02-26-2019 05:08 AM - edited 03-08-2019 07:14 PM
Hi ISE Experts, I have a specific query from a customer relating to Cisco ISE RADIUS Proxy functionality that I'm struggling with. The customer query is below and I have attached a pdf that shows what the customer is trying to achieve. The authentication will be via machine auth, with certificates on the PCs. We are ideally looking for ISE to identify the realm from the EAP-TLS outer header information, and via some sort of lookup logic then proxy the EAP request to a particular back-end RADIUS server (likely to be Microsoft NPS in front of AD) in the appropriate tenant's network. The aim here is for the EAP session not to terminate on ISE but to be carried through to the back-end RADIUS server.
The selected back-end infrastructure will validate the certificate and if all is well, send back a VSA denoting the name of the VLAN to be applied to the port.
As I understand it, the two important factors here are:
1. Being able to identify the realm from the EAP-TLS outer header, and use that with some logic to determine which back-end network to send it to for auth.
2. Not terminating the EAP session on ISE but proxying it through to the chosen back-end infrastructure.
The alternative would be to terminate the EAP session on ISE, and still use the realm logic to determine the back-end server. The auth request could then be LDAP to the back-end AD (rather than to the NPS RADIUS server). However, this would mean that the dynamic VLAN information would have to come from ISE rather than the back-end infrastructures. We would like to keep the responsibility for maintaining the device to VLAN mapping within each tenant's infrastructure if possible.
04-19-2019 05:59 AM
Hi @lcartwri
In the basic Proxy case, ISE does not get involved at all in the processing of the RADIUS request. In the simplest case, you are just forwarding on the RADIUS packet to another server and then when the response comes back from that server, you can choose whether to add/remove some attributes. But you don't process the EAP contents. There is an option in ISE to pass the request through authentication/authorization but this is not enabled by default.
So yes, you're right: you look at the realm of the username and then decide where to send the request.
Where the Allowed Protocols shown above (EXTRADSEQ and EXTRADSEQ_2) are the external RADIUS server sequences.
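The realm lookup the answer describes, worked through as an added example (this is not code from the original thread, nor Cisco's own implementation; ISE's proxy logic is not scriptable, so the block models the decision in Python). It parses a RADIUS Access-Request, verifies the Message-Authenticator that EAP-over-RADIUS requests must carry (RFC 3579), reads the outer identity from EAP-Response/Identity (falling back to User-Name), splits the NAI realm after the last `@` (RFC 7542), and maps it to an external RADIUS server sequence. The realm names `tenant-a.example` / `tenant-b.example`, the shared secret and the sample packets are constructed for the example; the sequence names `EXTRADSEQ` and `EXTRADSEQ_2` are the ones named in the post.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Hypothetical realm -> ISE external RADIUS server sequence mapping. The realm
# names are constructed for this example; the sequence names are from the post.
REALM_TO_SEQUENCE = {
    "tenant-a.example": "EXTRADSEQ",
    "tenant-b.example": "EXTRADSEQ_2",
}


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identity, secret, ident=0x2A):
    """Construct an Access-Request carrying EAP-Response/Identity for `identity`,
    signed with Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY)
    eap += identity.encode()
    attrs = (_attr(ATTR_USER_NAME, identity.encode())
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # MA is the last attribute; replace its 16 zero bytes


def parse_attributes(payload):
    """Return [(type, value, offset_of_value)] enforcing RFC 2865 length rules."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length], i + 2))
        i += length
    return attrs


def verify_message_authenticator(pkt, secret):
    """RFC 3579 3.2: recompute HMAC-MD5 over the packet with the MA value zeroed."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    mas = [(v, off) for t, v, off in parse_attributes(pkt[20:]) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False  # EAP-carrying requests must have exactly one MA
    value, off = mas[0]
    zeroed = pkt[:20 + off] + bytes(16) + pkt[20 + off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def outer_identity(attrs):
    """Identity from EAP-Response/Identity (EAP-Message fragments concatenated),
    falling back to User-Name. Both are supplied by the client, unauthenticated."""
    eap = b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        if struct.unpack("!H", eap[2:4])[0] == len(eap):
            return eap[5:].decode("utf-8", "replace")
    for t, v, _ in attrs:
        if t == ATTR_USER_NAME:
            return v.decode("utf-8", "replace")
    return None


def realm_of(identity):
    """NAI realm per RFC 7542: the part after the last '@', matched case-insensitively."""
    if identity is None or "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower() or None


def select_sequence(pkt, secret):
    """Return (identity, realm, sequence). sequence None means no proxy target: reject."""
    if not verify_message_authenticator(pkt, secret):
        raise ValueError("Message-Authenticator check failed: drop the request")
    attrs = parse_attributes(pkt[20:])
    identity = outer_identity(attrs)
    realm = realm_of(identity)
    return identity, realm, REALM_TO_SEQUENCE.get(realm)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for ident in ("anonymous@tenant-b.example", "host/pc1.corp.internal"):
        print(select_sequence(build_access_request(ident, secret), secret))
```

The identity used for the routing decision is whatever the supplicant put in EAP-Response/Identity; in EAP-TLS it is not authenticated (the certificate is validated later, by the tenant's NPS in this design). A client can therefore claim any realm, so the realm-to-sequence table should be a closed allow-list, requests with no realm or an unknown realm should be rejected rather than sent to a default tenant, and each tenant's back end must check that the certificate it validates actually belongs to its own PKI.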