This document describes how an external RADIUS server can be configured as an authentication server on Identity Services Engine (ISE), where ISE acts as a proxy and as an authorization server as well. In this document, two ISE servers are used; one acts as an external server to the other. However, any RADIUS server can be used as an external server as long as it complies with the RFC.
Cisco recommends that you have knowledge of these topics:
Basic knowledge of RADIUS protocol.
Expertise in ISE policy configuration.
The information in this document is based on Cisco ISE version 2.4 and 2.2.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure ISE (Frontend Server)
Step 1. Multiple external RADIUS servers can be configured and used to authenticate users on the ISE. In order to configure external RADIUS servers, navigate to Administration > Network Resources > External RADIUS Servers > Add, as shown in the image:
Step 2. To use the configured external RADIUS server, a RADIUS server sequence has to be configured, similar to an Identity source sequence. To configure it, navigate to Administration > Network Resources > RADIUS Server Sequences > Add, as shown in the image.
Note: One of the options available when the server sequence is created is to choose whether Accounting should be done locally on the ISE or on the external RADIUS server. Based on the option selected here, ISE decides whether to proxy the accounting requests or store those logs locally.
Step 3. There is an additional section which gives more flexibility on how ISE should behave when it proxies requests to external RADIUS servers. It can be found under Advanced Attribute Settings, as shown in the image.
Advanced Settings: Provides options to strip the start or the end of the username in RADIUS requests using a delimiter.
Modify Attribute in the request: Provides an option to modify any RADIUS attribute in the RADIUS requests. The list here shows which attributes can be added/removed/updated:
Continue to Authorization Policy on Access-Accept: Provides an option to choose whether ISE should just send the Access-Accept as it is or proceed to provide access based on the Authorization Policies configured on the ISE rather than the authorization provided by the external RADIUS server. If this option is selected, the authorization provided by the external RADIUS server is overwritten with the authorization provided by ISE.
Note: This option works if and only if the external RADIUS server sends an Access-Accept in response to the proxied RADIUS Access-Request.
Modify Attribute before Access-Accept: Similar to Modify Attribute in the request, the same attributes mentioned earlier can be added/removed/updated in the Access-Accept sent by the external RADIUS server before it is sent to the network device.
Step 4. The next part is to configure the Policy Sets to use the RADIUS Server Sequence instead of Allowed Protocols so that the requests are sent to the external RADIUS server. It can be configured under Policy > Policy Sets. Authorization policies can be configured under the Policy Set, but they only come into effect if the Continue to Authorization Policy on Access-Accept option is selected. If not, ISE simply acts as a proxy for the RADIUS requests that match the conditions configured for this Policy Set.
Configure External RADIUS server
Step 1. In this example, another ISE server (Version 2.2) is used as an external RADIUS server named ISE_Backend_Server. The ISE (ISE_Frontend_Server) needs to be configured as a network device (traditionally called a NAS) in the external RADIUS server (ISE_Backend_Server in this example), since the NAS-IP-Address attribute in the Access-Request being forwarded to the external RADIUS server will be replaced with ISE_Frontend_Server's own IP address. The shared secret to be configured is the same as the one configured for the external RADIUS server on the ISE_Frontend_Server.
Step 2. The external RADIUS server can be configured with its own authentication and authorization policies to serve the requests proxied by the ISE. In this example, a simple policy is configured to check the user in the internal users and then permit access if authenticated.
Step 1. Check the ISE live logs to see whether the request is received, as shown in the image.
Step 2. Check whether the correct policy set is selected, as shown in the image.
Step 3. Check whether the request is being forwarded to the external RADIUS server.
Step 4. If the Continue to Authorization Policy on Access-Accept option is selected, check whether the authorization policy is being evaluated.
Scenario 1 : Event - 5405 RADIUS Request dropped
The most important things to verify are the steps in the detailed authentication report. If the steps say RADIUS-Client request timeout expired, it means that the ISE did not receive any response from the configured external RADIUS server. This can happen when:
1. There is a connectivity issue with the external RADIUS server. ISE is unable to reach the external RADIUS server on the ports configured for it.
2. ISE is not configured as a Network Device or NAS on the external RADIUS Server.
3. Packets are being dropped by the external RADIUS Server either by configuration or because of some problem on the external RADIUS server.
Check packet captures as well to rule out a false message, i.e., ISE receives the packet back from the server but still reports that the request timed out.
If the steps say Start forwarding request to remote RADIUS server and the immediate next step is No more external RADIUS servers; can't perform failover, it means that all the configured external RADIUS servers are currently marked dead and the requests are only served after the dead timer expires.
Note: The default dead time for external RADIUS Servers in ISE is 5 minutes. This value is hardcoded and cannot be modified as of this version.
If the steps say RADIUS-Client encountered error during processing flow, followed by Failed to forward request to current remote RADIUS server; an invalid response was received, it means that ISE has encountered a problem while forwarding the request to the external RADIUS server. This is usually seen when the RADIUS request sent from the Network Device/NAS to the ISE does not have the NAS-IP-Address as one of the attributes. If there is no NAS-IP-Address attribute and external RADIUS servers are not in use, ISE populates the NAS-IP-Address field with the source IP of the packet. However, this does not apply when an external RADIUS server is in use.
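The packet-capture checks in this scenario can be scripted. The following is an added example, not part of the original document or of ISE: it parses a RADIUS packet per RFC 2865, reports whether an Access-Request carries NAS-IP-Address (attribute type 4), and checks that a captured response matches the request Identifier and verifies against the shared secret. The function names, the sample packets and the secret are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

NAS_IP_ADDRESS = 4  # attribute type defined in RFC 2865

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field disagrees with captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return {"code": code, "id": ident, "auth": packet[4:20],
            "attrs": attrs, "raw": packet[:length]}

def nas_ip_address(request: bytes):
    """Return the NAS-IP-Address in the request as a string, or None if absent."""
    for a_type, value in parse_radius(request)["attrs"]:
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def response_verifies(request: bytes, response: bytes, secret: bytes) -> bool:
    """Check Identifier match and Response Authenticator:
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    req, rsp = parse_radius(request), parse_radius(response)
    expected = hashlib.md5(rsp["raw"][:4] + req["auth"] + rsp["raw"][20:] + secret).digest()
    return req["id"] == rsp["id"] and hmac.compare_digest(expected, rsp["auth"])

def build(code, ident, auth, attrs, secret=None):
    """Build a sample packet; with a secret, auth is the request's authenticator
    and the Response Authenticator is computed from it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        auth = hashlib.md5(head + auth + body + secret).digest()
    return head + auth + body

# Constructed sample packets (not taken from a real capture).
REQ_AUTH = bytes(range(16))
WITH_NAS = build(1, 7, REQ_AUTH, [(1, b"alice"), (4, bytes([192, 0, 2, 10]))])
WITHOUT_NAS = build(1, 8, REQ_AUTH, [(1, b"alice")])
ACCEPT = build(2, 7, REQ_AUTH, [], secret=b"constructed-secret")

if __name__ == "__main__":
    print(nas_ip_address(WITH_NAS), nas_ip_address(WITHOUT_NAS))
    print(response_verifies(WITH_NAS, ACCEPT, b"constructed-secret"))
```

A request for which `nas_ip_address` returns None matches the missing-attribute condition described above; a response that fails `response_verifies` with the configured secret indicates that the two servers do not hold the same shared secret.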
Scenario 2 : Event - 5400 Authentication failed
In this event, if the steps say 11368 Please review logs on the External RADIUS Server to determine the precise failure reason, it means that the authentication has failed on the external RADIUS server itself and it has sent an Access-Reject.
If the steps say 15039 Rejected per authorization profile, it means that ISE received an Access-Accept from the external RADIUS server but ISE rejects the authorization based on the authorization policies configured.
If the Failure Reason on the ISE is anything else apart from the ones mentioned here in case of an authentication failure, then it could mean a potential issue with the configuration or with the ISE itself. A TAC case is recommended to be opened at this point.