
ISE Admin Access Authentication to RADIUS Token Server

Hi all!

I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.

Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?

Thanks in advance,

Michael Langerreiter

Rising star

Hello Michael,

As you are using an external RADIUS token server for ISE admin access authentication and authorization, you need to create an admin group on the RADIUS server and assign to this group the users to whom you want to give full permission. When they are authenticated by ISE, they will get full rights automatically.

Enthusiast

Hi Michael,

Just wondering if you were able to sort this out? I have a similar requirement to achieve. If you have sorted this out, please let me know what has to be done. I don't see any specific documents explaining this.

Regards

Vivek

Beginner

Hi Michael

You have to add each and every ISE Admin-User locally, and specify the external Radius-Token users to be external.

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Step 3 Click Save.

Beginner

ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.

Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token

Last Modified: Nov 25, 2014

Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases: 1.3(0.876)

Description (partial)

Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups

Conditions:
RBAC with shadow user & Radius token

Participant

The bug was originally reported by me :-)