ISE RADIUS Proxy

lcartwri
Cisco Employee

Hi ISE Experts,

I have a specific query from a customer relating to Cisco ISE RADIUS Proxy functionality that I'm struggling with. The customer query is below, and I have attached a PDF that shows what the customer is trying to achieve. The authentication will be via machine auth, with certificates on the PCs. We are ideally looking for ISE to identify the realm from the EAP-TLS outer header information and, via some sort of lookup logic, then proxy the EAP request to a particular back-end RADIUS server (likely to be Microsoft NPS in front of AD) in the appropriate tenant's network. The aim here is for the EAP session not to terminate on ISE but to be carried through to the back-end RADIUS server.

The selected back-end infrastructure will validate the certificate and if all is well, send back a VSA denoting the name of the VLAN to be applied to the port.

As I understand it, the two important factors here are:
1. Being able to identify the realm from the EAP-TLS outer header, and use that with some logic to determine which back-end network to send it to for auth.
2. Not terminating the EAP session on ISE but proxying it through to the chosen back-end infrastructure.

The alternative would be to terminate the EAP session on ISE, and still use the realm logic to determine the back-end server. The auth request could then be LDAP to the back-end AD (rather than to the NPS RADIUS server). However, this would mean that the dynamic VLAN information would have to come from ISE rather than the back-end infrastructures. We would like to keep the responsibility for maintaining the device to VLAN mapping within each tenant's infrastructure if possible.

Accepted Solution

Arne Bier
VIP

Hi @lcartwri 

In the basic Proxy case, ISE does not get involved at all in the processing of the RADIUS request. In the simplest case, you are just forwarding on the RADIUS packet to another server, and then when the response comes back from that server, you can choose whether to add/remove some attributes. But you don't process the EAP contents. There is an option in ISE to pass the request through authentication/authorization, but this is not enabled by default.

So yes, you're right - you look at the realm of the username and then decide where to send the request.

(screenshot: proxy2.PNG)

In the screenshot above, the Allowed Protocols selected (EXTRADSEQ and EXTRADSEQ_2) are the external RADIUS server sequences.
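As an added illustration (not ISE code, and not from the post above): a small Python model of the routing decision described in this answer, where the realm is taken from the outer User-Name of the Access-Request and mapped to one of the external RADIUS server sequences named in the thread, while the EAP-Message attribute is only checked for presence and never decoded. The tenant realms, the sample packet and the helper names are constructed for this example.

```python
# Hypothetical model of a realm-based RADIUS proxy decision; not ISE code.
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE = 1, 1, 79

# Constructed realm -> server-sequence map; sequence names are from the thread.
REALM_TO_SEQUENCE = {
    "tenant-a.example": "EXTRADSEQ",
    "tenant-b.example": "EXTRADSEQ_2",
}


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return the (type, value) TLVs of an Access-Request (RFC 2865 layout)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20  # skip 4-byte header and 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def realm_of(identity: str) -> Optional[str]:
    """Realm from an outer identity: user@realm (NAI), DOMAIN\\user, or host/fqdn."""
    if "@" in identity:
        return identity.rsplit("@", 1)[1].lower()
    if "\\" in identity:
        return identity.split("\\", 1)[0].lower()
    if identity.startswith("host/") and "." in identity[5:]:
        return identity[5:].split(".", 1)[1].lower()
    return None


def route(packet: bytes) -> Optional[str]:
    """External server sequence to forward to, or None if the request is not proxied."""
    attrs = parse_attributes(packet)
    names = [v for t, v in attrs if t == USER_NAME]
    if len(names) != 1 or not any(t == EAP_MESSAGE for t, _ in attrs):
        return None  # exactly one outer identity plus an EAP payload are required
    return REALM_TO_SEQUENCE.get(realm_of(names[0].decode("utf-8", "replace")) or "")


def build_request(identity: str) -> bytes:
    """Constructed sample Access-Request carrying an EAP-Response/Identity."""
    name = identity.encode()
    eap = b"\x02\x01" + struct.pack("!H", 5 + len(name)) + b"\x01" + name  # EAP Identity
    body = bytes([USER_NAME, 2 + len(name)]) + name
    body += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body
```

The zeroed Request Authenticator in the sample is a placeholder; a real proxy forwards the packet as received and only re-signs for the upstream shared secret.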