cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

137
Views
0
Helpful
1
Replies
Highlighted
Cisco Employee

External RADIUS attribute

We have a custom build of FreeRADIUS that does some unique username based hashing for VLAN assignment.  I'd like to be able to utilize ISE as the authentication and authorization server, but have it send the username to an external RADIUS server, then "consume" the VLAN ID sent from that external server and send it as a CoA to the NAD.  Is this possible?

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advocate

Re: External RADIUS attribute

If you define it as an External RADIUS server then  you should be able to consume attributes sent from the the RADIUS server in the authorization phase.  Based on those authorization phase matches you should be able to set a VLAN assignment.  It wouldn't be a CoA, it would be part of the initial authentication/authorization.  In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy". 

 

I haven't tested this, but in theory that is how it is supposed to work.

 

 

View solution in original post

1 REPLY 1
Highlighted
VIP Advocate

Re: External RADIUS attribute

If you define it as an External RADIUS server then  you should be able to consume attributes sent from the the RADIUS server in the authorization phase.  Based on those authorization phase matches you should be able to set a VLAN assignment.  It wouldn't be a CoA, it would be part of the initial authentication/authorization.  In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy". 

 

I haven't tested this, but in theory that is how it is supposed to work.

 

 

View solution in original post