External RADIUS attribute

blandrum — Fri, 08 Feb 2019 17:12:31 GMT

We have a custom build of FreeRADIUS that does some unique username based hashing for VLAN assignment. I'd like to be able to utilize ISE as the authentication and authorization server, but have it send the username to an external RADIUS server, then "consume" the VLAN ID sent from that external server and send it as a CoA to the NAD. Is this possible?

Re: External RADIUS attribute

paul — Fri, 08 Feb 2019 19:47:26 GMT

If you define it as an External RADIUS server then you should be able to consume attributes sent from the the RADIUS server in the authorization phase. Based on those authorization phase matches you should be able to set a VLAN assignment. It wouldn't be a CoA, it would be part of the initial authentication/authorization. In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy".

I haven't tested this, but in theory that is how it is supposed to work.

topic Re: External RADIUS attribute in Network Access Control

External RADIUS attribute

Re: External RADIUS attribute