cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
451
Views
3
Helpful
2
Replies

What attributes can we send from ISE to an external radius authentication servers

edmcnich
Cisco Employee
Cisco Employee

I have a customer that is integrating ISE with an external radius provider (onelogin) for authentication. This radius instance also provides risk based (adaptive) authentication, where it will challenge based off of client information (Source IP, OS, NAD, etc...). Does ISE forward over any contextual information to the external radius provider during authentication, or is this configurable?

1 Accepted Solution

Accepted Solutions

Craig Hyps
Advocate
Advocate

It depends on the RADIUS integration method.   The two fundamental methods is RADIUS Token and RADIUS Proxy.  With proxy we relay all attributes to external RADIUS instance.  ISE can also manipulate attributes in flight to or from external.

In RADIUS Token case, it is a basic RADIUS PAP request with username (identity) where ISE is the NAD (RADIUS client) to external RADIUS server.  In response, we accept a single authorization attribute.

Craig

View solution in original post

2 Replies 2

Craig Hyps
Advocate
Advocate

It depends on the RADIUS integration method.   The two fundamental methods is RADIUS Token and RADIUS Proxy.  With proxy we relay all attributes to external RADIUS instance.  ISE can also manipulate attributes in flight to or from external.

In RADIUS Token case, it is a basic RADIUS PAP request with username (identity) where ISE is the NAD (RADIUS client) to external RADIUS server.  In response, we accept a single authorization attribute.

Craig

Thanks Craig

Thanks!

Ed

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: