Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
1
Replies

External RADIUS Server Sequence Fallback RADIUS-Reject Design Qs

Go to solution
hevyapan
Cisco Employee
Cisco Employee

‎02-07-2019 07:55 AM

Hi team,

 

I am having a hard time to solve a design issue. There are two companies who have a direct connection between them and time to time the employees move between the companies. Both of the companies are using ISE and have their ADs, Wired/Wireless NAC is also in place. Request is to have the User A from Company A to be able to Authenticate with his credentials on Company B's NADs and same the other way. I am trying to understand the possibility of External RADIUS Server as they don't want to have the Multi-AD integration. If I create a rule with RADIUS Sequence as far as I understand from the document, it will try the first ISE then if it doesn't receive a response, it will move on to the next-one. But how about the RADIUS-Reject scenario? Do we try each RADIUS Servers till we have RADIUS-Accept or finish all the RADIUSes or first time we receive a RADIUS-Reject we stop the process completely? Or how can I achieve the granularity on Authentication Policy based on the company that user belongs to?

 

Any response or guidance will be much appreciated!

 

Regards,
Efe

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎02-07-2019 08:00 AM

I would do the following:

 

  1. Company A defined Company B's ISE PSNs as an external RADIUS token server in their ISE deployment.
  2. Company A defined an identity source sequence that checks Company A AD then Company B external RADIUS server.
  3. Company B does the reverse of that.

The only danger in that setup is if an AD account with the exact same name exists in Company A AD for a Company B user, but hopefully that risk should be minimal

View solution in original post

0 Helpful
1 Reply 1

Go to solution
paul
Level 10
Level 10

‎02-07-2019 08:00 AM

I would do the following:

 

  1. Company A defined Company B's ISE PSNs as an external RADIUS token server in their ISE deployment.
  2. Company A defined an identity source sequence that checks Company A AD then Company B external RADIUS server.
  3. Company B does the reverse of that.

The only danger in that setup is if an AD account with the exact same name exists in Company A AD for a Company B user, but hopefully that risk should be minimal

0 Helpful
Customers Also Viewed These Support Documents