topic Re: Authenticate users in my python application using RADIUS on Cisco in Network Access Control

Authenticate users in my python application using RADIUS on Cisco ISE

jesse.vdk — Tue, 23 Nov 2021 15:31:42 GMT

Hello,

I'm working on a project where I need to authenticate and authorize users in my python application.

I want to use Cisco ISE as my Radius server, but I can't get it to work.

Does anyone know a good tutorial or know if its even possible.

Using LDAP+ is not a option because I don't have the right license.

Greetings,
Jesse

Re: Authenticate users in my python application using RADIUS on Cisco

balaji.bandi — Tue, 23 Nov 2021 16:50:30 GMT

is this to log in to the device? using Radius? can show us the code and what is not working?

Re: Authenticate users in my python application using RADIUS on Cisco

jesse.vdk — Tue, 23 Nov 2021 18:09:44 GMT

Hi @balaji.bandi,

I want to make the Cisco ISE server a radius server,

My Python application now it running on local accounts but I want to change that so that it uses the Cisco ISE accounts for to authenticate and authorize users.

My code is just simple for now:

import radius

radius.authenticate(username, password, secret, host='ISE server', port=1812)

I just don't seem to get the right Radius configuration on ISE.

Thanks for your help already 🙂

Greetings,
Jesse

Re: Authenticate users in my python application using RADIUS on Cisco

balaji.bandi — Tue, 23 Nov 2021 20:11:39 GMT

what is the use case here? is your Python device running is in ISE?

Let me clarify this again, is this script run against devices ? using Radius authentication, then you do not need to get connected to ISE

when you connect the device, does the device automatically requests with ISE for the AAA information?

or am I missing something here?

Re: Authenticate users in my python application using RADIUS on Cisco

jesse.vdk — Tue, 23 Nov 2021 21:15:04 GMT

Hey @balaji.bandi ,

For my internship I am creating a web portal where people can manage there own identity groups.

The portal talks to ise server using a REST api.

The script/portal is running on a Ubuntu machine and only talks to people using http and talks to ISE server using Rest API / Radius.

On the web portal people can log in using accounts from the ISE server.

The reason I want this is so that I don't have to use local accounts on my Ubuntu machine.

I hope this helps to clarify things.

Thank you so much already 🙂

Greetings Jesse

Re: Authenticate users in my python application using RADIUS on Cisco

Greg Gibbs — Tue, 23 Nov 2021 23:31:55 GMT

What part is not working? Is your code not generating RADIUS requests to send to ISE? Is it generating RADIUS traffic, but you're seeing specific errors in ISE?

If you're not doing so, you would likely need to use a python module like pyrad, that can build and decode the RADIUS requests/responses. You would then need to add your Ubuntu box as a Network Device in ISE and specify the shared secret. The requests would likely use PAP, so you would need to build the AuthC/AuthZ policies appropriately to check against either an external Identity Store (AD, LDAP) or the internal ISE user store.

Re: Authenticate users in my python application using RADIUS on Cisco

jesse.vdk — Wed, 24 Nov 2021 12:01:35 GMT

Hi @Greg Gibbs ,

The code is generating traffic, but its getting no response.

The reason for that is that I don't really know what settings I need to enable in ISE to enable radius.

I followed this guide to implement Radius: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215525-use-radius-for-device-administration-wit.html
But when I am implementing it, it feels like I'm taking way more steps then needed. And it feels like this guide is not trying to accomplish the same goal as me.

I tried searching for other guides that try to accomplish the same goal but I only found one for LDAP (I can't use this because I don't have the right license). https://dev.to/enmedina/authenticate-and-authorize-users-in-your-application-using-tacacs-with-cisco-ise-1o71

Do you know what settings I need to enable for radius?

Thank you.

Greetings, Jesse

Re: Authenticate users in my python application using RADIUS on Cisco

Greg Gibbs — Wed, 24 Nov 2021 22:43:30 GMT

That is a very generic question and we couldn't possibly teach someone how ISE works in a single community post. Here are some salient points.

ISE will listen for RADIUS traffic as longs as the node has the PSN persona enabled and a Base/Essentials license.

For your use case, I would take the following steps from a base ISE build:

Create a new Network Device Group (Python App) for the Ubuntu server(s)
Add the Ubuntu python box(es) as Network Devices and assign them to the NDG
Create a User Identity Group (Python_App_Users) and internal users as members
Create an Allowed Protocols list that uses only PAP/ASCII
Create an AuthZ Profile (AuthZ-Python-App) that returns an ACCESS_ACCEPT
Create a Policy Set, AuthC Policy, and AuthZ Policy to use those elements

For more details on these aspects, see the various resources in the Learn section of the Community.

Re: Authenticate users in my python application using RADIUS on Cisco

jesse.vdk — Thu, 25 Nov 2021 14:40:13 GMT

Hi @Greg Gibbs ,

Thank you so much.
This is really helpful because now I know what steps to take 😄

Greetings,

Jesse