
ISE Admin access using external RADIUS

joplant
Cisco Employee

Trying to get a clear understanding of utilizing an external RADIUS server for ISE admin access.

 

As I understand it, "RADIUS Token" external ID store is basically just RADIUS with only a single attribute supported.

 

I have a customer that needs to use an external RADIUS server (not OTP/Token) for ISE admin access. The documentation mentions RSA SecurID as supported for Administrative access, but no mention of standard RADIUS auth.

 

"External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database."

 

Can a standard RADIUS server be used in the same way?

1 Reply

Greg Gibbs
Cisco Employee

Hi JD,

I'm not sure if it's officially documented as 'supported' anywhere, but I just set up a test in my lab using 2 ISE servers and I can successfully authenticate to the ISE GUI via a second external ISE server. My setup is [ISE 2.7] <=> [ISE 2.6].

 

My 'ise27' is configured as a RADIUS client in 'ise26' and the necessary Policy Set, AuthC and AuthZ Policies are configured to simply return an ACCESS-ACCEPT result. I'm using an Internal User to test, but it should work with an external ID store as well.

In 'ise27' I configured 'ise26' as a RADIUS Token server and configured the Admin Access to use 'ise26' for Authentication.

 

As with the OTP use case, ISE can only use internal authorisation, so you'll have to create shadow (External) user accounts in ISE for any RADIUS users that will need to connect to the ISE GUI.

 

Cheers,

Greg
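
An added example, not part of the original thread and not Cisco code: a small RFC 2865 PAP client for confirming that the external RADIUS server answers a test user with a validly signed Access-Accept before ISE admin authentication is pointed at it. All function names and the `radius-check` NAS-Identifier value are hypothetical, and the attributes ISE itself sends to a RADIUS Token server are not assumed here.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (chained MD5 XOR)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, req_auth=None,
                         nas_id="radius-check"):  # hypothetical NAS-Identifier
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Server side; used here only to construct offline sample replies."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def check_reply(packet, ident, req_auth, secret):
    """Return the reply code, or None if the reply fails validation."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def authenticate(server, user, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and return the validated reply code."""
    packet, req_auth = build_access_request(os.urandom(1)[0], user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return check_reply(s.recv(4096), packet[1], req_auth, secret)
```

Run `authenticate()` from a host that is registered as a RADIUS client on the server; it returns 2 for Access-Accept, 3 for Access-Reject, or None when the reply fails validation against the shared secret. A server that requires the Message-Authenticator attribute will discard this request, which does not include one.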