topic Re: ISE admin access, authentication against external radius in Network Access Control

ISE admin access, authentication against external radius

Giuliano Gerardi — Mon, 11 Mar 2019 03:15:56 GMT

Please don't ask me why,

the customer insists and wants to be authenticated on ise (as admin) against an external (microsoft) radius server

is it possible while retaining internal admin users database in a sequence Internal>external_radius or internal>AD ?

thank you in advance for whatever may help

ISE admin access, authentication against external radius

Andrew Phirsov — Tue, 02 Apr 2013 13:03:46 GMT

As i can see on the administration/admin access page, under authentication there's an option to choose an Identity store but there's no option to coose an Identity source sequence. So, as far as i understand (never tried it myself) it's possible to use radius-server for admin authentication, but not possible to use sequential order of identity sources.

ISE admin access, authentication against external radius

jrabinow — Tue, 02 Apr 2013 20:55:33 GMT

The way it works is that can choose to select an external database as the source for administrator authentication. Then when login to the ISE application can select to either authenticate against the internal or configured external database.

Internal database is always available as a fallback in case communication to the external database is not available

When external database is used, either LDAP or AD, further configure mapping between groups and the defined roles in ISE

ISE admin access, authentication against external radius

Andrew Phirsov — Wed, 03 Apr 2013 06:03:17 GMT

Good to know. That makes sense.

ISE admin access, authentication against external radius

bhthapa — Thu, 04 Apr 2013 16:10:00 GMT

For this you can Integrating Cisco ISE with Active Directory.

For more details and assistance you can refer

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.html

If there is a firewall between Cisco ISE and AD, these ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are

open:

Protocol Port Number

LDAP 389 (UDP)

SMB1 445 (TCP)

KDC2 88 (TCP)

Global Catalog 3268 (TCP), 3269

KPASS 464 (TCP)

NTP 123 (UDP)

LDAP 389 (TCP)

LDAPS3 636 (TCP)

Re: ISE admin access, authentication against external radius

jorge-mora — Wed, 17 Apr 2013 22:57:55 GMT

Here's how I did it:

Step 1) Link ISE to AD

Step 2) Import AD groups (at least the ones used for admin access)

Step 3) Enable AD external identity source for admin authentication

Step 4) Create an external admin group on ISE admin groups and link it to the corresponding external AD group. If the previous step is not done, the list won’t be populated! I learnt the hard way…

Step 5) Create an admin policy where you assign permissions to the new group (in this case, super admin permissions are assigned)

Step 6) Once you save your policies (it can take a couple or minutes or more) you can log in using your AD credentials.

Result:

I hope this is useful for everyone!

Re: ISE admin access, authentication against external radius

Giuliano Gerardi — Thu, 18 Apr 2013 07:19:41 GMT

thank you for the detailed instructions

Correct me if i am wrong, but

jsteffensen — Thu, 15 Jan 2015 08:57:13 GMT

Correct me if i am wrong, but the solution decribes how to Authentication ageinst external AD and not against a external RADIUS server...

Does anyon know how to authenticate agains an external RADIUS Server, and what Radius Attributes this can/mus/should send to diferentiate the dfferent administrator groups?

Best Regards

According to Cisco:External

jsteffensen — Thu, 15 Jan 2015 09:40:39 GMT

According to Cisco:

External Authentication AND external Authorisation for Admin acces son the ISE can only be done by using LDAP or AD.

For Radius Servers there are a solution for external Authentication and internal Authorisation on the ise:

External Authentication + Internal Authorization

When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:

You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.

To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

The Administrators window appears, listing all existing locally defined administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.

Step 3 Click Save .