12-13-2018 09:29 PM
Hi Guys,
My customer wants to integrate ISE to existing ACS for role-based access (Admin, Support etc.) control. Though I don't see the way to do such thing because there is no AV-Pair which can do ISE access control with ACS, however, still want to hear if anyone came across such requirement.
12-14-2018 05:15 AM
12-16-2018 05:39 PM
If I understood it correctly, ISE may use ACS as a RADIUS token server and use that as the authentication source for ISE admin users for the ISE admin web portal. However, ISE needs internal shadow admin users defined and associated with the desired admin groups, because ISE performs external authentication but internal authorization for such a use case. See Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization.
12-22-2018 07:49 AM
For ISE 2.4 and above (I'm not familiar with older versions):
When creating external admin groups, you just point your custom group at the external identity group of your choice and it dynamically checks it via Kerberos/LDAPS with each authentication. You don't need to create a shadow admin user.
12-22-2018 10:57 AM
Nadav is correct regarding AD/LDAP/ODBC ID sources for external admins. However, RSA or other RADIUS token servers (ACS in this case) are treated differently and require internal admin users shadowing the same usernames and assigned to the desired admin user groups in order to authorize appropriately.
12-22-2018 11:22 AM
Any reason why not just duplicate the administration policy from ACS into ISE? ACS is deprecated after all, it shouldn't become a dependency for an ISE deployment.
Is it a cross-domain issue?
12-22-2018 08:33 PM
Not sure. It could be not knowing the passwords of all the admin users.
12-23-2018 04:12 AM
Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.
04-10-2020 02:05 PM
Hi Jatiwari
Can you please confirm the steps you took to make this integration with ACS for Admin access to ISE configuration? We have a similar requirement.
@Jay Tiwari wrote: Thanks Guys... Integrated ACS with ISE as RADIUS TOKEN identity server and it's working as expected.