Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cisco ISE - radius proxy

Hi,

Is the following possible:

- let the ISE do the authentication and then proxy to another radius server which does the authorization.

At the moment we have a freeradius server that does the following:

1) authenticates 802.1x requests (eap-tls)

2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.

I am checking if I can migrate to ISE but then the above would have to work.

For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.

regards

Thomas

3 REPLIES

Cisco ISE - radius proxy

Hello. Yes, ISE can work as a radius proxy. Here's a link and a screenshot

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1127216

If you like, you can download an ISE trial of 90 days to test everything before implementation.

Kind regards. Please rate if it helps

Community Member

Cisco ISE - radius proxy

where do i find ISE trial to download? i've tried cisco.com/go/ise  but i only found WCS to download :/

Cisco Employee

Cisco ISE - radius proxy

ISE acts as a RADIUS proxy server by proxying the requests from a network access  device (NAD) to a RADIUS server. The RADIUS server processes the request and  returns the result to Cisco ISE. Cisco ISE then sends the response to the  NAD

FYI

you can use the RADIUS server sequences to proxy the requests to a  RADIUS server.

The RADIUS server sequence strips the domain name from the  RADIUS-Username attribute for RADIUS authentications. This domain stripping is  not applicable for EAP authentications, which use the EAP-Identity attribute.  The RADIUS proxy server obtains the username from the RADIUS-Username attribute  and strips it from the character that you specify when you configure the RADIUS  server sequence. For EAP authentications, the RADIUS proxy server obtains the  username from the EAP-Identity attribute. EAP authentications that use the  RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username  values are the same.

3534
Views
0
Helpful
3
Replies
CreatePlease to create content