Solved: ISE support for 3GPP

damelton · ‎03-18-2018

Customer currently has Juniper Steel Belted Radius for 3GPP authentication, and would like to consolidate their AAA estate onto a single platform. I am aware that CPAR is documented as supporting 3GPP but I can't not find any documentation stating that 3GPP is supported.

Can someone confirm if 3GPP is supported and has been tested with ISE. If not I'd be grateful for some assistance with testing support for this 3GPP with ISE. I.E by providing the customer an eval of ISE and getting the customer to provide ISE Authentication trace for analysis.

Craig Hyps · ‎03-18-2018

ISE is a standards-based RADIUS server and there may be basic use cases where ISE could support 3GPP AAA requirements, but ISE is not targeted for this environment. For more info on 3GPP and AAA, see http://etutorials.org/Mobile+devices/mobile+vpn/Appendix+C+RADIUS+Usage+in+3GPP/

Cisco's Access Registrar solution is focused on SP requirements and is a 3GPP-compliant AAA server:

Cisco Prime Access Registrar - Cisco

View solution in original post

Craig Hyps · ‎03-18-2018

ISE is a standards-based RADIUS server and there may be basic use cases where ISE could support 3GPP AAA requirements, but ISE is not targeted for this environment. For more info on 3GPP and AAA, see http://etutorials.org/Mobile+devices/mobile+vpn/Appendix+C+RADIUS+Usage+in+3GPP/

Cisco's Access Registrar solution is focused on SP requirements and is a 3GPP-compliant AAA server:

Cisco Prime Access Registrar - Cisco

thomas · ‎03-18-2018

If you want an evaluation copy of ISE, see How to Get ISE Evaluation Software & Licenses.

The evaluation software link is also on the homepage of the Identity Services Engine (ISE) community.

damelton · ‎03-19-2018

Thanks Thomas I will offer an evaluation to the customer. However, I was also after a contact email/alias where I could ask for assistance to debug the Authentication traces should the customer have issues in this environment, are you able to advise on this.

Many thanks DaveM

Craig Hyps · ‎03-19-2018

You can leverage the ISE Community for technical questions, but please realize that it is not intended to be a replacement for advanced services or TAC. If need support for deep-level troubleshooting and debugging, then this should be led by either account team resources, Cisco/partner services, or potentially TAC if system not working as expected. Also, I would again consider evaluating Access Registrar for this specific use case.

damelton · ‎03-20-2018

Thanks for your helpful replies and for reference I've summarised our discussion below:

Cisco do not officially support 3GPP on ISE, by this you mean 3GPP authentication has not been tested and verified by Cisco.

The official ISE Compatibility Guide is listed @ http://cs.co/ise-compatibility for supported protocols/databases.

It is likely that ISE could work with 3GPP but the customer would need to play with it in a lab to see how they can would adapt the existing protocols or APIs to do it. Cisco could certainly provide assistance with this investigation.

It should also be noted that if the customer deploys this in the live network given its not officially supported, should issues occur then it may not be straightforward to troubleshoot this issue with TAC.

Cisco recommended approach would be to use CPAR which does officially support 3GPP Authentication.