ISE admin access, authentication against external radius

Similar Messages

• ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

  Hi all!
  We would like to grant admin cccess to our ISE deplyoment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
  Any ideas how to solve this problem?
  Thanks in advance!
  Kind regards,
  Michael Langerreiter

  I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
  Jatin Katyal
  - Do rate helpful posts -

• ISE Admin Access Authentication to RADIUS Token Server

  Hi all!
  I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
  Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
  Thanks in advance,
  Michael Langerreiter

  ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.
  Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
  Last Modified
  Nov 25, 2014
  Product
  Cisco Identity Services Engine (ISE) 3300 Series Appliances
  Known Affected Releases
  1.3(0.876)
  Description (partial)
  Symptom:
  ISE 1.3 RBAC fails with shadow user & Radius token
  Operations > Reports > Deployment Status > Administrator Logins report shows
  Authentication failed due to zero RBAC Groups
  Conditions:
  RBAC with shadow user & Radius token
  View Bug Details in Bug Search Tool
  Why Is Login Required?
  Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
  Bug Details Include
  Full Description (including symptoms, conditions and workarounds)
  Status
  Severity
  Known Fixed Releases
  Related Community Discussions
  Number of Related Support Cases
  Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

• Two factor authentication ACS 5.x against external Radius and Active Directory

  On ACS 5.x I'd like to authenticate against two external Directories
  Active Directory
  Black Shield Token Server (via RADIUS)
  I found a description the meets mostly my requirements at
       http://blog.pbmit.com/digipass2
  Has somebody an Idea how this has to be implemented on Cisco ACS 5.3?
  In the identity store swwquence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success)
  Active Directory and Cisco ACS
        This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

  just following up to see if there was a solution to this.  I am also interested in setting this type of scenerio out.

• Identity Service Engine (ISE) Admin Access

  Is it possible to authenticate the ISE administrator via an external Radius Server? The option I find is that it will not work, 
  The manual reads: 
  In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
  Is this the case ?

  Sure you can!
  Make sure you have the RADIUS server added to the ISE (Administration > Identity Management > External Identity Sources  Select RADIUS Token from the left menu).
  Then head over to Administration > System > Admin Access.  Change the * Identity Source to your RADIUS Server and click Save
  Log out and you will see an new entry on the log in screen.  Click the dropdown for Identity Source and choose your RADIUS Server.  If this connection gets dropped for any reason, you can always log in using the internal identity source as a fallback.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

  Hi community,
  We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
  Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
  To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
  Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
  Anybody else come across this??
  All helpful comments rated!
  Many thanks, Ash.

  I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

  Hello,
  After upgrading ISE VM from 1.2.1 to 1.3.0.876, I can't connect on ISE with AD Credentials (Invalid Username or Password). It worked find before upgrading to 1.3.
  On another ISE VM in 1.3.0.876 version (w/o upgrade) with this kind of configuration, it's OK.
  I have double check the Post-upgrade tasks (particularly rejoining Active Directory). Everything worked find after this upgrade except the admin access with AD credentials.
  I don't use user certificate-based authentication for admin access. So I didn't execute application start ise safe CLI.
  My 802.1x wireless users passed authentication with AD credentials. So the ISE had correctly join my AD.
  I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
  I don't find anything related to this in bug search on Cisco tools.
  I tried to :
  - update the SID of my Admin AD Group, the result is still the same.
  - delete my admin access with AD credentials configuration then make this configuration again, but still the same error.
  Any ideas on this ? Could I find elements in another log ?
  Regards.

  Dear Markus,
  After logging as user "prdadm"
  su - prdadm
  bssltests% bash-3.00$ ls -a
  .                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
  ..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
  .bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
  .cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
  .dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
  .dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
  .dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
  .dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
  .dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
  .dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10  sqlnet.log
  bash-3.00$
  bash-3.00$
  I have changed envt settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
  .sapenv_bssltests.sh & .sapenv_bssltests.csh  [4 files]
  Regards,
  Ankita

• Authenticate Users against external RADIUS-Server

  Hi,
  i have some users in the local LDAP database of an 10.5 Server.
  Is there a way to store their passwords on an external RADIUS-Server?
  Thank you very much,
  macservo
  Message was edited by: macservo

  CryptoCard does this.
  We use it at one customer for L2TP VPN authentication.
  This way the VPN user get's a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
  You then have to authenticate to any service you want to use (Kerberos?).
  We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
  Maybe possible to us it for Ethernet/Wireless 802.1X authentication too?
  For just AFP server auth I don't know.

• VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

  I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
  If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
  If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
  Current configuration : 6199 bytes
  ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa local authentication default authorization default
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  clock timezone EST -5 0
  clock summer-time EDT recurring
  ip cef
  ip dhcp pool pool
  import all
  network 192.168.28.0 255.255.255.248
  bootfile PXEboot.com
  default-router 192.168.28.1
  dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
  domain-name domain.local
  option 66 ip 192.168.23.10
  option 67 ascii PXEboot.com
  option 150 ip 192.168.23.10
  lease 0 2
  ip dhcp pool phonepool
  network 192.168.28.128 255.255.255.248
  default-router 192.168.28.129
  dns-server 192.168.26.10 192.168.1.100
  option 150 ip 192.168.1.132
  domain-name domain.local
  lease 0 2
  ip dhcp pool guestpool
  network 10.254.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  domain-name local
  default-router 10.254.0.1
  lease 0 2
  no ip domain lookup
  ip domain name remote.domain.local
  no ipv6 cef
  multilink bundle-name authenticated
  license udi pid CISCO892-K9
  dot1x system-auth-control
  username somebody privilege 15 password 0 password
  redundancy
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key secretpassword address 123.123.123.123
  crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto map pix 10 ipsec-isakmp
  set peer 123.123.123.123
  set transform-set pix-set
  match address 110
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet1
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet2
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet3
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet4
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  switchport access vlan 12
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet8
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map pix
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 192.168.28.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly in
  interface Vlan11
  ip address 192.168.28.129 255.255.255.248
  interface Vlan12
  ip address 10.254.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 101 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 dhcp
  ip radius source-interface Vlan10
  ip sla auto discovery
  access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 101 permit ip 192.168.28.0 0.0.0.255 any
  access-list 101 permit ip 10.254.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
  radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
  radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
  control-plane
  mgcp profile default
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  ntp source FastEthernet0
  ntp server 192.168.26.10
  ntp server 192.168.1.100
  end

  I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

• WLC WLAN Authentication from External RADIUS Server

  Dears,
  How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
  Thanks,

  Hi Ahmed,
  Its not documented well, but here is it:
  CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
  . If a user has to be logged out then, following attributes are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
           SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
         - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
                we want to delete  particular user  session via particular device
                (like PDA, Phone or PC)
         - SSH_RADIUS_AVP_USER_NAME(1)
  . If a management user has to be logged out then, following attributes
  are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
    - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
                        OR
     - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
     - SSH_RADIUS_AVP_USER_NAME(1)
     - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
  Eg:
  *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
  *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
  *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
  *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
  *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
  *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
  *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
  *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
  *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• OIM 11g Self Registration - authenticated against external data source

  Dear All,
  Out of the box server registration is unauthenticated. How to make it authenticated?
  What configuration should I perform?
  Thank you for your help
  Kind Regards
  Maria Adair
  Edited by: Maria on Oct 25, 2010 9:26 AM

  Hi,
  I am assuming in clustered environment you are having two instances running.
  It must be an issue with a single server,,because the problem is intermittent.
  To see which server is causing problem....just perform the following steps:
  1) Stop server1 and keep running server2..and fire new registration request...
  2) stop server 2..and keep running server1.....and fire new registration request.
  Using above, atleast you can see which server is causing the problem...
  Regards,
  J
  Edited by: J_IDM on Mar 21, 2011 10:52 PM

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.

• Configuring ISE to proxy Authentications based on email address

  Hi
  I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
  Workflow:
  User associates to SSID (eduroamTest)
  Prompted for username & password (802.1x)
  User puts in username and password in the form [email protected] (UPN)
  If the user is part of our local institution they are authenticated using our local radius server (ISE)
  If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
  The National Gateways  passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
  The institution authenticates the user and passes the  request back to the National Gateways
  The National Gateways passes this request back to our ISE server and the external user is authenticated
  The user can browse the web
  What I have done:
  Setup the National Gateways as external proxy servers
  Created firewall rules to allow the traffic
  Configured the proxy sequence with these servers
  Created a policy to proxy requests to the proxy sequence
  What I need to figure out:
  How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
  Any help with this configuration would be greatly appreciated as I am new to ISE.
  If you need any more info please let know.
  Kind regards
  John

  Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;
  radius/called-station-id contains "eduroam"
  and
  radius/username ends with "rcsi.ie"
  Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
  If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.

• Authenticated on ISE 1.2 (as admin) against an external radius server

  Hello
  Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
  Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
  thank you in advance.
  Best regards

  External authentication is supported only with internal authorization:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .