ISE Sponsor Authentication via RADIUS

descalante2007
Level 1

My client is requesting that we change the way the sponsor users are authenticated and authorized to access the ISE Sponsor Portal.

They'd like to pass the ISE request to AD through a RADIUS server first. They said "to avoid sending AD credentials to ISE directly". Under these requirements,

my search and limited knowledge lead me to assume I should define a Proxy RADIUS.

I think I can define an External RADIUS server, but I wonder whether, having created this, it would be available as an Identity Source for the "Sponsor Portal Sequence".

If not, how can I add this? After that, what conditions or attributes should I look for to use in the "Sponsor Group Policy" in order to filter username/password and allow access only to employees and deny access to anyone else?

I would appreciate any advice you can give me to offer the best recommendation to the customer.

Regards.

Daniel Escalante.


6 Replies

Richard Atkin
Level 4

I don't think you can do RADIUS for this; your options are basically:

ISE Internal User DB

Integrate with AD

Integrate with LDAP

Hi Saurav,

Unfortunately that document is not relevant to what Daniel is trying to achieve.  He needs to be able to reference a RADIUS Server as part of the Sponsor Authentication process, which isn't possible today.  The only possibilities are what I outlined in my original response.

Richard

Thanks Richard, also today I found the compatibility matrix for ISE (http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html). I think table 2 on page 4 is what answers the customer request very specifically.

Just to clarify my mind: referencing a RADIUS server as part of the Sponsor Authentication process (if that were possible) would make the ISE behave as a RADIUS client, but it is a RADIUS server ... isn't it?

Nicholas Poole
Level 1

One of ISE's benefits is that it can talk directly to AD. What is the reason why they want to avoid this? It can't be a security issue to avoid any communications between ISE and AD; otherwise, at a guess, ISE probably isn't doing a lot for you?

I think I understood the customer's concern. This is quoted from Microsoft, http://support.microsoft.com/kb/321051:

"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."

So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...

The ISE User Guide indicates that one of the ports required to be open in the case a firewall exists between ISE and AD is 636 (LDAPS). (ISE User Guide, page 5-6)

In my case there is no FW between ISE and AD, so where or how can I show the customer we are using LDAPS?

Regards.
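One way to answer the last question above (showing the customer which ports the ISE-to-AD LDAP sessions actually use), as an added example that is not from this thread or from Cisco: it summarises a text capture such as the output of tcpdump -nn taken on the ISE node, counts new TCP sessions from ISE to the AD server per LDAP port, and flags any that went to a port that carries LDAP in cleartext unless StartTLS is negotiated. The ISE and AD addresses and the capture lines are constructed.

```python
import re
from collections import Counter

# AD/LDAP ports as seen from ISE. 389 and 3268 carry LDAP that is cleartext
# unless StartTLS is negotiated; 636 and 3269 are TLS from the first byte (LDAPS).
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC-LDAP", 3269: "GC-LDAPS"}
CLEARTEXT_PORTS = {389, 3268}

# Matches one line of "tcpdump -nn" text output, e.g.
# "10:01:00.000001 IP 10.10.1.5.51234 > 10.10.2.10.636: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture (hypothetical addresses: ISE 10.10.1.5, AD 10.10.2.10).
SAMPLE_CAPTURE = """\
10:01:00.000001 IP 10.10.1.5.51234 > 10.10.2.10.636: Flags [S], seq 1, win 64240, length 0
10:01:00.000200 IP 10.10.2.10.636 > 10.10.1.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:00.000300 IP 10.10.1.5.51234 > 10.10.2.10.636: Flags [.], ack 3, win 64240, length 0
10:01:00.001000 IP 10.10.1.5.51234 > 10.10.2.10.636: Flags [P.], seq 1:209, ack 3, length 208
10:01:05.000000 IP 10.10.1.5.51240 > 10.10.2.10.636: Flags [S], seq 9, win 64240, length 0
10:01:07.000000 IP 10.10.1.5.51250 > 10.10.2.10.389: Flags [S], seq 5, win 64240, length 0
10:01:09.000000 IP 10.10.1.5.51260 > 10.10.2.10.88: Flags [S], seq 7, win 64240, length 0
"""

def ldap_sessions_by_port(capture_text, ise_ip, ad_ip):
    """Count new TCP sessions (pure SYN) from ISE to the AD server per LDAP port."""
    sessions = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, flags = m.group(1), m.group(3), int(m.group(4)), m.group(5)
        # Only SYNs initiated by ISE toward AD; SYN-ACK ("S.") and data packets are skipped
        if src == ise_ip and dst == ad_ip and dport in LDAP_PORTS and flags == "S":
            sessions[dport] += 1
    return dict(sessions)

def audit_capture(capture_text, ise_ip, ad_ip):
    """Return (sessions_by_port, cleartext_seen); cleartext_seen is True when any
    session went to a port that carries LDAP without TLS by default."""
    sessions = ldap_sessions_by_port(capture_text, ise_ip, ad_ip)
    cleartext_seen = any(port in CLEARTEXT_PORTS for port in sessions)
    return sessions, cleartext_seen

if __name__ == "__main__":
    print(audit_capture(SAMPLE_CAPTURE, "10.10.1.5", "10.10.2.10"))
```

Sessions on tcp/636 show that LDAPS was used, and the TLS handshake visible in the same capture is the evidence to show the customer. A session to tcp/389 is not necessarily cleartext if StartTLS was negotiated inside it, which this script does not inspect.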