1724 Views | 2 Helpful | 3 Replies

Best practices - RSA token auth with custom attributes

bperciac
Level 5

I am looking for some assistance on how best to use a RADIUS server to pass RADIUS attributes back to an authenticator.

Currently, the customer uses Steel-Belted Radius (SBR). The NAD sends an authentication request to SBR, SBR looks up the local user, authenticates the user/password against the RSA server, then passes back to the NAD the attributes stored in SBR, based on the successful RSA authentication.

They acknowledge that this is a difficult design overall, but from a migration perspective they are looking to be able to replicate this in preparation for migrating to a better design.

Is there a way to do this, or something similar, in ISE?

Thanks!

Bob

3 Replies

howon
Cisco Employee

Bob, this is a fairly basic setup with ISE. You can connect to RSA either by a native SDI connection or by RADIUS with ISE, but since they are already utilizing the RADIUS interface for RSA, I suggest doing the same. You can get more information regarding the RADIUS token server here:

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Manage Users and External Identity Sources [Cisco Ide…

Hosuk

I have never tried this type of setup, so let me just clarify so I have this right in my head.

A local account "bob" exists on ISE, with a custom attribute "foo=yes".

A NAD passes the username "bob" and password "PINCode" to ISE.

ISE passes this to the RSA server, which is accepted.

ISE then passes back to the NAD authentication successful and "foo=yes".

Is this the case that you are highlighting (of a sort) in the link you passed?

Thanks!

Bob

No, the link is just for the RADIUS token server part. But what you are describing is certainly possible. In addition to what is described in the link, you also need to create a matching internal user name in the ISE internal DB. These are the high-level steps:

1. You need to create a custom attribute called 'foo' for the internal database

2. Create a matching user 'bob' and fill in the newly created 'foo' attribute with 'yes'. The password wouldn't matter, as you are authenticating via RSA

3. Create an Authentication policy that uses the RADIUS token server

4. Create an Authorization profile that sends the 'foo' attribute in a RADIUS attribute (i.e., the Class attribute (25))

5. Create an Authorization rule that sends the Authorization profile created in step 4 when authentication succeeds and the username matches the internal database

Of course there are other steps that are needed, such as adding the NAD to ISE so that ISE can start receiving RADIUS requests from the NAD.

Hosuk
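To make the five steps above concrete, here is an added example (not code from the thread, from Cisco, or from ISE itself) that models the flow in Python: the token-server check is a constructed stand-in for the RSA/RADIUS token server, `INTERNAL_USERS` stands in for the ISE internal database with its custom attribute `foo`, and `AUTHZ_PROFILE` plays the role of the authorization profile that copies `foo` into the RADIUS Class attribute (type 25). The response is encoded as a real RFC 2865 Access-Accept/Access-Reject, including the Response Authenticator that the NAD uses to verify the reply came from a server holding the shared secret. All usernames, passcodes and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the ISE internal user database (step 1 and 2 in the
# reply). The password is deliberately absent: authentication is delegated to
# the token server, the internal entry only carries the custom attribute.
INTERNAL_USERS = {
    "bob": {"foo": "yes"},
}

# Constructed stand-in for the RADIUS token server (step 3): user -> PIN+tokencode.
TOKEN_SERVER_USERS = {"bob": "1234567890", "alice": "0987654321"}

# Authorization profile (step 4): internal custom attribute -> RADIUS attribute type.
RADIUS_CLASS = 25  # Class attribute, RFC 2865 section 5.25
AUTHZ_PROFILE = {"foo": RADIUS_CLASS}

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def token_server_accepts(username, passcode):
    """Constructed stand-in for the RSA token check so the example runs offline.
    Constant-time comparison avoids leaking passcode length/prefix via timing."""
    expected = TOKEN_SERVER_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, passcode)


def build_response(code, request_id, request_authenticator, attributes, secret):
    """Encode a RADIUS response (RFC 2865 section 3). attributes is a list of
    (type, value_bytes). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = b"".join(
        struct.pack("!BB", atype, 2 + len(value)) + value
        for atype, value in attributes
    )
    length = 20 + len(attr_bytes)  # 4-byte header + 16-byte authenticator
    header = struct.pack("!BBH", code, request_id, length)
    resp_auth = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def authorize(username, passcode, request_id, request_authenticator, secret):
    """Model of the policy: authenticate via the token server, then (step 5) if
    the user also exists in the internal DB, apply the profile that copies the
    custom attribute into the RADIUS attribute. A user accepted by the token
    server but absent from the internal DB is modelled as an Access-Accept with
    no attributes (what ISE does there depends on its default authorization rule)."""
    if not token_server_accepts(username, passcode):
        return build_response(ACCESS_REJECT, request_id, request_authenticator, [], secret)
    attrs = []
    internal = INTERNAL_USERS.get(username)
    if internal is not None:
        for custom_name, radius_type in AUTHZ_PROFILE.items():
            if custom_name in internal:
                attrs.append((radius_type, internal[custom_name].encode()))
    return build_response(ACCESS_ACCEPT, request_id, request_authenticator, attrs, secret)


def parse_response(packet):
    """NAD side: decode code, identifier and the attribute TLVs of a response."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """NAD side: recompute the Response Authenticator and compare in constant time."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # constructed; a real NAD sends 16 random bytes
    pkt = authorize("bob", "1234567890", 7, req_auth, secret)
    print(parse_response(pkt), verify_response_authenticator(pkt, req_auth, secret))
```

The NAD-side `parse_response`/`verify_response_authenticator` pair is there because the interesting check in this design sits on the authenticator: the Class value arrives in clear text, so what protects it from being tampered with between ISE and the NAD is the Response Authenticator over the shared secret, not anything in the attribute itself.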