topic ise policy to modify RADIUS-Access-Request sent to RADIUS server in Network Access Control

ise policy to modify RADIUS-Access-Request sent to RADIUS server

sungy — Fri, 25 Oct 2019 16:03:14 GMT

Org1 will be providing Cisco wireless infrastructure for a multitenant building. Org1 needs to deliver Org2 802.1x wireless network in the new building. Org2 WLC will anchor a Org2 802.1x wlan from Org1 WLC. 802.1x must successfully complete on Org1 foreign WLC before the client is tunneled to Org2 anchor WLC. Since Org1 will not have access to Org2 RADIUS servers, we decided to use eduroam TLRSs 802.1x. Both Orgs are member of eduroam RADIUS federation.

Standard wireless profile for Org2 wireless devices does not include domain name “@org2.edu” in the user name. Org2 does not want to change the stadard wireless profile. However, this is required to use eduroam TLRS to authenticate against Org2 eduroam radius client servers.

Org1 has ISE deployment. Can Org1 ISE create a policy to take EAPOL-Response/Identity from Org2 client and add “@org2.edu” before sending it out as RADIUS-Access-Request to eduroam TLRSs?

There is “RADIUS Server Sequences List > Advanced Attribute Setting tab” that I thought might be the answer to my problem, but it did not work.

Any help would be greatly appreciated.

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

sungy — Fri, 25 Oct 2019 19:57:23 GMT

maybe that was too much info...

I need ISE to change radius username, i.e. sungy, to append domain name, i.e. sungy@acme.edu, before sending radius packet off to the eduroam server.

is this possible?

Thanks

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

andrewswanson — Fri, 25 Oct 2019 21:29:30 GMT

In the screenshot you have ADD RADIUS:User-Name = @org1.edu under Modify Attributes in the Request.

Have you tried changing this to UPDATE RADIUS:User-Name = @org1.edu - this would hopefully change the radius username "outer-id" attribute for all org1 users to @org1.edu (that are then proxied to eduroam).

hth
Andy

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

sungy — Sat, 26 Oct 2019 07:45:53 GMT

with Update option, you have to specify a string to update in user-name and what you want to update to. this would not work. i was hoping that it supported variables and i could use that to make it work, but I am not finding any detail document on "modify attribute in the request" section.

[X]

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

andrewswanson — Mon, 28 Oct 2019 11:03:33 GMT

Have you tried removing the existing RADIUS Username and then adding a generic one like screenshot below?

hth

andy

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

sungy — Mon, 28 Oct 2019 17:18:41 GMT

I am not looking for a specific user. I need to be able to take any username in EAPOL-Response from endpoint and add "@org1.edu" at the end.

<username> --> <username>@org1.edu

Yong

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

andrewswanson — Tue, 29 Oct 2019 10:00:56 GMT

My apologies if I misunderstood.

My previous post (typo - should have read as org2 and not org1) was looking at a way of org1 proxying wireless org2 client requests to eduroam TLRs - eduroam TLRs would then send the request to org2 RADIUS for authentication.

The method above would hopefully replace the original org2 username with an anonymised outer-id of anon@org2.edu

<username> --> anon@org2.edu

The eduroam TLRs don't need to see the actual username - they just need to know to send the request to org2.edu RADIUS for authentication.

Andy

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

sungy — Tue, 29 Oct 2019 14:03:27 GMT

see attached.

it looks like it replaced username is the radius access request.

Yong

Re: ise policy to modify RADIUS-Access-Request sent to RADIUS server

andrewswanson — Tue, 29 Oct 2019 14:42:25 GMT

Interesting - so it seems that it worked as expected (in that it removed the original username and added an anonymised one). Did you use an actual account to test this that should have passed authentication?

Andy