
What attributes can we send from ISE to an external RADIUS authentication server?

edmcnich
Cisco Employee

I have a customer that is integrating ISE with an external RADIUS provider (onelogin) for authentication. This RADIUS instance also provides risk based (adaptive) authentication, where it will challenge based off of client information (Source IP, OS, NAD, etc.). Does ISE forward over any contextual information to the external RADIUS provider during authentication, or is this configurable?

Accepted Solutions

Craig Hyps
Level 10

It depends on the RADIUS integration method. The two fundamental methods are RADIUS Token and RADIUS Proxy. With proxy we relay all attributes to the external RADIUS instance. ISE can also manipulate attributes in flight to or from the external server.

In the RADIUS Token case, it is a basic RADIUS PAP request with username (identity) where ISE is the NAD (RADIUS client) to the external RADIUS server. In response, we accept a single authorization attribute.

Craig
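To check which contextual attributes actually reach the external server under each method, the Access-Request can be captured and its attributes listed. The sketch below is an added example, not part of the original thread and not Cisco code; both packets are constructed samples, and the token-style packet carries only the username and PAP password the answer mentions (whether ISE adds anything else is not stated here).

```python
import struct

# Standard RADIUS attribute type codes (RFC 2865).
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type"}
# Attributes a risk-based (adaptive) engine could use as client/NAD context.
CONTEXT_TYPES = {4, 5, 30, 31, 32, 61}

def build_access_request(attrs, ident=1):
    """Build an Access-Request (code 1) with a constructed zero authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value)] from an Access-Request, rejecting malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def context_seen(packet):
    """Names of context attributes present in the request, sorted."""
    return sorted(ATTR_NAMES[t] for t, _ in parse_attributes(packet)
                  if t in CONTEXT_TYPES)

# Constructed samples: 16 zero bytes stand in for the hidden PAP password.
TOKEN_STYLE = build_access_request([(1, b"alice"), (2, bytes(16))])
PROXY_STYLE = build_access_request([
    (1, b"alice"), (2, bytes(16)),
    (4, bytes([192, 0, 2, 10])),       # NAS-IP-Address (documentation range)
    (31, b"00-11-22-33-44-55"),        # Calling-Station-Id (constructed)
    (61, struct.pack("!I", 15)),       # NAS-Port-Type = Ethernet
])

if __name__ == "__main__":
    print("token-style context:", context_seen(TOKEN_STYLE))
    print("proxy-style context:", context_seen(PROXY_STYLE))
```

Running the same parser over a real capture on the external server side shows whether the adaptive policy has any client or NAD context to evaluate for a given integration method.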


2 Replies

Thanks Craig

Thanks!

Ed