Guide to configuring eduroam using a Cisco wireless controller Best ...
Step 4: Connection Request Policies
Connection Request Policies determine where authorisation takes place according to certain criteria. One policy may authenticate employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all other users to the eduroam core. Since the policies are handled in a specified order, it is important that the order is correct:
1. Users who are to be authenticated locally
2. Users who are to be forwarded to another RADIUS server (several of which can be configured)
3. All other users, to be directed to eduroam
• Expand “Policies”, right-click on “Connection Request Policy” and select “New”
• Type in the Policy name (for example, “Local”, “School” or “eduroam”) and click on “Next”
• Click on “Add” to add criteria for the connection.
eduroam determines where a user belongs by using the realm which is indicated when the user types username@organisation. In spite of the apparent similarity, there is no connection between realm and e-mail address. However, in most cases it is possible to use a realm corresponding to an e-mail address. The realms used are often agreed in advance. If you have any queries, contact eduroam@uninett.no.
An example of a realm:
The student.school.no RADIUS server is the connection to eduroam and forwards authentication to the employee.school.no RADIUS server. The “Employee” RADIUS server is the last in the series; it receives the authentication requests, handles those it shall use and forwards the rest.
Criteria for Connection Policies on the student.school.no RADIUS server:
.*@student.school.no – All students, authenticated locally
.*@employee.school.no – All employees, sent to the “Employee” RADIUS server
.*@.* – All other users, sent to the “Employee” RADIUS server
Criteria for Connection Policies on the “Employee” RADIUS server:
.*@employee.school.no – All employees, authenticated locally
.*@.* – All other users, sent to the eduroam server
• Select “User-Name” and click on “Add”. Fill in the criteria, for example “.*@student.school.no” specifies that all users who type in username@student.school.no shall be authenticated using this policy.
• Click on “OK” followed by “Next”
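The ordered, first-match handling of the User-Name criteria above can be checked before the policies are created on the RADIUS server. The following Python model is an added example, not part of the original guide. It assumes that policies are tried in order, that the first matching pattern wins and that patterns are unanchored regular expressions (modelled with re.search); the STRICT patterns and the sample user names are constructed for illustration.

```python
import re

# Criteria from the guide for the student.school.no RADIUS server, in order.
# Policy names are the guide's example names; actions are descriptive labels.
STUDENT_SERVER = [
    ("Local", r".*@student.school.no", "authenticate locally"),
    ("School", r".*@employee.school.no", "forward to Employee RADIUS server"),
    ("eduroam", r".*@.*", "forward to Employee RADIUS server"),
]

# Same policies with the catch-all moved first: it shadows the other two.
MISORDERED = [STUDENT_SERVER[2], STUDENT_SERVER[0], STUDENT_SERVER[1]]

# Assumed stricter variant (not from the guide): dots escaped, pattern anchored,
# so only the exact realm matches.
STRICT = [
    ("Local", r"^[^@]+@student\.school\.no$", "authenticate locally"),
    ("School", r"^[^@]+@employee\.school\.no$", "forward to Employee RADIUS server"),
    ("eduroam", r"^[^@]+@[^@]+$", "forward to Employee RADIUS server"),
]

def route(user_name, policies):
    """Return (policy name, action) for the first policy whose pattern matches."""
    for name, pattern, action in policies:
        # Assumption: matching is an unanchored regex search on User-Name.
        if re.search(pattern, user_name):
            return name, action
    return None, "no policy matched"

# Constructed sample user names.
SAMPLES = [
    "kari@student.school.no",
    "ola@employee.school.no",
    "guest@other.example",
    "kari@student-school.no",   # different realm; '.' in the pattern matches '-'
    "kari",                     # no realm at all
]

if __name__ == "__main__":
    for label, policies in [("guide order", STUDENT_SERVER),
                            ("catch-all first", MISORDERED),
                            ("strict patterns", STRICT)]:
        print(f"--- {label} ---")
        for user in SAMPLES:
            name, action = route(user, policies)
            print(f"{user:28} -> {name}: {action}")
```

With the guide's patterns the fourth sample is handled by the “Local” policy even though its realm is not student.school.no; the escaped, anchored patterns route it with the other foreign realms.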
The “Authentication” option controls where the authentication is to be directed to.