Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4098
Views
0
Helpful
5
Replies

ISE Admin Access Authentication to RADIUS Token Server

Michael Langerreiter
Level 1
Level 1

‎06-25-2013 12:06 AM - edited ‎03-10-2019 08:35 PM

Hi all!

I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.

Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?

Thanks in advance,

Michael Langerreiter

2 people had this problem
Labels:
0 Helpful
5 Replies 5

Ravi Singh
Level 7
Level 7

‎06-25-2013 01:52 AM

Hello Michael,

As you are using external radius token server for ISE admin access authentication and Authorization, you need to create a admin group on radius server and assign the user to this group whom you want to give full permission. When they will be authenticated by ISE they will get full rights automatically

0 Helpful

Vivek Ganapathi
Level 4
Level 4

‎08-13-2014 10:46 PM

Hi Michael,

Just wondering if you were successful to sort this out? I have a similar requirement to achieve. If you have sorted this out, please let me know what has to be done. I don't see any specific documents explaining this.

 

Regards

Vivek

0 Helpful

jsteffensen
Level 1
Level 1

‎01-15-2015 01:47 AM

Hi Michael

 

You have to add each and every ISE Admin-User locally, and specify the external Radius-Token users to be external.

 

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Step 3 Click Save .

 

0 Helpful

jsteffensen
Level 1
Level 1
In response to jsteffensen

‎01-15-2015 01:54 AM

ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.

 

Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token

 

Last Modified

Nov 25, 2014

Product

Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.3(0.876)

Description (partial)

Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups

Conditions:
RBAC with shadow user & Radius token

 

 

 

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.
 
 
0 Helpful

cciesec2011
Level 3
Level 3
In response to jsteffensen

‎01-15-2015 12:54 PM

The bug was originally reported by me :-)

0 Helpful
Customers Also Viewed These Support Documents