I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.
Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
Thanks in advance,
As you are using an external RADIUS token server for ISE admin access authentication and authorization, you need to create an admin group on the RADIUS server and assign to this group the users to whom you want to give full permission. When they are authenticated by ISE, they will get full rights automatically.
Just wondering if you were successful in sorting this out? I have a similar requirement to achieve. If you have sorted this out, please let me know what has to be done. I don't see any specific documents explaining this.
You have to add each and every ISE Admin-User locally, and specify the external Radius-Token users to be external.
Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
Step 3 Click Save.
ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.
Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
Symptom: ISE 1.3 RBAC fails with shadow user & Radius token. Operations > Reports > Deployment Status > Administrator Logins report shows "Authentication failed due to zero RBAC Groups".
Conditions: RBAC with shadow user & Radius token