ISE IOS CLI Authentication Quandry

Im trying to push the limits of ISE, since tacacs+ isnt supported yet. The goal is to authenticate switches and routers using radius against ISE. I think I am on the right track, since I can login against ISE. However, when I login to enable the ISE Authorizations log shows Radius status fail, with a failed attempt from user $enabl15$.
I have my device added to ISE. An authorization profile has been created for each privilege level, I am using policy sets and have the correct authz and autht policies. Below are the examples of my ISE configuration and router configuration. Hopefully it helps fix my problem, or it may help the next troller with success of their own configuration.
Auth Profile: When choosing priv-lvl=15 after hitting save, web auth is automatically selected.
Policy Set:
router configuration
aaa group server radius Rad_AUTH1
 server name Rad_Auth
aaa authentication login CONSOLE local
aaa authentication login Rad_Auth group Rad_AUTH1 local none
aaa authentication enable default group Rad_AUTH1 enable none
aaa authorization exec default none 
aaa authorization exec Rad_Auth group Rad_AUTH1 if-authenticated 
aaa accounting exec default start-stop group radius
radius server Rad_Auth
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 timeout 3
 key 7 052F302B3B7E491B41
line vty 0 4
 session-timeout 30 
 exec-timeout 30 0
 authorization exec Rad_Auth
 login authentication Rad_Auth
 transport input ssh

Thanks for the reply Neno. I got it worked out and will be submitting a new document for future trollers. There were a couple things I had to change in both ISE and in IOS. 
In IOS
aaa authentication login default group radius local none
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable none
aaa authorization exec default group radius local 
In ISE the AuthZ and AuthT policies worked, but didnt give the results I wanted. For example, since radius uses the $enabl$ as a username for the privilege level I had to put a deny at the end of each policy. Without it, enable would go to the next default rule, it also allowed a priv 5 to type in enable and get priv 15 access. 

Similar Messages

  • What is the equivalent implementation of isr ios cli "ip tcp synwait-time 10" on asa cli

    I would like to see an implementation of an ISR IOS cli:
         ip tcp synwait-time 10
    on an ASA cli.  thank you much in advance.               

    Hi Oscar,
    this is supported but you need a class-map type management:
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296
    TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
    class-map type management CONTROL
    match access-list CONTROL_ACL
    policy-map global_policy
    class CONTROL
      set connection conn-max 1
    service-policy global_policy global
    In my tests, it worked for SSH but not for HTTPS:
    ciscoasa(config)# sh conn all
    2 in use, 2 most used
    TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB
    After other sessions:
    %ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
    %ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside
    ciscoasa(config)# sh conn all
    4 in use, 5 most used
    TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
    TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
    TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB
    Somehow, 0 hitcount on HTTPS ACL...
    ciscoasa(config)# sh access-list
    access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
    access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c
    ciscoasa(config)# sh asp drop
    Frame drop:
      Flow is denied by configured rule (acl-drop)                                 2
      First TCP packet not SYN (tcp-not-syn)                                      49
      Connection limit reached (conn-limit)                                        2
      FP L2 rule drop (l2_acl)                                                    48
    Flow drop:
      SSL bad record detected (ssl-bad-record-detect)                              3
    ciscoasa(config)# sh service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: CONTROL
          Set connection policy: conn-max 1
            current conns 1, drop 2
    you can also control each feature timeouts seperately via:
    telnet/ssh timeout 1
    http server idle-timeout/session-timeout 1
    Note: I tried this in GNS (asa 8.4.2) and using telnet from a router (not using a real browser for HTTPS) so the results might not be reflect a production environnement...
    Patrick

  • ISE Admin Access Authentication to RADIUS Token Server

    Hi all!
    I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
    Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
    Thanks in advance,
    Michael Langerreiter

    ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.
    Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
    Last Modified
    Nov 25, 2014
    Product
    Cisco Identity Services Engine (ISE) 3300 Series Appliances
    Known Affected Releases
    1.3(0.876)
    Description (partial)
    Symptom:
    ISE 1.3 RBAC fails with shadow user & Radius token
    Operations > Reports > Deployment Status > Administrator Logins report shows
    Authentication failed due to zero RBAC Groups
    Conditions:
    RBAC with shadow user & Radius token
    View Bug Details in Bug Search Tool
    Why Is Login Required?
    Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
    Bug Details Include
    Full Description (including symptoms, conditions and workarounds)
    Status
    Severity
    Known Fixed Releases
    Related Community Discussions
    Number of Related Support Cases
    Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
     I have a trouble with ISE 1.2 when trying to authenticate for first time an end-device, this device might be either a Workstation or IP Phone or Printer,etc. it fails or staying in running mode. The result is the same it can not access the network.  hopefully I'm still in open mode :)
    As i described in the beginning everything has status Running or Authz Failed. and after a time of period usually one day finally succeeds.
    This happens mostly for workstations and printers, but in case of phones does not have the same behavior. I unplug plug the phones or I shut/ no shut the ports in order to trigger it to succeed. For some phones worked but other obstinately declined.
    The phones which are not Cisco phones authenticated with MD5 (a simple username and pass  ) i think the problem should not related with the auth protocol.
    Below are some logs from one phone. For me coming to a short conclusion this must be related with the switches which are 3750e (15.02 SE 4 IOS)
    or with the same the ISE, why because i have almost the same behavior for all end-devices.
    I kindly remain your comments...
    2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    S301#
    2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
    2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    S301#
    2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
    S301#
    2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
    2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C

    I'm not using authentication method with certificates for none end-devices
    Workstations with the windows default authentication protocol EAP/MSCHAPv2
    In front of them there are non Cisco IP-phones with auth. method EAP/MD5
    Finally I also have some printers again with option EAP/MD5
    For all of these devices I received the same behavior, after many hours finally the authenticated with ISE. But is this the expected behavior?
    What I understand is that if the devices finally authenticated then it means that there isn’t anything wrong with the method.
    The misunderstanding points are 3
    Why there is so much delay for all devices to authenticate?
    Why some devices, mostly IP phones (not all) continuing to fail to the authentication method. All my devices are identical with the same software / patch, same model etc.
    I have noticed randomly some devices one moment to succeed and the next moment to failed
    So for my understanding there is an abnormal behavior and i cannot find the way /pattern to correct it or to understand the reason :)
    Port config
    switchport access vlan xxx
     switchport mode access
     switchport voice vlan yyy
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xxx
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over

  • ISE - IOS bug!

    I am using a stange issue in my environment. I use ISE 1.2 fo as radius server for device management/authentication(Not NAC usage). I am having Cisco c6509E VSS as core device. The device was added to ISE and aaa auth was working fine. I changed IP address of switch during my DC migration. Since then AAA fail for thsi device. ISE report and TCPdump shows old IP. My wireshard capture(SPAN port) also showing old IP in packet header irrespective of radius source interface I use in switch. Debug (radius/aaa) output in switch showing the correct interface addres whcih I  use in 'ip radius source-interface'.
    Unfortunatly I am unable to restart switch as it is core device in a critical place. It looks like a stange IOS issue. Did any one faced this kind of issues? Please advise how to resolve without restart. Don't know why the switch is always using its old IP to frame radius packet.

    These have been virified. I tried difference source interfaces and even changed  MAC addresses of SVIs. I am sniffing interface of ISE appliance to capture radius packets. I wondering how C6509E switch can frame a IP packet with source address not belonging to it. MAC address belongs to the switch but source IP address not belonging to the switch(Its old IP address).

  • ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

    We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
    Is there any requirements or configurations change needs to be done to make it success?

    Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
    If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin cccess to our ISE deplyoment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
    for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
    While testing the login access to the switches we've come up with 2 results :
    1.A domain user can indeed login to the switch as intended.
    2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
    of the IT_department only .
    I haven't been successfull , would appreciate any ideas on how to accomplish this .
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
    How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

  • ISE admin access, authentication against external radius

    Please don't ask me why,
    the customer insists and wants to be authenticated on ise (as admin) against an external (microsoft) radius server
    is it possible while retaining internal admin users database in a sequence Internal>external_radius or internal>AD ?
    thank you in advance for whatever may help

    According to Cisco:
    External Authentication AND external Authorisation for Admin acces son the ISE can only be done by using LDAP or AD.
    For Radius Servers there are a solution for external Authentication and internal Authorisation on the ise:
    External Authentication + Internal Authorization
    When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
    You do not need to specify any particular external administrator groups for the administrator.
    You must configure the same username in both the external identity store and the local Cisco ISE database.
    To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
    Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
    The Administrators window appears, listing all existing locally defined administrators.
    Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
    Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
    Step 3 Click Save .

  • ISE and machine authentication

    Hi
    I have ISE 1.1  : user authentication is working fine
    Now I need to implement machine authentication
    But I have 2 requirement
    1- User must remove and plug his network cable as he want (without close windows session or restart his computer) and his computer should be authenticated evry time as with user authentication
    2- I must not install any software or client applicatin on the computer
    Is there any method of machine authentication that respect thise 2 requirements above
    Regards

    I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
    https://supportforums.cisco.com/message/4044276#4044276
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ISE multiple EAP authentication methods question

    With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail as if a device gets a request from the ISE for an EAP method it doesnt understand it just times out.
    Thanks in advance.

