
ISE with external RADIUS server and SGT assignment



In an SDA context we use ISE to apply an SGT / VN / IP pool to the endpoint that connects to the network.

For particular endpoints that should not be directly authenticated by ISE, we need to rely on an external RADIUS server (that is not aware of the SGT, VN, etc.), but in the end the endpoints must be placed in the correct VN, with the right IP pool and SGT.


Is it possible to rely on the external RADIUS response (with potential RADIUS attribute values that may help) to build/rewrite a dedicated authz profile?


The idea would be to use the RADIUS attributes in the RADIUS response to build an ISE authorization profile with the appropriate SGT/VN/IP pool.

Any other option for that use case?






@REJR77 Yes, you can configure ISE to send authentication requests to an external RADIUS server; once authenticated, ISE will authorise the users to apply the SGT/VN etc.

@Rob Ingram Thanks for answering. What I do not get is how/where we can map the external RADIUS reply to a usable ISE authz profile.

This is done at the Policy Set level. Instead of defining an Allowed Protocols list, you can define a RADIUS Server Sequence, as I've done here with my eduroam RADIUS Server Sequence:






For the details on how to configure the RADIUS Server Sequence and the "authorize only" option to continue to ISE authorization after external RADIUS authentication, check out this guide:


Configuring eduroam on Cisco Identity Services Engine (ISE) 

@Charlie Moreton @Rob Ingram Thanks Rob and Charlie.

Meanwhile, I would like to understand how ISE can select the correct Authorization Policy when the "Continue to Authorization on Accept" is used.


Let's say we have 2 different endpoints that need to be authenticated with 802.1X through an external RADIUS server.

Each endpoint should get a different authz profile from ISE when accepted, so I should have 2 authz policies with 2 different authz profiles.


What would be the conditions in the authz policy, since ISE has not authenticated them (they are not in the internal endpoint DB or in any identity store)?

Can we use, for example, a RADIUS attribute that is part of the external RADIUS reply, and build a condition with that?


Authz1 policy: if (External RADIUS Attribute = GRP_ENDPOINT1) then (Authz Profile) = AUTHZ_ENDPOINT1

Authz2 policy: if (External RADIUS Attribute = GRP_ENDPOINT2) then (Authz Profile) = AUTHZ_ENDPOINT2


Thank you for your support
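The two authz rules proposed in the last post, modelled in working code, as an added example that is not part of the thread and is not ISE code: the external server's Access-Accept carries a group value in an attribute, and that value picks the authorization profile. The example does not claim how ISE itself exposes attributes from a proxied reply; the attribute used (Filter-Id), the AUTHZ_RULES table, the shared secret and the Request Authenticator are all assumptions constructed for the demonstration. What it does show, and what a practitioner should check before building policy on a proxied reply, is that the attributes are only trustworthy after the Response Authenticator defined in RFC 2865 (MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret) has been verified against the request the reply answers: a reply whose group value was altered in transit, or that came from a server with a different secret, must be discarded rather than mapped to a profile.

```python
"""Model of the authorization step discussed in the thread: an external RADIUS
server authenticates the endpoint, and an attribute in its Access-Accept selects
the authorization profile. Added example, not ISE code or the thread's own.
"""
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CLASS = 25

# Hypothetical rule table mirroring the two authz rules proposed in the thread:
# value of the chosen attribute -> ISE authorization profile name.
AUTHZ_RULES = {
    b"GRP_ENDPOINT1": "AUTHZ_ENDPOINT1",
    b"GRP_ENDPOINT2": "AUTHZ_ENDPOINT2",
}


def build_response(code, ident, attrs, request_auth, secret):
    """Build a RADIUS response carrying a valid Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Parse the type/length/value attribute list, rejecting malformed lengths."""
    attrs = []
    off = 0
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!BB", body[off:off + 2])
        if a_len < 2 or off + a_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((a_type, body[off + 2:off + a_len]))
        off += a_len
    return attrs


def authenticator_ok(packet, request_auth, secret):
    """True if the Response Authenticator matches the shared secret and the
    Request Authenticator of the request this reply answers."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def select_authz_profile(packet, request_auth, secret, attr_type=ATTR_FILTER_ID):
    """Return the authz profile named by the external server's reply, None if
    the server rejected or no rule matched, and raise if the reply is untrusted."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not authenticator_ok(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the expected server")
    if code != ACCESS_ACCEPT:
        return None  # authentication failed upstream; nothing to authorize
    for a_type, value in parse_attributes(packet[20:]):
        if a_type == attr_type and value in AUTHZ_RULES:
            return AUTHZ_RULES[value]
    return None  # accepted, but no rule matched: falls through to the default rule


if __name__ == "__main__":
    # Constructed sample input: the secret and Request Authenticator are made up.
    SECRET = b"example-shared-secret"
    REQ_AUTH = bytes(range(16))
    accept = build_response(ACCESS_ACCEPT, 7,
                            [(ATTR_USER_NAME, b"endpoint1"),
                             (ATTR_FILTER_ID, b"GRP_ENDPOINT1")],
                            REQ_AUTH, SECRET)
    print(select_authz_profile(accept, REQ_AUTH, SECRET))  # AUTHZ_ENDPOINT1
    # Changing the group value in transit breaks the authenticator
    tampered = accept.replace(b"GRP_ENDPOINT1", b"GRP_ENDPOINT2")
    print(authenticator_ok(tampered, REQ_AUTH, SECRET))  # False
```

Which attribute carries the group value is a design choice to agree with whoever runs the external server; Filter-Id and Class are common candidates, and Class has the advantage that RFC 2865 requires the NAS to echo it in accounting, which helps when correlating sessions later. Whatever is chosen, the rule table should have an explicit fall-through (here `None`, meaning the policy set's default rule applies) so an Access-Accept without a recognised group never lands in a permissive profile by accident.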