cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

88
Views
0
Helpful
1
Replies
Highlighted
Contributor

Radius proxy use cases

Hi There,

There is an option on ISE where it could be used as a radius proxy server.
I am quite curious what could be such use case where this could be implemented?
Could you please list and explain such use cases?

Thank you

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: Radius proxy use cases

Are you asking when to use RADIUS proxy vs. RADIUS token server setup?  Or just why would you send request to another RADIUS server?

 

If you are asking the first one basically it boils down to being able to pass back all the attributes from the external RADIUS server.  When you use a RADIUS proxy setup all AV pairs handed back from the RADIUS server are sent back to the client.  If you use a RADIUS token server setup you can select on attribute to receive back from the external RADIUS server.  I prefer the RADIUS token server setup as it looks like any other identity source.  In most cases I don't need any attributes coming back from the external RADIUS server.

 

As to why you would use an external RADIUS server the most common use case is MFA/2FA.  You are passing the authentication over to an external MFA/2FA RADIUS server to get processed and ISE can still do the authorization phase.

View solution in original post

1 REPLY 1
VIP Engager

Re: Radius proxy use cases

Are you asking when to use RADIUS proxy vs. RADIUS token server setup?  Or just why would you send request to another RADIUS server?

 

If you are asking the first one basically it boils down to being able to pass back all the attributes from the external RADIUS server.  When you use a RADIUS proxy setup all AV pairs handed back from the RADIUS server are sent back to the client.  If you use a RADIUS token server setup you can select on attribute to receive back from the external RADIUS server.  I prefer the RADIUS token server setup as it looks like any other identity source.  In most cases I don't need any attributes coming back from the external RADIUS server.

 

As to why you would use an external RADIUS server the most common use case is MFA/2FA.  You are passing the authentication over to an external MFA/2FA RADIUS server to get processed and ISE can still do the authorization phase.

View solution in original post