Cisco ISE/ACS Configuration for eduroam
Published: 12/09/2016
Updated: 21/12/2023
Configuring Cisco ISE for eduroam
We do not have any Jisc-produced documentation on configuring ISE for eduroam use, but Cisco's own general configuration doc can be used as a starting point and contains eduroam-specific instructions however these contain errors! You MUST read these in conjuntion with our Implementing eduroam roadmap.
ISE 3.1 - 3.2 - we've had reports of problems with the remote RADIUS configuration / RADIUS authenticators on various versions of ISE over time and issues have been reported with version 3.2 too. A known good ISE version is ISE 3.1 patch 8 - as of 21/12/2023 this is the recommended version of ISE to be running. And version ISE 3.2 patch 3 should also be good.
Hint: After applying any ISE update or patch or after editing remote RADIUS server in Network Resources > External RADIUS Servers or a RADIUS server sequence in Network Resources > RADIUS Server Sequences, you MUST check that ISE is still forwarding auth requests for your visitors to the NRPS. The Support Server Troubleshoot > Logs > Radius authog can be useful here - apply the filter Operator:<your realm> and the report will show only authentication requests that are being sent from your ORPS to the NRPS.
ISE 3.0 - 3.1 - version 3.0 was released c. Sept 2021. Nothing very much changed between 2.7 and 3.0 other than the addition of some new features. The GUI screens may have altered, but the above guide can still be used as a starting point. https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672
WARNING(1)! The section beginning - "Create another condition 'Eduroam_User_Traveling' " which is intended to relate to your roaming users, ie authentication requests recieved from the NRPS, includes conditions that MUST NOT be applied, namely Radius:Service-Type = Framed Radius:NAS-Port-Type = Wireless 802.1X (type 19) and Airespace:Airspace-WLAN-ID = 6. These have no place in the roaming user Policy. The condition you should apply is that the RADIUS client belongs to the Eduroam network Device Group (ie the NRPSs).
WARNING(2)! The section beginning "Create a new condition, 'Eduroam_User_External', this will be used to identify RADIUS requests that need to be handed off to the eduroam RADIUS Servers" contains errors. It is not clear why the conditions, Radius: Service-Type EQUALS Framed AND Radius: NAS-Port-Type EQUALS Wireless – IEEE 802.11 are included. Furthermore it is possible that these conditions will result in unwanted attributes being included in the RADIUS request sent to the NRPSs. It is only necessary define a condition that identifies that the realm component of the username is NOT that of the local organisation and DOES include '@' (and ideally is NOT one of the 'bad usernames' that are detailed elsewhere in the eduroam(UK) documentation).
See also: https://www.ise-support.com/2019/07/01/configuring-ise-for-eduroam-authentication/
Nb. Upgrade matix - https://community.cisco.com/t5/security-knowledge-base/ise-version-upgrade-matrix/ta-p/3653501
ISE 2.3 - 2.7 - a new Policy Engine was introduced in version 2.3 and with that came changes to how RADIUS Proxy Sequences are used for authentication. Because of this change in behavior https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672 (note this guide can be used for versions 2.2 and lower since it breaks the Policy Sets section into sections detailing the configurations necessary for both strands).
(*) 2.7 has entered end-of-life and the last date of software maintenance releases will be 22 Sept 2023 https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
ISE 2.0 - 2.2 - https://community.cisco.com/t5/security-knowledge-base/configuring-eduroam-on-cisco-identity-services-engine-ise-2-1/ta-p/3655770 (was https://communities.cisco.com/docs/DOC-71299 )
ISE 1.2 - 1.4 - has been retired; you should upgrade to ISE 2.7 (stable) or 3.0
Sending operator name (with ISE 2.0)
Cisco ISE servers do not have the correct attribute set up for insertion of the Operator-Name attribute. However, the steps to achieve this are straight forward in the GUI. The following article describes how:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Configuring Cisco ISE 1.2 - archive material
Cisco Identity Services Engine 1.2 has been retired and is no longer supported https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html
Configuring Cisco ACS - archive material
The Cisco ACS services of products has now been retired. The last version 5.8 will become unsupported after August 2022.
https://www.cisco.com/c/en/us/obsolete/security/cisco-secure-access-cont...
The information below should be considered as archive material.
Configuring Cisco ACS 5.3 for a Visited (SP) eduroam Service
For details of how to configure Cisco ACS 5.3 for Visited site eduroam see:
Sending Operator Name with ACS 5.4
Cisco ACS 5.4 provides the ability to inject and/or overwrite RADIUS attributes while proxying. This means that attribute 126 Operator Name can be injected for eduroam Visited sites (as per our recommendations).
Operator Name injection while proxying to NRPS
In the Visitor Access Policy (JRS in the example below) first remove any existing Operator Name attributes (which may have been added by the NAS) and add the Service Provide Operator Name.
1. Go to “Access Policies > Access Services” and click on the Visitor Access Policy (JRS)
2.Click on the “RADIUS Attibutes” drop down (Below “External Proxy Servers”)
3. Select “RADIUS-IETF” as the “Dictionary Type:”
4.Click the ‘Select’ button for “RADIUS Attribute”
5.In the ‘RADIUS Dictionary popup window select ‘ID’ in the “Filter:” field
6. In the ‘RADIUS Dictionary popup window select ‘Equals’ in the “Match If:” field
7. In the ‘RADIUS Dictionary popup window in the text box after the “Match If:” field enter 126 and click the ‘Go’ button
8. Then tick the radio button for ‘Operator-Name’ and click ‘OK’ at the bottom
9. In the “Operation:” field chose ‘DELETE’ and then click the ‘Add ^’ button
10. Repeat steps 3 to 8
11. In the “Operation:” field chose ‘ADD’
12. In the “Attribute New Value:” text box enter the your sites realm prepended with 1 e.g. ‘1camford.ac.uk’
13. Click the ‘Add ^’ button
14. Click the ‘Submit’ button
Author: Scott Armitage
Configuring Cisco ACS 5.3 for a Home (IdP) eduroam Service
For details of how to configure Cisco ACS 5.3 for Home site eduroam see:
https://community.jisc.ac.uk/blogs/scotts-eduroam-blog/article/eduroam-h...
Note to Cisco ACS 4.2 Users
In ACS 4.2 you can use a feature called "Domain Stripping" in the Home user authentication process. However it is strongly recommended that you upgrade to the latest version of ACS or employ Cisco ISE since 4.2 is no longer supported by Cisco and doesn't support newer versions of AD, injection of Operator-Name etc.