Guide to configuring eduroam using the Aruba wireless controller and ClearPass RADIUS
UFS 139 is a best practice document prepared by UNINETT in co-operation with Aruba, Intelecom Group AS and the HE sector's work group for mobility, firstname.lastname@example.org.
This document describes one possible way of configuring eduroam on Aruba wireless controllers and utilizing Aruba ClearPass as a RADIUS server. Configuration of both wireless controller and the ClearPass Policy Manager is shown step-by-step using screenshots and some explanatory text.
The Technical Specification has received final approval after a four-week open consultation period with the HE sector.
Server Certificate Practices in eduroam
Certificates are extensively used in telecommunications to enable both parties to verify with whom they are communicating. Certificates are also used in the international roaming system eduroam. In eduroam it is important that users can verify that they are communicating with the correct authentication server before submitting their username and password.
Anyone can create a limitless number of self-signed certificates free of charge. Another option is to choose a public Certification Authority (CA) to issue the certificate. A self-signed certificate offers some security advantages in an eduroam environment, so it is the preferable option for those with CA expertise. The document describes the differences between private and public CAs. When creating and distributing certificates, it is important to pay attention to certificate properties to achieve the best possible compatibility with different end devices.
Using automatic provisioning tools like eduroam CAT makes life easier for eduroam end users. The tool makes end-device configuration and certificate installation a lightweight procedure.
Using Windows® NPS as RADIUS in eduroam
Network Policy Server (NPS) is the Microsoft Windows implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. An increasing number of institutions in the Norwegian HE sector have chosen to use Windows NPS as their RADIUS server connected to the eduroam infrastructure. This document explains in some detail how Windows NPS should be configured to best fit in with eduroam.
WLAN Network Planning and Setup
The cost-efficiency and reliability of wireless local area networks (WLANs) can be ensured through methodical planning. It is recommended that lecture halls, conference rooms, entrance areas and corridors be prioritised, and that primary attention be paid to data rates and secondary attention to signal strength.
WLAN Network Infrastructure
The infrastructure of a WLAN network can be considered to include the WLAN access points, the WLAN controller, and the software and services related to authentication, such as a RADIUS server and supplicants. This document describes these components of the WLAN network, along with recommendations and configuration guidelines.
Guide to Configuring eduroam Using a Cisco Wireless Controller
This document is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers, which govern the traffic to and from Cisco lightweight access points (LAP).
Cookbook for Configuration of HP Wireless Equipment
This document describes the configuration of access points from the HP ProCurve series. Details are provided both for the configuration for eduroam authentication via the 802.1X protocol and for the configuration for using higher-level authentication mechanisms (typically web authentication).
WLAN Information Security
WLAN information security includes user authentication and encryption, as well as rules for handling the user’s traffic during the session. 802.1X authentication is recommended due to the high-quality security that it provides. As for encryption, WPA2-AES is recommended, both for its security and because the use of the same encryption on several campuses eases supplicant configuration for roaming. Best practice for traffic management is also stated in the document.
Recommended Security Systems for Wireless Networks
This document provides information about the different security mechanisms available for wireless networks. It describes the shortcomings of using MAC address filters, WEP, web portals, and VPN, and recommends mutual authentication based on 802.1X as the best alternative. EAP using TLS, PEAP and TTLS are also recommended alternatives, and the system can support them simultaneously.
The Legal Aspects of WLAN networks
This document presents an overview of the Finnish legislation pertaining to WLANs, with the aim of providing an overall understanding of what is required of WLANs on Finnish campuses. In all WLAN networks, information security must be ensured and technical quality requirements apply. Legislation makes a distinction between network provision to a restricted set of users, and to a set of users that are not subject to any restriction.
FreeRADIUS database connection
This document describes how to connect a FreeRADIUS server to external user databases and directories. For all practical purposes this is mandatory in order to minimize administrative work. The instructions follow the configuration of a FreeRADIUS server set up according to MobileFunet's FreeRADIUS Configuration best practice document.