
ISE admin access, authentication against external radius

Please don't ask me why,

The customer insists and wants to be authenticated on ISE (as admin) against an external (Microsoft) RADIUS server.

Is it possible while retaining the internal admin users database in a sequence Internal > external_radius or Internal > AD?

Thank you in advance for whatever may help.

Accepted Solution

jorge-mora (Level 4)

Here's how I did it:

Step 1) Link ISE to AD

Step 2) Import AD groups (at least the ones used for admin access)

Step 3) Enable AD external identity source for admin authentication

Step 4) Create an external admin group on ISE admin groups and link it to the corresponding external AD group. If the previous step is not done, the list won’t be populated! I learnt the hard way…

Step 5) Create an admin policy where you assign permissions to the new group (in this case, super admin permissions are assigned)

Step 6) Once you save your policies (it can take a couple of minutes or more) you can log in using your AD credentials.

Result:

I hope this is useful for everyone!

Replies

Andrew Phirsov (Level 7)

As I can see on the Administration / Admin Access page, under Authentication there's an option to choose an identity store, but there's no option to choose an identity source sequence. So, as far as I understand (never tried it myself), it's possible to use a RADIUS server for admin authentication, but not possible to use a sequential order of identity sources.

The way it works is that you can choose to select an external database as the source for administrator authentication. Then, when logging in to the ISE application, you can select to either authenticate against the internal or the configured external database.

The internal database is always available as a fallback in case communication to the external database is not available.

When an external database is used, either LDAP or AD, you further configure the mapping between groups and the defined roles in ISE.

Good to know. That makes sense.

bhthapa (Level 1)

For this you can integrate Cisco ISE with Active Directory.

For more details and assistance you can refer to

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.html

If there is a firewall between Cisco ISE and AD, these ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol         Port Number
LDAP             389 (UDP)
SMB              445 (TCP)
KDC              88 (TCP)
Global Catalog   3268 (TCP), 3269
KPASS            464 (TCP)
NTP              123 (UDP)
LDAP             389 (TCP)
LDAPS            636 (TCP)
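A quick reachability check for the port list above, so a firewall gap between an ISE node and a domain controller is found before the join is attempted. This is an added example, not Cisco tooling: the hostname is a placeholder, and only the TCP entries are probed (a TCP connect cannot test the UDP ports for LDAP 389 and NTP 123, so those are reported as skipped).

```python
"""Probe the ISE -> Active Directory ports from the list above with a TCP connect.
Added illustration, not Cisco code; the default hostname is a placeholder."""
import socket
import sys
from typing import Dict, List, Tuple

# (service, port, transport) exactly as listed in the post.
ISE_AD_PORTS: List[Tuple[str, int, str]] = [
    ("LDAP", 389, "udp"),
    ("SMB", 445, "tcp"),
    ("KDC", 88, "tcp"),
    ("Global Catalog", 3268, "tcp"),
    ("Global Catalog", 3269, "tcp"),
    ("KPASS", 464, "tcp"),
    ("NTP", 123, "udp"),
    ("LDAP", 389, "tcp"),
    ("LDAPS", 636, "tcp"),
]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout.
    A refused, filtered or timed-out connection all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ad_ports(host: str, ports: List[Tuple[str, int, str]] = ISE_AD_PORTS,
                   timeout: float = 2.0) -> Dict[str, str]:
    """Probe every TCP entry; UDP entries are reported as skipped because a
    connect() cannot tell an open UDP port from a filtered one."""
    results: Dict[str, str] = {}
    for service, port, transport in ports:
        key = f"{service} {port}/{transport}"
        if transport != "tcp":
            results[key] = "skipped (UDP not probed)"
        elif tcp_port_open(host, port, timeout):
            results[key] = "open"
        else:
            results[key] = "blocked or closed"
    return results


if __name__ == "__main__":
    # Placeholder domain controller name; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    for entry, state in check_ad_ports(target).items():
        print(f"{entry:28s} {state}")
```

Run it from a host on the same segment as the ISE node (or from the ISE CLI's underlying shell where that is permitted), and compare any "blocked or closed" line against the firewall rule base before troubleshooting the AD join itself.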

Thank you for the detailed instructions.

jsteffensen (Level 1)

Correct me if I am wrong, but the solution describes how to authenticate against an external AD and not against an external RADIUS server...

Does anyone know how to authenticate against an external RADIUS server, and what RADIUS attributes this can/must/should send to differentiate the different administrator groups?

Best Regards

According to Cisco:

External authentication AND external authorisation for admin access on the ISE can only be done by using LDAP or AD.

For RADIUS servers there is a solution for external authentication and internal authorisation on the ISE:

External Authentication + Internal Authorization

When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

The Administrators window appears, listing all existing locally defined administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Note: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.

Step 3 Click Save.
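The two admin-access modes quoted in this thread differ only in where authorization comes from, and the RADIUS/RSA mode has one sharp edge: a user who authenticates fine externally but has no matching local administrator gets nothing. The decision flow below is an added illustration of those rules as the thread states them (external authentication with AD group mapping, external authentication with internal authorization, and fallback to the internal store when the external one is unreachable); it is not ISE code, and the store classes, usernames, groups, passwords and permission names are constructed.

```python
"""Decision-flow model of ISE admin access as described in this thread.
Added illustration, not ISE code; all names and credentials are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ExternalStore:
    kind: str                                   # "ad" (carries groups) or "radius" (no groups)
    users: Dict[str, str]                       # username -> password (constructed sample data)
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # username -> external groups
    reachable: bool = True

    def authenticate(self, username: str, password: str) -> Optional[bool]:
        """True/False on a verdict; None when the store cannot be contacted."""
        if not self.reachable:
            return None
        return self.users.get(username) == password


@dataclass
class LocalAdmin:
    password: Optional[str]      # None models the "External" password option on the local account
    admin_groups: Set[str]       # ISE admin groups assigned to the local account


@dataclass
class AdminAccessConfig:
    local_admins: Dict[str, LocalAdmin]
    external_group_map: Dict[str, str]   # external AD group -> ISE external admin group (step 4 above)
    rbac: Dict[str, str]                 # ISE admin group -> permission set (step 5 above)


def _local_password_ok(cfg: AdminAccessConfig, username: str, password: str) -> bool:
    local = cfg.local_admins.get(username)
    return local is not None and local.password is not None and local.password == password


def admin_login(cfg: AdminAccessConfig, store: Optional[ExternalStore],
                username: str, password: str) -> Dict[str, str]:
    """Return the outcome of one admin login attempt."""
    # --- Authentication: which store answers the credential check ---
    if store is None:                      # admin picked the internal store at the login page
        source, authenticated = "internal", _local_password_ok(cfg, username, password)
    else:
        verdict = store.authenticate(username, password)
        if verdict is None:                # external store unreachable: internal store is the fallback
            source, authenticated = "internal-fallback", _local_password_ok(cfg, username, password)
        else:
            source, authenticated = store.kind, verdict
    if not authenticated:
        return {"result": "denied", "source": source, "reason": "authentication failed"}

    # --- Authorization: where the admin group comes from ---
    if source == "ad":
        # External authorization: AD groups must map to an ISE external admin group.
        ext_groups = store.groups.get(username, set())
        ise_groups = {cfg.external_group_map[g] for g in ext_groups if g in cfg.external_group_map}
        if not ise_groups:
            return {"result": "denied", "source": source, "reason": "no mapped external admin group"}
    else:
        # Internal authorization (RADIUS/RSA, internal, or fallback): same username must exist locally.
        local = cfg.local_admins.get(username)
        if local is None:
            return {"result": "denied", "source": source, "reason": "no matching local administrator"}
        ise_groups = local.admin_groups

    permissions = sorted(cfg.rbac[g] for g in ise_groups if g in cfg.rbac)
    if not permissions:
        return {"result": "denied", "source": source, "reason": "no RBAC policy for admin group"}
    return {"result": "allowed", "source": source, "permissions": ",".join(permissions)}


# Constructed sample configuration for the scenarios below.
CFG = AdminAccessConfig(
    local_admins={
        "alice": LocalAdmin(password="Local-Pw-1", admin_groups={"Super Admin"}),
        "bob": LocalAdmin(password=None, admin_groups={"Helpdesk Admin"}),   # "External" password option
    },
    external_group_map={"ISE-Admins": "Ext-Super-Admin"},
    rbac={"Super Admin": "super-admin", "Helpdesk Admin": "helpdesk", "Ext-Super-Admin": "super-admin"},
)
AD = ExternalStore(kind="ad", users={"carol": "Ad-Pw-1", "dave": "Ad-Pw-2"},
                   groups={"carol": {"ISE-Admins"}, "dave": {"Domain Users"}})
RADIUS = ExternalStore(kind="radius", users={"bob": "Radius-Pw-1", "erin": "Radius-Pw-2"})
RADIUS_DOWN = ExternalStore(kind="radius", users={}, reachable=False)

if __name__ == "__main__":
    for store, user, pw in [(AD, "carol", "Ad-Pw-1"), (AD, "dave", "Ad-Pw-2"),
                            (RADIUS, "bob", "Radius-Pw-1"), (RADIUS, "erin", "Radius-Pw-2"),
                            (RADIUS_DOWN, "alice", "Local-Pw-1"), (None, "bob", "anything")]:
        print(f"{user:6s} {admin_login(CFG, store, user, pw)}")
```

The "erin" case is the one to watch when onboarding admins through RADIUS: the external server accepts the password, yet the login is refused because no local administrator with that username exists, which is exactly the "same username in both stores" requirement from the quoted Cisco text. The "bob" case against the internal store shows the other side of the External password option: with no local password set, that account cannot be used when the external server is down unless a fallback local admin such as "alice" exists.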