01-23-2024 05:29 AM
I have Cisco ISE that is a VM, version 2.7, free license, and I know how to set up RADIUS on ISE successfully.
However, I'm learning how to set RADIUS account permissions in ISE, for example...
Allen has full permission, like a Cisco router local account.
Bob can show version and show inventory only, cannot show others.
Candy cannot show run, but can show others.
Can ISE achieve this demand? I expect someone can teach me, THANKS!
01-23-2024 05:33 AM
This is done by the priv that the RADIUS returns to the router for each user
Allen has priv 15
Bob has priv 5 (or any other privilege level)
Note:- you can move commands from one priv level to another; this makes sure that Bob sees only the commands you specify
MHM
01-23-2024 05:43 AM
Let me double confirm: you mean the account permission function is done by the router.
And then ISE provides the external account function only.
Is that right?
01-23-2024 05:50 AM
Just to confirm, we are talking about admin of the SW and router via ISE
Not admin of ISE itself
If yes, then
In the router or SW we config
aaa authorization exec default <ISE> local  <- local if you use local as the fallback in case ISE is down
Here, any user who accesses and is authenticated by ISE also has their exec level checked by ISE.
MHM
01-23-2024 05:52 AM
01-23-2024 06:08 AM
GOOD document! I will try it, THANKS!
01-23-2024 06:06 AM
aaa authorization exec default <ISE> local
Thanks for your explanation, I understand this command's effect.
If I set the account names "Bob" & "Candy" in ISE, Bob and Candy are external accounts for the router/switch.
Last, my demand is that Bob can show version but cannot show others, and Candy cannot show run but can show others. I don't know how to configure this in ISE.
01-23-2024 06:12 AM
So does the link help you understand the config of ISE? If yes, please confirm.
Also keep in mind: always try to make the console use local, not AAA; it is your last resort to access the SW/R when ISE is down
MHM
01-23-2024 06:18 AM - edited 01-23-2024 06:21 AM
This is to make ISE check each command and authorize it for each user
But unfortunately it works only with TACACS, not RADIUS; for RADIUS you need to change the command priv level.
Note:- I prefer use tacacs for command authz
I am available now ask me anything about this task
Thanks
MHM
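Both of MHM's points above, the RADIUS privilege-level approach (05:33 and 05:50 posts) and the TACACS+ alternative for true per-command authorization (06:18 post), as an added IOS configuration example that is not from the original thread; the group names, server names, address and shared secret are assumptions.

```cisco
! ===== IOS switch/router side, RADIUS with privilege levels (constructed example) =====
aaa new-model
! Server group for ISE; group name, server name, address and key are placeholders
aaa group server radius ISE
 server name ISE-PSN
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
! Login and exec authorization are checked by ISE; local is used only if ISE is unreachable
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
! Console stays on local AAA so it remains the last resort when ISE is down
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
! Raise "show" and all of its sub-commands to level 10, then lower only two of them to level 5
privilege exec all level 10 show
privilege exec level 5 show version
privilege exec level 5 show inventory
! Pin "show running-config" back to 15 so that level 10 cannot read it
privilege exec level 15 show running-config
!
! ===== ISE side (RADIUS) =====
! One authorization profile per role, returning the Cisco VSA under Advanced Attributes Settings:
!   Allen -> cisco-av-pair = shell:priv-lvl=15   (full access, like a local level-15 account)
!   Bob   -> cisco-av-pair = shell:priv-lvl=5    (show version / show inventory only)
!   Candy -> cisco-av-pair = shell:priv-lvl=10   (all show commands except show running-config)
! Authorization policy rules match each user (or group) to the matching profile.
!
! ===== Alternative when per-command control is needed: TACACS+ (ISE Device Admin) =====
! RADIUS only returns a privilege level; per-command authorization requires TACACS+.
aaa group server tacacs+ ISE-TACACS
 server name ISE-TAC
tacacs server ISE-TAC
 address ipv4 192.0.2.10
 key <shared-secret>
! (login and exec authorization would likewise point at group ISE-TACACS)
! Every command at these levels is sent to ISE for authorization before it runs
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
```

With the RADIUS variant, Bob at level 5 inherits only level-1 commands plus the two show commands lowered to 5, while Candy at level 10 gets every show command except show running-config, which stays at 15.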
01-23-2024 06:30 AM
Now I understand RADIUS cannot achieve my demand, but TACACS can.
Before posting to this community, I didn't know; I'm very grateful for your explanation.
01-23-2024 06:37 AM
You are so so welcome
MHM