https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/4131332#M562149 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/192011">@paul</a>&nbsp;, just to have a follow up question.</P><P>If I use RADIUS Token Server for the integration of my ISE, do I need to configure the username stored locally in ISE database? What I noticed in my client's setup is that they configured their own local username (same username as in their 2FA server) stored in the ISE local DB.</P><P>How can I setup ISE so that my users can authenticate (username and passcode) directly to the 2FA? Do I need to integrate my 2FA as RADIUS Token or External RADIUS Server?</P><P>Thanks</P> Thu, 06 Aug 2020 09:54:20 GMT fatalXerror 2020-08-06T09:54:20Z https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/3735566#M488912 <P>What are the differences when configuring Radius with ISE between defining a "radius token" or "external radius server"?</P> Tue, 30 Oct 2018 12:47:55 GMT https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/3735566#M488912 Steven Williams 2018-10-30T12:47:55Z https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/3735589#M488914 <P>RADIUS token server is used when you only really need an accept/reject back from the external RADIUS server.&nbsp; You can map one attribute coming back from the RADIUS server to a AV pair value if needed.&nbsp; The RADIUS token is treated like another identity store and can be used on its own or in a sequence.</P> <P>&nbsp;</P> <P>The RADIUS radius server is a full proxied RADIUS setup where all attributes from the external RADIUS server are passed back and accepted by ISE and in turn passed back to the NAD.&nbsp;</P> <P>&nbsp;</P> <P>I typically use the RADIUS token server definition for most of my external RADIUS setups to keep things simple unless I need AV pairs from the external RADIUS server.</P> Tue, 30 Oct 2018 13:21:33 GMT https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/3735589#M488914 paul 2018-10-30T13:21:33Z https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/4131332#M562149 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/192011">@paul</a>&nbsp;, just to have a follow up question.</P><P>If I use RADIUS Token Server for the integration of my ISE, do I need to configure the username stored locally in ISE database? What I noticed in my client's setup is that they configured their own local username (same username as in their 2FA server) stored in the ISE local DB.</P><P>How can I setup ISE so that my users can authenticate (username and passcode) directly to the 2FA? Do I need to integrate my 2FA as RADIUS Token or External RADIUS Server?</P><P>Thanks</P> Thu, 06 Aug 2020 09:54:20 GMT https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/4131332#M562149 fatalXerror 2020-08-06T09:54:20Z https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/4131543#M562164 <P>You can setup your network devices to point directly at the 2FA solution for authentication and point to ISE for authorization.&nbsp; In your ISE policy set you can set the authentication to go against the Internal User Database and set the "User not Found" condition to Continue.&nbsp; This allows you to essentially bypass authentication in ISE and perform authorization functions.&nbsp; There is no need to have any local usernames in the ISE database.</P> Thu, 06 Aug 2020 16:22:12 GMT https://community.cisco.com/t5/network-access-control/radius-token-vs-external-radius-server-differences/m-p/4131543#M562164 paul 2020-08-06T16:22:12Z