NAC Guest as external Radius for ISE?

Similar Messages

• Using external radius with ise for guest authentication

  Hi Everyone,
  I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what i am trying is just unsupported or i just can't find out how to do this ?
  I am attempting to authenticate my existing guest users, using a radius lookup towards my existing NAC Guest server, which has many hundred guest users with long account duration, which i really don't want to recreate on ISE, and send new passwords to all those users. Problem is i can't export the user list from NAC guest server with the password intact, and ISE can't import guest users with a set password.
  Any ideas ?

  Setting up ISE as radius  proxy server will work because NAC guest user does not support exporting user information with passwords
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The External RADIUS Servers page appears.
  Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
  Step 3 You must define whether the search should match any or all of the rules that you define on this page.
  Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
  Step 5 You can do the following:
  •To add a filter condition, click the plus sign (+).
  •To remove a filter condition, click the minus sign (-).
  •To clear all filter conditions, click Clear Filter.
  Step 6 Click Go to perform your search.
  You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

• NAC guest server with RADIUS authentication for guests issue.

  Hi all,
  We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
  The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
  https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
  -----START QUOTE-----
  Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
  •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
  •Self Service—This option allows guest self service. After selection proceed to Step 8.
  •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
  ----- END QUOTE-----
  Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
  Regards
  Kevin Woodhouse

  Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
  Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

• ISE External RADIUS proxy remove attributes

  Hi all,
  I setup external RADIUS for authenticating external users on ISE 1.2  - I need to remove all attributes received from the external RADIUS but I cannot find how to do it.
  I checked the option
  On Access-Accept, continue to Authorization Policy
  in RADIUS server sequense Advanced Attribute settings 
  and in Authorization policy I setup proper attributes but I found the attributes from external RADIUS server are in the Access-Acceept response too.
  This is RADIUS debug from the switch:
  Apr 10 09:35:51 CEST: RADIUS: User-Name [1] 17 "xxxxxxxxxxxxx"
  Apr 10 09:35:51 CEST: RADIUS: Session-Timeout [27] 6 3600
  Apr 10 09:35:51 CEST: RADIUS: Termination-Action [29] 6 1
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
  Apr 10 09:35:51 CEST: RADIUS: EAP-Message [79] 6
  Apr 10 09:35:51 CEST: RADIUS: 03 08 00 04
  Apr 10 09:35:51 CEST: RADIUS: Message-Authenticato[80] 18
  Apr 10 09:35:51 CEST: RADIUS: BA 8C BC 8D 69 23 2B 7D 8A 70 20 D4 DE 96 0B E2 [ i#+}p ]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 4 "17"
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 7 01:"v230"
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 22
  Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 16 ""ssid=eduroam""
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 37
  Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 31 "termination-action-modifier=1"
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
  Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Send-Key [16] 52 *
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
  Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Recv-Key [17] 52 *
  As you can see a lot of attributes are twice in the response. I need only "v230" set as VLAN ID
  I looked for removing the attributes but "Modify attribute" settings (iether "in the request" or "before access-apccept") offer only subset of RADIUS attributes - I need to remove attribute 81 - Tunnel Network Private Group - but it is not offered there.
  Can somebody advice me, how to (idealy) remove all atrributes from external RADIUS or at least remove set of attributes at minimum with attribute 81?
  Thank you for any help

  Thank you,
  I duplicated the Dot1x Authentication Rule, and changed allowed protocols to "RADIUS Server Sequence : MySequence"
  In the RADIUS Server Sequence under the advanced tab I have it set to "Continue to Authorization Policy'.
  Which Authorization rule would match?
  Network Access:RADIUS Server Sequence EQUAL MySequence
  OR
  Network Access:UseCase EQUALS Proxy
  OR
  None of the above?
  Thanks

• NAC Guest Server and Multiple Guest SSID's/Splashpages

  Hi All,
  If I have multiple guest SSID's on a single controller and I use NGS as the Radius. How do I configure NGS to "send" the clients to differnet login pages corresponding to the SSID they came from.
  I can configure different splash pages in HotSpots section but how do I map the different SSID's from the controller to the different splash pages. Then I guess that raises the question when I generate guest users on NGS is it possile to only allow them associate to a specific SSID.
  TIA,
  Eoin.

  Hi Nicolas,
  Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I dont know is if the NAC Guest server sees radius requests coming from different guest SSID's on the same WLC. How does the NAC Guest server apply the correct guest policy to that user. And when sponsors genereate guest accounts how do they specific which policy is to be applied to that guest so it can only get access to a specfic guest network/SSID I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
  Regards,
  Eoin.

• ISE MAB to external Radius then MAB internal for Guest User auth

  Hello guys,
  we have the following requirements for our ISE Guest Access Deployment:
  We want to provide guest access but only to non Company Laptops. To check if the Laptop is company or a non company Laptop we have have all MAC Addresses in our ACS server. So in my understanding we have to to the following.
  Check the MAC Address against the External Radius Server (ACS)
  If Access-Accept returns -> Deny Access
  If Access-Deny returns -> Check MAC Address against Internal Endpoint Store
  If User not found -> Guestflow
  Right now i don´t no how i can sould design it but i need two Authentication Policys first for the redirect to the External Radius and then another one for check against internal Identity Endpoint Store. Am i right ? I don´t know if that is possible.
  Really thanks for your help!!
  Greetings
  Philip

  Let me ask you a quick question: Are all domain machines Windows and joined to AD?

