Configuring ISE for eduroam authentication with a single policy set

The old way of specifying a proxy RADIUS service for authentications no longer works in Cisco ISE 2.3 and up because you must set the Allowed Protocols for the Policy Set itself instead of in the authentication policy. This affects how you configure ISE for eduroam authentications. The eduroam configuration for both ISE 2.2 and below as well as 2.3 and up can be found here:

https://community.cisco.com/t5/security-documents/configuring-eduroam-on-cisco-identity-services-engine-ise/ta-p/3655672

For ISE 2.3 and up, you would have to create 2 separate policy sets to handle internal/traveling users (local authentication) versus external users (external authentication). I didn’t like the idea of two separate policy sets, so I started asking around in various forums about other ways of handling this configuration. Someone brought up that with eduroam you are only receiving a “Pass/Fail” (Access-Accept or Access-Reject) response. That means instead of setting up the eduroam servers as External RADIUS Servers, we can configure them as RADIUS Token servers. This lets us use the configured RADIUS Token server (you can have 2 servers per Token server setting) in an authentication rule, just as we could when “Use Proxy Service” was available!
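To make the “Pass/Fail” point concrete, here is an added example (not from the original post or from Cisco) of the RADIUS exchange that a Token-server style consumer actually relies on: the home server answers an Access-Request with nothing more than a packet code, and the caller checks the Response Authenticator (RFC 2865) and reduces the code to accept or reject. The shared secret, the realm list and the user names are constructed placeholders; the home server is a stand-in for the eduroam home institution, not real eduroam infrastructure.

```python
"""Minimal RADIUS Access-Request / Access-Accept|Reject exchange (RFC 2865).

Added example, not from the original post. It shows why a "RADIUS Token"
style consumer is enough for eduroam: the home server answers only with a
packet code (Accept=2 / Reject=3), which the caller turns into pass/fail
after verifying the Response Authenticator.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1

# Constructed values: placeholder shared secret and a hypothetical home realm.
SHARED_SECRET = b"example-shared-secret"
KNOWN_REALMS = {"example.edu"}


def _attrs(user_name: str) -> bytes:
    """Encode a single User-Name attribute as a RADIUS TLV (type, length, value)."""
    value = user_name.encode()
    return struct.pack("!BB", ATTR_USER_NAME, 2 + len(value)) + value


def build_access_request(user_name: str, identifier: int) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator). Only the outer User-Name is
    carried; the inner EAP credentials never matter for the pass/fail result."""
    req_auth = os.urandom(16)
    attrs = _attrs(user_name)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_user_name(packet: bytes) -> str:
    """Walk the attribute list after the 20-byte header and return User-Name."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == ATTR_USER_NAME:
            return packet[pos + 2:pos + alen].decode()
        pos += alen
    raise ValueError("User-Name missing")


def home_server_respond(request: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Stand-in for the home institution's server: accept users in a known
    realm, reject everyone else. Response Authenticator per RFC 2865 is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier = request[1]
    req_auth = request[4:20]
    realm = parse_user_name(request).rpartition("@")[2]
    code = ACCESS_ACCEPT if realm in KNOWN_REALMS else ACCESS_REJECT
    attrs = b""  # a bare pass/fail answer needs no attributes at all
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def evaluate_response(response: bytes, req_auth: bytes, identifier: int,
                      secret: bytes = SHARED_SECRET) -> bool:
    """What the token-server consumer does: check the reply belongs to our
    request and was produced with the shared secret, then map code -> bool."""
    if len(response) < 20 or response[1] != identifier:
        raise ValueError("response does not match the outstanding request")
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    code = response[0]
    if code == ACCESS_ACCEPT:
        return True
    if code == ACCESS_REJECT:
        return False
    raise ValueError(f"unexpected RADIUS code {code}")


def authenticate(user_name: str, identifier: int = 7) -> bool:
    """Full round trip for one outer identity; True means Access-Accept."""
    request, req_auth = build_access_request(user_name, identifier)
    response = home_server_respond(request)
    return evaluate_response(response, req_auth, identifier)


if __name__ == "__main__":
    print(authenticate("alice@example.edu"))  # True  (known realm)
    print(authenticate("mallory@other.org"))  # False (unknown realm)
```

The consumer side never looks at any attribute in the reply, which is exactly the behaviour a RADIUS Token identity source gives you in ISE; the one thing it must still do is verify the Response Authenticator, otherwise a spoofed Access-Accept from anyone who can reach the ISE node would be taken as a pass.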

So follow the steps on the Cisco write-up for ISE 2.2 and below except make the following changes:

  1. Instead of setting up the eduroam servers as External RADIUS Servers, set them up as a RADIUS Token Server (Administration > Identity Management > External Identity Sources > RADIUS Token).
    • Under the Connection tab, put a check for Enable Secondary Server so you can set up more than 1 connection.
    • Even though the configuration for the Primary and Secondary server shows Host IP, you can enter the hostnames for the eduroam servers.
    • Leave all other settings at their defaults.
  2. Instead of configuring the authentication policy to Use Proxy Service (not available in ISE 2.3 and up) for the Eduroam External User rule, set that rule’s Use field to the name of the RADIUS Token server you set up above.

That’s it. Not a lot of changes are required, but just enough to no longer need two separate policy sets if you are using ISE 2.3 and up for eduroam authentication.
