Create User Profiles and Assign Privileges

To provide controlled access to the XR and System Admin configurations on the router, user profiles are created with assigned privileges. The privileges are specified using command rules and data rules.

The authentication, authorization, and accounting (aaa) commands are used for the creation of users, groups, command rules, and data rules. The aaa commands are also used for changing the disaster-recovery password.


Note

You cannot configure the external AAA server and services from the System Admin VM. It can be configured only from the XR VM.

Configure AAA authorization to restrict users from uncontrolled access. If AAA authorization is not configured, the command and data rules associated to the groups that are assigned to the user are bypassed. An IOS-XR user can have full read-write access to the IOS-XR configuration through Network Configuration Protocol (NETCONF), google-defined Remote Procedure Calls (gRPC) or any YANG-based agents. In order to avoid granting uncontrolled access, enable AAA authorization before setting up any configuration.



Note

If any user on XR is deleted, the local database checks whether there is a first user on System Admin VM.

  • If there is a first user, no syncing occurs.

  • If there is no first user, then the first user on XR (based on the order of creation) is synced to System Admin VM.

  • When a user is added in XR, if there is no user on System Admin mode, then the user is synced to sysadmin-vm. After the synchronization, any changes to the user on XR VM does not synchronize on the System Admin VM.

  • A user added on the System Admin VM does not synchronize with XR VM.

  • Only the first user or disaster-recovery user created on System Admin VM synchronizes with the host VM.

  • Changes to credentials of first user or disaster-recovery user on System Admin VM synchronizes with the host VM.

  • The first user or disaster-recovery user deleted on System Admin VM does not synchronize with the host VM. The host VM retains the user.


Users are authenticated using username and password. Authenticated users are entitled to execute commands and access data elements based on the command rules and data rules that are created and applied to user groups. All users who are part of a user group have such access privileges to the system as defined in the command rules and data rules for that user group.

The workflow for creating user profile is represented in this flow chart:
Figure 1. Workflow for Creating User Profiles



Note

The root-lr user, created for the XR VM during initial router start-up, is mapped to the root-system user for the System Admin VM. The root-system user has superuser permissions for the System Admin VM and therefore has no access restrictions.


Use the show run aaa command in the Config mode to view existing aaa configurations.

The topics covered in this chapter are:

Create User Groups

Create a new user group to associate command rules and data rules with it. The command rules and data rules are enforced on all users that are part of the user group.

For extensive information about creating user groups, task groups, RADIUS and TACACS configurations, see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5500 Series Routers. For detailed information about commands, syntax and their description, see the Authentication, Authorization, and Accounting Commands chapter in the System Security Command Reference for Cisco NCS 5500 Series Routers and Cisco NCS 540 and NCS 560 Series Routers.

Configure User Groups in XR VM

User groups are configured with the command parameters for a set of users, such as task groups. Entering the usergroup command accesses the user group configuration submode. Users can remove specific user groups by using the no form of the usergroup command. Deleting a usergroup that is still referenced in the system results in a warning.

Before you begin


Note

Only users associated with the WRITE:AAA task ID can configure user groups. User groups cannot inherit properties from predefined groups, such as owner-sdr.


SUMMARY STEPS

  1. configure
  2. usergroup usergroup-name
  3. description string
  4. inherit usergroup usergroup-name
  5. taskgroup taskgroup-name
  6. Repeat Step for each task group to be associated with the user group named in Step 2.
  7. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

usergroup usergroup-name

Example:

 RP/0/RP0/CPU0:router(config)# usergroup beta 

Creates a name for a particular user group and enters user group configuration submode.

  • Specific user groups can be removed from the system by specifying the no form of the usergroup command.

Step 3

description string

Example:

 RP/0/RP0/CPU0:router(config-ug)# 
description this is a sample user group description 

(Optional) Creates a description of the user group named in Step 2.

Step 4

inherit usergroup usergroup-name

Example:

 RP/0/RP0/CPU0:router(config-ug)# 
inherit usergroup sales
  • Explicitly defines permissions for the user group.

