Ruckus ZoneDirector

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration of Ruckus ZoneDirector equipment required for integration with the Octopus Platform.

Ruckus Unleashed

If you are going to use the Ruckus Unleashed configuration, please follow the Ruckus Unleashed user guide.

 

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following destinations to enable user authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To configure the Guest and Enterprise modules, the Octopus platform licenses with the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 Radius Servers

Go to the menu Admin & Services > Services > AAA Servers > Authentication Servers and create two new servers. One of them will be the Authentication Server and the second one will be the Accounting Server. Configure them as described below.

Radius Authentication:

  • Name: RADIUS

  • Type: RADIUS

  • Auth Method: PAP

  • Backup RADIUS: Enable

  • IP Address First Server: <IP_Radius_1>

  • Port: 1812

  • Shared Secret: <Secret>

  • Confirm Secret: <Secret>

  • IP Address Second Server: <IP_Radius_2>

  • Port: 1812

  • Shared Secret: <Secret>

  • Confirm Secret: <Secret>

  • Request timeout: 3 seconds

  • Max Numbers of Retries: 2 times

Radius Accounting:

  • Name: RADIUS_acct

  • Type: RADIUS Accounting

  • Backup RADIUS: Enable

  • IP Address First Server: <IP_Radius_1>

  • Port: 1813

  • Shared Secret: <Secret>

  • Confirm Secret: <Secret>

  • IP Address Second Server: <IP_Radius_2>

  • Port: 1813

  • Shared Secret: <Secret>

  • Confirm Secret: <Secret>

  • Request timeout: 3 seconds

  • Max Numbers of Retries: 2 times

2.2 Captive Portal

To configure the external captive portal, go to Admin & Services > Services > Hotspot Services menu and add a new Hotspot Service with the following configuration:

  • Name: WIFI

  • WISPr Smart Client Support: None

  • Login Page (check section 2.5 for the url redirection to be http or https):

    • HTTPS option: https://<domain_captive_portal>/login/hotspot/ruckus

    • HTTP option: http://<domain_captive_portal>/login/hotspot/ruckus

  • After user is authenticated: Select "Redirect to the URL that the user intends to visit" if you want to manage the redirection from the WIFI platform.

  • Authentication Server: Select the Radius Authentication Server added before - RADIUS

  • Accounting Server: Select the Radius Accounting Server added before - RADIUS_acct

  • Send Interim-Update every: 10 minutes

  • Walled Garden: Add the domains to which users will have free access before validating in the captive portal.

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.

2.3 WLANs

The next step is to create the WLAN which will use the captive portal and the authentication servers added. Go to Configure > WLANs and add a new WLAN with the following configuration:

  • Name/ESSID: set up the SSID name that will be visible to the wireless users.

  • WLAN Usages Type: Hotspot Service (WISPr)

  • Authentication Method: Open

  • Encryption Method: None

  • Hotspot Services: select the captive portal created in the chapter before - WIFI.

  • Access VLAN – VLAN ID: set the VLAN associated with the SSID depending on the client's network configuration.

Finally, it is necessary to create or edit the WLAN Group to include the new WLAN. Go to Configure > WLANs > WLAN Group section and select the WLANs that will be broadcast by the access points that belong to this group.

2.4 Called-Station-Id Set up

IMPORTANT: It is required to change the format of the Called Station ID sent by the access point. This has to be done in the command line interface. Once you have accessed the device through SSH, please execute the following commands:

  • Enable, to enter privileged mode.

  • Config, to be able to execute the commands.

  • Wlan_name, to enter the WLAN configuration. Replace wlan_name with the name of the WLAN you configured previously.

  • Called-station-id-type ap-mac, to perform the required change. 

  • End, to exit the configuration mode and save the change.

2.5 Login process configuration options: HTTP or HTTPS

There are two configuration options for the validation of the captive portal: one through HTTP connectivity, where the traffic is not encrypted, and the other through HTTPS.

HTTP option

This configuration can be used by leaving the default values.

HTTPS option

If you choose to configure this secure validation option, it is very important to know that a DNS resolution is required between the subdomain associated with the certificate and the IP of the controller, otherwise the validations will not be redirected to the ZoneDirector and authentication errors will occur. This DNS entry must be configured in the DNS servers delivered by DHCP to the clients.

The first thing to do is to load a new certificate into the controller, associated with the subdomain that will be used to log in. To do this, go to Configure > Certificate and in the Import Signed Certificate tab click on the Select file button to upload the file provided:

The first certificate to be uploaded is the securelogin.xxxxxxx.pem file. Once you have chosen the file, select the option "Accept this certificate and then install a private key to match your certificate" and click on the Import button:

Then you need to upload the second certificate: certificate.key. Once selected in the drop-down list, select the option "Install this certificate and additional intermediate certificates" and click on the Import button:

After uploading the certificate key it is necessary to upload the last certificate provided. To do this, select the certificate.ca.crt in the Import Intermediate Certificates tab, select the "Install this intermediate certificate and then reboot" option and click on the Import button:

After clicking Import the controller will restart to apply the changes.

2.6 Authorized MAC Addresses

In order to allow the users to authenticate themselves in the captive portal correctly, it is necessary to identify the NAS that will send the authentication requests to the Radius Server. In Ruckus ZoneDirector, it is required to add the MAC address of every access point that will radiate the configured SSID. These MAC addresses can be obtained in the Monitor section. Go to Monitor > Access Points.

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication Configuration

If you wish to configure the functionality that would allow MACs registered on the WIFI platform to be validated a second time directly without the captive portal appearing to users, you need to perform an additional configuration in ZoneDirector. Go to Configure > Hotspot Services and select the one you want to edit.

  • Authentication Server: Select the Radius Authentication created in point 2.1 of this manual.

  • Check the box "Enable MAC authentication bypass (no redirection)".

  • Select "Use device MAC address as authentication password".

  • MAC Address Format: Select the MAC address format with dotted division.

  • Accounting Server: Select the Radius Accounting created in point 2.1 of this manual.

  • Send Interim-Update every: 10 minutes

3.2 MAC Authentication Configuration

To create an SSID dedicated to MAC Authentication validation only, go to Configure > WLANs and create a new WLAN or modify an existing one by configuring the following parameters:

  • Name/ESSID: configure SSID to be radiated by APs e.g. Mac_Auth_Guest

  • WLAN Usages Type: Standard Usage

  • Authentication Method: MAC Address

  • Encryption Method: None

  • Access VLAN – VLAN ID: you can configure the VLAN associated to the SSID.

  • Authentication Server: Select the Radius Authentication created in point 2.1 of this manual.

  • MAC Address Format: aa:bb:cc:dd:ee:ff
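Sections 2.6, 3.1 and 3.2 each handle MAC addresses in a different notation: the access point MACs registered as NAS, the dotted client format, and aa:bb:cc:dd:ee:ff. The following added example, which is not part of the original guide, normalizes them before comparison and checks a Called-Station-Id against the registered access points; the function names, the sample addresses and the `MAC:SSID` layout assumed for Called-Station-Id are assumptions.

```python
import re

# Assumed layout of Called-Station-Id with "ap-mac": AP MAC, optionally ":SSID".
_CSID = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(.*))?$")


def normalize_mac(value: str) -> str:
    """Return a MAC as aa:bb:cc:dd:ee:ff whatever separator style was used."""
    digits = re.sub(r"[.:\-\s]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value: str) -> tuple:
    """Split Called-Station-Id into (normalized AP MAC, SSID or '')."""
    match = _CSID.match(value.strip())
    if not match:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return normalize_mac(match.group(1)), match.group(2) or ""


def is_authorized_nas(called_station_id: str, authorized_aps) -> bool:
    """True only if the AP MAC in the request is one of the registered APs."""
    allowed = {normalize_mac(mac) for mac in authorized_aps}
    try:
        ap_mac, _ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False  # malformed identifiers are rejected, never matched loosely
    return ap_mac in allowed


# Constructed sample data: AP MACs as they might be copied from
# Monitor > Access Points, deliberately in mixed notations.
AUTHORIZED_APS = ["C0:8A:DE:00:11:22", "c08a.de00.1133"]

if __name__ == "__main__":
    for csid in ("C0-8A-DE-00-11-22:WIFI", "C0-8A-DE-00-11-99:WIFI", "garbage"):
        print(csid, is_authorized_nas(csid, AUTHORIZED_APS))
    # The same client MAC in the dotted (3.1) and colon (3.2) notations.
    print(normalize_mac("aa.bb.cc.dd.ee.ff") == normalize_mac("aa:bb:cc:dd:ee:ff"))
```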

3.3 Access Profiles Configuration

Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities in the Ruckus equipment. Although the most common and the proprietary Ruckus RADIUS dictionaries are available, the following is a list of some of the most interesting attributes:

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| WISPr-Bandwidth-Max-Down | Defines download speed limits. | Bytes |
| WISPr-Bandwidth-Max-Up | Defines upload speed limits. | Bytes |
| Reply-Message | Useful for troubleshooting, since it allows identifying associated elements of the Octopus platform, such as an access profile, access method, location, etc. | |

 

Example of an Access Profile configuration with the attributes explained above: