ISE as a Proxy

erazvi
Cisco Employee

I am configuring ISE as a Proxy and I have added an External RADIUS Server in ISE and also WLC in the NADs.

Next when it comes to configuring the WLC.

1) Do I add just ISE under Security > RADIUS > AuthC and Accounting, or do I also need to add the External RADIUS Server as well?

2) I noticed there is an option called "TUNNEL PROXY" (see below). Do I need to enable that as well if I want ISE to work as a proxy? I am not able to find any information on TUNNEL PROXY.

3) This is only for wireless, so do I still need to add the switch in ISE NADs and also configure the switch (the WLC is connected to a 6509-E switch) and enable AAA?

I am really lost and your help is highly appreciated.


Seb Rupik
VIP Alumni

Hi there,

If your intention is for the WLC to use ISE for AAA, then add each ISE PSN under 'Security -> RADIUS -> Auth/Acct'.

Unless you want your 6509 to use ISE for 802.1X on its switchports or VTYs, there is no need to configure AAA on the switch.
cheers,

Seb.

Thanks for your response.

The External RADIUS Server that I am adding into ISE is some other third-party AAA server (NOT ISE), which will be used for AAA.

So as I understand it, once I add the External RADIUS Server into ISE, ISE will act as a proxy to the External RADIUS server.

Based on the above, thanks for answering my Q.3, but I still need to figure out Q.1 & Q.2.

Thanks
Re Question 1: On the WLC, specify each ISE PSN as a RADIUS server. On ISE, make sure you configure each WLC under Administration -> Network Devices.

Re Question 2: There is no need to enable 'Tunnel Proxy'.

As far as devices connecting to ISE for AAA are concerned, ISE is the sole source of information. Connecting devices do not require any configuration detailing the external identity sources (RADIUS, MS AD, etc.) you may be using.

cheers,

Seb.

Thank you so much for clarifying it further in detail.

One last question to double-check regarding question 1: currently the External RADIUS server that is added to ISE under NADs is also added to the WLC.

Should I delete/disable the External RADIUS server from the WLC and ONLY add the ISE PSN?

Basically, what I am trying to understand is this: when a client is trying to AuthC, will ISE (once the Ext RADIUS Server setting is configured) be able to inform the client that ISE is only acting as a PROXY and that to AuthC it must go to the External RADIUS server, OR does the WLC also need to have the External RADIUS server configured?

Thanks for all your time; I really appreciate all your help.

ISE PSN(s), and only ISE PSN(s), should be defined as the RADIUS server(s) on your WLC and any other Network Access Devices (NADs, i.e. WLCs, wired switches or ASAs).

The NADs do not need to be informed about any RADIUS server other than ISE, and will only be confused if they ask one for AAA services.

I have set this up in production personally: Cisco WLCs and switches with ISE PSNs as the RADIUS servers, and external identity sources including both AD (multiple domains) and foreign RADIUS servers (EDUROAM top-level RADIUS servers in a higher education environment).

Only ISE needs to know the external identity sources. It handles all the external calls / proxying for your NADs. It returns the Authentication results, sends any Authorization policies and collects all Accounting information (AAA).
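The two-hop model described in the answers above (WLC -> ISE PSN -> external RADIUS), shown as an added example that is not part of this thread or of any Cisco code: each hop of a RADIUS proxy chain has its own shared secret and its own Request Authenticator (RFC 2865), so the WLC can only validate replies that come from ISE, and the external server's reply would be meaningless to it. Secrets, IDs and the username are constructed sample values; User-Password re-encryption per hop is omitted.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1  # RADIUS attribute type

def attr(type_code, value):
    """One RADIUS attribute in Type/Length/Value form."""
    return struct.pack("!BB", type_code, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attrs):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def make_response(code, ident, attrs, request_auth, secret):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)

def verify_response(packet, request_auth, secret):
    """A RADIUS client accepts a reply only if it matches its own outstanding request and secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def proxy_flow(wlc_secret, ext_secret, username=b"alice"):
    """WLC -> ISE -> external server and back; ISE re-authenticates each hop with that hop's secret."""
    # Hop 1: the WLC sends an Access-Request (constructed: id 7) to ISE, its only RADIUS server
    wlc_auth = os.urandom(16)
    wlc_request = build_packet(ACCESS_REQUEST, 7, wlc_auth, attr(USER_NAME, username))
    # Hop 2: ISE re-issues the request to the external server with its own id and authenticator
    # (a real proxy also re-encrypts User-Password for the new secret; omitted here)
    ise_auth = os.urandom(16)
    build_packet(ACCESS_REQUEST, 42, ise_auth, wlc_request[20:])
    # The external server answers ISE, signing with ext_secret against ISE's request authenticator
    ext_reply = make_response(ACCESS_ACCEPT, 42, b"", ise_auth, ext_secret)
    ise_trusts_ext = verify_response(ext_reply, ise_auth, ext_secret)
    # ISE relays the verdict to the WLC, signed with wlc_secret against the WLC's own authenticator
    ise_reply = make_response(ACCESS_ACCEPT, 7, b"", wlc_auth, wlc_secret)
    return {
        "ise_trusts_ext_reply": ise_trusts_ext,
        "wlc_accepts_ise_reply": verify_response(ise_reply, wlc_auth, wlc_secret),
        # the external server's reply carries a different id, secret and authenticator: the WLC drops it
        "wlc_accepts_raw_ext_reply": verify_response(ext_reply, wlc_auth, wlc_secret),
        # the WLC configured with the external server's secret cannot validate ISE either
        "wlc_accepts_with_ext_secret": verify_response(ise_reply, wlc_auth, ext_secret),
    }
```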

Thank you so much for a detailed clarification.
