Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17734
Views
9
Helpful
10
Replies

Cisco ISE: External RADIUS Server

Go to solution
Pongsatorn Maneesud
Level 1
Level 1

‎11-21-2012 04:10 AM - edited ‎03-10-2019 07:48 PM

Hi,

I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".

So, how can I use this external RADIUS server to process my request ?

Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)

If anyone use this, please suggest this to me.

Thanks,

Pongsatorn

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎11-21-2012 04:39 AM

Please clarify which release you are using. There were enhancements to the proxy functionality in ISE 1.1.1

This can be used as follows:

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

View solution in original post

Go to solution
harvisin
Level 3
Level 3

‎03-01-2013 05:40 PM

Defining an External RADIUS Server

The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.

To create an external RADIUS server, complete the following steps:

Step 1 Choose Administration > Network Resources > External RADIUS Servers.

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as described:

•Name—(Required) Enter the name of the external RADIUS server.

•Description—Enter a description of the external RADIUS server.

•Host IP—(Required) Enter the IP address of the external RADIUS server.

•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.

•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.

•Key Encryption Key—This key is used for session encryption (secrecy).

•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.

•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)

–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.

•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.

•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

Step 4 Click Submit to save the external RADIUS server configuration.

View solution in original post

10 Replies 10

Go to solution
jrabinow
Level 7
Level 7

‎11-21-2012 04:39 AM

Please clarify which release you are using. There were enhancements to the proxy functionality in ISE 1.1.1

This can be used as follows:

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

Go to solution
Pongsatorn Maneesud
Level 1
Level 1
In response to jrabinow

‎11-21-2012 04:44 AM

I'm using the latest release.

Thanks for your help.

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Pongsatorn Maneesud

‎11-21-2012 05:02 AM

Note that basic proxy will send the request to the proxy and return the response

There are also advanced capabilities that may be useful

- can add attributes to the request before it is sent to the proxy server

- can perform authorization policy processing after receipt of response from the proxy server

- can remove attributes before sending the final reply to the client

0 Helpful

Go to solution
borislavpopov
Level 1
Level 1
In response to jrabinow

‎02-20-2013 04:20 AM

Hi,

Can the ISE use information form the machine/user certificate in order to chose to which external RADIUS server to send the request to?

In brief:

ISE acting as RADIUS proxy

802.1x, EAP-TLS

External RADIUS servers

Decision to which external RADIUS server the ISE will forward the request based on the information in the certificate (machine/user)

Kind regards

0 Helpful

Go to solution
Tiago Andrade de Paula
Level 1
Level 1
In response to borislavpopov

‎02-27-2013 06:21 AM

Guys,
I´m using this feature (external radius proxy) in my customer now.
Some informations about this process isn´t clear form me.
In Authentication Policy  ok - I can configure this instead Default network protocols ( > external radius sequence).
But in Authorization policy, Posture Policy  I can find any away to do something when we talk about Identities.  Cuz the ISE configuration when we click and Identities (internal or external)  we have ActiveDirectory, Radius Token and etc.

In ISE with I have to do something like that:

authentication policy

rule1-authen   -   wired 802.1x / wifi 802.1x - external radius sequence.

authorization policy

rule1-author -  human_resources_Group / and profilling (windows)  /   posture  /   acl permit all

when I send the authentications requests to another radius server, I can search the Groups ou mapped groups to do something like that.

some help?

0 Helpful

Go to solution
harvisin
Level 3
Level 3

‎03-01-2013 05:40 PM

Defining an External RADIUS Server

The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.

The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.

To create an external RADIUS server, complete the following steps:

Step 1 Choose Administration > Network Resources > External RADIUS Servers.

The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.

Step 2 Click Add to add an external RADIUS server.

Step 3 Enter the values as described:

•Name—(Required) Enter the name of the external RADIUS server.

•Description—Enter a description of the external RADIUS server.

•Host IP—(Required) Enter the IP address of the external RADIUS server.

•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.

•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.

•Key Encryption Key—This key is used for session encryption (secrecy).

•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.

•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)

–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.

–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.

•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.

•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.

•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

Step 4 Click Submit to save the external RADIUS server configuration.

Go to solution
siddhesh.parab@orange.com1
Level 1
Level 1
In response to harvisin

‎03-06-2020 07:58 AM

What is the use of integrating external radius server with cisco ISE.

 

Your help will be really appreciated. 

0 Helpful

Go to solution
erazvi
Cisco Employee
Cisco Employee

‎07-04-2015 01:01 PM

I hope you can clarify this. If I am only using ONE Ext RADIUS server, do I still have to create RADIUS Server Sequence OR does it automatically take cares of forwarding AuthC request (to Ext RADIUS) once you add the External RADIUS server.

0 Helpful

Go to solution
edwardzeng
Level 1
Level 1
In response to erazvi

‎01-19-2017 06:22 PM

Please correct me if I am wrong, I think it still needs to create a RADIUS Server Sequence, because the individual External Radius server could be found from authentication.

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to edwardzeng

‎01-22-2017 04:44 AM

Per the steps posted later in the thread these are as follows

- Define "External RADIUS Server"

- Define "RADIUS Server Sequence". This allows you to define a sequence of proxies that will send requests to until get a response

- In authentication policy when defines rules instead of selecting Allowed Protocols can select a "RADIUS Server Sequence"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents