RD77
Beginner

ISE with external RADIUS server and SGT assignment

Hi,

In a SDA context we use ISE to apply SGT / VN / IPPool to the endpoint that connects to the network.

For particular endpoints that should not be directly authenticated by ISE, we need to rely on an external RADIUS server (that is not aware of the SGT, VN, etc.). But in the end the endpoints must be placed in the correct VN, with the correct IP Pool and SGT.

Is it possible to rely on the external RADIUS response (with potential RADIUS attribute values that may help) to build/rewrite a dedicated authz profile?

The idea would be to use the RADIUS attributes in the RADIUS response to build an ISE authorization profile with the appropriate SGT/VN/IP Pool?

Any other option for that use case?

Thanks

Regards
4 REPLIES
Rob Ingram
VIP Expert

@RD77 Yes, you can configure ISE to send authentication requests to an External RADIUS server; once authenticated, ISE will authorise the users to apply the SGT/VN etc.

@Rob Ingram Thanks for answering. What I do not catch is how/where we can map the external RADIUS reply to a usable ISE authz profile.

This is done at the Policy Set level. Instead of defining an Allowed Protocols, you can define a RADIUS Server Sequence as I've done here with my eduroam RADIUS Server Sequence:

[Image: RSS.png]

For the details on how to configure the RADIUS Server Sequence and the "authorize only" option to continue to ISE authorization after external RADIUS authentication, check out this guide:

Configuring eduroam on Cisco Identity Services Engine (ISE) 

@Charlie Moreton @Rob Ingram Thanks Rob, Charlie

Meanwhile, I would like to understand how ISE can select the correct Authorization Policy when "Continue to Authorization on Accept" is used.

Let's say we have 2 different endpoints that need to be authenticated with 802.1X through an external RADIUS server.

Each endpoint should get a different Authz profile from ISE when accepted. ==> I should have 2 Authz policies with 2 different Authz profiles.

What would be the conditions in the Authz Policy since ISE has not authenticated them (not in the Internal endpoint db, or in any identity store)?

Can we use, for example, a RADIUS attribute that is part of the external RADIUS reply, and build a condition with that?

Authz1 policy: if (External Radius Attribute = GRP_ENDPOINT1) then (AuthZ Profile) = AUTHZ_ENDPOINT1

Authz2 policy: if (External Radius Attribute = GRP_ENDPOINT2) then (AuthZ Profile) = AUTHZ_ENDPOINT2

Thank you for your support
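The flow the last post asks about, as an added worked model that is not ISE's own code or configuration: an external RADIUS server that only authenticates, a RADIUS Server Sequence that proxies to it, and, with "Continue to Authorization on Accept", an ISE-style rule table that matches an attribute from the external Access-Accept (Filter-Id is assumed here; the group names follow the post, the profile contents, SGT values, VN and pool names are placeholders) and selects the authorization profile. The user store and credentials are constructed. Treating an accepted user with no matching rule as a reject is this model's choice, standing in for the policy's default rule.

```python
"""Model of a RADIUS Server Sequence with "Continue to Authorization on Accept".
Constructed example: attribute names, group values, profiles and users are
assumptions, not taken from an ISE deployment."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusReply:
    """Minimal RADIUS response: a code plus attribute/value pairs."""
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


@dataclass
class AuthzProfile:
    """What ISE pushes on accept in the SDA case: SGT, VN and IP pool."""
    name: str
    sgt: int
    vn: str
    ip_pool: str


# Hypothetical authorization profiles (values are placeholders).
PROFILES = {
    "AUTHZ_ENDPOINT1": AuthzProfile("AUTHZ_ENDPOINT1", sgt=16, vn="CAMPUS_VN", ip_pool="POOL_EP1"),
    "AUTHZ_ENDPOINT2": AuthzProfile("AUTHZ_ENDPOINT2", sgt=17, vn="IOT_VN", ip_pool="POOL_EP2"),
}

# Authorization policy rules, evaluated top to bottom, first match wins.
# Each condition compares one attribute from the external reply (Filter-Id
# is an assumption) against a group name, as in the Authz1/Authz2 rules above.
AUTHZ_RULES = [
    ("Filter-Id", "GRP_ENDPOINT1", "AUTHZ_ENDPOINT1"),
    ("Filter-Id", "GRP_ENDPOINT2", "AUTHZ_ENDPOINT2"),
]

# Constructed stand-in for the external RADIUS server's user store.
EXTERNAL_USERS = {
    "ep1": ("pw1", {"Filter-Id": "GRP_ENDPOINT1"}),
    "ep2": ("pw2", {"Filter-Id": "GRP_ENDPOINT2"}),
    "ep3": ("pw3", {}),   # valid credentials, but the server returns no group attribute
}


def external_radius(username: str, password: str) -> RadiusReply:
    """Simulated external server: it authenticates and knows nothing of SGT/VN/pools."""
    entry = EXTERNAL_USERS.get(username)
    if entry is None or entry[0] != password:
        return RadiusReply("Access-Reject")
    return RadiusReply("Access-Accept", dict(entry[1]))


def authorize(reply: RadiusReply) -> Optional[AuthzProfile]:
    """ISE-side authorization: match the reply's attributes against the rule table."""
    for attr, expected, profile_name in AUTHZ_RULES:
        if reply.attributes.get(attr) == expected:
            return PROFILES[profile_name]
    return None   # no rule matched: fall through to the implicit deny


def authenticate_and_authorize(username: str, password: str, continue_on_accept: bool = True):
    """RADIUS Server Sequence: proxy authentication, then optionally run ISE authorization.

    Returns (final_code, profile). profile is None when access is rejected or when
    ISE is set to relay the external reply without continuing to authorization."""
    reply = external_radius(username, password)
    if reply.code != "Access-Accept":
        return "Access-Reject", None            # external server denied; ISE stops here
    if not continue_on_accept:
        return "Access-Accept", None            # external reply relayed; no SGT/VN applied
    profile = authorize(reply)
    if profile is None:
        return "Access-Reject", None            # accepted externally but unmapped: deny
    return "Access-Accept", profile


if __name__ == "__main__":
    for user, pw in [("ep1", "pw1"), ("ep2", "pw2"), ("ep3", "pw3"), ("ep1", "wrong")]:
        code, prof = authenticate_and_authorize(user, pw)
        print(user, code, prof.name if prof else "-")
```

The "ep3" case is the one worth watching in a real deployment: the external server accepts the endpoint, but because its reply carries no attribute that any rule matches, the endpoint ends at the policy's default rule rather than in the intended VN, which is why the default rule and the external server's returned attributes both need to be reviewed together.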
