04-26-2018 05:40 AM
I have a customer that is integrating ISE with an external RADIUS provider (OneLogin) for authentication. This RADIUS instance also provides risk-based (adaptive) authentication, where it will challenge based off of client information (Source IP, OS, NAD, etc...). Does ISE forward over any contextual information to the external RADIUS provider during authentication, or is this configurable?
04-26-2018 02:45 PM
It depends on the RADIUS integration method. The two fundamental methods are RADIUS Token and RADIUS Proxy. With proxy we relay all attributes to the external RADIUS instance. ISE can also manipulate attributes in flight to or from external.
In the RADIUS Token case, it is a basic RADIUS PAP request with username (identity) where ISE is the NAD (RADIUS client) to the external RADIUS server. In response, we accept a single authorization attribute.
Craig
04-26-2018 03:17 PM
Thanks Craig
Thanks!
Ed