) Task: root-system : READ WRITE EXECUTE DEBUG (reserved) Task: route-map : READ WRITE EXECUTE DEBUG Task: route-policy : READ WRITE EXECUTE DEBUG Task: sbc : READ WRITE EXECUTE DEBUG Task: snmp : READ WRITE EXECUTE DEBUG Task: sonet-sdh : READ WRITE EXECUTE DEBUG Task: static : READ WRITE EXECUTE DEBUG Task: sysmgr : READ WRITE EXECUTE DEBUG Task: system : READ WRITE EXECUTE DEBUG Task: transport : READ WRITE EXECUTE DEBUG Task: tty-access : READ WRITE EXECUTE DEBUG Task: tunnel : READ WRITE EXECUTE DEBUG Task: universal : READ WRITE EXECUTE DEBUG (reserved) Task: vlan : READ WRITE EXECUTE DEBUG Task: vrrp : READ WRITE EXECUTE DEBUG
The following sample output displays the tasks and indicates which tasks are reserved from the show user command:
RP/0/RP0/CPU0:router# show user tasks
Task: aaa : READ WRITE EXECUTE DEBUG Task: acl : READ WRITE EXECUTE DEBUG Task: admin : READ WRITE EXECUTE DEBUG Task: atm : READ WRITE EXECUTE DEBUG Task: basic-services : READ WRITE EXECUTE DEBUG Task: bcdl : READ WRITE EXECUTE DEBUG Task: bfd : READ WRITE EXECUTE DEBUG Task: bgp : READ WRITE EXECUTE DEBUG Task: boot : READ WRITE EXECUTE DEBUG Task: bundle : READ WRITE EXECUTE DEBUG Task: cdp : READ WRITE EXECUTE DEBUG Task: cef : READ WRITE EXECUTE DEBUG Task: config-mgmt : READ WRITE EXECUTE DEBUG Task: config-services : READ WRITE EXECUTE DEBUG Task: crypto : READ WRITE EXECUTE DEBUG Task: diag : READ WRITE EXECUTE DEBUG Task: drivers : READ WRITE EXECUTE DEBUG Task: eigrp : READ WRITE EXECUTE DEBUG Task: ext-access : READ WRITE EXECUTE DEBUG Task: fabric : READ WRITE EXECUTE DEBUG Task: fault-mgr : READ WRITE EXECUTE DEBUG Task: filesystem : READ WRITE EXECUTE DEBUG Task: firewall : READ WRITE EXECUTE DEBUG Task: fr : READ WRITE EXECUTE DEBUG Task: hdlc : READ WRITE EXECUTE DEBUG Task: host-services : READ WRITE EXECUTE DEBUG Task: hsrp : READ WRITE EXECUTE DEBUG Task: interface : READ WRITE EXECUTE DEBUG Task: inventory : READ WRITE EXECUTE DEBUG Task: ip-services : READ WRITE EXECUTE DEBUG Task: ipv4 : READ WRITE EXECUTE DEBUG Task: ipv6 : READ WRITE EXECUTE DEBUG Task: isis : READ WRITE EXECUTE DEBUG
SR-80
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Task: logging : READ WRITE EXECUTE DEBUG Task: lpts : READ WRITE EXECUTE DEBUG Task: monitor : READ WRITE EXECUTE DEBUG Task: mpls-ldp : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG Task: netflow : READ WRITE EXECUTE DEBUG Task: network : READ WRITE EXECUTE DEBUG Task: ospf : READ WRITE EXECUTE DEBUG Task: ouni : READ WRITE EXECUTE DEBUG Task: pkg-mgmt : READ WRITE EXECUTE DEBUG Task: pos-dpt : READ WRITE EXECUTE DEBUG Task: ppp : READ WRITE EXECUTE DEBUG Task: qos : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG Task: rip : READ WRITE EXECUTE DEBUG Task: root-lr : READ WRITE EXECUTE DEBUG (reserved) Task: root-system : READ WRITE EXECUTE DEBUG (reserved) Task: route-map : READ WRITE EXECUTE DEBUG Task: route-policy : READ WRITE EXECUTE DEBUG Task: sbc : READ WRITE EXECUTE DEBUG Task: snmp : READ WRITE EXECUTE DEBUG Task: sonet-sdh : READ WRITE EXECUTE DEBUG Task: static : READ WRITE EXECUTE DEBUG Task: sysmgr : READ WRITE EXECUTE DEBUG Task: system : READ WRITE EXECUTE DEBUG Task: transport : READ WRITE EXECUTE DEBUG Task: tty-access : READ WRITE EXECUTE DEBUG Task: tunnel : READ WRITE EXECUTE DEBUG Task: universal : READ WRITE EXECUTE DEBUG (reserved) Task: vlan : READ WRITE EXECUTE DEBUG Task: vrrp : READ WRITE EXECUTE DEBUG
show user
Related Commands Command Description
show aaa Displays the task maps for selected user groups, local users, or task groups. show task supported Displays all task IDs defined in the system.
Cisco IOS XR System Security Command Reference
SR-81

