Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1152
Views
0
Helpful
3
Replies

How do I create a non-administrative RADIUS user?

Go to solution
alemanetz
Level 1
Level 1

‎04-15-2019 04:14 PM - edited ‎02-21-2020 11:04 AM

Hello, I have some Cisco 2960X switches in which I authenticate using RADIUS.

 

I was wondering if there's a way to create a non-administrative user for them using a RADIUS server?

This user should only execute the following commands: show interface status, duplex <mode>, switchport, descriptionshutdown and no shutdown.

 

Is this possible?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-15-2019 05:52 PM

If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it still possible to restrict authentication users from accessing config t, just a different guide.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
luis_cordova
VIP Alumni
VIP Alumni

‎04-15-2019 05:10 PM

Hi @alemanetz ,

 

Maybe this discussion of the community can help you:

https://community.cisco.com/t5/firewalls/privilege-level-assignment-via-radius/td-p/2221818

 

Regards

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-15-2019 05:52 PM

If the RADIUS server that you are using is ISE, then it is commonly done with TACACS.

You create a shell profile for the device, a command set (limiting commands), and then an authentication and authorization rule that the user/switch matches. This is a good graphical guide showing an example.
https://networkproguide.com/configure-cisco-ise-tacacs-server/

If the RADIUS server you are using doesn't offer TACACS, it still possible to restrict authentication users from accessing config t, just a different guide.
0 Helpful

Go to solution
alemanetz
Level 1
Level 1
In response to Damien Miller

‎04-16-2019 06:39 AM

Thanks for your answer!

 

I'm using NPS as my RADIUS server. How would I go around this?

0 Helpful
Top