PrepAway - Latest Free Exam Questions & Answers

You want to use an RSA SecurID identity store to access Cisco ISE administratively.

Which of the following will you configure?

A. external authentication and internal authorization

B. internal authentication and external authorization

C. internal authentication and authorization

D. external authentication and authorization

Explanation:
You will configure external authentication and internal authorization for Cisco Identity Services Engine (ISE) if you want to use an RSA SecurID identity store to access Cisco ISE administratively. Although Cisco ISE contains its own internal database of users and credentials, it can integrate with external identity systems so that administrative users can log in by using external credentials. There are two methods of authenticating and authorizing administrative access to Cisco ISE by using an external identity store:

• External authentication and authorization
• External authentication and internal authorization

If you are connecting Cisco ISE to RSA SecurID, authorization and administrator role assignment must occur locally on Cisco ISE after authentication occurs in RSA SecurID. Thus, you should configure identical administrative user names on Cisco ISE and in RSA SecurID.

You would not configure external authentication and authorization if you wanted to use an RSA SecurID identity store to access Cisco ISE administratively. However, you can configure external authentication and authorization if you want to use a Microsoft Active Directory identity store or a Lightweight Directory Access Protocol (LDAP) identity store to access Cisco ISE administratively. External authentication and authorization means that the external identity store, instead of Cisco ISE, handles the authentication of users, authorization of users, and administrative role assignment. In this case, it is not necessary to configure Cisco ISE locally with user names that are identical to the user names in the external identity store.

You would not configure internal authentication and authorization if you wanted to use an RSA SecurID identity store to access Cisco ISE administratively. Internal authentication and authorization relies exclusively on Cisco ISE's local user database to authenticate users, authorize users, and assign administrative roles. Nor would you use internal authentication and external authorization, because this is an invalid Cisco ISE authentication and authorization configuration.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_extrnal_identity_store.html

