The old way of specifying a proxy RADIUS service for authentications no longer works in Cisco ISE 2.3 and up because you must set the Allowed Protocols for the Policy Set itself instead of in the authentication policy. This affects how you configure ISE for eduroam authentications. The eduroam configuration for both ISE 2.2 and below as well as 2.3 and up can be found here:
For ISE 2.3 and up, you would have to create 2 separate policy sets to handle internal/traveling users (local authentication) versus external users (external authentication). I didn’t like the idea of two separate policy sets so I started asking around in various forums about other ways of handling this configuration. Someone brought up that with eduroam you are only receiving a “Pass/Fail” (access-accept or access-reject) response. That means instead of setting up the eduroam servers as external RADIUS servers we can configure the servers as RADIUS Token servers. This will allow us to use the configured RADIUS Token server group (you can have 2 servers per Token server setting) in an authentication rule just like when we could select “Use Proxy Service”!
So follow the steps on the Cisco write-up for ISE 2.2 and below except make the following changes:
- Instead of setting up the eduroam servers as External RADIUS Servers, set them up as a RADIUS Token Server (Administration > Identity Management > External Identity Sources > RADIUS Token).
- Under the Connection tab, put a check for Enable Secondary Server so you can set up more than 1 connection.
- Even though the configuration for the Primary and Secondary server shows Host IP, you can enter the hostnames for the eduroam servers.
- All other settings left to default.
- Instead of configuring the authentication policy to Use Proxy Service (not available in ISE 2.3 and up) for the Eduroam External User rule, set that rule’s Use field (the identity source) to the name of the RADIUS Token server you set up above.
That’s it. Not a lot of changes required but just enough to no longer require two separate policy sets if you are using ISE 2.3 and up for eduroam authentication.
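To make the “Pass/Fail” point concrete, here is a small self-contained simulation of the RADIUS exchange a token server handles: an Access-Request carrying a User-Name and a hidden User-Password, and a reply that is nothing but Access-Accept or Access-Reject. It is an added example written for this post, not Cisco’s or eduroam’s code, and every value in it (the shared secret, the user table, the password) is constructed. It follows RFC 2865 for the password hiding and the Response Authenticator, and the client side shows the check a proxy should always make: only trust the verdict if the Response Authenticator proves the reply was produced with the shared secret for this exact request. A reply whose code was altered in transit fails that check. Note that an EAP-based authentication (EAP-TLS, PEAP) does not look like this at all; it is a multi-round exchange of Access-Challenge packets carrying EAP-Message attributes, which is why a plain pass/fail identity store cannot terminate it (see the follow-up comments below).

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the two attribute types this example uses (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a run of attributes into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client/proxy side: a fresh random Request Authenticator per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def token_server_respond(request, secret, users):
    """Simulated pass/fail server: decide, then answer with a bare Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def verify_response(response, request, secret):
    """Client side: True/False for a verdict that authenticates, None if the reply is not trustworthy."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code == ACCESS_ACCEPT


# Constructed sample data for the demo functions below
SECRET = b"constructed-shared-secret"
USERS = {b"alice@example.edu": b"correct horse"}


def demo(username, password):
    """Full round trip: build request, let the simulated token server answer, verify the reply."""
    req = build_access_request(7, username, password, SECRET)
    return verify_response(token_server_respond(req, SECRET, USERS), req, SECRET)


def altered_reply_is_untrusted():
    """A Reject whose code byte was changed to Accept in transit must fail verification."""
    req = build_access_request(8, b"alice@example.edu", b"wrong", SECRET)
    altered = bytes([ACCESS_ACCEPT]) + token_server_respond(req, SECRET, USERS)[1:]
    return verify_response(altered, req, SECRET) is None


if __name__ == "__main__":
    print("good password ->", demo(b"alice@example.edu", b"correct horse"))
    print("bad password  ->", demo(b"alice@example.edu", b"wrong"))
    print("altered reply ignored ->", altered_reply_is_untrusted())
```

The only state the proxy keeps per request is the Identifier and the random Request Authenticator, which is exactly what lets it tie a bare Accept/Reject back to the question it asked; there is no attribute payload to carry back, which is why a token server fits the eduroam case the post describes.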
Thanks for the explanation. I have run into an issue when setting this up. When using the Radius Token I get the following error:
15013 Selected Identity Source – Eduroam_Radius_Token
22043 Current Identity Store does not support the authentication method; Skipping it – Eduroam_Radius_Token
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The ‘Reject’ advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
Policy Set allowed protocols set up for EAP-TLS or PEAP/MSCHAPv2
ISE version 3.1
Thanks.
This is an older write-up that I don’t believe works with newer versions of Eduroam. RADIUS Token doesn’t support EAP-TLS or PEAP/MSCHAPv2. You can see authentication protocols and the supported identity stores in the Cisco ISE 3.1 Administrator Guide under Asset Visibility if you look at table 13 (Internal and External Identity Sources section).
Cisco Identity Services Engine Administrator Guide, Release 3.1 > Asset Visibility
Ah, I see. Thank you for the Info Brad. Looks like back to the two separate policies…LOL