Step 5

taskgroup taskgroup-name

Example:

 RP/0/RP0/CPU0:router(config-ug)# taskgroup beta

Associates the user group named in Step 2 with the task group named in this step.

  • The user group takes on the configuration attributes (task ID list and permissions) already defined for the entered task group.

Step 6

Repeat Step for each task group to be associated with the user group named in Step 2.

Step 7

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Create a User Group in System Admin VM

Create a user group for the System Admin VM.

The router supports a maximum of 32 user groups.

Before you begin

Create a user profile. See the Create User section.

SUMMARY STEPS

  1. admin
  2. config
  3. aaa authentication groups group group_name
  4. users user_name
  5. gid group_id_value
  6. Use the commit or end command.

DETAILED STEPS


Step 1

admin

Example:


RP/0/RP0/CPU0:router# admin 

Enters mode.

Step 2

config

Example:

sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3

aaa authentication groups group group_name

Example:

sysadmin-vm:0_RP0(config)#aaa authentication groups group gr1

Creates a new user group (if it is not already present) and enters the group configuration mode. In this example, the user group "gr1" is created.

Note 

By default, the user group "root-system" is created by the system at the time of root user creation. The root user is part of this user group. Users added to this group will get root user permissions.

Step 4

users user_name

Example:

sysadmin-vm:0_RP0(config-group-gr1)#users us1

Specify the name of the user that should be part of the user group.

You can specify multiple user names enclosed withing double quotes. For example, users "user1 user2 ..." .

Step 5

gid group_id_value

Example:

sysadmin-vm:0_RP0(config-group-gr1)#gid 50

Specify a numeric value. You can enter any 32 bit integer.

Step 6

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


What to do next

Create Users

Create new users for the XR VM and System Admin VM.


Note

Users created in the System Admin VM are different from the ones created in XR VM. As a result, the username and password of a System Admin VM user cannot be used to access the XR VM, and vice versa.


XR VM and System Admin VM User Profile Synchronization

When the user profile is created for the first time in XR VM, the user name and password are synced to the System Admin VM if no user already exists in System Admin VM.

However, the subsequent password change or user deletion in XR VM for the synced user is not synchronized with the System Admin VM.

Therefore, the passwords in XR VM and System Admin VM may not be the same. Also, the user synced with the System Admin VM will not be deleted if the user is deleted in XR VM.

For extensive information about creating user groups, task groups, RADIUS and TACACS configurations, see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5500 Series Routers. For detailed information about commands, syntax and their description, see the Authentication, Authorization, and Accounting Commands chapter in the System Security Command Reference for Cisco NCS 5500 Series Routers and Cisco NCS 540 and NCS 560 Series Routers.

Create a User Profile in XR VM

Each user is identified by a username that is unique across the administrative domain. Each user must be a member of at least one user group. Deleting a user group may orphan the users associated with that group. The AAA server authenticates orphaned users but most commands are not authorized.

For more information about AAA, and creating users, see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5500 Series Routers. For detailed information about related commands, syntax and their description, see the Authentication, Authorization, and Accounting Commands chapter in the System Security Command Reference for Cisco NCS 5500 Series Routers and Cisco NCS 540 and NCS 560 Series Routers.

Procedure


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

username user-name

Example:

 RP/0/RP0/CPU0:router(config)# username user1 

Creates a name for a new user (or identifies a current user) and enters username configuration submode.

  • The user-name argument can be only one word. Spaces and quotation marks are not allowed.

Step 3

Do one of the following:

  • password {0 | 7} password
  • secret {0 | 5 | 8 | 9 | 10} secret

Example:

 Router(config-un)# password 0 pwd1 

or

 Router(config-un)# secret 0 sec1 

Specifies a password for the user named in Step 2.

  • Use the secret command to create a secure login password for the user names specified in Step 2.

  • Entering 0 following the password command specifies that an unencrypted (clear-text) password follows. Entering 7 following the password command specifies that an encrypted password follows.

