https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055424#M559263 <P>Hello Thomos,</P><P>&nbsp;</P><P>Thanks for your revert.</P><P>&nbsp;</P><P>Yes totally agree with you but what is cisco recommedation ?? Which method is better &amp; Why. if you share some document then that will be great ..1.Integrate external radius server with ISE or 2. Direclty integrate AD to ISE ??&nbsp;</P><P>&nbsp;</P><P>And also, can we configure&nbsp;<SPAN>NPS server to return specific AD group in radius attibute to ISE server ??</SPAN></P><P><SPAN>so if i need only read-only users group from AD then is it possible to fetch from NPS server ??</SPAN></P> Mon, 30 Mar 2020 18:44:39 GMT siddhesh.parab@orange.com1 2020-03-30T18:44:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055369#M559258 <P>Hello Team,</P><P>&nbsp;</P><P>Customer wants to integrate ISE with external radius server rather than AD directly. However they also need to implement TACACS features.</P><P>&nbsp;</P><P>So my understanding is ....&nbsp; &nbsp; &nbsp;user ------&gt; ISE server -----&gt; external radius server (microsoft NPS)-------&gt;AD</P><P>&nbsp;</P><P>I have below queries:-</P><P>1. Since in TACACS configuration, as per my understanding to gain access of any network device we need to define AD group in authorization condition. so that only perticuler AD group can execute set of commands but in case if we use external radius server then is it possible to call perticuler AD group in TACACS authorization policy ?? or in that case AD integration is complusory ??</P><P>&nbsp;</P><P>Thanks in advance.</P><P>Your help is highly&nbsp;appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 30 Mar 2020 17:52:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055369#M559258 siddhesh.parab@orange.com1 2020-03-30T17:52:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055409#M559261 <P>User --&gt; NetworkDevice --&gt; ISE --&gt; external radius server (NPS) --&gt; AD</P> <P>&nbsp;</P> <P>The rule with AD is typically like this below with AD. However with the proxy to NPS it probably depends on what the NPS server returns to ISE in the form of RADIUS attributes.</P> <P>&nbsp;</P> <P>TACACS Authorization Rule:</P> <TABLE style="border-collapse: collapse; font-size: .8em;" cellspacing="0" cellpadding="1" border="1"> <THEAD> <TR> <TH>Status</TH> <TH>Rule Name</TH> <TH>Conditions</TH> <TH>Command Sets</TH> <TH>Shell Profiles</TH> <TH>Hits</TH> <TH>Actions</TH> </TR> </THEAD> <TBODY> <TR> <TD style="text-align: center;"><SPAN style="font-size: 1.5em; color: #6cc04a;">✔</SPAN></TD> <TD>NetAdmin</TD> <TD> <TABLE style="border-style: hidden; margin: 0.2em;"> <TBODY> <TR> <TD>AND</TD> <TD><EM>subdomain.domain.com</EM>:ExternalGroups EQUALS <EM>subdomain.domain.com</EM>/Users/Domain Users</TD> </TR> </TBODY> </TABLE> </TD> <TD>PermitAccess</TD> <TD>&nbsp;</TD> <TD style="text-align: right;"><SPAN style="color: #00ccff;">0</SPAN></TD> <TD style="font-size: 1.5em; text-align: center;">⚙</TD> </TR> </TBODY> </TABLE> Mon, 30 Mar 2020 18:30:14 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055409#M559261 thomas 2020-03-30T18:30:14Z https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055424#M559263 <P>Hello Thomos,</P><P>&nbsp;</P><P>Thanks for your revert.</P><P>&nbsp;</P><P>Yes totally agree with you but what is cisco recommedation ?? Which method is better &amp; Why. if you share some document then that will be great ..1.Integrate external radius server with ISE or 2. Direclty integrate AD to ISE ??&nbsp;</P><P>&nbsp;</P><P>And also, can we configure&nbsp;<SPAN>NPS server to return specific AD group in radius attibute to ISE server ??</SPAN></P><P><SPAN>so if i need only read-only users group from AD then is it possible to fetch from NPS server ??</SPAN></P> Mon, 30 Mar 2020 18:44:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4055424#M559263 siddhesh.parab@orange.com1 2020-03-30T18:44:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4057252#M559346 <P>Integrating directly with AD is much preferred to get the exact groups and attributes you want. 95% of customers do this. For gory details, see <A href="https://www.ciscolive.com/global/on-demand-library.html?search=ise%20active%20directory#/session/14525434149870017MRf" target="_self">What's new in ISE Active Directory connector - BRKSEC-2132</A></P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P>I did a basic <A href="https://duckduckgo.com/?t=ffab&amp;q=ise+radius+proxy+to+nps" target="_self">internet search</A> and found this as the #1 hit :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html" rel="noopener" target="_blank">Configure External RADIUS Servers on ISE - Cisco</A></P> <P>Please consult the NPS documentation for what NPS can do with your version of Windows.</P> <P>&nbsp;</P> Thu, 02 Apr 2020 00:48:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-external-radius-server/m-p/4057252#M559346 thomas 2020-04-02T00:48:13Z