01-25-2017 01:05 PM - edited 07-27-2018 05:05 AM
This document details the steps for using ISE to authenticate eduroam users.
Three rules cover the authentication scenarios which will be encountered:
Rule 1: User is not a member of the home institution. Authentication will be proxied to eduroam RADIUS Servers.
Rule 2: User is a member of the home institution but is located at another institution. Authentication will be sourced from the eduroam RADIUS Servers.
Rule 3: User is a member of the home institution and the request will be sourced locally.
Regarding authorization, we are simply aiming for PermitAccess, but will break the Authorization rules down to give granularity to the reporting.
Register the IP Addresses of your Policy Service Nodes as AAA Servers with eduroam.
On all Wireless LAN Controllers (WLCs) that offer the SSID 'eduroam' to AP Groups, make sure the WLAN ID is the same on every WLC and that all ISE Policy Service Nodes (PSNs) are configured as authentication servers for that WLAN.
This guide shows the configuration of eduroam with the use of Policy Sets. If you are currently not using them, the configuration can be done without the use of Policy Sets. If you would like to enable Policy Sets, navigate to Administration > System > Settings > Policy Sets. Select Enabled and Save.
You will be logged out of ISE. Once you log back in, you will notice the Policy menu is different. There is an option for Policy Sets while the Authentication and Authorization entries are no longer there. Any policies you had already created are in the Default Policy Set.
ISE needs to be joined to your Active Directory Domain to authenticate local users. Of course you can use any of the Identity Sources supported by ISE, but for this document we will focus on Active Directory (AD).
If you have not already joined ISE to your Active Directory Domain, do so now by navigating to Administration > Identity Management > External Identity Sources > Active Directory.
Create a service account in AD and use it to create a connection to your AD Domain.
In this step, we will configure the external eduroam RADIUS Servers to which ISE will proxy authentication for users visiting the Home Institution. First, navigate to Administration > Network Resources > External RADIUS Servers.
Configure each of the eduroam RADIUS Servers that will be used for authenticating users from external realms. The IP Address and Shared Secret of each server will be provided to you by eduroam. You can name these entries however you like.
Then, navigate to Administration > Network Resources > RADIUS Server Sequences.
This is where you create a sequence listing the external eduroam RADIUS servers in the order ISE should try them. This document names the sequence 'Eduroam', which is the name the proxy rule in the Policy Set refers to.
Now we will configure the network device groups that let ISE tell requests arriving from the eduroam RADIUS Servers (your own users visiting a different eduroam member institution) apart from requests arriving from your own Wireless Controllers. Navigate to Administration > Network Resources > Network Device Groups.
Under All Device Types, create a group for the eduroam RADIUS Servers and one for your Wireless Controllers. In this document they are named 'Eduroam' and 'WLC' respectively.
Now that the groups are created, go to Administration > Network Resources > Network Devices to add the eduroam RADIUS Servers and Wireless Controllers to ISE. Each eduroam RADIUS Server has to be added as a Network Device with its shared secret because it acts as a RADIUS client towards ISE when it forwards your traveling users' requests.
Make sure your WLCs are members of the WLC group and the eduroam RADIUS Servers are members of the Eduroam group. This is set in the Network Device Group section of each device entry.
This step will create the conditions used to authenticate through the eduroam system while keeping your Authentication Policy clean. Navigate to Policy > Policy Elements > Conditions > Authentication > Compound Conditions.
Create a new condition, e.g. 'Eduroam_User_External'. It identifies RADIUS requests that need to be handed off to the eduroam RADIUS Servers. A request may arrive with just a username and no realm; we assume such a user belongs to our own AD. A 'foreign' user is therefore one whose User-Name contains the '@' symbol (which we take to mean a realm was supplied) but does not end with our own realm.
Configure the following attributes:
Radius:User-Name NOT ENDS WITH @<your_domain> AND
Radius:User-Name CONTAINS @ AND
Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11
Create another condition, 'Eduroam_User_Traveling', like the one above but without the User-Name elements and with a check on the WLAN ID of your eduroam SSID (this document uses WLAN ID 6; use the WLAN ID that corresponds to your eduroam SSID). Note that requests proxied in from eduroam for your own traveling users come from another institution's NAS and will not carry your WLAN ID, which is why the 'Eduroam Traveling User' rule in the Policy Set below matches on the Device Type of the eduroam RADIUS Servers rather than on this condition:
Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND
Airespace:Airespace-Wlan-Id EQUALS 6
This step creates the condition used to authorize local users at their Home Institution on the eduroam SSID while keeping your Authorization Policy clean. Navigate to Policy > Policy Elements > Conditions > Authorization > Compound Conditions.
Create a condition that identifies authorization requests coming from the eduroam SSID and checks that the user is a member of your AD domain. Name it 'Eduroam_User_Local':
Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND
Airespace:Airespace-Wlan-Id EQUALS 6 AND
AD1:ExternalGroups EQUALS <your_domain>/Users/Domain Users
Navigate to Policy > Policy Sets and create a new Policy Set named 'Eduroam Wireless'
Set the Policy Set filter as:
Airespace:Airespace-Wlan-Id EQUALS 6 OR
Radius:Called-Station-ID ENDS WITH eduroam OR
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam
Create three rules to handle the three authentication directions: outbound (visitors proxied to eduroam), inbound (your own users proxied in from eduroam), and local. Rules are evaluated top down, so keep them in this order.

Name | If | Allow Protocols | Default
---|---|---|---
Eduroam External User | Eduroam_User_External | Use Proxy Service: Eduroam | (none: the eduroam server's answer is returned)
Eduroam Traveling User | DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam | PEAP-Auth | AD1
Eduroam Local User | Airespace:Airespace-Wlan-Id EQUALS 6 OR Radius:Called-Station-ID ENDS WITH eduroam | PEAP-Auth | AD1
Create two rules to handle the two authorization cases: external (your own users authenticated via the eduroam RADIUS Servers) and local.

Rule Name | Conditions | Permissions
---|---|---
Eduroam External | DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam | GUEST-ACCESS
Eduroam Local | Eduroam_User_Local | GUEST-ACCESS
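The policy-set filter, the compound conditions and the two rule tables above can be checked as plain logic before they are committed in ISE. The following is an added example written for this page, not ISE code and not part of the original guide: a Python model of the 'Eduroam Wireless' policy-set filter, the three authentication rules in the guide's order, and the two authorization rules, run against constructed sample requests. It assumes 'example.edu' as a placeholder for <your_domain>, WLAN ID 6 as in the guide, a device type named 'WLC' for the controllers, and a case-insensitive realm comparison; attribute names and the AD group path follow the guide.

```python
"""Model of the guide's eduroam policy set (added example, not ISE code)."""
from __future__ import annotations

HOME_REALM = "example.edu"                 # assumption: placeholder for <your_domain>
EDUROAM_WLAN_ID = 6                        # the guide's WLAN ID; use your own
EDUROAM_DEVICE_TYPE = "Device Type#All Device Types#Eduroam"
WLC_DEVICE_TYPE = "Device Type#All Device Types#WLC"   # assumption: the 'WLC' group
WIRELESS_80211 = "Wireless - IEEE 802.11"
LOCAL_AD_GROUP = f"{HOME_REALM}/Users/Domain Users"    # AD1:ExternalGroups value


def _realm(user_name: str) -> str | None:
    """Realm after the last '@', lower-cased, or None for a bare username."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()


def is_wireless_framed(req: dict) -> bool:
    """Service-Type EQUALS Framed AND NAS-Port-Type EQUALS Wireless - IEEE 802.11."""
    return (req.get("Service-Type") == "Framed"
            and req.get("NAS-Port-Type") == WIRELESS_80211)


def on_eduroam_ssid(req: dict) -> bool:
    """Airespace-Wlan-Id EQUALS 6 OR Called-Station-ID ENDS WITH eduroam."""
    return (req.get("Airespace-Wlan-Id") == EDUROAM_WLAN_ID
            or req.get("Called-Station-Id", "").lower().endswith("eduroam"))


def from_eduroam_proxy(req: dict) -> bool:
    """DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam."""
    return req.get("Device Type") == EDUROAM_DEVICE_TYPE


def in_policy_set(req: dict) -> bool:
    """The 'Eduroam Wireless' policy-set filter."""
    return on_eduroam_ssid(req) or from_eduroam_proxy(req)


def is_external_user(req: dict) -> bool:
    """Eduroam_User_External: a realm is present and it is not the home realm.

    A bare username (no '@') is assumed to be a home user, as in the guide.
    The realm comparison is case-insensitive here (assumption: verify how
    your ISE version evaluates ENDS WITH for mixed-case realms).
    """
    realm = _realm(req.get("User-Name", ""))
    return (realm is not None and realm != HOME_REALM.lower()
            and is_wireless_framed(req))


def authentication_rule(req: dict) -> tuple[str, str]:
    """First matching authentication rule, in the guide's order: (rule, action)."""
    if not in_policy_set(req):
        return ("Default Policy Set", "not evaluated here")
    if is_external_user(req):
        return ("Eduroam External User", "proxy via RADIUS server sequence Eduroam")
    if from_eduroam_proxy(req):
        return ("Eduroam Traveling User", "PEAP-Auth against AD1")
    if on_eduroam_ssid(req):
        return ("Eduroam Local User", "PEAP-Auth against AD1")
    return ("(no match)", "reject")


def authorization_rule(req: dict, ad_groups: set[str]) -> tuple[str, str]:
    """Authorization for requests ISE authenticated itself (proxied visitors
    carry the eduroam server's verdict and do not reach this policy)."""
    if from_eduroam_proxy(req):
        return ("Eduroam External", "GUEST-ACCESS")
    if (is_wireless_framed(req) and req.get("Airespace-Wlan-Id") == EDUROAM_WLAN_ID
            and LOCAL_AD_GROUP in ad_groups):        # Eduroam_User_Local
        return ("Eduroam Local", "GUEST-ACCESS")
    return ("(no match)", "DenyAccess")


# Constructed sample requests (not captured RADIUS traffic).
VISITOR = {"User-Name": "bob@other.ac.uk", "Service-Type": "Framed",
           "NAS-Port-Type": WIRELESS_80211, "Airespace-Wlan-Id": 6,
           "Called-Station-Id": "00-11-22-33-44-55:eduroam",
           "Device Type": WLC_DEVICE_TYPE}
TRAVELER = {"User-Name": "alice@example.edu", "Service-Type": "Framed",
            "NAS-Port-Type": WIRELESS_80211,            # no Airespace-Wlan-Id: foreign NAS
            "Called-Station-Id": "aa-bb-cc-dd-ee-ff:eduroam",
            "Device Type": EDUROAM_DEVICE_TYPE}
LOCAL = {**VISITOR, "User-Name": "carol@example.edu"}
BARE = {**VISITOR, "User-Name": "dave"}                 # no realm: treated as home user
CORP = {**VISITOR, "User-Name": "eve@other.ac.uk", "Airespace-Wlan-Id": 1,
        "Called-Station-Id": "00-11-22-33-44-55:corp"}  # not the eduroam SSID

if __name__ == "__main__":
    for name, req in [("visitor", VISITOR), ("traveler", TRAVELER),
                      ("local", LOCAL), ("bare", BARE), ("corp", CORP)]:
        print(f"{name:8} -> {authentication_rule(req)}")
```

One consequence the model makes visible: because 'Eduroam External User' sits above 'Eduroam Traveling User', a request that arrived from an eduroam server carrying a non-home realm would be proxied straight back out. eduroam routes by realm, so such a request should not normally reach you, but it is worth confirming the behaviour with a test account when you verify the rule order.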
Did anybody find a solution to the abandoned EAP session logs? I also have this problem.
Happening down under in NZ.
We currently use ISE for certificate-based access to a wireless SSID, and EAP uses an internal CA certificate for that.
We have also set up eduroam, and the allowed protocol uses PEAP > MS-CHAPv2.
On connection, the certificate presented to the device is from the internal CA. How can I change it to a public CA?
If that is possible at all, what would be the import type for the certificate, as there can only be one EAP certificate on ISE?
Hi Raj,
You cannot use two EAP certificates on the same node.
Have another node for eduroam auth with a public certificate.
Is it possible to do machine authentication on eduroam as well?
The situation we have is that a number of domain-bound student laptops are occasionally deployed in open areas as lab machines. Only wireless is available in these areas. A user is not able to log in with their domain credentials until the laptop is on the network; however, you need to log in before you can connect to the wireless.
Would it be possible to authenticate the machine first so the user can log in, at which point the user is then authenticated? And can this be achieved on eduroam, or would we need to create another SSID (which we want to avoid if possible)?
Charlie, this is a great, well constructed guide. However, we are running ISE 2.4, not 2.1, and as I am sure you are aware, there are some significant differences. I do not really know how to convert some of what you are saying into the 2.4 configuration. Is there a guide for Eduroam sites running ISE 2.4? Thanks.
I support a customer who has multi-tenanted buildings.
We advertise 4 other organisations' WLANs, and vice versa, around the county.
As all the organisations advertise so many SSIDs, this would be an ideal solution to cut down the number of SSIDs.
Tunnels are already in place for anchor/foreign WLCs; with Windows 10 and AOVPN this would improve security.
Has anyone done this, following the eduroam style of network?
I know an NHS in Wales has done something but can't find the whitepaper on this.
Shouldn't the "Eduroam_User_Local" authorization condition still require @<your_domain.edu>? Without it, you're allowing your local users to authenticate without a realm. That works great for those that remain local, but it would break the ability to seamlessly roam to another institution which is sort of a core tenet.