Is it possible to set up RSA SecurID token access so that the same user gets different permissions on different device groups? For instance, if I want a user to have token access to Cisco Wireless LAN Controllers with read/write permissions but read-only permissions on Cisco routers, would this be possible?
Going further, would I be able to make permissions even more granular, for instance in Cisco Prime, setting user permissions that go beyond read/write or read-only and actually limit users to certain virtual domains using various strings?
You can do this with RADIUS authentication by setting up a RADIUS profile for the user with Cisco-specific RADIUS return attributes that tell the Cisco device (a) this user is authenticated [Access-Accept] and (b) here are additional settings for the user. This depends on the Cisco device being able to use RADIUS (most or all can) and also being able to understand incoming attributes (most Cisco devices that can do RADIUS auth can handle attributes). So seek Cisco documentation on which attributes do [what you want]; after that it is somewhat trivial to make the RSA server send those attributes for a user. You can pile on the attributes and send many of them, up to the maximum size limit of a RADIUS packet payload (depending on the payload this can be 50 to 100 attributes or more), and per the RADIUS RFC, if a RADIUS device sees an attribute it doesn't need or want it should ignore it and just process the ones it needs. So, essentially yes, you can do a lot with RADIUS attributes and instruct the Cisco device that "this user needs exec-level privileges and needs these IP networks and ..." whatever the Cisco device is capable of doing with attributes.
Very common is the cisco-avpair attribute, which can do multiple things. A few examples:
cisco-avpair = "ip:addr-pool=first"
cisco-avpair = "shell:priv-lvl=15"
The first example causes Cisco's "Multiple Named IP Address Pools" feature to be activated during IP authorization (during PPP's IPCP address assignment).
The second example causes a user logging in from a network access server to have immediate access to EXEC commands.
NOTE: RSA RADIUS does not handle any form of CHAP, so avoid configuring RADIUS CHAP options on the Cisco side.
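The answer above describes the mechanism in words: the RADIUS server puts Cisco-specific attributes in the Access-Accept, the device applies the ones it understands and ignores the rest. As an added example (not code from the original post, and not RSA's or Cisco's implementation), the following Python builds an Access-Accept carrying the two cisco-avpair values shown above inside an RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor ID 9, sub-type 1), computes the Response Authenticator that lets the device check the reply came from a server holding the shared secret, and then parses the packet the way a receiving device would, skipping unknown attributes and other vendors' VSAs. The shared secret, Request Authenticator and the unknown attribute type 200 are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct

# RFC 2865 constants
CODE_ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1      # Cisco vendor sub-type carrying "key=value" text


def encode_attr(attr_type, value):
    """Plain RADIUS TLV: Type (1), Length (1, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_cisco_avpair(text):
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, avpairs, extra_attrs=b""):
    """Server side: Access-Accept with the per-user attributes and a valid
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(encode_cisco_avpair(a) for a in avpairs) + extra_attrs
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Device side: reject replies not produced with the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(data):
    """Walk a TLV list; the same layout is used for VSA sub-attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def extract_cisco_avpairs(packet):
    """Keep only Cisco cisco-avpair strings; everything else is ignored,
    as the RFC requires for attributes the device does not use."""
    pairs = []
    for t, v in parse_attrs(packet[20:]):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue  # another vendor's VSA
        for sub_type, sub_val in parse_attrs(v[4:]):
            if sub_type == CISCO_AVPAIR:
                pairs.append(sub_val.decode())
    return pairs


def privilege_level(avpairs, default=1):
    """Map shell:priv-lvl to the EXEC privilege the device would grant."""
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key == "shell:priv-lvl":
            return int(val)
    return default


# Constructed demo values (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
EXTRA = encode_attr(ATTR_REPLY_MESSAGE, b"Welcome") + encode_attr(200, b"unknown")


def demo():
    pkt = build_access_accept(1, REQUEST_AUTH, SECRET,
                              ["shell:priv-lvl=15", "ip:addr-pool=first"], EXTRA)
    if not verify_response(pkt, REQUEST_AUTH, SECRET):
        raise RuntimeError("Response Authenticator check failed")
    pairs = extract_cisco_avpairs(pkt)
    return pairs, privilege_level(pairs)


if __name__ == "__main__":
    print(demo())
```

The same encoder serves the read/write-versus-read-only case from the question: the server returns `shell:priv-lvl=15` in one profile and a lower level in another, and which profile a user gets is decided by server-side policy, not by anything in the packet format itself.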