cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Configuring Eduroam on Cisco ISE 1.4

4549
Views
4
Helpful
18
Comments

This document details the steps for using ISE to authenticate Eduroam users. Janet is the name of the UK provider of Eduroam, please replace this with your own reference.

 

Three rules cover the authentication scenarios which will be encountered:

Rule 1 : User is not a member of the institution

Rule 2 : User is a member of the home institution but is located at another institution. Authentication will be sourced from the Janet NRPS.

Rule 3 : User is a member of the home institution and the request will be sourced locally.

 

Regarding authorization, we are simply aiming for PermitAccess, but will break the AuthZ rules down to give granularity to the reporting.

 

Prerequisites

On all WLCs configured to offer the SSID 'eduroam' to AP Groups, make sure that WLAN ID is the same on all WLCs and that all ISE PSN are being used for authentication.

 

 

Administration → Identity Management → External Identity Sources → Active Directory

 

Create a service account in AD and use it to create a connection to your AD Domain

 

Administration → Network Resources → External RADIUS sources

 

Configure each of NRPS servers which will be used for authenticating users from external realms.

 

 

Administration → Network Resources → Network Device Groups

 

Create a new group 'NRPS'.

Create a new group 'Wireless'

 

Administration → Network Resources → Network Device List

 

Ensure your WLCs are part of the group Wireless, and the NRPS servers are part of the NRPS group.

 

 

Administration → Network Resources → Network Device List → RADIUS Server Sequences

 

Create an object which lists the access order of the external RADIUS servers.

 

 

Policy → Policy Elements → Conditions → Authentication → Compound Conditions

 

Create a new condition, eg: 'user_not_from_around_here', this will be used to identify RADIUS requests that need to be handed off the the NRPS servers. In the event of receiving just a username we want to be able to handle that. We will make the assumption that such a user belongs to our own AD. As such we need to ensure that a 'foreign' username does not contain our realm but does contain an '@' symbol which we will infer means an alternative domain is provided.

Configure the following elements:

 

Radius: User-Name NOT ENDS WITH @<your_domain> AND
Radius: User-Name CONTAINS @ AND
Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11

 

Create another condition 'eduroam-NRPS' similar to the above, but without the User-Name element. Since this condition will be used to identify eduroam traffic that must be sent to Janet we will include a check for the WLAN-ID:

 

Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 25

 

 

 

Policy → Policy Elements → Conditions → Authorization → Compound Conditions

 

Identify Authorization requests coming from the eduroam SSID and check the user names against AD. Name it 'eduroam-local':

 

Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 25
AD1:ExternalGroups EQUALS <your_domain>/Users/Domain Users

 

 

 

Policy

 

Policy

 

Turn on 'Policy Sets'. Create a new Policy Set 'Wireless'

 

 

Policy → Policy Sets → 'Wireless'

 

Set the Policy Set filer as:

DEVICE:Device Type EQUALS Device Type#All Device Types#Wireless OR
DEVICE:Device Type EQUALS Device Type#All Device Types#NRPS

 

 

Policy → Policy Sets → 'Wireless' → Authentication Policy

 

Create three rules to handle the different authentication directions: inbound, local and outbound.

 

 

Name

If

Allow Protocols

Default

eduroam-NRPS-outbound

user_not_from_around_here

Use Proxy Service: JanetRADIUS

eduroam-NRPS-inbound

DEVICE:Device Type EQUALS Device Type#All Device Types#NRPS

PEAP-Auth

AD1

eduroam-local

DEVICE:Device Type EQUALS Device Type#All Device Types#Wireless

PEAP-Auth

AD1

 

 

 

Policy → Policy Sets → 'Wireless' → Authorization Policy

 

Rule Name

Conditions

Permissions

eduroam-nrps-inbound

eduroam-NRPS

PermitAccess

eduroam-local

eduroam-local

PermitAccess

 

 

 

 

[eof]

Comments
yahya.jaber
Beginner

Hi Seb,

I am trying to do this on ISE 2.0

THere is no policy sets!

Seb Rupik
VIP Advisor

Hi Yahya,

You probably need to enable them:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_00.html#ID80

cheers,

Seb.

yahya.jaber
Beginner

Thanks Seb,

Can I do it without policy set? Like authentication rule? If I understood it correctly, I need to redirect the authentication Requests to the proxy of the user is not from my domain, and the proxy will reply the access accept?

Thanks again.

Seb Rupik
VIP Advisor

You can achieve the same result without enabling and using Policy Sets.

Yes you are correct, if the user is not from local home domain the request must be sent to the Eduroam relay which will forward the request to the correct home domain for the user.

yahya.jaber
Beginner

Thanks again.

So I will create ONLY an authentication rule that matches outside user "same as u have in the doc" ?

Appreciated.

Seb Rupik
VIP Advisor

hmmm typicaly for you to enlist in the Eduroam service you will need to have a home domain of your own. If this is approved, then the regional Eduroam proxy (NRPS) will allow you to peer with them.

It sounds like you just want to offer an Eduroam SSID while not having a home domain of your own. Certainly in the UK, this is not an option and you would not be allowed to peer with the JISC NRPS serers.

yahya.jaber
Beginner

Hi Seb,

We have our own domain, and we are approved by eduroam, I actually have eduroam in my campus.

The thing is I am moving from ACS5 to ISE.. And when testing I had some issues, so I just want to confirm if am on the right track or not.

Let me do further testing.

Thanks

yahya.jaber
Beginner

Hi Seb,

i got to the bottom of this.

the RADIUS proxy did not have the ISE as an AAA client.

its working fine now.

thanks.

sf7844784
Community Member

Hello, this is very useful, thanks. If I have multiple nodes (4) then how would I go about this as I can only use the roaming.ja.net IP addresses once as a network device so when I come to add my second node I can't add 194.82.174.185 as the roaming address as it has already been used.

yahya.jaber
Beginner

Can you please explain more?

those 4 devices are your AAA servers? how are they deployed?

if you have distributed deployment, you can add the eduroam proxy server only once, and it will be replicated on other nodes.

sf7844784
Community Member

Yes each node is a AAA server. My ISE deployment is:

1 x Primary Admin and Secondary Monitoring

1 x Secondary Admin and Primary Monitoring

4 x PSN (AAA)

I've registered each PSN on the eduroam support page with a different NAT'd address. Each node has a different radius key for roaming0, roaming1, etc.

I was hoping to add all 4 PSNs as AAA servers on my WLCs but when it comes to adding them to ISE it will only let me add the one as I cannot reuse the roaming IP addresses.

 

Thanks

yahya.jaber
Beginner

yeah, you wont be able to add the eduroam individually to each PSN, since there is one point of configuration PAN.

i have similar setup but with 2 monitoring nodes as individual servers, and i didn't NAT any PSN, i have Linux server working as a RADIUS proxy which is the only one NAT'd.

sf7844784
Community Member

OK thanks for the advice. I'll either have to go for no redundancy or use the same public IP address for all 4 nodes. I'll probably go for the latter.

Thanks again.

Craig Le-Butt
Beginner

Hi

We have a distributed deployment 6 PSN 2 PAN on ISE 2.0.

The organisation I work for currently broadcast several WLAN for different agencis in a multi tendented buildings around the county.

I'm trying to propose a Eduroam style setup for all the agencis who part of a wireless federation so each agency only broadcast 1wlan instead 1 for each group.

Does the above setup require all agencis to have ISE?

Cheers

Craig

yahya.jaber
Beginner

so you want to have 1 SSID everywhere?

can you explain more about the wireless setup?