The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the compilation of attributes that various Cisco and non-Cisco products expect to receive from an AAA server like a Cisco ISE.
Cisco and non-Cisco products expect to receive a compilation of attributes from an authentication, authorization, and accounting (AAA) server. In this case, the server is a Cisco ISE and the ISE would return these attributes along with an Access-Accept as a part of an authorization profile (RADIUS).
This document provides step-by-step instructions on how to add custom attribute authorization profiles and also contains a list of devices and the RADIUS attributes that the devices expect to see returned from the AAA server. All topics include examples.
The list of attributes provided in this document is neither exhaustive nor authoritative and can change at any time without an update to this document.
Device Administration of a network device is generally achieved with TACACS+ protocol but if the network device does not support TACACS+ or if ISE does not have a device administration license, it can be achieved with RADIUS as well if the network device supports RADIUS device administration. Some devices support both of the protocols and it is up to the users to decide which protocol to use but TACACS+ can be favorable as it has features such as command authorization and command accounting.
Cisco recommends you have the knowledge of these:
The information in this document is based on Cisco Identity Services Engine (ISE) 3.x and higher versions of ISE.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Step 1. Create the Vendor-Specific Attributes (VSA)
There can be various dictionaries created for each of the vendors, and attributes can be added to each of these dictionaries. Each dictionary can have multiple attributes that can be used in the authorization profiles. Each attribute, in general, defines the different role of device administration a user could get when he logs in to the network device. However, the attribute can be intended for different purposes of operation or configuration on the network device.
ISE comes with pre-defined attributes for a few vendors. If the vendor is not listed, it can be added as a dictionary with attributes. For some network devices, the attributes are configurable and can be changed for various types of access, if that is the case, ISE has to be configured with attributes the network device expects for different types of access.
The attributes which are expected to be sent with a Radius Access-Accept are defined as here:
Note: Each of the fields entered as values in this section are to be provided by the vendor themselves. The vendor websites can be visited or vendor support can be contacted in case these are not known.
Note: Not all of the vendors require a specific dictionary to be added. If the vendor can use the radius attributes defined by IETF, which exist on ISE already, this step can be skipped.
Step 2. Create a Network Device Profile
This section is not mandatory. A network device profile helps segregate the type of network device which is added and create appropriate authorization profiles for them. Just like radius dictionaries, ISE does have a few pre-defined profiles which can be used. If not already present, a new device profile can be created.
This is the procedure to add a network profile :
Step 3. Add the Network Device on ISE
The network device on which device administration is achieved has to be added on ISE along with a key that is defined on the network device. On the network device, ISE is added as a radius AAA server with this key.
This is the procedure to add a device on ISE:
Step 4. Create Authorization Profiles
The final result that is pushed from ISE as an Access-Accept or Access-Reject is defined in an authorization profile. Each authorization profile can push additional attributes that the network device expects.
This is the procedure to create an authorization profile:
The types of profiles that can be added are Access-Accept and Access-Reject.
This profile is used for some kind of access to the network device. This profile can have multiple attributes passed along with it. Here are the steps:
Create multiple Authorization Profiles for each of the results/roles/authorizations ISE is expected to send.
Note: The consolidated attributes can be verified under the Attribute Details field.
This profile is used to send a rejection for device administration but can still be used to send attributes along with it. This is used to send a Radius Access-Reject packet. The steps remain the same except step one where Access-Reject has to be chosen instead of Access-Accept for the Access Type.
Step 5. Create a Policy Set
Policy sets on ISE are evaluated top to down and the first one which satisfies the condition set in the policy sets is responsible for the ISE's response to the Radius Access-Request packet sent by the network device. Cisco recommends a unique policy set for each type of device. The condition to evaluate the user's authentication and authorization happen at evaluation. If ISE has external identity sources, it can be used for the type of authorization.
A typical policy set is created this way:
Any device that supports device administration with Radius can be added on ISE with a few modifications to all the steps mentioned in the previous section. Hence, this document has a list of devices that work with the information provided in this section. The list of attributes and values provided in this document is neither exhaustive nor authoritative and can change at any time without an update to this document. Please consult the vendor websites and vendor support for validation.
Separate dictionary and VSAs need not be created for this as it uses Cisco AV pairs which are already present on ISE.
Attribute(s): cisco-av-pair
Value(s): shell:tasks="#<role-name>,<permission>:<process>"
Usage:Set the values of<role-name>to the name of a role locally defined on the router. The role hierarchy can be described in terms of a tree, where the role#rootis at the top of the tree, and the role#leafadds additional commands. These two roles can be combined and passed back if:shell:tasks="#root,#leaf".
Permissions can also be passed back on an individual process basis, so that a user can be granted read, write, and execute privileges for certain processes. For example, in order to grant a user read and write privileges for the BGP process, set the value to:shell:tasks="#root,rw:bgp". The order of the attributes does not matter; the result is the same whether the value is set toshell:tasks="#root,rw:bgp"or toshell:tasks="rw:bgp,#root".
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Cisco | cisco-av-pair | String | shell:tasks="#root,#leaf,rwx:bgp,r:ospf" |
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s):cisco-av-pair
Value(s):shell:priv-lvl=<level>
Usage:Set the values of<level>to the numbers which are basically the number of privileges to be sent. Typically, if 15 is sent, it means read-write, if 7 is sent it means read-only.
