Solved: External RADIUS attribute

blandrum · ‎02-08-2019

We have a custom build of FreeRADIUS that does some unique username based hashing for VLAN assignment. I'd like to be able to utilize ISE as the authentication and authorization server, but have it send the username to an external RADIUS server, then "consume" the VLAN ID sent from that external server and send it as a CoA to the NAD. Is this possible?

paul · ‎02-08-2019

If you define it as an External RADIUS server then you should be able to consume attributes sent from the the RADIUS server in the authorization phase. Based on those authorization phase matches you should be able to set a VLAN assignment. It wouldn't be a CoA, it would be part of the initial authentication/authorization. In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy".

I haven't tested this, but in theory that is how it is supposed to work.

View solution in original post

paul · ‎02-08-2019

If you define it as an External RADIUS server then you should be able to consume attributes sent from the the RADIUS server in the authorization phase. Based on those authorization phase matches you should be able to set a VLAN assignment. It wouldn't be a CoA, it would be part of the initial authentication/authorization. In the advanced attributes settings of the RADIUS server sequence you can tell ISE to "On Access-Accept, continue to Authorization Policy".

I haven't tested this, but in theory that is how it is supposed to work.