10-25-2019 09:03 AM
Org1 will be providing Cisco wireless infrastructure for a multitenant building. Org1 needs to deliver an Org2 802.1x wireless network in the new building. Org2 WLC will anchor an Org2 802.1x WLAN from Org1 WLC. 802.1x must successfully complete on the Org1 foreign WLC before the client is tunneled to the Org2 anchor WLC. Since Org1 will not have access to Org2 RADIUS servers, we decided to use eduroam TLRSs for 802.1x. Both Orgs are members of the eduroam RADIUS federation.
The standard wireless profile for Org2 wireless devices does not include the domain name “@org2.edu” in the user name. Org2 does not want to change the standard wireless profile. However, this is required to use eduroam TLRS to authenticate against Org2 eduroam RADIUS client servers.
Org1 has ISE deployment. Can Org1 ISE create a policy to take EAPOL-Response/Identity from Org2 client and add “@org2.edu” before sending it out as RADIUS-Access-Request to eduroam TLRSs?
There is “RADIUS Server Sequences List > Advanced Attribute Setting tab” that I thought might be the answer to my problem, but it did not work.
Any help would be greatly appreciated.
10-25-2019 12:57 PM
maybe that was too much info...
I need ISE to change the RADIUS username, i.e. sungy, to append the domain name, i.e. sungy@acme.edu, before sending the RADIUS packet off to the eduroam server.
Is this possible?
Thanks
10-25-2019 02:29 PM
Hi
In the screenshot you have ADD RADIUS:User-Name = @org1.edu under Modify Attributes in the Request.
Have you tried changing this to UPDATE RADIUS:User-Name = @org1.edu - this would hopefully change the radius username "outer-id" attribute for all org1 users to @org1.edu (that are then proxied to eduroam).
hth
Andy
10-26-2019 12:45 AM
10-28-2019 04:03 AM
Have you tried removing the existing RADIUS Username and then adding a generic one like screenshot below?
hth
andy
10-28-2019 10:18 AM
I am not looking for a specific user. I need to be able to take any username in EAPOL-Response from endpoint and add "@org1.edu" at the end.
<username> --> <username>@org1.edu
Yong
10-29-2019 03:00 AM
Hi
My apologies if I misunderstood.
My previous post (typo - should have read as org2 and not org1) was looking at a way of org1 proxying wireless org2 client requests to eduroam TLRs - eduroam TLRs would then send the request to org2 RADIUS for authentication.
The method above would hopefully replace the original org2 username with an anonymised outer-id of anon@org2.edu
<username> --> anon@org2.edu
The eduroam TLRs don't need to see the actual username - they just need to know to send the request to org2.edu RADIUS for authentication.
Andy
10-29-2019 07:03 AM
10-29-2019 07:42 AM
Interesting - so it seems that it worked as expected (in that it removed the original username and added an anonymised one). Did you use an actual account to test this that should have passed authentication?
Andy
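To make Andy's suggestion concrete at the packet level, here is an added example (not from the thread, not ISE code) that takes a RADIUS Access-Request as the foreign proxy would see it, strips every User-Name attribute and inserts a single anonymised outer identity of anon@org2.edu, leaving the EAP-Message untouched so the real (inner) identity still reaches the org2 RADIUS through the TLS tunnel. The realm helper shows the only thing an eduroam TLR needs from the outer identity: the part after "@". The sample packet is constructed; the attribute numbers are the standard RADIUS ones.

```python
import struct

ACCESS_REQUEST = 1   # RADIUS code
ATTR_USER_NAME = 1   # outer identity, what the eduroam proxies route on
ATTR_EAP_MESSAGE = 79  # carries the EAP/TLS tunnel with the inner identity
HEADER_LEN = 20      # code(1) id(1) length(2) authenticator(16)

def parse_attrs(packet):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """Re-encode header + TLV attributes with a correct Length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def anonymise_outer_identity(packet, realm, anon="anon"):
    """Remove the existing User-Name(s) and add a generic anon@realm one.
    In a real proxy the Message-Authenticator (attr 80) must then be
    recomputed with the next hop's shared secret; that step is omitted here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_REQUEST:
        raise ValueError("not a well-formed Access-Request")
    auth = packet[4:HEADER_LEN]
    kept = [(t, v) for t, v in parse_attrs(packet) if t != ATTR_USER_NAME]
    kept.insert(0, (ATTR_USER_NAME, f"{anon}@{realm}".encode()))
    return build_packet(code, ident, auth, kept)

def realm_of(user_name):
    """Realm an eduroam TLR routes on: text after the last '@', or None."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None

# Constructed sample: a client whose profile sends the bare username "sungy".
SAMPLE_REQUEST = build_packet(ACCESS_REQUEST, 7, b"\x00" * 16, [
    (ATTR_USER_NAME, b"sungy"),
    (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01sungy"),  # EAP-Response/Identity
])

def user_names(packet):
    return [v.decode() for t, v in parse_attrs(packet) if t == ATTR_USER_NAME]
```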