cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2746
Views
5
Helpful
7
Replies

Configuring ISE to proxy Authentications based on email address

noc
Level 1
Level 1

Hi

 

I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials

 

Workflow:

  1. User associates to SSID (eduroamTest)
  2. Prompted for username & password (802.1x)
  3. User puts in username and password in the form joebloggs@university.com (UPN)
  4. If the user is part of our local institution they are authenticated using our local radius server (ISE)
  5. If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
  6. The National Gateways  passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
  7. The institution authenticates the user and passes the  request back to the National Gateways
  8. The National Gateways passes this request back to our ISE server and the external user is authenticated
  9. The user can browse the web

 

What I have done:

  1. Setup the National Gateways as external proxy servers
  2. Created firewall rules to allow the traffic
  3. Configured the proxy sequence with these servers
  4. Created a policy to proxy requests to the proxy sequence

 

What I need to figure out:

  1. How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)

Any help with this configuration would be greatly appreciated as I am new to ISE.

 

If you need any more info please let know.

 

Kind regards

 

John

 

7 Replies 7

jan.nielsen
Level 7
Level 7

Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;

radius/called-station-id contains "eduroam"

and

radius/username ends with "rcsi.ie"

Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.

If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.

 

 

Hi Jan

 

Thanks for your reply. Only getting back to this now. Unfortunately it hasn't worked for me. I have attached screenshots of the config and the troubleshooter.

 

Any idea where its going wrong?

 

Kind regards

 

John

Your authz condition is wrong, if you wan't only to match username that have the domain "rcsi.ie" at the end, you should use "ends with" or "contains" "rsci.ie", and not "Not Equals"

Also, you need to move the eduroam authentication rule to the top of your rule set, as the second rule you have will catch all dot1x requests on both wired and wireless, and ise will select this rule.

Thanks Jan

 

I'll give it a try early tomorrow morning, in case I break access to the Wifi for all the students.

 

Thanks

 

John

Hi Jan

 

Your suggestions worked for me. I was able to authenticate an external user to access the web using the eduroamTest ssid. 

 

The problem I'm facing now is that a test user I set up here isnt being authenticated in partner campuses. I can see the radius requests coming through our firewall.

 

Do you need to do something special on ISE, to authorise radius requests from external radius servers?

 

Thanks a lot

 

John

I don't think i have tried that, but as a minimum, you would have to define the other radius server as a network device in your ise, and agree on a radius key. Then you should begin to see the requests coming into your ise.

Hey Guys,

I have to implement the same solution. I understand we need to configure the authentication policy that would match field like SSID and domain name ( @cisco.com for example and if this condition satisfy then ISE will redirect this traffic to the external proxy server.

I am wondering, if we also need to configure any authorization policy to achieve this ?

Can you please confirm what authorization policy do you have  for your setup ?

Thanks in advance for your reply.