
Cisco ISE 1.4 – Configuring Eduroam

This document details the steps for using ISE to authenticate Eduroam users. Janet is the UK provider of Eduroam; replace this with your own national provider where it appears below.

Three rules cover the authentication scenarios which will be encountered:

  • Rule 1: User is not a member of the institution
  • Rule 2: User is a member of the home institution but is located at another institution. Authentication will be sourced from the Janet NRPS.
  • Rule 3: User is a member of the home institution and the request will be sourced locally

Regarding authorization, we are simply aiming for PermitAccess, but will break the AuthZ rules down to give granularity to the reporting.

Prerequisites

On all WLCs configured to offer the SSID ‘eduroam’ to AP Groups, make sure that the WLAN ID is the same on all WLCs and that all ISE PSNs are being used for authentication.

Administration → Identity Management → External Identity Sources → Active Directory

Create a service account in AD and use it to create a connection to your AD Domain

Administration → Network Resources → External RADIUS sources

Configure each of the NRPS servers which will be used for authenticating users from external realms.

Administration → Network Resources → Network Device Groups

Create a new group ‘NRPS’.
Create a new group ‘Wireless’.

Administration → Network Resources → Network Device List

Ensure your WLCs are part of the group Wireless, and the NRPS servers are part of the NRPS group.

Administration → Network Resources → Network Device List → RADIUS Server Sequences

Create an object which lists the access order of the external RADIUS servers.

Policy → Policy Elements → Conditions → Authentication → Compound Conditions

Create a new condition, e.g. ‘user_not_from_around_here’; this will be used to identify RADIUS requests that need to be handed off to the NRPS servers. We also want to handle the case of receiving just a bare username, so we make the assumption that such a user belongs to our own AD. A ‘foreign’ username is therefore one that contains an ‘@’ symbol (which we infer means a realm was provided) but does not end with our own realm.
Configure the following elements:


Radius: User-Name NOT ENDS WITH @ AND
Radius: User-Name CONTAINS @ AND
Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11

Create another condition ‘eduroam-NRPS’ similar to the above, but without the User-Name element. Since this condition will be used to identify eduroam traffic that must be sent to Janet we will include a check for the WLAN-ID:


Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 25

Policy → Policy Elements → Conditions → Authorization → Compound Conditions

Identify Authorization requests coming from the eduroam SSID and check the user names against AD. Name it ‘eduroam-local’:


Radius: Service-Type EQUALS Framed AND
Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 AND
Airespace: Airespace-Wlan EQUALS 25 AND
AD1:ExternalGroups EQUALS /Users/Domain Users

Policy

Turn on ‘Policy Sets’. Create a new Policy Set ‘Wireless’.

Policy → Policy Sets → ‘Wireless’

Set the Policy Set filter as:

DEVICE:Device Type EQUALS Device Type#All Device Types#Wireless OR
DEVICE:Device Type EQUALS Device Type#All Device Types#NRPS

Policy → Policy Sets → ‘Wireless’ → Authentication Policy

Create three rules to handle the different authentication directions: inbound, local and outbound.

  • Name: eduroam-NRPS-outbound
      If: user_not_from_around_here
      Allow Protocols: Use Proxy Service: JanetRADIUS
  • Name: eduroam-NRPS-inbound
      If: DEVICE:Device Type EQUALS Device Type#All Device Types#NRPS
      Allow Protocols: PEAP-Auth
      Default (identity source): AD1
  • Name: eduroam-local
      If: DEVICE:Device Type EQUALS Device Type#All Device Types#Wireless
      Allow Protocols: PEAP-Auth
      Default (identity source): AD1

Policy → Policy Sets → ‘Wireless’ → Authorization Policy

  • Rule Name: eduroam-nrps-inbound
      Conditions: eduroam-NRPS
      Permissions: PermitAccess
  • Rule Name: eduroam-local
      Conditions: eduroam-local
      Permissions: PermitAccess
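The compound conditions and the policy-set rules above are easy to misread once they are spread across several ISE screens, so here is an added plain-Python restatement of the same decisions (example code written for this page, not ISE code and not part of the original post). It models the policy set filter, the three authentication rules in the order listed, and the two authorization rules, so the outcome for a given RADIUS request can be checked offline before it is tested against real clients. LOCAL_REALM is a constructed placeholder because the page shows the realm elided in ‘User-Name NOT ENDS WITH @…’; the attribute strings and the sample requests are likewise constructed for the example.

```python
"""Offline model of the eduroam policy described on this page (added example).

Not Cisco ISE code: a plain-Python restatement of the compound conditions and
policy-set rules so a given RADIUS request can be walked through the decisions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "example.ac.uk"             # placeholder: your own eduroam realm
EDUROAM_WLAN_ID = 25                      # Airespace-Wlan value used on the page
LOCAL_AD_GROUP = "/Users/Domain Users"    # AD1:ExternalGroups value from the page
WIRELESS_80211 = "Wireless - IEEE 802.11"  # RADIUS NAS-Port-Type, as a string here


@dataclass
class RadiusRequest:
    """The attributes the page's conditions inspect, collected in one record."""
    user_name: str
    device_type: str                        # ISE device group: "Wireless" or "NRPS"
    service_type: str = "Framed"            # RADIUS Service-Type
    nas_port_type: str = WIRELESS_80211     # RADIUS NAS-Port-Type
    wlan_id: Optional[int] = None           # Airespace-Wlan, only if the NAS sent it
    ad_groups: Tuple[str, ...] = ()         # AD1:ExternalGroups after the AD lookup


def is_wireless_framed(req: RadiusRequest) -> bool:
    """Service-Type EQUALS Framed AND NAS-Port-Type EQUALS Wireless - IEEE 802.11."""
    return req.service_type == "Framed" and req.nas_port_type == WIRELESS_80211


def user_not_from_around_here(req: RadiusRequest) -> bool:
    """Compound condition 'user_not_from_around_here'.

    A bare username (no '@') is assumed to be one of ours. A username whose realm
    is not LOCAL_REALM belongs to another institution and must go to the NRPS.
    The realm comparison is lower-cased here; confirm how your ISE release
    compares strings before relying on that.
    """
    name = req.user_name.lower()
    return ("@" in name
            and not name.endswith("@" + LOCAL_REALM)
            and is_wireless_framed(req))


def eduroam_nrps(req: RadiusRequest) -> bool:
    """Compound condition 'eduroam-NRPS': eduroam SSID traffic keyed on the WLAN ID."""
    return is_wireless_framed(req) and req.wlan_id == EDUROAM_WLAN_ID


def eduroam_local(req: RadiusRequest) -> bool:
    """Authorization condition 'eduroam-local': eduroam-NRPS plus AD group membership."""
    return eduroam_nrps(req) and LOCAL_AD_GROUP in req.ad_groups


def in_wireless_policy_set(req: RadiusRequest) -> bool:
    """Policy Set filter: Device Type is Wireless OR NRPS."""
    return req.device_type in ("Wireless", "NRPS")


def authentication_rule(req: RadiusRequest) -> Tuple[str, str]:
    """First matching Authentication Policy rule, top to bottom.

    Returns (rule name, what ISE does with the request).
    """
    if not in_wireless_policy_set(req):
        return ("none", "not in Wireless policy set")
    if user_not_from_around_here(req):
        return ("eduroam-NRPS-outbound", "proxy to JanetRADIUS")
    if req.device_type == "NRPS":
        return ("eduroam-NRPS-inbound", "PEAP-Auth against AD1")
    return ("eduroam-local", "PEAP-Auth against AD1")   # device_type == "Wireless"


def authorization_rule(req: RadiusRequest) -> Tuple[str, str]:
    """First matching Authorization Policy rule for a locally authenticated request.

    Proxied (outbound) requests never get here: the NRPS answer is relayed as-is.
    """
    if eduroam_nrps(req):
        return ("eduroam-nrps-inbound", "PermitAccess")
    if eduroam_local(req):
        return ("eduroam-local", "PermitAccess")
    return ("Default", "policy-set default rule")   # whatever your default rule grants


if __name__ == "__main__":
    # Constructed sample requests, one per direction plus two edge cases.
    samples = [
        RadiusRequest("alice", "Wireless", wlan_id=25, ad_groups=(LOCAL_AD_GROUP,)),
        RadiusRequest("carol@other.edu", "Wireless", wlan_id=25),
        RadiusRequest("dave@example.ac.uk", "NRPS"),
        RadiusRequest("carol@other.edu", "Wireless", nas_port_type="Ethernet"),
    ]
    for s in samples:
        print(s.user_name, s.device_type, authentication_rule(s), authorization_rule(s))
```

Two things the model makes visible. First, ‘user_not_from_around_here’ only fires for Framed, 802.11 requests, so a foreign realm arriving over any other port type falls through to the local rule; that is by design on the page, but worth knowing when reading failed-authentication reports. Second, both authorization conditions key on Airespace-Wlan 25, and eduroam-local is eduroam-NRPS plus the AD group check, so with the rules in the order listed the eduroam-nrps-inbound row matches first for any request that carries that attribute, and a request whose NAS does not send it lands on the default rule. Check in the ISE Live Logs which rule your locally authenticated and NRPS-sourced sessions actually report under.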