11-21-2012 04:10 AM - edited 03-10-2019 07:48 PM
Hi,
I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
So, how can I use this external RADIUS server to process my request ?
I looked at the user guide but didn't find any information about this setting (for rule-based, not simple rule).
If anyone use this, please suggest this to me.
Thanks,
Pongsatorn
11-21-2012 04:39 AM
Please clarify which release you are using. There were enhancements to the proxy functionality in ISE 1.1.1.
This can be used as follows:
- Define "External RADIUS Server"
- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that requests will be sent to until a response is received
- In the authentication policy, when defining rules, instead of selecting Allowed Protocols you can select a "RADIUS Server Sequence"
03-01-2013 05:40 PM
Defining an External RADIUS Server
The Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
The Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
To create an external RADIUS server, complete the following steps:
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2 Click Add to add an external RADIUS server.
Step 3 Enter the values as described:
• Name—(Required) Enter the name of the external RADIUS server.
• Description—Enter a description of the external RADIUS server.
• Host IP—(Required) Enter the IP address of the external RADIUS server.
• Shared Secret—(Required) Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
• Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
• Key Encryption Key—This key is used for session encryption (secrecy).
• Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
• Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
– ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
– Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
• Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
• Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
• Server Timeout—(Required) Enter the number of seconds that the Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
• Connection Attempts—(Required) Enter the number of times that the Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
Step 4 Click Submit to save the external RADIUS server configuration.
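As an added illustration (not code from this thread or from Cisco ISE), the following Python simulates the behaviour the accepted answer and the quoted documentation describe: a proxy walks a RADIUS Server Sequence, tries each External RADIUS Server up to its Connection Attempts count with its Server Timeout, and trusts a reply only when the Response Authenticator (RFC 2865, section 3) verifies under that server's shared secret, which is the check behind the "used for authenticating the external RADIUS server" wording above. The server names, secrets, user name and the in-memory `transport` callables are constructed for the example; no sockets are opened.

```python
"""Simulated RADIUS proxy with a server sequence and reply authentication.

Assumptions (not from the thread): servers are in-memory callables, the
shared secrets are made up, and only Access-Request/Accept are modelled.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # RADIUS attribute type 1 (RFC 2865 section 5.1)

# A transport takes (request bytes, timeout seconds) and returns the reply,
# or None when nothing arrives within the timeout.
Transport = Callable[[bytes, float], Optional[bytes]]


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Serialise Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a party holding our shared secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


@dataclass
class ExternalRadiusServer:
    """Mirrors the fields from the documentation: secret, timeout, attempts."""
    name: str
    secret: bytes
    transport: Transport
    timeout: float = 5.0  # ISE default Server Timeout (seconds)
    attempts: int = 3     # ISE default Connection Attempts


def proxy_through_sequence(request_auth: bytes, ident: int, attrs: bytes,
                           sequence: List[ExternalRadiusServer]
                           ) -> Tuple[Optional[str], Optional[bytes]]:
    """Try servers in order; the first verified reply wins, else (None, None)."""
    request = radius_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    for server in sequence:
        for _ in range(server.attempts):
            reply = server.transport(request, server.timeout)
            if reply is None:
                continue  # timed out: retry up to Connection Attempts
            if verify_response(reply, request_auth, server.secret):
                return server.name, reply
            # Bad Response Authenticator (wrong secret or forged reply):
            # RFC 2865 says silently discard, so treat it like no reply.
    return None, None


def make_server(secret: bytes, code: int) -> Transport:
    """Constructed in-memory server that answers every request with `code`."""
    def respond(request: bytes, _timeout: float) -> Optional[bytes]:
        ident, request_auth, attrs = request[1], request[4:20], b""
        auth = response_authenticator(code, ident, attrs, request_auth, secret)
        return radius_packet(code, ident, auth, attrs)
    return respond


def dead_server(_request: bytes, _timeout: float) -> Optional[bytes]:
    """Constructed server that never answers (the timeout case)."""
    return None


def demo_failover() -> Tuple[Optional[str], Optional[int]]:
    """Primary is down; the sequence falls through to the secondary."""
    secret = b"constructed-shared-secret"
    sequence = [
        ExternalRadiusServer("rad-primary", secret, dead_server),
        ExternalRadiusServer("rad-secondary", secret, make_server(secret, ACCESS_ACCEPT)),
    ]
    attrs = attribute(USER_NAME, b"alice")
    name, reply = proxy_through_sequence(os.urandom(16), 7, attrs, sequence)
    return name, (reply[0] if reply else None)


def demo_wrong_secret() -> Tuple[Optional[str], Optional[int]]:
    """Secret mismatch between proxy and server: the reply is never trusted."""
    sequence = [ExternalRadiusServer("rad-mismatch", b"ise-side-secret",
                                     make_server(b"other-secret", ACCESS_ACCEPT))]
    name, reply = proxy_through_sequence(os.urandom(16), 8, b"", sequence)
    return name, (reply[0] if reply else None)


if __name__ == "__main__":
    print(demo_failover())      # ('rad-secondary', 2)
    print(demo_wrong_secret())  # (None, None)
```

The second demo is the case worth remembering operationally: a shared-secret mismatch does not produce a RADIUS reject, it produces silence from the proxy's point of view, so the sequence exhausts its attempts and the NAS sees a timeout rather than an error message.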
11-21-2012 04:44 AM
I'm using the latest release.
Thanks for your help.
11-21-2012 05:02 AM
Note that basic proxy will send the request to the proxy and return the response
There are also advanced capabilities that may be useful
- can add attributes to the request before it is sent to the proxy server
- can perform authorization policy processing after receipt of response from the proxy server
- can remove attributes before sending the final reply to the client
02-20-2013 04:20 AM
Hi,
Can the ISE use information from the machine/user certificate in order to choose which external RADIUS server to send the request to?
In brief:
ISE acting as RADIUS proxy
802.1x, EAP-TLS
External RADIUS servers
Decision to which external RADIUS server the ISE will forward the request based on the information in the certificate (machine/user)
Kind regards
02-27-2013 06:21 AM
Guys,
I'm using this feature (external RADIUS proxy) at my customer now.
Some information about this process isn't clear to me.
In the Authentication Policy it's OK - I can configure this instead of Default network protocols ( > external radius sequence).
But in the Authorization Policy and Posture Policy I can't find any way to do something when we talk about Identities, because in the ISE configuration when we click on Identities (internal or external) we have Active Directory, RADIUS Token, etc.
In ISE I have to do something like that:
authentication policy
rule1-authen - wired 802.1x / wifi 802.1x - external radius sequence.
authorization policy
rule1-author - human_resources_Group / and profilling (windows) / posture / acl permit all
When I send the authentication requests to another RADIUS server, I can search the Groups or mapped groups to do something like that.
Some help?
03-06-2020 07:58 AM
What is the use of integrating an external RADIUS server with Cisco ISE?
Your help will be really appreciated.
07-04-2015 01:01 PM
I hope you can clarify this. If I am only using ONE Ext RADIUS server, do I still have to create a RADIUS Server Sequence, OR does it automatically take care of forwarding AuthC requests (to Ext RADIUS) once you add the External RADIUS server?
01-19-2017 06:22 PM
Please correct me if I am wrong; I think you still need to create a RADIUS Server Sequence, because the individual External RADIUS server could be found from authentication.
01-22-2017 04:44 AM
Per the steps posted later in the thread, these are as follows:
- Define "External RADIUS Server"
- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that requests will be sent to until a response is received
- In the authentication policy, when defining rules, instead of selecting Allowed Protocols you can select a "RADIUS Server Sequence"