Showing results for 
Search instead for 
Did you mean: 

Cisco ACS Migration to ISE - Identity policy




Im planning on migrating from ACS to  ISE and i cant find the same feature in ISE as i've used in ACS.


My devices is using tacacs for authentication, and most of the users is mostly authenticated using external ad groups or local users in ACS. But i have a special case were i need to forward the request to an external radius server.

In ACS i've been able to do this with a identity policy's that checks if a username starts with xxx_, then identity equals my radius server.


Im trying to do the same in Cisco ISE, but i cant figure it out. Is this feature missing, or how am i going about implementing it?


Traffic flow:

Device -> Tacacs+ -> Cisco ISE -> Radius -> External Radius server



1 Accepted Solution

Accepted Solutions

Those return attributes are only used as matching conditions in the AuthZ Policies to provide differentiated access (T+ Command Sets, Shell Profiles, etc).

The connection between the NAD and ISE (and vice-versa) is using TACACS+ which is a different protocol than RADIUS and does not support the same attributes. RADIUS attributes returned by the external RADIUS server to ISE cannot be sent to the NAD via TACACS+. This would be no different between ACS and ISE.

View solution in original post

5 Replies 5

Greg Gibbs
Cisco Employee
Cisco Employee

TACACS+ and RADIUS are different protocols that handle Authentication and Authorization in different ways. ISE cannot translate TACACS+ to RADIUS (I doubt ACS can either), so you cannot configure a RADIUS Proxy service in a Device Admin Policy Set. I suspect you are simply using the external server as a RADIUS Token server.
If this is what you are doing in ACS, you should be able to achieve the same in ISE using these steps:

  1. Configure the RADIUS Token server
  2. In your Device Admin Policy Set, create an Authentication Policy that matches on something like 'Network Access·UserName Starts with xxx_' and Uses your RADIUS Token server
  3. Create your Authorization Policies with matching conditions based on the attribute_name that is returned by the RADIUS Token server (e.g. RADIUS_Token·CiscoSecure-Group-Id Equals GroupA)