How do I create a non-administrative RADIUS user?

Hello, I have some Cisco 2960X switches in which I authenticate using RADIUS.

I was wondering if there's a way to create a non-administrative user for them using a RADIUS server?

This user should only execute the following commands: show interface status, duplex <mode>, switchport, description, shutdown and no shutdown.

Is this possible?

1 ACCEPTED SOLUTION

VIP Advisor

Re: How do I create a non-administrative RADIUS user?

If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it is still possible to restrict authentication users from accessing config t, just a different guide.

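One way to do the RADIUS-only restriction mentioned in the answer above is with IOS privilege levels. This is an added example, not taken from the posts or the linked guides; level 7, the default method lists and the admin policy returning level 15 are assumptions.

```cisco
! Added example, not from the thread. Level 7 is an arbitrary choice.
!
! RADIUS server side (NPS in this thread): the network policy for the
! restricted group returns the Cisco vendor-specific attribute
!   Cisco-AV-Pair = shell:priv-lvl=7
! Administrators match a separate policy returning shell:priv-lvl=15.
!
aaa new-model
! "local" is used only if no RADIUS server responds, so keep a local
! account for break-glass access.
aaa authentication login default group radius local
! Without exec authorization the priv-lvl attribute is not applied and
! the session starts at the line's default privilege level.
aaa authorization exec default group radius local
!
! Exec mode: the one show command requested, plus entry to config mode.
privilege exec level 7 show interfaces status
privilege exec level 7 configure terminal
!
! Global config mode: only allow entering interface configuration.
privilege configure level 7 interface
!
! Interface mode: the commands listed in the question.
privilege interface level 7 description
privilege interface level 7 duplex
privilege interface level 7 switchport
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
```

After applying, log in as the restricted user, check the level with show privilege, and confirm that commands outside the list are rejected. IOS releases differ in how the sub-options of a command inherit the level, so test each listed command on the 2960X before rollout.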

3 REPLIES
VIP Advisor

Re: How do I create a non-administrative RADIUS user?

Hi @alemanetz,

Maybe this community discussion can help you:

https://community.cisco.com/t5/firewalls/privilege-level-assignment-via-radius/td-p/2221818

Regards

Beginner

Re: How do I create a non-administrative RADIUS user?

Thanks for your answer!

I'm using NPS as my RADIUS server. How would I go about this?