tacacs-server host

tacacs-server host
To specify a TACACS+ host server, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host host-name [port port-number] [timeout seconds] [ke y [0 | 7] auth-key]
single-connection
no tacacs-server host host-name [port port-number]
Syntax Description
Defaults No TACACS+ host is specified.
host-name Name or IP address of the TACACS+ server.
port port-number (Optional) Specifies a server port number. This option overrides the default,
which is port 49. Valid port numbers range from 1 to 65535.
timeout seconds (Optional) Specifiesatimeout valuethat sets the length of time the authentication,
authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server. This option overrides the global timeout value set with the tacacs-server timeout command for this server only. The valid timeout range is from 1 to 1000 seconds. Default is 5.
key [0 | 7] auth-key (Optional) Specifies an authentication and encryption key shared between the
AAA server and the TACACS+ server. The TACACS+ packets are encrypted using this key. This key must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the tacacs-server key command for this server only.
(Optional) Entering 0 specifies that an unencrypted (clear-text) key follows. (Optional) Entering 7 specifies that an encrypted key follows. The auth-keyargumentspecifies the unencrypted key to be used between the AAA
server and the TACACS+ server.
single-connection (Optional) Multiplexes all TACACS+ requests to this server over a single TCP
connection. By default, a separate connection is used for each session.
The port keyword, if not specified, defaults to the standard port 49. The timeout keyword, if not specified, defaults to 5 seconds.
Command Modes Global configuration
Command History
Cisco IOS XR System Security Command Reference
SR-82
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The show run command was modified to display the default values for both
the port keyword and the timeout keyword, if values are not specified.
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
tacacs-server host
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key keyword must be entered last because it uses a line (text with breaks) rather than a string (text only, with no breaks). Any text and line breaks up to the time the user presses Enter can be used as part of the key.
You can use multiple tacacs-server host commands to specify additional hosts. Cisco IOS XR software searches for hosts in the order in which you specify them.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to specify a TACACS+ host with the IP address 209.165.200.226:
RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226 RP/0/RP0/CPU0:router(config-tacacs-host)#
The following example shows that the default values from the tacacs-server host command are displayed from the show run command:
RP/0/RP0/CPU0:router# show run
Building configuration... !! Last configuration change at 13:51:56 UTC Mon Nov 14 2005 by lab ! tacacs-server host 209.165.200.226 port 49 timeout 5 !
The following example shows how to specify that the router consult the TACACS+ server host named host1 on port number 51. The timeout value for requests on this connection is 30 seconds; the encryption key is a_secret.
RP/0/RP0/CPU0:router(config)# tacacs-server host host1 port 51 timeout 30 key a_secret
Related Commands
Command Description
tacacs-server key Globally sets the authentication encryption key used for all TACACS+
communications between the router and the TACACS+ daemon.
tacacs-server timeout Globally sets the interval that the router waits for a server host to reply.
Cisco IOS XR System Security Command Reference
SR-83

tacacs-server key

tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the HF and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key key-name no tacacs-server key
Syntax Description
Defaults No default behavior or values
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
key-name Name of the key used to set authentication and encryption. This key name must match
the key used on the TACACS+ daemon. This key name applies to all servers that have no individual keys specified.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key name entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and after the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
The TACACS server key is used only if no key is configured for an individual TACACS server. Keys configured for an individual TACACS server always override this global key configuration.
Task ID
Examples The following example sets the authentication and encryption key to key1:
Cisco IOS XR System Security Command Reference
SR-84
Task ID Operations
aaa read, write
RP/0/RP0/CPU0:router(config)# tacacs-server key key1
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
Related Commands Command Description
tacacs-server host Specifies a TACACS+ host.
tacacs-server key
Cisco IOS XR System Security Command Reference
SR-85

