eduroam visited Configuration for Cisco ACS 5.3

Tuesday, September 29, 2015 - 12:09

Add Janet National Proxy Servers

First add the Janet National Proxy Servers (NRPS) as external Proxy Servers.

  1. Go to “Network Resources > External Proxy Servers” and click “Create”
  2. In the ‘Name:’ field enter roaming0.ja.net
  3. In the ‘Hostname AAA:’ field enter the IP Address for roaming0.ja.net
  4. In the ‘Shared Secret:’ field enter the shared secret for roaming0 for your RADIUS server. This information can be obtained by visiting https://support.eduroam.uk
  5. Then click ‘Submit’
  6. Repeat the above steps for roaming1.ja.net and roaming2.ja.net

Create an Access Service for JRS

  1. Go to “Access Policies > Access Services” and click ‘Create’
  2. In the ‘Name:’ field enter ‘JRS’
  3. Under “Access Service Policy Structure” select ‘User Selected Service Type’ and then choose ‘External Proxy’ from the drop down list
  4. Then select roaming0, roaming1 and roaming2 from the ‘Available External Proxy Servers’ and move them to the ‘Selected External Proxy Servers’ with the >> button
  5. Click ‘Finish’

Create a Policy for Proxying to the JRS Access Service

Add Compound Conditions to Service Selection Rules

First add ‘Compound Condition’ as an option in the ‘Service Selection Rules’

  1. Go to “Access Policies > Access Services > Service Selection Rules”, then click “Customize”
  2. From the “Available:” conditions add ‘Compound Condition’ to the “Selected:” list and click “OK”

Drop Invalid Network Access Identifiers

Drop invalid ‘Network Access Identifiers’, so they aren’t proxied to the NRPS.

  1. Go to “Access Policies > Access Services > Service Selection Rules”, then click “Create” and name the policy ‘drop-junk’
  2. Under “Conditions” tick “Protocols” and then match on RADIUS
  3. Under “Conditions” tick “Compound Condition”
  4. From the “Dictionary:” drop down select ‘RADIUS-IETF’ and then choose the “Attribute” ‘User-Name’
  5. Change “Operator:” to ‘contains’, “Value” to ‘static’ and enter @
  6. Click “Add V” and then click “And >”
  7. Change “Operator:” to ‘ends with’, “Value” to ‘static’ and enter ‘3gppnetworks.org’
  8. Click “Add V” and then click “Or >”
  9. Add entries for the following list of conditions:
    1. contains ..
    2. contains @.
    3. ends with myabc.com
    4. ends with @ac.uk
    5. ends with (your realm without ac.uk) e.g. camford
  10. Under “Results > Service:” choose the “DenyAccess” option
  11. Click “OK”


Proxy eduroam authentication attempts to NRPS

Once bad NAIs have been dropped, the remaining NAIs containing @realm can be proxied to the NRPS.

  1. Go to “Access Policies > Access Services > Service Selection Rules”, then click “Create” and name the policy ‘eduroam’
  2. Under “Conditions” tick “Protocols” and then match on RADIUS
  3. Under “Conditions” tick “Compound Condition”
  4. From the “Dictionary:” drop down select ‘RADIUS-IETF’ and then choose the “Attribute” ‘User-Name’
  5. Change “Operator:” to ‘contains’, “Value” to ‘static’ and enter @
  6. Click “Add V” and then click “And >”
  7. Change “Operator:” to ‘not contains’, “Value” to ‘static’ and enter your site’s realm (with the @) e.g. @camford.ac.uk
  8. Click “Add V” and repeat the previous step for all of your site’s domains
  9. Under “Results > Service:” choose the Access Service for the eduroam proxies e.g. “JRS”
  10. Click “OK”
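As an added example (not part of the original page or of Cisco ACS), the following Python models the two Service Selection Rules above, ‘drop-junk’ and ‘eduroam’, evaluated in ACS order, so the operator choices can be checked against sample User-Names before the rules are committed. The local realms (camford.ac.uk and an alias) and every User-Name value are constructed.

```python
# Added example, not ACS code: mirrors the page's Service Selection Rules.
LOCAL_REALMS = ("camford.ac.uk", "camford-alumni.ac.uk")  # constructed

# drop-junk suffixes from the page: 3GPP realms, the test realm, a bare
# @ac.uk, and the site's own realm(s) without the ac.uk part.
DROP_SUFFIXES = ("3gppnetworks.org", "myabc.com", "@ac.uk") + tuple(
    r.removesuffix(".ac.uk") for r in LOCAL_REALMS
)
DROP_SUBSTRINGS = ("..", "@.")


def drop_junk(user_name: str) -> bool:
    """drop-junk rule: User-Name contains '@' AND any junk condition."""
    if "@" not in user_name:
        return False
    return any(user_name.endswith(s) for s in DROP_SUFFIXES) or any(
        s in user_name for s in DROP_SUBSTRINGS
    )


def proxy_to_nrps(user_name: str) -> bool:
    """eduroam rule: contains '@' AND 'not contains' each local @realm."""
    if "@" not in user_name:
        return False
    return not any(f"@{realm}" in user_name for realm in LOCAL_REALMS)


def select_service(user_name: str) -> str:
    """First matching rule wins, as in the ACS rule table."""
    if drop_junk(user_name):
        return "DenyAccess"
    if proxy_to_nrps(user_name):
        return "JRS"
    return "local"  # falls through to the site's own access service


# Constructed sample User-Names and the service each should select.
SAMPLES = {
    "alice@camford.ac.uk": "local",
    "bob@otheruni.ac.uk": "JRS",
    "carol@camford": "DenyAccess",  # realm without ac.uk
    "dave@ac.uk": "DenyAccess",
    "eve@wlan.mnc001.mcc234.3gppnetworks.org": "DenyAccess",
    "frank@..example.org": "DenyAccess",
    "grace@.example.org": "DenyAccess",
    "heidi": "local",  # no realm, never proxied
    "ivan@camford.ac.uk.example.org": "local",  # 'not contains' keeps it local
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        got = select_service(name)
        print(f"{name:40} -> {got:10} {'ok' if got == expected else 'MISMATCH'}")
```

The last sample shows that the page’s ‘not contains’ operator also keeps a User-Name local when the site realm appears only as a substring; if that is not wanted, an ‘ends with’ operator in the eduroam rule is the tighter check.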