Rancid vs tac_plus for IOS XR
Hello,

Can anyone describe what I'm doing wrong to get rancid to generate an IOS XR directory listing?

I recently tacacs-enabled an IOS XR router (ASR 9001). I'm using rancid 3.4.1, and tac_plus F4.0.4.14-k6. These are the authorization settings applied:

.
.
.
aaa authorization exec default group TACACS_GROUP local
aaa authorization commands default group TACACS_GROUP
.
.
.

I have this configured in tacacs_plus (among a bunch of other things, but zero deny statements):

.
.
.
service = exec {
    # IOS XR and NX-OS both need an exec block, but they need different mutually-exclusive parameters
    # task and shell:roles marked as optional to allow them to work together

    # IOS XR
    # https://community.cisco.com/t5/xr-os-and-platforms/creating-username-passwd-on-ios-xr/m-p/2895304/highlight/true#M7066
    # there's also this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj97480
    optional task = "#read-only-tg"

    # NX-OS
    # need it this way to do both N7k and N5k
    optional shell:roles="\"network-operator vdc-admin aaa admin\""
}

cmd = dir {
    permit .*
}
.
.
.

but I'm getting this result in rancid:

.
.
.
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all bootflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflasha:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddisk:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiska:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiskb:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
.
.
.

If I check, this is what I see for authorization parameters. Clearly it's not a tacacs authentication issue on the router; it's just authorization:

[rancid@nsgv-prod-59 ~]$ plogin -c "show user all" cumm111-bdr-gw01.bu.edu
cumm111-bdr-gw01.bu.edu
spawn telnet cumm111-bdr-gw01.bu.edu
Trying 128.197.254.49...
telnet: connect to address 128.197.254.49: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid cumm111-bdr-gw01.bu.edu
rancid@cumm111-bdr-gw01.bu.edu's password:

RP/0/RSP0/CPU0:cumm111-bdr-gw01#
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal length 0
Sat Aug 25 23:03:17.740 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal width 132
Sat Aug 25 23:03:18.085 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#show user all
Sat Aug 25 23:03:18.417 EDT
Username: rancid
Groups: read-only-tg
Authenticated using method TACACS_GROUP
User rancid has the following Task ID(s):

Task: aaa : READ
Task: acl : READ
Task: admin : READ
Task: ancp : READ
Task: atm : READ
Task: basic-services : READ
Task: bcdl : READ
Task: bfd : READ
Task: bgp : READ
Task: boot : READ
Task: bundle : READ
Task: call-home : READ
Task: cdp : READ
Task: cef : READ
Task: cgn : READ
Task: cisco-support : READ (reserved)
Task: config-mgmt : READ
Task: config-services : READ
Task: crypto : READ
Task: diag : READ
Task: disallowed : READ (reserved)
Task: drivers : READ
Task: dwdm : READ
Task: eem : READ
Task: eigrp : READ
Task: ethernet-services : READ
Task: ext-access : READ
Task: fabric : READ
Task: fault-mgr : READ
Task: filesystem : READ
Task: firewall : READ
Task: fr : READ
Task: hdlc : READ
Task: host-services : READ
Task: hsrp : READ
Task: interface : READ
Task: inventory : READ
Task: ip-services : READ
Task: ipv4 : READ
Task: ipv6 : READ
Task: isis : READ
Task: l2vpn : READ
Task: li : READ
Task: lisp : READ
Task: logging : READ
Task: lpts : READ
Task: monitor : READ
Task: mpls-ldp : READ
Task: mpls-static : READ
Task: mpls-te : READ
Task: multicast : READ
Task: netflow : READ
Task: network : READ
Task: nps : READ
Task: ospf : READ
Task: otn : READ
Task: ouni : READ
Task: pbr : READ
Task: pkg-mgmt : READ
Task: pos-dpt : READ
Task: ppp : READ
Task: qos : READ
Task: rcmd : READ
Task: rib : READ
Task: rip : READ
Task: root-lr : READ (reserved)
Task: root-system : READ (reserved)
Task: route-map : READ
Task: route-policy : READ
Task: sbc : READ
Task: snmp : READ
Task: sonet-sdh : READ
Task: static : READ
Task: sysmgr : READ
Task: system : READ
Task: transport : READ
Task: tty-access : READ
Task: tunnel : READ
Task: universal : READ (reserved)
Task: vlan : READ
Task: vpdn : READ
Task: vrrp : READ
RP/0/RSP0/CPU0:cumm111-bdr-gw01#exit
Connection to cumm111-bdr-gw01.bu.edu closed.
[rancid@nsgv-prod-59 ~]$

weylin
Re: Rancid vs tac_plus for IOS XR
Sun, Aug 26, 2018 at 03:14:37AM +0000, Piegorsch, Weylin William:
> aaa authorization exec default group TACACS_GROUP local
> aaa authorization commands default group TACACS_GROUP
>
> I have this configured in tacacs_plus (among a bunch of other things, but zero deny statements):
>

> but I'm getting this result in rancid:
>
> RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
>
> % This command is not authorized

that is not the same error that tacacs authorization failure creates,
afaik. maybe remove the task thing and try only the tacacs author. if
that works, then you know to complain to cisco. sth like this from/for
ios-classic:

group = RO {
    service = exec {
        priv-lvl=15
    }
    cmd = show {
        permit run
        permit version
        permit install
        permit env
        permit gsr
        permit boot
        permit bootvar
        permit flash
        permit controllers
        permit controllers
        permit diagbus
        permit diag
        permit c7200
        deny .*
    }
    cmd = write {
        permit term
        deny .*
    }
    cmd = dir {
        permit /all
        deny .*
    }
}
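The reply's point is that the router's "% This command is not authorized" is not what a tac_plus command-authorization denial looks like, so the two decisions should be checked separately. The following added example (not code from the thread, rancid or tac_plus) evaluates a rancid session's denied commands against tac_plus `cmd` blocks; it assumes tac_plus.conf(5) semantics, where the argument string after the command word is matched against the permit/deny regexes in order and the first match wins, and treats a block with no matching rule as deny (an assumption; the reply's config ends every block with an explicit `deny .*`).

```python
import re

# Constructed tac_plus cmd blocks in the style of the reply's RO group.
TAC_PLUS_CONF = """
cmd = show {
    permit run
    deny .*
}
cmd = dir {
    permit /all
    deny .*
}
"""

# Constructed excerpt of a rancid login session (prompt line, then response).
SESSION = """
RP/0/RSP0/CPU0:router#dir /all nvram:
% This command is not authorized
RP/0/RSP0/CPU0:router#show version
Cisco IOS XR Software ...
"""

def parse_cmd_blocks(conf):
    """Return {command: [(action, compiled_regex), ...]} in rule order."""
    blocks = {}
    for m in re.finditer(r"cmd\s*=\s*(\S+)\s*\{(.*?)\}", conf, re.S):
        rules = re.findall(r"(permit|deny)\s+(\S+)", m.group(2))
        blocks[m.group(1)] = [(a, re.compile(p)) for a, p in rules]
    return blocks

def tac_plus_permits(blocks, command_line):
    """First permit/deny whose regex matches the argument string wins; a block
    with no matching rule is treated as deny (assumption)."""
    word, _, args = command_line.strip().partition(" ")
    if word not in blocks:
        return None  # no cmd block: the group's default service decides
    for action, rx in blocks[word]:
        if rx.search(args):
            return action == "permit"
    return False

def device_denials(session):
    """Commands the device answered with '% This command is not authorized'."""
    lines = [l for l in session.splitlines() if l.strip()]
    return [p.split("#", 1)[1] for p, r in zip(lines, lines[1:])
            if "#" in p and r.startswith("% This command is not authorized")]

def triage(conf, session):
    """Denied commands tac_plus would have permitted: the refusal is local to the router."""
    blocks = parse_cmd_blocks(conf)
    return [c for c in device_denials(session) if tac_plus_permits(blocks, c)]
```

A command listed by `triage()` was refused by the router's own authorization (for example its task-group settings) even though the TACACS server would have permitted it, which is where the reply suggests looking.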

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss