05-23-2012 11:21 AM - edited 03-10-2019 07:07 PM
Hi,
Is the following possible:
- let the ISE do the authentication and then proxy to another radius server which does the authorization.
At the moment we have a freeradius server that does the following:
1) authenticates 802.1x requests (eap-tls)
2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
I am checking if I can migrate to ISE but then the above would have to work.
For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
regards
Thomas
05-30-2012 08:00 PM
Hello. Yes, ISE can work as a radius proxy. Here's a link and a screenshot
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1127216
If you like, you can download an ISE trial of 90 days to test everything before implementation.
Kind regards. Please rate if it helps
09-30-2013 10:20 AM
Where do I find the ISE trial to download? I've tried cisco.com/go/ise but I only found WCS to download :/
07-21-2013 02:03 AM
ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.
FYI
You can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.
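A pre-migration check for the behaviour described in the post above, added here as an example and not part of the original thread or Cisco's code: it extracts the identity from an EAP-Response/Identity packet (RFC 3748 layout) and compares it with User-Name, since the post says proxied EAP succeeds only when the two match. The function names, the `\` and `@` separators and the strip directions are assumptions, and the sample values are constructed.

```python
import struct

def eap_identity(eap_message: bytes):
    """Return the identity carried in an EAP-Response/Identity packet, else None."""
    if len(eap_message) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    # Code 2 = Response, Type 1 = Identity; length covers the whole EAP packet.
    if code != 2 or eap_message[4] != 1 or length < 5 or length > len(eap_message):
        return None
    return eap_message[5:length].decode("utf-8", errors="replace")

def strip_domain(username: str, prefix_sep: str = "\\", suffix_sep: str = "@") -> str:
    """Assumed stripping rule: drop a 'DOMAIN\\' prefix and an '@domain' suffix."""
    if prefix_sep and prefix_sep in username:
        username = username.split(prefix_sep, 1)[1]
    if suffix_sep and suffix_sep in username:
        username = username.rsplit(suffix_sep, 1)[0]
    return username

def check_request(user_name: str, eap_message):
    """Classify one request: (status, username the proxy would work with)."""
    if eap_message is None:
        # Non-EAP request (e.g. MAB/PAP): stripping applies to User-Name.
        return ("non-eap", strip_domain(user_name))
    identity = eap_identity(eap_message)
    if identity is None:
        return ("eap-not-identity", None)
    # EAP: no stripping; identity must equal User-Name or the proxied auth fails.
    status = "eap-ok" if identity == user_name else "eap-mismatch"
    return (status, identity)

def build_identity_response(identity: str, ident: int = 1) -> bytes:
    """Build a constructed EAP-Response/Identity packet for testing."""
    body = identity.encode()
    return struct.pack("!BBHB", 2, ident, 5 + len(body), 1) + body

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    msg = build_identity_response("host1.example.test")
    for name, eap in [("CORP\\alice", None),
                      ("host1.example.test", msg),
                      ("host1", msg)]:
        print(name, "->", check_request(name, eap))
```
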