Cisco Employee

Using ISE as RADIUS server with Win AD

I received this question from a customer, does anyone know the answer?

"The real question here is the customer wants to refer back to LDAP. What they recently found is that, with the F/W using LDAP for authentication, a user can log in with matching case and is forced to 2 factor auth, but if the case isn't matching they still get logged in but with no 2 factor. The F/W vendor has told them they need to use Radius. So the question is, can they use the Radius function in Tacacs and have that refer back to LDAP and still force them to match case? They are looking to not have to have 2 user databases. If they will need to maintain a separate database in the Tacacs server for this, they can do that directly in the F/W."

VIP Engager

Re: Using ISE as RADIUS server with Win AD

Not sure what they are trying to do here, but typically if you used ISE you would have ISE send the request to the two-factor server via RADIUS, then do AD/LDAP lookups on the username during the authorization section of the rules to do group matching or other attribute matching. So say you wanted two-factor authentication plus AD group lookups:

Authentication Phase:

FW->TACACS->ISE->RADIUS->2FA Server

Authorization Phase:

ISE->AD/LDAP Group Lookup

If Member of "Network Admin" group then full access

If Member of "Network Read-Only" group then read-only access

Something like that is pretty typical. Even if the customer only wants 2FA, I still send the requests through ISE so I can get uniform logging and have the ability to apply different levels of authorization in the future.

Cisco Employee

Re: Using ISE as RADIUS server with Win AD

I believe their question is regarding remote access VPN on the firewall they referenced.

VIP Engager

Re: Using ISE as RADIUS server with Win AD

Remote access VPN or Admin the answer is the same. Change my if statements to:

If member of “Employee VPN” group then full access

If member of “Vendor X” group then permit access but apply DACL X

If member of “Vendor Y” group then permit access but apply DACL Y

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Cisco Employee

Re: Using ISE as RADIUS server with Win AD

Thanks Paul, and to be perfectly clear, the answer to case sensitivity is "yes, it will enforce case sensitivity"?

VIP Engager (Accepted Solution)

Re: Using ISE as RADIUS server with Win AD

There should be no case sensitivity concerns if you go against ISE. I can’t speak to the current setup but the case involved in the username shouldn’t come into play here as ISE controls exactly where authentications go. So the authentication phase would only allow authentications against the 2FA server. The authorization phase would do an LDAP/AD group lookup.

Paul Haferman

Cisco Employee

Re: Using ISE as RADIUS server with Win AD

Paul,

Thank you for your time, expertise, and quick responses!!!

Cisco Employee

Re: Using ISE as RADIUS server with Win AD

more from the customer:

"Second is they recently found an issue with the current 2 factor authentication setup. They are using LDAP for authentication, which isn't case sensitive, so if a username is all lower case and they type it in lower case the user will then get prompted for 2 factor auth. If they type anything else they get passed through to LDAP and they get connected without 2 factor authentication.

Username is kdonnelly

As long as I type lowercase I will need 2 factor to get it.

If I type Kdonnelly I get passed through to LDAP and connect without 2 factor.

So if we use the TACACS radius functionality is that case sensitive?"
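The two designs discussed in this thread, as an added example that is not part of the original posts and not Cisco ISE or any firewall vendor's code: a small policy model of the customer's current setup from the last post (2FA keyed on the exact username, anything else falling through to a case-insensitive LDAP bind) next to the flow Paul describes (authentication sent only to the 2FA server over RADIUS with no fallback store, then an AD/LDAP group lookup in the authorization phase). It assumes the 2FA server looks up the exact username string it was enrolled with, that the firewall triggers 2FA on an exact match, and that AD compares sAMAccountName case-insensitively; the users, passwords, OTP values and group names are constructed.

```python
"""Policy model of the two flows discussed in this thread.

Added example, not code from the thread, ISE or a firewall vendor. Users,
passwords, OTPs and group names are constructed stand-ins. Assumptions: the
2FA server keys enrolments on the exact username string; the firewall triggers
2FA on an exact match; AD compares sAMAccountName case-insensitively.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Request:
    username: str
    password: str
    otp: Optional[str] = None  # None: no second factor was supplied


# Constructed AD stand-in, keyed by lower-cased sAMAccountName.
AD_USERS = {
    "kdonnelly": {"password": "Winter2024!", "groups": {"Employee VPN"}},
    "vendorx1": {"password": "v3ndor-pw", "groups": {"Vendor X"}},
}

# Constructed 2FA server enrolments, keyed by the exact string enrolled (assumption).
TWO_FACTOR = {"kdonnelly": "123456", "vendorx1": "654321"}


def ad_groups(username: str) -> Optional[Set[str]]:
    """AD group lookup; the sAMAccountName comparison is case-insensitive."""
    rec = AD_USERS.get(username.lower())
    return set(rec["groups"]) if rec else None


def ldap_bind(req: Request) -> bool:
    """Case-insensitive first-factor check against the AD stand-in."""
    rec = AD_USERS.get(req.username.lower())
    return bool(rec) and rec["password"] == req.password


def two_factor_server(req: Request) -> str:
    """RADIUS 2FA server: returns 'accept', 'reject' or 'unknown-user'.

    Looks up the exact username string, validates the first factor against
    AD, then checks the OTP.
    """
    if req.username not in TWO_FACTOR:
        return "unknown-user"
    if not ldap_bind(req) or req.otp != TWO_FACTOR[req.username]:
        return "reject"
    return "accept"


def firewall_ldap_with_2fa(req: Request) -> str:
    """Current setup from the last post: 2FA only on an exact username match,
    everything else falls through to a plain, case-insensitive LDAP bind."""
    if req.username in TWO_FACTOR:
        return "allow (2FA)" if two_factor_server(req) == "accept" else "deny"
    return "allow (NO 2FA)" if ldap_bind(req) else "deny"


def ise_flow(req: Request) -> str:
    """Flow from Paul's reply: the authentication policy sends every request to
    the 2FA server over RADIUS with no fallback store; the authorization policy
    then does the AD/LDAP group lookup."""
    # Authentication phase: FW -> ISE -> RADIUS -> 2FA server (nothing else)
    if two_factor_server(req) != "accept":
        return "deny"
    # Authorization phase: ISE -> AD/LDAP group lookup
    groups = ad_groups(req.username) or set()
    if "Employee VPN" in groups:
        return "permit: full access"
    if "Vendor X" in groups:
        return "permit: DACL X"
    if "Vendor Y" in groups:
        return "permit: DACL Y"
    return "deny"


if __name__ == "__main__":
    # Lower-case with OTP, lower-case without OTP, and the case-mismatch bypass.
    for req in (
        Request("kdonnelly", "Winter2024!", "123456"),
        Request("kdonnelly", "Winter2024!"),
        Request("Kdonnelly", "Winter2024!"),
    ):
        print(f"{req.username:10} firewall={firewall_ldap_with_2fa(req):16} ise={ise_flow(req)}")
```

The third request in the `__main__` block is the case the customer describes: with the LDAP fallback, "Kdonnelly" is not recognised by the 2FA trigger and the case-insensitive LDAP bind lets it through with no second factor, while the ISE-style flow has nowhere to fall through to and returns a deny. Whether the 2FA server itself accepts a case variant of an enrolled name is up to that server; the point the model shows is that the authentication policy sends the request nowhere else.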