
746 Views · 5 Helpful · 3 Replies

CISCO ISE: External RADIUS server

Hello Team,

Customer wants to integrate ISE with an external RADIUS server rather than AD directly. However, they also need to implement TACACS features.

So my understanding is: user ------> ISE server -----> external RADIUS server (Microsoft NPS) -------> AD

I have the below queries:

1. Since in the TACACS configuration, as per my understanding, to gain access to any network device we need to define an AD group in the authorization condition, so that only a particular AD group can execute a set of commands. But if we use an external RADIUS server, is it possible to call a particular AD group in the TACACS authorization policy?? Or in that case is AD integration compulsory??

Thanks in advance.

Your help is highly appreciated.


3 REPLIES
thomas
Cisco Employee

User --> NetworkDevice --> ISE --> external RADIUS server (NPS) --> AD

The rule with AD typically looks like the one below. However, with the proxy to NPS it probably depends on what the NPS server returns to ISE in the form of RADIUS attributes.

TACACS Authorization Rule:

Status | Rule Name | Conditions | Command Sets | Shell Profiles | Hits | Actions
NetAdmin
AND subdomain.domain.com:ExternalGroups EQUALS subdomain.domain.com/Users/Domain Users
PermitAccess   0
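To make the "depends on what NPS returns in the form of RADIUS attributes" point concrete, here is an added example (not code from this thread, from Cisco, or from ISE) that parses a proxied Access-Accept and derives the role an authorization rule could match on. It assumes the NPS network policy has been configured to put a group or role name into Filter-Id (type 11) or Class (type 25); that is a choice made on the NPS side, not something NPS or ISE does by default, and the packets below are constructed sample data with zeroed authenticators.

```python
import struct

# RADIUS codes and the attribute types this example cares about (RFC 2865).
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS header plus attribute TLVs.

    Returns {"code": int, "id": int, "attributes": [(type, value_bytes), ...]}.
    Length fields are validated so a truncated or padded packet is rejected
    rather than silently yielding partial attributes.
    """
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attributes": attrs}


def build_packet(code: int, ident: int, attributes: list) -> bytes:
    """Build a RADIUS packet for test data. The 16-byte authenticator is zeroed
    here because this example never validates it (constructed sample only)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


def roles_from_reply(packet: bytes) -> set:
    """Return the role strings the proxied server asserted in Filter-Id/Class.

    This is all a proxying policy server can see: it never learns the user's
    AD group membership directly, only whatever the upstream server chose to
    return. An Access-Reject yields no roles at all.
    """
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return set()
    roles = set()
    for atype, value in parsed["attributes"]:
        if atype in (ATTR_FILTER_ID, ATTR_CLASS):
            roles.add(value.decode("utf-8", errors="replace"))
    return roles


def authorize(packet: bytes, required_role: str) -> bool:
    """Stand-in for an authorization condition that would otherwise read
    'ExternalGroups EQUALS <AD group>': here it can only key on a returned
    attribute value (hypothetical rule, not ISE policy syntax)."""
    return required_role in roles_from_reply(packet)


# Constructed sample replies an NPS policy might return to the proxy.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [
    (ATTR_FILTER_ID, b"NetAdmin"),
    (ATTR_CLASS, b"OU=NetworkAdmins"),
])
SAMPLE_REJECT = build_packet(ACCESS_REJECT, 8, [
    (ATTR_REPLY_MESSAGE, b"Not a member of the required group"),
])

if __name__ == "__main__":
    print("accept roles:", roles_from_reply(SAMPLE_ACCEPT))
    print("NetAdmin authorized:", authorize(SAMPLE_ACCEPT, "NetAdmin"))
    print("reject authorized:", authorize(SAMPLE_REJECT, "NetAdmin"))
```

The takeaway for the question above: when ISE only proxies to NPS, a TACACS rule cannot reference the AD group itself; it can only match on whatever attribute the NPS policy was built to return, so the group-to-attribute mapping has to be maintained on the NPS side for every role.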

Hello Thomas,

Thanks for your revert.

Yes, I totally agree with you, but what is the Cisco recommendation?? Which method is better & why? If you share some document then that will be great.. 1. Integrate an external RADIUS server with ISE, or 2. Directly integrate AD with ISE??

And also, can we configure the NPS server to return a specific AD group in a RADIUS attribute to the ISE server??

So if I need only the read-only users group from AD, is it possible to fetch that from the NPS server??

Integrating directly with AD is much preferred to get the exact groups and attributes you want. 95% of customers do this. For gory details, see What's new in ISE Active Directory connector - BRKSEC-2132

I did a basic internet search and found this as the #1 hit:

Configure External RADIUS Servers on ISE - Cisco

Please consult the NPS documentation for what NPS can do with your version of Windows.
