cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
381
Views
0
Helpful
1
Replies

Using ISE as PPP Radius server

luckymike33
Level 1
Level 1

Hi,

 

I am looking at configuring an ISE server as a radius server.

 

I need to be able to match on internal users and allocate them to a specific authorization profile as some of the attributes are user-specific (static ip address, static routes) and some can be grouped together and applied via an authorization profile, i.e. VRF.  basically some users have mutliple lines and they will be grouped together into their own VRF.

 

At the moment - I cannot see how it is possible to match against an internal users - I was hoping to use the 'user group's attribute configured when creating each user account. But, I am having trouble configuring ISE to accept this as an authorization condition, my syntax is something as follows:

 

Internal-User:User-group = 'user-group-name'

 

With the 'user-group-name' field being the actual value configured under the user account.

 

Does anyone have any experience with match on internal users, to be able to apply an authorization profile to them?

 

Best wishes

 

Mike

1 Reply 1

Hi Mike,

I am using ISE 2.4 in my lab, I have the condition InternalUser:IdentityGroup (not Internal-User:User-group), this then provides a drop down list of all Internal Groups to select from. It was slightly different to configure in the AuthZ policy in older versions, but you do have the ability to select a local group.

 

HTH

 

identity group.PNG

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: