
New Member

Authenticated on ISE 1.2 (as admin) against an external radius server

Hello

Our customer wants to be authenticated on ISE 1.2 (as admin) against an external RADIUS server (like ACS, not Microsoft). How could I do that?

Is it possible while retaining the internal admin users database in a sequence "external_radius or internal"?

Thank you in advance.

Best regards

4 REPLIES
Cisco Employee

Re: Authenticated on ISE 1.2 (as admin) against an external radi

Jean-Luc,

Sure thing!

Make sure your RADIUS Server is already added in the External Identity Sources.  To do this, navigate to Administration > Identity Management > External Identity Sources:

ADMIN_RADIUS1.GIF

From there, navigate to Administration > System > Admin Access.  In the Authentication entry on the Left Menu, choose the Identity Source from the drop-down menu.

ADMIN_RADIUS2.GIF

Click Save and Logout.  You will now see a new Identity Source drop-down on the login page.  From here you can select RADIUS or Internal.

ADMIN_RADIUS3.GIF

This will allow local logins in case the RADIUS server is down for any reason.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

New Member

Authenticated on ISE 1.2 (as admin) against an external radius s

Hello Charles,

Many thanks for your help. That works fine!!

Best regards,

Cisco Employee

Authenticated on ISE 1.2 (as admin) against an external radius s

Great news!  Glad this worked for you.

Charles Moreton

New Member

External authentication is

External authentication is supported only with internal authorization:

 

External Authentication + Internal Authorization

When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:

  • You do not need to specify any particular external administrator groups for the administrator.
  • You must configure the same username in both the external identity store and the local Cisco ISE database.

To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:


Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.

The Administrators window appears, listing all existing locally defined administrators.

Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.


Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.


 

Step 3 Click Save.
