Eduroam auth with ISE 2.x

annie
Cisco Employee

Do we have documentation on configuring ISE to work with Eduroam for auth on university campuses?

I see that there are threads from ISE 1.x and I understand that this should be fairly straightforward, but have not found reference documentation for interested university clients.

Thanks so much in advance!


Charlie Moreton
Cisco Employee

Annie,

This is actually the best reference I have been able to find and, yes, it is written for ISE 1.4,

https://supportforums.cisco.com/document/12627176/configuring-eduroam-cisco-ise-14

The truth is, I don't think there is official Cisco documentation detailing this configuration.  I have used the above link for reference and have successfully configured Eduroam for a few clients.  Contact me offline to discuss further.

Also, you can see customers using ISE 2.x for Eduroam at this link:

https://www.eduroam.us/taxonomy/term/53

Just click the Miscellaneous Information tab and look under RADIUS Server Type.

Charles Moreton

Nice job, Charles! Thank you!!!

This is fantastic! Thank you Charles!!!!

Edit: I found your post about bug CSCvg03448. This still seems to be an issue in ISE 2.4 patch 2...

Have you done any updates to your steps for eduroam for ISE 2.4? With ISE 2.4 they changed how policy sets are done and moved the protocols/proxy out of the authentication choice, and now it's on the policy set itself. When you set a proxy RADIUS server there, you no longer get options for local authorization. Seems like there is no way to do this now, causing an issue for eduroam users.

I actually figured out my issue with the policy set screens being missing. It was because a step was missing from your steps.

Administration > Network Resources > Network Device List > RADIUS Server Sequences.

You didn't document the need to go to the Advanced Attribute Settings tab and then select "On Access-Accept, continue to Authorization Policy".

Once I checked that, the Authorization Policy options appeared in my Policy Set for the External RADIUS setup.

Great catch.  I am validating the step in my lab now.  It works as-is on 2.3 unpatched.  I am installing patch 4 to test this setting and, if successful, will update the guide.

I am on ISE 2.4 Patch 2 which may be the reason for the difference.

Tested and verified to be working on 2.3 Patch 4 and 2.4 Patch 2.  The document has been updated to reflect this setting.

I'm looking to assign one of two specific VLANs when a user with a specific domain suffix successfully logs in.

i.e. @contonso.com VLAN = 111, everyone else VLAN = 120

Anybody doing this, or are there any guides to make this happen?

Many thanks, Justin

ISE 2.3 introduced changes to the Policy Sets. See here for specific 2.3 steps: https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/tac-p/3655677#M5789 (thanks again to Charlie Moreton!)