CLI Access control with Radius only

estidd
Cisco Employee
Hello,

Are we able to do CLI access control with RADIUS only? I have seen 3rd party examples on ISE 1.x but nothing for 2.x and nothing official. Goal would be to control exec level access to Catalyst, ISR, and Nexus devices with RADIUS only. No TACACS license required.

-Eliott

Accepted Solutions

I can confirm that as long as the network device allows Device Admin using the RADIUS protocol, then ISE will happily oblige. Cisco WLC and IOS devices all support this. For ISE it's just a PAP authentication. You need to figure out what attributes the NAS will include in its Access-Request and then catch that in your Policy Set Authorization Rules.

Below is what I figured out recently when I had to do this.

ISE-Radius.PNG

2 Replies

yalbikaw
Cisco Employee
Hello Eliott,

Of course you should be able to do this. Please check this document:

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#asr

I know it's for ACS, but it's very much the same concept: the idea is to use the cisco-av pair on the authorization result and mention the attribute you would like to push.

Take a look, and if you face any challenges, feel free to ask.

Wishes.
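
Both replies come down to two RADIUS details: which attributes the NAS sends in its Access-Request, and which Cisco-AVPair the server returns in the Access-Accept. The decoder below is an added example, not part of the original thread; the sample packets are constructed, and the user name, the `shell:priv-lvl=15` value and the helper names are illustrative assumptions.

```python
import struct

CISCO, VSA, AVPAIR = 9, 26, 1  # Cisco enterprise number, Vendor-Specific type, Cisco-AVPair sub-type
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
NAMES = {1: "User-Name", 6: "Service-Type", 61: "NAS-Port-Type"}

def parse_radius(pkt):
    """Return (packet type, [(attribute name, value), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, 0, 0)
    if not 20 <= length <= len(pkt):
        raise ValueError("bad header or length field")
    attrs, pos = [], 20                      # attributes start after the 20-byte header
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = pkt[pos], pkt[pos + 2:pos + alen]
        pos += alen
        name = NAMES.get(atype, f"attr-{atype}")
        if atype == VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO and vtype == AVPAIR and 2 <= vlen <= len(value) - 4:
                name, value = "Cisco-AVPair", value[6:4 + vlen].decode("ascii", "replace")
        elif atype in (6, 61) and len(value) == 4:
            value = int.from_bytes(value, "big")   # enumerated integer attributes
        elif atype == 1:
            value = value.decode("utf-8", "replace")
        attrs.append((name, value))
    return CODES.get(code, f"code-{code}"), attrs

def exec_priv_level(attrs):
    """Privilege level from a 'shell:priv-lvl=N' Cisco-AVPair, or None if absent."""
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            level = value.split("=", 1)[1]
            return int(level) if level.isdigit() else None
    return None

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _packet(code, *attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples (not captured traffic): Service-Type 1 = Login, NAS-Port-Type 5 = Virtual.
REQUEST = _packet(1, _attr(1, b"netadmin"), _attr(6, b"\x00\x00\x00\x01"), _attr(61, b"\x00\x00\x00\x05"))
_PAIR = b"shell:priv-lvl=15"
ACCEPT = _packet(2, _attr(VSA, struct.pack("!IBB", CISCO, AVPAIR, len(_PAIR) + 2) + _PAIR))
```

Feeding it the UDP payload of a real Access-Request from your own device shows which attributes are available to match in the authorization rules.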
