Cisco ISE IPEP and Non Radius Authenticator

miwynston
Level 1

Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication to use an IPEP for policy enforcement without converting the authenticator (Juniper / Aruba etc.) to a RADIUS request to a PDP for the IPEP to build the session from?

Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?

I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.

Anyone have any examples or traffic flows if this is possible?

Thanks,

Michael Wynston

1 Reply

miwynston
Level 1

Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.

Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
Guess not.

Sent from Cisco Technical Support iPhone App