05-11-2022 02:00 AM
Hi,
In an SDA context we use ISE to apply SGT / VN / IP Pool to the endpoint that connects to the network.
For particular endpoints that should not be directly authenticated by ISE, we need to rely on an external RADIUS server (that is not aware of the SGT, VN, etc.), but in the end the endpoints must be placed in the correct VN, with the right IP Pool and SGT.
Is it possible to rely on the external radius response (with potential radius attributes values that may help) to build/rewrite a dedicated authz profile?
The idea would be to use the RADIUS attributes in the RADIUS response to build an ISE authorization profile with the appropriate SGT/VN/IP Pool?
Any other option for that use case?
Thanks
Regards
05-11-2022 02:09 AM
@REJR77 yes, you can configure ISE to send authentication requests to an External RADIUS server; once authenticated, ISE will authorise the users to apply the SGT/VN etc.
05-11-2022 02:20 AM
@Rob Ingram Thanks for answering. What I do not catch is how/where we can map the external RADIUS reply to a usable ISE authz profile.
05-11-2022 05:51 AM
This is done at the Policy Set level. Instead of defining an Allowed Protocols, you can define a RADIUS Server Sequence as I've done here with my eduroam RADIUS Server Sequence:
For the details on how to configure the RADIUS Server Sequence and the "authorize only" option to continue to ISE authorization after external RADIUS authentication, check out this guide:
05-13-2022 08:19 AM
@Charlie Moreton @Rob Ingram Thanks Rob, Charlie
Meanwhile, I would like to understand how ISE can select the correct Authorization Policy when the "Continue to Authorization on Accept" is used.
Let's say we have 2 different endpoints that need to be authenticated with 802.1X through an external RADIUS.
Each endpoint should get a different Authz profile from ISE when accepted. ==> I should have 2 Authz policies with 2 different Authz profiles
What would be the conditions in the Authz Policy since ISE has not authenticated them (not in the Internal endpoint db, or in any identity store)?
Can we use, for example, a RADIUS attribute that is part of the external RADIUS reply, and build a condition with that?
Authz1 policy: if (External Radius Attribute = GRP_ENDPOINT1) then (AuthZ Profile) = AUTHZ_ENDPOINT1
Authz2 policy: if (External Radius Attribute = GRP_ENDPOINT2) then (AuthZ Profile) = AUTHZ_ENDPOINT2
Thank you for your support
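The Authz1/Authz2 idea in the post above, worked through as an added example. This is not code from the thread or from Cisco ISE (ISE evaluates its policy sets internally; whether it can condition on attributes from the external server's reply is exactly the open question here), and it only models the logic: decode the attribute TLVs of a RADIUS Access-Accept (RFC 2865 layout), verify the Response Authenticator against the shared secret before trusting anything in the reply, then map an attribute value to an authorization profile with a deny-by-default fallback. The choice of Filter-Id as the attribute carrying the group name, the profile names and the SGT/VN/pool values are all constructed assumptions for the demo.

```python
"""Toy model of 'continue to authorization after external RADIUS accept'.

Hypothetical example, not ISE's policy engine. Decodes the attributes of a
constructed RADIUS Access-Accept, verifies the reply's authenticator, and
selects an authorization profile from rules in the style of the thread:
  if (External RADIUS Attribute = GRP_ENDPOINT1) then AUTHZ_ENDPOINT1
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11  # RFC 2865 attribute assumed to carry the group name (assumption)

# Constructed placeholder profiles; SGT/VN/pool values are not from any real fabric.
AUTHZ_PROFILES = {
    "AUTHZ_ENDPOINT1": {"sgt": 17, "vn": "VN_IOT", "ip_pool": "POOL_IOT"},
    "AUTHZ_ENDPOINT2": {"sgt": 18, "vn": "VN_CAMERA", "ip_pool": "POOL_CAMERA"},
}
# Policy rules: (attribute type, expected value, profile name); first match wins.
AUTHZ_RULES = [
    (FILTER_ID, b"GRP_ENDPOINT1", "AUTHZ_ENDPOINT1"),
    (FILTER_ID, b"GRP_ENDPOINT2", "AUTHZ_ENDPOINT2"),
]


def parse_attributes(payload):
    """Decode RFC 2865 attribute TLVs into {type: [value, ...]}; rejects bad lengths."""
    attrs = {}
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[i + 2:i + alen])
        i += alen
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_reply(code, ident, attr_list, request_auth, secret):
    """Build a RADIUS reply packet; used here only to construct sample input."""
    attrs_bytes = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attr_list)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + auth + attrs_bytes


def select_profile(reply, request_auth, secret):
    """Validate the external server's reply, then map its attributes to a profile.

    Returns the profile dict, or None when the reply fails authenticator
    verification, is not an Access-Accept, or matches no rule (deny by default).
    """
    if len(reply) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet size")
    attrs_bytes = reply[20:length]
    # Attributes from a reply that does not verify against the shared secret
    # with the external server must never drive an authorization decision.
    if reply[4:20] != response_authenticator(code, ident, attrs_bytes, request_auth, secret):
        return None
    if code != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(attrs_bytes)
    for atype, expected, profile in AUTHZ_RULES:
        if expected in attrs.get(atype, []):
            return AUTHZ_PROFILES[profile]
    return None


# Constructed sample exchange: request authenticator and secret chosen for the demo.
REQUEST_AUTH = bytes(range(16))
SECRET = b"demo-shared-secret"
REPLY_EP1 = build_reply(ACCESS_ACCEPT, 7, [(FILTER_ID, b"GRP_ENDPOINT1")], REQUEST_AUTH, SECRET)
REPLY_EP2 = build_reply(ACCESS_ACCEPT, 8, [(FILTER_ID, b"GRP_ENDPOINT2")], REQUEST_AUTH, SECRET)
REPLY_UNKNOWN = build_reply(ACCESS_ACCEPT, 9, [(FILTER_ID, b"GRP_OTHER")], REQUEST_AUTH, SECRET)
REPLY_REJECT = build_reply(ACCESS_REJECT, 10, [], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    samples = [("ep1", REPLY_EP1), ("ep2", REPLY_EP2),
               ("unknown", REPLY_UNKNOWN), ("reject", REPLY_REJECT)]
    for name, pkt in samples:
        print(name, select_profile(pkt, REQUEST_AUTH, SECRET))
    # An attribute edited after the reply was signed must not authorize.
    tampered = REPLY_EP2.replace(b"GRP_ENDPOINT2", b"GRP_ENDPOINT1")
    print("tampered", select_profile(tampered, REQUEST_AUTH, SECRET))
```

The deny-by-default branch is the part worth keeping in mind whatever the real implementation ends up being: an Access-Accept whose group attribute matches none of the rules lands in no VN/SGT rather than in the first one.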