Props to Cisco for listening to their customers and adding the feature! Philippe - thanks for your efforts in this regard as well.

Curtis Larsen
University of Utah
Network Engineer

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Hurt, Trenton W. [[email protected]]
Sent: Sunday, December 01, 2013 10:25 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam

ISE 1.2 patch 4 adds the capability to strip domain:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp433101

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Hanset, Philippe C
Sent: Wednesday, August 14, 2013 1:47 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam

All,

I have contacted Cisco directly to try to accelerate the availability of the REALM stripping feature. Same with Microsoft and IAS (REALM stripping issue, and I'm also contacting them directly as well).

Hope it will work!

Philippe

Philippe Hanset
www.eduroam.us

On Aug 14, 2013, at 12:44 PM, "Curtis K. Larsen (UIT-Network)" <[email protected]> wrote:

The status of the "enhancement request" is "open". In talking with TAC it appears it might take several months. We use MSCHAPv2, participate in eduroam, and rely on stripping the realm to put users in different VLANs today, so this is quite problematic for us. We are also running ISE 1.2.

Thanks,
Curtis

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Joe Roth [[email protected]]
Sent: Wednesday, August 14, 2013 10:24 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam

Correct, the SSID that we were using LDAP with did not use MSCHAPv2. Did they happen to mention what version that bug was fixed in? We upgraded to 1.2 and it has been stable for us so far.

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009

On Wed, Aug 14, 2013 at 11:17 AM, Curtis K. Larsen (UIT-Network) <[email protected]> wrote:

Joe,

Thanks for the reply. I am guessing you are not using PEAP-MSCHAPv2, is that correct? I have just come across the following from Cisco:

CSCuc52361 Bug Details
ISE should allow domain modification/stripping for AD external store

Symptom: Currently ISE does not allow modifying the domain name before authentication when the external identity store used is AD. This is a problem in an environment like eduroam where the specification enforces a particular username format (user@realm). Generally the username stored in the AD UPN field is not in the same format as the one supplied for authentication. It would be good to allow the modification of the AD username prior to authentication, or at least support suffix/prefix stripping, since this would be sufficient for local domain authentication (this would still break cross forest).

Conditions: Trying to modify the domain name of the user before AD authentication.

Workaround: Use LDAP for basic stripping (does not currently work for MSCHAPv2).

Thanks,
Curtis

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Joe Roth [[email protected]]
Sent: Tuesday, August 13, 2013 6:58 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam

Curtis,

We are not using eduroam but we are a Cisco ISE user. When you connect to AD via LDAP in ISE I believe that you can accomplish what you are looking to do. If you create a new LDAP identity source, look under the directory structure tab. You can strip the subject name based on a dividing character. You can leave your current AD identity source in place and add the LDAP one as well; they will run side by side.

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009

On Tue, Aug 13, 2013 at 7:05 PM, Curtis K. Larsen (UIT-Network) <[email protected]> wrote:

Hello,

I am just wondering if anyone on the list that participates in eduroam uses ISE for RADIUS. We are playing with ISE, and finding difficulty getting it to strip off the realm suffix before authenticating against AD. I can't imagine there isn't a way to do this, since I assume that would prevent any eduroam customers from using ISE as their primary RADIUS server. Hopefully we are just missing something simple. Let me know.

Thanks,
Curtis Larsen
University of Utah
Network Engineer

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
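The realm handling the thread is asking ISE to do, written out as an added Python example. This is not code from the thread, from Cisco ISE, or from any eduroam software; it is a stand-alone model of the decision a RADIUS front end makes for an eduroam identity: split the user@realm NAI, route realms that are not ours to the eduroam proxy unchanged, strip the suffix only for our own realm(s), and reject identities that would otherwise be guessed at. The local realm set ("utah.edu", "student.utah.edu") and the sample identities are constructed for the demonstration. One point the function makes explicit that the thread only alludes to: it returns the matched realm alongside the stripped username, because once the suffix is gone the caller still needs the realm to choose the right AD forest or join point (the "this would still break cross forest" remark in CSCuc52361). With PEAP-MSCHAPv2 this logic must run on the inner identity from the tunnel, not on the outer identity, which eduroam clients are encouraged to set to an anonymous name.

```python
"""Realm stripping and routing for an eduroam-style RADIUS front end.

Added example, not from the thread or from Cisco ISE. The realm set and
sample identities below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    action: str                 # "local", "proxy" or "reject"
    realm: Optional[str]        # realm, lower-cased; None if the identity had none
    local_user: Optional[str]   # username handed to AD when action == "local"
    reason: str                 # human-readable justification for the log line


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a user@realm NAI on the LAST '@' (RFC 7542 style).

    Returns (user, realm); realm is None when the identity has no '@' at all.
    Splitting on the last '@' means a user part containing '@' survives into
    `user`, so the caller can detect and refuse ambiguous identities.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm


def route(identity: str, local_realms: Iterable[str]) -> Decision:
    """Decide what a RADIUS server should do with an eduroam identity.

    - our own realm (exact or sub-realm match)   -> strip suffix, authenticate locally
    - someone else's realm                        -> forward to the eduroam proxy, untouched
    - no realm, empty parts, several '@', spaces  -> reject rather than guess
    """
    local = {r.lower().strip(".") for r in local_realms}

    if not identity or any(ch.isspace() for ch in identity):
        return Decision("reject", None, None, "empty identity or whitespace in identity")

    user, realm = split_nai(identity)
    if realm is None:
        # eduroam requires user@realm; a bare username cannot be routed.
        return Decision("reject", None, None, "eduroam requires user@realm")

    realm = realm.lower()
    if not user or not realm:
        return Decision("reject", realm or None, None, "empty user or empty realm")
    if "@" in user:
        # 'a@b@utah.edu': refuse instead of guessing which part is the AD user.
        return Decision("reject", realm, None, "more than one '@' in identity")

    # Sub-realm match requires a dot boundary, so "notutah.edu" is NOT "utah.edu".
    for ours in local:
        if realm == ours or realm.endswith("." + ours):
            return Decision("local", realm, user, f"realm matches local realm {ours}")

    return Decision("proxy", realm, None, "foreign realm; forward to eduroam proxy unchanged")


if __name__ == "__main__":
    LOCAL_REALMS = {"utah.edu"}  # constructed for the demo
    samples = [
        "u0123456@utah.edu",       # local, strip to u0123456
        "U0123456@UTAH.EDU",       # realm comparison is case-insensitive
        "jane@student.utah.edu",   # sub-realm of a local realm
        "joe@binghamton.edu",      # foreign realm, proxy as-is
        "x@notutah.edu",           # must not be mistaken for utah.edu
        "u0123456",                # no realm: reject
        "@utah.edu",               # empty user: reject
        "a@b@utah.edu",            # ambiguous: reject
    ]
    for ident in samples:
        d = route(ident, LOCAL_REALMS)
        print(f"{ident:24} -> {d.action:6} user={d.local_user!s:10} realm={d.realm!s:18} ({d.reason})")
```

The suffix check is deliberately anchored on a dot boundary so that a realm such as notutah.edu never matches utah.edu; a naive `endswith("utah.edu")` would let an attacker-controlled realm be treated as local. Identities with no realm are rejected here because eduroam mandates user@realm; an institution that also serves a non-eduroam SSID with bare usernames would add a separate, explicitly labelled branch for that case rather than loosening this one.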
