IdentiFi and Eduroam Roaming Wireless Service Integration CONFIGURATION GUIDE
TABLE OF CONTENTS
Introduction
Prerequisites
Design and Deployment Overview
Configuring the wireless SSID and IdentiFi controller
Configuring IdentiFi NAC
This document details the integration of the Eduroam wireless service with the IdentiFi platform.

Introduction

Eduroam (Education Roaming) is the secure, world-wide roaming access service developed for the international research and education community. Eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop. Having started in Europe, eduroam has gained momentum throughout the research and education community and is now available in 54 countries. Combining Eduroam with the IdentiFi platform makes it possible to extend enterprise-level visibility and control capabilities while keeping the open nature of the service.

Prerequisites

The solution requires a complete IdentiFi solution, along with Roaming Operator (RO) and Roaming Confederation (RC) compliance. The Eduroam policy agreement and framework are not discussed in this document; please refer to www.eduroam.org for details. NetSight, NAC and basic wireless infrastructure configuration are not covered in this document; please refer to the NetSight and wireless controller manuals for details.

Solution Components (customer site):
- NetSight Management Suite 6.0 or above
- IdentiFi Wireless controller and AP infrastructure 9.0 or above
- NAC Network Access Control appliance 6.0 or above

LICENSING: NMS and NAC license sizing depends on the number of end-systems (wireless clients) managed by the infrastructure; please contact your local account manager for further details.
Design and Deployment Overview

The solution is composed of the following modules:
- Eduroam RADIUS server
- NetSight management server
- Mobile IAM (NAC) appliance
- IdentiFi Wireless controller
- APs

For simplification, the NetSight server, NAC and wireless controller will be referred to as a single IdentiFi module in the diagram below:

The solution leverages the NAC RADIUS proxy feature to relay authentication requests generated by the wireless infrastructure toward the Eduroam RADIUS server. This benefits both accountability and visibility, allowing granular control over the clients accessing the network.
Configuring the wireless SSID and IdentiFi controller

Configuring the IdentiFi wireless controller for Eduroam requires the following:

1. Add a NAC server (IdentiFi IAM) on the wireless controller:
2. Create a dedicated topology under Controller->Network->Topologies

Note: the topology mode depends on local network infrastructure and design; it can be bridged at AP, bridged at controller (example) or routed at controller. It is common practice to assign a dedicated VLAN or network space in order to segment Eduroam traffic from the production network.

3. Create a network role for Eduroam service:
Please refer to both Eduroam and local network guidelines in order to define a proper set of network policies for inbound and outbound traffic of Eduroam users.

4. Create a new WLAN Service, selecting all the APs and radios serving the SSID
   - Select WPA 2 (AES) for encryption
   - Specify the previously created RADIUS server (IdentiFi IAM) for both authentication and accounting

5. Create a new VNS
Configuring IdentiFi NAC

IdentiFi NAC can relay RADIUS requests coming from the wireless controller to specific RADIUS servers, based on the domain portion of the username. As foreign users' domains are unknown, it is necessary to first define an AAA policy for the local domain, then a catch-all policy, where all requests (*) are forwarded to the Eduroam RADIUS server.

1. Create a new RADIUS server (Eduroam) in the advanced configuration window:

2. Create a catch-all policy for non-local domain (Eduroam) users:
3. Create an Eduroam NAC rule set based on a specific location (Eduroam SSID), so that dynamic policies can be specified for the new wireless service, changing the eduroam base network profile.
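The AAA policy order described above (local domain first, catch-all * last) can be modelled as a first-match list. The sketch below is an added example, not IdentiFi NAC code or configuration: the realm names, the rule table, the `route` function and its `strict` realm check are all assumptions made for illustration.

```python
"""Model of realm-based RADIUS proxy selection: local AAA rule first, catch-all last.
All names and realms below are constructed for illustration."""
import re
from fnmatch import fnmatchcase

# Ordered AAA rules as (realm pattern, action). First match wins.
AAA_RULES = [
    ("campus.example", "local"),      # constructed local domain
    ("*.campus.example", "local"),    # constructed sub-realms of the local domain
    ("*", "proxy:eduroam"),           # catch-all: relay to the Eduroam RADIUS server
]

# Hostname-like realm syntax check; an added safeguard, not a product feature.
REALM_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)


def extract_realm(user_name):
    """Return the lower-cased realm after the last '@', or '' when none is present."""
    _, sep, realm = user_name.rpartition("@")
    return realm.strip().lower() if sep else ""


def route(user_name, rules=AAA_RULES, strict=True):
    """Pick the action for a RADIUS User-Name.

    strict=True rejects missing or malformed realms before rule evaluation, so
    the catch-all never relays them upstream. strict=False shows what a bare
    catch-all does with the same input.
    """
    realm = extract_realm(user_name)
    if strict and not REALM_RE.match(realm):
        return "reject"
    for pattern, action in rules:
        if fnmatchcase(realm, pattern):
            return action
    return "reject"


if __name__ == "__main__":
    # Constructed sample identities, including realmless and malformed ones.
    for name in ("alice@campus.example", "anonymous@Uni.Example.ORG",
                 "bob", "carol@uni..example"):
        print(f"{name!r:32} strict={route(name)} bare={route(name, strict=False)}")
```

With `strict=False` the realmless and malformed identities fall through to the catch-all and would be relayed upstream, and placing the `*` rule above the local rule would send local users to the Eduroam server as well.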
http://www.extremenetworks.com/contact
Phone +1-408-579-2800

© 2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks/. Specifications and product availability are subject to change without notice. 8654-0714