• Web-redirect to external radius not wokring on some browsers for Guest SSID

  Hi,
  We are using Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to external radius (cisco NAC appliance), for some browsers. Although the same works on Cisco 5508 and 4402 WLC with the same NAC appliance for all browsers.
  working browsers: IE9.0 and IE 11.0
  Non-working: Chrome all versions, Firefox all versions, Safari all versions.
  Can anyone provide some help if they have seen  this issue before.?

  You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.

• Configuring Cisco ISE for Authorization with External Radius Server attribute

  Hi,
  I'm trying to integrate an external radius server with Cisco ISE.
  I created an External Identity Store>Radius Token Server.
  I created a Identity Store sequence with just one identity store just as creadted above.
  And I was able to authenticate successfully.
  But when it comes to authorization.
  I observed we just have one tab named Authorization while creating Radius Token server.
  And it always refers to ACS:attribute_name.
  If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
  In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
  How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
  I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
  Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
  Thanks in advance
  Senthil K

  This is the step of Creating and Editing RADIUS Vendors
  To create and edit a RADIUS vendor, complete the following steps:
  Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
  The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
  Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
  you want to edit and click Edit.
  Step 3 Enter the following information:
  • Name—(Required) Name of the RADIUS vendor.
  • Description—An optional description for the vendor.
  • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
  vendor.
  • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
  • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
  Step 4 Click Submit to save the RADIUS vendor.

• Cisco NAC Guest Server for Wireless Users integration with IP telephony

  Hi Team
  I have a client who has the following requirement. The cleint requires a Guest server inorder to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The cleint will have a lobby IP Phone where the guest will press the services button confgiured on the IP Phone. IT will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will recieve a text via sms gateway with login credentials. They want to offload this from the receptionist and it is for this reason that they require this functionality.
  Has anyone done this sort of deployment ? We have already proposed NAC guest server and Wireless controller but we do not know whether the XML application for subscribing the service on the IP Phone is available directly with cisco or does it need to developed.
  Kindly advice on the same.
  Regards
  Azeem

  Hi Vishal,
  Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
  Basically the process is as follows:
  1 - Client plugs cable on switch.
  2 - Web auth is triggered on the port.
  3 - default ACL permiting only DNS and DHCP is applyed so that the client PC can obtain IP address and open a browser.
  4 - Client will be redirected to the NGS hotspot login page.
  5 - Client will enter credentials.
  6 - Client broswer will send an HTTP POST packet containing the credentials.
  7 - The switch will intercept the POS packets and retrieve the credentials entered.
  8 - The switch will send Radius Access-Request to the ACS.
  9 - The ACS will use the NGS as External Identity source to authenticate the client.
  10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
  11 - the Switch authorizes the client on the port and applies the ACL it received from the ACS.
  Please follow the document Nicolas posted as it is a good one.
  HTH,
  Thanks

• ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

  Hi community,
  We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
  Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
  To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
  Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
  Anybody else come across this??
  All helpful comments rated!
  Many thanks, Ash.

  I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Ise Authentication to two different forests second using External Radius, Not LDAP

  Hi Guys,
  I am hoping someone can help me.  We currently have two AD forests one for staff and one for students.  These forests do not have a two way trust between them nor do we want to. We currently have Ise 1.2 integration with our Student forest using AD working just fine. The ipads and other devices are playing nicely and cooperating well.    We want to get our staff to be able to use ISE as well.  Currently there is no way to use two AD forests so I was directed to use LDAP instead for the second domain.  Unfortunatley after playing around with it LDAP doesn't support mschapv2 which our mobile devices like ipads do play nicely with.  This causes an issue only because we would have to utilize certificates to get everything to work correctly.  This is not the route we want to go.  So i was speaking to Tac and they recommended using an External Radius server.  Then modify my auth profiles to look for the domain name in the authentication string.  If it starts for example student\ then i can have ise forward the auth request to the AD integrated PSNs for auth.  If the auth string starts with staff\ for example i should be able to forward this request to my external radius server. 
  This sounds all good in theory but i have not found any documentation to support this to help me configure it.  Has anyone tried this approach?  Or have any leads on where i can find some good documentation as to what radius servers are supported.  I am hoping Windows server 2008 R2 with a radius role installed, but i am just not sure.
  If anyone can help i would greatly appreciate it.
  Thank you
  Joey

  That is correct! Cisco ISE supports integration with a single Active  Directory identity source. Cisco ISE uses this Active Directory identity  source to join itself to an Active Directory domain. If this Active  Directory source has a multidomain forest, trust relationships must  exist between its domain and the other domains in order for Cisco ISE to  retrieve information from all domains within the forest.
  However,  you may create multiple instances for LDAP. Cisco ISE can communicate  via LDAP to Active Directory servers in an untrusted domain. The only  limitation you would see with LDAP being a database that it doesn't  support PEAP MSCHAPv2 ( native microsoft supplicant). However it does  suppport EAP-TLS.
  For more information you may go through the below listed link
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

• Authenticated on ISE 1.2 (as admin) against an external radius server

  Hello
  Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
  Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
  thank you in advance.
  Best regards

  External authentication is supported only with internal authorization:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• ISE admin access, authentication against external radius

  Please don't ask me why,
  the customer insists and wants to be authenticated on ise (as admin) against an external (microsoft) radius server
  is it possible while retaining internal admin users database in a sequence Internal>external_radius or internal>AD ?
  thank you in advance for whatever may help

  According to Cisco:
  External Authentication AND external Authorisation for Admin acces son the ISE can only be done by using LDAP or AD.
  For Radius Servers there are a solution for external Authentication and internal Authorisation on the ise:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.