05-07-2015 05:28 AM - edited 03-10-2019 10:43 PM
Hi,
Here is the scenario.
Our client has asked if it's possible to use ACS for system administration on ISE. I have previous experience using AD for this kind of authentication, but using ACS for role-based system administration on ISE is new to me.
What I do know is that you can use some RADIUS attributes to push roles into ISE from ACS, with something like "CiscoSecure-Group-Id".
To be clear, user IDs will be created in ACS and ISE administrators will use these credentials to log in to ISE.
Can someone help me with this?
05-07-2015 11:02 AM
Are they trying to do this for GUI based admins or for CLI based admins?
Thank you for rating helpful posts!
05-08-2015 04:42 AM
GUI based administration. Thank you for the reply
05-08-2015 05:52 AM
I have already found another discussion regarding the same issue.
https://supportforums.cisco.com/discussion/11779811/ise-admin-access-authentication-against-external-radius
Though it's not working for me yet following those steps.
05-09-2015 02:49 AM
Using external RADIUS to authenticate users logging into the ISE GUI is not supported; you can only use internal users or AD for that.
05-10-2015 11:47 PM
Jan is correct with the exception that you can also use LDAP in addition to AD. I did some digging and there is no way to use an external RADIUS server for this.
Thank you for rating helpful posts!
05-12-2015 05:32 AM
If you don't have the option to use an external RADIUS server, why do you have this information provided in the authorization field at "RADIUS Token Identity Sources"?
The RADIUS Token server may be configured to return a value in a Cisco av-pair with the format: attribute_name. If this is received from the Token Server, it may be placed into a dictionary value for subsequent authorization policy. To enable this feature, enter a name for the RADIUS Token Dictionary attribute below.
A common case is a "CiscoSecure-Group-Id" in the Cisco av-pair, using the name CiscoSecure-Group-Id.
* Attribute Name: xxxxxxxxxxxx
And to be clear, authentications are successful. But I don't know how to create a proper "Authorization Profile" and use it in the default network access rule I have created.
Authentication Result
RadiusPacketType=AccessReject
AuthenticationResult=Passed
Authentication failed : 15039 Selected Authorization Profile is DenyAccess
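The av-pair handling described in the post above, as an added Python example (not code from Cisco, ACS or this thread): it parses the cisco-avpair Vendor-Specific attribute a RADIUS token server can return, extracts the named attribute (CiscoSecure-Group-Id) the way the dictionary setting describes, and maps it to an authorization profile, falling through to DenyAccess when the attribute is absent or unmapped. The group name "ISE-Admins" and profile name "PermitAccess-Admins" are assumptions.

```python
import struct

RADIUS_VSA = 26       # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9   # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1      # vendor-type of the "cisco-avpair" string sub-attribute

def build_cisco_avpair(text):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(sub), CISCO_VENDOR_ID) + sub

def iter_attributes(blob):
    """Walk a RADIUS attribute list as (type, value), refusing lengths that overrun the buffer."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        yield atype, blob[i + 2:i + alen]
        i += alen

def cisco_avpairs(blob):
    """Yield the text of every cisco-avpair, ignoring other attributes and other vendors."""
    for atype, value in iter_attributes(blob):
        if atype != RADIUS_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                yield vvalue.decode("utf-8", errors="replace")

def token_dictionary_value(blob, attribute_name):
    """The 'RADIUS Token Dictionary attribute' lookup: value of 'attribute_name=value', or None."""
    prefix = attribute_name + "="
    for pair in cisco_avpairs(blob):
        if pair.startswith(prefix):
            return pair[len(prefix):]
    return None

def authorization_profile(blob, attribute_name, group_to_profile):
    """Map the returned group to a profile; missing or unmapped groups get DenyAccess (the 15039 case)."""
    return group_to_profile.get(token_dictionary_value(blob, attribute_name), "DenyAccess")

# Constructed sample Access-Accept attributes; the group and profile names are assumed,
# not values taken from the thread.
SAMPLE_ACCEPT = build_cisco_avpair("CiscoSecure-Group-Id=ISE-Admins") + build_cisco_avpair("shell:priv-lvl=15")
PROFILE_MAP = {"ISE-Admins": "PermitAccess-Admins"}
```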
11-19-2015 02:44 PM
Did you ever get an answer to this? I have the same problem.