Solved: Re: Eduroam auth with ISE 2.x

annie · ‎01-24-2017

Do we have documentation on configuring ISE to work with Eduroam for auth on university campuses?

I see that there are threads from ISE 1.x and I understand that this should be fairly straightforward, but have not found reference documentation for interested university clients.

Thanks so much in advance!

Charlie Moreton · ‎01-25-2017

Also, there's this

https://communities.cisco.com/docs/DOC-71299

View solution in original post

Charlie Moreton · ‎01-24-2017

Annie,

This is actually the best reference I have been able to find and, yes, it is written for ISE 1.4,

https://supportforums.cisco.com/document/12627176/configuring-eduroam-cisco-ise-14

The truth is, I don't think there is official Cisco documentation detailing this configuration. I have used the above link for reference and have successfully configured Eduroam for a few clients. Contact me offline to discuss further.

Also, you can see customers using ISE 2.x for Eduroam at this link:

https://www.eduroam.us/taxonomy/term/53

Just click the Miscellaneous Information tab and look under RADIUS Server Type.

Charles Moreton

Charlie Moreton · ‎01-25-2017

Also, there's this

https://communities.cisco.com/docs/DOC-71299

thomas · ‎01-25-2017

Nice job, Charles! Thank you!!!

annie · ‎01-26-2017

This is fantastic! Thank you Charles!!!!

Nick Ciesinski_ · ‎09-04-2018

Edit: I found your post about bug CSCvg03448. This still seems to be a issue in ISE 2.4 patch 2....

Have you done any updates to your steps for eduroam for ISE 2.4? With ISE 2.4 they changed how policy sets are done and moved the protocols/proxy out of the authentication choice and now its on the policy set itself. When you set a proxy radius server there you no longer get options for local authorization. Seems like there is no way to do this now causing a issue for eduroam users.

Charlie Moreton · ‎09-04-2018

It's been updated here:

Configuring eduroam on Cisco Identity Services Engine (ISE)

Nick Ciesinski_ · ‎09-04-2018

I actually figured out my issue with the policy set screens being missing. It was because a step was missing from your steps.

Administration > Network Resources > Network Device List > RADIUS Server Sequences.

You didn't have documented the need to go to the Advanced Attribute Settings tab and then select "On Access-Accept, continue to Authorization Policy"

Once I checked that the Authorization Policy options appeared in my Policy Set for the External RADIUS setup.

Charlie Moreton · ‎09-04-2018

Great catch. I am validating the step in my lab now. It works as-is on 2.3 unpatched. I am installing patch 4 to test this setting and, if successful, will update the guide.

Nick Ciesinski_ · ‎09-04-2018

I am on ISE 2.4 Patch 2 which may be the reason for the difference.

Charlie Moreton · ‎09-04-2018

Tested and verified to be working on 2.3 Patch 4 and 2.4 Patch 2. The document has been updated to reflect this setting.

jickfoo · ‎10-11-2018

I'm looking to assign different one of two specific VLANs when a user with a specific domain suffix successfully logs in.

ie. @contonso.com VLAN = 111 , everyone else VLAN = 120

Anybody doing this, or are there any guides to make this happen ?

Many thanks, Justin

innovative_elephant · ‎08-24-2018

ISE 2.3 introduced changes to the Policy Sets. See here for specific 2.3 steps: https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/tac-p/3655677#M5789 (thank again to Charlie Moreton!)