ISE Integration With Eduroam

This document describes how Cisco Identity Services Engine (ISE) can integrate with an eduroam external server to provide Wi-Fi roaming access for users from partner institutions. The key steps include configuring ISE with the local wireless LAN controller as a network access device, adding the eduroam server as an external RADIUS server in ISE, and setting up authentication and authorization policies in ISE to direct traffic to the eduroam server for external users and handle internal users locally.


Identity Service Engine

Use Case
ISE Integration with Eduroam External Server

Prepared By

MANNAI TRADING CO WLL

MANNAI NETWORKING & ELV

Page | 1 ISE for Multi Authentication Confidential


1. INTRODUCTION

1.1 Document Purpose


The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server.
Eduroam is a Wi-Fi roaming service that provides international network access to devices in education,
research, and higher education: students, teachers, and researchers can reach network resources when
they visit an institution other than their own. This document describes the components used for this
setup, the configuration of ISE, and the configuration of eduroam.

These are the steps in the flow of an external domain user:

 The WLC at each location is configured with ISE as its authentication and accounting server. The
eduroam SSID is configured for 802.1X.

 ISE at each location is configured with the local WLC as a network device with RADIUS enabled.
ISE is also configured with the allowed protocols, the identity source sequence, and the
authentication/authorization policies.

 ISE is configured with eduroam as an external RADIUS server.

 AD group members are associated with the eduroam SSID for 802.1X authentication.

 The WLC sends the RADIUS request to ISE.

 Based on the policy set, ISE checks whether the user is a member of a local AD group or a
roaming AD group. If the user belongs to an external AD, ISE forwards the request to the external
eduroam servers (hosted in the cloud). Eduroam validates the request from ISE, checks whether the
user exists in the remote AD, and sends the response back to ISE. ISE then authorizes according to
the mapped policies and assigns a VLAN to the user based on the AD group.

These are the steps in the flow of an internal domain user:

 The WLC at each location is configured with ISE as its authentication and accounting server.
The eduroam SSID is configured for 802.1X.

 ISE at each location is configured with the local WLC as a network device with RADIUS enabled.
ISE is also configured with the allowed protocols, the identity source sequence, and the
authentication/authorization policies.

 AD group members are associated with the eduroam SSID for 802.1X authentication.

 The WLC sends the RADIUS request to ISE.

 Based on the policy set, ISE checks whether the user is a member of a local AD group or a
roaming AD group. If the user is an internal domain user, ISE does not send the request to the
external eduroam servers; it authorizes according to the mapped policies and assigns a VLAN to
the user based on the AD group.

1.2 Problem Statement


Previously, the customer had weak authentication mechanisms for connecting endpoints and users to
the corporate network. They were using a pre-shared key to access their corporate SSID, which is a
less secure method because the key is easy to obtain and share. Allowing any endpoint onto the
network on that basis is extremely risky.

The customer seeks an identity and access control policy solution that automates and enforces
authentication and authorization for endpoints, covering employees, contractors, and non-user
endpoints. We therefore propose Cisco Identity Services Engine, which can meet the customer's
requirements.

1.3 Background

Below is the list of components used in this setup. ISE version compatibility needs to be validated before
the setup.

 Cisco ISE 3.1 with patch 2

 Cisco Wireless LAN Controller 8450

 Active Directory 2016

 Endpoints: Microsoft Windows 10, Apple iPhone, Android, etc.

 Eduroam server



2. PROPOSED SOLUTION

2.1 Identity Service Engine


Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform
that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their
service operations. The unique architecture of Cisco ISE allows enterprises to gather real-time
contextual information from networks, users, and devices. The administrator can then use that
information to make proactive governance decisions by tying identity to various network elements
including access WLCs.

 Combines authentication, authorization, accounting (AAA), posture, and profiler into one
appliance.

 Provides comprehensive guest access management for the Cisco ISE administrator,
sanctioned sponsor administrators, or both.

 Enforces endpoint compliance by providing comprehensive client provisioning measures and
assessing device posture for all endpoints that access the network, including the 802.1X
environment.

 Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint
devices on the network.

 Enables consistent policy in centralized and distributed deployments that allows services to be
delivered where they are needed.

 Scales to support a range of deployment scenarios, from small office to large enterprise
environments.



2.2 ISE Node, Roles and Personas
The persona or personas of a node determine the services the node provides. An ISE node can
assume any or all of the following personas: Administration, Policy Service, and Monitoring. The
personas are:

 PAN - Policy Administration Node

 MnT - Monitoring and Troubleshooting Node

 PSN - Policy Service Node



3. NETWORK ARCHITECTURE

3.1 Network Infrastructure


Most ISE deployments depend on the existing infrastructure, since ISE must be integrated into it. It is
therefore very important to verify that the network components, software versions, and configurations
meet the ISE requirements. The following dependency exists in the network infrastructure: each
network access device must be configured with ISE as its RADIUS server for authentication and
authorization.

 Wireless LAN Controller

3.1.1 Supplicant
The supplicant is software on the endpoint (workstation, laptop, etc.) that requests access to wireless
services and responds to requests from the authenticator (the WLC). The device must run IEEE
802.1X-compliant client software, such as the supplicant built into the Microsoft Windows operating
system. In the IEEE 802.1X specification, the client is the supplicant.

3.1.2 Authenticator
The authenticator is a device such as a Cisco wireless controller that controls physical access to the
network based on the authentication status of the client. The authenticator usually acts as an
intermediary (proxy) between the client and the authentication server.



The authenticator requests identity information from the client via EAP, verifies that information with the
authentication server via RADIUS, and then relays a response to the client based on the authentication
server's reply.

When the WLC receives EAP over LAN (EAPOL) frames, it strips the Ethernet/EAPOL framing and
re-encapsulates the EAP payload in RADIUS (as EAP-Message attributes) before relaying it to the
authentication server.
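The EAP-in-RADIUS encapsulation and the shared-secret integrity check described above, as an added Python example that is not part of this document. It builds a RADIUS Access-Request carrying an EAP-Response/Identity in EAP-Message attributes and protects it with a Message-Authenticator (HMAC-MD5 keyed with the NAD/ISE shared secret, RFC 3579); the secret and the user name are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; not taken from the document.
SHARED_SECRET = b"example-shared-secret"
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length including header (1 byte), value
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, user_name, eap_frame, secret, request_auth=None):
    """Wrap an EAP frame relayed by the WLC into a RADIUS Access-Request.

    The EAP frame is carried in EAP-Message attributes (max 253 bytes each).
    Message-Authenticator is HMAC-MD5 over the whole packet with its own
    value set to 16 zero bytes, keyed with the shared secret (RFC 3579).
    """
    request_auth = request_auth or os.urandom(16)   # 16-byte random Request Authenticator
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    for i in range(0, len(eap_frame), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_frame[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # replace the zeroed slot with the real HMAC


def verify_message_authenticator(packet, secret):
    """Server-side check (what the RADIUS server does on receipt): recompute the
    HMAC with the Message-Authenticator value zeroed and compare in constant time."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False   # malformed attribute length
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = packet[pos + 2:pos + attr_len]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + attr_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False   # EAP requests without Message-Authenticator must be rejected
```

A wrong shared secret on either the WLC or ISE side shows up as exactly this check failing, which is the first thing to look at when 802.1X authentications never reach the policy set.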

3.1.3 Authentication Server


The authentication server performs the actual authentication of the client: it validates the client's
identity and notifies the WLC whether or not the client is authorized to access the network. Because the
WLC acts as the proxy, the authentication server is transparent to the client. RADIUS with EAP
extensions is the only supported authentication server type.

RADIUS uses a client-server model in which authentication information is exchanged between the
RADIUS server and one or more RADIUS clients, protected by a shared secret known to both sides.



4. ISE Configuration

4.1 ISE Deployment


By default, an ISE appliance runs in standalone mode. High availability can be configured between two
ISE nodes to provide fault tolerance.

For this setup, two ISE nodes are configured with the Administration, Monitoring and Policy Service
personas enabled. Additional nodes can be registered later from the primary node by navigating to
Administration->Deployment, opening the Register menu and selecting Register an ISE node. Before
registering a node, create DNS entries for the ISE nodes so that their FQDNs resolve.

4.2 ISE Licensing


An Essentials license is required in ISE for this test. To validate the license, navigate to
Administration->Licensing.



4.3 Add WLC to ISE as NAD

Network access devices (NADs) are the devices to which endpoints connect directly, such as WLCs
and access points. This POC uses WLCs as NADs. Below is a list of NADs and their information.
ISE provides Network Device Groups, which allow the different NADs to be grouped in a structured
way. Follow these steps to add two NADs to our ISE configuration:

1. Log in to the ISE GUI by browsing to http://<ISE PAN>.
2. Browse to Administration->Network Resources->Network Devices. On the Network Devices
page, click the + Add button to add a network device.
3. Add the network device for your WLC with its Name, IP address and Network Device Groups
(Location), as shown in the following screenshot.
4. Enable RADIUS on this NAD and set the RADIUS shared secret (the same secret the WLC uses
for ISE).
5. Click Submit to save the WLC NAD configuration.



4.4 Active Directory Integration

Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate
credentials during user authentication, and to retrieve group information and other attributes associated
with the user for use in authorization policies. For network administration access, authentications are
validated against the Active Directory domain.

• Provides comprehensive authentication and authorization against multi-forest Microsoft Active
Directory domains.

• Includes flexible identity rewriting rules to smooth the solution's transition and integration.

• Supports Microsoft Active Directory 2003, 2008, 2008R2, 2012, 2012R2, 2016, and 2019.

Joining Active Directory is configured as follows:

1. Select Administration->Identity Management->External Identity Sources->Active
Directory->Connection.
2. Click the Join button and provide the service account credentials.
3. The screenshot below shows the ISE nodes connected to Active Directory.

4.5 External RADIUS Server


Multiple external RADIUS servers can be configured and used to authenticate users through ISE.
To configure an external RADIUS server, navigate to Administration > Network Resources > External
RADIUS Servers > Add.

4.6 RADIUS Server Sequence

The next step is to create a RADIUS server sequence and map previously created external RADIUS
servers. To configure the RADIUS server sequence, navigate to Administration > Network
Resources > RADIUS Server Sequence > Add. The below screenshot shows that ISE is configured
with the RADIUS server sequence.

4.7 Define the Allowed Protocols Service

The Allowed Protocols service enables only the authentication methods/protocols that ISE supports
during RADIUS authentication. To configure it from the ISE GUI, navigate to Policy > Policy
Elements > Results > Authentication > Allowed Protocols; the resulting Allowed Protocols list is then
bound as an element of the Authentication Policy.

4.8 ISE Policies

4.8.1 ISE Policy Set

A Policy Set is a collection of rules for authenticating and authorizing the users of an ISE deployment.
With multiple Policy Sets available in an ISE deployment, how does ISE decide which one to use for a
given authentication request? Policy Sets are evaluated top-down and the first one whose conditions
match the request is used; if none matches, the Default policy set applies. The policy set below handles
eduroam internal and external user authentication.

ISE does not send the traffic to the external eduroam servers if the user belongs to the local AD.
Instead, the user is authenticated by the local AD that has been joined to ISE, and ISE authorizes based
on the mapped policies.

ISE sends the traffic to the external eduroam servers if the user belongs to an external AD. Eduroam
validates the request from ISE, checks whether the user is part of the remote AD, and sends the
response back to ISE. ISE then authorizes based on the mapped policies.

4.8.2 ISE Authentication Policy

Authentication policies define the protocols that Cisco ISE should use to communicate with the network
devices and the identity sources it should use for authentication. A policy is a set of conditions and
a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater
than, and so on), and a value. Compound conditions are made up of one or more simple conditions
connected by the AND or OR operator.

1. Enter a name for the authentication rule. There are two authentication rules, one per policy set.
2. Select the plus (+) icon in the condition field.
3. In the Conditions Studio, add Device Type and Device Location and click Save.
4. Use the identity source sequence created earlier.
5. The rule for external domain users points its identity source sequence to eduroam; the rule for
internal domain users points to the local AD.
6. Click Options and choose Reject from the If User not found drop-down list.



4.8.3 ISE Authorization Policy

Authorization policies are a component of the Cisco ISE network authorization service that allows for
defining authorization policies and configuring authorization profiles for specific users and groups of
users that will access network resources.

1. Create a new rule, and enter a name.
2. From the Conditions, select the appropriate use case and Save.
3. On the General Authorization page, choose the respective authorization Profile under Results.
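The decision flow of sections 4.8.1 to 4.8.3 (top-down policy set match on the NAD's Device Type and Location, identity source per policy set, Reject when the user is not found, VLAN assignment by AD group), as an added Python model that is not part of this document. The realm, user names, AD groups, VLAN numbers and the stub eduroam reply are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: realm, users, AD groups and VLANs are assumptions.
LOCAL_REALM = "home.example"
LOCAL_AD = {"alice": ["Staff"], "bob": ["Students"]}          # user -> AD groups
VLAN_BY_GROUP = {"Staff": 110, "Students": 120, "Eduroam-Roaming": 130}

@dataclass
class Request:
    user_name: str     # outer identity from the supplicant (may carry a realm)
    device_type: str   # Network Device Group values of the WLC that sent it
    location: str

@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]
    identity_source: str   # "Local_AD" or the "Eduroam_Sequence" RADIUS server sequence

def eduroam_proxy(user_name: str) -> Optional[list]:
    # Stand-in for the external eduroam servers; the accepted set is constructed
    accepted = {"carol@partner.example"}
    return ["Eduroam-Roaming"] if user_name in accepted else None

def authenticate(req: Request, identity_source: str) -> Optional[list]:
    # Returns the user's groups, or None when the identity source has no such user
    if identity_source == "Local_AD":
        return LOCAL_AD.get(req.user_name.split("@")[0])
    return eduroam_proxy(req.user_name)

def is_local_user(req: Request) -> bool:
    return "@" not in req.user_name or req.user_name.endswith("@" + LOCAL_REALM)

def from_campus_wlc(req: Request) -> bool:   # Device Type / Device Location conditions
    return req.device_type == "WLC" and req.location == "Campus"

POLICY_SETS = [   # evaluated top-down; the first matching set is used
    PolicySet("Eduroam-Internal", lambda r: from_campus_wlc(r) and is_local_user(r), "Local_AD"),
    PolicySet("Eduroam-External", from_campus_wlc, "Eduroam_Sequence"),
]

def evaluate(req: Request) -> dict:
    for ps in POLICY_SETS:
        if not ps.condition(req):
            continue
        groups = authenticate(req, ps.identity_source)
        if groups is None:                       # "If User not found: Reject"
            return {"policy_set": ps.name, "result": "Reject"}
        vlan = next((VLAN_BY_GROUP[g] for g in groups if g in VLAN_BY_GROUP), None)
        if vlan is None:                         # no authorization rule matched the groups
            return {"policy_set": ps.name, "result": "Reject"}
        return {"policy_set": ps.name, "result": "Accept", "vlan": vlan}
    return {"policy_set": "Default", "result": "Reject"}   # no policy set matched
```

Note that ordering matters: the internal set must sit above the external one, otherwise local users would be proxied to eduroam.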

5. WLC Configuration
Below are some screenshots showing how the WLC is configured with ISE as a RADIUS server and
SSID configuration.



6. Eduroam Configuration
Below are some screenshots showing how the eduroam server is configured with ISE as a RADIUS
server.



Conclusion:
In conclusion, Cisco ISE acts as a RADIUS and TACACS+ authentication server. With everything in
one box, ISE provides visibility into who and what devices are connecting to the corporate network
and applies policy to determine what level of access is granted. It covers most authentication needs
on the network in one place, with a single pane of glass for managing network-wide authentication.
ISE can also be integrated with Cisco DNA Center, creating a trusted communications link for greater
orchestration and automation when managing devices on the network from a central pane of glass.


------------------------------------------------------End of Document---------------------------------------------------------
