Cisco Employee

CLI Access control with Radius only

Hello,

Are we able to do CLI access control with Radius only? I have seen 3rd-party examples on ISE 1.x but nothing for 2.x and nothing official. Goal would be to control exec-level access to Catalyst, ISR, and Nexus devices with Radius only. No TACACS license required.

-Eliott

Accepted Solutions
VIP Advocate

Re: CLI Access control with Radius only

I can confirm that as long as the network device allows Device Admin using the Radius protocol, then ISE will happily oblige. Cisco WLC and IOS devices all support this. For ISE it's just a PAP authentication. You need to figure out what attributes the NAS will include in its Access-Request and then catch that in your Policy Set Authorization Rules.

Below is what I figured out recently when I had to do this.

ISE-Radius.PNG

2 REPLIES
Cisco Employee

Re: CLI Access control with Radius only

Hello Eliott,

Of course you should be able to do this.

Please check this document:

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#asr

I know it's for ACS, but it's very much the same concept. The idea is to use the cisco-av-pair on the authorization result and specify the attribute you would like to push.

Take a look, and if you face any challenges, feel free to ask.

Wishes.
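Added example, not part of any post in this thread and not Cisco's code: a minimal RFC 2865 attribute parser that lists what a NAS put in its Access-Request, plus a hypothetical authorization rule that answers with a cisco-av-pair, covering both the "figure out the attributes" and the "push a cisco-av-pair" steps described above. The request bytes, the user name `admin1`, the match on NAS-Port-Type Virtual, and the value `shell:priv-lvl=15` are assumptions chosen for illustration; read the real attributes from your own ISE live logs or a packet capture.

```python
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco enterprise number, cisco-av-pair type
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 26: "Vendor-Specific", 61: "NAS-Port-Type"}

def tlv(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute name: raw value} for a RADIUS packet (RFC 2865)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20                      # attributes follow the 20-byte header
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 \
                or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[NAMES.get(atype, str(atype))] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def cisco_avpair(value: str) -> bytes:
    """Encode a cisco-av-pair as Vendor-Specific (26): vendor id + sub-TLV."""
    data = value.encode()
    return tlv(26, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR,
                               len(data) + 2) + data)

def authorize(attrs: dict) -> bytes:
    """Hypothetical rule: NAS-Port-Type Virtual (5) gets exec privilege 15."""
    if attrs.get("NAS-Port-Type") == struct.pack("!I", 5):
        return cisco_avpair("shell:priv-lvl=15")
    return b""                               # no match: nothing is pushed

def sample_request() -> bytes:
    """Constructed Access-Request; a real NAS may send other attributes."""
    body = (tlv(1, b"admin1") + tlv(2, bytes(16))          # placeholder password field
            + tlv(4, bytes([192, 0, 2, 10])) + tlv(61, struct.pack("!I", 5)))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    request_attrs = parse_attributes(sample_request())
    print(sorted(request_attrs), authorize(request_attrs))
```
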

 
