
Using OTP for Authentication and ISE for Authorization in Cisco Switches

Level 1


I was wondering if it is possible to authenticate users with a RADIUS server and authorize them with ISE when they want to log in to my switch through VTY lines. (My RADIUS server is OTP and it does not support TACACS, so I need to authenticate my secondary admins with my OTP server and authorize them with ISE TACACS so they log in with lower privilege.) Can I do this?

5 Replies

Rahul Govindan
VIP Alumni

If you are just looking to assign privilege levels to the user, you don't need to use TACACS - you can use RADIUS to do that using Cisco A/V pairs. The RADIUS auth can be forwarded to a token server on ISE and the subsequent authorization can send Access-Accept with the right shell-privilege. A good example of that is here:

Thanks for your reply. Actually I should've mentioned that I'm using a RADIUS server which is an OTP, and I'm authenticating my users via that server, not ISE. Also, the users on my OTP server are local, which means they have not been fetched from Active Directory. My question is, can I connect the OTP to ISE (with the condition that my OTP users have a different password when they log in to switches, and ISE just checks the username and not their password), so that when my users authenticate with OTP, the ISE authorization is assigned to them?

* My OTP server is WebADM OpenOTP.

Sorry, but I'm new to AAA servers and I'm trying to learn...

I really haven't tried this, but you could try changing the "aaa authorization exec" command to point to the ISE server and leave the "aaa authentication" commands the same.

Another suggestion is what I mentioned earlier: point both to ISE using RADIUS. Authentication is forwarded to your OTP server and proceeds as usual. The ISE server then does the authorization for the same user.

Actually I tried to point the authorization to ISE, but my users kept logging in to the switch with privilege 15 (sadly :d).

You are right. I'm gonna test it and get back to you with the results. Thanks.

Hi, sorry for the delay. I just wanted you to know that I solved the problem using "External Radius Server" and configuring sequence rules and external servers.
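
Added example, not written by any poster in this thread: the RADIUS approach suggested in the replies depends on the Access-Accept carrying a Cisco AV pair with `shell:priv-lvl`, so this Python parser extracts the Cisco AV pairs from an Access-Accept and reports the privilege level it requests, which is the thing to check in a capture when an admin lands at the wrong level. The function names are illustrative and the packet is built by `build_accept` as constructed sample data.

```python
import struct
from typing import List, Optional

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
VSA = 26            # Vendor-Specific attribute type (RFC 2865)
CISCO = 9           # Cisco's IANA enterprise number
AVPAIR = 1          # Cisco vendor type 1 = Cisco-AVPair

def cisco_avpairs(packet: bytes) -> List[str]:
    """Return every Cisco-AVPair string carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20          # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VSA or len(value) < 6 \
                or int.from_bytes(value[:4], "big") != CISCO:
            continue
        sub = value[4:]          # vendor sub-attributes: type, length, data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == AVPAIR:
                pairs.append(sub[2:sub[1]].decode("ascii", "replace"))
            sub = sub[sub[1]:]
    return pairs

def exec_privilege(packet: bytes) -> Optional[int]:
    """Privilege level requested via shell:priv-lvl, or None if absent."""
    for pair in cisco_avpairs(packet):
        name, _, val = pair.partition("=")
        if name.strip() == "shell:priv-lvl" and val.strip().isdigit():
            return int(val.strip())
    return None

def build_accept(avpairs: List[str]) -> bytes:
    """Constructed sample: an Access-Accept with a zeroed authenticator."""
    attrs = b""
    for p in avpairs:
        v = p.encode("ascii")
        vsa = struct.pack("!IBB", CISCO, AVPAIR, len(v) + 2) + v
        attrs += bytes([VSA, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A result of `None` means the reply carried no `shell:priv-lvl` pair at all, so the level the session ended up with did not come from this Access-Accept.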