  • For the secret command, the following values can be entered:
    • 0 : specifies that a secure unencrypted (clear-text) password follows

    • 5 : specifies that a secure encrypted password follows that uses MD5 hashing algorithm

    • 8 : specifies that Type 8 secret that uses SHA256 hashing algorithm follows

    • 9 : specifies that Type 9 secret that uses SCrypt hashing algorithm follows

      Note 

      The Type 8 and Type 9 secrets are supported on the IOS XR 64-bit operating system starting from Cisco IOS XR Software Release 7.0.1. Prior to this release, it was supported only on the IOS XR 32-bit operating system.

    • 10 : specifies Type 10 secret that uses SHA512 hashing algorithm
      Note 
      • Type 10 secret is supported only for Cisco IOS XR 64 bit platform.

      • Backward compatibility issues such as configuration loss, authentication failure, and so on, are expected when you downgrade to lower versions that still use MD5 or SHA256 encryption algorithms. If there are any type 10 secrets, convert the secrets to type 5 if you are downgrading the system from versions 7.0.1 and above to versions 6.5.3 and above. If you are downgrading the system from versions 7.0.1 and above to versions below 6.5.3, then un-configure all users from the XR-vm and sysadmin-vm before executing install activate.

      • In a first user configuration scenario or when you reconfigure a user, the system synchronises only the Type 5 and Type 10 secrets from XR VM to System Admin VM and Host VM. It does not synchronize the Type 8 and Type 9 secrets in such scenarios.

  • Type 0 is the default for the password and secret commands.

  • From Cisco IOS XR Software Release 7.0.1 and later, the default hashing type is 10 (SHA512) when clear text secret is configured without choosing the type in the configuration.

Step 4

group group-name

Example:

 RP/0/RP0/CPU0:router(config-un)# group sysadmin 

Assigns the user named in Step 2 to a user group that has already been defined through the usergroup command.

  • The user takes on all attributes of the user group, as defined by that user group’s association to various task groups.

  • Each user must be assigned to at least one user group. A user may belong to multiple user groups.

Step 5

Repeat step 4 for each user group to be associated with the user specified in step 2.

Step 6

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Create a User Profile in System Admin VM

Create new users for the System Admin VM. Users are included in a user group and assigned certain privileges. The users have restricted access to the commands and configurations in the System Admin VM console, based on assigned privileges.

The router supports a maximum of 1024 user profiles.

The root-lr user of XR VM can access the System Admin VM by entering Admin command in the XR EXEC mode. The router does not prompt you to enter any username and password. The XR VM root-lr user is provided full access to the System Admin VM.

SUMMARY STEPS

  1. admin
  2. config
  3. aaa authentication users user user_name
  4. password password
  5. uid user_id_value
  6. gid group_id_value
  7. ssh_keydir ssh_keydir
  8. homedir homedir
  9. Use the commit or end command.

DETAILED STEPS


Step 1

admin

Example:


RP/0/RP0/CPU0:router# admin 

Enters mode.

Step 2

config

Example:

sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3

aaa authentication users user user_name

Example:

sysadmin-vm:0_RP0(config)#aaa authentication users user us1

Creates a new user and enters user configuration mode. In the example, the user "us1" is created.

Step 4

password password

Example:

sysadmin-vm:0_RP0(config-user-us1)#password pwd1

Enter the password that will be used for user authentication at the time of login into System Admin VM.

Step 5

uid user_id_value

Example:

sysadmin-vm:0_RP0(config-user-us1)#uid 100

Specify a numeric value. You can enter any 32 bit integer.

Step 6

gid group_id_value

Example:

sysadmin-vm:0_RP0(config-user-us1)#gid 50

Specify a numeric value. You can enter any 32 bit integer.

Step 7

ssh_keydir ssh_keydir

Example:

sysadmin-vm:0_RP0(config-user-us1)#ssh_keydir dir1

Specify any alphanumeric value.

Step 8

homedir homedir

Example:

sysadmin-vm:0_RP0(config-user-us1)#homedir dir2

Specify any alphanumeric value.

Step 9

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


What to do next

Create Command Rules

Command rules are rules based on which users of a user group are either permitted or denied the use of certain commands. Command rules are associated to a user group and get applied to all users who are part of the user group.

