Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1608
Views
2
Helpful
3
Replies

Best practices - RSA token auth with custom attibutes

bperciac
Level 5
Level 5

‎02-05-2016 01:11 PM

I am looking for some assistance on how best to use a RADIUS server to pass RADIUS attributes back to an authenticator.

Currently, the customer uses SteelBelted Radius.  The NAD sends an authentication request to SBR, SBR looks up the local user, authenticates the user/pass against the RSA server, then passes back to the NAD attributes stored in SBR, based on the successful RSA authentication.

They acknowledge that this is a difficult design overall, but from a migration perspective, are looking to be able to replicate this in preparation to migrate to a better design.

Is there a way to do this, or something similar, in ISE?

Thanks!

Bob

0 Helpful
3 Replies 3

howon
Cisco Employee
Cisco Employee

‎02-05-2016 01:21 PM

Bob, this is fairly basic setup with ISE. You can connect to RSA either by native SDI connection or RADIUS with ISE, but since they are already utilizing RADIUS interface for RSA, I suggest doing the same. You can get more information regarding RADIUS token server here:

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Manage Users and External Identity Sources [Cisco Ide…

Hosuk

bperciac
Level 5
Level 5
In response to howon

‎02-05-2016 01:30 PM

I have never tried this type of setup so let me just clarify so I have this right in my head

A local account "bob" exists on ISE, with a custom attribute "foo=yes".

A NAD passes the username "bob" and password "PINCode" to ISE.

ISE passes this to the RSA server, which is accepted.

ISE then passes back to the NAD authentication successful and "foo=yes".

Is this the case that you are highlighting (of a sort) in the link you passed?

Thanks!

Bob

0 Helpful

howon
Cisco Employee
Cisco Employee
In response to bperciac

‎02-05-2016 01:45 PM

No, the link is just for the RADIUS token server part. But what you are describing is certainly possible. In addition to what is described in the link, you also need to create matching internal user name on ISE internal DB. These are high level steps:

1. You need to create a custom attribute called 'foo' for internal database

2. Create matching user 'bob' and fill in the newly created 'foo' attribute with 'yes'. The password wouldn't matter as you are authenticating via RSA

3. Create Authentication policy that uses RADIUS token server

4. Create Authorization profile that sends 'foo' attribute to a RADIUS attribute (i.e. class attribute (25))

5. Create Authorization rule to send Authorization profile created in step 4 when there is a successful authentication and username matches the internal database

Of course there are other steps that are needed such as add NAD to the ISE so ISE can start receiving RADIUS requests from the NAD.

Hosuk

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents