ISE system administration via ACS 5.5

Hi,

Here is the scenario.

Our client has asked if it's possible to use ACS for system administration on ISE. I have previous experience using AD for this kind of authentication, but using ACS for role-based system administration on ISE is new to me.

What I do know is that you can use some Radius Attributes to push roles into the ISE from ACS, with something like this "CiscoSecure-Group-Id".

To be clear, user IDs will be created in the ACS, and ISE administrators use these credentials to log in to the ISE.

Can someone help me with this?

7 Replies

nspasov
Cisco Employee

Are they trying to do this for GUI based admins or for CLI based admins?

Thank you for rating helpful posts!

GUI based administration. Thank you for the reply
I have already found another discussion regarding the same issue.

https://supportforums.cisco.com/discussion/11779811/ise-admin-access-authentication-against-external-radius

Though it's not working for me yet following those steps.

Using external RADIUS to authenticate users logging into the ISE GUI is not supported; you can only use internal users or AD for that.

Jan is correct with the exception that you can also use LDAP in addition to AD. I did some digging and there is no way to use an external RADIUS server for this. 


If you don't have the option to use an external RADIUS server, why is this information provided in the authorization field at "RADIUS Token Identity Sources"?

The RADIUS Token server may be configured to return a value in a Cisco av-pair with the format:attribute_name. If this is received from the Token Server, it may be placed into a dictionary value for subsequent authorization policy. To enable this feature, enter a name for the RADIUS Token Dictionary attribute below.

A common case is a "CiscoSecure-Group-Id" in the Cisco av-pair, using the name CiscoSecure-Group-Id.


* Attribute Name: xxxxxxxxxxxx    


And to be clear, authentications are successful. But I don't know how to create a proper "Authorization Profile" and use it in the default network access rule I have created.

Authentication Result
RadiusPacketType=AccessReject
AuthenticationResult=Passed

Authentication failed : 15039 Selected Authorization Profile is DenyAccess
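The av-pair mechanism quoted from the ISE "RADIUS Token Identity Sources" page above, worked through as an added example (not code from this thread or from Cisco): a Cisco av-pair travels inside RADIUS attribute 26 (Vendor-Specific) with vendor ID 9 and sub-type 1 (cisco-avpair), and ISE splits the "name=value" text to fill its dictionary attribute. The group value "ISE-Admins" and the sample bytes are constructed; the length checks show what a parser must refuse.

```python
"""Encode and decode a Cisco av-pair carried in a RADIUS Vendor-Specific
attribute (type 26, vendor 9, sub-type 1), e.g. "CiscoSecure-Group-Id=ISE-Admins".
Added example with constructed values; not the ISE or ACS implementation."""
import struct

VSA_TYPE = 26          # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # cisco-avpair vendor sub-attribute


def encode_cisco_avpair(text: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single cisco-avpair string."""
    value = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def iter_attributes(data: bytes):
    """Yield (type, value) from a type/length/value list; both the top-level
    attribute list and the Cisco sub-attribute list use this layout."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")  # refuse over-long claims
        yield atype, data[i + 2:i + alen]
        i += alen


def cisco_avpairs(attrs: bytes) -> dict:
    """Collect name=value pairs from every Cisco av-pair in an attribute list,
    ignoring non-VSA attributes and VSAs from other vendors."""
    pairs = {}
    for atype, value in iter_attributes(attrs):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for stype, svalue in iter_attributes(value[4:]):
            if stype == CISCO_AVPAIR and b"=" in svalue:
                name, _, val = svalue.decode(errors="replace").partition("=")
                pairs[name.strip()] = val.strip()
    return pairs


if __name__ == "__main__":
    sample = encode_cisco_avpair("CiscoSecure-Group-Id=ISE-Admins")  # constructed
    print(sample.hex(), cisco_avpairs(sample))
```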

tony.dodson
Level 1

Did you ever get an answer to this? I have the same problem.