topic The bug was originally in Network Access Control

ISE Admin Access Authentication to RADIUS Token Server

Michael Langerreiter — Mon, 11 Mar 2019 03:35:04 GMT

Hi all!

I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.

Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?

Thanks in advance,

Michael Langerreiter

ISE Admin Access Authentication to RADIUS Token Server

Ravi Singh — Tue, 25 Jun 2013 08:52:03 GMT

Hello Michael,

As you are using external radius token server for ISE admin access authentication and Authorization, you need to create a admin group on radius server and assign the user to this group whom you want to give full permission. When they will be authenticated by ISE they will get full rights automatically

Hi Michael,Just wondering if

Vivek Ganapathi — Thu, 14 Aug 2014 05:46:31 GMT

Hi Michael,

Just wondering if you were successful to sort this out? I have a similar requirement to achieve. If you have sorted this out, please let me know what has to be done. I don't see any specific documents explaining this.

Regards

Vivek

Hi Michael You have to add

jsteffensen — Thu, 15 Jan 2015 09:47:09 GMT

Hi Michael

You have to add each and every ISE Admin-User locally, and specify the external Radius-Token users to be external.

You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Step 3 Click Save .

ISE 1.3 does have an bug:

jsteffensen — Thu, 15 Jan 2015 09:54:45 GMT

ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.

Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token

Last Modified

Nov 25, 2014

Product

Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.3(0.876)

Description (partial)

Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups

Conditions:
RBAC with shadow user & Radius token

View Bug Details in Bug Search Tool

Why Is Login Required?

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

The bug was originally

cciesec2011 — Thu, 15 Jan 2015 20:54:41 GMT

The bug was originally reported by me 🙂