RADIUS assistance between switch and ISE 1.4

Brett Verney
Level 1

Hi there,

I have a client who is using ISE 1.4 for RADIUS access for all their network infrastructure access (switches/routers, WLCs and ASAs) as well as wired 802.1X for various devices.

When a network administrator uses SSH to access the switches and routers, they are immediately put into 'privileged exec' mode (privilege level 15). They want to change this so they initially get put into 'user exec' mode (privilege level 1), with the option of typing 'enable' to get put into privileged exec.

This is more for the junior guys, who want the extra level of caution when typing the base level show commands. But they still want to be able to make changes when authorized.

What is the best way to do this?

I am used to TACACS for Device Administration, not so much RADIUS. I know ISE 2.0 has the ability to pass down the 'default privilege level' of 1 and a 'maximum privilege level' of 15 to achieve the same result, but unfortunately we are not ready to move to TACACS or ISE 2.0.

Switch config:

aaa new-model
!
!
aaa group server radius ISE
server name ise1
server name ise2
ip radius source-interface Vlan100
load-balance method least-outstanding batch-size 5
!
aaa authentication login default local group radius
aaa authentication dot1x default group ISE
aaa authorization exec default local group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!
!
!
!
aaa server radius dynamic-author
client 10.207.89.78 server-key 7 xxxxxxxxxx
client 10.207.89.79 server-key 7 xxxxxxxxxx
!
aaa session-id common
!
ip radius source-interface Vlan899
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ise1
address ipv4 10.207.89.78 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxx
!
radius server ise2
address ipv4 10.207.89.79 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxx
!

ISE AuthZ config:

if (AD:ExternalGroups EQUALS Infrastructure Admins) then Access-Accept & cisco-av-pair = shell:priv-lvl=15

Thanks!

-Brett

1 Reply

jkuehl
Level 1
if (AD:ExternalGroups EQUALS Junior Admins) then Access-Accept-lvl-1 & cisco-av-pair = shell:priv-lvl=1


You can try setting something like this up, where the junior guys are in their own AD group and get authorized with a different profile.
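The two authorization rules in this thread (the original post's Infrastructure Admins rule with shell:priv-lvl=15, and the reply's Junior Admins rule with shell:priv-lvl=1) both work by ISE returning a Cisco vendor-specific attribute in the Access-Accept, which the switch's `aaa authorization exec default local group ISE` line consumes. The following is an added example, not code from the thread or from Cisco: it models first-match evaluation of those two rules as a small policy table, then encodes the resulting cisco-av-pair as an RFC 2865 Vendor-Specific attribute (type 26, vendor id 9, sub-attribute 1) and decodes it back, so you can see exactly what the switch receives. The rule ordering and the AD group names are taken from the thread; the ordering being "Infrastructure Admins first" is an assumption, as is everything else in the code.

```python
import struct

# RADIUS constants (RFC 2865 and Cisco's vendor id / sub-attribute for cisco-av-pair)
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_SUBTYPE = 1

# Constructed model of the ISE authorization rules discussed in the thread,
# evaluated top-down, first match wins (assumed ordering: admins before juniors).
AUTHZ_RULES = [
    ("Infrastructure Admins", 15),  # original post: shell:priv-lvl=15
    ("Junior Admins", 1),           # reply: shell:priv-lvl=1
]


def select_priv_lvl(ad_groups):
    """Return the priv-lvl the first matching rule grants, or None (no rule matched)."""
    for group, lvl in AUTHZ_RULES:
        if group in ad_groups:
            return lvl
    return None


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific (26) attribute carrying a Cisco (9) cisco-av-pair (1)."""
    v = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, 2 + len(v)) + v
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_accept_attrs(ad_groups) -> bytes:
    """Attribute list an Access-Accept would carry for these groups (empty if no rule matched)."""
    lvl = select_priv_lvl(ad_groups)
    if lvl is None:
        return b""
    return encode_cisco_avpair(f"shell:priv-lvl={lvl}")


def decode_attributes(data: bytes):
    """Walk a RADIUS attribute list (TLV) and return a list of (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def cisco_avpairs(attrs):
    """Extract every cisco-av-pair string from the Cisco VSAs in an attribute list."""
    out = []
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(v):
            st, sl = v[j], v[j + 1]
            if sl < 2 or j + sl > len(v):
                raise ValueError("malformed VSA")
            if st == CISCO_AVPAIR_SUBTYPE:
                out.append(v[j + 2:j + sl].decode())
            j += sl
    return out


def granted_priv_lvl(data: bytes):
    """Privilege level a switch would read from the Access-Accept, or None if absent."""
    for pair in cisco_avpairs(decode_attributes(data)):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


if __name__ == "__main__":
    for groups in ({"Infrastructure Admins"}, {"Junior Admins"}, {"Staff"}):
        wire = build_accept_attrs(groups)
        print(sorted(groups), wire.hex(), granted_priv_lvl(wire))
```

Running the script shows the junior group landing at priv-lvl 1 and the admin group at 15; a user in neither group gets no cisco-av-pair at all, which is the case to watch when auditing the policy set, since an Access-Accept with no privilege attribute leaves the outcome to the switch rather than to ISE.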