04-29-2017 06:49 PM
I am setting up my WSA to use ISE as an external authentication method. I have several other Cisco devices using ISE for Device Administration (RADIUS, not TACACS). The routers and switches set their service type as Login. The WSA sets its service type as 134217728. I'd rather not create another Top Level Entry in my policy sets to handle the WSA. I am looking to create a compound condition with a Boolean OR for the devices. I can select RADIUS service type virtual for the routers and switches but I cannot enter 134217728 as a valid service type. I only get the system provided drop downs.
Is it possible to add this to the existing RADIUS > Service Type dictionary or can I create my own dictionary with the service type of 134217728?
I know I can key on other attributes but I would like to use other attributes that come from the machine logins.
Regards.
Sam
05-01-2017 07:11 AM
Currently, the RADIUS-IETF dictionary cannot be modified. You could try creating an NDG with WSAs, and then craft a policy set condition that reads NDG = WSA or Service-Type = Login to satisfy both in a single policy set.
05-01-2017 07:15 AM
Thanks Hosuk. The customer ended up going with NDG configuration. As an FYI, the WSA sends a Service-Type value of 134217728, not Login.
12-04-2019 05:13 PM
Do you know if WSA can use TACACS+ as external authentication service in the latest version?
Thanks.