https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3866997#M472505 <P>Hello,</P> <P>&nbsp;</P> <P>Are we able to do CLI access control with Radius only? I have seen 3rd party examples on ise 1.x but nothing for 2.x and nothing official. Goal would be to control exec level access to Catalyst, ISR, and nexus devices with Radius only. No TACACS license required.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-Eliott</P> Mon, 03 Jun 2019 18:47:18 GMT estidd 2019-06-03T18:47:18Z https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3866997#M472505 <P>Hello,</P> <P>&nbsp;</P> <P>Are we able to do CLI access control with Radius only? I have seen 3rd party examples on ise 1.x but nothing for 2.x and nothing official. Goal would be to control exec level access to Catalyst, ISR, and nexus devices with Radius only. No TACACS license required.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-Eliott</P> Mon, 03 Jun 2019 18:47:18 GMT https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3866997#M472505 estidd 2019-06-03T18:47:18Z https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3867086#M472506 <P>Hello Eliot,</P> <P>&nbsp;</P> <P>of course you should be able to do this,</P> <P>please check this document&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#asr" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#asr</A></P> <P>&nbsp;</P> <P>i know its for ACS but very much same concept, the idea is to use cisco-av pair on the authorization result and mention the attribute you would like to&nbsp; push.</P> <P>&nbsp;</P> <P>take a look and if you faced some challenges feel free to ask.</P> <P>&nbsp;</P> <P>Wishes.</P> <P>&nbsp;</P> Mon, 03 Jun 2019 21:53:43 GMT https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3867086#M472506 yalbikaw 2019-06-03T21:53:43Z https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3867362#M472508 <P>&nbsp;I can confirm that as long as the network device allows Device Admin using the Radius protocol, then ISE will happily oblige. Cisco WLC and IOS devices all support this.&nbsp; For ISE it's just a PAP authentication.&nbsp; You need to figure out what attributes the NAS will include in its Access-Request and then catch that in your Policy Set Authorization Rules.</P> <P>&nbsp;</P> <P>Below is what I figured out recently when I had to do this.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE-Radius.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/37989iD03874E902230C3B/image-size/large?v=v2&amp;px=999" role="button" title="ISE-Radius.PNG" alt="ISE-Radius.PNG" /></span></P> Tue, 04 Jun 2019 12:46:52 GMT https://community.cisco.com/t5/network-access-control/cli-access-control-with-radius-only/m-p/3867362#M472508 Arne Bier 2019-06-04T12:46:52Z