<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic External RADIUS Server Sequence Fallback RADIUS-Reject Design Qs in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/external-radius-server-sequence-fallback-radius-reject-design-qs/m-p/3796942#M485372</link>
    <description>&lt;P&gt;Hi team,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am having a hard time solving a design issue. There are two companies that have a direct connection between them, and from time to time employees move between the companies. Both companies are using ISE and have their ADs; wired/wireless NAC is also in place. The request is for User A from Company A to be able to authenticate with his credentials on Company B's NADs, and the same the other way. I am trying to understand the possibility of using an External RADIUS Server, as they don't want to have Multi-AD integration. If I create a rule with a RADIUS Sequence, as far as I understand from the document, it will try the first ISE, then if it doesn't receive a response, it will move on to the next one. But how about the RADIUS-Reject scenario? Do we try each RADIUS server until we get a RADIUS-Accept or run out of RADIUS servers, or do we stop the process completely the first time we receive a RADIUS-Reject? Or how can I achieve granularity in the Authentication Policy based on the company that the user belongs to?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any response or guidance will be much appreciated!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;BR /&gt;Efe&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 07 Feb 2019 15:55:57 GMT</pubDate>
    <dc:creator>hevyapan</dc:creator>
    <dc:date>2019-02-07T15:55:57Z</dc:date>
    <item>
      <title>External RADIUS Server Sequence Fallback RADIUS-Reject Design Qs</title>
      <link>https://community.cisco.com/t5/network-access-control/external-radius-server-sequence-fallback-radius-reject-design-qs/m-p/3796942#M485372</link>
      <description>&lt;P&gt;Hi team,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am having a hard time solving a design issue. There are two companies that have a direct connection between them, and from time to time employees move between the companies. Both companies are using ISE and have their ADs; wired/wireless NAC is also in place. The request is for User A from Company A to be able to authenticate with his credentials on Company B's NADs, and the same the other way. I am trying to understand the possibility of using an External RADIUS Server, as they don't want to have Multi-AD integration. If I create a rule with a RADIUS Sequence, as far as I understand from the document, it will try the first ISE, then if it doesn't receive a response, it will move on to the next one. But how about the RADIUS-Reject scenario? Do we try each RADIUS server until we get a RADIUS-Accept or run out of RADIUS servers, or do we stop the process completely the first time we receive a RADIUS-Reject? Or how can I achieve granularity in the Authentication Policy based on the company that the user belongs to?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any response or guidance will be much appreciated!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;BR /&gt;Efe&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Feb 2019 15:55:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/external-radius-server-sequence-fallback-radius-reject-design-qs/m-p/3796942#M485372</guid>
      <dc:creator>hevyapan</dc:creator>
      <dc:date>2019-02-07T15:55:57Z</dc:date>
    </item>
    <item>
      <title>Re: External RADIUS Server Sequence Fallback RADIUS-Reject Design Qs</title>
      <link>https://community.cisco.com/t5/network-access-control/external-radius-server-sequence-fallback-radius-reject-design-qs/m-p/3796949#M485374</link>
      <description>&lt;P&gt;I would do the following:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Company A defines Company B's ISE PSNs as an external RADIUS token server in their ISE deployment.&lt;/LI&gt;
&lt;LI&gt;Company A defines an identity source sequence that checks Company A AD, then Company B external RADIUS server.&lt;/LI&gt;
&lt;LI&gt;Company B does the reverse of that.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The only danger in that setup is if an AD account with the exact same name exists in Company A AD for a Company B user, but hopefully that risk should be minimal.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Feb 2019 16:00:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/external-radius-server-sequence-fallback-radius-reject-design-qs/m-p/3796949#M485374</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-02-07T16:00:53Z</dc:date>
    </item>
  </channel>
</rss>

