cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1046
Views
0
Helpful
3
Replies

How do I create a non-administrative RADIUS user?

alemanetz
Level 1
Level 1

Hello, I have some Cisco 2960X switches in which I authenticate using RADIUS.

 

I was wondering if there's a way to create a non-administrative user for them using a RADIUS server?

This user should only execute the following commands: show interface status, duplex <mode>, switchport, descriptionshutdown and no shutdown.

 

Is this possible?

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni
If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it still possible to restrict authentication users from accessing config t, just a different guide.

View solution in original post

3 Replies 3

luis_cordova
VIP Alumni
VIP Alumni

Hi @alemanetz ,

 

Maybe this discussion of the community can help you:

https://community.cisco.com/t5/firewalls/privilege-level-assignment-via-radius/td-p/2221818

 

Regards

Damien Miller
VIP Alumni
VIP Alumni
If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it still possible to restrict authentication users from accessing config t, just a different guide.

Thanks for your answer!

 

I'm using NPS as my RADIUS server. How would I go around this?