cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3279
Views
9
Helpful
12
Replies
Cisco Employee

Eduroam auth with ISE 2.x

Do we have documentation on configuring ISE to work with Eduroam for auth on university campuses?

I see that there are threads from ISE 1.x and I understand that this should be fairly straightforward, but have not found reference documentation for interested university clients.

Thanks so much in advance!

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

12 REPLIES 12
Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Annie,

This is actually the best reference I have been able to find and, yes, it is written for ISE 1.4,

https://supportforums.cisco.com/document/12627176/configuring-eduroam-cisco-ise-14

The truth is, I don't think there is official Cisco documentation detailing this configuration.  I have used the above link for reference and have successfully configured Eduroam for a few clients.  Contact me offline to discuss further.

Also, you can see customers using ISE 2.x for Eduroam at this link:

https://www.eduroam.us/taxonomy/term/53

Just click the Miscellaneous Information tab and look under RADIUS Server Type.

Charles Moreton

Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Nice job, Charles! Thank you!!!

Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

This is fantastic! Thank you Charles!!!!

Highlighted
Enthusiast

Re: Eduroam auth with ISE 2.x

Edit: I found your post about bug CSCvg03448.  This still seems to be a issue in ISE 2.4 patch 2....

 

Have you done any updates to your steps for eduroam for ISE 2.4?  With ISE 2.4 they changed how policy sets are done and moved the protocols/proxy out of the authentication choice and now its on the policy set itself.  When you set a proxy radius server there you no longer get options for local authorization.  Seems like there is no way to do this now causing a issue for eduroam users.

Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Highlighted
Enthusiast

Re: Eduroam auth with ISE 2.x

I actually figured out my issue with the policy set screens being missing.  It was because a step was missing from your steps.

 

Administration > Network Resources > Network Device List > RADIUS Server Sequences.

 

You didn't have documented the need to go to the Advanced Attribute Settings tab and then select "On Access-Accept, continue to Authorization Policy"

 

Once I checked that the Authorization Policy options appeared in my Policy Set for the External RADIUS setup.

Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Great catch.  I am validating the step in my lab now.  It works as-is on 2.3 unpatched.  I am installing patch 4 to test this setting and, if successful, will update the guide.

Highlighted
Enthusiast

Re: Eduroam auth with ISE 2.x

I am on ISE 2.4 Patch 2 which may be the reason for the difference.
Highlighted
Cisco Employee

Re: Eduroam auth with ISE 2.x

Tested and verified to be working on 2.3 Patch 4 and 2.4 Patch 2.  The document has been updated to reflect this setting.

Highlighted
Beginner

Re: Eduroam auth with ISE 2.x

I'm looking to assign different one of two specific VLANs when a user with a specific domain suffix successfully logs in. 

ie. @contonso.com VLAN = 111 , everyone else VLAN = 120 

Anybody doing this, or are there any guides to make this happen ? 

Many thanks, Justin

 

Highlighted

Re: Eduroam auth with ISE 2.x

ISE 2.3 introduced changes to the Policy Sets. See here for specific 2.3 steps: https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/tac-p/3655677#M5789 (thank again to Charlie Moreton!)