Configure External RADIUS Servers on ISE

Available Languages

Download Options

  • PDF     (1.9 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.5 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 18, 2020
Document ID:213239

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the configuration of a RADIUS server on ISE as a proxy and authorization server. Here two ISE servers are used and one acts as an external server. But, any RFC-compliant RADIUS server can be utilized.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic knowledge of RADIUS protocol
    • Expertise in Identity Services Engine (ISE) policy configuration

    Components Used

    The information in this document is based on Cisco ISE versions 2.2 and 2.4.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Network Diagram

    Configure ISE (Frontend Server)

    Step 1. Multiple external RADIUS servers can be configured and used in order to authenticate users on the ISE. In order to configure external RADIUS servers, navigate to Administration > Network Resources > External RADIUS Servers > Add, as shown in the image:

    Configure Multiple External RADIUS Servers for User Authentication on ISE

    Configure Multiple External RADIUS Servers for User Authentication on ISE

    Step 2. In order to use the configured external RADIUS server, a RADIUS server sequence must be configured similar to the Identity source sequence. In order to configure the same, navigate to Administration > Network Resources > RADIUS Server Sequences > Add, as shown in the image.


    Configure RADIUS Server Sequences for External RADIUS Servers on ISE

    Configure RADIUS Server Sequences for External RADIUS Servers on ISE

    Note: One of the options available while the server sequence is created, is to choose if accounting must be done locally on the ISE or on the external RADIUS server. Based on the option chosen here, ISE decides on whether to proxy the accounting requests or store those logs locally.

    Step 3. There is an additional section that gives more flexibility on how ISE must behave when it proxies requests to external RADIUS servers. It can be found under Advance Attribute Settings, as shown in the image.

    Configure Advanced Attribute Settings for Proxying Requests to External RADIUS Servers on ISE

      • Advanced Settings: Provides options to strip the start or the end of the username in RADIUS requests with a delimiter.
      • Modify Attribute in the request: Provides the option to modify any RADIUS attribute in the RADIUS requests. The list here shows the attributes that can be added/removed/updated:

        User-Name--[1]
NAS-IP-Address--[4]
NAS-Port--[5]
Service-Type--[6]
Framed-Protocol--[7] 
Framed-IP-Address--[8]
Framed-IP-Netmask--[9]
Filter-ID--[11]
Framed-Compression--[13]
Login-IP-Host--[14]
Callback-Number--[19]
State--[24]
VendorSpecific--[26]
Called-Station-ID--[30]
Calling-Station-ID--[31]
NAS-Identifier--[32]
Login-LAT-Service--[34]
Login-LAT-Node--[35]
Login-LAT-Group--[36]
Event-Timestamp--[55] 
Egress-VLANID--[56]
Ingress-Filters--[57]
Egress-VLAN-Name--[58]
User-Priority-Table--[59]
NAS-Port-Type--[61]
Port-Limit--[62]
Login-LAT-Port--[63]
Password-Retry--[75] 
Connect-Info--[77] 
NAS-Port-Id--[87]
Framed-Pool--[88]
NAS-Filter-Rule--[92]
NAS-IPv6-Address--[95] 
Framed-Interface-Id--[96]
Framed-IPv6-Prefix--[97]
Login-IPv6-Host--[98]
Error-Cause--[101]
Delegated-IPv6-Prefix--[123]
Framed-IPv6-Address--[168]
DNS-Server-IPv6-Address--[169]
Route-IPv6-Information--[170]
Delegated-IPv6-Prefix-Pool--[171]
Stateful-IPv6-Address-Pool--[172]

      • Continue to Authorization Policy on Access-Accept: Provides an option to choose if ISE must just send the Access-Accept as it is or proceed to provide access based on the Authorization Policies configured on the ISE rather than the authorization provided by the external RADIUS server. If this option is selected, the authorization provided by the external RADIUS server is overwritten with the authorization provided by ISE.

        Note: This option works only if the external RADIUS server sends an Access-Accept  in response to the proxied RADIUS Access-Request.

      • Modify Attribute before Access-Accept: Similar to the Modify Attribute in the request, the attributes mentioned earlier can be added/removed/updated present in the Access-Accept sent by the external RADIUS server before it is sent to the network device.

    Step 4. The next part is to configure the Policy Sets in order to use the RADIUS Server Sequence instead of Allowed Protocols so that the requests are sent to the external RADIUS server. It can be configured under Policy > Policy Sets. Authorization policies can be configured under the Policy Set  but only come into effect if the Continue to Authorization Policy on Access-Accept  option is chosen. If not, ISE simply acts as a proxy for the RADIUS requests in order to match the conditions configured for this Policy Set.