    Multiple EAP Methods work fine. If your Clients are being crap you could try forcing then to use a specific set of Allowed Authentication Method by creating more specific Authentication rules.
    Sent from Cisco Technical Support iPad App

  • ISE - Machine + user authentication

    I've searched forum, community but I couldn't find exactly what I need:
    I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication.
    Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
    If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
    Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished.
    Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
    How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless.
    NAM is already refused by client, so I need something that will work on plain Windows 7.
    Thanks.

    Hello Align-
    In your post you are referring to two completely separate and independent solutions:
    1. MAR
    2. EAP-Chaining
    MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if let's say a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed
    EAP-Chaining on the other hand utilizes EAP-FAST and it s a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might wanna look into Cisco's TrustSec guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
    I hope this helps!
    Thank you for rating!

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers'
    I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal . This happen on my iPhone. The iPhone is running on iOS 5.0.1
    Whilst on workstation it's working well.
    attach the snapshot of what happen on the iPhone.
    Any clue to torubleshoot? Thanks
    Noel

    Hi
    I still fail whilst i testing on my iPhone.
    I'm not using ISE self-signed certificate, i create CSR and signed by root CA server. So once i try to connect it won't prompt me the "accept ceritficate"
    My WLC local auth certificate verdor certificate is signed by the same root CA server as well.
    So i test on desktop to run safari broswer, it able to redirect to ISE guest portal.
    Can please suggest more troubleshooting guide?
    Thanks
    This is how the outcome for the safari broswer
    Noel

  • Configuring ISE to proxy Authentications based on email address

    Hi
    I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
    Workflow:
    User associates to SSID (eduroamTest)
    Prompted for username & password (802.1x)
    User puts in username and password in the form [email protected] (UPN)
    If the user is part of our local institution they are authenticated using our local radius server (ISE)
    If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
    The National Gateways  passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
    The institution authenticates the user and passes the  request back to the National Gateways
    The National Gateways passes this request back to our ISE server and the external user is authenticated
    The user can browse the web
    What I have done:
    Setup the National Gateways as external proxy servers
    Created firewall rules to allow the traffic
    Configured the proxy sequence with these servers
    Created a policy to proxy requests to the proxy sequence
    What I need to figure out:
    How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
    Any help with this configuration would be greatly appreciated as I am new to ISE.
    If you need any more info please let know.
    Kind regards
    John

    Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do, is create a new authentication rule, where you check for the following attributes ;
    radius/called-station-id contains "eduroam"
    and
    radius/username ends with "rcsi.ie"
    Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
    If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.

  • IOS CLI for WPA2 needed..

    Hi,
    I can't get my 871w to enable WPA2 for it. I found a reference to "wpa version 2" as CLI which my rather new IOS doesn't seem to understand.
    So how to enable WPA2 via CLI commands? And by the way do you have a link to the wireless CLI reference?
    Ciao, Bernd

    Hi Jeff,
    thanks for message and the help - I appreciate that!
    Yes my router shows the option:
    CiscoKunr(config)#int Dot11Radio 0
    CiscoKunr(config-if)#encryption mode ciphers ?
    aes-ccm WPA AES CCMP
    tkip WPA Temporal Key encryption
    wep128 128 bit key
    wep40 40 bit key
    And I set it to aes-ccm, but my client (Macbook) says it's still WPA and not WPA2 like my D-Link wireless. Is the message of the Mac OSX wrong or do I miss something else in the setting for WPA2?
    Ciao, Bernd

Maybe you are looking for

  • Video and audio files hosted on your site

    It would be great to be able to host your own video and audio files and not have to rely on YouTube or Vimeo.  Design a widget to for ease of use.

  • Efficient searching in a large XML file for specific elements

    Hi How can I search in a large XML file for a specific element efficiently (fast and memory savvy?) I have a large (approximately 32MB with about 140,000 main elements) XML file and I have to search through it for specific elements. What stable and p

  • Trouble downloading attachments in gmail/Firefox-IE

    Since this morning, I cannot download attachments in gmail using Firefox or IE (I did not try out Chrome). Since I have this problem in multiple browsers, the issue seems to stem from my computer, but still I'd appreciate any suggestions...

  • WLC 5508 authorization issue

    Hello, I have an issue with two wlc 5508 in the same mobility group. We use TACACS to authenticate admins, with maximum privileges. When I want to configure cleanair, or some security functions (such as ACL, or password policies), I have an error mes

  • IMovie for IOS Cannot export 60p despite iPhone 6 capability to shoot 60p

    Hi, iMovie for IOS Cannot export 60p despite iPhone 6 capability to shoot 60p I am obliged to use Pinnacle Studio for IOS 8 I have bought a superb iPhone 6 Plus, shooting in 1080/60p, I cannot edit my clips to build a 60p Master. I understand the cho