000033955 - How to configure RADIUS profiles to segment user permissions in Cisco devices for RSA Authentication Manager 8.x

• Customer network devices are getting authenticated through RSA Authentication Manager using an Active Directory account.
• Currently these users have full access to the network devices.
• The requirement is to grant Read-Write access for administrative users while Read-Only access for other users, the Service Desk for example.

1.  Create the RSA RADIUS client for a Cisco network device. In the Security Console.  
   
   1. Click RADIUS > RADIUS Clients > Add New.  
   2. Important: For the Make/Model option select Cisco IOS 11.1 or later.
   3. Complete the form and click Save with associated agent.  .
   4. Click Save. 
2. In the Security Console, click RADIUS > RADIUS Profiles > Add New.
3. Create a RADIUS profile, selecting the Return List attribute of Cisco-AVPAIR then configure the value with shell:priv-lvl=<integer between 1 to 15>. The administrative attribute for Read-Write should be either
   
   1. The av-pair, that is shell:priv-lvl=15

2. The attribute for read-only can be the av-pair shell:priv-lvl=1

Note that the priv-lvl value ranges from 1 to 15 depending on your router enable privilege config.

The 15 represents full admin access into the Cisco device and the lower values represent a lesser privilege than 15/full admin access.

4. In the Security Console, click RADIUS > RADIUS Profiles > Manage Existing and select the profile from the context menu.
5. Select Associated Users.
6. Click Assign to More.
7. Search for the users to link to this profile and select them.
8. Click Assign Profile.
9. Verify authentication with the user ID.