    Configure Policy Sets for Sending Requests to External RADIUS Server and Authorization Policies on ISE

    Configure Policy Sets for Sending Requests to External RADIUS Server and Authorization Policies on ISE

    Configure the External RADIUS Server 

    Step 1. In this example, another ISE server (version 2.2) is used as an external RADIUS server named ISE_Backend_Server. The ISE (ISE_Frontend_Server) must be configured as a network device or traditionally called NAS in the external RADIUS server (ISE_Backend_Server in this example), since the NAS-IP-Address attribute in the Access-Request that is forwarded to the external RADIUS server is replaced with the IP address of theISE_Frontend_Server. The shared secret to be configured is the same as the one configured for the external RADIUS server on the ISE_Frontend_Server.

    Configure ISE_Frontend_Server as a Network Device for ISE_Backend_Server (External RADIUS Server)

    Step 2. The external RADIUS server can be configured with its own authentication and authorization policies in order to serve the requests proxied by the ISE. In this example, a simple policy is configured in order to check the user in the internal users and then permit access if authenticated.

    Configure Authentication and Authorization Policies on External RADIUS Server for Proxy Requests from ISE

    Verify

    Step 1. Check ISE live logs if the request is received, as shown in the image.

    Check ISE Live Logs for Received Requests

    Step 2. Check if the correct policy set is selected, as shown in the image.

    Verify Chosen Policy Set for Request in ISE

    Step 3. Check if the request is forwarded to the external RADIUS server.

    Verify Forwarding of Request to External RADIUS Server

    4. If the Continue to Authorization Policy on Access-Accept option is chosen, check if the authorization policy is evaluated.

    Verify Evaluation of Authorization Policy when 'Continue to Authorization Policy on Access-Accept' is Chosen

    Verify Evaluation of Authorization Policy when 'Continue to Authorization Policy on Access-Accept' is Chosen

    Troubleshoot

    Scenario 1. Event - 5405 RADIUS Request Dropped

    • The most important thing that must be verified is the steps in the detailed authentication report. If the steps say the RADIUS-Client request timeout expired, then it means that the ISE did not receive any response from the configured external RADIUS server. This can happen when:
    1. There is a connectivity issue with the external RADIUS server. ISE is unable to reach the external RADIUS server on the ports configured for it.
    2. ISE is not configured as a Network Device or NAS on the external RADIUS Server.
    3. Packets are dropped by the external RADIUS Server either by configuration or because of some problem on the external RADIUS server.

      Verify Steps in Authentication Report and Troubleshoot Connectivity Issues with External RADIUS Server

    Check packet captures as well in order to see if it is not a false message, that is, ISE receives the packet back from the server but still reports that the request timed out.

    Verify Packet Captures for False Timeout Reports in ISE

    • If the steps say Start forwarding request to remote RADIUS server  and the immediate step is No more external RADIUS servers; can't perform failoverthen it means that all the configured external RADIUS servers are currently marked dead and the requests are only served after the dead timer expires.

      Troubleshoot Dead External RADIUS Servers and Failover Issues in ISE



      Note: The default dead time for external RADIUS Servers in ISE is 5 minutes. This value is hardcoded and cannot be modified as of this version.

    • If the steps say RADIUS-Client encountered error during processing flow and are followed by Failed to forward request to current remote RADIUS server; an invalid response was received,then it means that ISE has encountered a problem while the request to the external RADIUS server was forwarded. This is usually seen when the RADIUS request sent from the Network Device/NAS to the ISE does not have the NAS-IP-Address  as one of the attributes. If there is no NAS-IP-Address attribute and if external RADIUS servers are not in use, ISE populates the NAS-IP-Address field with the source IP of the packet. However, this does not apply when an external RADIUS server is in use.

    Scenario 2. Event - 5400 Authentication Failed

    • In this event, if the steps say 11368 Please review logs on the External RADIUS Server to determine the precise failure reason, then it means that the authentication has failed on the external RADIUS server itself and it has sent an Access-Reject.

      Troubleshoot Authentication Failure on External RADIUS Server and Access-Reject Response
    • If the steps say 15039 Rejected per authorization profile, it means that ISE received an Access-Accept from the external RADIUS server but ISE rejects the authorization based on the authorization policies configured.

      Troubleshoot Authorization Rejection Based on Authorization Policies in ISE
    • If the Failure Reason  on the ISE is anything else apart from the ones mentioned here in case of an authentication failure, then it can mean a potential issue with the configuration or with the ISE itself. A TAC case is recommended to be opened at this point.

    Revision History

    Revision Publish Date Comments
    1.0
    23-Apr-2018
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Surendra Reddy
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products