Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
876
Views
2
Helpful
4
Replies

ISE 2.4 third party apps compatibility

Go to solution
alan.ramirez
Level 1
Level 1

‎05-30-2018 04:01 PM

Dear all

Doing some research I'm aware that the cisco ISE is able to use an external identity source (such as LDAP, ODBC etc) to validate information like a username and password provided by an end-user who tries to access the network. Is there a way to configure the ISE so it can validate itself (via local database)  a username and password provided by a third party application?

More precisely what are the options (standards, protocols) ISE has to interact with third party applications in the way explained previously where the App is the one providing the ISE with the username and password and the ISE just has to validate that info against the local database? or is this not possible at all?

Thank you

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to alan.ramirez

‎05-30-2018 06:36 PM

Sounds like you’re looking for an IAM Type of service

No ISE doesn’t provide that, we only communicate via radius and tacacs like you said, if the service can use that then it will work

View solution in original post

4 Replies 4

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-30-2018 04:14 PM

I really don’t understand what you’re trying to accomplish

Perhaps you can explain another way

0 Helpful

Go to solution
alan.ramirez
Level 1
Level 1
In response to Jason Kunst

‎05-30-2018 06:26 PM

Sure, let's say we have users in a LAN that are trying to access an application from a third party vendor which is hosted in a server also in that LAN. What I want to know is if the following procedure can be done:


1.- Users try to access the application

2.- The application ask the user to provide a username and password

3.- The application receives the username and password provided by the user

4.- The application forwards this information to ISE

5.- ISE checks if the username and password exist in the ISE local database

6.- ISE communicates back to the application the validity of the info

7.- Application permits/denies access to the user


Is that better? as far as I know cisco ISE can authenticate users who want to gain access to the network through RADIUS or if users want to manage network devices such as switches, routers etc. ISE uses TACACS but I don't know if what i described on the seven steps is possible since the user is not trying to get access to the network nor the network devices. The users are trying to get access to an app instead

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to alan.ramirez

‎05-30-2018 06:36 PM

Sounds like you’re looking for an IAM Type of service

No ISE doesn’t provide that, we only communicate via radius and tacacs like you said, if the service can use that then it will work

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎05-31-2018 11:18 AM

The app could also use pxGrid or TrustSec to make decision on access based on its auth status or role assignment in ISE.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents