Cisco 4402 Configuration Guide - Page 13
TERENA, Certificate Service - wireless
UPC - 882658039997
Page 13 highlights
authentication can be completed. Here one can choose between using self-generated or purchased certificates. Self-generated certificates are the most secure option, but entail significant extra work, since it is necessary to perform a separate certificate installation in every single client which is to be granted access to the wireless network. The way in which you save your own root certificate and your own certificate hierarchy is described in Chapter 4 of UFS112 [1].

A simpler and "secure enough" way to achieve this is to make use of UNINETT's server certificate service, SCS (http://www.uninett.no/scs). UNINETT is actually a member of TERENA's TCS (TERENA Certificate Service) project and can supply user certificates to our members who belong to Comodo UserTrust. Most operating systems are accompanied by a client certificate with a public key from Comodo UserTrust. A detailed "cookbook" for ordering a UNINETT SCS certificate is available at http://forskningsnett.uninett.no/scs/hvordan.html. When you have received a certificate, it must be installed in your RADIUS server. See Attachment C for installation of a certificate for FreeRADIUS 2.x.

Once IEEE 802.1X is functioning internally, the national connection to eduroam can be configured. In general terms this involves rerouting the requests from users with unrecognised realms and accepting requests from one's own users who are visiting other institutions. For more information about eduroam, see Chapter 10 of UFS112 [1] and the "eduroam cookbook" [2].

- Obtain server certificate for RADIUS
- Configure RADIUS server for the user database
- Connect RADIUS server to eduroam (top level in Norway is handled by hegre.uninett.no and trane.uninett.no)
- Filter:
  o RADIUS Authentication UDP 1812 to/from hegre.uninett.no and trane.uninett.no
  o RADIUS Accounting UDP 1813 to/from hegre.uninett.no and trane.uninett.no
  o RADIUS Proxy UDP 1814 to/from hegre.uninett.no and trane.uninett.no
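
The realm routing described in the eduroam paragraph above, modelled as an added Python example (not part of the original guide and not FreeRADIUS code). Assumptions: the local realm example.no is a placeholder, the realm syntax check is a simplification, and the rules for rejecting malformed identities and for refusing foreign realms that arrive from the national proxies are added here as common hardening, not taken from the guide.

```python
# Added example: models the eduroam realm-routing decision; not FreeRADIUS code.
import re

LOCAL_REALM = "example.no"  # assumption: placeholder for the institution's realm
NATIONAL_PROXIES = ("hegre.uninett.no", "trane.uninett.no")  # named in the guide
# Assumption: a realm is a dot-separated DNS-style name, compared in lower case.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def split_realm(user_name):
    """Return (user, realm) from an outer identity, or None if malformed."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    realm = realm.strip().lower()
    if not user or not REALM_RE.match(realm):
        return None
    return user, realm


def route(user_name, from_national_proxy=False):
    """Decide what the institution's RADIUS server does with one Access-Request.

    Returns ("local", None), ("proxy", (primary, backup)) or ("reject", reason).
    """
    parsed = split_realm(user_name)
    if parsed is None:
        # Assumption: malformed identities are rejected here, not sent upstream.
        return "reject", "malformed or missing realm"
    _, realm = parsed
    if realm == LOCAL_REALM:
        # Own user: on campus, or visiting elsewhere and relayed back to us.
        return "local", None
    if from_national_proxy:
        # Assumption: never send a request back where it came from (proxy loop).
        return "reject", "foreign realm received from national proxy"
    # Visitor with an unrecognised realm: hand over to the national top level.
    return "proxy", NATIONAL_PROXIES


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real log.
    for name, upstream in [("kari@example.no", False), ("guest@uni.example.org", False),
                           ("kari@EXAMPLE.NO", True), ("guest@uni.example.org", True),
                           ("nodomain", False), ("a@b@c.no", False), ("x@localhost", False)]:
        print(f"{name!r:28} upstream={upstream!s:5} -> {route(name, upstream)}")
```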