03-13-2018 07:40 PM
Hi Experts,
I recently had to use a RADIUS proxy configuration in ISE 2.3 and, much to my surprise, I found that the new Policy GUI hides the Authorization Policy altogether when we point the Authentication rule to RADIUS Proxy Sequence. I did enable the checkbox on the sequence to proceed to Authorization Policy on Access-Accept.
Is this a known/documented limitation on this? Is there a plan to restore that functionality?
Thank you
03-14-2018 12:29 AM
Hi there, look here: ISE in Radius Proxy mode, and here: Cisco ISE - radius proxy - Cisco Support Community
03-14-2018 05:24 AM
Yep, I'm aware of that. However, the GUI in 2.3 changed and the authorization policy gets completely hidden in policy sets when we send authentication to a proxy sequence.
03-14-2018 04:42 PM
Please apply ISE 2.3 Patch 2, if not done already. It seems you might have hit CSCvg03448.
03-14-2018 06:51 PM
I'm seeing this in two different deployments running 2.3 Patch 2. One was a clean install and another is an upgrade from a previous version.
03-14-2018 06:55 PM
Actually, looks like one of the deployments is working after upgrade to Patch 2.
I will double check the patch level of the other one.
03-14-2018 08:53 PM
In case it is still an issue, please get a copy of the ISE CFG backup, restore it to your lab setup to check, and involve Cisco TAC as needed.
03-15-2018 06:36 AM
I have a tangent question on this post. I never use the external RADIUS definitions when hooking to an external RADIUS server. I always use the RADIUS token configuration under External Identity Sources. I have never had an issue talking to any RADIUS server doing this and then I can use the definition like any other external identity source (AD/LDAP/etc.).
Is there any downside for doing this? I haven't come across any. I have definitely seen customers try to use the External RADIUS Definitions and hit odd issues. Every time I tell them to convert to RADIUS token definitions things go much smoother.
03-15-2018 09:40 AM
Mainly on the supported protocols. Internal and External Identity Sources shows RADIUS token sources are supporting EAP-GTC and PAP only.
03-16-2018 03:48 AM
To add to Hsing's comment, there are many use cases where proxy is needed to defer to a foreign AAA server's policy which customer may not control, or in the process of transition, and other cases where EAP session must be terminated on foreign server. Token is also limited to one RADIUS authorization attribute returned from external server.
03-16-2018 05:25 AM
Thanks Craig and Hsing for the thoughts. I have proxied to almost every MFA vendor out there and I guess I have never run into the limitations of the RADIUS token server. Almost all use cases are for VPN in my setups and I just need the RADIUS server to run the MFA piece while ISE does the authorization and attribute setting.
Paul Haferman
03-19-2018 08:28 PM
Patch 2 resolved the issue. Thank you very much