tacacs-server timeout

tacacs-server timeout
Toset the interval that the server waits for a server host toreply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds no tacacs-server timeout
Syntax Description
Defaults seconds: 5 seconds
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
seconds Integer that specifies the timeout interval (in seconds) from 1 to 1000.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the tacacs-server timeout command to set the interval that the server waits for a server host to reply. The TACACS+ server timeout is used only if no timeout is configured for an individual TACACS+
server. Timeout intervals configured for an individual TACACS+ server always override this global timeout configuration.
Task ID
Examples The following example shows the interval timer being changed to 10 seconds:
Related Commands
Cisco IOS XR System Security Command Reference
SR-86
Task ID Operations
aaa read, write
RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10
Command Description
tacacs-server host Specifies a TACACS+ host.
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

tacacs source-interface

To specify the source IP address of a selected interface for all outgoing TACACS+ packets, use the tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.
tacacs source-interface type instance no tacacs source-interface type instance
tacacs source-interface
Syntax Description
type Interface type. For more information, use the question mark (?) online help
function.
instance Either a physical interface instance or a virtual interface instance as follows:
Physical interface instance. Naming notation is rack/slot/module/port and a
slash between values is required as part of the notation.
rack: Chassis number of the rack.
slot: Physical slot number of the modular services card or line card.
module: Module number. A physical layer interface module (PLIM) is always 0.
port: Physical port number of the interface.
Note In references to a Management Ethernet interface located on a route
processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0. Example: interface MgmtEth0/RP1/CPU0/0.
Virtual interface instance. Number range varies depending on interface type.
For more information about the syntax for the router, use the question mark (?) online help function.
Defaults If a specific source interface is not configured, or the interface is down or does not have an IP address
configured, the system selects an IP address.
Command Modes Global configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Cisco IOS XR System Security Command Reference
SR-87
tacacs source-interface
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the tacacs source-interface command to set the IP address of the specifiedinterfacefor all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
When the specified interface does not have an IP address or is in a down state, TACACS+ behaves as if no source interface configuration is used.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to set the IP address of the specified POS interface for all outgoing
TACACS+ packets:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# tacacs source-interface POS 0/1/0/1
Related Commands
Command Description
aaa group server radius Groups different server hosts into distinct lists and distinct methods.
SR-88
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

task

To add a task ID to a task group, use the task command in task group configuration mode. To remove a task ID from a task group, use the no form of this command.
task {read | write | execute | debug} taskid-name no task {read | write | execute | debug} taskid-name
task
Syntax Description
read Enables read-only privileges for the named task ID. write Enables write privileges for the named task ID. The term “write” implies read also. execute Enables execute privileges for the named task ID. debug Enables debug privileges for the named task ID.
taskid-name Name of the task ID.
Defaults No task IDs are assigned to a newly created task group.
Command Modes Task group configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the task command in task group configuration mode. Toaccess task group configuration mode, use the taskgroup command in global configuration mode.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to enable execute privileges for the config-services task ID and
associate that task ID with the task group named taskgroup1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup taskgroup1 RP/0/RP0/CPU0:router(config-tg)# task execute config-services
Cisco IOS XR System Security Command Reference
SR-89
task
Related Commands Command Description
taskgroup Configures a task group to be associated with a set of task IDs.
SR-90
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

