cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

13836
Views
9
Helpful
10
Replies

Cisco ISE: External RADIUS Server

Hi,

I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".

So, how can I use this external RADIUS server to process my request ?

Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)

If anyone use this, please suggest this to me.

Thanks,

Pongsatorn

2 ACCEPTED SOLUTIONS

Accepted Solutions
jrabinow
Rising star

Please clarify which release you are using. There were enhancements to the proxy functionality in ISE 1.1.1

This can be used as follows:

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

View solution in original post

harvisin
Participant

Defining an External RADIUS Server

The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.

To create an external RADIUS server, complete the following steps:

Step 1 Choose Administration > Network Resources > External RADIUS Servers.

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as described:

•Name—(Required) Enter the name of the external RADIUS server.

•Description—Enter a description of the external RADIUS server.

•Host IP—(Required) Enter the IP address of the external RADIUS server.

•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.

•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.

•Key Encryption Key—This key is used for session encryption (secrecy).

•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.

•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)

–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.

•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.

•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

Step 4 Click Submit to save the external RADIUS server configuration.

View solution in original post

10 REPLIES 10
jrabinow
Rising star

Please clarify which release you are using. There were enhancements to the proxy functionality in ISE 1.1.1

This can be used as follows:

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

View solution in original post

I'm using the latest release.

Thanks for your help.

Note that basic proxy will send the request to the proxy and return the response

There are also advanced capabilities that may be useful

- can add attributes to the request before it is sent to the proxy server

- can perform authorization policy processing after receipt of response from the proxy server

- can remove attributes before sending the final reply to the client

Hi,

Can the ISE use information form the machine/user certificate in order to chose to which external RADIUS server to send the request to?

In brief:

ISE acting as RADIUS proxy

802.1x, EAP-TLS

External RADIUS servers

Decision to which external RADIUS server the ISE will forward the request based on the information in the certificate (machine/user)

Kind regards

Guys,
I´m using this feature (external radius proxy) in my customer now.
Some informations about this process isn´t clear form me.
In Authentication Policy  ok - I can configure this instead Default network protocols ( > external radius sequence).
But in Authorization policy, Posture Policy  I can find any away to do something when we talk about Identities.  Cuz the ISE configuration when we click and Identities (internal or external)  we have ActiveDirectory, Radius Token and etc.

In ISE with I have to do something like that:

authentication policy

rule1-authen   -   wired 802.1x / wifi 802.1x - external radius sequence.

authorization policy

rule1-author -  human_resources_Group / and profilling (windows)  /   posture  /   acl permit all

when I send the authentications requests to another radius server, I can search the Groups ou mapped groups to do something like that.

some help?

harvisin
Participant

Defining an External RADIUS Server

The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.

To create an external RADIUS server, complete the following steps:

Step 1 Choose Administration > Network Resources > External RADIUS Servers.

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as described:

•Name—(Required) Enter the name of the external RADIUS server.

•Description—Enter a description of the external RADIUS server.

•Host IP—(Required) Enter the IP address of the external RADIUS server.

•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.

•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.

•Key Encryption Key—This key is used for session encryption (secrecy).

•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.

•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)

–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.

•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.

•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

Step 4 Click Submit to save the external RADIUS server configuration.

View solution in original post

What is the use of integrating external radius server with cisco ISE.

 

Your help will be really appreciated. 

erazvi
Cisco Employee

I hope you can clarify this. If I am only using ONE Ext RADIUS server, do I still have to create RADIUS Server Sequence OR does it automatically take cares of forwarding AuthC request (to Ext RADIUS) once you add the External RADIUS server.

Please correct me if I am wrong, I think it still needs to create a RADIUS Server Sequence, because the individual External Radius server could be found from authentication.

Per the steps posted later in the thread these are as follows

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel