Authenticated on ISE 1.2 (as admin) against an external radius server

jeanluchelion
Level 1

Hello

Our customer wants to be authenticated on ISE 1.2 (as admin) against an external RADIUS server (like ACS, not Microsoft). How could I do that?

Is it possible while retaining the internal admin users database in a sequence "external_radius or internal"?

Thank you in advance.

Best regards

4 Replies

Charlie Moreton
Cisco Employee

Jean-Luc,

Sure thing!

Make sure your RADIUS Server is already added in the External Identity Sources.  To do this, navigate to Administration > Identity Management > External Identity Sources:

ADMIN_RADIUS1.GIF

From there, navigate to Administration > System > Admin Access.  In the Authentication entry on the Left Menu, choose the Identity Source from the drop-down menu.

ADMIN_RADIUS2.GIF

Click Save and Logout.  You will now see a new Identity Source drop-down on the login page.  From here you can select RADIUS or Internal.

ADMIN_RADIUS3.GIF

This will allow local logins in case the RADIUS server is down for any reason.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Hello Charles,

Many thanks for your help. That works fine!!

Best regards,

Great news!  Glad this worked for you.

Charles Moreton

External authentication is supported only with internal authorization:

External Authentication + Internal Authorization

When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:


Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

The Administrators window appears, listing all existing locally defined administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.


Note: Remember, you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.

Step 3 Click Save.