A command rule is created by specifying whether an operation is permitted, or denied, on a command. This table lists possible operation and permission combinations:

Operation Accept Permission Reject Permission
Read (R) Command is displayed on the CLI when "?" is used. Command is not displayed on the CLI when "?" is used.
Execute (X) Command can be executed from the CLI. Command cannot be executed from the CLI.
Read and execute (RX) Command is visible on the CLI and can be executed. Command is neither visible nor executable from the CLI.

By default, all permissions are set to Reject .

Each command rule is identified by a number associated with it. When multiple command rules are applied to a user group, the command rule with a lower number takes precedence. For example, cmdrule 5 permits read access, while cmdrule10 rejects read access. When both these command rules are applied to the same user group, the user in this group gets read access because cmdrule 5 takes precedence.

As an example, in this task, the command rule is created to deny read and execute permissions for the "show platform" command.

Before you begin

Create an user group. See Create a User Group in System Admin VM.

SUMMARY STEPS

  1. admin
  2. config
  3. aaa authorization cmdrules cmdrule command_rule_number
  4. command command_name
  5. ops {r | x | rx}
  6. action { accept | accept_log | reject}
  7. group user_group_name
  8. context connection_type
  9. Use the commit or end command.

DETAILED STEPS


Step 1

admin

Example:


RP/0/RP0/CPU0:router# admin 

Enters mode.

Step 2

config

Example:

sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3

aaa authorization cmdrules cmdrule command_rule_number

Example:

sysadmin-vm:0_RP0(config)#aaa authorization cmdrules cmdrule 1100

Specify a numeric value as the command rule number. You can enter a 32 bit integer.

Important 
Do no use numbers between 1 to 1000 because they are reserved by Cisco.

This command creates a new command rule (if it is not already present) and enters the command rule configuration mode. In the example, command rule "1100" is created.

Note 

By default "cmdrule 1" is created by the system when the root-system user is created. This command rule provides "accept" permission to "read" and "execute" operations for all commands. Therefore, the root user has no restrictions imposed on it, unless "cmdrule 1" is modified.

Step 4

command command_name

Example:

sysadmin-vm:0_RP0(config-cmdrule-1100)#command "show platform"

Specify the command for which permission is to be controlled.

If you enter an asterisk '*' for command , it indicates that the command rule is applicable to all commands.

Step 5

ops {r | x | rx}

Example:

sysadmin-vm:0_RP0(config-cmdrule-1100)#ops rx

Specify the operation for which permission has to be specified:

  • r — Read

  • x — Execute

  • rx — Read and execute

Step 6

action { accept | accept_log | reject}

Example:

sysadmin-vm:0_RP0(config-cmdrule-1100)#action reject

Specify whether users are permitted or denied the use of the operation.

  • accept — users are permitted to perform the operation

  • accept_log — users are permitted to perform the operation and every access attempt is logged.

  • reject — users are restricted from performing the operation.

Step 7

group user_group_name

Example:

sysadmin-vm:0_RP0(config-cmdrule-1100)#group gr1

Specify the user group on which the command rule is applied.

Step 8

context connection_type

Example:

sysadmin-vm:0_RP0(config-cmdrule-1100)#context *

Specify the type of connection to which this rule applies. The connection type can be netconf (Network Configuration Protocol), cli (Command Line Interface), or xml (Extensible Markup Language ). It is recommended that you enter an asterisk '*'; this indicates that the command rule applies to all connection types.

Step 9

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


What to do next

Create data rules. See Create Data Rules.

Create Data Rules

Data rules are rules based on which users of the user group are either permitted, or denied, accessing and modifying configuration data elements. The data rules are associated to a user group. The data rules get applied to all users who are part of the user group.

Each data rule is identified by a number associated to it. When multiple data rules are applied to a user group, the data rule with a lower number takes precedence.

Before you begin

Create an user group. See Create a User Group in System Admin VM.

SUMMARY STEPS

  1. admin
  2. config
  3. aaa authorization datarules datarule data_rule_number
  4. keypath keypath
  5. ops operation
  6. action { accept | accept_log | reject}
  7. group user_group_name
  8. context connection type
  9. namespace namespace
  10. Use the commit or end command.

