This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
We have a custom build of FreeRADIUS that does some unique username based hashing for VLAN assignment. I'd like to be able to utilize ISE as the authentication and authorization server, but have it send the username to an external RADIUS server, then "consume" the VLAN ID sent from that external server and send it as a CoA to the NAD. Is this possible?
Solved! Go to Solution.
If you define it as an External RADIUS server then you should be able to consume attributes sent from the the RADIUS server in the authorization phase. Based on those authorization phase matches you should be able to set a VLAN assignment. It wouldn't be a CoA, it would be part of the initial authentication/authorization. In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy".
I haven't tested this, but in theory that is how it is supposed to work.
If you define it as an External RADIUS server then you should be able to consume attributes sent from the the RADIUS server in the authorization phase. Based on those authorization phase matches you should be able to set a VLAN assignment. It wouldn't be a CoA, it would be part of the initial authentication/authorization. In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy".
I haven't tested this, but in theory that is how it is supposed to work.