
ISE - choose RADIUS server based on AD group membership?

amoskvit
Level 1

Hello

Will ISE be able to first check AD group membership and then, based on it, forward the RADIUS request to one of multiple RADIUS servers?

Below is full description of customer request

Current State:

We have ISE active as a RADIUS server, in front of an RSA SecurID server, which is used for Check Point VPNs and NetScaler authentication (for Citrix).

Proposed Idea

We want to add a separate MFA provider (which has a RADIUS interface) to sit next to RSA SecurID and have ISE determine which MFA provider to send the request to based on the authenticating user's AD group membership (e.g. if a user is in Group A they are pushed to RSA; if in Group B, their request goes to the new MFA server). The reason for this is that it would allow a gradual migration off RSA.

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Not possible for a simple authentication flow, as authentication needs to take place before determining AD group memberships.

It might be possible to use CWA chaining, such that the sessions are authenticated using another ID source (e.g. AD), redirected to different ISE guest portals based on AD group memberships, and each ISE guest portal uses a different ID source sequence for MFA.

2 Replies

Theorycrafting here, but you could define each RSA server in ISE. Then define all the users as local users in ISE but tie them into the appropriate RSA server for their password. Finally, use the local user identity store in the authentication policy.

Most likely this is not practical if there are many users. This would only be needed during the migration. Once everything is migrated, you change the authentication to use the RSA server and remove all the local user accounts.
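The local-user workaround above becomes tedious by hand once there are more than a handful of accounts, which is the objection raised in the reply. The script below is an added example, not code from the thread or from Cisco: it takes a list of AD users with their group memberships, picks the ISE identity store that should validate each user's password from the group, and builds InternalUser payloads for the ISE ERS API (POST https://<ise>:9060/ers/config/internaluser, field "passwordIDStore"), with a dry-run default so nothing is sent until you have reviewed the result. The group DNs, identity-store names, hostname and sample users are constructed assumptions; a user who sits in more than one MFA group is reported as ambiguous rather than silently assigned to whichever store came first. Whether your ISE release accepts an external store in passwordIDStore for a given store type is something to confirm in the ERS SDK documentation on your deployment before running without dry_run.

```python
"""
Added example (not from the original thread): bulk-build ISE ERS InternalUser
payloads whose password store is chosen from the user's AD group, to support a
staged MFA migration where the authentication policy points at Internal Users.
All names below (groups, stores, host, users) are assumptions/constructed data.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumed mapping: AD group DN -> name of the ISE identity store that should
# validate the user's password.  These must match the store names defined in ISE.
GROUP_TO_STORE: Dict[str, str] = {
    "CN=MFA-RSA,OU=Groups,DC=example,DC=com": "RSA-SecurID",
    "CN=MFA-New,OU=Groups,DC=example,DC=com": "NewMFA-RADIUS",
}

# Constructed sample export of AD users and their memberOf attribute.
SAMPLE_USERS: List[Dict] = [
    {"sAMAccountName": "alice", "memberOf": ["CN=MFA-RSA,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob",   "memberOf": ["CN=MFA-New,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "dave",  "memberOf": ["CN=MFA-RSA,OU=Groups,DC=example,DC=com",
                                             "CN=MFA-New,OU=Groups,DC=example,DC=com"]},
]


def build_payloads(users: List[Dict],
                   mapping: Dict[str, str] = GROUP_TO_STORE
                   ) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (payloads, skipped). Users with no MFA group or with more than one
    matching group are skipped with a reason instead of being guessed at."""
    payloads: List[Dict] = []
    skipped: Dict[str, str] = {}
    for u in users:
        name = u["sAMAccountName"]
        stores = sorted({mapping[g] for g in u["memberOf"] if g in mapping})
        if not stores:
            skipped[name] = "no MFA group"
            continue
        if len(stores) > 1:
            skipped[name] = "ambiguous: " + ", ".join(stores)
            continue
        payloads.append({"InternalUser": {
            "name": name,
            "enabled": True,
            # Password is validated by the external store, not stored in ISE.
            "passwordIDStore": stores[0],
            "description": "MFA migration: password via " + stores[0],
        }})
    return payloads, skipped


def push(payloads: List[Dict], host: str, username: str, password: str,
         dry_run: bool = True) -> List[Tuple[str, object]]:
    """POST each payload to the ERS InternalUser endpoint. Dry-run by default.
    TLS verification is left on; fix the ISE certificate rather than disabling it."""
    url = f"https://{host}:9060/ers/config/internaluser"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "Authorization": "Basic " + token}
    results: List[Tuple[str, object]] = []
    for body in payloads:
        name = body["InternalUser"]["name"]
        if dry_run:
            results.append((name, "dry-run"))
            continue
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=15,
                                        context=ssl.create_default_context()) as resp:
                results.append((name, resp.status))
        except urllib.error.HTTPError as e:
            results.append((name, e.code))
    return results


if __name__ == "__main__":
    built, skipped = build_payloads(SAMPLE_USERS)
    print(json.dumps(built, indent=2))
    print("skipped:", skipped)
    # Replace host/credentials and set dry_run=False only after reviewing the output.
    print(push(built, "ise.example.com", "ers-admin", "change-me", dry_run=True))
```

When run with the constructed data it produces payloads for alice (RSA-SecurID) and bob (NewMFA-RADIUS), skips carol for lacking an MFA group, and flags dave as ambiguous; resolve the ambiguous cases in AD before the migration rather than in the script. The same script, run with the mapping collapsed to the single surviving store, can mark the tail end of the migration, after which the local accounts are deleted as the reply describes.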