https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221420#M552081 <P>We started implementing Cisco ISE as central NAC for all networks and I'm looking for the best idea to implement the eduroam IdP service.</P> <P>&nbsp;</P> <P>The eduroam IdP service must be reachable through the Internet by other Radius servers. So how to implement by&nbsp;minimizing the security risk?</P> <P>&nbsp;</P> <P>Using ISE in DMZ? Configuring multiple ISE network interface? NAT/PAT only on Radius port?</P> <P><BR />Thanks for the help.</P> Fri, 21 Feb 2020 18:40:04 GMT FTBZ 2020-02-21T18:40:04Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221420#M552081 <P>We started implementing Cisco ISE as central NAC for all networks and I'm looking for the best idea to implement the eduroam IdP service.</P> <P>&nbsp;</P> <P>The eduroam IdP service must be reachable through the Internet by other Radius servers. So how to implement by&nbsp;minimizing the security risk?</P> <P>&nbsp;</P> <P>Using ISE in DMZ? Configuring multiple ISE network interface? NAT/PAT only on Radius port?</P> <P><BR />Thanks for the help.</P> Fri, 21 Feb 2020 18:40:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221420#M552081 FTBZ 2020-02-21T18:40:04Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221437#M552084 <P>For eduroam to work, your RADIUS servers (i.e. at least one of your ISE PSNs) must be accessible from the eduroam top-level RADIUS servers (e.g., in the USA they are tlrs1.eduroam.us and tlrs2.eduroam.us).</P> <P>&nbsp;</P> <P>The easiest solution is to have a static NAT (if you are using private addressing internally) plus an outside-in ACL allowing the tlrs servers to initiate traffic on the RADIUS well-known ports (udp/1812 and udp/1813).</P> <P>&nbsp;</P> <P>If you wanted higher security, you could deploy one of your PSNs in a DMZ (requires a distributed ISE deployment of course) and have two sets of ACLs - one (outside-dmz) for incoming traffic from eduroam to the PSN and another (dmz-inside) for the PSN inbound to the rest of your ISE servers.</P> Thu, 23 Nov 2017 07:03:40 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221437#M552084 Marvin Rhoads 2017-11-23T07:03:40Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221441#M552086 Thank you for your opinion.<BR /><BR />The optimal choice will be to have 2 PSNs in a DMZ, but only for eduroam IdP it's too much in my case (license cost). Thu, 23 Nov 2017 06:52:03 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221441#M552086 FTBZ 2017-11-23T06:52:03Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221451#M552091 <P>ISE licensing is for the entire deployment.</P> <P>&nbsp;</P> <P>If you wanted to deploy two dedicated PSNs you would need only purchase the VMs (with associated support contract).</P> <P>&nbsp;</P> <P>I have also seen customers put an Application Delivery Controller (like Citrix Netscaler or F5 Big-IP LTM) in the DMZ with a VIP for the public-facing service and then balancing traffic to the real server addresses on the inside of the network. That’s usually not dedicated for ISE but leveraging existing investment in that sort of infrastructure.&nbsp;</P> Thu, 23 Nov 2017 07:09:10 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-eduroam-idp-network-access/m-p/3221451#M552091 Marvin Rhoads 2017-11-23T07:09:10Z