Configuring eduroam on Cisco Identity Services Engine (ISE) 2.1

Purpose

This document details the steps for using ISE to authenticate eduroam users.

Three rules cover the authentication scenarios that will be encountered:

Rule 1: The user is not a member of the home institution. Authentication is proxied to the eduroam RADIUS servers.

Rule 2: The user is a member of the home institution but is located at another institution. The authentication request arrives from the eduroam RADIUS servers and is answered locally.

Rule 3: The user is a member of the home institution and the request originates locally.

 

Regarding authorization, the goal is simply PermitAccess, but the authorization rules are broken down to give granularity to the reporting.

Prerequisites

eduroam

Register the IP addresses of your Policy Service Nodes as AAA servers with eduroam.

Wireless LAN Controller

On all Wireless LAN Controllers (WLCs) configured to offer the SSID 'eduroam' to AP groups, make sure that the WLAN ID is the same on all WLCs and that all ISE Policy Service Nodes (PSNs) are used for authentication.

Policy Sets

This guide shows the configuration of eduroam using Policy Sets. If you are not currently using them, the configuration can also be done without Policy Sets. To enable Policy Sets, navigate to Administration > System > Settings > Policy Sets, select Enabled and click Save.

[Screenshot: eduroam1.png]

You will be logged out of ISE. Once you log back in, the Policy menu is different: there is a Policy Sets entry, and the Authentication and Authorization entries are gone. Any policies you had already created are now in the Default Policy Set.

[Screenshot: eduroam2.png]

Active Directory

ISE must be joined to your Active Directory domain to authenticate local users. You can use any of the identity sources supported by ISE, but this document focuses on Active Directory (AD).

If you have not already joined ISE to your Active Directory domain, do so now by navigating to Administration > Identity Management > External Identity Sources > Active Directory.

Create a service account in AD and use it to join ISE to your AD domain.

[Screenshot: eduroam3.png]

eduroam Configuration

Add eduroam RADIUS servers

Eduroam External User Server Setup

In this step, we configure the external eduroam RADIUS servers to which ISE proxies the authentication of users visiting the home institution. First, navigate to Administration > Network Resources > External RADIUS sources.

Configure each of the eduroam RADIUS servers that will be used for authenticating users from external realms. The specific IP address and shared secret will be provided to you by eduroam. You can name these entries however you like.

[Screenshot: eduroam4.png]

Then, navigate to Administration > Network Resources > Network Device List > RADIUS Server Sequences.

This is where you create a sequence that lists the order in which the external eduroam RADIUS servers are tried.

[Screenshot: eduroam5.png]

Eduroam Internal User Server Setup

Now we configure access for internal users who are visiting a different eduroam member institution. Navigate to Administration > Network Resources > Network Device Groups.

Under All Device Types, create a group for the eduroam RADIUS servers and one for your wireless controllers. In the figure below they are named 'Eduroam' and 'WLC' respectively.

[Screenshot: eduroam6.png]


Now that the groups are created, go to Administration > Network Resources > Network Devices to add the eduroam RADIUS servers and wireless controllers to ISE.

[Screenshot: eduroam7.png]

Make sure your WLCs are members of the WLC group and the eduroam RADIUS servers are members of the Eduroam group. This is set in the Network Device Group section of each device.

Create the eduroam Policy Conditions

Authentication Conditions

This step creates the conditions used to authenticate through the eduroam system while keeping your Authentication Policy clean. Navigate to Policy > Policy Elements > Conditions > Authentication > Compound Conditions.

Create a new condition, e.g. 'Eduroam_User_External'. It is used to identify RADIUS requests that must be handed off to the eduroam RADIUS servers. A request may arrive with a bare username and no realm; we assume such a user belongs to our own AD. A 'foreign' username is therefore one that does not end with our own realm but does contain the '@' symbol, which we take to mean that a different realm has been supplied.

Configure the following attributes:

Radius:User-Name NOT ENDS WITH @<your_domain> AND
Radius:User-Name CONTAINS @ AND
Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11

[Screenshot: eduroam8.png]

Create another condition, 'Eduroam_User_Traveling', similar to the one above but without the User-Name elements. Since this condition identifies eduroam traffic that must be sent to the eduroam RADIUS servers, include a check for the WLAN ID (this document uses WLAN ID 6; make sure you use the WLAN ID that corresponds to your eduroam SSID):

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND
Airespace:Airespace-Wlan-Id EQUALS 6

[Screenshot: eduroam9.png]

Authorization Condition

This step creates the condition used to authorize local users at their home institution through the eduroam system while keeping your Authorization Policy clean. Navigate to Policy > Policy Elements > Conditions > Authorization > Compound Conditions.

Identify authorization requests coming from the eduroam SSID and check the user names against AD. Name it 'Eduroam_User_Local':

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND
Airespace:Airespace-Wlan-Id EQUALS 6 AND
AD1:ExternalGroups EQUALS <your_domain>/Users/Domain Users

[Screenshot: eduroam10.png]

Create the eduroam Policy Set

Navigate to Policy > Policy Sets and create a new Policy Set named 'Eduroam Wireless'.

Set the Policy Set filter as:

Airespace:Airespace-Wlan-Id EQUALS 6 OR
Radius:Called-Station-ID ENDS WITH eduroam OR
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam

[Screenshot: eduroam11.png]

Authentication Policy

Create three rules to handle the different authentication directions: inbound, outbound, and local.

Name                   | If                                                                                 | Allowed Protocols          | Default (identity source)
Eduroam External User  | Eduroam_User_External                                                              | Use Proxy Service: Eduroam | (none, request is proxied)
Eduroam Traveling User | DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam                     | PEAP-Auth                  | AD1
Eduroam Local User     | Airespace:Airespace-Wlan-Id EQUALS 6 OR Radius:Called-Station-ID ENDS WITH eduroam | PEAP-Auth                  | AD1

[Screenshot: eduroam12.png]
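As an added example (not code from the original article), the policy set filter and the three authentication rules above expressed in plain Python, so the routing of a given RADIUS request can be checked offline before the rules are typed into ISE. The home realm example.edu, the use of ISE attribute names as dictionary keys, and the request dictionaries themselves are assumptions of this example.

```python
# Added example (not from the article): a plain-Python model of the eduroam
# policy set and its three authentication rules. Attribute names follow the
# article; the home realm "example.edu" and all requests are constructed.
HOME_REALM = "example.edu"   # assumed home realm, stands in for <your_domain>
EDUROAM_WLAN_ID = 6          # WLAN ID of the eduroam SSID, as in the article
EDUROAM_DEVICE_TYPE = "Device Type#All Device Types#Eduroam"

def is_wireless_framed(req):
    # Service-Type / NAS-Port-Type checks shared by the compound conditions
    return (req.get("Radius:Service-Type") == "Framed"
            and req.get("Radius:NAS-Port-Type") == "Wireless - IEEE 802.11")

def eduroam_user_external(req):
    # 'Eduroam_User_External': User-Name carries '@' but does not end with our
    # own realm, so the request must be proxied to the eduroam servers
    user = req.get("Radius:User-Name", "")
    return (is_wireless_framed(req) and "@" in user
            and not user.endswith("@" + HOME_REALM))

def from_eduroam_servers(req):
    # request delivered by an eduroam RADIUS server (Device Type 'Eduroam'):
    # one of our own users is travelling and is authenticated against AD1
    return req.get("DEVICE:Device Type") == EDUROAM_DEVICE_TYPE

def on_local_eduroam_ssid(req):
    # request from our own eduroam SSID, by WLAN ID or by Called-Station-ID
    return (req.get("Airespace:Airespace-Wlan-Id") == EDUROAM_WLAN_ID
            or req.get("Radius:Called-Station-ID", "").endswith("eduroam"))

# authentication rules in the article's order; as in ISE, the first match wins
AUTHC_RULES = [
    ("Eduroam External User", eduroam_user_external, "Proxy Service: Eduroam"),
    ("Eduroam Traveling User", from_eduroam_servers, "PEAP-Auth / AD1"),
    ("Eduroam Local User", on_local_eduroam_ssid, "PEAP-Auth / AD1"),
]

def in_policy_set(req):
    # filter of the 'Eduroam Wireless' policy set: WLAN ID, SSID or device type
    return on_local_eduroam_ssid(req) or from_eduroam_servers(req)

def route(req):
    # return (rule name, protocols / identity source), or None when the request
    # does not enter the policy set or matches none of the three rules
    if not in_policy_set(req):
        return None
    for name, condition, action in AUTHC_RULES:
        if condition(req):
            return name, action
    return None
```

A Called-Station-ID such as "00-11-22-33-44-55:eduroam" (AP MAC followed by the SSID, as a WLC sends it) satisfies the ENDS WITH clause even when the WLAN ID attribute is absent.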

Authorization Policy

Create two rules to handle the different authorization methods: external and local.

Rule Name        | Conditions                                         | Permissions
Eduroam External | DEVICE:Device Type EQUALS All Device Types#Eduroam | GUEST-ACCESS
Eduroam Local    | Eduroam_User_Local                                 | GUEST-ACCESS

[Screenshot: eduroam13.png]

Comments
Beginner

Just the cookbook I was looking for.

But a question on the policy set creation, the 2nd and 3rd lines show the values being set to "eduroam", but I don't see those values as options, where do those need to be created so they are selectable for those two lines of the policy set?

Cisco Employee

If you are talking about the Authentication Policy:

[Screenshot: wduroam_authc.PNG]

For the Eduroam Traveling User, this is shown in the section titled Eduroam Internal User Server Setup.

For the Eduroam Local User, you type in the name of the SSID, which, in this case, is eduroam.

I hope this helps.

Beginner

Actually, the section right above that.

Cisco Employee

The answers are the same, though. Radius:Called-Station-ID ENDS WITH, and then in the dropdown just type eduroam.

The Device Type is set as noted, but is listed in a manner that might catch you off guard.

[Screenshot: eduroam_AuthC2.PNG]

You have to have created the Device Group and placed the Eduroam servers in it for this to be effective.

Beginner

Hi,

How can I use ISE as eduroam FLR? I think I should use the same concept of external RADIUS server.

Beginner

Great article. Can you expand a little on how to register ISE as our RADIUS server with the external RADIUS servers & does this mean ISE needs to be accessible from the internet?

Beginner

Hi @Jason Weids,

Usually you don't connect your RADIUS server to other RADIUS servers outside of your organization. Instead you get a proxy RADIUS server which faces the internet and forwards/receives the requests from eduroam partners to you.

This proxy is the one added with the eduroam people, so they know where you are and route the requests to you when needed.

Beginner

Hi, can you advise on how to do the authentication policy in v2.3?

In the example above, when creating the 3 rules for the authentication of external, travelling and local users, it says to set the Allowed Protocols to Use Proxy Service: Eduroam and PEAP-Auth, but in v2.3 the authentication policy has the "Use" field where you can select internal endpoints, users and ID stores.

Beginner

Hi,

Just a little question.

This integration is supposed to be applied to a guest access environment. So, is a Base license enough to do it, or do I need another license?

Thank you.

Beginner

Usually this is an 802.1X SSID.