Configuring ISE to proxy Authentications based on email address
I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
User associates to SSID (eduroamTest)
Prompted for username & password (802.1x)
User puts in username and password in the form firstname.lastname@example.org (UPN)
If the user is part of our local institution they are authenticated using our local radius server (ISE)
If the user is a member of a partner institution the request is proxied to an external radius server (National Gateways).
The National Gateways passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
The institution authenticates the user and passes the request back to the National Gateways
The National Gateways passes this request back to our ISE server and the external user is authenticated
The user can browse the web
What I have done:
Setup the National Gateways as external proxy servers
Created firewall rules to allow the traffic
Configured the proxy sequence with these servers
Created a policy to proxy requests to the proxy sequence
What I need to figure out:
How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
Any help with this configuration would be greatly appreciated as I am new to ISE.
Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;
radius/called-station-id contains "eduroam"
radius/username ends with "rcsi.ie"
Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.
I don't think i have tried that, but as a minimum, you would have to define the other radius server as a network device in your ise, and agree on a radius key. Then you should begin to see the requests coming into your ise.
I have to implement the same solution. I understand we need to configure the authentication policy that would match field like SSID and domain name ( @cisco.com for example and if this condition satisfy then ISE will redirect this traffic to the external proxy server.
I am wondering, if we also need to configure any authorization policy to achieve this ?
Can you please confirm what authorization policy do you have for your setup ?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :