Ruckus
Last updated
Was this helpful?
Last updated
Was this helpful?
To establish a valid RadSec connection, your Access Points must trust the RADIUS Server Certificate and your RADIUS server must trust your RadSec Client Certificate. To achieve this,
Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described .
Create a RadSec Client Certificate for your Ruckus SmartZone. If you are using SCEPman Certificate Master, the process is described .
Split the generated certificate into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). In case the RadSec Client Certificate was downloaded in the PKCS#12/.pfx format, this can be easily done, e.g. using OpenSSL:
Private Key:
openssl pkcs12 -in <your-radsec-client-cert>.pfx -nocerts -nodes -out priv.key
Certificate without Private Key:
openssl pkcs12 -in <your-radsec-client-cert>.pfx -clcerts -nokeys -out clientcert.cer
Ensure to monitor the expiry of your RadSec Client Certificate and renew it in due time to prevent service interruptions.
Add the root certificate of the CA that has issued the RadSec Client Certificate to your RADIUS instance as described and select RadSec under Use for. In case the RadSec Client Certificate has been issued by SCEPman and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select Both under Use for.
For general information on how to import certificates to the Ruckus SmartZone, please refer to their documentation:
Click Import, provide a Name and optional Description for your RADIUS CA certificate and upload the certificate file by clicking Browse next to Root CA Certificate. In case you are bringing your own RADIUS Server Certificate and in case it has been issued by an intermediate CA, please also upload all intermediate certificates under Intermediate CA Certificates.
Next, click Validate and OK.
Click Import and provide a Name and optional Description for your RadSec Client Certificate. Then upload the public portion of your RadSec Client Certificate by clicking Browse next to Client Certificate. Finally, upload the private key by clicking Browse next to Private Key.
For the RADIUS server configuration, navigate to Security > Authentication > Proxy (SZ Authenticator).
Click Create and provide a Name, optional Friendly Name and Description for the RADIUS profile.
Select RADIUS as Service Protocol.
Under RADIUS Service Options, configure the following settings:
Encryption
Enable
CN/SAN Idenity
Provide the CN/SAN attribute of your RADIUS Server Certificate.
OCSP Validation
Default: Disabled In case you are bringing your own RADIUS Server Certificate and the CA that has issued it allows for its revocation, provide the OCSP Responder URL of your CA here.
Client Certificate
Select the RadSec Client Certificate uploaded to Ruckus SZ previously.
Server Certificate
Disable
RFC5580 Out of Band Location Delivery
Disable
Click OK.
Import the root certificate of the CA that has issued your RADIUS Server Certificate (downloaded during step 1 ) by navigating to Administration > System > Certificates > SZ Trusted CA Certificates/Chain (external).
Import your RadSec Client Certificate (obtained from step 3 ) by navigating to Administration > System > Certificates > SZ as Client Certificate.
Next, under Primary Server, for the IP Address/FQDN choose either the IP address or the DNS name of your . For the Port select 2083.
