Cisco ISE - radius proxy

uzleuven1
Level 1

Hi,

Is the following possible:

- let the ISE do the authentication and then proxy to another radius server which does the authorization.

At the moment we have a freeradius server that does the following:

1) authenticates 802.1x requests (eap-tls)

2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.

I am checking if I can migrate to ISE but then the above would have to work.

For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.

regards

Thomas

3 Replies

Eduardo Aliaga
Level 4

Hello. Yes, ISE can work as a radius proxy. Here's a link and a screenshot

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1127216

If you like, you can download an ISE trial of 90 days to test everything before implementation.

Kind regards. Please rate if it helps

Where do I find ISE trial to download? I've tried cisco.com/go/ise but I only found WCS to download :/

Venkatesh Attuluri
Cisco Employee

ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.

FYI

You can use the RADIUS server sequences to proxy the requests to a RADIUS server.

The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.
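
The username handling described in the reply above can be checked against a captured Access-Request before proxying is enabled. The following is an added example, not code from this thread or from Cisco: it parses the User-Name and EAP-Message attributes and models the stated rule. The function names are hypothetical, the sample packets are constructed, and stripping everything from the last separator onward is an assumed stripping mode.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79          # RADIUS attribute types (RFC 2865 / RFC 3579)
EAP_RESPONSE, EAP_IDENTITY = 2, 1       # EAP code and type (RFC 3748)

def attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    end = struct.unpack("!H", packet[2:4])[0]
    if end < 20 or end > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def identities(packet):
    """Return (User-Name, EAP identity or None) from an Access-Request."""
    user, eap = None, b""
    for atype, value in attributes(packet):
        if atype == USER_NAME:
            user = value.decode()
        elif atype == EAP_MESSAGE:
            eap += value                 # one EAP packet may span several attributes
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY:
        return user, eap[5:struct.unpack("!H", eap[2:4])[0]].decode()
    return user, None

def proxy_username(packet, separator="@"):
    """Model of the behaviour described above: (username, will_match)."""
    user, eap_id = identities(packet)
    if user is None:
        raise ValueError("no User-Name attribute")
    if eap_id is None:                   # plain RADIUS: domain suffix is stripped
        return user.rsplit(separator, 1)[0], True
    return eap_id, eap_id == user        # EAP: no stripping, values must agree

def build_request(user, eap_identity=None):
    """Construct a sample Access-Request (constructed test data, zero authenticator)."""
    attrs = bytes([USER_NAME, len(user) + 2]) + user.encode()
    if eap_identity is not None:
        eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(eap_identity), EAP_IDENTITY)
        eap += eap_identity.encode()
        attrs += bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH16s", 1, 1, 20 + len(attrs), bytes(16)) + attrs
```

A `False` in the second element marks a request where User-Name and the EAP identity differ, which is the case the reply says will not succeed through a RADIUS server sequence.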