10-09-2012 11:55 PM - edited 03-10-2019 07:39 PM
Hi,
Does anybody know if RADIUS device administration authentication and authorization is possible with the actual ISE release? I know that TACACS will be available in a future release.
Regards
Joerg
10-11-2012 12:12 AM
Yes, it's possible according to the "Ask the experts" forum:
--------------------------
https://supportforums.cisco.com/thread/2172532
"If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs. But personally, I think ACS is currently superior to ISE for this task."
--------------------------
Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with RADIUS and ISE.
Please rate if it helps
10-12-2012 01:01 AM
Hi,
thanks for your feedback.
Please post the results of your tests when you have done them.
Regards
Joerg
10-12-2012 08:49 AM
Yes, you can use RADIUS even in the ACS days for device administration; however, command authorization is not a feature that works efficiently with RADIUS.
If you are using IOS devices, your authorization policy should send back the "cisco-av-pair=priv-lvl=15". Please consult the product documentation for a RADIUS authentication and the RADIUS av pair should be present in most guides. I know you can do this with IOS, NX-OS, WLC devices to name a few.
Thanks,
Tarik Admani
*Please rate helpful posts*
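Added example, not part of the thread and not Cisco's code: a Python check that decodes the Cisco av-pairs carried in a RADIUS Access-Accept (Vendor-Specific attribute 26, vendor ID 9, sub-type 1) and reports the privilege level the policy grants, useful for confirming that a device-admin authorization rule hands out only the level intended. The packet is constructed inline with a zeroed authenticator, and the function names are hypothetical; both the bare `priv-lvl=15` form quoted above and the `shell:priv-lvl=15` form are accepted.

```python
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
VSA_TYPE = 26           # Vendor-Specific attribute
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # vendor sub-type that carries cisco-av-pair strings

def build_accept(avpairs, ident=1):
    """Build a constructed Access-Accept (zeroed authenticator, sample data only)."""
    attrs = b""
    for pair in avpairs:
        data = pair.encode("ascii")
        sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
        body = struct.pack("!I", CISCO_VENDOR_ID) + sub
        attrs += struct.pack("!BB", VSA_TYPE, len(body) + 2) + body
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), bytes(16))
    return header + attrs

def cisco_avpairs(packet):
    """Return every cisco-av-pair string found in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if (atype == VSA_TYPE and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub = value[4:]
            # Walk the vendor sub-attributes inside this VSA.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == CISCO_AVPAIR:
                    pairs.append(sub[2:sub[1]].decode("ascii", "replace"))
                sub = sub[sub[1]:]
        pos += alen
    return pairs

def granted_priv_level(packet):
    """Highest priv-lvl in the reply, or None when the policy returns none."""
    levels = []
    for pair in cisco_avpairs(packet):
        key, _, val = pair.rpartition("=")
        if key.split(":")[-1] == "priv-lvl" and val.isdigit():
            levels.append(int(val))
    return max(levels) if levels else None
```
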