Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1179
Views
5
Helpful
3
Replies

Cisco ISE and eduroam IdP network access

FTBZ
Level 1
Level 1

‎11-22-2017 10:10 PM - edited ‎02-21-2020 10:40 AM

We started implementing Cisco ISE as central NAC for all networks and I'm looking for the best idea to implement the eduroam IdP service.

 

The eduroam IdP service must be reachable through the Internet by other Radius servers. So how to implement by minimizing the security risk?

 

Using ISE in DMZ? Configuring multiple ISE network interface? NAT/PAT only on Radius port?


Thanks for the help.

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-22-2017 10:43 PM - edited ‎11-22-2017 11:03 PM

For eduroam to work, your RADIUS servers (i.e. at least one of your ISE PSNs) must be accessible from the eduroam top-level RADIUS servers (e.g., in the USA they are tlrs1.eduroam.us and tlrs2.eduroam.us).

 

The easiest solution is to have a static NAT (if you are using private addressing internally) plus an outside-in ACL allowing the tlrs servers to initiate traffic on the RADIUS well-known ports (udp/1812 and udp/1813).

 

If you wanted higher security, you could deploy one of your PSNs in a DMZ (requires a distributed ISE deployment of course) and have two sets of ACLs - one (outside-dmz) for incoming traffic from eduroam to the PSN and another (dmz-inside) for the PSN inbound to the rest of your ISE servers.

FTBZ
Level 1
Level 1
In response to Marvin Rhoads

‎11-22-2017 10:52 PM

Thank you for your opinion.

The optimal choice will be to have 2 PSNs in a DMZ, but only for eduroam IdP it's too much in my case (license cost).
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to FTBZ

‎11-22-2017 11:09 PM

ISE licensing is for the entire deployment.

 

If you wanted to deploy two dedicated PSNs you would need only purchase the VMs (with associated support contract).

 

I have also seen customers put an Application Delivery Controller (like Citrix Netscaler or F5 Big-IP LTM) in the DMZ with a VIP for the public-facing service and then balancing traffic to the real server addresses on the inside of the network. That’s usually not dedicated for ISE but leveraging existing investment in that sort of infrastructure. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents