In this post, I’m going to show you how to assign privilege level 15 with Cisco ISE through RADIUS.

In addition, there are some other configuration required to be applied on the network devices themselves mainly to enable AAA and RADIUS authentication and authorisation. We will go only through the most relevant configuration parts in this post.

Let’s get started with ISE configuration. First we will create a new authorisation profile and we will call it R1_PRIV_15. The option we are after is called Web Authentication (Local Web Auth). This option allows ISE to push Cisco AV Pair attribute priv-lvl=15 inside the RADIUS packets to the network device:

Let’s enable this option, and verify what attributes will be associated with it:

As we can see, by enabling the Web Authentication (Local Web Auth) option we can see the Cisco AV Pair attribute priv-lvl=15 in the attributes details section.

ADD the NETWORK DEVICE

Now let’s create a network device and configure its Device Type as IOS. The Device Type will be used in the top conditions on the policy set, we will see this later. We are going to call the network device Router-01:

JOIN ISE TO THE AD

Now let’s make sure we have the AD group LabAdmins already added:

As we can see the last group on the list is the LabAdmins group.

ISE POLICY SET

Now let’s create a new policy set and call it ADMIN_ACCESS_PRIV_15. As mentioned above this policy set will have some conditions on the top to match the traffic coming from the network device Router-01. The conditions are the Device Type which we configured as IOS, the RADIUS NAS Port Type which is Virtual in this case, and the RADIUS Service Type which is Login.

All these conditions should match for any SSH connection to Router-01. The point here is to make the policy set as much accurate as possible to match the exact traffic that should be served by itself. In the authentication section we will configure the authentication against the AD which is already joined to ISE.

And finally in the authorisation section we will configure a rule with a condition to check if the users are located in the AD group LabAdmins, if so, then the authorisation profile we created earlier which is called R1_PRIV_15 will be applied, instead if no match, the default authorisation rule will be applied which will deny accesses:

ROUTER RADIUS CONFIGURATION

Now that we have applied all the required configuration on ISE, let’s move on and apply the required configuration on the Router-01. Mainly what we need is to enable AAA, configure the RADIUS authentication and authorisation, associating AAA authentication and authorisation method lists to the VTY lines, and restricting the accesses to the VTY lines for SSH only:

One thing worth mentioning here is that if we want to use the RADIUS Service Type in our conditions on ISE, then we need to enable radius-server attribute 6 on-for-login-auth, if not the RADIUS Service Type would be ignored in the RADIUS packets.

VERIFICATION

All the required configurations are now in place. Let’s do some tests by initiating SSH connection from the client, and trying to connect to the router with the admin1 username which is located in the AD group LabAdmins:

As we can see, we have successfully logged into the router, and we have been straightaway placed into privilege level 15. We can verify that by looking at the # symbol or by using the command show privilege. We can also verify the connected username by using the command show users:

Finally, let’s look at RADIUS debugs and see what are the most relevant attributes for our SSH connection that have been exchanged between Router-01 and ISE:

This wraps up this Privilege Level 15 with Cisco ISE post. I hope you enjoyed it, and as always, I would love to hear your feedback. Thanks for reading!