topic Re: ISE 2.4 third party apps compatibility in Network Access Control

ISE 2.4 third party apps compatibility

alan.ramirez — Wed, 30 May 2018 23:01:43 GMT

Dear all

Doing some research I'm aware that the cisco ISE is able to use an external identity source (such as LDAP, ODBC etc) to validate information like a username and password provided by an end-user who tries to access the network. Is there a way to configure the ISE so it can validate itself (via local database) a username and password provided by a third party application?

More precisely what are the options (standards, protocols) ISE has to interact with third party applications in the way explained previously where the App is the one providing the ISE with the username and password and the ISE just has to validate that info against the local database? or is this not possible at all?

Thank you

Re: ISE 2.4 third party apps compatibility

Jason Kunst — Wed, 30 May 2018 23:14:44 GMT

I really don’t understand what you’re trying to accomplish

Perhaps you can explain another way

Re: ISE 2.4 third party apps compatibility

alan.ramirez — Thu, 31 May 2018 01:26:02 GMT

Sure, let's say we have users in a LAN that are trying to access an application from a third party vendor which is hosted in a server also in that LAN. What I want to know is if the following procedure can be done:

1.- Users try to access the application

2.- The application ask the user to provide a username and password

3.- The application receives the username and password provided by the user

4.- The application forwards this information to ISE

5.- ISE checks if the username and password exist in the ISE local database

6.- ISE communicates back to the application the validity of the info

7.- Application permits/denies access to the user

Is that better? as far as I know cisco ISE can authenticate users who want to gain access to the network through RADIUS or if users want to manage network devices such as switches, routers etc. ISE uses TACACS but I don't know if what i described on the seven steps is possible since the user is not trying to get access to the network nor the network devices. The users are trying to get access to an app instead

Re: ISE 2.4 third party apps compatibility

Jason Kunst — Thu, 31 May 2018 01:36:40 GMT

Sounds like you’re looking for an IAM Type of service

No ISE doesn’t provide that, we only communicate via radius and tacacs like you said, if the service can use that then it will work

Re: ISE 2.4 third party apps compatibility

Craig Hyps — Thu, 31 May 2018 18:18:43 GMT

The app could also use pxGrid or TrustSec to make decision on access based on its auth status or role assignment in ISE.