Lab - AAA (IOS-XR)

Load the MDT topology:

containerlab destroy -a
containerlab deploy -t mdt/mdt.clab.yml --reconfigure

Configure AAA on XR1 using the following guidelines:

  • Configure a RADIUS server at 155.1.1.1 using port 1812 for authentication, port 1813 for accounting, and CISCO123 for the key. Use a timeout of 3 seconds.

  • If the RADIUS server is not available, fall back to local passwords for authentication.

    • Create a user named ADMIN with password CISCO123 and root-lr privilege.

    • Create a user named NOC with password CISCO123 that has read access to the RIB, OSPF, and interfaces.

  • Use the RADIUS server for accounting for each SSH session that is started.

  • Do not require any authorization, as RADIUS or the user database will provide authorization during the authentication process.

  • Enable SSH for the default VRF.

  • Allow SSH for up to 50 simultaneous sessions.

Answer

#XR1
radius-server host 155.1.1.1 auth-port 1812 acct-port 1813
 key CISCO123
 timeout 3
!
aaa group server radius RAD_GROUP
 server 155.1.1.1 auth-port 1812 acct-port 1813
!
username ADMIN
 group root-lr
 password CISCO123
!
taskgroup NOC_TASKS
 task read rib
 task read ospf
 task read interface
!
usergroup NOC_GROUP
 taskgroup NOC_TASKS
!
username NOC
 group NOC_GROUP
 password CISCO123
!
!
aaa accounting exec VTY start-stop group RAD_GROUP
aaa authorization exec VTY none
aaa authentication login VTY group RAD_GROUP local
!
line template VTY
 accounting exec VTY
 authorization exec VTY
 login authentication VTY
!
vty-pool default 0 50 line-template VTY
!
ssh server session-limit 50
ssh server vrf default

Explanation

This lab is fairly straightforward. We configure a RADIUS server, assign it to a group, and use that group for AAA. Just like on IOS-XE, the first method in the list is tried first, and only if it fails to return a reply are the subsequent methods attempted.

We create a task group with the granular permissions we are permitting to NOC users, assign this to a user group, and assign the user group to the NOC user.

The method of applying the AAA lists to the VTY lines is different on IOS-XR. We must apply them to a line template, and then apply that template to the VTY pool.

If we SSH from XR2 to XR1 with the user NOC, we can see that many commands are not authorized. Even though we are using authorization none, the authorization comes from the authentication process.

In config mode we do not have the ability to actually set anything:

RP/0/RP0/CPU0:XR1(config)#?
  abort         Abort this configuration session
  alias         Create an alias for entity
  clear         Clear the uncommitted configuration
  commit        Commit the configuration changes via pseudo-atomic operation
  describe      Describe a command without taking real actions
  do            Run an exec command
  end           Exit from configure mode
  exclude-item  Negate a command or set its defaults
  exit          Exit from configure mode
  ip            Deprecated, use ipv4 instead
  no            Negate a command or set its defaults
  root          Exit to the global configuration mode
  service       Modify use of network based services
  show          Show contents of configuration
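The guidelines of this lab can also be checked mechanically against the running configuration. The following Python script is an added example, not part of the lab; it parses a constructed copy of XR1's AAA configuration and verifies the RADIUS key and timeout, the local fallback at the end of the login method list, start-stop accounting to the RADIUS group, read-only task groups, and the SSH session limit.

```python
# Constructed sample of XR1's AAA config as "show running-config" prints it (not from a real device).
XR1_CONFIG = """\
radius-server host 155.1.1.1 auth-port 1812 acct-port 1813
 key CISCO123
 timeout 3
!
taskgroup NOC_TASKS
 task read rib
 task read ospf
!
aaa accounting exec VTY start-stop group RAD_GROUP
aaa authentication login VTY group RAD_GROUP local
ssh server session-limit 50
"""

def parse_blocks(config):
    """Map each top-level line to its indented child lines ('!' closes a block)."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            parent = None
        elif line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit_aaa(config):
    """Check the lab's AAA guidelines; returns {check_name: passed}."""
    blocks = parse_blocks(config)
    radius = [k for k in blocks if k.startswith("radius-server host ")]
    login = [k for k in blocks if k.startswith("aaa authentication login ")]
    acct = [k for k in blocks if k.startswith("aaa accounting exec ")]
    tasks = [c for k, v in blocks.items() if k.startswith("taskgroup ")
             for c in v if c.startswith("task ")]
    limits = [int(k.split()[-1]) for k in blocks if k.startswith("ssh server session-limit ")]
    return {
        # each RADIUS host carries a shared key and an explicit timeout
        "radius_key_and_timeout": bool(radius) and all(
            any(c.startswith("key ") for c in blocks[h])
            and any(c.startswith("timeout ") for c in blocks[h]) for h in radius),
        # the method list tries RADIUS first but ends in 'local', so a dead server cannot lock us out
        "local_fallback": any("group" in k and k.split()[-1] == "local" for k in login),
        "session_accounting": any("start-stop group" in k for k in acct),
        # NOC-style task groups grant only read tasks (no write/execute/debug)
        "taskgroups_read_only": bool(tasks) and all(t.startswith("task read ") for t in tasks),
        "ssh_limit_le_50": bool(limits) and all(n <= 50 for n in limits),
    }
```

Feeding the script the output of `show running-config` from a real device would apply the same checks; the sample embedded here only covers the statements this lab asks for.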
