on - edited on by
hslai
- Purpose
- Prerequisites
- eduroam
- Wireless LAN Controller
- Policy Sets
- Active Directory
- eduroam Configuration
- Add eduroam RADIUS servers
- Create the eduroam Policy Conditions
- Create the eduroam Policy Sets
- References
Purpose
This document details the steps for using ISE to authenticate eduroam users.
Three rules cover the authentication scenarios which will be encountered:
Rule 1: User is not a member of the home institution. Authentication will be proxied to eduroam RADIUS Servers.
Rule 2: User is a member of the home institution but is located at another institution. Authentication will be sourced from the eduroam RADIUS Servers.
Rule 3: User is a member of the home institution and the request will be sourced locally.
Regarding authorization, we are simply aiming for PermitAccess, but will break the Authorization rules down to give granularity to the reporting.
Prerequisites
eduroam
Register the IP Addresses of your Policy Service Nodes as AAA Servers with eduroam.
Wireless LAN Controller
On all Wireless LAN Controllers (WLC) configured to offer the SSID 'eduroam' to AP Groups, make sure that WLAN ID is the same on all WLCs and that all ISE Policy Service Nodes (PSN) are being used for authentication.
Policy Sets
This guide shows the configuration of eduroam with the use of Policy Sets. ISE 2.3 uses Policy Sets by default and they cannot be turned off. If you are currently not using them, the configuration can be done without the use of Policy Sets. If you would like to enable Policy Sets, navigate to Administration > System > Settings > Policy Sets. Select Enabled and Save.
You will be logged out of ISE. Once you log back in, you will notice the Policy menu is different. There is an option for Policy Sets while the Authentication and Authorization entries are no longer there. Any policies you had already created are in the Default Policy Set.
Active Directory
ISE needs to be joined to your Active Directory Domain to authenticate local users. Of course you can use any of the Identity Sources supported by ISE, but for this document we will focus on Active Directory (AD).
If you have not already joined ISE to you Active Directory Domain, do so now by navigating to Administration > Identity Management > External Identity Sources > Active Directory.
Create a service account in AD and use it to create a connection to your AD Domain.
eduroam Configuration
Add eduroam RADIUS servers
Eduroam External User Server Setup
In this step, we will configure the external eduraom RADIUS Servers to which ISE will authenticate users that are visiting the Home Institution. First, navigate to Administration > Network Resources > External RADIUS sources.
Configure each of the eduroam RADIUS Servers which will be used for authenticating users from external realms. The specific IP Address and Shared Secret will be provided to you by eduroam. You can name these entries however you would like.
Then, navigate to Administration > Network Resources > Network Device List > RADIUS Server Sequences.
This is where you create a sequence which lists the access order of the external eduroam RADIUS servers.
From here, select the Advanced Attribute Settings tab and enable the
Eduroam Internal User Server Setup
Now we will configure the access for internal users that are visiting a different eduroam member Institution. Navigate to Administration > Network Resources > Network Device Groups.
Under All Device Types, create a group for the eduroam RADIUS Servers and for your Wireless Controllers. In the figure below they are named 'eduroam' and 'WLC' accordingly.
The Network Device Groups page view in ISE 2.2 and below
The Network Device Groups page view in ISE 2.3 and above
Now that the groups are created, go to Administration > Network Resources > Network Devices to add the eduroam RADIUS Servers and Wireless Controllers to ISE.
Remember to ensure your WLCs are part of the group WLC, and the eduroam RADIUS Servers servers are part of the Eduroam group. This is done in the Network Device Group section.
Create the eduroam Policy Conditions
Authentication Conditions
This step will create the conditions used to authenticate through the eduroam system while keeping your Authentication Policy clean. Navigate to Policy > Policy Elements > Conditions > Library Conditions.
Create a new condition, eg: 'Eduroam_User_External', this will be used to identify RADIUS requests that need to be handed off to the eduroam RADIUS Servers. In the event of receiving just a username we want to be able to handle that. We will make the assumption that such a user belongs to our own AD. As such we need to ensure that a 'foreign' username does not contain our realm but does contain the '@' symbol which we will infer means an alternative domain is provided.
Configure the following attributes:
Radius: User-Name NOT ENDS WITH @<your_domain> AND
Radius: User-Name CONTAINS @ AND
Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11
Click Save and save it as Eduroam_User_External.
Create another condition 'Eduroam_User_Traveling' similar to the condition created above, but without the User-Name element. Since this condition will be used to identify eduroam traffic that must be sent to the eduroam RADIUS Servers, we will include a check for the WLAN-ID (this document uses WLAN ID of 6, please ensure you are using the WLAN ID that corresponds to your eduroam SSID):
Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 6
Authorization Condition
This step will create the conditions used to authorize local users at their Home Institution through the eduroam system while keeping your Authorization Policy clean. Stay at Policy > Policy Elements > Conditions > Library Conditions
Identify Authorization requests coming from the eduroam SSID and check the user names against AD. Name it 'Eduroam_User_Local':
Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 6
AD1:ExternalGroups EQUALS <your_domain>/Users/Domain Users
Create the eduroam Policy Sets
ISE introduced a new Policy Engine in version 2.3 and with that came changes to how RADIUS Proxy Sequences are used for authentication. Because of this change in behavior, this guide will break the Policy Sets section into sections detailing the configurations necessary for versions 2.2 and lower as well as 2.3 and above.
