We currently have AAA authentication set up for LDAP integration with our RADIUS server. However, it is all or nothing: users either are part of the Cisco Admins group and can log in to routers and switches, or cannot at all. We would like to have a separate group for our help desk staff so they can at least log in and run show commands in privileged EXEC mode, but not access global configuration. Is this doable or wishful thinking?
RADIUS (ACS or ISE):
You can create 2 groups in ACS for the admins and the users: add the help desk to the read group and the engineers to the admin group.
Yup, you can.
Make sure to configure the correct associated priv level with its commands; you can do this locally on the network device.
Then on ISE, for the read group, give them the priv level that you customized for read-only and it should work.
Remember, this is the limitation we have because on RADIUS there is no command authorization.
If you have any questions we are here to help you :)
Let me know how it goes.
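A concrete version of the setup described above, added as an example that is not from the thread: the device-side IOS/IOS-XE configuration for a custom level 5 plus the RADIUS attributes ISE/ACS has to return. The server address, shared secret, profile names and usernames are placeholders.

```text
! Added example, not from the thread. Device side (IOS/IOS-XE).
! Assumes a RADIUS server at 192.0.2.10 (placeholder) and level 5 for the help desk.
aaa new-model
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
aaa group server radius ISE
 server name ISE-1
aaa authentication login default group ISE local
! exec authorization is what makes the device honour the priv-lvl returned by RADIUS;
! without it every RADIUS user lands at level 1 regardless of the attribute
aaa authorization exec default group ISE local
!
! Custom privilege level 5: privileged EXEC, but only show commands.
privilege exec level 5 show
! show running-config is level 15 by default, so it must be moved explicitly.
privilege exec level 5 show running-config
! Local fallback accounts, used only if the RADIUS server is unreachable.
username helpdesk privilege 5 secret <placeholder>
username netadmin privilege 15 secret <placeholder>
!
! ISE/ACS side: two authorization profiles (placeholder names), selected by rules
! that match the user's AD/LDAP group:
!   HelpDesk-ReadOnly : Service-Type   = NAS-Prompt-User
!                       cisco-av-pair  = "shell:priv-lvl=5"
!   NetAdmin-Full     : Service-Type   = NAS-Prompt-User
!                       cisco-av-pair  = "shell:priv-lvl=15"
!
! Check from a help desk login: "show privilege" should report
! "Current privilege level is 5", and "configure terminal" should be refused.
! Caveat: below level 15, "show running-config" only displays the parts of the
! config that level is allowed to edit; "show running-config view full" exists on
! newer IOS releases for a read-only view of the whole config.
```

Because this is privilege levels rather than per-command authorization (which RADIUS cannot do), the only barrier between level 5 and level 15 is the level-15 enable secret, so it must stay with the admin group.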