11-22-2017 10:10 PM - edited 02-21-2020 10:40 AM
We started implementing Cisco ISE as the central NAC for all networks and I'm looking for the best idea to implement the eduroam IdP service.
The eduroam IdP service must be reachable through the Internet by other RADIUS servers. So how should it be implemented while minimizing the security risk?
Using ISE in a DMZ? Configuring multiple ISE network interfaces? NAT/PAT only on the RADIUS ports?
Thanks for the help.
11-22-2017 10:43 PM - edited 11-22-2017 11:03 PM
For eduroam to work, your RADIUS servers (i.e. at least one of your ISE PSNs) must be accessible from the eduroam top-level RADIUS servers (e.g., in the USA they are tlrs1.eduroam.us and tlrs2.eduroam.us).
The easiest solution is to have a static NAT (if you are using private addressing internally) plus an outside-in ACL allowing the tlrs servers to initiate traffic on the RADIUS well-known ports (udp/1812 and udp/1813).
If you wanted higher security, you could deploy one of your PSNs in a DMZ (requires a distributed ISE deployment of course) and have two sets of ACLs - one (outside-dmz) for incoming traffic from eduroam to the PSN and another (dmz-inside) for the PSN inbound to the rest of your ISE servers.
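As an added illustration of the static NAT plus outside-in ACL described in the reply above (this is not configuration from the thread or from Cisco), here is what the simpler option looks like on an ASA running 9.x syntax. All addresses are assumptions taken from the RFC 5737 documentation ranges: 10.1.1.10 stands in for the PSN's inside address, 203.0.113.10 for the public address published to eduroam, and 192.0.2.11/.12 for tlrs1/tlrs2.eduroam.us (substitute their current addresses). The NAT is done as static port translation so that only udp/1812 and udp/1813 are ever mapped, which also answers the "NAT/PAT only on the RADIUS port" part of the question.

```text
! Added example, not from the original post. ASA 8.3+/9.x object NAT.
! Assumed addresses (RFC 5737 documentation ranges, not real eduroam hosts):
!   10.1.1.10      = ISE PSN real (inside) address
!   203.0.113.10   = public address published to eduroam
!   192.0.2.11/.12 = placeholders for tlrs1/tlrs2.eduroam.us
!
! 1. Static port NAT: only the two RADIUS ports are mapped to the public IP.
!    Object NAT allows one service per object, hence two objects.
object network ISE-PSN-RADIUS-AUTH
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service udp 1812 1812
object network ISE-PSN-RADIUS-ACCT
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service udp 1813 1813
!
! 2. Only the eduroam top-level RADIUS servers may initiate traffic.
object-group network EDUROAM-TLRS
 network-object host 192.0.2.11
 network-object host 192.0.2.12
!
! 3. RADIUS ports given numerically: on the ASA the port names
!    "radius" and "radius-acct" resolve to the legacy 1645/1646.
object-group service RADIUS-UDP udp
 port-object eq 1812
 port-object eq 1813
!
! 4. Outside-in ACL. Post-8.3 ACLs reference the real (un-NATed) address.
access-list OUTSIDE-IN extended permit udp object-group EDUROAM-TLRS host 10.1.1.10 object-group RADIUS-UDP
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

To check the path before the eduroam operators do, trace a packet as one of the TLRS would send it: `packet-tracer input outside udp 192.0.2.11 1812 203.0.113.10 1812` should show the NAT phase translating to 10.1.1.10 and the ACL phase permitting; the same trace with a different source address or port must end at the deny. Two caveats: the firewall rule only opens the path, the TLRS still have to be defined on ISE as RADIUS clients with the agreed shared secret, which is a RADIUS requirement rather than a firewall one; and if you take the DMZ option instead, the second (dmz-inside) ACL has to permit the inter-node ports for your ISE release, so take those from the ISE port reference for that version rather than guessing.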
11-22-2017 10:52 PM
11-22-2017 11:09 PM
ISE licensing is for the entire deployment.
If you wanted to deploy two dedicated PSNs you would only need to purchase the VMs (with the associated support contract).
I have also seen customers put an Application Delivery Controller (like Citrix Netscaler or F5 Big-IP LTM) in the DMZ with a VIP for the public-facing service and then balancing traffic to the real server addresses on the inside of the network. That’s usually not dedicated for ISE but leveraging existing investment in that sort of infrastructure.