Cisco Wireless - Multiple ISE Instances - RADIUS Proxy Query

bodonogh
Cisco Employee

Hi there,

we have a Health Trust that is split into 7 organisations, each of which plans to deploy its own ISE instances, as well as its own WLCs. Additionally, they each have their own AD domains, separately managed.

They would, however, like doctors/staff members to be able to roam among buildings, and authenticate to a common SSID.

We could approach this from the perspective of defining each ISE instance in each WLC, and that would probably work. I am looking into whether we could define just the local ISE instance on each WLC, and use ISE RADIUS Proxy to proxy authentications back to a staff member's home ISE instance.

Is this worth exploring as a design option? The customer has already dismissed the idea of a central Admin node and PSNs in each Trust.

As a follow-on question, they would like a guest that initially authenticates in one Hospital to be able to roam to any other hospital in the trust w/o having to re-authenticate for a certain duration (days/weeks)...

Best regards,

Brian

Accepted Solution

hslai
Cisco Employee

If possible, I would suggest having the ISE instances join all these separate domains. For more info, see What's new in ISE Active Directory connector (2016 Berlin).

Otherwise, we need to rely on RADIUS:user-name patterns to parse out the requests to different external RADIUS servers. This might not work well, especially for tunneled protocols.

As for ISE guests, I believe we could have the remote ISE instance return a group ID if the endpoint has already registered, and authorize based on that group ID.
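As an added illustration of the User-Name-pattern routing described above (example code, not ISE's own logic, which is expressed through its policy configuration), here is a small Python model of the decision a proxying instance can make from the outer identity alone, including the tunneled-EAP case where the outer identity carries no usable realm. The realm table and hostnames are constructed placeholders.

```python
import re
from typing import Optional

# Constructed realm table for this example: each organisation's AD realm maps
# to the RADIUS proxy target (its home ISE instance). Hostnames are placeholders.
REALM_TO_HOME_ISE = {
    "hospital-a.example": "ise-a.hospital-a.example",
    "hospital-b.example": "ise-b.hospital-b.example",
}

# Two User-Name shapes seen from Windows/Apple/Android supplicants:
# NAI form user@realm and down-level form DOMAIN\user (or DOMAIN/user).
_NAI = re.compile(r"^(?P<user>[^@\\/]*)@(?P<realm>[A-Za-z0-9.-]+)$")
_DOWN_LEVEL = re.compile(r"^(?P<realm>[A-Za-z0-9.-]+)[\\/](?P<user>[^@\\/]+)$")


def extract_realm(user_name: str) -> Optional[str]:
    """Return the lower-cased realm from a RADIUS User-Name, or None if absent."""
    for pattern in (_NAI, _DOWN_LEVEL):
        m = pattern.match(user_name.strip())
        if m:
            return m.group("realm").lower()
    return None


def route_request(user_name: str, local_realm: str) -> dict:
    """Decide whether the local ISE handles the request or proxies it home.

    Only the outer identity is visible to a proxy. With PEAP/EAP-TTLS the
    inner username is inside the TLS tunnel, so a supplicant that sends an
    outer identity such as "anonymous" (no realm) cannot be routed by realm;
    it falls through to local handling and will fail if the user is not local.
    """
    realm = extract_realm(user_name)
    if realm is None:
        return {"action": "local", "reason": "no realm in User-Name"}
    if realm == local_realm.lower():
        return {"action": "local", "reason": "home realm"}
    target = REALM_TO_HOME_ISE.get(realm)
    if target is None:
        # Unknown realm: refuse rather than forward to an arbitrary server.
        return {"action": "reject", "reason": f"unknown realm {realm}"}
    return {"action": "proxy", "target": target}
```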


2 Replies

gbekmezi-DD
Level 5

I don’t see why your RADIUS proxy approach wouldn’t work. It’s not common though. Are you going to create a full mesh of RADIUS proxies between all of the 7 organizations? I think another option may be to create a hub deployment that is co-managed and serves as the border RADIUS instance, acting as a proxy gateway between all of your organizations. Just a thought.

As for persistent authentication across hospitals…if you are using WPA2 Enterprise, then the endpoint should reauthenticate without any user intervention. Is there another use case you are trying to address?

George