97 Views, 0 Helpful, 3 Replies
Beginner

Cisco switch administration through radius using ISE

Hi all,

 

To facilitate switch administration using ISE as the RADIUS server, I have configured my ISE (v2.4) with the policy set as below.

1) Condition - Radius: Service-Type Equals NAS Prompt

2) Allowed protocols: PAP

3) Also configured the necessary authentication and authorization policy.

 

The above works for administration of my Cisco WLC but does not work for my Cisco switches.

When I check my ISE logs to verify my admin access to the switches via SSH, I notice my attempts to access the switches do not hit the ISE policy set I created; instead they go to the last, default policy set. The endpoint indicated in the ISE log also reflects the IP address of my client PC attempting SSH to the switch.

 

I have also added the following on my Cisco switches, but it fails to work.

1) aaa authentication login default group ISEGRP local

2) aaa authorization exec default group ISEGRP local if-authenticated

 

"ISEGRP" is defined correctly, as my 802.1X config on the switch works for user PC connections against ISE.

Please advise. TIA!

Accepted Solution

VIP Advocate

Re: Cisco switch administration through radius using ISE

Hi @donnie 

 

AirOS and IOS send different RADIUS Attributes during a device authentication - see below what I have configured in ISE:

 

[screenshot: comm03.PNG]

 

For IOS you then return the Cisco AV Pair to assign level 0-15 - cisco-avpair="shell:priv-lvl=15" etc.

 

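As an added illustration (not part of this thread and not Cisco or ISE code), the Python below encodes and decodes the two RADIUS attributes this answer turns on: the Service-Type value that a policy-set condition such as "Service-Type Equals NAS Prompt" matches, and the Cisco vendor-specific cisco-avpair carrying shell:priv-lvl. The sample attribute lists are constructed here, and using Service-Type Login (1) for the IOS request is an assumption made for the example.

```python
import struct

# RADIUS attribute numbers (RFC 2865) and the values discussed in this thread
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco's IANA enterprise number; vendor type of cisco-avpair
NAS_PROMPT = 7                         # the Service-Type the original policy-set condition matched
LOGIN = 1                              # assumption for the example: Service-Type of the IOS exec login request

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One attribute in Type(1) Length(1) Value form."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_cisco_avpair(text: str) -> bytes:
    """Attribute 26 wrapping Vendor-Id 9, vendor type 1 and the AV pair text, e.g. shell:priv-lvl=15."""
    data = text.encode()
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data)

def decode_attrs(buf: bytes) -> list:
    """Walk an attribute list, refusing any Length that runs past the buffer."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def service_type(attrs) -> int:
    """Service-Type carried in a decoded Access-Request, or -1 if absent."""
    return next((struct.unpack("!I", v)[0] for t, v in attrs if t == SERVICE_TYPE and len(v) == 4), -1)

def priv_level(attrs) -> int:
    """Privilege level granted by a shell:priv-lvl cisco-avpair in an Access-Accept, or -1 if none."""
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            text = v[6:4 + vlen].decode(errors="replace")
            level = text.split("=", 1)[1] if text.startswith("shell:priv-lvl=") else ""
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and level.isdigit():
                return int(level)
    return -1

# Constructed sample attribute lists: a WLC-style request, an IOS-style request, and the Accept the answer describes
WLC_REQUEST = encode_attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))
IOS_REQUEST = encode_attr(SERVICE_TYPE, struct.pack("!I", LOGIN))
ACCEPT = encode_cisco_avpair("shell:priv-lvl=15")
```

Comparing service_type() of the two requests against NAS_PROMPT shows why a condition written for the WLC does not match the switch request, while priv_level() shows what the switch reads back from the returned AV pair.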

3 REPLIES
Rising star

Re: Cisco switch administration through radius using ISE

IMO I would recommend looking into using either Radius or Tacacs+ for device access. Note that Radius encrypts only the password in the request packet, and T+ encrypts the entire body in the packet. PAP is clear text so obviously less secure.

Beginner

Re: Cisco switch administration through radius using ISE

Hi Arne,

 

Thank you very much. Your suggestion works.

I will fine-tune my authorization policy to segregate between user and full privilege.