Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
2697
Views
21
Helpful
3
Comments

ISE Integration with Eduroam External Server

deepuvarghese1
Beginner
Beginner
‎05-09-2022 08:31 PM

The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and researchers have access to network resources when they visit an institution other than their own. This document describes the components used for this setup, the configuration of ISE, and the configuration of eduroam.

These are the steps in the flow of an external domain user:

  • WLC of each location is configured with ISE as an authentication and accounting server. The eduroam SSID will be configured according to 802.1x standard.
  • ISE of each location is configured with local WLC as a network device with RADIUS functionality enabled. ISE to be configured with protocols, identity source sequence, and authentication/authorization policies.
  • ISE is configured with eduroam as an external radius server.
  • AD group members associated with eduroam SSID for 802.1x authentication.
  • The WLC sends the RADIUS request to ISE.
  • Based on the policy set, ISE checks whether the user is a member of a local AD group or a roaming AD group. If it is an external domain user, ISE sends the traffic to external eduroam servers (which are hosted in the cloud) if the user belongs to an external AD. Eduroam validates the request from ISE and checks if the user is a part of remote AD and sends the response back to ISE. ISE will authorize based on the policies mapped. ISE assigns a VLAN tag to the user based on the AD group.

These are the steps in the flow of an internal domain user:

  • WLC of each location to be configured with ISE as an authentication and accounting server. The eduroam SSID is configured according to 802.1x standard.
  • ISE of each location is configured with local WLC as a network device with RADIUS functionality enabled. ISE to be configured with protocols, identity source sequence, and authentication/authorization policies.
  • AD group members associated with eduroam SSID for 802.1x authentication.
  • The WLC sends the RADIUS request to ISE.
  • Based on the policy set, ISE checks whether the user is a member of a local AD group or a roaming AD group. If it is an internal domain user, ISE will not send the request to external eduroam servers rather it will authorize based on the policies mapped. ISE assigns a VLAN tag to the user based on the AD group.

Components Used:

  • Cisco ISE 3.1 with patch 2
  • Cisco Wireless LAN Controller - 8450
  • Active Directory 2016
  • Endpoint: Microsoft Windows 10, Apple iPhone, Android etc,
  • Eduroam server

Refer the attached document for more information.

Preview file
2232 KB
3 Comments
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents