ISE Admin access using external RADIUS
02-24-2020 08:57 AM
Trying to get a clear understanding of utilizing an external RADIUS server for ISE admin access.
As I understand it, "RADIUS Token" external ID store is basically just RADIUS with only a single attribute supported.
I have a customer that needs to use an external RADIUS server (not OTP/Token) for ISE admin access. The documentation mentions RSA SecurID as supported for Administrative access, but no mention of standard RADIUS auth.
"External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database."
Can a standard RADIUS server be used in the same way?

02-24-2020 02:20 PM
Hi JD,
I'm not sure if it's officially documented as 'supported' anywhere, but I just set up a test in my lab using 2 ISE servers and I can successfully authenticate to the ISE GUI via a second external ISE server. My setup is [ISE 2.7] <=> [ISE 2.6].
My 'ise27' is configured as a RADIUS client in 'ise26' and the necessary Policy Set, AuthC and AuthZ Policies are configured to simply return an ACCESS-ACCEPT result. I'm using an Internal User to test, but it should work with an external ID store as well.
In 'ise27' I configured 'ise26' as a RADIUS Token server and configured the Admin Access to use 'ise26' for Authentication.
As with the OTP use case, ISE can only use internal authorisation, so you'll have to create shadow (External) user accounts in ISE for any RADIUS users that will need to connect to the ISE GUI.
Cheers,
Greg
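
The RADIUS exchange behind the setup described in the reply above, as an added example (not part of the original posts and not Cisco code): the client role played by 'ise27' builds an RFC 2865 Access-Request with a hidden User-Password, and the reply is trusted only if its Response Authenticator verifies under the shared secret. The shared secret, usernames and passwords are constructed, and `server_reply` is a hypothetical stand-in for the external server's policy.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def pap_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def build_access_request(user, password, secret, ident=1):
    """What the RADIUS client (ise27 in the thread) sends: User-Name plus hidden User-Password."""
    auth = os.urandom(16)  # Request Authenticator
    pw = password.encode()
    pw = pw.ljust(max(16, -(-len(pw) // 16) * 16), b"\x00")  # pad to a multiple of 16
    attrs = b""
    for typ, val in ((USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(pw, secret, auth))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(packet):
    """Walk the type-length-value attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        typ, length = packet[i], packet[i + 1]
        if length < 2:
            break
        attrs[typ] = packet[i + 2:i + length]
        i += length
    return attrs

def server_reply(request, secret, users):
    """Hypothetical stand-in for the external server (ise26): accept or reject, then sign."""
    attrs = parse_attrs(request)
    pw = pap_xor(attrs[USER_PASSWORD], secret, request[4:20], decrypt=True).rstrip(b"\x00")
    known = users.get(attrs[USER_NAME].decode())
    ok = known is not None and hmac.compare_digest(known.encode(), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def verify_reply(reply, request, secret):
    """Client side: return the reply code only if the Response Authenticator checks out."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    ok = reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])
    return reply[0] if ok else None
```

A `None` from `verify_reply` means the reply was not signed with the client's shared secret, which is what a secret mismatch between the two servers looks like on the wire.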