ISE Policy Sets in versions 2.2 and below
Navigate to Policy > Policy Sets and create a new Policy Set named 'Eduroam Wireless'
Set the Policy Set filter as:
Airespace:Airespace-Wlan-Id EQUALS 6 OR
Radius:Called-Station-ID ENDS WITH eduroam OR
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam
Authentication Policy
Create three rules to handle the different authentication directions: inbound, outbound, and local.
|
Name |
If |
Allow Protocols |
Default |
|---|---|---|---|
|
Eduroam External User |
Eduroam_User_External |
Use Proxy Service: Eduroam |
|
|
Eduroam Traveling User |
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam |
PEAP-Auth |
AD1 |
|
Eduroam Local User |
Airespace:Airespace-Wlan_Id EQUALS 6 OR Radius:Called-Station-ID ENDS WITH eduroam |
PEAP-Auth |
AD1 |
Authorization Policy
Create two rules to handle the different authorization methods: external and local.
|
Rule Name |
Conditions |
Permissions |
|---|---|---|
|
Eduroam External |
DEVICE:Device Type EQUALS All Device Types#Eduroam |
GUEST-ACCESS |
|
Eduroam Local |
Eduroam_User_Local |
GUEST-ACCESS |
ISE Policy Sets in versions 2.3 and newer
Eduroam External Users
Navigate to Policy > Policy Sets and create a new Policy Set named 'Eduroam External Users'
Set the Policy Set filter as:
Airespace:Airespace-Wlan-Id EQUALS 6 OR
Radius:Called-Station-ID ENDS WITH eduroam OR
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam
The reason we need to create two separate Policy Sets is that in ISE 2.3 and above, the RADIUS Proxy Sequence is selected at the same top level filter as the Allowed Protocols. Since we are choosing the RADIUS Proxy Sequence, we cannot also choose an Allowed Protocol to be used by the same Policy Set.
Authentication Policy
The Eduroam External Users can use the Default Authentication Policy since this will be handled by the Proxy Sequence.
Authorization Policy
Create a rules to handle the external authorization.
|
Rule Name |
Conditions |
Permissions |
|---|---|---|
|
Eduroam External |
DEVICE:Device Type EQUALS All Device Types#Eduroam |
GUEST-ACCESS |
Eduroam Internal Users
Set the Policy Set filter as:
Airespace:Airespace-Wlan-Id EQUALS 6 OR
Radius:Called-Station-ID ENDS WITH eduroam OR
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam
Authentication Policy
Create two rules to handle the different authentication directions: inbound, and local.
|
Name |
If |
Allow Protocols |
Default |
|---|---|---|---|
|
Eduroam Traveling User |
DEVICE:Device Type EQUALS Device Type#All Device Types#Eduroam |
PEAP-Auth |
AD1 |
|
Eduroam Local User |
Airespace:Airespace-Wlan_Id EQUALS 6 OR Radius:Called-Station-ID ENDS WITH eduroam |
PEAP-Auth |
AD1 |
Authorization Policy
Create two rules to handle the different authorization methods: external and local.
|
Rule Name |
Conditions |
Permissions |
|---|---|---|
|
Eduroam External |
DEVICE:Device Type EQUALS All Device Types#Eduroam |
GUEST-ACCESS |
|
Eduroam Local |
Eduroam_User_Local |
GUEST-ACCESS |
References
Hi, nice 
I have a few things to add...
If you use multiple ISE PSNs, the eduroam website will, by default, give you a unique RADIUS Shared Secret for each PSN, which is not supported in ISE. To get round this you need to add all of your PSNs in the eduroam portal, then e-mail them via their website, http://support.eduroam.uk, and ask for them to use the same Shared Secret on all nodes.
When configuring the Proxy RADIUS settings in ISE, you need to include more Realm-Filtering than is shown in the example to remain compliant with eduroam's policies. The list of mandatory username attributes and realms to filter can be found here; https://community.jisc.ac.uk/library/janet-services-documentation/filtering-invalid-realms
You also need to manipulate your outbound requests to include an Operator-Name attribute which matches the realm you have registered with them. ISE doesn't support this RADIUS attribute by default so you have to add it yourself. This is done by updating RADIUS IETF attribute 126 in the ISE's RADIUS dictionary, then referencing the attribute in your ISE's outbound Proxy RADIUS settings so it adds Operator-Name = 'Your Realm' to all of the RADIUS traffic you send outbound to their Proxy RADIUS servers. In current versions of ISE and Firefox, there seems to be a bug with attribute picker so when you go to select your new Operator-Name attribute from the list, it's not there. The workaround is to type 'operator-name' in the text filter at the top, then you'll see it.
Also be aware of the potential for unwanted / unintended RADIUS attributes to break things. Depending on how you've built your policies in ISE, remember that you could be sending all sorts of RADIUS attributes out to other organisations, and likewise other people could be sending unexpected RADIUS attributes to you. These attributes can lead to unwanted consequences because a request could end up hitting the wrong rules in ISE. Be sure to build your ISE policies with this in mind and implement RADIUS attribute filtering to help avoid this.
---
Edited to add - 27/7/18
It's common for ISE's to not be hosted on Public IP addressing. When you register your ISE's with janet (to get the shared secret, etc...) make sure you register the Public IP(s) you are NAT-ing via and not the ISE's 'real' Private Addresses.
You can create Authorization Rules in the eduroam Policy Set that uses the RADIUS Proxy Sequence. Here is how my Policy Set looks:
I'm using Chrome.
You are clicking on the arrow in the far right column to enter the policy set, right?
I know the condition isn't right, but here the policy set with RADIUS proxy sequence chosen. Funny thing is if I hit Save here, right before the 'saving pop-up window' closes and brings me back to this screen, I see the 2 AuthC and 2 AuthZ policy sections in the background for a brief second. Must be browser(s) issue.... 
