ISE Integration with Eduroam External Server

deepuvarghese1

The purpose of this document is to demonstrate how ISE can integrate with an external eduroam server. Eduroam is a Wi-Fi roaming service that provides international network access to devices in education, research, and higher education: students, teachers, and researchers get access to network resources when they visit an institution other than their own. This document describes the components used for this setup, the configuration of ISE, and the configuration of eduroam.

These are the steps in the flow of an external domain user:

  • The WLC at each location is configured with ISE as its authentication and accounting server. The eduroam SSID is configured according to the 802.1X standard.
  • The ISE at each location is configured with the local WLC as a network device with RADIUS enabled. ISE is configured with the allowed protocols, an identity source sequence, and authentication/authorization policies.
  • ISE is configured with eduroam as an external RADIUS server.
  • AD group members are associated with the eduroam SSID for 802.1X authentication.
  • The WLC sends the RADIUS request to ISE.
  • Based on the policy set, ISE checks whether the user is a member of a local AD group or a roaming AD group. If the user belongs to an external domain, ISE forwards the request to the external eduroam servers (which are hosted in the cloud). Eduroam validates the request from ISE, checks whether the user is part of the remote AD, and sends the response back to ISE. ISE then authorizes the user based on the mapped policies and assigns a VLAN tag based on the AD group.

These are the steps in the flow of an internal domain user:

  • The WLC at each location is configured with ISE as its authentication and accounting server. The eduroam SSID is configured according to the 802.1X standard.
  • The ISE at each location is configured with the local WLC as a network device with RADIUS enabled. ISE is configured with the allowed protocols, an identity source sequence, and authentication/authorization policies.
  • AD group members are associated with the eduroam SSID for 802.1X authentication.
  • The WLC sends the RADIUS request to ISE.
  • Based on the policy set, ISE checks whether the user is a member of a local AD group or a roaming AD group. If the user belongs to the internal domain, ISE does not send the request to the external eduroam servers; it authorizes the user based on the mapped policies and assigns a VLAN tag based on the AD group.
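To make the local-versus-roaming decision in both flows above concrete, here is an added example (not ISE configuration or Cisco code) that models the policy-set step: it parses the outer identity of the RADIUS request, authenticates and VLAN-tags internal-domain users from a local AD lookup, and forwards every other realm to the external eduroam server. The realm names, AD groups, VLAN numbers and the `LOCAL_AD` lookup table are constructed placeholders.

```python
"""Model of the ISE policy-set decision for the eduroam SSID (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALMS = {"home-uni.example"}               # constructed: realms served by local AD
GROUP_TO_VLAN = {"Students": 110, "Staff": 120}   # constructed AD group -> VLAN tag map
# Constructed stand-in for the local AD lookup (outer identity -> AD group).
LOCAL_AD = {"alice@home-uni.example": "Students", "bob@home-uni.example": "Staff"}


@dataclass
class Decision:
    action: str                 # "local", "proxy_eduroam" or "reject"
    realm: Optional[str]
    vlan: Optional[int] = None
    reason: str = ""


def parse_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an eduroam outer identity (user@realm) into (user, realm).

    The realm, normalised to lower case, drives routing. Identities with no
    realm, an empty realm or more than one '@' cannot be routed and get None.
    """
    if user_name.count("@") != 1:
        return user_name, None
    user, realm = user_name.split("@")
    return user, realm.strip().lower() or None


def decide(user_name: str, local_realms=LOCAL_REALMS, local_ad=LOCAL_AD) -> Decision:
    """Return what ISE should do with an Access-Request for this user."""
    _, realm = parse_realm(user_name)
    if realm is None:
        # Without a realm eduroam cannot route the request; do not proxy it.
        return Decision("reject", None, reason="outer identity has no realm")
    if realm in local_realms:
        # Internal-domain user: authenticate locally, VLAN from the AD group.
        group = local_ad.get(user_name.lower())
        if group is None or group not in GROUP_TO_VLAN:
            return Decision("reject", realm, reason="not in an authorised local AD group")
        return Decision("local", realm, vlan=GROUP_TO_VLAN[group], reason="local AD member")
    # Any other realm belongs to a remote institution: forward to eduroam.
    return Decision("proxy_eduroam", realm, reason="roaming user, home institution is remote")


if __name__ == "__main__":
    for name in ("alice@home-uni.example", "carol@other-uni.example", "mallory"):
        print(name, "->", decide(name))
```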

Components Used:

  • Cisco ISE 3.1 with patch 2
  • Cisco Wireless LAN Controller - 8450
  • Active Directory 2016
  • Endpoints: Microsoft Windows 10, Apple iPhone, Android, etc.
  • Eduroam server

Refer to the attached document for more information.
