cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
450
Views
0
Helpful
2
Replies

Microsoft RADIUS aaa and ability to lock users down

Our team has grown and we are looking to segment out access to devices.  Today we have a mix of Cisco ASA firewalls, Routers, Cisco catalyst switches, and some Nexus switches in our environment.  Since our team has grown we are wanting to restrict access to devices based on user ID in RADIUS authentication.  We do not have ISE and are looking at if we can do this without TACACS or ISE.  We simply have a Microsoft RADIUS server we use that points to our LDAP.  Just simple auth for now.  Has anyone been able to setup RADIUS to compartmentalize access to specific devices?  As an example, user XYZ should only have access to switches, while user ABC should only have access to ASA Firewalls.  Can we match on specific attributes returned by Cisco devices?  

 

Update: Just found out we do have Cisco ISE but we do not have the TACACS license, so we can only support RADIUS.  If we can only use RADIUS on our ISE can we still lock down users to specific devices using Cisco ISE with RADIUS?  OR do you have to have TACACS ?

2 Replies 2

davidgfriedman
Beginner
Beginner

We happen to use our ISE with the device management license to control switches, firewalls, webapps (yes webaps), Infoblox, etc. with a combination of Radius policies and TACACS+ polices.  FWIW, most people here interchange "NAC" with the word "ISE" now in meetings, so I jokingly call ISE device management TACISE.  

Anyway, we have users defined with Windows roles, which are used for some devices with Radius or TACACS+ protocols. In some cases those policies send back attributes, like you'd see on Infoblox appliances or Palo Alto Firewalls, and in some cases they check individual commands, like on Cisco ASAs, Cisco switches, certain voice gateways, etc.  You can go as deep down the rabbit hole as you want, control-wise. Just be sure to define your device groups correctly and your policy sets or radius attributes will work fine for the desired group + equipment combinations.

Regards,
David

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

Hi glenn@netravine.com ,

 1st TACACS+ provides more control over the Authorization of commands, in RADIUS, no external Authorization of commands is supported.

 2nd please take a look at How to Configure SGT using Cisco ISE.

Hope this helps !!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers