Ruckus
The following guide was created using Ruckus Virtual SmartZone Essentials version 6.1.2.0.441.
To establish a valid RadSec connection, your Access Points must trust the RADIUS Server Certificate and your RADIUS server must trust your RadSec Client Certificate. To achieve this:
Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described here.
Create a RadSec Client Certificate for your Ruckus SmartZone. If you are using SCEPman Certificate Master, the process is described here.
Split the generated certificate into the private key (named "priv.key" in this example) and the certificate (named "clientcert.cer"). In case the RadSec Client Certificate was downloaded in the PKCS#12/.pfx format, this can be easily done, e.g. using OpenSSL:
Private Key:
openssl pkcs12 -in <your-radsec-client-cert>.pfx -nocerts -nodes -out priv.key
Certificate without Private Key:
openssl pkcs12 -in <your-radsec-client-cert>.pfx -clcerts -nokeys -out clientcert.cer
Make sure to monitor the expiry of your RadSec Client Certificate and renew it in good time to prevent service interruptions.
Add the root certificate of the CA that has issued the RadSec Client Certificate to your RADIUS instance as described here and select RadSec under Use for. In case the RadSec Client Certificate has been issued by SCEPman and you already trust the SCEPman Root CA for client authentication, simply edit the trusted SCEPman Root CA certificate and select Both under Use for.
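The following is an added example, not part of the original guide or of any Ruckus or RADIUSaaS tooling: a shell check for the files produced by the OpenSSL split step, confirming that priv.key belongs to clientcert.cer and that the certificate remains valid for a renewal window. The function names and the 30-day default window are assumptions.

```shell
#!/bin/sh
# Added example: checks for the files produced by the OpenSSL split step.
# priv.key / clientcert.cer are the guide's names; the function names and
# the 30-day renewal window are assumptions.

# Succeeds (0) when key and certificate contain the same public key.
key_matches_cert() {
    local key cert pub_k pub_c
    key="$1"; cert="$2"
    pub_k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    pub_c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pub_k" ] && [ "$pub_k" = "$pub_c" ]
}

# Succeeds (0) when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    local cert days
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Runs both checks and restricts access to the key file, because -nodes
# writes the private key to disk unencrypted.
check_radsec_client_cert() {
    local key cert days
    key="$1"; cert="$2"; days="${3:-30}"
    chmod 600 "$key" || return 2
    if ! key_matches_cert "$key" "$cert"; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 1
    fi
    if ! cert_valid_for_days "$cert" "$days"; then
        echo "WARN: $cert expires within $days days, renew it" >&2
        return 3
    fi
    echo "OK: key matches certificate, valid for at least $days more days"
}

# Usage: sh check-radsec-cert.sh priv.key clientcert.cer [days]
if [ "$#" -ge 2 ]; then
    check_radsec_client_cert "$@"
fi
```

Running the check on a schedule with the imported certificate file gives an early warning before the RadSec connection fails on an expired client certificate.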
In the following, Ruckus SZ is configured as an authentication proxy, i.e. RADIUS authentication requests are routed from the WAPs to the Ruckus SZ and centrally forwarded to RADIUSaaS.
For general information on how to import certificates to the Ruckus SmartZone, please refer to their documentation:
Import the root certificate of the CA that has issued your RADIUS Server Certificate (downloaded during step 1 here) by navigating to Administration > System > Certificates > SZ Trusted CA Certificates/Chain (external).
Click Import, provide a Name and optional Description for your RADIUS CA certificate and upload the certificate file by clicking Browse next to Root CA Certificate. In case you are bringing your own RADIUS Server Certificate and in case it has been issued by an intermediate CA, please also upload all intermediate certificates under Intermediate CA Certificates.
Next, click Validate and OK.
Import your RadSec Client Certificate (obtained from step 3 here) by navigating to Administration > System > Certificates > SZ as Client Certificate.
Click Import and provide a Name and optional Description for your RadSec Client Certificate. Then upload the public portion of your RadSec Client Certificate by clicking Browse next to Client Certificate. Finally, upload the private key by clicking Browse next to Private Key.
For the RADIUS server configuration, navigate to Security > Authentication > Proxy (SZ Authenticator).
Click Create and provide a Name, optional Friendly Name and Description for the RADIUS profile.
Select RADIUS as Service Protocol.
Under RADIUS Service Options, configure the following settings:
Encryption: Enable
CN/SAN Identity: Provide the CN/SAN attribute of your RADIUS Server Certificate.
OCSP Validation: Disabled by default. In case you are bringing your own RADIUS Server Certificate and the CA that has issued it allows for its revocation, provide the OCSP Responder URL of your CA here.
Client Certificate: Select the RadSec Client Certificate uploaded to Ruckus SZ previously.
Server Certificate: Disable
RFC5580 Out of Band Location Delivery: Disable
Next, under Primary Server, for the IP Address/FQDN choose either the IP address or the DNS name of your RadSec service endpoint. For the Port select 2083.
Click OK.