How to configure RADIUS profiles to segment user permissions in Cisco devices for RSA Authentication Manager 8.x
RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1 or later
Customer network devices are getting authenticated through RSA Authentication Manager using an Active Directory account.
Currently these users have full access to the network devices.
The requirement is to grant Read-Write access for administrative users while Read-Only access for other users, the Service Desk for example.
Create the RSA RADIUS client for a Cisco network device. In the Security Console.
Click RADIUS > RADIUS Clients > AddNew.
Important: For the Make/Model option select Cisco IOS 11.1 or later.
Complete the form and click Save with associated agent. .
In the Security Console, click RADIUS > RADIUS Profiles > AddNew.
Create a RADIUS profile, selecting the Return List attribute of Cisco-AVPAIR then configure the value with shell:priv-lvl=<integer between 1 to 15>. The administrative attribute for Read-Write should be either
The av-pair, that is shell:priv-lvl=15
The attribute for read-only can be the av-pair shell:priv-lvl=1
Note that the priv-lvl value ranges from 1 to 15 depending on your router enable privilege config.
The 15 represents full admin access into the Cisco device and the lower values represent a lesser privilege than 15/full admin access.
In the Security Console, click RADIUS > RADIUS Profiles > Manage Existing and select the profile from the context menu.
Select Associated Users.
Click Assign to More.
Search for the users to link to this profile and select them.