https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3881087#M442230 as he said not too efficiently, would recommend tacacs, we don't recommend radius as its very limited therefore don't spend much time on it<BR />some thread discussions<BR /><A href="https://www.google.com/search?q=ise+radius+device+administration&amp;oq=ise+radius+device+&amp;aqs=chrome.0.0j69i57j0j69i60j69i64.2540j0j7&amp;sourceid=chrome&amp;ie=UTF-8" target="_blank">https://www.google.com/search?q=ise+radius+device+administration&amp;oq=ise+radius+device+&amp;aqs=chrome.0.0j69i57j0j69i60j69i64.2540j0j7&amp;sourceid=chrome&amp;ie=UTF-8</A><BR /><A href="https://community.cisco.com/t5/policy-and-access/device-administration-using-radius-cisco-ise-2-3/td-p/3309882" target="_blank">https://community.cisco.com/t5/policy-and-access/device-administration-using-radius-cisco-ise-2-3/td-p/3309882</A><BR /> Thu, 27 Jun 2019 20:24:18 GMT Jason Kunst 2019-06-27T20:24:18Z https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3820306#M442227 <P>We use our ISE server as a Radius/TACACS for our network devices.&nbsp; Does ISE (if so how) could you configure users on ISE to only have read-only (show commands) on network devices registered to ISE</P> Fri, 21 Feb 2020 19:03:49 GMT https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3820306#M442227 jhaddix385 2020-02-21T19:03:49Z https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3820380#M442228 <P>You have to use TACACS to do this efficiently.&nbsp; You would configure the device for TACACS command authorization (in addition to authentication and accounting). </P> <P>&nbsp;</P> <P>aaa authorization commands 15 default group ISE-TACACS if-authenticated</P> <P>&nbsp;</P> <P>There is not need to authorize anything but level 15 commands.&nbsp; You should account for level 0, 1 and 15 though in the accounting setup:</P> <P>aaa accounting commands 0 default stop-only group ISE-TACACS</P> <P>aaa accounting commands 1 default stop-only group ISE-TACACS</P> <P>aaa accounting commands 15 default stop-only group ISE-TACACS</P> <P>&nbsp;</P> <P>Depending on your switch the TACACS syntax will be different.&nbsp; Once you have command authorization enabled you would configure a command set in ISE that allows "show" command.&nbsp; All other level 15 commands will be denied.&nbsp; Tie that to your desired TACACS rule for the group of users you want to have read-only access.&nbsp; Setup a TACACS profile that assigned priv level 15 and max priv level 15 to the users as well.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Mar 2019 19:25:30 GMT https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3820380#M442228 paul 2019-03-15T19:25:30Z https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3881068#M442229 <P>Is there a way to do this with radius?&nbsp; I don't have tacacs licenses on ISE.</P> Thu, 27 Jun 2019 19:46:30 GMT https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3881068#M442229 BrianPersaud 2019-06-27T19:46:30Z https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3881087#M442230 as he said not too efficiently, would recommend tacacs, we don't recommend radius as its very limited therefore don't spend much time on it<BR />some thread discussions<BR /><A href="https://www.google.com/search?q=ise+radius+device+administration&amp;oq=ise+radius+device+&amp;aqs=chrome.0.0j69i57j0j69i60j69i64.2540j0j7&amp;sourceid=chrome&amp;ie=UTF-8" target="_blank">https://www.google.com/search?q=ise+radius+device+administration&amp;oq=ise+radius+device+&amp;aqs=chrome.0.0j69i57j0j69i60j69i64.2540j0j7&amp;sourceid=chrome&amp;ie=UTF-8</A><BR /><A href="https://community.cisco.com/t5/policy-and-access/device-administration-using-radius-cisco-ise-2-3/td-p/3309882" target="_blank">https://community.cisco.com/t5/policy-and-access/device-administration-using-radius-cisco-ise-2-3/td-p/3309882</A><BR /> Thu, 27 Jun 2019 20:24:18 GMT https://community.cisco.com/t5/network-access-control/ise-radius-amp-network-device-read-only/m-p/3881087#M442230 Jason Kunst 2019-06-27T20:24:18Z