# Ruckus {% hint style="info" %} The following guide was created using Ruckus **Virtual SmartZone Essentials** version **6.1.2.0.441**. {% endhint %} ## Prepare certificates To establish a valid RadSec connection, your Access Points must trust the **RADIUS Server Certificate** and your RADIUS server must trust your **RadSec Client Certificate**. To achieve this, 1. Download the root certificate of the CA that has issued your active **RADIUS Server Certificate** as described [here](https://docs.radiusaas.com/admin-portal/settings/settings-server#download). 2. Create a **RadSec Client Certificate** for your Ruckus SmartZone. If you are using **SCEPman Certificate Master**, the process is described [here](https://docs.scepman.com/certificate-deployment/certificate-master/client-certificate-pkcs-12). 3. **Split the generated certificate** into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). In case the **RadSec Client Certificate** was downloaded in the **PKCS#12/.pfx** format, this can be easily done, e.g. using OpenSSL:\ \ Private Key:\ `openssl pkcs12 -in .pfx -nocerts -nodes -out priv.key`\ \ Certificate without Private Key:\ `openssl pkcs12 -in .pfx -clcerts -nokeys -out clientcert.cer` Depending on your Ruckus firmware version, it might be necessary to remove the bag attributes section from your certificate and private key files. This section looks like the following example: ``` Attributes localKeyID: 52 70 EB 96 89 23 90 F9 D5 0E 06 82 5C EC F7 63 30 44 F1 A9 friendlyName: Certificate from SCEPman Key Attributes: ``` {% hint style="warning" %} Ensure to monitor the expiry of your **RadSec Client Certificate** and renew it in due time to prevent service interruptions. {% endhint %} 3. Add the root certificate of the CA that has issued the **RadSec Client Certificate** to your RADIUS instance as described [here](https://docs.radiusaas.com/admin-portal/settings/trusted-roots#add) and select **RadSec** under **Use for**. \ In case the **RadSec Client Certificate** has been issued by SCEPman and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select **Both** under **Use for**. ## Ruckus SmartZone (SZ) configuration {% hint style="info" %} In the following, Ruckus SZ is configured as an **authentication proxy**, i.e. RADIUS authentication requests are routed from the WAPs to the Ruckus SZ and centrally forwarded to RADIUSaaS. {% endhint %} For general information on how to import certificates to the Ruckus SmartZone, please refer to their documentation: {% embed url="" %} 1. Import the root certificate of the CA that has issued your **RADIUS Server Certificate** (downloaded during step 1 [here](#prepare-certificates)) by navigating to **Administration >** **System > Certificates > SZ Trusted CA Certificates/Chain (external)**. 2. Click **Import**, provide a **Name** and optional **Description** for your RADIUS CA certificate and upload the certificate file by clicking **Browse** next to **Root CA Certificate**. In case you are bringing your own **RADIUS Server Certificate** and in case it has been issued by an intermediate CA, please also upload all intermediate certificates under **Intermediate CA Certificates**.

3. Next, click **Validate** and **OK**. 4. Import your **RadSec Client Certificate** (obtained from step 3 [here](#prepare-certificates)) by navigating to **Administration >** **System > Certificates > SZ as Client Certificate**. 5. Click **Import** and provide a **Name** and optional **Description** for your **RadSec Client Certificate**. Then upload the public portion of your **RadSec Client Certificate** by clicking **Browse** next to **Client Certificate**. Finally, upload the private key by clicking **Browse** next to **Private Key**.

6. For the RADIUS server configuration, navigate to **Security > Authentication > Proxy (SZ Authenticator)**. 7. Click **Create** and provide a **Name**, optional **Friendly Name** and **Description** for the RADIUS profile. 8. Select **RADIUS** as **Service Protocol**. 9. Under **RADIUS Service Options**, configure the following settings: | **Encryption** | Enable | | ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **CN/SAN Idenity** |

Provide the CN/SAN attribute of your RADIUS Server Certificate.

Showing SAN to be used as Certificate server name

| | **OCSP Validation** |

Default: Disabled
In case you are bringing your own RADIUS Server Certificate and the CA that has issued it allows for its revocation, provide the OCSP Responder URL of your CA here.

| | **Client Certificate** | Select the **RadSec Client Certificate** uploaded to Ruckus SZ previously. | | **Server Certificate** | Disable | | **RFC5580 Out of Band Location Delivery** | Disable | 10. Next, under **Primary Server**, for the **IP Address/FQDN** choose either the IP address or the DNS name of your [RadSec service endpoint](https://docs.radiusaas.com/admin-portal/settings/settings-server#properties). For the **Port** select **2083**.

11. Click **OK**.