This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Do we have documentation on configuring ISE to work with Eduroam for auth on university campuses?
I see that there are threads from ISE 1.x and I understand that this should be fairly straightforward, but have not found reference documentation for interested university clients.
Thanks so much in advance!
Solved! Go to Solution.
This is actually the best reference I have been able to find and, yes, it is written for ISE 1.4,
The truth is, I don't think there is official Cisco documentation detailing this configuration. I have used the above link for reference and have successfully configured Eduroam for a few clients. Contact me offline to discuss further.
Also, you can see customers using ISE 2.x for Eduroam at this link:
Just click the Miscellaneous Information tab and look under RADIUS Server Type.
Edit: I found your post about bug CSCvg03448. This still seems to be a issue in ISE 2.4 patch 2....
Have you done any updates to your steps for eduroam for ISE 2.4? With ISE 2.4 they changed how policy sets are done and moved the protocols/proxy out of the authentication choice and now its on the policy set itself. When you set a proxy radius server there you no longer get options for local authorization. Seems like there is no way to do this now causing a issue for eduroam users.
I actually figured out my issue with the policy set screens being missing. It was because a step was missing from your steps.
Administration > Network Resources > Network Device List > RADIUS Server Sequences.
You didn't have documented the need to go to the Advanced Attribute Settings tab and then select "On Access-Accept, continue to Authorization Policy"
Once I checked that the Authorization Policy options appeared in my Policy Set for the External RADIUS setup.
Great catch. I am validating the step in my lab now. It works as-is on 2.3 unpatched. I am installing patch 4 to test this setting and, if successful, will update the guide.
I'm looking to assign different one of two specific VLANs when a user with a specific domain suffix successfully logs in.
ie. @contonso.com VLAN = 111 , everyone else VLAN = 120
Anybody doing this, or are there any guides to make this happen ?
Many thanks, Justin
ISE 2.3 introduced changes to the Policy Sets. See here for specific 2.3 steps: https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/tac-p/3655677#M5789 (thank again to Charlie Moreton!)