Ruckus

Last updated 6 months ago

The following guide was created using Ruckus Virtual SmartZone Essentials version 6.1.2.0.441.

Prepare certificates

To establish a valid RadSec connection, your Access Points must trust the RADIUS Server Certificate and your RADIUS server must trust your RadSec Client Certificate. To achieve this:

  1. Download the root certificate of the CA that has issued your active RADIUS Server Certificate.

  2. Create a RadSec Client Certificate for your Ruckus SmartZone. If you are using SCEPman Certificate Master, the process is described in its documentation.

  3. Split the generated certificate into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). If the RadSec Client Certificate was downloaded in the PKCS#12/.pfx format, this can be done with OpenSSL, for example:

     Private key:
     openssl pkcs12 -in <your-radsec-client-cert>.pfx -nocerts -nodes -out priv.key

     Certificate without private key:
     openssl pkcs12 -in <your-radsec-client-cert>.pfx -clcerts -nokeys -out clientcert.cer

     The -nodes option writes the private key unencrypted, so restrict access to priv.key and delete it once it has been uploaded.

Make sure to monitor the expiry of your RadSec Client Certificate and renew it in good time to prevent service interruptions.

  4. Add the root certificate of the CA that has issued the RadSec Client Certificate to your RADIUS instance and select RadSec under Use for. If the RadSec Client Certificate has been issued by SCEPman and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select Both under Use for.
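
The following check is an added example, not part of the original guide: it confirms that the priv.key and clientcert.cer files from step 3 belong together and that the certificate is not close to expiry, both before the upload and later as a scheduled check. The function names, the 30-day threshold and the throwaway sample certificate are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for the files produced in step 3.
# Function names and the 30-day threshold are assumptions, not Ruckus or
# RADIUSaaS tooling.

# Return 0 if the private key ($1) and the certificate ($2) share one public
# key, 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Return 0 if the certificate ($1) is still valid $2 days from now
# (default 30). An unreadable file also fails, which errs on the safe side.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Combined check: 0 = ready to upload, 1 = key/cert problem, 2 = renew soon.
check_radsec_client_cert() {
    key=${1:-priv.key} cert=${2:-clientcert.cer} days=${3:-30}
    if ! key_matches_cert "$key" "$cert"; then
        echo "FAIL: $key and $cert do not match or cannot be parsed"; return 1
    fi
    if ! valid_for_days "$cert" "$days"; then
        echo "WARN: $cert expires within $days days"; return 2
    fi
    echo "OK: $cert matches $key, $(openssl x509 -in "$cert" -noout -enddate)"
}

# Constructed sample input: a throwaway self-signed pair valid for $2 days,
# written to directory $1 (stands in for the real RadSec Client Certificate).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sz-radsec-sample" \
        -days "$2" -keyout "$1/priv.key" -out "$1/clientcert.cer" 2>/dev/null
}

# Demo on constructed data; against real files run:
#   check_radsec_client_cert priv.key clientcert.cer 30
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d) && make_sample "$tmp" 10
    check_radsec_client_cert "$tmp/priv.key" "$tmp/clientcert.cer" 30 || true
    rm -rf "$tmp"
fi
```

The files written by openssl pkcs12 start with "Bag Attributes" text before the PEM block; openssl pkey and openssl x509 skip it, so the check works on them unchanged.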

Ruckus SmartZone (SZ) configuration

In the following, Ruckus SZ is configured as an authentication proxy, i.e. RADIUS authentication requests are routed from the WAPs to the Ruckus SZ and centrally forwarded to RADIUSaaS.

For general information on how to import certificates to the Ruckus SmartZone, please refer to their documentation: Commscope Technical Content Portal

  1. Import the root certificate of the CA that has issued your RADIUS Server Certificate (downloaded during step 1 of Prepare certificates) by navigating to Administration > System > Certificates > SZ Trusted CA Certificates/Chain (external).

  2. Click Import, provide a Name and optional Description for your RADIUS CA certificate and upload the certificate file by clicking Browse next to Root CA Certificate. If you are bringing your own RADIUS Server Certificate and it has been issued by an intermediate CA, please also upload all intermediate certificates under Intermediate CA Certificates.

  3. Next, click Validate and OK.

  4. Import your RadSec Client Certificate (obtained from step 3 of Prepare certificates) by navigating to Administration > System > Certificates > SZ as Client Certificate.

  5. Click Import and provide a Name and optional Description for your RadSec Client Certificate. Then upload the public portion of your RadSec Client Certificate by clicking Browse next to Client Certificate. Finally, upload the private key by clicking Browse next to Private Key.

  6. For the RADIUS server configuration, navigate to Security > Authentication > Proxy (SZ Authenticator).

  7. Click Create and provide a Name, optional Friendly Name and Description for the RADIUS profile.

  8. Select RADIUS as Service Protocol.

  9. Under RADIUS Service Options, configure the following settings:

     • Encryption: Enable
     • CN/SAN Identity: Provide the CN/SAN attribute of your RADIUS Server Certificate.
     • OCSP Validation: Default: Disabled. If you are bringing your own RADIUS Server Certificate and the CA that has issued it allows for its revocation, provide the OCSP Responder URL of your CA here.
     • Client Certificate: Select the RadSec Client Certificate uploaded to Ruckus SZ previously.
     • Server Certificate: Disable
     • RFC5580 Out of Band Location Delivery: Disable

     (Figure: Showing SAN to be used as Certificate server name)

  10. Next, under Primary Server, for the IP Address/FQDN choose either the IP address or the DNS name of your RadSec service endpoint. For the Port select 2083.

  11. Click OK.