Ok, final post on IOS-XR before the workbook is published in its entirety.
 
So you want to secure your IOS-XR device using TACACS.
The first example uses the default VRF for TACACS, and the second uses a different VRF. For both examples, the TACACS server is at 192.168.100.100 and the shared key is TacacsPassword.
First up, we need to configure our source interface for TACACS. Here we will use Loopback0 and the default VRF.
RP/0/RSP0/CPU0:PE2(config)#tacacs source-interface Loopback0 vrf default
Now we can configure our TACACS server and key.
RP/0/RSP0/CPU0:PE2(config)#tacacs-server host 192.168.100.100
RP/0/RSP0/CPU0:PE2(config-tacacs-host)#key 0 TacacsPassword
RP/0/RSP0/CPU0:PE2(config-tacacs-host)#exit
RP/0/RSP0/CPU0:PE2(config)#
Time to create a local console authentication method, so that the console does not rely on TACACS.
You may or may not want to do this, but I am showing it for these examples.
RP/0/RSP0/CPU0:PE2(config)#aaa authentication login console local
RP/0/RSP0/CPU0:PE2(config)#aaa authorization commands console none
Apply the console login method to the line console.
RP/0/RSP0/CPU0:PE2(config)#line console
RP/0/RSP0/CPU0:PE2(config-line)#login authentication console
RP/0/RSP0/CPU0:PE2(config-line)#authorization commands console
RP/0/RSP0/CPU0:PE2(config-line)#exit
RP/0/RSP0/CPU0:PE2(config)#

Now we can start to configure our AAA for login. Here I am using the default method list, with local as the fallback.
RP/0/RSP0/CPU0:PE2(config)#aaa authentication login default group tacacs+ local
Now for some command authorization, if you want it.
RP/0/RSP0/CPU0:PE2(config)#aaa authorization commands default group tacacs+
And accounting as well.
RP/0/RSP0/CPU0:PE2(config)#aaa accounting exec default start-stop group tacacs+
RP/0/RSP0/CPU0:PE2(config)#aaa accounting system default start-stop group tacacs+
RP/0/RSP0/CPU0:PE2(config)#aaa accounting commands default start-stop group tacacs+
Since this is IOS XR, I strongly suggest using a commit confirmed here, so the change rolls back automatically if you lock yourself out!
RP/0/RSP0/CPU0:PE2(config)#commit confirmed minutes 2
Thu Oct 18 03:22:57.487 UTC
RP/0/RSP0/CPU0:PE2(config)#
From another terminal, SSH into the box using a TACACS account, and if that succeeds, commit again to confirm.
RP/0/RSP0/CPU0:PE2(config)#commit
Thu Oct 18 03:23:22.951 UTC
% Confirming commit for trial session.
RP/0/RSP0/CPU0:PE2(config)#
 
That is normal TACACS; now time to add in the challenges of a VRF.
First up, we need to set our source interface. For this one I will use a different loopback, Loopback100, in VRF CustA.
RP/0/RSP0/CPU0:PE2(config)#tacacs source-interface Loopback100 vrf CustA
Now we can configure our TACACS server and key.
RP/0/RSP0/CPU0:PE2(config)#tacacs-server host 192.168.100.100
RP/0/RSP0/CPU0:PE2(config-tacacs-host)#key 0 TacacsPassword
RP/0/RSP0/CPU0:PE2(config-tacacs-host)#exit
RP/0/RSP0/CPU0:PE2(config)#
Now we need to create a server group for the ACS box. The server group is where we tell the router which VRF the server lives in.
RP/0/RSP0/CPU0:PE2(config)#aaa group server tacacs+ ACS
RP/0/RSP0/CPU0:PE2(config-sg-tacacs)#server 192.168.100.100
Now we can specify which VRF this server group belongs to.
RP/0/RSP0/CPU0:PE2(config-sg-tacacs)#vrf CustA
RP/0/RSP0/CPU0:PE2(config-sg-tacacs)#exit
RP/0/RSP0/CPU0:PE2(config)#
Now we can configure our local logins for the console:
RP/0/RSP0/CPU0:PE2(config)#aaa authentication login console local
RP/0/RSP0/CPU0:PE2(config)#aaa authorization commands console none
RP/0/RSP0/CPU0:PE2(config)#line console
RP/0/RSP0/CPU0:PE2(config-line)#login authentication console
RP/0/RSP0/CPU0:PE2(config-line)#authorization commands console
RP/0/RSP0/CPU0:PE2(config-line)#exit
RP/0/RSP0/CPU0:PE2(config)#
At this point I would commit the configuration done so far.
RP/0/RSP0/CPU0:PE2(config)#commit
And finally configure our AAA for login, authorization and accounting, this time pointing at the ACS server group instead of the built-in tacacs+ group.
RP/0/RSP0/CPU0:PE2(config)#aaa authentication login default group ACS local
RP/0/RSP0/CPU0:PE2(config)#aaa authorization commands default group ACS none
RP/0/RSP0/CPU0:PE2(config)#aaa accounting exec default start-stop group ACS
RP/0/RSP0/CPU0:PE2(config)#aaa accounting system default start-stop group ACS
RP/0/RSP0/CPU0:PE2(config)#aaa accounting commands default start-stop group ACS
RP/0/RSP0/CPU0:PE2(config)#
And once again, use commit confirmed here.
RP/0/RSP0/CPU0:PE2(config)#commit confirmed minutes 2
Test remote access via SSH, and if all works, commit to make the change permanent.
RP/0/RSP0/CPU0:PE2(config)#commit
% Confirming commit for trial session.
And we are done!