alemanetz
Beginner

How do I create a non-administrative RADIUS user?

Hello, I have some Cisco 2960X switches in which I authenticate using RADIUS.

I was wondering if there's a way to create a non-administrative user for them using a RADIUS server?

This user should only execute the following commands: show interface status, duplex <mode>, switchport, description, shutdown and no shutdown.

Is this possible?

luis_cordova
VIP Advisor

Hi @alemanetz,

Maybe this discussion of the community can help you:

https://community.cisco.com/t5/firewalls/privilege-level-assignment-via-radius/td-p/2221818

Regards

Damien Miller
VIP Advisor

If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it is still possible to restrict authentication users from accessing config t, just a different guide.

Thanks for your answer!

I'm using NPS as my RADIUS server. How would I go around this?
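
With a RADIUS-only server such as NPS, the usual approach is a custom IOS privilege level that the server assigns at login. The configuration below is an added example, not from the thread or from Cisco documentation quoted here. Level 5 and the use of the `default` method lists are assumptions, and the switch's existing RADIUS server definition is assumed to be in place.

```cisco
! Added example. Privilege level 5 is an arbitrary choice (assumption).
aaa new-model
aaa authentication login default group radius local
! Exec authorization is what makes the switch honour the privilege
! level returned by the RADIUS server.
aaa authorization exec default group radius local
!
! Lower the commands from the question to level 5.
privilege exec level 5 show interfaces status
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 no shutdown
privilege interface level 5 description
privilege interface level 5 duplex
! Caveat: this exposes every "switchport ..." subcommand, including
! VLAN and trunk settings. List specific subcommands instead if the
! operator should not be able to change them.
privilege interface level 5 switchport
!
! RADIUS side: the Access-Accept for the restricted group returns the
! Cisco vendor-specific attribute (vendor ID 9, attribute 1):
!   cisco-avpair = "shell:priv-lvl=5"
! Administrators stay in a separate policy returning shell:priv-lvl=15.
!
! Check after logging in as the restricted user:
!   show privilege     -> Current privilege level is 5
!   show running-config and other level-15 commands should be rejected
```

Privilege assignments are local to each switch, and anything moved to level 5 is also available to every level above it, so the `privilege` lines have to be deployed consistently across all 2960X units.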
