Integration of ISE to existing ACS for role based access (Admin, Support user etc) control

Jay Tiwari
Cisco Employee

Hi Guys,

My customer wants to integrate ISE to existing ACS for role based access (Admin, Support etc) control. Though I don't see the way to do such a thing because there is no AV-Pair which can do ISE access control with ACS, however, I still want to hear if anyone came across such a requirement.


8 Replies

Jason Kunst
Cisco Employee
I don’t understand the use case and need more details

ISE replaces ACS. ACS is going away.

hslai
Cisco Employee

If I understood it correctly, ISE may use ACS as a RADIUS token server and use that as the authentication source for ISE admin users for the ISE admin web portal. However, ISE needs internal shadow admin users defined and associated with the desired admin groups, because ISE performs external authentication but internal authorization for such a use case. See Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization.

For ISE 2.4 and above (I'm not familiar with older versions):

When creating external admin groups, you just point your custom group at the external identity group of your choice and it dynamically checks it via Kerberos/LDAPS with each authentication. You don't need to create a shadow admin user.

hslai
Cisco Employee

Nadav is correct regarding AD/LDAP/ODBC ID sources for external admins. However, RSA or other RADIUS token servers (ACS in this case) are treated differently and require internal admin users shadowing the same usernames and assigned to the desired admin user groups in order to authorize appropriately.
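The shadow-user requirement hslai describes above (external authentication on the ACS token server, internal authorization from an ISE admin user of the same name), as an added example that is not code from this thread or from Cisco: a reconciliation check over a constructed list of usernames and roles the token server authenticates and a constructed list of ISE internal admin users, reporting where authorization would fail or has drifted. The `external` flag, group names and usernames are assumptions for illustration, not ISE API output.

```python
# Added example (not from the thread or Cisco): reconcile the shadow admin users
# ISE needs for a RADIUS-token (ACS) admin login against the roles held on the
# token server. All inputs below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class ShadowAdmin:
    """Internal ISE admin user that exists only to carry the authorization."""
    groups: set          # ISE admin groups the user is assigned to
    external: bool = True  # assumed flag: password checked by the token server
    enabled: bool = True


# Constructed: usernames ACS authenticates, with the ISE admin group they should get.
ACS_ADMINS = {"alice": "Super Admin", "bob": "Helpdesk Admin", "carol": "Read Only Admin"}

# Constructed: what is defined as internal admin users on the ISE side.
ISE_ADMINS = {
    "alice": ShadowAdmin(groups={"Super Admin"}),
    "bob": ShadowAdmin(groups={"Super Admin"}),                       # over-privileged
    "dave": ShadowAdmin(groups={"Helpdesk Admin"}),                   # no longer on ACS
    "erin": ShadowAdmin(groups={"Read Only Admin"}, external=False),  # local password
}


def reconcile(acs_admins, ise_admins):
    """Return findings by category; all-empty lists mean both sides agree."""
    findings = {"missing_shadow": [], "wrong_group": [], "orphan": [],
                "local_password": [], "disabled": []}
    for user, role in acs_admins.items():
        shadow = ise_admins.get(user)
        if shadow is None:
            # Authentication would succeed on ACS, but ISE has nothing to authorize.
            findings["missing_shadow"].append(user)
        elif role not in shadow.groups or len(shadow.groups) > 1:
            findings["wrong_group"].append((user, sorted(shadow.groups), role))
    for user in sorted(ise_admins):
        shadow = ise_admins[user]
        if user not in acs_admins:
            findings["orphan"].append(user)          # stale shadow; remove it
        if not shadow.external:
            findings["local_password"].append(user)  # bypasses the token server
        if not shadow.enabled:
            findings["disabled"].append(user)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(ACS_ADMINS, ISE_ADMINS).items():
        print(f"{category}: {items}")
```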

Any reason why not just duplicate the administration policy from ACS into ISE? ACS is deprecated after all; it shouldn't become a dependency for an ISE deployment.

Is it a cross-domain issue?

hslai
Cisco Employee

Not sure. It could be not knowing the passwords of all the admin users.

Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.

Hi Jatiwari

Can you please confirm the steps you took to make this integration with ACS for Admin access to ISE configuration, we have a similar requirement.

@Jay Tiwari wrote:

Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.
