topic Re: Authorization policy of External Radius Server in Network Access Control

Authorization policy of External Radius Server

etzhou — Fri, 29 Dec 2017 10:27:24 GMT

There is " On access-accept, continue to Authorization Policy" in advanced attribute of external radius server. But where we can define authorization policy of external radius server?

There is no authorization policy in policy set.

Re: Authorization policy of External Radius Server

ognyan.totev — Fri, 29 Dec 2017 11:53:09 GMT

Hi,this is what i found :

The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name.

rule1-authen - wired 802.1x / wifi 802.1x - external radius sequence.

authorization policy

rule1-author - human_resources_Group / and profilling (windows) / posture / acl permit all

Re: Authorization policy of External Radius Server

etzhou — Fri, 29 Dec 2017 12:27:48 GMT

I am using ISE2.3. Where to define this authorization policy of this?

I use radius proxy as the allowed protocols/server sequences, there is no authorization policy I can choose in the policy set. As I see in the Radius live log, the default of authorization policy of this rule is used. But I can not see where to configure this default authz policy of this rule.

(If I use default network access as the allowed protocols/server sequences of the authentication policy rule, I can configure authorization policy I can choose in the policy set).

Re: Authorization policy of External Radius Server

ognyan.totev — Fri, 29 Dec 2017 12:30:41 GMT

It used default because there is no match of other rule . U must create it in policy sets. And if match it will used it.

Re: Authorization policy of External Radius Server

Jason Kunst — Fri, 29 Dec 2017 22:28:04 GMT

ISE only proxies Authentications to external servers

Authorization has to be done on ISE

Re: Authorization policy of External Radius Server

etzhou — Sat, 30 Dec 2017 00:23:29 GMT

Where to define in the authorization policy when the allowed protocol and server seqence is external radius?

In ISE2.3, You can not go in to this rule and define the authorization rule.

Re: Authorization policy of External Radius Server

Jason Kunst — Sat, 30 Dec 2017 00:48:16 GMT

Only authentication can be proxied

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100101.html#ID839

Re: Authorization policy of External Radius Server

etzhou — Sat, 30 Dec 2017 05:45:27 GMT

Not the Authentication. I need the authorization based on the attribute external radius returns.

There is no authorization configuration in the link.

Re: Authorization policy of External Radius Server

Craig Hyps — Sat, 30 Dec 2017 15:16:17 GMT

The two common types of integration with external RADIUS servers include:

RADIUS Proxy
RADIUS Token Server

In the case of Proxy, the RADIUS request is relayed to external RADIUS server where authentication is terminated and authorization returned, just as if communication was between NAD and external RADIUS server. Any authorization returned by external server can be relayed back to the NAD. Cisco ISE offers an enhancement to the flow to modify ingress or egress attributes, as well as process return request by ISE local policy. This is the "Continue to Authorization on Accept" checkbox. The selected policy rule set is that which matches the flow. So you have a choice to simply relay external RADIUS server attributes or augment them before sent to NAD.

In the case of Token, the external RADIUS server only serves as an external Identity store and can optionally return a SINGLE RADIUS attribute back to ISE, by default the CiscoSecure group attribute. Here ISE is the termination point for authentication and can leverage the external server for Token/OTP lookups, or even authorization (single attribute), but all authorization is processed by ISE local policy per the matching rule set.

If matching the wrong rule set, then need to modify Policy Set or auth policy conditions to ensure match to desired rule.

/Craig

Re: Authorization policy of External Radius Server

hslai — Mon, 01 Jan 2018 10:03:59 GMT

It looks like you hit CSCvg03448, which is currently being addressed in ISE 2.3 Patch 2.

Re: Authorization policy of External Radius Server

etzhou — Tue, 02 Jan 2018 04:14:37 GMT

Thanks a lot. Your help is great.

Re: Authorization policy of External Radius Server

REJR77 — Fri, 13 May 2022 15:07:59 GMT

Hi @Craig Hyps , you clearly described the feature. Meanwhile, I would like to understand how ISE can select the correct Authorization Policy when the "Continue to Authorization on Accept" is used.

Let's say we have 2 different endpoints that need to be authenticated with 802.1x with an external radius.

Eaxh endpint should get a different Authz profile from ISE when accepted.

What would be the conditions in the Authz Policy since ISE has not authenticated them (not in the Internal endpoint db, or in any identity store)?

Re: Authorization policy of External Radius Server

Marcelo Morais — Sat, 14 May 2022 04:16:24 GMT

Hi @REJR77 ,

some examples ... you are able to use AD.ExternalGroups or Cisco.cisco-av-pair.

Hope this helps !!!