Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
1
Replies

RADIUS proxy to ISE with accounting only for SGT-IP mappings

slevesqu
Cisco Employee
Cisco Employee

‎09-05-2019 11:34 AM

Looking for a design validation for a customer.

 

Customer is using Clearpass for wireless and wants to do:

- RADIUS proxy from Clearpass to ISE but only with RADIUS accounting to extract the username. Clearpass is performing the Authentication/Authorization and these 2 are not proxied

- ISE will then retrieve the AD groups associated to the username and use it to map an SGT.

- This SGT-IP mapping will then be sent via SXP to FMC-FTD for enforcement.

 

Is this a supported design? Do we use the same design criterias for scalability based on concurrent endpoints in this scenario and the same licensing consumption?

 

Thanks

0 Helpful
1 Reply 1

kthiruve
Cisco Employee
Cisco Employee

‎09-05-2019 12:34 PM

Employees are encouraged to use the internal forum for questions

Ask ISE

 

Please reach out to us since this is design related. It needs more information or a further discussion to understand use case, solution options etc.

 

-Krishnan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents