Hello,
Can anyone describe what I'm doing wrong in getting rancid to generate an IOS XR
directory listing?
I recently tacacs-enabled an IOS XR router (ASR 9001). I'm using rancid 3.4.1,
and tac_plus F4.0.4.14-k6. These are the authorization settings applied:
.
.
.
aaa authorization exec default group TACACS_GROUP local
aaa authorization commands default group TACACS_GROUP
.
.
.
I have this configured in tacacs_plus (among a bunch of other things, but zero
deny statements):
.
.
.
service = exec {
    # IOS XR and NX-OS both need an exec block, but they need different
    # mutually-exclusive parameters
    # task and shell:roles marked as optional to allow them to work together
    # IOS XR
    # https://community.cisco.com/t5/xr-os-and-platforms/creating-username-passwd-on-ios-xr/m-p/2895304/highlight/true#M7066
    # there's also this:
    # https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj97480
    optional task = "#read-only-tg"
    # NX-OS
    # need it this way to do both N7k and N5k
    optional shell:roles="\"network-operator vdc-admin aaa admin\""
}
cmd = dir {
    permit .*
}
.
.
.
but I'm getting this result in rancid:
.
.
.
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all bootflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflasha:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddisk:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiska:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiskb:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
.
.
.
If I check, this is what I see for the authorization parameters. Clearly it's not
a tacacs authentication issue on the router, it's just authorization:
[rancid@nsgv-prod-59 ~]$ plogin -c "show user all" cumm111-bdr-gw01.bu.edu
cumm111-bdr-gw01.bu.edu
spawn telnet cumm111-bdr-gw01.bu.edu
Trying 128.197.254.49...
telnet: connect to address 128.197.254.49: Connection refused
spawn ssh -2 -c
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x
-l rancid cumm111-bdr-gw01.bu.edu
ran...@cumm111-bdr-gw01.bu.edu's password:
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal length 0
Sat Aug 25 23:03:17.740 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal width 132
Sat Aug 25 23:03:18.085 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#show user all
Sat Aug 25 23:03:18.417 EDT
Username: rancid
Groups: read-only-tg
Authenticated using method TACACS_GROUP
User rancid has the following Task ID(s):
Task: aaa : READ
Task: acl : READ
Task:admin : READ
Task: ancp : READ
Task: atm : READ
Task: basic-services : READ
Task: bcdl : READ
Task: bfd : READ
Task: bgp : READ
Task: boot : READ
Task: bundle : READ
Task:call-home : READ
Task: cdp : READ
Task: cef : READ
Task: cgn : READ
Task:cisco-support : READ (reserved)
Task: config-mgmt : READ
Task: config-services : READ
Task: crypto : READ
Task: diag : READ
Task: disallowed : READ (reserved)
Task: drivers : READ
Task: dwdm : READ
Task: eem : READ
Task:eigrp : READ
Task:ethernet-services : READ
Task: ext-access : READ
Task: fabric : READ
Task:fault-mgr : READ
Task: filesystem : READ
Task: firewall : READ
Task: fr : READ
Task: hdlc : READ
Task:host-services : READ
Task: hsrp : READ
Task:interface : READ
Task:inventory : READ
Task: ip-services : READ
Task: ipv4 : READ
Task: ipv6 : READ
Task: isis :
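As an added example (not part of the original post, and not code from rancid or tac_plus), here is a small Python evaluator that applies tac_plus-style `cmd = NAME { permit/deny REGEX }` blocks to the commands captured in a rancid session, so the answer the cmd rules would give for each line can be set beside what the device actually said. It assumes tac_plus semantics as commonly described: the first word of the command selects the block, the remaining words joined by spaces are searched (unanchored) against each regex in order, the first match wins, and no match is a deny unless the service default is permit. The `cmd = copy` block, the `default_permit` flag and the session excerpt are constructed for the example; the `cmd = dir` block and the prompt format are taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample config: the 'cmd = dir' block from the post plus a
# hypothetical 'cmd = copy' block so that first-match and implicit-deny
# behaviour are both visible.
SAMPLE_CONFIG = r"""
cmd = dir {
    permit .*
}
cmd = copy {
    # hypothetical rules: never copy the running config, otherwise tftp only
    deny .*running-config.*
    permit tftp:.*
}
"""

# Constructed excerpt of the rancid session shown in the post (first three
# dir commands and the final bare prompt).
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all bootflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
"""

@dataclass
class CmdBlock:
    name: str
    rules: list          # ordered (action, compiled regex) pairs

CMD_OPEN = re.compile(r"^\s*cmd\s*=\s*(\S+)\s*\{\s*$")
RULE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s*$")

def parse_cmd_blocks(text):
    """Parse 'cmd = NAME { permit/deny REGEX ... }' blocks into a dict by name.
    Comments start with '#'; a literal '#' inside a regex is not supported here."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CMD_OPEN.match(line)
        if m:
            current = CmdBlock(m.group(1), [])
            blocks[current.name] = current
        elif line.strip() == "}":
            current = None
        elif current is not None:
            m = RULE.match(line)
            if m:
                current.rules.append((m.group(1), re.compile(m.group(2))))
    return blocks

def authorize(blocks, cmdline, default_permit=False):
    """Evaluate one command line under the assumed tac_plus semantics:
    first word selects the block, the rest is searched against each regex
    in order, first match wins, no match means deny unless default_permit."""
    parts = cmdline.split()
    if not parts:
        return "deny", "empty command"
    name, args = parts[0], " ".join(parts[1:])
    block = blocks.get(name)
    if block is None:
        if default_permit:
            return "permit", "no cmd block; default service = permit"
        return "deny", f"no cmd block for {name!r}"
    for action, rx in block.rules:
        if rx.search(args):
            return action, f"matched '{action} {rx.pattern}'"
    return "deny", "no rule matched (implicit deny)"

PROMPT = re.compile(r"^RP/\S+#(.+)$")   # IOS XR exec prompt followed by a command

def extract_commands(log):
    """Return (command, device_denied) pairs from a captured session."""
    lines = log.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = PROMPT.match(line)
        if not m or not m.group(1).strip():
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        found.append((m.group(1).strip(),
                      nxt.startswith("% This command is not authorized")))
    return found

def audit(config_text, log):
    """Pair each command's device answer with the answer the cmd rules give.
    A line the rules would permit but the device refused was not refused by
    these rules, so the cause must be looked for elsewhere."""
    blocks = parse_cmd_blocks(config_text)
    rows = []
    for cmd, denied in extract_commands(log):
        verdict, why = authorize(blocks, cmd)
        rows.append((cmd, verdict, denied, why))
    return rows

if __name__ == "__main__":
    for cmd, server, denied, why in audit(SAMPLE_CONFIG, SAMPLE_LOG):
        flag = "MISMATCH" if (server == "permit") == denied else "ok"
        device = "deny" if denied else "permit"
        print(f"{flag:8} device={device:6} rules={server:6} {cmd!r} ({why})")
```

Run as-is it flags all three `dir /all ...` lines as MISMATCH: `permit .*` under `cmd = dir` matches any argument string, so these rules alone cannot produce the "% This command is not authorized" answer. That narrows where to look next: the tac_plus server's own log for those requests, and the device-side task-ID checks visible in the `show user all` output, rather than the cmd block.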