Integration Guide Eduroam Revised: 16 August 2017
About This Guide

Guide Type
Documented Integration: WatchGuard or a Technology Partner has provided documentation demonstrating integration

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.
Eduroam Integration Overview

Eduroam is a cloud-based RADIUS proxy solution used by education institutions to provide a single SSID that can be deployed across many different institutions. Eduroam enables students to move between different campus locations and authenticate with the security of RADIUS and the same SSID.

Programs and Software
- Firebox with Fireware v11.10 or greater installed
- Windows Server 2012 with ADDS, ADCS, and NPS services
- Eduroam Global Wi-Fi Roaming for Academia

For assistance with setup of Windows Server 2012 NPS services, see these references in the MSDN Library:
- Windows Server NPS Certificate
- Windows NAP Radius Clients
- Windows NAP Remote Radius
Access Point Configuration in WatchGuard Gateway Wireless Controller

Configure RADIUS Single Sign-On

1. Log in to Fireware Web UI for your Firebox at https://<ip address of your Firebox>:8080.
2. Select Authentication > Servers.
3. In the Server section, select RADIUS.
4. In the Primary Server Settings section, select the Enable RADIUS Server check box.
5. In the IP Address text box, type the IP address of your RADIUS server.
6. In the Port text box, type the port number to connect to your RADIUS server. The default port number for a RADIUS server is 1821. If you have an older RADIUS server, 1645 might be the port number.
7. In the Passphrase and Confirm text boxes, type the shared secret (passphrase) for your RADIUS server.

Configure the Gateway Wireless Controller With the RADIUS Settings

1. Select Network > Gateway Wireless Controller.
2. If it is not already selected, select the Enable Gateway Wireless Controller check box.
3. Select the SSIDs tab and add Eduroam.
4. Select the Security tab and add the appropriate settings for your RADIUS Server.
5. For the Security Mode, select WPA Enterprise.

Create a Static NAT Policy to Allow Communication to Eduroam Servers

1. Select Firewall > SNAT.
2. Click Add.
3. Type a name for your SNAT policy and add a description.
4. In the SNAT Members section, click Add.
5. Specify the correct information to connect to the Eduroam server in your environment.
6. Click OK.
7. Select Firewall > Firewall Policies.
8. Click Add Policy.
9. Select Packet Filter.
10. From the Packet Filter drop-down list, select a RADIUS policy.
11. In the Alias Select Member section To list of, type Static NAT.
12. Select the SNAT policy you created.
13. Click Save.

Configure AP Devices Managed by WatchGuard Cloud Wi-Fi

Configure SSID Template

1. Log in to WatchGuard Wi-Fi Cloud at https://login.watchguard.cloudwifi.com.
2. From the Wi-Fi Cloud interface, select Manage.
3. Select the Configurations tab.
4. Select Device Configuration > SSID Profile.
5. To configure a full profile, select Add New Wi-Fi Profile.
6. In the Profile Name text box, type a profile name. For example, type WatchGuard_Eduroam.
7. In the SSID text box, type eduroam.
8. Expand Security.
9. From the Security Mode drop-down list, select WPA and WPA2 Mixed Mode.
10. Select 802.1X.
11. In the Primary Authentication Server section, type the server IP address, port number, and shared secret.
12. Configure any additional items as required for your environment.
13. Click Save.

Configure Device Templates

1. From the Locations tab, select the Configurations tab.
2. Select Device Configuration > Device Templates.
3. Select Add Device Template.
4. In the Template Name text box, type a name for your template.
5. In the Description text box, type a description or add notes about the template.
6. Select Radio Settings > Define settings for model.
7. Select Add SSID Profile.
8. Select the SSID profile you created.
9. Click OK.
10. Click Save.

Apply the Template to Your AP Devices

1. Select Monitoring > Managed Devices.
2. Select AP Device.
3. Click.
4. From the list of templates, select a device template.
5. Click Save.

Set Up Windows Server 2012 R2 with NPS

Generate a Certificate to Distribute to Users

On your Windows server:

1. Open MMC.
2. Select File > Add/Remove Snap-in.
3. In the Available snap-ins section, double-click Certificates.
4. Select Computer account.
5. Click Next.
6. Select Local computer.
7. Click Finish.
8. Select Certificates > Certificates (Local Computer).
9. Select Personal.
10. Select Action > All Tasks > Request New Certificate.
11. Click Next.
12. Select the DomainController certificate template.
13. Click Details. Click Properties.
14. Type the Friendly name for the certificate and add a description.
15. Click Apply.
16. Click Enroll.
17. Send the certificate to your end-users in an email or configure your Active Directory server to push the certificate to your clients.

Configure NPS Radius Clients

On your Network Policy Server (NPS):

1. Right-click Radius Clients and select New.
2. Create RADIUS clients for your internal users who authenticate with RADIUS.
3. Create RADIUS clients for Eduroam RADIUS servers.
4. Add a shared secret and an IP address for each RADIUS client you created.

Configure Remote RADIUS Servers

1. Right-click Remote RADIUS Server Groups and select New.
2. Create a group name for each Eduroam RADIUS server.

Create Connection Request Policies

1. Right-click Connection Request Policies and select New.
2. Configure your connection request policies (CRP) so that internal and external requests for your own realms are authenticated against those realms, and requests for external realms are forwarded.
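
The realm routing that connection request policies implement, sketched as an added example (not part of the original guide, and not NPS configuration): ordered User-Name patterns decide whether a request is authenticated locally or forwarded, and a loosely written home-realm pattern claims realms that should have been forwarded. The realm example.edu, the policy names and the sample identities are constructed placeholders, and the patterns use Python regular-expression syntax.

```python
import re

# Ordered connection request policies: (name, User-Name pattern, action).
# First match wins. example.edu is a placeholder home realm (assumption).
USER = r"^[^@\s]*@"                      # outer identity may have an empty user part
STRICT = [
    ("Local realm", USER + r"(?:[a-z0-9-]+\.)*example\.edu$", "authenticate-locally"),
    ("Roaming realms", USER + r"(?:[a-z0-9-]+\.)+[a-z]{2,}$", "forward-to-eduroam"),
]
# Weak variant: the home-realm pattern is unanchored and its dot is unescaped.
WEAK = [("Local realm", r"example.edu", "authenticate-locally"), STRICT[1]]

def route(user_name, policies=STRICT):
    """Return the action of the first policy whose pattern matches, else 'reject'."""
    identity = user_name.strip().lower()   # realms compare case-insensitively
    for _name, pattern, action in policies:
        if re.search(pattern, identity):
            return action
    return "reject"

def misrouted(identities):
    """Identities the weak policy set handles differently from the strict one."""
    return [i for i in identities if route(i, WEAK) != route(i, STRICT)]

# Constructed sample identities, not taken from any real log.
SAMPLES = [
    "alice@example.edu",           # home user
    "@cs.example.edu",             # anonymous outer identity, home sub-realm
    "carol@other-university.edu",  # visitor from another institution
    "dave@notexample.edu",         # look-alike realm
    "eve@example.edu.roam.test",   # home realm used as a prefix
    "frank",                       # no realm at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} strict={route(s):22} weak={route(s, WEAK)}")
    print("misrouted by weak pattern:", misrouted(SAMPLES))
```

Requests with no realm, or with a malformed one, match neither policy and are rejected rather than forwarded.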

Create Network Policies

1. Right-click Network Policies and select New.
2. Create network policies to define who is authorized to connect to your network.

Configure RADIUS Server and Shared Secret with Eduroam

To configure your RADIUS server:

1. Log in to Eduroam Administration at https://eduroam.us/admin-login.
2. Select the RADIUS Configuration tool.
3. Add a Friendly name for your RADIUS servers.
4. In the Host section, add the external IP address that will send authentication requests to Eduroam servers. This could be the Firebox (with SNAT policy) that forwards the RADIUS requests to your NPS server or the AP device if it has an external address. The Operator-Name is your .edu domain.
5. To test your authentication settings:
   a. Create test accounts on the Eduroam website.
   b. Connect as one of the test users (you must also add this user to your Active Directory list of Eduroam users) to your Eduroam SSID.
   c. From the Eduroam Administration Log Viewer, review the log messages.