
Authentication Policy ISE with External RADIUS Server

Hi All,
I would like to authenticate clients by using an external RADIUS server. I created an authentication policy using a new compound condition (wireless dot1x + Radius Username Matches "domainB\"), and I would like to forward authentication for users who authenticate as domainB\username to the External RADIUS Server Sequence. But when I check the authentication dashboard, they are still authenticated using the default authentication rule.

Please suggest about this scenario.

Regards,


Tarik Admani
VIP Alumni

Hi,

Can you please post a screenshot of the authentication policy and the attributes from the monitoring report?

Tarik Admani
*Please rate helpful posts*

Hi, Tarik,

Please see screenshots of the authentication policy I have created.

Thanks,

Pongsatorn

Can you please also share a copy of the authentication details for requests that do not match as expected?

This should also give some additional information.

Hi jrabinow,

Which details would you like to see?

Here is some info.

The ISEs are deployed in 2 domains, "acme.com" and "sub.acme.com".

The domains do not have a trust relationship, so these 2 domains cannot communicate with each other.

Each domain has its own Enterprise Root CA (Microsoft).

Clients who need to access the network need to authenticate with EAP-TLS.

My environment

My ISE node is joined to the domain "acme.com".

Users will be "name1@acme.com".

Once a user such as "name2@sub.acme.com" tries to authenticate, I would like to forward the RADIUS request from the ISEs (acme.com) to the other ISEs (sub.acme.com).

After the ISEs in "sub.acme.com" return RADIUS-ACCEPT, the ISEs in "acme.com" will process an authorization policy.

Regards,

Pongsatorn
