10-30-2018 05:47 AM
What are the differences when configuring Radius with ISE between defining a "radius token" or "external radius server"?
10-30-2018 06:21 AM
RADIUS token server is used when you only really need an accept/reject back from the external RADIUS server. You can map one attribute coming back from the RADIUS server to an AV pair value if needed. The RADIUS token is treated like another identity store and can be used on its own or in a sequence.
The external RADIUS server is a full proxied RADIUS setup where all attributes from the external RADIUS server are passed back and accepted by ISE and in turn passed back to the NAD.
I typically use the RADIUS token server definition for most of my external RADIUS setups to keep things simple unless I need AV pairs from the external RADIUS server.
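To make the difference between the two integration styles concrete, here is an added example (not from this thread, Cisco or the ISE product) that models the two behaviours on a raw RADIUS response: a "token server" style handler reduces the reply to accept/reject and copies at most one attribute into an AV pair, while a "proxy" style handler relays every attribute it receives. The packet layout, Response Authenticator check and attribute codes follow RFC 2865; the shared secret, Request Authenticator, attribute values and function names are constructed for this example. The authenticator check is included because a proxy that forwards arbitrary attributes should only trust replies it can verify against the shared secret.

```python
"""Toy model of the ISE 'RADIUS token server' vs 'external RADIUS server' handling (constructed example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Standard attribute type codes (RFC 2865). Session-Timeout is a 4-byte integer; the rest are strings.
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 25: "Class", 27: "Session-Timeout"}
INTEGER_ATTRS = {27}


def encode_attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; integers become 4-byte big-endian."""
    raw = struct.pack("!I", value) if isinstance(value, int) else value
    return struct.pack("!BB", atype, len(raw) + 2) + raw


def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS response with a correct Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_response(pkt, request_auth, secret):
    """Parse and authenticate a response; raises ValueError on malformed or unauthenticated packets."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or tampered packet)")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("attribute length out of range")
        raw = body[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError("integer attribute must be 4 bytes")
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("utf-8", "replace")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return code, ident, attrs


def token_server_decision(pkt, request_auth, secret, mapped_attr=None):
    """Token-store style: keep only accept/reject, optionally copying ONE named attribute to an AV pair."""
    code, _, attrs = parse_response(pkt, request_auth, secret)
    accepted = code == ACCESS_ACCEPT
    av_pairs = []
    if accepted and mapped_attr is not None:
        for name, value in attrs:
            if name == mapped_attr:
                av_pairs.append((name, value))
                break
    return {"accepted": accepted, "av_pairs": av_pairs}


def external_radius_decision(pkt, request_auth, secret):
    """Proxy style: every attribute in an authenticated response is relayed unchanged."""
    code, _, attrs = parse_response(pkt, request_auth, secret)
    return {"accepted": code == ACCESS_ACCEPT, "av_pairs": attrs}


# Constructed sample data: a fixed Request Authenticator, a made-up shared secret, and an
# Access-Accept carrying Filter-Id, Session-Timeout and Class, plus a bare Access-Reject.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET,
                               [(11, b"employee-acl"), (27, 3600), (25, b"opaque-class")])
SAMPLE_REJECT = build_response(ACCESS_REJECT, 8, REQUEST_AUTH, SECRET, [])

if __name__ == "__main__":
    print("token :", token_server_decision(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET, mapped_attr="Filter-Id"))
    print("proxy :", external_radius_decision(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("reject:", external_radius_decision(SAMPLE_REJECT, REQUEST_AUTH, SECRET))
```

Run as a script it prints the three decisions; the token handler yields an accept plus only the mapped Filter-Id, while the proxy handler also passes Session-Timeout and Class through to whatever sits downstream. Swapping the shared secret makes `parse_response` raise before any attribute is trusted.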
08-06-2020 02:54 AM
Hi @paul, just a follow-up question.
If I use RADIUS Token Server for the integration of my ISE, do I need to configure the username stored locally in the ISE database? What I noticed in my client's setup is that they configured their own local username (the same username as in their 2FA server) stored in the ISE local DB.
How can I set up ISE so that my users can authenticate (username and passcode) directly to the 2FA? Do I need to integrate my 2FA as a RADIUS Token or an External RADIUS Server?
Thanks
08-06-2020 09:22 AM
You can set up your network devices to point directly at the 2FA solution for authentication and point to ISE for authorization. In your ISE policy set you can set the authentication to go against the Internal User Database and set the "User not Found" condition to Continue. This allows you to essentially bypass authentication in ISE and perform authorization functions. There is no need to have any local usernames in the ISE database.