eduroam visited Configuration for Cisco ACS 5.3
Tuesday, September 29, 2015 - 12:09
Add Janet National Proxy Servers
First add the Janet National Proxy Servers (NRPS) as external Proxy Servers.
- Go to “Network Resources > External Proxy Servers” and click “Create”
- In the ‘Name:’ field enter roaming0.ja.net
- In the ‘Hostname AAA:’ field enter the IP Address for roaming0.ja.net
- In the ‘Shared Secret:’ field enter the shared secret for roaming0 for your RADIUS Server. This information can be obtained by visiting https://support.eduroam.uk
- Then click ‘Submit’
- Repeat the above steps for roaming1.ja.net and roaming2.ja.net
Create an Access Service for JRS
- Go to “Access Policies > Access Services” and click ‘Create’
- In the ‘Name:’ field enter ‘JRS’
- Under “Access Service Policy Structure” select ‘User Selected Service Type’ and then choose ‘External Proxy’ from the drop down list
- Then select the roaming0, roaming1 and roaming2 from the ‘Available External Proxy Servers’ and move them to the ‘Selected External Proxy Servers’ with the >> button
- Click ‘Finish’
Create a Policy for Proxying to the JRS Access Service
Add Compound Conditions to Service Selection Rules
First add ‘Compound Condition’ as an option in the ‘Service Selection Rules’
- Go to “Access Policies > Access Services > Service Selection Rules”, then click “Customize”
- From the “Available:” conditions add ‘Compound Condition’ to the “Selected:” list and click “OK”
Drop Invalid Network Access Identifiers
Drop invalid ‘Network Access Identifiers’, so they aren’t proxied to the NRPS.
- Go to “Access Policies > Access Services > Service Selection Rules”, then click “Create” and name the policy ‘drop-junk’
- Under “Conditions” tick “Protocols” and then match on RADIUS
- Under “Conditions” tick “Compound Condition”
- From the “Dictionary:” drop down select ‘RADIUS-IETF’ and then choose the “Attribute” ‘User-Name’
- Change “Operator:” to ‘contains’, “Value” to ‘static’ and enter @
- Click “Add V” and then click “And >”
- Change “Operator:” to ‘ends with’, “Value” to ‘static’ and enter ‘3gppnetworks.org’
- Click “Add V” and then click “Or >”
- Add entries for the following list of conditions:
  - contains ..
  - contains @.
  - ends with myabc.com
  - ends with @ac.uk
  - ends with (your realm without ac.uk) e.g. camford
- Under “Results > Service:” choose the “DenyAccess” option
- Click “OK”
Proxy eduroam authentication attempts to NRPS
Once bad NAIs have been handled, the remaining NAIs with @realm can be proxied to the NRPS.
- Go to “Access Policies > Access Services > Service Selection Rules”, then click “Create” and name the policy ‘eduroam’
- Under “Conditions” tick “Protocols” and then match on RADIUS
- Under “Conditions” tick “Compound Condition”
- From the “Dictionary:” drop down select ‘RADIUS-IETF’ and then choose the “Attribute” ‘User-Name’
- Change “Operator:” to ‘contains’, “Value” to ‘static’ and enter @
- Click “Add V” and then click “And >”
- Change “Operator:” to ‘not contains’, “Value” to ‘static’ and enter your site’s realm (with the @) e.g. @camford.ac.uk
- Click “Add V” and repeat the previous step for all of your site’s domains
- Under “Results > Service:” choose the Access Service for the eduroam proxies e.g. “JRS”
- Click “OK”
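To check the two rules before relying on them, the sketch below (an added example, not part of the original post and not ACS code) evaluates sample User-Name values against ‘drop-junk’ and then ‘eduroam’. It assumes rules are evaluated top-down with the first match winning, that the drop-junk compound condition groups as: contains @ AND (any of the listed patterns), that matching is literal, and that every request is RADIUS; the function names and sample user names are constructed.

```python
# Added illustration of the 'drop-junk' and 'eduroam' Service Selection Rules.
# Assumptions: first matching rule wins; drop-junk groups as
# contains "@" AND (any listed pattern); matching is literal; all requests are RADIUS.

LOCAL_REALMS = ["camford.ac.uk"]  # the page's example site realm


def junk_patterns(local_realms):
    """Return the (operator, value) pairs listed for the drop-junk rule."""
    patterns = [
        ("ends with", "3gppnetworks.org"),
        ("contains", ".."),
        ("contains", "@."),
        ("ends with", "myabc.com"),
        ("ends with", "@ac.uk"),
    ]
    # "your realm without ac.uk", e.g. camford
    for realm in local_realms:
        if realm.endswith(".ac.uk"):
            patterns.append(("ends with", realm[: -len(".ac.uk")]))
    return patterns


def matches(operator, value, user_name):
    if operator == "contains":
        return value in user_name
    if operator == "ends with":
        return user_name.endswith(value)
    raise ValueError(f"unknown operator: {operator}")


def select_service(user_name, local_realms=LOCAL_REALMS):
    """Return 'DenyAccess', 'JRS', or None when neither rule matches."""
    has_at = "@" in user_name
    # Rule 1: drop-junk
    if has_at and any(matches(op, v, user_name) for op, v in junk_patterns(local_realms)):
        return "DenyAccess"
    # Rule 2: eduroam (an NAI with a realm that is none of the site's own)
    if has_at and all("@" + realm not in user_name for realm in local_realms):
        return "JRS"
    return None  # left to rules this page does not cover


if __name__ == "__main__":
    for name in ["bob@visitor.example.org", "carol@camford", "dave@ac.uk",
                 "eve@uni..ac.uk", "alice@camford.ac.uk", "anonymous"]:
        print(f"{name!r:32} -> {select_service(name)}")
```

A result of None means the request is not handled by either rule here, which is the expected outcome for the site's own realm and for user names without an @.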