
Hi Scott,


This is interesting because we also have a similar configuration.

ISE for internal authentication. FreeRADIUS providing a proxy between ISE and NRPS. We also use FreeRADIUS to respond to inbound RADIUS requests.

We only did that as a migration step as it was the intention to have ISE interface directly with the NRPSs - so might need to rethink.



Darren Stobbs
University of Warwick

From: Wireless Issues in the JANET community <[log in to unmask]> On Behalf Of Scott Armitage
Sent: Wednesday, January 17, 2024 8:56 AM
To: [log in to unmask]
Subject: Re: eduroam and Cisco ISE

See:

https://bst.cisco.com/bugsearch/bug/CSCve00069






On 17 Jan 2024, at 08:40, Scott Armitage <[log in to unmask]> wrote:

Hi,

As far as I am aware Cisco ISE doesn't support RFC 5997 (status-server).  It also doesn't support Radsec or provide the ability to whitelist attributes.  For these reasons whilst we use ISE for internal authentication and assigning of policy we sit FreeRADIUS servers between our ISE servers and the national eduroam proxy servers.

If you wanted something a bit lighter weight to sit between ISE and the national infrastructure, you could use Radsec Proxy.


Regards


Scott Armitage
Loughborough University


On 16 Jan 2024, at 19:59, Ciaran Byrne <[log in to unmask]> wrote:


Hi All,

We are in the process of migrating our eduroam radius servers from FreeRadius to Cisco ISE. We have run into the following problem: our eduroam national gateways (managed by HEAnet) periodically send status-server requests to our radius servers to determine their availability. Our FreeRadius responded to these requests without a problem. However, these requests appear to fail or are dropped when received by our test ISE server and thus the eduroam national gateways are marking our ISE server as unavailable.

HEAnet say these requests are standard Radius status-server requests and that they would be surprised if Cisco ISE didn't support them, suggesting that maybe it's a setting that needs to be enabled on ISE.

Has anyone else encountered this issue? We cannot find any reference to status-server requests in the Cisco documentation/forums.

Thanks,
Ciarán

------------
Ciarán Byrne
Network Administrator
IT Services
Trinity College Dublin, the University of Dublin
Dublin 2, Ireland.

+353 1 8962603
[log in to unmask]
www.tcd.ie/itservices

Please note that electronic mail to, from or within the College, may be the subject of a request under the Freedom of Information Act.
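
The Status-Server availability check discussed in this thread (RFC 5997), as an added example that is not part of the original messages: Python code that builds the probe a national proxy sends and validates the reply on the authentication port. The function names, the default port 1812 and the timeout are assumptions of this example.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2      # RADIUS packet codes
MESSAGE_AUTHENTICATOR = 80                # attribute type, mandatory in Status-Server

def build_status_server(secret: bytes, ident: int, req_auth: bytes = None) -> bytes:
    """Return an RFC 5997 Status-Server packet carrying only Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)  # random Request Authenticator
    length = 20 + 18                       # header + one 18-octet attribute
    header = struct.pack("!BBH", STATUS_SERVER, ident, length) + req_auth
    # HMAC-MD5 is computed over the whole packet with the attribute value zeroed.
    zeroed = header + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Check code, identifier, length and Response Authenticator of a reply."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    # Simplification: require the datagram to be exactly 'length' octets.
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(response):
        return False
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one probe: 'alive', 'bad-reply', or 'no-reply' (dropped or unsupported)."""
    request = build_status_server(secret, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except OSError:                    # timeout or ICMP error: no usable answer
            return "no-reply"
    return "alive" if verify_response(request, response, secret) else "bad-reply"
```

A server that silently drops Status-Server yields "no-reply" from `probe()` even while it answers Access-Request normally, which is the condition that leads an upstream proxy to mark it unavailable.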



________________________________

To unsubscribe from the WIRELESS-ADMIN list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/WA-JISC.exe?SUBED1=WIRELESS-ADMIN&A=1

########################################################################

This message was issued to members of www.jiscmail.ac.uk/WIRELESS-ADMIN, a mailing list hosted by www.jiscmail.ac.uk, terms & conditions are available at https://www.jiscmail.ac.uk/policyandsecurity/