SEC0036 - ISE 1.1 Device Admin RADIUS Authorization

The video walks you through how to configure Cisco ISE to provide device admin authorization via RADIUS. We look at how to restrict access on a Cisco switch based on group membership in both an AD user group and a local Identity Group. In addition, we attempt to automatically assign the shell privilege level using a RADIUS attribute at user login.
Note:
  •  Per-command authorization is not available, as it is not natively supported by RADIUS. It would require TACACS+, which is not available as of ISE 1.1.2.
Topic
  • Device admin authorization based on group (local and AD) membership
  • Policy Element (Authorization Condition)
  • Policy Element (Authorization Profile)
  • RADIUS Attribute for Privilege 15
  • 'aaa authorization exec'
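
The switch-side AAA configuration that the topics above assume, written here as an added example (not the lab's own config). The ISE address, shared secret and server names are placeholders; the ISE Authorization Profile attribute shown in the comments is the standard cisco-av-pair that sets the exec privilege level.

```cisco
! Added example: Cisco IOS switch configured for device admin over RADIUS
! against ISE. Addresses, names and secrets are placeholders.
aaa new-model
!
! ISE policy node as RADIUS server (placeholder address and key)
radius-server host 198.51.100.10 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius ISE-RADIUS
 server 198.51.100.10 auth-port 1812 acct-port 1813
!
! Login authentication goes to ISE; 'local' is only reached when ISE is
! unreachable (a REJECT from ISE does not fall through to local accounts).
aaa authentication login default group ISE-RADIUS local
!
! Exec authorization is what makes the switch honour the privilege level
! returned in the Access-Accept; without it every user lands at level 1.
aaa authorization exec default group ISE-RADIUS local
!
! Only needed if ISE also returns a downloadable ACL for the session
! (port-based access control); it is not required for device admin.
aaa authorization network default group ISE-RADIUS
!
! Keep console access on local accounts so a RADIUS outage cannot lock
! out an on-site administrator.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
!
! ISE side (Authorization Profile, Advanced Attributes Settings):
!   Cisco:cisco-av-pair = shell:priv-lvl=15
! Return this profile only for the authorization rule that matches the
! admin AD group or local Identity Group; a second profile that omits the
! AV-pair leaves other users at privilege 1 (verify with 'show privilege').
```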

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

6 comments

Hello,

Apart from testing user privilege with a switch, how can one test to ensure the various permissions are effective?

Thank You

It depends on what device you are testing with and what RADIUS attributes are supported. An example would be a Wireless LAN Controller, which takes various sets of RADIUS attributes to allow different levels of access.

I have created a Downloadable ACL to prevent users who pass authorization from accessing the NOC network. But after the user authorization succeeds, they can still access the NOC network. That means the Downloadable ACL is not taking effect. I have checked the log; these users match the right rule with the right Downloadable ACL. The only problem here is that the Downloadable ACL has no effect. Do I have to assign an ACL to the port that does authorization for the Downloadable ACL to take effect? I use a Cisco SG200 switch and I don't think it supports ACLs. Any way out for me please?

We are not seeing the SG200 listed under the link below, so most likely dACL is not supported.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_...


So if my switch supports Downloadable ACLs, do I need to do something else for the Downloadable ACL to take effect? Or is it enough to create a Downloadable ACL on ISE, add it to an authorization profile, and specify that authorization profile in an authorization rule?

You will need to make sure the switch is configured for aaa authorization network as well; otherwise it won't accept the dACL from ISE. Check out our ISE switch config video to make sure you have all the commands.