Beginner

Privilege level assignment via RADIUS

We currently have AAA authentication set up for LDAP integration with our RADIUS server. However, it is all or none. Users either are part of the Cisco Admins group and can log in to routers and switches, or cannot at all. We would like to express the idea of having a separate group for our help desk staff to at least have the ability to log in and run show commands in privileged exec mode but not access global config. Is this doable or wishful thinking?

 

4 REPLIES
VIP Advisor

Re: Privilege level assignment via RADIUS

RADIUS (ACS or ISE):

you can create 2 groups in ACS, one for admins and one for users; add the help desk to the read group and the engineers to the admin group.

 

BB
*** Rate All Helpful Responses ***
Cisco Employee

Re: Privilege level assignment via RADIUS

Yup, you can.

Make sure to configure the correct associated privilege level with its commands.

You can do this locally on the network device:

 

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

 

 

Then on ISE, for the read group, give them the privilege level that you customized for read-only and it should work.

Remember this is the limitation we have, because with RADIUS there is no command authorization.

If you have any questions we are here to help you :)

Let me know how it goes.

 

Yazan 

Rising star

Re: Privilege level assignment via RADIUS

I would just like to add that if you want to send a priv-level via RADIUS to a Cisco device you have to use the cisco av-pair attribute, and set it to "priv-lvl=NUMBER" where NUMBER is between 0 and 15.

For ISE this would be under an authorization profile. The authorization profile can be set under an authorization policy in your policy set.
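Putting the two replies above together (the local privilege-level mapping on the device, and the privilege level delivered by RADIUS), here is a worked configuration. This is an added example and is not code from any poster, from Cisco, or from the ISE product; the privilege number 5, the server name and address (ISE-PSN1, 192.0.2.10), the AAA group name ISE, the authorization profile names and the placeholder shared secret are all assumptions.

```cisco-ios
! --- On the IOS device: carve out a read-only level (level 5 is assumed) ---
! Only the listed show commands are moved down to level 5. Nothing from
! "configure terminal" is moved, so a level-5 session cannot reach global config.
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
privilege exec level 5 show cdp neighbors
privilege exec level 5 show logging
privilege exec level 5 show version
! Deliberately NOT moved: show running-config / show startup-config, which expose
! whatever credentials and keys are stored in the configuration.
!
! --- AAA: authentication alone is not enough. Exec authorization is what makes the
!     device apply the priv-lvl the RADIUS server returns; without it the session
!     lands at the default level regardless of what the server sent.
aaa new-model
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-PSN1
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! --- On ISE (or any RADIUS server): two authorization profiles, assumed names ---
! Profile "NetOps-HelpDesk"  (help-desk directory group):
!   Service-Type  = NAS-Prompt (7)
!   cisco-av-pair = shell:priv-lvl=5
! Profile "NetOps-Admin"     (network-engineer directory group):
!   Service-Type  = NAS-Prompt (7)
!   cisco-av-pair = shell:priv-lvl=15
!
! --- Checks from the device ---
! test aaa group ISE hd-user <password> new-code   ! prints the attributes ISE returned
! show privilege                                    ! as a help-desk user: "Current privilege level is 5"
! configure terminal                                ! from level 5 this is rejected
```

Two caveats a practitioner should keep in mind. First, the full attribute string is shell:priv-lvl=N; sending the bare priv-lvl=N will not be applied. Second, privilege levels only decide which commands parse at a level; a level-5 user who knows the enable secret can still type enable and reach level 15, so either authenticate enable through the same server (aaa authentication enable default group ISE enable) or keep the enable secret out of help-desk hands. Per-command authorization, as the earlier reply notes, is not something RADIUS provides.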
Beginner

Re: Privilege level assignment via RADIUS

Thank you for the response.
Here is what we have built in RADIUS. The Cisco Admins group works; however, the Cisco Users group does not.
[image: RADIUS group configuration (attachment not available)]
Here is what we have configured on our devices. Could I possibly be missing something?
[image: device AAA configuration (attachment not available)]
Thanks,
Michael Krempges
Network Technician
Horizon Health Care, Inc.
109 N Main Street, PO Box 99
Howard, SD 57349
Office: 605.772.4525
Fax: 605.772.4514
www.horizonhealthcare.org