Authorization policy of External Radius Server

etzhou
Cisco Employee


There is an "On access-accept, continue to Authorization Policy" option in the advanced attributes of the external RADIUS server. But where can we define the authorization policy of the external RADIUS server?

[Screenshot attached: Screen Shot 2017-06-20 at 4.28.38 PM.png]

There is no authorization policy in the policy set.

[Screenshot attached: 屏幕快照 2017-12-29 下午6.26.01.png]


ognyan.totev
Level 5

Hi, this is what I found:

The Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name.

rule1-authen   -   wired 802.1x / wifi 802.1x - external radius sequence.

authorization policy

rule1-author -  human_resources_Group / and profiling (windows)  /   posture  /   acl permit all

I am using ISE 2.3. Where do I define this authorization policy?

I use the RADIUS proxy as the allowed protocols/server sequence, and there is no authorization policy I can choose in the policy set. As I see in the RADIUS live log, the default authorization policy of this rule is used. But I cannot see where to configure this default authz policy of this rule.

(If I use default network access as the allowed protocols/server sequence of the authentication policy rule, I can choose an authorization policy in the policy set.)

ognyan.totev
Level 5

It used the default because no other rule matched. You must create it in policy sets, and if it matches, it will be used.

Where do I define the authorization policy when the allowed protocols and server sequence is external RADIUS?

In ISE 2.3, you cannot go into this rule and define the authorization rule.

[Screenshot attached: 屏幕快照 2017-12-29 下午6.26.01.png]

Only authentication can be proxied

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100101.html#ID839

Not the Authentication. I need the authorization based on the attribute external radius returns.

There is no authorization configuration in the link.

The two common types of integration with external RADIUS servers include:

  • RADIUS Proxy
  • RADIUS Token Server

In the case of Proxy, the RADIUS request is relayed to the external RADIUS server, where authentication is terminated and authorization returned, just as if communication was between the NAD and the external RADIUS server.  Any authorization returned by the external server can be relayed back to the NAD.  Cisco ISE offers an enhancement to the flow to modify ingress or egress attributes, as well as to process the returned request with ISE local policy.  This is the "Continue to Authorization on Accept" checkbox.  The selected policy rule set is the one that matches the flow.  So you have a choice to simply relay the external RADIUS server's attributes or to augment them before they are sent to the NAD.

In the case of Token, the external RADIUS server only serves as an external Identity store and can optionally return a SINGLE RADIUS attribute back to ISE, by default the CiscoSecure group attribute.  Here ISE is the termination point for authentication and can leverage the external server for Token/OTP lookups, or even authorization (single attribute), but all authorization is processed by ISE local policy per the matching rule set.

If it matches the wrong rule set, then you need to modify the Policy Set or auth policy conditions to ensure a match to the desired rule.

/Craig

Hi @Craig Hyps , you clearly described the feature. Meanwhile, I would like to understand how ISE can select the correct Authorization Policy when the "Continue to Authorization on Accept" is used.


Let's say we have 2 different endpoints that need to be authenticated with 802.1x with an external radius.

Each endpoint should get a different Authz profile from ISE when accepted.

What would be the conditions in the Authz Policy since ISE has not authenticated them (not in the Internal endpoint db, or in any identity store)?

Hi @REJR77 ,

Some examples: you are able to use AD.ExternalGroups or Cisco.cisco-av-pair.

Hope this helps !!!
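The proxy flow Craig describes above, together with the question of what conditions the local authorization rules can match on (the attributes the external server returns, such as a cisco-av-pair, as the reply above suggests), modelled as an added Python example. This is not code from the thread, from Cisco, or from ISE. The user names, group names, Filter-Id values and shared secret are constructed for the example, and credential checking by the external server is reduced to a User-Name lookup so that the example runs offline. The proxy forwards the Access-Request, verifies the Response Authenticator of the reply (RFC 2865 section 3) before trusting any attribute in it, and then runs a local rule set on the returned av-pairs, falling back to a "Default" rule when nothing matches, which is the behaviour seen in the live log earlier in the thread.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865); vendor ids for the Cisco VSA
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FILTER_ID, VENDOR_SPECIFIC = 1, 11, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute section of a packet, rejecting malformed lengths."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated RADIUS attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def cisco_avpair(text):
    """Vendor-Specific attribute (26) wrapping a Cisco cisco-av-pair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return (VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def avpairs_in(attrs):
    """Extract the cisco-av-pair strings carried by Cisco VSAs in attrs."""
    vendor = struct.pack("!I", CISCO_VENDOR_ID)
    return [v[6:].decode() for t, v in attrs
            if t == VENDOR_SPECIFIC and v[:4] == vendor and v[4] == CISCO_AVPAIR]


def packet(code, ident, authenticator, attrs):
    """Build a RADIUS packet: code, identifier, length, 16-byte authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def external_server(request, secret):
    """Constructed external RADIUS server: terminates authentication and returns
    its own authorization (a group name in a cisco-av-pair). Credential checking
    is out of scope for the example, so it decides on User-Name alone."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    user = dict(decode_attrs(request[20:])).get(USER_NAME, b"").decode()
    known_users = {"alice": "human_resources", "bob": "contractors"}  # constructed
    if user in known_users:
        code, resp_attrs = ACCESS_ACCEPT, [cisco_avpair(f"group={known_users[user]}")]
    else:
        code, resp_attrs = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, resp_attrs, secret)
    return packet(code, ident, auth, resp_attrs)


# Local authorization rule set run on Access-Accept ("Continue to Authorization
# Policy"): each rule is (name, condition on the returned av-pairs, attributes to add).
LOCAL_RULES = [
    ("HR-permit-all", lambda avps: "group=human_resources" in avps, [(FILTER_ID, b"permit-all")]),
    ("Contractor-internet", lambda avps: "group=contractors" in avps, [(FILTER_ID, b"internet-only")]),
]


def proxy_authenticate(user, shared_secret, server=external_server):
    """ISE-style proxy step for one Access-Request: forward to the external
    server, verify its reply, then run local policy on the returned attributes.
    Returns (code, matched rule name, attributes to send to the NAD)."""
    ident = 7
    request_auth = os.urandom(16)
    request = packet(ACCESS_REQUEST, ident, request_auth, [(USER_NAME, user.encode())])
    reply = server(request, shared_secret)

    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    if reply_ident != ident or length != len(reply):
        raise ValueError("reply does not belong to the outstanding request")
    attrs = decode_attrs(reply[20:])
    expected = response_authenticator(code, ident, request_auth, attrs, shared_secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: reply forged or wrong shared secret")

    if code != ACCESS_ACCEPT:
        return code, None, []                     # nothing to authorize on a reject
    for name, condition, extra in LOCAL_RULES:
        if condition(avpairs_in(attrs)):
            return code, name, attrs + extra      # relay external attrs, augmented locally
    return code, "Default", attrs                 # no local match: default rule, attrs relayed as-is


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, proxy_authenticate(user, b"constructed-secret"))
```

The authenticator check is the part worth keeping in mind when this feature is enabled: once local rules key off attributes the external server returned, those attributes are policy input, so a reply that does not validate against the shared secret is discarded before any rule runs. Swapping the condition lambdas for checks on other returned attributes (an external group attribute, for instance) is the equivalent of choosing different conditions in the policy set.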

hslai
Cisco Employee
(Accepted Solution)

It looks like you hit CSCvg03448, which is currently being addressed in ISE 2.3 Patch 2.

etzhou
Cisco Employee

Thanks a lot.  Your help is great.

Jason Kunst
Cisco Employee

ISE only proxies authentications to external servers.

Authorization has to be done on ISE.