12-13-2018 09:29 PM
Hi Guys,
My customer wants to integrate ISE with an existing ACS for role-based access control (Admin, Support, etc.). I don't see a way to do such a thing, because there is no AV-Pair which can do ISE access control with ACS; however, I still want to hear if anyone has come across such a requirement.
12-14-2018 05:15 AM
12-16-2018 05:39 PM
If I understood it correctly, ISE may use ACS as a RADIUS token server and use that as the authentication source for ISE admin users for ISE admin web portal. However, ISE needs internal shadow admin users defined and associated with the desired admin groups, because ISE performs external authentication but internal authorization for such use case. See Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization
12-22-2018 07:49 AM
For ISE 2.4 and above (I'm not familiar with older versions):
When creating external admin groups, you just point your custom group at the external identity group of your choice and it dynamically checks it via Kerberos/LDAPS with each authentication. You don't need to create a shadow admin user.
12-22-2018 10:57 AM
Nadav is correct regarding AD/LDAP/ODBC ID sources for external admins. However, RSA or other RADIUS token servers (ACS in this case) are treated differently and require internal admin users shadowing the same usernames and assigned to the desired admin user groups in order to authorize appropriately.
12-22-2018 11:22 AM
Any reason why not just duplicate the administration policy from ACS into ISE? ACS is deprecated after all, it shouldn't become a dependency for an ISE deployment.
Is it a cross-domain issue?
12-22-2018 08:33 PM
Not sure. It could be not knowing the passwords of all the admin users.
12-23-2018 04:12 AM
Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.
04-10-2020 02:05 PM
Hi Jatiwari
Can you please confirm the steps you took to make this integration with ACS for Admin access to ISE configuration? We have a similar requirement.
@Jay Tiwari wrote: Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.