IdentiFi and Eduroam Roaming Wireless Service Integration

CONFIGURATION GUIDE
TABLE OF CONTENTS

Introduction
Prerequisites
Design and Deployment Overview
Configuring the wireless SSID and IdentiFi controller
Configuring IdentiFi NAC
This document details the integration of the Eduroam wireless service with the IdentiFi platform.

Introduction

Eduroam (Education Roaming) is the secure, world-wide roaming access service developed for the international research and education community. Eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop. Having started in Europe, Eduroam has gained momentum throughout the research and education community and is now available in 54 countries.

Combining Eduroam with the IdentiFi platform makes it possible to extend enterprise-level visibility and control capabilities while keeping the open nature of the service.

Prerequisites

The solution requires a complete IdentiFi solution, along with Roaming Operator (RO) and Roaming Confederation (RC) compliance. The Eduroam policy agreement and framework are not discussed in this document; please refer to for details. NetSight, NAC and Wireless basic infrastructure configuration are not covered in this document; please refer to the NetSight and Wireless controller manuals for details.

Solution Components (customer site):

- NetSight Management Suite 6.0 or above
- IdentiFi Wireless controller and AP infrastructure 9.0 or above
- NAC Network Access Control appliance 6.0 or above

LICENSING: NMS and NAC license sizing depends on the number of end-systems (wireless clients) managed by the infrastructure. Please contact your local account manager for further details.
Design and Deployment Overview

The solution is composed of the following modules:

- Eduroam RADIUS server
- NetSight management server
- Mobile IAM (NAC) appliance
- IdentiFi Wireless controller
- APs

For simplification, the NetSight server, NAC and Wireless controller will be referred to as a single IdentiFi module in the below diagram:

The solution leverages the NAC RADIUS proxy feature to relay authentication requests generated by the wireless infrastructure toward the Eduroam RADIUS server. This benefits both accountability and visibility, allowing granular control over the clients accessing the network.
Configuring the wireless SSID and IdentiFi controller

Configuring the IdentiFi wireless controller for Eduroam requires the following:

1. Add a NAC server (IdentiFi IAM) on the wireless controller:
2. Create a dedicated topology under Controller->Network->Topologies

Note: the topology mode depends on the local network infrastructure and design; it can be bridged at AP, bridged at controller (example) or routed at controller. It is common practice to assign a dedicated VLAN or network space in order to segment Eduroam traffic from the production network.

3. Create a network role for the Eduroam service:
Please refer to both Eduroam and local network guidelines in order to define a proper set of network policies for inbound and outbound traffic of Eduroam users.

4. Create a new WLAN Service, selecting all the APs and radios serving the SSID:

- select WPA 2 (AES) for encryption
- specify the previously created RADIUS server (IdentiFi IAM) for both authentication and accounting

5. Create a new VNS
Configuring IdentiFi NAC

IdentiFi NAC can relay RADIUS requests coming from the wireless controller to specific RADIUS servers, based on the domain portion of the username. Because the domains of foreign users are unknown, it is necessary to first define an AAA policy for the local domain, then a catch-all policy in which all requests (*) are forwarded to the Eduroam RADIUS server.

1. Create a new RADIUS server (Eduroam) in the advanced configuration window:

2. Create a catch-all policy for non-local domain (Eduroam) users:
3. Create an Eduroam NAC rule set based on a specific location (Eduroam SSID), so that dynamic policies can be specified for the new wireless service, changing the Eduroam base network profile.
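The realm-based proxy decision described in this section (local-domain AAA policy first, then the "*" catch-all toward Eduroam) can be modelled as follows. This is an added example, not IdentiFi NAC code or configuration: the realm campus.example, the target names local-radius and eduroam-radius, and the choice to reject malformed realms instead of forwarding them are all assumptions made for illustration.

```python
import re

LOCAL_REALM = "campus.example"            # assumption: the home institution's realm
# Ordered AAA rules: first match wins, so the local rule must precede "*".
AAA_RULES = [
    (LOCAL_REALM, "local-radius"),        # local domain: authenticate at home
    ("*", "eduroam-radius"),              # catch-all: proxy to the Eduroam RADIUS server
]

# One DNS-style label; a usable realm needs at least two, separated by dots.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def extract_realm(username):
    """Return the lower-cased domain portion of user@realm, or None if unusable."""
    user, sep, realm = username.strip().rpartition("@")
    if not sep or not user or not realm:
        return None                       # bare username, "@realm" or "user@"
    labels = realm.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None                       # typo realms such as "campus" or "a..b"
    return ".".join(labels)


def route(username, rules=AAA_RULES):
    """Pick the RADIUS target for a request, evaluating rules top to bottom."""
    realm = extract_realm(username)
    if realm is None:
        return "reject"                   # assumption: malformed realms are not forwarded
    for pattern, target in rules:
        if pattern == "*" or realm == pattern:
            return target
    return "reject"                       # reached only when no catch-all is defined


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real deployment.
    for name in ["alice@campus.example", "bob@visitor.example.org",
                 "Carol@CAMPUS.EXAMPLE", "dave", "eve@campus", "mallory@a..b"]:
        print(f"{name:28} -> {route(name)}")
    # Misordered rules: the catch-all shadows the local rule.
    print(route("alice@campus.example", list(reversed(AAA_RULES))))
```

The last call shows why the order of the two policies matters: with the catch-all listed first, local users are proxied to the Eduroam RADIUS server as well.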
Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see

Specifications and product availability are subject to change without notice.