cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

621
Views
0
Helpful
2
Replies
MAGNUS SVENSSON
Beginner

Identity Service Engine (ISE) Admin Access

Is it possible to authenticate the ISE administrator via an external Radius Server? The option I find is that it will not work, 

 

The manual reads: 

In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:

 

Is this the case ?

2 REPLIES 2
cciesec2011
Participant

Yes, it is possible.  in my situation, I have a distributed deployment, 1 primary Admin/Mnt, 1 Secondary Admin/Mnt and 2 PSN nodes and I set up all of them so that different users can access the ISE admin UI via Radius server running on another appliance, ACS server.  The ACS server is integrated into Active Directory. 

 

So the answer is yes.

Charlie Moreton
Cisco Employee

Sure you can!

Make sure you have the RADIUS server added to the ISE (Administration > Identity Management > External Identity Sources  Select RADIUS Token from the left menu).

 

Then head over to Administration > System > Admin Access.  Change the * Identity Source to your RADIUS Server and click Save

 

Log out and you will see an new entry on the log in screen.  Click the dropdown for Identity Source and choose your RADIUS Server.  If this connection gets dropped for any reason, you can always log in using the internal identity source as a fallback.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Content for Community-Ad