Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1426
Views
5
Helpful
3
Replies

CISCO ISE :- External radius server

siddhesh.parab@orange.com1
Level 1
Level 1

‎03-30-2020 10:52 AM

Hello Team,

 

Customer wants to integrate ISE with external radius server rather than AD directly. However they also need to implement TACACS features.

 

So my understanding is ....     user ------> ISE server -----> external radius server (microsoft NPS)------->AD

 

I have below queries:-

1. Since in TACACS configuration, as per my understanding to gain access of any network device we need to define AD group in authorization condition. so that only perticuler AD group can execute set of commands but in case if we use external radius server then is it possible to call perticuler AD group in TACACS authorization policy ?? or in that case AD integration is complusory ??

 

Thanks in advance.

Your help is highly appreciated.

 

 

 

 

 

 

0 Helpful
3 Replies 3

thomas
Cisco Employee
Cisco Employee

‎03-30-2020 11:30 AM

User --> NetworkDevice --> ISE --> external radius server (NPS) --> AD

 

The rule with AD is typically like this below with AD. However with the proxy to NPS it probably depends on what the NPS server returns to ISE in the form of RADIUS attributes.

 

TACACS Authorization Rule:

Status Rule Name Conditions Command Sets Shell Profiles Hits Actions
NetAdmin
AND subdomain.domain.com:ExternalGroups EQUALS subdomain.domain.com/Users/Domain Users
PermitAccess   0
0 Helpful

siddhesh.parab@orange.com1
Level 1
Level 1
In response to thomas

‎03-30-2020 11:44 AM

Hello Thomos,

 

Thanks for your revert.

 

Yes totally agree with you but what is cisco recommedation ?? Which method is better & Why. if you share some document then that will be great ..1.Integrate external radius server with ISE or 2. Direclty integrate AD to ISE ?? 

 

And also, can we configure NPS server to return specific AD group in radius attibute to ISE server ??

so if i need only read-only users group from AD then is it possible to fetch from NPS server ??

0 Helpful

thomas
Cisco Employee
Cisco Employee
In response to siddhesh.parab@orange.com1

‎04-01-2020 05:48 PM

Integrating directly with AD is much preferred to get the exact groups and attributes you want. 95% of customers do this. For gory details, see What's new in ISE Active Directory connector - BRKSEC-2132

 

I did a basic internet search and found this as the #1 hit :

Configure External RADIUS Servers on ISE - Cisco

Please consult the NPS documentation for what NPS can do with your version of Windows.

 

Customers Also Viewed These Support Documents