Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
654
Views
0
Helpful
2
Replies

Microsoft RADIUS aaa and ability to lock users down

glenn@netravine.com
Level 1
Level 1

‎08-26-2022 09:02 AM

Our team has grown and we are looking to segment out access to devices.  Today we have a mix of Cisco ASA firewalls, Routers, Cisco catalyst switches, and some Nexus switches in our environment.  Since our team has grown we are wanting to restrict access to devices based on user ID in RADIUS authentication.  We do not have ISE and are looking at if we can do this without TACACS or ISE.  We simply have a Microsoft RADIUS server we use that points to our LDAP.  Just simple auth for now.  Has anyone been able to setup RADIUS to compartmentalize access to specific devices?  As an example, user XYZ should only have access to switches, while user ABC should only have access to ASA Firewalls.  Can we match on specific attributes returned by Cisco devices?  

 

Update: Just found out we do have Cisco ISE but we do not have the TACACS license, so we can only support RADIUS.  If we can only use RADIUS on our ISE can we still lock down users to specific devices using Cisco ISE with RADIUS?  OR do you have to have TACACS ?

Labels:
0 Helpful
2 Replies 2

davidgfriedman
Level 1
Level 1

‎08-26-2022 09:58 AM

We happen to use our ISE with the device management license to control switches, firewalls, webapps (yes webaps), Infoblox, etc. with a combination of Radius policies and TACACS+ polices.  FWIW, most people here interchange "NAC" with the word "ISE" now in meetings, so I jokingly call ISE device management TACISE.  

Anyway, we have users defined with Windows roles, which are used for some devices with Radius or TACACS+ protocols. In some cases those policies send back attributes, like you'd see on Infoblox appliances or Palo Alto Firewalls, and in some cases they check individual commands, like on Cisco ASAs, Cisco switches, certain voice gateways, etc.  You can go as deep down the rabbit hole as you want, control-wise. Just be sure to define your device groups correctly and your policy sets or radius attributes will work fine for the desired group + equipment combinations.

Regards,
David

0 Helpful

Marcelo Morais
VIP
VIP

‎08-26-2022 09:16 PM

Hi glenn@netravine.com ,

 1st TACACS+ provides more control over the Authorization of commands, in RADIUS, no external Authorization of commands is supported.

 2nd please take a look at How to Configure SGT using Cisco ISE.

Hope this helps !!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents