topic Re: Device Administration using RADIUS for authorization & account in Network Access Control

Device Administration using RADIUS for authorization & accounting

Eman.Bakri — Sat, 27 Aug 2022 11:07:26 GMT

Hi all,

I have ISE VM without device admin license and I want to use RADIUS for device administration, does RADIUS device admin support authorization and accounting, or I need to have device admin license in order to do accounting, could you please help me, and if there is any cisco document contains this details please share it with me.

Thanks.

Re: Device Administration using RADIUS for authorization & account

Ambuj M — Sat, 27 Aug 2022 11:17:31 GMT

No command accounting with just radius based device administration.
here is a guide for device administration using radius : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215525-use-radius-for-device-administration-wit.html

For more difference in radius vs tacacs : https://www.geeksforgeeks.org/difference-between-tacacs-and-radius/

Re: Device Administration using RADIUS for authorization & account

Eman.Bakri — Sat, 27 Aug 2022 11:20:46 GMT

Thanks for your reply, you mean that i cannot use ISE for accounting unless I have device administration license?

what if the devices does not support tacacs ?

Re: Device Administration using RADIUS for authorization & account

Eman.Bakri — Sat, 27 Aug 2022 11:39:46 GMT

I didnot understand the meaning of no accounting command, can you please clarify it to me?

Also, I checked the link you shared about difference between RADIUS and TACACS and found that the RADIUS support accounting

I need your support please

Re: Device Administration using RADIUS for authorization & account

Ambuj M — Sat, 27 Aug 2022 11:45:28 GMT

Command accounting is when you run a command on device being administered and it gets logs in ise, later you can run a report to see what command was run at what time etc, May be for audit or keeping track of changes. You can still do session start-stop accounting.

for complete detail see radius accounting here : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-802x-rad-account.pdf#page3

If a device do not support tacacs then radius is your only option.

Re: Device Administration using RADIUS for authorization & account

Eman.Bakri — Sat, 27 Aug 2022 11:48:24 GMT

Sorry, but is still not clear for me, yes I need to have logs of all commands that done in network devices (routers, switches,...)

does this can be done using session start-stop accounting. or you mean this not supported at all when using RADIUS for device Admin?

Many thanks

Re: Device Administration using RADIUS for authorization & account

Eman.Bakri — Sat, 27 Aug 2022 11:52:41 GMT

My scope is the accounting for commands done in the network devices itself and not for endpoints.

Re: Device Administration using RADIUS for authorization & account

Ambuj M — Sat, 27 Aug 2022 23:40:49 GMT

I was never talking about endpoints.
If you need command accounting for network devices you need tacacs feature on your ise, so you should get device administration license. You can just get one license and use one of your ise node for tacacs function.

having said that keep in mind that Ise comes with 90 day full feature trial including device administration so you also have option to test out both radius and tacacs and see what works best for you.

cisco has done an excellent job putting together Ise configuration examples and knowledge base that you can explore here : https://community.cisco.com/t5/security-knowledge-base/cisco-ise-amp-nac-resources/ta-p/3621621#Learn

Re: Device Administration using RADIUS for authorization & account

Marcelo Morais — Sun, 28 Aug 2022 00:44:27 GMT

Hi @Eman.Bakri ,

remember that TACACS+ provides more control over the Authorization of commands, in RADIUS no external Authorization of commands is supported.

Note: for a better understand, please take a look at RADIUS Accounting.

Hope this helps !!!