taskgroup

To configure a task group to be associated with a set of task IDs, and to enter task group configuration mode, use the taskgroup command in globalconfigurationmode. To delete a task group, use the no form of this command.
taskgroup taskgroup-name [description string | task {read | write | execute | debug}
taskid-name | inherit taskgroup taskgroup-name]
no taskgroup taskgroup-name
taskgroup
Syntax Description
Defaults Five predefined user groups are available by default.
Command Modes Global configuration
Command History
taskgroup-name Name of a particular task group.
description (Optional) Enables you to create a description for the named task group.
string (Optional) Character string used for the task group description.
task (Optional) Specifies that a task ID is to be associated with the named task group. read (Optional) Specifies that the named task ID permits read access only. write (Optional) Specifies that the named task ID permits read and write access only. execute (Optional) Specifies that the named task ID permits execute access. debug (Optional) Specifies that the named task ID permits debug access only.
taskid-name (Optional) Name of a task: the task ID.
inherit taskgroup (Optional) Copies permissions from the named task group.
taskgroup-name (Optional) Name of the task group from which permissions are to be inherited.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 Support was added to display all task groups in global configuration mode.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task groups are configured with a set of task IDs for each action type. Deleting a task group that is still referenced in the system results in a warning and rejection of the deletion.
From global configuration mode, you can display all the configured task groups. However, you cannot display all the configured task groups in taskgroup configuration mode.
Cisco IOS XR System Security Command Reference
SR-91
taskgroup
Entering the taskgroup command with no keywordsor arguments enters task group configurationmode, in which you can use the description, inherit, show, and task commands.
Task ID
Task ID Operations
aaa read, write
Examples The following example assigns read bgp permission to the task group named alpha:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup alpha RP/0/RP0/CPU0:router(config-tg)# task read bgp
Related Commands
Command Description
description (AAA) Creates a task group description in task configuration mode. task Adds a task ID to a task group.
SR-92
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

timeout login response

To set the interval that the server waits for a reply to a login, use the timeout login response command in line configuration mode. To restore the default, use the no form of this command.
timeout login response seconds no timeout login response seconds
timeout login response
Syntax Description
seconds Integer that specifies the timeout interval (in seconds) from 0 to 300.
Defaults seconds: 30 seconds
Command Modes Line configuration
Command History
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the timeout login response command in line configuration mode to set the timeout value. This timeout value applies to all terminal lines to which the entered line template is applied. This timeout valuecan also be applied to line console. After the timeout value has expired, the user is prompted again. The retry is allowed three times.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to change the interval timer to 20 seconds:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template alpha RP/0/RP0/CPU0:router(config-line)# timeout login response 20
Cisco IOS XR System Security Command Reference
SR-93
timeout login response
Related Commands Command Description
login authentication Enables AAA authentication for logins.
SR-94
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

usergroup

To configurea user group and associate it with a set of task groups, and to enter user group configuration mode, use the usergroup command in global configuration mode. To delete a user group, or to delete a task-group association with the specified user group, use the no form of this command.
usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit usergroup
usergroup-name]
no usergroup usergroup-name [description string | taskgroup taskgroup-name | inherit
usergroup usergroup-name]
usergroup
Syntax Description
Defaults Five predefined user groups are available by default.
Command Modes Global configuration
Command History
usergroup-name Name of the user group. The usergroup-name argument can be
only one word. Spaces and quotation marks are not allowed.
description string (Optional) Describes the user group. taskgroup taskgroup-name (Optional) Associates the specified task group with the named
user group and inherits the task group permissions into this user group.
inherit usergroup usergroup-name (Optional) Copies permissions from another user group.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 Support was added to display all user groups in global configuration mode.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
User groups are configured with the command parameters for a set of users, such as task groups. You can remove specific user groups by using the no form of the usergroup command. You can remove the user group itself by using the no form of the command without giving any parameters. Deleting a user group that is still referenced in the system results in a warning and a rejection of the deletion.
Use the inherit usergroup command to copy permissions from other user groups. The user group is inherited by the parent group and forms a union of all task IDs specified in those groups. Cyclic inclusions are detected and rejected. User groups cannot inherit properties from predefined groups, such as root-system and owner-sdr.
Cisco IOS XR System Security Command Reference
SR-95
usergroup
From global configuration mode, you can display all the configured user groups. However, you cannot display all the configured user groups in usergroup configuration mode.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to add permissions from the user group beta to the user group alpha:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# usergroup alpha RP/0/RP0/CPU0:router(config-ug)# inherit usergroup beta
Related Commands
Command Description
description (AAA) Creates a description of a task group during configuration. inherit usergroup Enables a user group to derive permissions from another user group. taskgroup Configures a task group to be associated with a set of task IDs.
SR-96
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

