Manage RADIUS Servers and Groups

Secure Access integrates with Cisco Identity Services Engine (ISE) to support the use of centralized RADIUS servers that provide authentication, authorization, and accounting services (AAA) for remote users who access a network. Authentication identifies the user. Authorization implements policies that determine which resources and services an authenticated user may access. Accounting keeps track of time and data resources that are used for billing and analysis.

If you want to use an external RADIUS server for authentication, authorization, or accounting, you must first create at least one RADIUS server group and add one or more servers to each group. You identify RADIUS server groups by name. Each server in a group is identified by a server name, IP address, and a shared key. The order of the server groups, and of the servers within each group, determines the order in which the servers are contacted.

RADIUS and AAA Guidelines

The following are guidelines regarding Secure Access' integration with ISE, RADIUS groups, and AAA methods.

  • You can add a maximum of eight servers to a Secure Access RADIUS group.
  • You must specify the IP address, port number, and shared key of a specified RADIUS server. Other settings, such as the RADIUS user name format and number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

Groups

A RADIUS server is a central server that provides authentication and authorization services for remote users who access a network. It receives authentication requests from RADIUS clients, such as routers, firewalls, or VPNs, verifies the credentials of the user, and returns an authorization decision to the client.

In a RADIUS server group, you must specify the IP address, port number, and shared key of a specified RADIUS server. Other settings, such as the RADIUS user name format and number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

The RADIUS server group settings such as the RADIUS user name format and shared key must be the same as those on the RADIUS server.

SAML Support

Authentication Mode

Shows the authentication method that is used by the RADIUS protocol, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2), IEEE 802.1X (dot1x), and so on.

Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.

Authorization Mode

Enter the RADIUS authorization port number. The valid range is from 1 to 65535. The default is 1812.

The tooltip also displays the RADIUS Change of Authorization (CoA) port and type of URL redirect that is used by the device. These attributes are defined in the device type's network device profile.

Specify the port to be used for RADIUS CoA. The default CoA port for the device is defined in the network device profile that is configured for a network device (Administration > Network Resources > Network Device Profiles). Click Set To Default to use the default CoA port.

If you modify the CoA port specified in the Network Devices window (Administration > Network Resources > Network Devices) under RADIUS Authentication Settings, make sure that you specify the same CoA port for the corresponding profile in the Network Device Profile window (Administration > Network Resources > Network Device Profiles).

Accounting Mode

When Cisco ISE is integrated with ASA, ensure that the Accounting mode is set to Single in ASA. Accounting data is sent to only one accounting server in Single mode; in Simultaneous mode it is sent to all servers in the group.

The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues. RADIUS accounting interim updates are included in the RADIUS Accounting report if the interim updates contain information about the changes to the IPv4 or IPv6 addresses for the given sessions.

Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
