topic Your authz condition is wrong in Network Access Control

Configuring ISE to proxy Authentications based on email address

noc — Mon, 11 Mar 2019 05:05:03 GMT

I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials

Workflow:

User associates to SSID (eduroamTest)
Prompted for username & password (802.1x)
User puts in username and password in the form joebloggs@university.com (UPN)
If the user is part of our local institution they are authenticated using our local radius server (ISE)
If the user is a member of a partner institution the request is proxied to an external radius server (National Gateways).
The National Gateways passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
The institution authenticates the user and passes the request back to the National Gateways
The National Gateways passes this request back to our ISE server and the external user is authenticated
The user can browse the web

What I have done:

Setup the National Gateways as external proxy servers
Created firewall rules to allow the traffic
Configured the proxy sequence with these servers
Created a policy to proxy requests to the proxy sequence

What I need to figure out:

How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)

Any help with this configuration would be greatly appreciated as I am new to ISE.

If you need any more info please let know.

Kind regards

John

Sounds like you did most of

jan.nielsen — Sun, 05 Oct 2014 13:46:15 GMT

Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;

radius/called-station-id contains "eduroam"

and

radius/username ends with "rcsi.ie"

Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.

If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.

Hi Jan Thanks for your reply.

noc — Tue, 07 Oct 2014 14:24:11 GMT

Hi Jan

Thanks for your reply. Only getting back to this now. Unfortunately it hasn't worked for me. I have attached screenshots of the config and the troubleshooter.

Any idea where its going wrong?

Kind regards

John

Your authz condition is wrong

jan.nielsen — Tue, 07 Oct 2014 15:00:44 GMT

Your authz condition is wrong, if you wan't only to match username that have the domain "rcsi.ie" at the end, you should use "ends with" or "contains" "rsci.ie", and not "Not Equals"

Also, you need to move the eduroam authentication rule to the top of your rule set, as the second rule you have will catch all dot1x requests on both wired and wireless, and ise will select this rule.

Thanks Jan I'll give it a try

noc — Wed, 08 Oct 2014 07:54:44 GMT

Thanks Jan

I'll give it a try early tomorrow morning, in case I break access to the Wifi for all the students.

Thanks

John

Hi Jan Your suggestions

noc — Tue, 14 Oct 2014 14:35:57 GMT

Hi Jan

Your suggestions worked for me. I was able to authenticate an external user to access the web using the eduroamTest ssid.

The problem I'm facing now is that a test user I set up here isnt being authenticated in partner campuses. I can see the radius requests coming through our firewall.

Do you need to do something special on ISE, to authorise radius requests from external radius servers?

Thanks a lot

John

I don't think i have tried

jan.nielsen — Tue, 14 Oct 2014 15:32:11 GMT

I don't think i have tried that, but as a minimum, you would have to define the other radius server as a network device in your ise, and agree on a radius key. Then you should begin to see the requests coming into your ise.

Hey Guys,

prashant dwivedi — Mon, 10 Oct 2016 12:45:58 GMT

Hey Guys,

I have to implement the same solution. I understand we need to configure the authentication policy that would match field like SSID and domain name ( @cisco.com for example and if this condition satisfy then ISE will redirect this traffic to the external proxy server.

I am wondering, if we also need to configure any authorization policy to achieve this ?

Can you please confirm what authorization policy do you have for your setup ?

Thanks in advance for your reply.