Guide to configuring eduroam using a Cisco wireless controller Best ...

More documents

Recommendations

Info

Step 3: Adding Remote RADIUS Server Groups To enable NPS to forward authentications, a server group must be created. If this RADIUS server is the last in a series of several and is not intended to forward authentication, it is not necessary to define any server groups. If the server is to be in communication with eduroam, eduroam must be added as a server group. 50 • Right-click on “Remote RADIUS Server Groups” and select “New” • Type in a “Group name” and click on “Add” • If this is the server group used for connection to eduroam, the server group should be called “eduroam” • On the “Address” tab, enter the IP address or DNS name of the server. • In the “Authentication/Accounting” tab, type in the Authentication Port and Shared Secret • On the “Load Balancing” tab, no changes are necessary in systems with redundancy. • Click on “OK” in both windows. Repeat this procedure until all the server groups, for example a group for eduroam and a group for School, have been added. See www.eduroam.no for more information about eduroam.
Step 4: Connection Request Policies Connection Request Policies determine where authorisation shall take place according to certain criteria. One policy may authenticate employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all other users to the eduroam core. Since the policies are handled in a specified order, it is important that this is done correctly. 1. Users who are to be authenticated locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam • Expand “Policies”, right-click on “Connection Request Policy” and select “New” • Type in the Policy name (for example, “Local”, “School” or “eduroam”) and click on “Next” • Click on “Add” to add criteria for the connection. eduroam determines where a user belongs by using the realm which is indicated when the user types username@organisation. In spite of the apparent similarity, there is no connection between realm and e-mail address. However, in most cases it is possible to use a realm corresponding to an e-mail address. The realms used are often agreed in advance. If you have any queries, contact eduroam@uninett.no An example of a realm: student.school.no is the connection to eduroam and forwards authentication to the employee.school.no RADIUS server. The “Employee” RADIUS server is the last in the series and receives authentication requests it shall use and forwards them. Criteria for Connection Policies on the student.school.no RADIUS server: .*@student.school.no – All students, authenticated locally .*@employee.school.no – All employees, sent to the “Employee” RADIUS server .*@.* – All other users, sent to the “Employee” RADIUS server Criteria for Connection Policies on the “Employee” RADIUS server: .*@employee.school.no – All employees, authenticated locally .*@.* – All other users, sent to the eduroam server • Select “User-Name” and click on “Add”. Fill in the criteria, for example “.*@student.school.no” specifies that all users who type in username@student.school.no shall be authenticated using this policy. • Click on “OK” followed by “Next” The “Authentication” option controls where the authentication is to be directed to. 51
Page 1 and 2: Guide to configuring eduroam using
Page 3 and 4: Table of Contents Executive Summary
Page 5 and 6: Executive Summary UFS127 is a UNINE
Page 7 and 8: 1 Network planning 1.1 Necessary co
Page 9 and 10: established by means of the Managem
Page 11 and 12: http://www.cisco.com/en/US/tech/tk7
Page 13 and 14: authentication can be completed. He
Page 15 and 16: Management Interface Netmask: 255.2
Page 17 and 18: 3.2 Further configuration via web b
Page 19 and 20: Path: Security → RADIUS → Accou
Page 21 and 22: Under General, the WLAN can be enab
Page 23 and 24: Security Layer 3 shall be “None
Page 25 and 26: What one selects under QoS depends
Page 27 and 28: 3.2.4 Connecting access points Afte
Page 29 and 30: 3.2.5 Further details Once a access
Page 31 and 32: operating and/or the cabling is not
Page 33 and 34: A. Configuration using autonomous a
Page 35 and 36: A.3 RADIUS configuration Go to SECU
Page 37 and 38: B. Configuring Microsoft RADIUS ser
Page 39 and 40: Step 3: Adding clients in IAS The c
Page 41 and 42: Step 5: Connection Request Policies
Page 43 and 44: Create a Connection Request Policy
Page 45 and 46: • Click on “OK”, then “Next
Page 47 and 48: User ola.nordmann was granted acces
Page 49: • Type in a “Friendly Name”
Page 53 and 54: Step 5: Network Policies Remote Acc
Page 55 and 56: Step 7: Logging NPS adds log entrie
Page 57 and 58: oot@sirius:~/tmp$ openssl x509 -noo
Page 59 and 60: Glossary CAPWAP Control And Provisi

Guide to configuring eduroam using a Cisco wireless controller Best ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?