username

To configure a new user with a username, establish a password, and grant permissions for the user, and to enter username configuration mode, use the username command in global configuration mode. To delete a user from the database, use the no form of this command.
username user-name [password {0 | 7} password | secret {0 | 5} password | group
usergroup-name]
no username user-name [password {0 | 7} password | secret {0 | 5} password | group
usergroup-name]
username
Syntax Description
Defaults No usernames are defined in the system.
Command Modes Global configuration
Command History
user-name Name of the user. The user-name argument can be only one word. Spaces and
quotation marks are not allowed.
password (Optional) Enables a password to be created for the named user. 0 (Optional) Specifies that an unencrypted (clear-text) password follows. 7 (Optional) Specifies that an encrypted password follows.
password (Optional) Specifiesthe character-string password to be entered by the user to log in.
secret (Optional) Enables a secure password to be created for the named user. 0 (Optional) Specifies that an unencrypted (clear-text) secret follows. 5 (Optional) Specifies an encrypted password follows. group (Optional) Enables a named user to be associated with a user group. usergroup-name (Optional) Name of a user group as defined with the usergroup command.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 Support was added to display all user names in global configuration mode.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the username command to identify the user and enter username configuration mode. Password and user group assignments can be made from either global configuration mode or username configuration submode. Permissions (task IDs) are assigned by associating the user with one or more defined user groups.
Cisco IOS XR System Security Command Reference
SR-97
username
From global configuration mode, you can display all the configured usernames. However, you cannot display all the configured usernames in username configuration mode.
Each user is identified by a username that is unique across the administrative domain. Each user should be made a member of at least one user group. Deleting a user group may orphan the users associated with that group. The AAA server authenticates orphaned users but most commands are not authorized.
If you want to require a username and password on the console or for Telnet sessions, configure authentication using both the aaa authentication login default local command and the username command.
The predefined group root-system may be specified only by root-system users while administration is configured.
Note To enable the local networking device to respond to remote CHAP challenges, one username command
entry must be the same as the hostname entry that has already been assigned to the other networking device.
Task ID
Task ID Operations
aaa read, write
Examples The following example shows how to establish the unencrypted password password1 for the user user1:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user1 RP/0/RP0/CPU0:router(config-un)# password 0 password1
Related Commands
Command Description
aaa authentication Defines a method list for authentication. group Adds a user to a group. password (AAA) Creates a login password for a user.
SR-98
Cisco IOS XR System Security Command Reference
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

users group

To associate a user group and its privileges with a line, use the users group command in line configuration mode. To delete a user group association with a line, use the no form of this command.
users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system |
sysadmin}
no users group {usergroup-name | cisco-support | netadmin | operator | root-lr | root-system |
serviceadim | sysadmin}
users group
Syntax Description
Defaults No default behavior or values
Command Modes Line configuration
usergroup-name Name of the user group. The usergroup-name argument can be only one word.
Spaces and quotation marks are not allowed.
cisco-support Specifies that users logging in through the line are given Cisco support personnel
privileges.
netadmin Specifies that users logging in through the line are given network administrator
privileges.
operator Specifies that users logging in through the line are given operator privileges. root-lr Specifies that users logging in through the line are given root logical router (LR)
privileges.
root-system Specifies that users logging in through the line are given root system privileges. serviceadmin Specifies that users logging in through the line are given service administrator
group privileges.
sysadmin Specifies that users logging in through the line are given system administrator
privileges.
Command History
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router. Release 3.3.0 The serviceadmin keyword was added.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the users group command to enable a user group and its privileges to be associated with a line, meaning that users logging in through the line are given the privileges of the particular user group.
Cisco IOS XR System Security Command Reference
SR-99
users group
Task ID
Task ID Operations
aaa read, write
Examples Inthe following example, if a vty-pool is created with line template vty, users logging in through vty are
given operator privileges:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa authen login vty-authen line RP/0/RP0/CPU0:router(config)# commit RP/0/RP0/CPU0:router(config)# line template vty RP/0/RP0/CPU0:router(config-line)# users group operator RP/0/RP0/CPU0:router(config-line)# login authentication
SR-100
Cisco IOS XR System Security Command Reference
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use