DETAILED STEPS


Step 1

admin

Example:


RP/0/RP0/CPU0:router# admin 

Enters mode.

Step 2

config

Example:

sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3

aaa authorization datarules datarule data_rule_number

Example:

sysadmin-vm:0_RP0(config)#aaa authorization datarules datarule 1100

Specify a numeric value as the data rule number. You can enter a 32 bit integer.

Important 
Do no use numbers between 1 to 1000 because they are reserved by Cisco.

This command creates a new data rule (if it is not already present) and enters the data rule configuration mode. In the example, data rule "1100" is created.

Note 

By default "datarule 1" is created by the system when the root-system user is created. This data rule provides "accept" permission to "read", "write", and "execute" operations for all configuration data. Therefore, the root user has no restrictions imposed on it, unless "datarule 1" is modified.

Step 4

keypath keypath

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#keypath  /aaa/disaster-recovery

Specify the keypath of the data element. The keypath is an expression defining the location of the data element. If you enter an asterisk '*' for keypath , it indicates that the command rule is applicable to all configuration data.

Step 5

ops operation

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#ops rw

Specify the operation for which permission has to be specified. Various operations are identified by these letters:

  • c—Create

  • d—Delete

  • u—Update

  • w— Write (a combination of create, update, and delete)

  • r—Read

  • x—Execute

Step 6

action { accept | accept_log | reject}

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#action reject

Specify whether users are permitted or denied the operation.

  • accept — users are permitted to perform the operation

  • accept_log — users are permitted to perform the operation and every access attempt is logged

  • reject — users are restricted from performing the operation

Step 7

group user_group_name

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#group gr1

Specify the user group on which the data rule is applied. Multiple group names can also be specified.

Step 8

context connection type

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#context *

Specify the type of connection to which this rule applies. The connection type can be netconf (Network Configuration Protocol), cli (Command Line Interface), or xml (Extensible Markup Language ). It is recommended that you enter an asterisk '*', which indicates that the command applies to all connection types.

Step 9

namespace namespace

Example:

sysadmin-vm:0_RP0(config-datarule-1100)#namespace *

Enter asterisk '*' to indicate that the data rule is applicable for all namespace values.

Step 10

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Change Disaster-recovery Username and Password

When you define the root-system username and password initially after starting the router, the same username and password gets mapped as the disaster-recovery username and password for the System Admin console. However, it can be changed.

The disaster-recovery username and password is useful in these scenarios:

  • Access the system when the AAA database, which is the default source for authentication in System Admin console is corrupted.

  • Access the system through the management port, when, for some reason, the System Admin console is not working.

  • Create new users by accessing the System Admin console using the disaster-recovery username and password, when the regular username and password is forgotten.


Note

On the router, you can configure only one disaster-recovery username and password at a time.


SUMMARY STEPS

  1. admin
  2. config
  3. aaa disaster-recovery username username password password
  4. Use the commit or end command.

DETAILED STEPS


Step 1

admin

Example:


RP/0/RP0/CPU0:router# admin 

Enters mode.

Step 2

config

Example:

sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3

aaa disaster-recovery username username password password

Example:

sysadmin-vm:0_RP0(config)#aaa disaster-recovery username us1 password pwd1

Specify the disaster-recovery username and the password. You have to select an existing user as the disaster-recovery user. In the example, 'us1' is selected as the disaster-recovery user and assigned the password as 'pwd1'. The password can be entered as a plain text or md5 digest string.

When you need to make use of the disaster recovery username, you need to enter it as username@localhost .

Step 4

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.


Recover Password using PXE Boot

If you are unable to login or lost your XR and System administration passwords, use the following steps to create new password. A lost password cannot be recovered, instead a new username and password must be created with a non-graceful PXE boot.

Procedure


Step 1

Boot the router using PXE.

Note 

PXE boot is fully intrusive. The router state, configuration and image is reset.

To PXE boot a router, see Boot the Router Using iPXE.
Step 2

Reset the password.