Cisco ISE AAA configuration for VTY logins

Switch configuration ( 3750X – IOS 15.0(1)SE3 )

username admin secret pa55w0rd 
aaa new-model
aaa group server radius radius-ise-group
 server name radius-ise
aaa authentication login default none
aaa authentication login VTY_authen group radius-ise-group local
aaa authorization exec default none
aaa authorization exec VTY_author group radius-ise-group local
aaa accounting exec default start-stop group radius-ise-group
radius server radius-ise 
 address ipv4 auth-port 1812 acct-port 1813 
 key Rad1u5 
line vty 0 15
  authorization exec VTY_author
  login authentication VTY_authen
  • username admin secret pa55w0rd – fallback user account for use in the event of RADIUS failing
  • aaa new-model – enables the AAA command options
  • aaa authentication login default none – configures the default login method list as ‘none’ (no authentication). This list applies to the console by default, because the console line does not reference a named list
  • aaa authentication login VTY_authen group radius-ise-group local – creates the authentication list ‘VTY_authen’, which tries the RADIUS group ‘radius-ise-group’ first and uses ‘local’ (see the first username command) as a secondary fallback
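
The method-list behaviour described in the bullets above, as an added example (not part of the original post): a small Python check that resolves which login list each line uses and flags lists that start with or fall through to ‘none’, or that have no local fallback. The ‘line con 0’ stanza in the sample and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the AAA lines from the switch configuration above, plus an
# assumed "line con 0" stanza so the effect of the default list is visible.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login VTY_authen group radius-ise-group local
line con 0
line vty 0 15
  authorization exec VTY_author
  login authentication VTY_authen
"""

def login_lists(config):
    """Map each login list name to its ordered methods ('group <name>' is one method)."""
    found = re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M)
    return {name: re.findall(r"group \S+|\S+", rest) for name, rest in found}

def line_lists(config):
    """Map each 'line ...' stanza to the login list it uses ('default' if unset)."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            result[current] = "default"
        elif current and raw[:1].isspace():
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                result[current] = m.group(1)
        else:
            current = None
    return result

def audit(config):
    """Return {line: (methods, findings)} for every line stanza in the config."""
    lists, report = login_lists(config), {}
    for line, name in line_lists(config).items():
        methods, findings = lists.get(name), []
        if methods is None:
            findings.append(f"method list '{name}' is not defined")
        elif methods[0] == "none":
            findings.append("no authentication on this line")
        elif "none" in methods:
            findings.append("falls through to no authentication on server error")
        elif methods[0].startswith("group ") and "local" not in methods:
            findings.append("no local fallback if the RADIUS group is unreachable")
        report[line] = (methods, findings)
    return report
```

Calling audit(SAMPLE_CONFIG) reports the console line as unauthenticated and the VTY lines as clean, which matches the configuration as written.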

Cisco ISE – create the various smaller objects

Administration -> Network Resources -> Network Device Groups: Groups -> All Device Types

Create a network device group for participating switches.

Administration -> Network Resources -> Network Devices

Each device that uses ISE for AAA must be defined here. The password entered under ‘Authentication Settings’ must be the same RADIUS key that was used in the switch configuration.

Policy -> Policy Elements -> Results : Authorization -> Authorization Profiles

Define the RADIUS AV-pair attributes that will be sent to the AAA client initiating the authorization request. We will define the standard ‘Radius:Service-Type’ attribute and also the Cisco-specific ‘Cisco:cisco-av-pair’ attribute, which determines the privilege level granted to the user.
Create two authorization profiles, ‘Shell_priv_15’ and ‘Shell_priv_7’, with the cisco-av-pair attribute set to ‘shell:priv-lvl=15’ and ‘shell:priv-lvl=7’ respectively.

Policy -> Policy Elements -> Results : Authentication -> Allowed Protocols

When using RADIUS, the NAS sends the Access-Request packet with a PAP-encoded password by default when connections originate from the Console, VTY and AUX lines. There is no command in IOS to change the authentication protocol used for these logins.
We can use this fact to create a protocol filter ‘PAP-only’ which will accept only PAP/ASCII packets.

Administration -> Identity Management -> Groups

Create two user groups ‘CLI-users-15’ and ‘CLI-users-7’.

Administration -> Identity Management -> Identities : Users

Create user accounts for individuals requiring VTY access to the ‘Cisco managed-switches’ group. Ensure that each user is a member of the correct user group.

Cisco ISE – Creating the AAA policies

Policy -> Authorization

Create two policies (‘CLI-access-15’ and ‘CLI-access-7’) which tie together User Groups and Authorization Profiles.

Policy -> Authentication

Finally create an authentication policy which pulls together all the policies and objects we have created. The conditions specified are self-explanatory, but it is worth noting the use of ‘Internal users’. This directs the policy to use the internal ISE database instead of other external identity sources such as Active Directory.

Cisco ISE – Validation

Operations -> Authentications
