ISE 2.3 RADIUS Proxy disables AuthZ Policy

vibobrov
Cisco Employee

Hi Experts,

I recently had to use a RADIUS proxy configuration in ISE 2.3 and, much to my surprise, I found that the new Policy GUI hides the Authorization Policy altogether when we point the Authentication rule to RADIUS Proxy Sequence. I did enable the checkbox on the sequence to proceed to Authorization Policy on Access-Accept.

Is this a known/documented limitation on this? Is there a plan to restore that functionality?

Thank you


hslai
Cisco Employee

Please apply ISE 2.3 Patch 2, if not done already. It seems you might have hit CSCvg03448.


Yep, I'm aware of that. However, the GUI in 2.3 changed and the authorization policy gets completely hidden in policy sets when we send authentication to a proxy sequence.


I'm seeing this in two different deployments running 2.3 Patch 2. One was a clean install and the other is an upgrade from a previous version.

Actually, it looks like one of the deployments is working after the upgrade to Patch 2.

I will double check the patch level of the other one.

In case it is still an issue, please get a copy of the ISE CFG backup, restore it to your lab setup to check, and involve Cisco TAC as needed.

I have a tangent question on this post. I never use the external RADIUS definitions when hooking to an external RADIUS server. I always use the RADIUS token configuration under External Identity Sources. I have never had an issue talking to any RADIUS server doing this, and then I can use the definition like any other external identity source (AD/LDAP/etc.).

Is there any downside to doing this? I haven't come across any. I have definitely seen customers try to use the External RADIUS Definitions and hit odd issues. Every time I tell them to convert to RADIUS token definitions, things go much smoother.

hslai
Cisco Employee

Mainly on the supported protocols. Internal and External Identity Sources shows that RADIUS token sources support EAP-GTC and PAP only.

To add to Hsing's comment, there are many use cases where proxy is needed to defer to a foreign AAA server's policy, which the customer may not control or which is in the process of transition, and other cases where the EAP session must be terminated on the foreign server. Token is also limited to one RADIUS authorization attribute returned from the external server.

Thanks Craig and Hsing for the thoughts. I have proxied to almost every MFA vendor out there and I guess I have never run into the limitations of the RADIUS token server. Almost all use cases are for VPN in my setups and I just need the RADIUS server to run the MFA piece while ISE does the authorization and attribute setting.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Patch 2 resolved the issue. Thank you very much.
