Solved: Re: ISE CWA with external radius

Brian McPhillips · ‎10-19-2021

Our customer has a requirement to log BYOD sessions based on Username/IP to a syslog server. We are using Meraki APs and I have tested the Meraki splash page, the generated Syslogs do not contain the usernames. Not sure if this can be collated via the API somehow.

We need to use a dedicated radius server that the customer manages. Meraki Splash page can point to this radius server ok and authenticate but the logging isnt right. We do have ISE for corporate authentication, we can point the Meraki splash page to authenticate via ISE. The ISE syslogs include the Username/Passwords. Is there any way of using the ISE guest portal to authenticate to the external radius server? But keeping authorization managed by ISE to present the ISE portal.

Hopefully this makes sense!

hslai · ‎12-19-2021

If the external RADIUS server is used for credential checks, then we may configure it as a RADIUS token server and include it in an identity source sequence.

View solution in original post

Arne Bier · ‎12-16-2021

Hello @Brian McPhillips

I just stumbled upon this old message.

It appears that the ISE Portal Authentication Method allows Identity Source Sequences - BUT ... the Identity Source Sequence cannot contain a RADIUS Server Sequences (list of external RADIUS proxy servers). At least - that's the case in ISE 2.7

As far as I know, RADIUS Proxy sequences can only be used/specified in ISE in the standard RADIUS Policy Set (under the Allowed Protocols / Server Sequence) as part of the initial Policy Set definition.

I think the answer is no

hslai · ‎12-19-2021

If the external RADIUS server is used for credential checks, then we may configure it as a RADIUS token server and include it in an identity source sequence.