01-24-2017 01:35 AM - edited 03-11-2019 12:23 AM
Hi,
I was wondering if it is possible to authenticate users with a RADIUS server and authorize them with ISE when they want to log in to my switch through VTY lines. (My RADIUS server is an OTP server and it does not support TACACS, so I need to authenticate my secondary admins with my OTP server and authorize them with ISE TACACS so they log in with lower privilege.) Can I do this?
01-24-2017 06:48 AM
If you are just looking to assign privilege levels to the user, you don't need to use TACACS; you can use RADIUS to do that using Cisco A/V pairs. The RADIUS auth can be forwarded to a token server on ISE and the subsequent authorization can send an Access-Accept with the right shell privilege. A good example of that is here:
https://www.youtube.com/watch?v=VH98hTMeEvk
01-27-2017 12:38 AM
Thanks for your reply. Actually, I should've mentioned that I'm using a RADIUS server which is an OTP server, and I'm authenticating my users via that server, not ISE. Also, the users on my OTP server are local, which means they have not been fetched from Active Directory. My question is, can I connect the OTP server to ISE (with the condition that my OTP users have a different password when they log in to switches, and ISE just checks the username and not their password), so that when my users authenticate with OTP the ISE authorization is assigned to them?
* My OTP server is WebADM OpenOTP.
Sorry, but I'm new to AAA servers and I'm trying to learn...
01-27-2017 07:15 PM
I really haven't tried this, but you could try changing the "aaa authorization exec" command to point to the ISE server and leave the "aaa authentication" commands the same.
Another suggestion is what I mentioned earlier: point both to ISE using RADIUS. Authentication is forwarded to your OTP server and proceeds as usual. The ISE server then does the authorization for the same user.
01-31-2017 09:38 AM
Actually, I tried to point the authorization to ISE, but my users kept logging in to the switch with privilege 15 (sadly :D).
You are right. I'm gonna test it and get back to you with the results. Thanks.
05-15-2017 12:21 AM
Hi, sorry for the delay. I just wanted you to know that I solved the problem using "External RADIUS Server" and configuring sequence rules and external servers.
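The switch-side AAA configuration that goes with the approach this thread ends up with (the switch speaks RADIUS only to ISE; ISE proxies the authentication to the OTP server through an External RADIUS Server / RADIUS Server Sequence and applies its own authorization profile to the reply), as an added example that is not from any of the posts above. The ISE part (external server, sequence, authorization profile) is done in the ISE GUI and is not shown; only the attribute ISE has to return is. The server name ISE-PSN1, the address 10.0.0.10, the group name ISE-RADIUS, the method-list names, privilege level 7 and the fallback account are placeholders.

```ios
! Added example, not from the thread. Names, address, secret and
! privilege level are placeholders for your own environment.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! Authenticate and authorize VTY logins against ISE; fall back to the
! local user database only when ISE does not answer.
aaa authentication login VTY-AUTH group ISE-RADIUS local
aaa authorization exec VTY-AUTHZ group ISE-RADIUS local
!
! With RADIUS, exec authorization is not a separate request to the server:
! IOS applies the attributes carried in the Access-Accept that ISE returned
! for the login. The ISE authorization profile assigned to these users must
! therefore put a Cisco AVPair into that Access-Accept, for example
!   cisco-av-pair = "shell:priv-lvl=7"
! (Vendor-Specific attribute 26, vendor ID 9, vendor type 1).
! A RADIUS server that only authenticates (the OTP server on its own) never
! sends this attribute, so the session falls back to the line default.
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
!
! Local fallback account, used only when ISE is unreachable.
username fallback-admin privilege 15 secret <local-password>
```

To check the result, log in over SSH with an OTP user and run `show privilege` on the switch; `debug radius` shows the Access-Accept from ISE and whether the `shell:priv-lvl` AVPair was actually present. Keep the `local` fallback, since a RADIUS server that is down would otherwise lock you out of the VTY lines.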