I have two RADIUS servers (Cisco ISE) installed in my company and all corporate clients are authenticating via these RADIUS servers using EAP-TLS.
Now due to Office 365, we have a few new clients which don't have our company certificates. So an external company installed a cloud RADIUS server and provided me the IP, port and shared secret details and asked me to configure it under my corporate WLAN so that the new clients connect to the same WLAN but authenticate using the cloud RADIUS server.
Is it possible or not? If yes, then what do I need to do?
Info: I already configured the cloud RADIUS server on the WLC and added it under the WLAN as the 3rd RADIUS server. Will it work?
Because I heard that if the client can't get authenticated on the first RADIUS server, that RADIUS server will most probably send back a RADIUS reject, which means the WLC should not authenticate the user. The 2nd RADIUS server will not be checked!!!
I don’t understand why you say that's due to Office 365. Put it this way: you secure your network by using certificates and having computers joined to the domain. Never have an external company tell you that you should point to their RADIUS server. Who is controlling what devices can and really shouldn’t be on your network? Place these devices on a different SSID that you control or don’t allow them on your network. If you have a guest network and the user has VPN, let them connect that way, or find another solution.
I understand your point, but still I want to test, as we are installing Office 365 and a cloud-based RADIUS server with the help of an external company.
I just want to know whether, with the same corporate SSID, I could use a cloud-based RADIUS server for a few non-domain clients to authenticate. Meaning, normal domain computers will authenticate with my Cisco ISE RADIUS servers and a few non-domain computers will authenticate with the cloud-based RADIUS server.
These new non-domain computers will also have a local/root certificate which will be authenticated by the cloud-based RADIUS server.
There are possibilities, but I've never tried it with certificates.
In the case of username & password authentication, you would send all RADIUS requests to the ISE and, depending on the domain (firstname.lastname@example.org), you would proxy it to the Office 365 RADIUS server for authentication.
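A small model of the two behaviours discussed in this thread (the WLC only failing over when a server does not answer, and ISE proxying by the domain part of the username as in the last reply), added here as an illustration and not code from any poster or from Cisco ISE; the server names, users and domains are constructed, and this is not a real RADIUS client.

```python
ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", "timeout"

def make_server(known_users, reachable=True):
    """Constructed RADIUS backend: Accept for its own users, Reject for anyone
    else, and 'timeout' (no reply at all) when the server is unreachable."""
    def handle(user_name):
        if not reachable:
            return TIMEOUT
        return ACCEPT if user_name in known_users else REJECT
    return handle

# Constructed servers: the ISE nodes know the domain users, the cloud server
# knows the non-domain users, and neither side knows the other's accounts.
ISE_PRIMARY = make_server({"alice@corp.example"})
ISE_SECONDARY = make_server({"alice@corp.example"})
CLOUD = make_server({"bob@cloud.example"})

def wlc_authenticate(servers, user_name):
    """WLC behaviour from the thread: servers are tried in order, but the WLC
    only moves on when a server does not answer. An Access-Reject is a final
    answer, so later servers are never consulted for that request."""
    for name, handle in servers:
        reply = handle(user_name)
        if reply == TIMEOUT:
            continue            # failover happens only on silence
        return name, reply      # Accept or Reject ends the attempt
    return None, TIMEOUT

def ise_realm_proxy(realm_table, default, user_name):
    """Proxying from the last reply: ISE takes every request and forwards it by
    the domain part of User-Name; requests for unknown realms stay local."""
    realm = user_name.rpartition("@")[2].lower() if "@" in user_name else ""
    return realm_table.get(realm, default)(user_name)

# Scenario 1: cloud server appended as the 3rd entry on the WLAN (the question).
WLAN_SERVERS = [("ise1", ISE_PRIMARY), ("ise2", ISE_SECONDARY), ("cloud", CLOUD)]
# Scenario 2: ISE holds a realm table and proxies instead.
REALMS = {"cloud.example": CLOUD}

def demo():
    """Outcomes for the non-domain user bob under both scenarios."""
    return {
        "wlc_third_server": wlc_authenticate(WLAN_SERVERS, "bob@cloud.example"),
        "wlc_ise_down": wlc_authenticate(
            [("ise1", make_server(set(), reachable=False)), ("cloud", CLOUD)],
            "bob@cloud.example"),
        "ise_proxy": ise_realm_proxy(REALMS, ISE_PRIMARY, "bob@cloud.example"),
    }
```

With the cloud server as a 3rd entry, bob is rejected by ise1 and the cloud server is never asked; only when the ISE nodes are unreachable does his request get that far, whereas the realm proxy routes him to the cloud server every time.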