cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4097
Views
0
Helpful
5
Replies

ISE Admin Access Authentication to RADIUS Token Server

Hi all!

I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.

Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?

Thanks in advance,

Michael Langerreiter

5 Replies 5

Ravi Singh
Level 7
Level 7

Hello Michael,

As you are using external radius token server for ISE admin access authentication and Authorization, you need to create a admin group on radius server and assign the user to this group whom you want to give full permission. When they will be authenticated by ISE they will get full rights automatically

Vivek Ganapathi
Level 4
Level 4

Hi Michael,

Just wondering if you were successful to sort this out? I have a similar requirement to achieve. If you have sorted this out, please let me know what has to be done. I don't see any specific documents explaining this.

 

Regards

Vivek

jsteffensen
Level 1
Level 1

Hi Michael

 

You have to add each and every ISE Admin-User locally, and specify the external Radius-Token users to be external.

 

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.

Step 3 Click Save .

 

ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.

 

Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token

 

Last Modified

Nov 25, 2014

Product

Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.3(0.876)

Description (partial)

Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups

Conditions:
RBAC with shadow user & Radius token

 

 

 

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.
 
 

The bug was originally reported by me :-)