Network Engineering Stack Exchange is a question and answer site for network engineers. It's 100% free, no registration required.

I'm trying to configure the dedicated XML agent on IOS XR 4.2.3 (ASR9K). The API guide says to do the

xml agent
aaa authorization exec default local

which I did, and I can connect to the router on port 38751, but then I get

telnet 10.1.1.1 38751

Escape character is '^]'.


User Access Verification

Username: aaronw
Password: blah


User Access Verification

Username: aaronw
Password: realpassword
Session start failed :'AAA API' detected the 'fatal' condition
'No method could process the authorisation request'Connection closed by foreign host.

So if I put in a fake password, it knows that it's the wrong one, and doesn't go any further, but when I put in my real password it looks like I'm missing some kind of link-up between the authorization engine and the XML engine. If I take out the aaa authorization exec default local, I get a slightly different error:

Session start failed :'AAA API' detected the 'fatal' condition 
'Requested function is     not configured'

I know the API guide linked is the 4.1 version, but I can't find the 4.2 version of the same document. Also, the XML tty agent (i.e., typing 'XML' at the # prompt) does work as expected.

RP/0/RSP0/CPU0:ios#xml echo format 
Tue May 21 20:32:01.802 UTC
XML> exit
RP/0/RSP0/CPU0:ios#
Is the box currently set up to talk AAA to something? What happens when you repeat the above but have the ASR configured for local authentication only? (While it probably "officially" isn't, this smells like NETCONF, and NETCONF relies on SSH for transport. At least with the Brocade implementation, AAA is queried for NETCONF sessions to the box). – John Jensen May 21 '13 at 20:39
So after taking your comments and rolling them around in my head a little bit, it seems that the XR XML agent requires 'authorization' to start its own little 'exec'. As you surmise, we use group before local for aaa, so I had to do 'aaa authorization exec default group tacacs+ local' to get it to work in the expected manner. – Aaron May 21 '13 at 21:48
John, maybe you could add the solution as an answer, so this question can be marked as answered. – JelmerS May 22 '13 at 13:56
@JelmerS I didn't do this intentionally because I wasn't confident that my troubleshooting suggestion was going to solve Aaron's problem, so I relied on him to post his own answer, as he's done below. :-) – John Jensen May 23 '13 at 21:28

1 Answer (accepted)

In IOS-XR, there are different concepts of authorization than in classic IOS. In classic IOS, there's only command authorization, which allows or denies specific commands, typically sent to a tacacs+ or radius server. In IOS-XR, there is command authorization (aaa authorization commands) (but you're better off doing this via task-groups) and exec authorization (aaa authorization exec), which controls who can actually start an exec session.

It appears that, when using the normal access method (ssh/telnet to the vtys), if you're authenticated, no other authorization is necessary, but if you start the XML agent on its own dedicated port, then that user must be authorized. In my particular case, we are using a TACACS server for authentication, and I was specifying to use local authorization. The username does not exist on the router, so using the local method 'aaa authorization exec default local' caused authorization to fail. Changing it to 'aaa authorization exec group tacacs+ local' caused it to get the 'authorization OK' from the TACACS servers, and all is well.

