Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Configuring ISE to proxy Authentications based on email address



I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials



  1. User associates to SSID (eduroamTest)
  2. Prompted for username & password (802.1x)
  3. User puts in username and password in the form (UPN)
  4. If the user is part of our local institution they are authenticated using our local radius server (ISE)
  5. If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
  6. The National Gateways  passes the request to the relevant institution based on the UPN (eg will be passed to ucd radius servers)
  7. The institution authenticates the user and passes the  request back to the National Gateways
  8. The National Gateways passes this request back to our ISE server and the external user is authenticated
  9. The user can browse the web


What I have done:

  1. Setup the National Gateways as external proxy servers
  2. Created firewall rules to allow the traffic
  3. Configured the proxy sequence with these servers
  4. Created a policy to proxy requests to the proxy sequence


What I need to figure out:

  1. How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = * then use local ISE otherwise use proxy service)

Any help with this configuration would be greatly appreciated as I am new to ISE.


If you need any more info please let know.


Kind regards




Rising star

Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;

radius/called-station-id contains "eduroam"


radius/username ends with ""

Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.

If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.



Hi Jan


Thanks for your reply. Only getting back to this now. Unfortunately it hasn't worked for me. I have attached screenshots of the config and the troubleshooter.


Any idea where its going wrong?


Kind regards



Your authz condition is wrong, if you wan't only to match username that have the domain "" at the end, you should use "ends with" or "contains" "", and not "Not Equals"

Also, you need to move the eduroam authentication rule to the top of your rule set, as the second rule you have will catch all dot1x requests on both wired and wireless, and ise will select this rule.

Thanks Jan


I'll give it a try early tomorrow morning, in case I break access to the Wifi for all the students.





Hi Jan


Your suggestions worked for me. I was able to authenticate an external user to access the web using the eduroamTest ssid. 


The problem I'm facing now is that a test user I set up here isnt being authenticated in partner campuses. I can see the radius requests coming through our firewall.


Do you need to do something special on ISE, to authorise radius requests from external radius servers?


Thanks a lot



I don't think i have tried that, but as a minimum, you would have to define the other radius server as a network device in your ise, and agree on a radius key. Then you should begin to see the requests coming into your ise.

Hey Guys,

I have to implement the same solution. I understand we need to configure the authentication policy that would match field like SSID and domain name ( for example and if this condition satisfy then ISE will redirect this traffic to the external proxy server.

I am wondering, if we also need to configure any authorization policy to achieve this ?

Can you please confirm what authorization policy do you have  for your setup ?

Thanks in advance for your reply.

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube