Ruckus SmartZone

CONFIGURATION GUIDE

This manual describes the configuration required on Ruckus SmartZone equipment, from version 3.5.1 onward, to use the captive portal and integrate with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers and domains to enable user authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • The Guest and Enterprise module configurations require Octopus platform licenses with the respective modules, contracted in advance.

2- Guest module configuration

2.1 Radius Server

First of all, to carry out the configuration in SmartZone controllers with version 3.5.1 or higher, it is necessary to enter the Radius Server parameters in the AP Zone where the APs of the installation are located. To do this, go to Services & Profiles > Authentication and, in the Non-Proxy tab (AP Authenticator), select the zone corresponding to the installation.

Once inside the corresponding area click on the Create button to add a new Radius server with the following configuration:

  • General Options

    • Name: RADIUS

    • Type: RADIUS

  • Primary Server:

    • IP Address: <IP_Radius_1>

    • Port: 1812

    • Shared Secret: <Secret>

    • Confirm Secret: <Secret>

  • Enable Secondary Server

    • IP Address: <IP_Radius_2>

    • Port: 1812

    • Shared Secret: <Secret>

    • Confirm Secret: <Secret>

Next, the Accounting Radius server must be added. To do so, access Services & Profiles > Accounting and, in the Non-Proxy tab, select the zone corresponding to the installation.

Once inside the corresponding area click on the Create button to add a new Radius server with the following configuration:

  • General Options

    • Name: RADIUS_ACC

    • Type: RADIUS Accounting

  • Primary Server:

    • IP Address: <IP_Radius_1>

    • Port: 1813

    • Shared Secret: <Secret>

    • Confirm Secret: <Secret>

  • Enable Secondary Server:

    • IP Address: <IP_Radius_2>

    • Port: 1813

    • Shared Secret: <Secret>

    • Confirm Secret: <Secret>

2.2 Hotspot

To configure the parameters for the external captive portal, go to Services & Profiles > Hotspot & Portals and select the zone corresponding to the installation in the Hotspot (WISPr) tab.

Once inside the corresponding area click on the Create button to add a new Hotspot Profile with the following configuration:

  • Portal Name: WIFI

  • Logon URL: External

  • Redirect unauthenticated user to the URL for authentication: http://<captive_portal_domain>/login/hotspot/ruckusvsz

  • Start Page: Redirect to the URL that user intends to visit

  • Walled Garden: Add the domains that will need to be accessed without authentication in the captive portal.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

2.4 WLAN configuration

Next, the WLAN that will be associated with the captive portal and the previously created Radius servers must be created. To do so, access Wireless LANs and select the zone corresponding to the installation.

Once inside the corresponding zone click on the Create button to add a new WLAN Profile with the following configuration:

  • General Options

    • Name: indicate the name of the WLAN

    • SSID: indicate the SSID to be radiated by the APs.

    • WLAN Group: indicate the WLAN Group to which the APs that will broadcast the SSID belong.

  • WLAN Usage

    • Authentication Type: Hotspot (WISPr)

  • Authentication Options

    • Method: Open

  • Encryption Options

    • Method: None

  • Hotspot Portal

    • Hotspot (WISPr) Portal: select the previously created Hotspot Service - WIFI

    • Authentication Service: select the Radius server created earlier - RADIUS

    • Accounting Service: select the Radius server created earlier - RADIUS_ACC

    • Send interim update every: 10 minutes

  • RADIUS Options

    • NAS ID: AP MAC

    • Called STA ID: AP MAC

  • Advanced Options

    • Access VLAN – VLAN ID: Identifier of the VLAN associated to the SSID which will depend on the customer's network configuration.

To finalize the configuration, the SSID created must be associated to the AP Group containing the installation's APs so that they begin to radiate the new SSID. To do this, access Access Points and select the AP Group containing the APs of the installation in the corresponding zone.

Once the corresponding AP Group is selected edit the configuration to select the WLAN Group, which contains the SSID created earlier, on both the 2.4GHz Radio interface and the 5GHz interface.

 

2.5 Login process configuration option: HTTP or HTTPS

There are two configuration options for the validation of the captive portal: one over HTTP, where the traffic is not encrypted, and the other over HTTPS.


HTTP option

This option works with the default values; no additional configuration is needed.


HTTPS option

If you choose to configure this secure validation option, a DNS resolution between the subdomain associated with the certificate and the SmartZone virtual IP is required. Without it, the validations will not be redirected correctly and authentication errors will occur. This DNS entry must be configured on the DNS servers delivered by DHCP to the clients.

For the whole validation process to be carried out securely, it is necessary to load a certificate in the controller so that the user does not receive certificate errors. To do this, go to System > Certificate and, within Installed Certs, click on the + Import button to upload the file provided.

Finally, select the files provided by the support team and click OK to validate the changes:

  • Server Certificate: file ending in ".com.pem"

  • Intermediate CA certificate: file ending in ".ca.crt"

  • Private key: file ending in ".key"

2.6 Authorized MAC Addresses

For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. In this case, all the MAC addresses of the Access Points that will radiate the configured SSID must be added.

These MAC addresses are available under Access Points: selecting the Zone corresponding to the installation displays the list with all the information of the APs included in that domain.

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1  MAC Authentication

To enable MAC authentication it is necessary to edit the WLAN created and enable this option. To do so, access Wireless LANs and in the corresponding area edit the configuration of the WLAN associated to the captive portal to modify the following parameter:

  • Authentication Options

    • Method: MAC Address

3.2 Configuration of “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped into a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities on the Ruckus equipment. Although the most common RADIUS dictionaries and the proprietary Ruckus dictionaries are available, the following is a list of some of the most interesting attributes:

| Attribute | Description | Format |
|---|---|---|
| WISPr-Bandwidth-Max-Down | Define downstream speed limits. | Bytes |
| WISPr-Bandwidth-Max-Up | Define upload speed limits. | Bytes |
| Reply-Message | Useful for troubleshooting functions, since it allows to identify associated elements of the Octopus platform, such as an access profile, access method, location, ... | |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| Idle-Timeout | Maximum inactivity time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |

Example of an Access Profile configuration with the attributes explained above:
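As an added illustration (not part of the original guide, and not Octopus or Ruckus code), the following Python example shows how the attributes listed above are carried in an Access-Accept and how the receiving side checks the Response Authenticator with the shared secret before trusting them. The profile values, secret and request authenticator are constructed; the attribute numbers are the RFC 2865/2869 and WISPr dictionary assignments.

```python
import hashlib
import hmac
import struct

WISPR_VENDOR_ID = 14122  # enterprise number of the WISPr RADIUS dictionary
STANDARD = {18: "Reply-Message", 28: "Idle-Timeout", 85: "Acct-Interim-Interval"}
WISPR = {7: "WISPr-Bandwidth-Max-Up", 8: "WISPr-Bandwidth-Max-Down"}
NUMBER = {name: num for num, name in {**STANDARD, **WISPR}.items()}

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(ident, request_auth, secret, profile):
    """Encode an Access-Accept (code 2) as a RADIUS server would, per RFC 2865."""
    attrs = b""
    for name, value in profile.items():
        data = value.encode() if isinstance(value, str) else struct.pack("!I", value)
        raw = _attr(NUMBER[name], data)
        if name in WISPR.values():  # vendor-specific: type 26 wraps vendor id + sub-attribute
            raw = _attr(26, struct.pack("!I", WISPR_VENDOR_ID) + raw)
        attrs += raw
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator against the shared secret, then decode."""
    if len(packet) < 20 or packet[0] != 2 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    profile, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        attr_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        vendor = struct.pack("!I", WISPR_VENDOR_ID)
        if attr_type == 26 and len(value) >= 10 and value[:4] == vendor and value[4] in WISPR:
            profile[WISPR[value[4]]] = struct.unpack("!I", value[6:10])[0]
        elif attr_type == 18:
            profile[STANDARD[18]] = value.decode()
        elif attr_type in STANDARD and len(value) == 4:
            profile[STANDARD[attr_type]] = struct.unpack("!I", value)[0]
    return profile

# Constructed sample values: not taken from the guide or from a real deployment.
SAMPLE_PROFILE = {"Reply-Message": "profile=guest-basic", "Idle-Timeout": 900,
                  "Acct-Interim-Interval": 600, "WISPr-Bandwidth-Max-Up": 1000000,
                  "WISPr-Bandwidth-Max-Down": 2000000}
```

A packet built with one secret and parsed with another raises `ValueError`, which is the failure seen when the Shared Secret entered on the controller does not match the one on the RADIUS server.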