Authenticate users in my python application using RADIUS on Cisco ISE

jesse.vdk (Level 1)

Hello,

I'm working on a project where I need to authenticate and authorize users in my Python application.

I want to use Cisco ISE as my RADIUS server, but I can't get it to work.

Does anyone know a good tutorial, or know if it's even possible?

Using LDAP+ is not an option because I don't have the right license.

Greetings,
Jesse

Accepted Solution

That is a very generic question and we couldn't possibly teach someone how ISE works in a single community post. Here are some salient points.

ISE will listen for RADIUS traffic as long as the node has the PSN persona enabled and a Base/Essentials license.

For your use case, I would take the following steps from a base ISE build:

  1. Create a new Network Device Group (Python App) for the Ubuntu server(s)
  2. Add the Ubuntu python box(es) as Network Devices and assign them to the NDG
  3. Create a User Identity Group (Python_App_Users) and internal users as members
  4. Create an Allowed Protocols list that uses only PAP/ASCII
  5. Create an AuthZ Profile (AuthZ-Python-App) that returns an ACCESS_ACCEPT
  6. Create a Policy Set, AuthC Policy, and AuthZ Policy to use those elements

[Screenshot attachments not reproduced: Screen Shot 2021-11-25 at 9.38.34 am.png, Screen Shot 2021-11-25 at 9.39.07 am.png]

For more details on these aspects, see the various resources in the Learn section of the Community.


8 Replies

balaji.bandi (Hall of Fame)

Is this to log in to the device using RADIUS? Can you show us the code and what is not working?

 

BB


Hi @balaji.bandi,

I want to make the Cisco ISE server a RADIUS server.

My Python application is now running on local accounts, but I want to change that so that it uses the Cisco ISE accounts to authenticate and authorize users.

My code is just simple for now:

import radius

radius.authenticate(username, password, secret, host='ISE server', port=1812)

I just don't seem to get the right RADIUS configuration on ISE.

Thanks for your help already.

Greetings,
Jesse

What is the use case here? Is your Python device running in ISE?

Let me clarify this again: is this script run against devices using RADIUS authentication? Then you do not need to get connected to ISE.

When you connect the device, does the device automatically request the AAA information from ISE?

Or am I missing something here?

BB


Hey @balaji.bandi,

For my internship I am creating a web portal where people can manage their own identity groups.

The portal talks to the ISE server using a REST API.

The script/portal is running on an Ubuntu machine and only talks to people using HTTP, and talks to the ISE server using the REST API / RADIUS.

On the web portal, people can log in using accounts from the ISE server.

The reason I want this is so that I don't have to use local accounts on my Ubuntu machine.

I hope this helps to clarify things.

Thank you so much already.

Greetings,
Jesse

What part is not working? Is your code not generating RADIUS requests to send to ISE? Is it generating RADIUS traffic, but you're seeing specific errors in ISE?

If you're not doing so, you would likely need to use a Python module such as pyrad, which can build and decode the RADIUS requests/responses. You would then need to add your Ubuntu box as a Network Device in ISE and specify the shared secret. The requests would likely use PAP, so you would need to build the AuthC/AuthZ policies appropriately to check against either an external Identity Store (AD, LDAP) or the internal ISE user store.
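The reply above (build PAP Access-Requests, register the Ubuntu box as a Network Device with a shared secret) and steps 2 to 4 of the accepted solution describe the same RADIUS exchange seen from the two ends. The Python below is an added example, not code from this thread, from pyrad or from Cisco: it builds an RFC 2865 Access-Request with a PAP-obfuscated User-Password, plays a minimal ISE-like server that only answers known network devices, and validates the Response Authenticator on the client. The Network Device name, shared secret, user and password are constructed sample values; `ise_like_server` is a stand-in callable for the UDP round trip to port 1812 that a real client library performs, and it looks the device up by NAS-Identifier where ISE uses the packet's source IP.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32       # attribute types, RFC 2865

# Constructed sample data: what ISE holds after the "Network Device" and "internal user" steps.
KNOWN_NADS = {"python-app": b"S3cr3t-shared-with-ISE"}   # Network Device -> RADIUS shared secret
USERS = {"jesse": "correct horse battery staple"}          # internal user store (sample only)


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    if len(pw) > 128:
        raise ValueError("PAP passwords are limited to 128 octets")
    pw += b"\x00" * (-len(pw) % 16)
    if not pw:
        pw = b"\x00" * 16                                  # an empty password still fills one block
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], keystream))
        out += block
        prev = block                                       # next block is keyed on this ciphertext
    return out


def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt: what the server does before checking its user store."""
    if not cipher or len(cipher) % 16:
        raise ValueError("malformed User-Password")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_id, authenticator):
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, {type: value}); reject truncated or overlong input."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def ise_like_server(packet, nads=KNOWN_NADS, users=USERS):
    """Stand-in for the PSN decision. An unknown device gets no reply at all (client times out)."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    secret = nads.get(attrs.get(NAS_IDENTIFIER, b"").decode(errors="replace"))
    if secret is None:
        return None
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, ident, req_auth, secret)
    user = attrs[USER_NAME].decode(errors="replace")
    given = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth)   # garbage if the secrets differ
    ok = user in users and hmac.compare_digest(users[user].encode(), given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def authenticate(send, secret, username, password, nas_id="python-app", ident=7):
    """Client side; `send` stands in for the UDP send/recv to the PSN on port 1812."""
    req_auth = os.urandom(16)                          # fresh random Request Authenticator
    reply = send(build_access_request(ident, secret, username, password, nas_id, req_auth))
    if reply is None:
        return "timeout"                               # the symptom of an undefined Network Device
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return "bad-authenticator"                     # not from a holder of our secret: discard
    return "accept" if code == ACCESS_ACCEPT else "reject"


def demo():
    good = KNOWN_NADS["python-app"]
    return {
        "good": authenticate(ise_like_server, good, "jesse", USERS["jesse"]),
        "wrong_password": authenticate(ise_like_server, good, "jesse", "not-it"),
        "wrong_secret": authenticate(ise_like_server, b"typo", "jesse", USERS["jesse"]),
        "unknown_nad": authenticate(ise_like_server, good, "jesse", USERS["jesse"], nas_id="not-in-ise"),
    }


if __name__ == "__main__":
    print(demo())
```

The `timeout` outcome is the failure mode reported in this thread: an Access-Request from an address that is not defined as a Network Device gets no reply, so a client library simply waits and gives up. A wrong shared secret looks different: an RFC 2865 server still answers, but the password it decrypts is garbage, and the client in turn cannot validate the Response Authenticator and must discard the reply. PAP hides the password only behind an MD5 keystream keyed by the shared secret, so keep the path from the Ubuntu box to the PSN on a trusted network (or inside IPsec) and use a long, random secret.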

Hi @Greg Gibbs,

The code is generating traffic, but it's getting no response.

The reason for that is that I don't really know what settings I need to enable in ISE to enable RADIUS.

I followed this guide to implement RADIUS: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215525-use-radius-for-device-administration-wit.html
But when I am implementing it, it feels like I'm taking way more steps than needed, and it feels like this guide is not trying to accomplish the same goal as me.

I tried searching for other guides that try to accomplish the same goal, but I only found one for LDAP (I can't use this because I don't have the right license): https://dev.to/enmedina/authenticate-and-authorize-users-in-your-application-using-tacacs-with-cisco-ise-1o71

Do you know what settings I need to enable for RADIUS?

Thank you.

Greetings, Jesse


Hi @Greg Gibbs,

Thank you so much.
This is really helpful because now I know what steps to take.

Greetings,

Jesse