Hi Sean,
Here is how we have implemented this same setup:
There are 3 scenarios:
* eduroam-local: our student/staff accessing eduroam within campus, they
are authenticated against our radius/AD and then depending upon which group
they belong to (member_of_student or member_of_staff), radius returns
VLAN/Interface/Interface Group (student interface group or staff interface
group) to WLC. If a person is both student and staff, he/she is given staff
status.
* eduroam-inbound: our student/staff accessing eduroam in other
institutions; our radius receives the auth request via ISP (here in Australia
it is AARNET).
* eduroam-outbound: Affiliates from other institutions accessing eduroam
within our campus; the auth request is sent to ISP which takes it to his/her
parent institution. Upon successful authentication, radius returns
VLAN/Interface/Interface Group (guest interface group) to WLC.
Controller:
-create student, staff and guest interfaces. Group the interfaces into
interface group. One IG can have up to 64 interfaces.
-point the eduroam SSiD to your radius server (ISE here)
Radius server:
* create 3 policies or services (we are using Aruba clearpass so we use
services)
* 1st service/policy: eduroam-local: all conditions need to be met
* username contains "@our institution domain"
* is connecting to eduroam
* request is coming from our controllers
* then authenticate against our AD
* return student or staff interface group to WLC
* 2nd service/policy: eduroam-inbound: all conditions need to be met
* Request is coming from ISP (proxy servers)
* Then just do authentication
* 3rd service/policy: eduroam-outbound: all conditions need to be met
* Username contains institutions other than ours
* Is connecting to eduroam
* Then send auth request to ISP and upon successful auth, return
guest interface group from radius to WLC.
Let me know if you need any further details.
-
Cheers,
Kind regards,
Tariq
From: The EDUCAUSE Wireless Issues Community Group Listserv
<[email protected]> On Behalf Of Gray, Sean
Sent: Thursday, 8 July 2021 2:52 AM
To: [email protected]
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN
Hi Everyone,
We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into
a single WLAN (eduroam). Behind the scenes we still need to authenticate and
route clients to their respective network segment. So to achieve this we need
to implement dynamic vlan redirects behind the scenes.
Eduroam users from other institutions will be sent out to eduroam to be handled
appropriately
Authentication will be handled by ISE cluster, running 2.6.0.156
WLC - 5520 (pair) running 8.8.130.0
The process, from a high level should look something like this
* Staff/faculty will connect to our new single WLAN, namely Eduroam
* They will be caught by the appropriate policy and authenticated against
AD, validating that they are staff/faculty
* Now they will be redirected to the appropriate VLAN
* Student will follow the same process, but will be validated that they are
a student, and redirected to a different VLAN
* All others (externals) will be sent to an external RADIUS server for auth
and then redirected to yet another different VLAN.
Currently unique policies exist for each of these processes, without the added
complexities of the VLAN redirect. So my mission is to combine these, filtering
each client to their auth point, and then upon receiving the authorization,
assign the appropriate vlan tag, for IP assignment, prior to them getting
on-net.
I've been unable to find any meaningful documentation around how to handle
internal vs external radius redirection in this scenario.
So has anyone done this, and are they able to share their process, inclusive of
vlan redirect?
Thanks
Sean
Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional participation
and subscription information can be found at
https://www.educause.edu/community<https://protect-au.mimecast.com/s/7QL3CJyBrGfq4pqJLcV86Bd?domain=educause.edu>
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community
