Radius Token vs External radius server differences?

Steven Williams
Level 4

What are the differences when configuring Radius with ISE between defining a "radius token" or "external radius server"?

Accepted Solutions

paul
Level 10

RADIUS token server is used when you only really need an accept/reject back from the external RADIUS server. You can map one attribute coming back from the RADIUS server to an AV pair value if needed. The RADIUS token is treated like another identity store and can be used on its own or in a sequence.

The RADIUS radius server is a full proxied RADIUS setup where all attributes from the external RADIUS server are passed back and accepted by ISE and in turn passed back to the NAD.

I typically use the RADIUS token server definition for most of my external RADIUS setups to keep things simple unless I need AV pairs from the external RADIUS server.

3 Replies

Hi @paul, just to have a follow-up question.

If I use RADIUS Token Server for the integration of my ISE, do I need to configure the username stored locally in ISE database? What I noticed in my client's setup is that they configured their own local username (same username as in their 2FA server) stored in the ISE local DB.

How can I set up ISE so that my users can authenticate (username and passcode) directly to the 2FA? Do I need to integrate my 2FA as RADIUS Token or External RADIUS Server?

Thanks

You can set up your network devices to point directly at the 2FA solution for authentication and point to ISE for authorization. In your ISE policy set you can set the authentication to go against the Internal User Database and set the "User not Found" condition to Continue. This allows you to essentially bypass authentication in ISE and perform authorization functions. There is no need to have any local usernames in the ISE database.