06-03-2019 11:47 AM
Hello,
Are we able to do CLI access control with RADIUS only? I have seen third-party examples on ISE 1.x but nothing for 2.x and nothing official. Goal would be to control exec level access to Catalyst, ISR, and Nexus devices with RADIUS only. No TACACS license required.
-Eliott
06-04-2019 05:46 AM
I can confirm that as long as the network device allows Device Admin using the RADIUS protocol, then ISE will happily oblige. Cisco WLC and IOS devices all support this. For ISE it's just a PAP authentication. You need to figure out what attributes the NAS will include in its Access-Request and then catch that in your Policy Set Authorization Rules.
Below is what I figured out recently when I had to do this.
06-03-2019 02:53 PM
Hello Eliott,
Of course you should be able to do this.
Please check this document.
I know it's for ACS, but it's very much the same concept: the idea is to use the cisco-av pair on the authorization result and specify the attribute you would like to push.
Take a look, and if you face any challenges, feel free to ask.
Wishes.
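An added illustration, not part of any reply in this thread: a small RADIUS attribute decoder showing the two things the replies point at, the attributes a NAS places in its Access-Request and the cisco-av-pair returned in the authorization result. The packets, the username and the Service-Type/NAS-Port-Type values are constructed samples; check what your own devices actually send.

```python
import struct

CISCO = 9  # IANA enterprise number used in Cisco vendor-specific attributes
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
NAMES = {1: "User-Name", 6: "Service-Type", 61: "NAS-Port-Type"}

def attr(kind, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([kind, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying Cisco sub-attribute 1, cisco-av-pair."""
    data = text.encode()
    return attr(26, struct.pack("!I", CISCO) + bytes([1, len(data) + 2]) + data)

def packet(code, ident, attrs):
    body = b"".join(attrs)
    # The 16-byte authenticator is zeroed: this sample is never sent or verified.
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(pkt):
    """Return (packet name, [(attribute name, value), ...]); reject bad lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        kind, val = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
        if kind == 26 and len(val) >= 6 and val[:4] == struct.pack("!I", CISCO) and val[4] == 1:
            attrs.append(("cisco-av-pair", val[6:4 + val[5]].decode()))
        elif kind in (6, 61) and len(val) == 4:
            attrs.append((NAMES[kind], struct.unpack("!I", val)[0]))
        elif kind == 1:
            attrs.append((NAMES[kind], val.decode()))
        else:
            attrs.append(("attr-%d" % kind, val.hex()))
    return CODES.get(code, "code-%d" % code), attrs

def priv_level(attrs):
    """Exec privilege level granted by a shell:priv-lvl av-pair, or None."""
    for name, value in attrs:
        if name == "cisco-av-pair" and str(value).startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None

# Constructed samples: Service-Type 1 is Login, NAS-Port-Type 5 is Virtual (RFC 2865).
REQUEST = packet(1, 7, [attr(1, b"netadmin"), attr(6, struct.pack("!I", 1)), attr(61, struct.pack("!I", 5))])
ACCEPT = packet(2, 7, [cisco_avpair("shell:priv-lvl=15")])
```

The decoded request attributes are what an authorization rule would match on, and `priv_level` shows the exec level the reply grants.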