ISE 2.4 Configuration of external Radius

mpbaker82
Level 1

Hello

Could someone help me with the configuration of external RADIUS between my two ISE servers?

I have installed two trial versions of ISE

isetest1 and isetest2

isetest1 is the front end server and isetest2 is the backend server. If I only need one, let me know. I only installed two as per the documentation which I linked to below.

I'm trying to configure my ISE servers to perform RADIUS authentication in my lab environment. Once I get this working I want to move on to TACACS. Right now I have a VM running Windows Server 2016, Windows 7, and two ISE server instances. All configured with different static IPs. Both the Windows server and Windows 7 can ping both the ISE servers.

The ISE servers know nothing of the other devices on the network. I have attempted to follow the guide on the Cisco document site found here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html

Is it possible to have the ISE server perform RADIUS authentication for this small network? I can add more network hosts if need be. But I figured I would start small then work my way up.

Can anyone offer a short and sweet how-to that's a bit clearer than the document which I linked to above?

I find it odd that neither ISE server sees anything on the network. No traffic whatsoever.

I have much to learn about ISE

Any help would be much appreciated

Michael

3 Replies

Arne Bier
VIP

I think you need to share a bit more about your test setup.

What are you using to generate RADIUS access requests into the front-end ISE server? If ISE01 (front end server) is supposed to act as the proxy, then it needs to be able to receive the traffic from the NAS (client).

Are you saying that you cannot see any traffic in that ISE server's RADIUS LiveLog? If so, then you need to check the basics, like IP connectivity between NAS and ISE01 (front end) - can you ping from either end? Did you add that NAS as a Client into ISE01? Check that the RADIUS shared secret is identical in ISE01 config and the NAS.

I have a RADIUS server running on a Ubiquiti USG that controls wireless access. However, I can install a RADIUS server on my Windows server if needed. I was informed that ISE can act as a RADIUS server; I assume that isn't the case. I'll install a RADIUS server on the Windows Server 2016.

I don't have a NAS to act as the client. I was hoping to use a Windows machine or Cisco switch or router to act as the RADIUS client. Do I need to find a NAS to make this happen? If so, then I'll go buy one.

Is there any documentation on how to set this up?

I'm very new to ISE so I'm still trying to figure out how it works. Any help would be much appreciated.

ISE is a RADIUS server. Starting on version 1.3, TACACS service was added because ACS is going end of life. You can use a Cisco switch with the proper IOS and practice wired authentication (MAB, 802.11x) on your laptop.

Go to YouTube and look for LABMINUTES videos. They have good examples for practice.
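
The first reply asks what is generating Access-Requests toward the front-end server and says to check that the shared secret matches on both sides. The following is an added example, not code from any poster or from Cisco: a minimal RFC 2865 PAP Access-Request builder plus the Response Authenticator check a client performs, showing that a reply signed with a different secret fails verification. The user name, password, secrets, IP address and function names are constructed for illustration.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """PAP User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, nas_ip, ident, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user.encode())                                         # User-Name
             + attr(2, hide_password(password.encode(), secret, req_auth))  # User-Password
             + attr(4, socket.inet_aton(nas_ip)))                           # NAS-IP-Address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def make_reply(code, ident, req_auth, secret, attrs=b""):
    """Constructed server side: sign a reply the way a RADIUS server would."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_auth, secret):
    """Client side: recompute the Response Authenticator with our copy of the secret."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if not 20 <= length <= len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

if __name__ == "__main__":
    # Constructed lab values; nothing here is taken from the thread.
    pkt, ra = build_access_request("labuser", "labpass", b"secret-A", "192.0.2.10", ident=7)
    reply = make_reply(ACCESS_ACCEPT, 7, ra, b"secret-A")
    print("same secret:     ", response_is_authentic(reply, ra, b"secret-A"))
    print("different secret:", response_is_authentic(reply, ra, b"secret-B"))
    # To send for real: socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(pkt, (server_ip, 1812))
```

The sending host must also be defined as a network device (RADIUS client) on the server with the same secret, as the reply notes.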