ISE as Standalone RADIUS Server

PhilippTen · ‎04-08-2013

Hi buddies,

Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.

I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.

Am i right with that? An if yes, how can i do this?

Thanks

sahseth · ‎04-08-2013

Please find this cisco link: http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_sw_cnfg.html.

PhilippTen · ‎04-10-2013

Hi,

Thanks but I tried this allready and it doesn't work. Also my question is more about configuring the ISE than the switches. To get a better understanding of my problem: I want to create a user/password-combo on the ISE. Then I want to connect to my switch via console and ssh. At this point I want to use the created user and the switch has to ask the ISE if this user is authorized to 'enable' or some other stuff.

With my ACS and Tacacs+ this works very proper, but in future I want to shut down the ACS. At this Point the ISE shall do the work.

Even some parts in the switch-config seem strange to me. In the part of the 'RADIUS Server Configuration' I have to add the 'radius-server host auth-port 1812 acct-port 1813 ... key 0 ' but a scan on the ISE shows no open ports at 1812, 1813. Is this correct? Even for a radius-proxy?