Thursday, February 15, 2018

Using Cisco ISE for Device Administration, but with RADIUS instead of TACACS+.

Basically the title covers it. I realize that TACACS+ would be the preferred method, but we didn't get that license.

Presently, anyone who succeeds at authentication with AD can log in to our network devices, too.

I've seen some mention that while you can't use authentication to prevent this, you can use an authorization policy to make sure that once they are logged in, they can't actually run any commands.

I'm thinking this would be our best bet, so if anyone knows how this is accomplished or can link to a guide, that'd be super appreciated. I spent most of the day yesterday trying to find a way to do this with RADIUS, but to no avail.

Edit: Thanks guys, I've got it working now, once y'all pointed me in the right direction.


