
ISE 2.4 third party apps compatibility

alan.ramirez
Beginner

Dear all

Doing some research, I'm aware that Cisco ISE is able to use an external identity source (such as LDAP, ODBC etc.) to validate information like a username and password provided by an end user who tries to access the network. Is there a way to configure ISE so it can itself validate (via the local database) a username and password provided by a third-party application?

More precisely, what are the options (standards, protocols) ISE has to interact with third-party applications in the way explained previously, where the app is the one providing ISE with the username and password and ISE just has to validate that info against the local database? Or is this not possible at all?

Thank you


4 REPLIES

Jason Kunst
Cisco Employee

I really don’t understand what you’re trying to accomplish.

Perhaps you can explain another way.

Sure, let's say we have users in a LAN that are trying to access an application from a third party vendor which is hosted in a server also in that LAN. What I want to know is if the following procedure can be done:


1.- Users try to access the application

2.- The application asks the user to provide a username and password

3.- The application receives the username and password provided by the user

4.- The application forwards this information to ISE

5.- ISE checks if the username and password exist in the ISE local database

6.- ISE communicates back to the application the validity of the info

7.- Application permits/denies access to the user


Is that better? As far as I know, Cisco ISE can authenticate users who want to gain access to the network through RADIUS, or, if users want to manage network devices such as switches, routers etc., ISE uses TACACS, but I don't know if what I described in the seven steps is possible, since the user is not trying to get access to the network nor the network devices. The users are trying to get access to an app instead.

Sounds like you’re looking for an IAM type of service.

No, ISE doesn’t provide that; we only communicate via RADIUS and TACACS, like you said. If the service can use that, then it will work.

The app could also use pxGrid or TrustSec to make a decision on access based on its auth status or role assignment in ISE.