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Cisco | cisco-av-pair | String | shell:priv-lvl=15 |
Attribute(s):Packeteer-AVPair
Value(s):access=<level>
Usage:<level>is the level of access to grant. Touch access is equivalent to read-write, while look access is equivalent to read-only.
Create a Dictionary as shown in this document with these values:
Enter the details of the attribute:
Example: Add the Attribute to an Authorization Profile (for read-only access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Packeteer | Packeteer-AVPair | String | access=look |
Example: Add the Attribute to an Authorization Profile (for read-write access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Packeteer | Packeteer-AVPair | String | access=touch |
Attribute(s): Blue-Coat-Authorization
Value(s): <level>
Usage:<level>is the level of access to grant. 0 means no access, 1 means read-only access while 2 means read-write access. Blue-Coat-Authorization attribute is the one responsible for the level of access.
Create a Dictionary as shown in this document with these values:
Enter the details of the attribute:
Enter the details of the second attribute:
Example: Add the Attribute to an Authorization Profile (for no access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-BlueCoat | Blue-Coat-Group | UINT32 | 0 |
Example: Add the Attribute to an Authorization Profile (for read-only access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-BlueCoat | Blue-Coat-Group | UINT32 | 1 |
Example: Add the Attribute to an Authorization Profile (for read-write access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-BlueCoat | Blue-Coat-Group | UINT32 | 2 |
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s): Tunnel-Private-Group-ID
Value(s):U:<VLAN1>; T:<VLAN2>
Usage:Set<VLAN1>to the value of the data VLAN. Set<VLAN2>to the value of the voice VLAN. In this example, the data VLAN is VLAN 10, and the voice VLAN is VLAN 21.
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-IETF | Tunnel-Private-Group-ID | Tagged String | U:10;T:21 |
Attribute(s):Infoblox-Group-Info
Value(s):<group-name>
Usage:<group-name>is the name of the group with the privileges that the user is granted. This group must be configured on the Infoblox device. In this configuration example, the group name is MyGroup.
Create a Dictionary as shown in this document with these values:
Enter the details of the attribute:
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Infoblox | Infoblox-Group-Info | String | MyGroup |
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s):cisco-av-pair
Value(s): Class–[25]=<role>
Usage:Set the values of<role>to the names of roles locally defined on the FMC. Create multiple roles such as admin and read-only user on the FMC and assign the values to the attributes on ISE to be received by the FMC likewise.
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Cisco | cisco-av-pair | String | Class–[25]=NetAdmins |
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s):cisco-av-pair
Value(s):shell:roles="<role1> <role2>"
Usage:Set the values of<role1>and<role2>to the names of roles locally defined on the switch. When multiple roles are created, separate them with a space character. When multiple roles are passed back from the AAA server to the Nexus switch, the result is that the user has access to commands defined by the union of all three roles.
The built-in roles are defined inConfigure User Accounts and RBAC.
Example: Add the Attribute to an Authorization Profile.
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-Cisco | cisco-av-pair | String | shell:roles="network-admin vdc-admin vdc-operator" |
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s):Service-Type
Value(s):Administrative (6) / NAS-Prompt (7)
Usage:In order to grant the user read/write access to the Wireless LAN Controller (WLC), the value must be Administrative; for read-only access, the value must be NAS-Prompt.
For details, seeRADIUS Server Authentication of Management Users on Wireless LAN Controller (WLC) Configuration Example
Example: Add the Attribute to an Authorization Profile (for read-only access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-IETF | Service-Type | Enumeration | NAS-Prompt |
Example: Add the Attribute to an Authorization Profile (for read-write access).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-IETF | Service-Type | Enumeration | Administrative |
DCNM must be restarted after the authentication method is changed. Otherwise, it can assign network-operator privilege instead of network-admin.
Separate dictionary and VSAs need not be created for this as it uses RADIUS attributes that are already present on ISE.
Attribute(s):cisco-av-pair
Value(s):shell:roles=<role>
DCNM Role | RADIUS Cisco-AV-Pair |
---|---|
User | shell:roles = "network-operator" |
Administrator | shell:roles = "network-admin" |
Attribute(s): ACL-Auth-Level
Value(s): ACL-Auth-Level = "<integer>"
Usage:<integer>is the level of access to grant. A value of ACL-Auth-Level attribute with name ACL-Auth-UserLevel of 50 for the user, a value of ACL-Auth-Level attribute with name ACL-Auth-AdminLevel of value100 for admin and value of ACL-Auth-Level with name ACL-Auth-SecurityAdminLevel of value 200 for security admin. The names can be skipped and the values for attributes can be given directly as value for the authorization profile advanced AV pair.
Create a Dictionary as shown in this document with these values:
Enter the details of the attribute:
Example: Add the Attribute to an Authorization Profile (for user).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-AudioCodes | ACL-Auth-Level | Integer | 50 |
Example: Add the Attribute to an Authorization Profile (for admin).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-AudioCodes | ACL-Auth-Level | Integer | 100 |
Example: Add the Attribute to an Authorization Profile (for security admin).
Dictionary Type | RADIUS Attribute | Attribute Type | Attribute Value |
---|---|---|---|
RADIUS-AudioCodes | ACL-Auth-Level | Integer | 200 |
Revision | Publish Date | Comments |
---|---|---|
3.0 |
24-Oct-2022 |
Recertification. |
2.0 |
24-Oct-2022 |
Updated technical content to make it current.
Updated formatting, legal disclaimer, alt tags, gerunds, machine translation, style requirements. |
1.0 |
15-May-2020 |
Initial Release |