topic ISE RADIUS Proxy - Authentication Policy in Network Access Control

ISE RADIUS Proxy - Authentication Policy

Krzysztof Grabowski — Mon, 15 Jul 2019 14:01:12 GMT

Hi Guys,

I wanted to confirm the purpose of "Authentication Policy" when RADIUS Proxy is enabled along with "On Access-Accept, continue to Authorization Policy". It is displayed and is configurable under Policy Set set for RADIUS Proxy with above option enabled.

I would expect authentication to be fully delegated to remote RADIUS server; then once RADIUS Access-Accept is received local authorization policy would be applied to add new attributes. Authentication Policy seems redundant here.

Can you please confirm if the Authentication Policy in such case is just a dummy or could actually be used for some advanced use-cases with double authentication/failover?

Cheers,
Chris

Re: ISE RADIUS Proxy - Authentication Policy

Surendra — Mon, 15 Jul 2019 14:50:59 GMT

Authentication policy is just there to direct the authentications to the external RADIUS server. More about External RADIUS servers here : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html

Re: ISE RADIUS Proxy - Authentication Policy

Krzysztof Grabowski — Mon, 15 Jul 2019 16:16:51 GMT

Hi Surendra,

Thanks for quick reply. In the RADIUS Proxy scenario the external RADIUS server (RADIUS Sequence) is configured on the Policy Set level in the "Allowed Protocols/Server Sequence" field. The Authentication Policy within the Policy set is not configured at all. The question is about the latter. I suspect the Authentication Policy is not evaluated by ISE in that scenario...

Cheers,
Chris

Re: ISE RADIUS Proxy - Authentication Policy

Krzysztof Grabowski — Tue, 16 Jul 2019 07:52:40 GMT

Thanks Surendra,

May we please sync-up offline regarding this question?

Cheers,
Chris