cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31900
Views
19
Helpful
22
Comments
Charlie Moreton
Cisco Employee
Cisco Employee

 

 

Purpose

This document details the steps for using ISE to authenticate eduroam users.

 

Three rules cover the authentication scenarios which will be encountered:

Rule 1: User is not a member of the home institution.  Authentication will be proxied to eduroam RADIUS Servers.

Rule 2: User is a member of the home institution but is located at another institution. Authentication will be sourced from the eduroam RADIUS Servers.

Rule 3: User is a member of the home institution and the request will be sourced locally.

 

Regarding authorization, we are simply aiming for PermitAccess, but will break the Authorization rules down to give granularity to the reporting.

 

 

Prerequisites

 

eduroam

Register the IP Addresses of your Policy Service Nodes as AAA Servers with eduroam.

 

Wireless LAN Controller

On all Wireless LAN Controllers (WLC) configured to offer the SSID 'eduroam' to AP Groups, make sure that WLAN ID is the same on all WLCs and that all ISE Policy Service Nodes (PSN) are being used for authentication.

 

Policy Sets

This guide shows the configuration of eduroam with the use of Policy Sets.  If you are currently not using them, the configuration can be done without the use of Policy Sets.  If you would like to enable Policy Sets, navigate to Administration > System > Settings > Policy Sets. Select Enabled and Save.

eduroam1.png

 

You will be logged out of ISE. Once you log back in, you will notice the Policy menu is different.  There is an option for Policy Sets while the Authentication and Authorization entries are no longer there.  Any policies you had already created are in the Default Policy Set.

eduroam2.png

 

Active Directory

ISE needs to be joined to your Active Directory Domain to authenticate local users.  Of course you can use any of the Identity Sources supported by ISE, but for this document we will focus on Active Directory (AD). 

If you have not already joined ISE to you Active Directory Domain, do so now by navigating to Administration > Identity Management > External Identity Sources > Active Directory.

Create a service account in AD and use it to create a connection to your AD Domain.

eduroam3.png

eduroam Configuration

 

Add eduroam RADIUS servers

 

Eduroam External User Server Setup

In this step, we will configure the external eduraom RADIUS Servers to which ISE will authenticate users that are visiting the Home Institution.  First, navigate to Administration > Network Resources > External RADIUS sources.

 

Configure each of the eduroam RADIUS Servers which will be used for authenticating users from external realms. The specific IP Address and Shared Secret will be provided to you by eduroam.  You can name these entries however you would like.

eduroam4.png


Then, navigate to Administration > Network Resources > Network Device List > RADIUS Server Sequences.

 

This is where you create a sequence which lists the access order of the external eduroam RADIUS servers.

eduroam5.png

 

Eduroam Internal User Server Setup

Now we will configure the access for internal users that are visiting a different eduroam member Institution. Navigate to Administration > Network Resources > Network Device Groups.

 

Under All Device Types, create a group for the eduroam RADIUS Servers and for your Wireless Controllers. In the figure below they are named 'eduroam' and 'WLC' accordingly.

eduroam6.png


Now that the groups are created, go to
Administration > Network Resources > Network Devices to add the eduroam RADIUS Servers and Wireless Controllers to ISE.

eduroam7.png

Remember to ensure your WLCs are part of the group WLC, and the eduroam RADIUS Servers servers are part of the Eduroam group.  This is done in the Network Device Group section.

 

Create the eduroam Policy Conditions

 

Authentication Conditions

This step will create the conditions used to authenticate through the eduroam system while keeping your Authentication Policy clean.  Navigate to Policy > Policy Elements > Conditions > Authentication > Compound Conditions.

 

Create a new condition, eg: 'Eduroam_User_External', this will be used to identify RADIUS requests that need to be handed off to the eduroam RADIUS Servers. In the event of receiving just a username we want to be able to handle that. We will make the assumption that such a user belongs to our own AD. As such we need to ensure that a 'foreign' username does not contain our realm but does contain the '@' symbol which we will infer means an alternative domain is provided.

 

Configure the following attributes:

 

Radius: User-Name NOT ENDS WITH @<your_domain> AND

Radius: User-Name CONTAINS @ AND

Radius: Service-Type EQUALS Framed AND

Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11

eduroam8.png

Create another condition 'Eduroam_User_Traveling' similar to the condition created above, but without the User-Name element. Since this condition will be used to identify eduroam traffic that must be sent to the eduroam RADIUS Servers, we will include a check for the WLAN-ID (this document uses WLAN ID of 6, please ensure you are using the WLAN ID that corresponds to your eduroam SSID):

Radius: Service-Type EQUALS Framed AND

Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND

Airespace: Airespace-Wlan EQUALS 6

eduroam9.png

Authorization Condition

This step will create the conditions used to authorize local users at their Home Institution through the eduroam system while keeping your Authorization Policy clean.  Navigate to Policy > Policy Elements > Conditions > Authorization > Compound Conditions

 

Identify Authorization requests coming from the eduroam SSID and check the user names against AD. Name it 'Eduroam_User_Local':

 

Radius: Service-Type EQUALS Framed AND

Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND

Airespace: Airespace-Wlan EQUALS 6

AD1:ExternalGroups EQUALS <your_domain>/Users/Domain Users

eduroam10.png

 

Create the eduroam Policy Set

 

Navigate to Policy > Policy Sets and create a new Policy Set named 'Eduroam Wireless'

 

Set the Policy Set filter as:

Airespace:Airespace-Wlan-Id EQUALS 6 OR

Radius:Called-Station-ID ENDS WITH eduroam OR

DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam

eduroam11.png

 

Authentication Policy

 

Create three rules to handle the different authentication directions: inbound, outbound, and local.

         

Name

If

Allow   Protocols

Default

Eduroam External User

Eduroam_User_External

Use Proxy Service: Eduroam

Eduroam Traveling User

DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam

PEAP-Auth

AD1

Eduroam Local User

Airespace:Airespace-Wlan_Id EQUALS 6 OR Radius:Called-Station-ID ENDS WITH eduroam

PEAP-Auth

AD1

 

eduroam12.png

Authorization Policy

Create two rules to handle the different authorization methods: external and local.

 

Rule Name

Conditions

Permissions

Eduroam   External

DEVICE:Device   Type EQUALS All Device Types#Eduroam

GUEST-ACCESS

Eduroam Local

Eduroam_User_Local

GUEST-ACCESS

 

eduroam13.png

 

 

References

 

Comments
tdhb..hiq
Level 1
Level 1

Did anybody find a solution to the  abandoned EAP session logs? I also have this problem.

Happening down under in NZ.

raj-toor
Level 1
Level 1

We currently use ISE for certificate based access to wireless SSID and EAP uses internal CA cert for that.

We also have setup Eduroam and allowed protocol uses PEAP>ms-chapv2.

On connection certificate that gets presented to the device is of internal CA. How can I change it to a Pubic CA.

If that is possible at all what would be the import type for cert as only one EAP certificate can be there on ISE.

yahya.jaber
Level 1
Level 1

Hi Raj,

 

You cannot use two EAP certificates on the same node.

Have another node for eduroam auth. with public certificate.

Jason Weids
Level 1
Level 1

@Charlie Moreton 

 

Is it possible to do machine authentication on eduroam as well? 

The situation we have is a number of domain bound student laptops are deployed in open areas as lab machines on occasion. Only wireless is available in these areas. A user can is not able to login with their domain credentials until the laptop is on the network however, you need to login before you can connect to the wireless.

 

Would it be possible to authenticate the machine first so the user can login, at which point, the user is then authenticated? & can this be acheived on eduroam or would we need to create another SSID (which we want to avoid if possible).

sd_rasmussen
Level 1
Level 1

Charlie, this is a great, well constructed guide.  However, we are running ISE 2.4, not 2.1, and as I am sure you are aware, there are some significant differences.  I do not really know how to convert some of what you are saying into the 2.4 configuration. Is there a guide for Eduroam sites running ISE 2.4?  Thanks.

craiglebutt
Level 4
Level 4

I support a customer who has multi tenanted buildings.

We advertise 4 other organisations WLANs and visa versa around the county.

As all the organisations advertise to many SSID, this would be a ideal solution to this, to cut down the amount  SSIDs.

Tunnels are already in place for anchor/foreign WLC, with win 10 and AOVPN this would improve security.

 

Has anyone done this, following the Eduroam style of network?

 

I know a NHS in Wales has done something but can't find the whitepaper on this.

powelca
Level 1
Level 1

Shouldn't the "Eduroam_User_Local" authorization condition still require @<your_domain.edu>? Without it, you're allowing your local users to authenticate without a realm. That works great for those that remain local, but it would break the ability to seamlessly roam to another institution which is sort of a core tenet. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: