06-03-2019 11:47 AM
Hello,
Are we able to do CLI access control with RADIUS only? I have seen third-party examples on ISE 1.x but nothing for 2.x and nothing official. The goal would be to control exec-level access to Catalyst, ISR, and Nexus devices with RADIUS only. No TACACS license required.
-Eliott
06-03-2019 02:53 PM
Hello Eliott,
Of course you should be able to do this.
Please check this document.
I know it's for ACS, but it is very much the same concept: the idea is to use the cisco-av-pair on the authorization result and mention the attribute you would like to push.
Take a look, and if you face any challenges, feel free to ask.
Wishes.
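The approach described in this thread, as an added example that is not part of the original posts or of Cisco's documentation: a Cisco IOS configuration that sends CLI logins to ISE over RADIUS and applies the privilege level returned in a cisco-av-pair. The server address, object names, local account and secrets are constructed placeholders.

```ios
! Added example: exec-level CLI access via RADIUS on Cisco IOS / IOS XE.
! Constructed values: 192.0.2.10 (ISE node), ISE-PSN1, ISE-RADIUS, netadmin, <...> secrets.
aaa new-model
!
! Local fallback account so the device stays manageable if ISE is unreachable
username netadmin privilege 15 secret <local-fallback-secret>
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! Authenticate logins against ISE; use the local database only if no RADIUS server responds
aaa authentication login default group ISE-RADIUS local
! Exec authorization makes IOS apply the privilege level carried in the Access-Accept
aaa authorization exec default group ISE-RADIUS local
!
! ISE side: attribute set in the authorization profile and returned in the Access-Accept
!   cisco-av-pair = shell:priv-lvl=15      (full exec access)
!   cisco-av-pair = shell:priv-lvl=1       (user exec only)
! NX-OS takes a role instead of a privilege level:
!   cisco-av-pair = shell:roles="network-admin"
```

Without the `aaa authorization exec` line the login still succeeds, but the session stays at the default privilege level regardless of what ISE returns.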
06-04-2019 05:46 AM
I can confirm that as long as the network device allows Device Admin using the RADIUS protocol, then ISE will happily oblige. Cisco WLC and IOS devices all support this. For ISE it's just a PAP authentication. You need to figure out what attributes the NAS will include in its Access-Request and then catch that in your Policy Set Authorization Rules.
Below is what I figured out recently when I had to do this.