ISE RADIUS Proxy - Authentication Policy

Krzysztof Grabowski
Cisco Employee

Hi Guys,

I wanted to confirm the purpose of "Authentication Policy" when RADIUS Proxy is enabled along with "On Access-Accept, continue to Authorization Policy". It is displayed and is configurable under the Policy Set set for RADIUS Proxy with the above option enabled.

I would expect authentication to be fully delegated to the remote RADIUS server; then, once the RADIUS Access-Accept is received, the local authorization policy would be applied to add new attributes. Authentication Policy seems redundant here.

Can you please confirm if the Authentication Policy in such a case is just a dummy or could actually be used for some advanced use-cases with double authentication/failover?

Cheers,
Chris 

1 Accepted Solution

Surendra
Cisco Employee
Authentication policy is just there to direct the authentications to the external RADIUS server. More about External RADIUS servers here: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html

3 Replies

Hi Surendra,

Thanks for the quick reply. In the RADIUS Proxy scenario the external RADIUS server (RADIUS Sequence) is configured on the Policy Set level in the "Allowed Protocols/Server Sequence" field. The Authentication Policy within the Policy Set is not configured at all. The question is about the latter. I suspect the Authentication Policy is not evaluated by ISE in that scenario...

Cheers,
Chris 

Thanks Surendra,

May we please sync up offline regarding this question?

Cheers,
Chris