Eduroam Integration Guide

Eduroam® is a cloud-based RADIUS proxy solution used by education institutions to provide a single SSID that can be deployed across many different institutions. Eduroam enables students to move between different campus locations and authenticate with the security of RADIUS and the same SSID.

Programs and Software

  • WatchGuard Firebox
  • Windows Server 2012 with ADDS, ADCS, and NPS services
  • Eduroam Global Wi-Fi Roaming for Academia

For assistance with setup of Windows Server 2012 NPS services, see these references in the MSDN Library:

Access Point Configuration in WatchGuard Gateway Wireless Controller

Configure RADIUS Single Sign-On

  1. Log in to Fireware Web UI for your Firebox at https://<IP address of your Firebox>:8080.
  2. Select Authentication > Servers.
  3. From the Server list, select RADIUS.

  1. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  2. In the IP Address text box, type the IP address of your RADIUS server.
  3. In the Port text box, type the port number used to connect to your RADIUS server. The default port number for a RADIUS server is 1821. If you have an older RADIUS server, the default port number might be 1645.
  4. In the Passphrase and Confirm text boxes, type the shared secret (passphrase) for your RADIUS server.

Configure the Gateway Wireless Controller With the RADIUS Settings

  1. Select Network > Gateway Wireless Controller.
  2. If it is not already selected, select the Enable Gateway Wireless Controller check box.
  3. Select the SSIDs tab and add Eduroam.
  4. Select the Security tab and add the appropriate settings for your RADIUS Server.
  5. From the Security Mode drop-down list, select WPA Enterprise.

Create a Static NAT Policy to Allow Communication to Eduroam Servers

  1. Select Firewall > SNAT.
  2. Click Add.
  3. Type a name for your SNAT policy and add a description.
  4. In the SNAT Members section, click Add.
  5. Configure the necessary settings to connect to the Eduroam server in your environment.

  1. Click OK.
  2. Select Firewall > Firewall Policies.
  3. Click Add Policy.
  4. Select Packet Filter.
  5. From the Select a packet filter drop-down list, select a RADIUS policy.
  6. Click Add Policy.
  7. Below the To list, click Add.
  8. From the Member type drop-down list, select Static NAT.
  9. Select the SNAT policy you created. Click OK.
  10. Click Save.

Configure AP Devices Managed by WatchGuard Cloud Wi-Fi

Configure SSID Template

  1. Log in to WatchGuard Wi-Fi Cloud at https://login.watchguard.cloudwifi.com.
  2. From the Wi-Fi Cloud interface, select Manage.
  3. Select the Configurations tab.
  4. Select Device Configuration > SSID Profile.
  5. To configure a full profile, select Add New Wi-Fi Profile.
  6. In the Profile Name text box, type a profile name. For example, type WatchGuard_Eduroam.
  7. In the SSID text box, type eduroam.
  8. Expand Security.
  9. From the Security Mode drop-down list, select WPA and WPA2 Mixed Mode.
  10. Select 802.1X.
  11. In the Primary Authentication Server section, type the server IP address, port number, and shared secret.
  12. Configure any additional settings required for your environment.

  1. Click Save.

Configure Device Templates

  1. From the Locations tab, select the Configurations tab.
  2. Select Device Configuration > Device Templates.
  3. Select Add Device Template.
  4. In the Template Name text box, type a name for your template.
  5. In the Description text box, type a description or add notes about the template.
  6. Select Radio Settings > Define settings for model.
  7. Select Add SSID Profile.
  8. Select the SSID profile you created.

  1. Click OK.
  2. Click Save.

Apply the Template to Your AP Devices

  1. Select Monitoring > Managed Devices.
  2. Select AP Device.
  3. Click Change device template icon.
  4. From the list of templates, select a device template.
  5. Click Save.

Set Up Windows Server 2012 R2 with NPS

Generate a Certificate to Distribute to Users

On your Windows server:

  1. Open MMC.
  2. Select File > Add/Remove Snap-in.
  3. In the Available snap-ins section, double-click Certificates.
  4. Select Computer account.
  5. Click Next.
  6. Select Local computer.
  7. Click Finish.
  8. Select Certificates > Certificates (Local Computer).
  9. Select Personal.
  10. Select Action > All Tasks > Request New Certificate.
  11. Click Next.
  12. Select the DomainController certificate template.
  13. Click Details.
  14. Click Properties.
  15. Type the Friendly name for the certificate and add a description.
  16. Click Apply.
  17. Click Enroll.
  18. Send the certificate to your end-users in an email or configure your Active Directory server to push the certificate to your clients.

Configure NPS Radius Clients

On your Network Policy Server (NPS):

  1. Right-click Radius Clients and select New.
  2. Create RADIUS clients for your internal users who authenticate with RADIUS.
  3. Create RADIUS clients for Eduroam RADIUS servers.
  4. Add a shared secret and an IP address for each RADIUS client you created.

Configure Remote RADIUS Servers

  1. Right-click Remote RADIUS Server Groups and select New.
  2. Create a group name for each Eduroam RADIUS server.

Create Connection Request Policies

  1. Right-click Connection Request Policies and select New.
  2. Configure your CRP policies for external and internal to authenticate against own realms and external to forward requests.

Create Network Policies

  1. Right-click Network Policies and select New.
  2. Create network policies to define who is authorized to connect to your network.

Configure RADIUS Server and Shared Secret with Eduroam

To configure your RADIUS server:

  1. Log in to Eduroam Administration at https://eduroam.us/admin-login.
  2. Select the RADIUS Configuration tool.
  3. In the Friendly Name text box, type a name for your RADIUS servers.
  4. In the Host text box, type the external IP address used to send authentication requests to Eduroam servers. This could be the Firebox (with SNAT policy) that forwards the RADIUS requests to your NPS server or the AP device if it has an external address. The Operator-Name is your .EDU domain.

To test your authentication settings:

  1. Create test accounts on the Eduroam website.
  2. Connect one of the test users (you must also add this user to your Active Directory list of Eduroam users) to your Eduroam SSID.
  3. From the Eduroam Administration Log Viewer, review the log messages.