This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
What I have done:
What I need to figure out:
Any help with this configuration would be greatly appreciated as I am new to ISE.
If you need any more info please let know.
Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;
radius/called-station-id contains "eduroam"
radius/username ends with "rcsi.ie"
Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.
Your authz condition is wrong, if you wan't only to match username that have the domain "rcsi.ie" at the end, you should use "ends with" or "contains" "rsci.ie", and not "Not Equals"
Also, you need to move the eduroam authentication rule to the top of your rule set, as the second rule you have will catch all dot1x requests on both wired and wireless, and ise will select this rule.
Your suggestions worked for me. I was able to authenticate an external user to access the web using the eduroamTest ssid.
The problem I'm facing now is that a test user I set up here isnt being authenticated in partner campuses. I can see the radius requests coming through our firewall.
Do you need to do something special on ISE, to authorise radius requests from external radius servers?
Thanks a lot
I don't think i have tried that, but as a minimum, you would have to define the other radius server as a network device in your ise, and agree on a radius key. Then you should begin to see the requests coming into your ise.
I have to implement the same solution. I understand we need to configure the authentication policy that would match field like SSID and domain name ( @cisco.com for example and if this condition satisfy then ISE will redirect this traffic to the external proxy server.
I am wondering, if we also need to configure any authorization policy to achieve this ?
Can you please confirm what authorization policy do you have for your setup ?
Thanks in advance for your reply.