Ruckus ZoneDirector
CONFIGURATION GUIDE
This manual describes the configuration required to integrate Ruckus ZoneDirector equipment with the Octopus Platform.
Ruckus Unleashed
If you are going to use the Ruckus Unleashed configuration, please follow the Ruckus Unleashed user guide.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers and domains so that users can authenticate:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
To use the Guest and Enterprise module configurations, the Octopus platform licenses for the respective modules must be contracted beforehand.
2- Guest module configuration
2.1 Radius Servers
Go to the menu Admin & Services > Services > AAA Servers > Authentication Servers and create two new servers. One of them will be the Authentication Server and the second one will be the Accounting Server. Configure them as described below.
Radius Authentication:
Name: RADIUS
Type: RADIUS
Auth Method: PAP
Backup RADIUS: Enable
IP Address First Server: <IP_Radius_1>
Port: 1812
Shared Secret: <Secret>
Confirm Secret: <Secret>
IP Address Second Server: <IP_Radius_2>
Port: 1812
Shared Secret: <Secret>
Confirm Secret: <Secret>
Request timeout: 3 seconds
Max Number of Retries: 2 times
Radius Accounting:
Name: RADIUS_acct
Type: RADIUS Accounting
Backup RADIUS: Enable
IP Address First Server: <IP_Radius_1>
Port: 1813
Shared Secret: <Secret>
Confirm Secret: <Secret>
IP Address Second Server: <IP_Radius_2>
Port: 1813
Shared Secret: <Secret>
Confirm Secret: <Secret>
Request timeout: 3 seconds
Max Number of Retries: 2 times
2.2 Captive Portal
To configure the external captive portal, go to Admin & Services > Services > Hotspot Services menu and add a new Hotspot Service with the following configuration:
Name: WIFI
WISPr Smart Client Support: None
Login Page (check section 2.5 to decide whether the URL redirection should be HTTP or HTTPS):
HTTPS option: https://<domain_captive_portal>/login/hotspot/ruckus
HTTP option: http://<domain_captive_portal>/login/hotspot/ruckus
After user is authenticated: Select Redirect to the URL that the user intends to visit if you want to manage the redirection from the WIFI platform.
Authentication Server: Select the Radius Authentication Server added before - RADIUS
Accounting Server: Select the Radius Accounting Server added before - RADIUS_acct
Send Interim-Update every: 10 minutes
Walled Garden: Add the domains to which users will have free access before validating in the captive portal.
If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.
2.3 WLANs
The next step is to create the WLAN which will use the captive portal and the authentication servers added. Go to Configure > WLANs and add a new WLAN with the following configuration:
Name/ESSID: set up the SSID name that will be visible to the wireless users.
WLAN Usages Type: Hotspot Service (WISPr)
Authentication Method: Open
Encryption Method: None
Hotspot Services: select the captive portal created in the previous section - WIFI.
Access VLAN – VLAN ID: set the VLAN associated with the SSID depending on the client's network configuration.
Finally, it is necessary to create or edit the WLAN Group to include the new WLAN. Go to Configure > WLANs > WLAN Group section and select the WLANs that will be broadcast by the access points that belong to this group.
2.4 Called-Station-Id Set up
IMPORTANT: It is required to change the format of the Called Station ID sent by the access point. This has to be done in the command line interface. Once you have accessed the device through SSH, please execute the following commands:
Enable, to enter privileged mode.
Config, to be able to execute the commands.
Wlan_name, to enter the WLAN configuration. Replace wlan_name with the one you have configured previously.
Called-station-id-type ap-mac, to perform the required change.
End, to exit the configuration mode and save the change.
2.5 Login process configuration options: HTTP or HTTPS
There are two configuration options for the validation of the captive portal: One through http connectivity, where the traffic would not be encrypted, and the other through https.
HTTP option
This option can be used with the default values.
HTTPS option
If you choose to configure this secure validation option, it is very important to know that a DNS resolution is required between the subdomain associated with the certificate and the IP of the controller, otherwise the validations will not be redirected to the ZoneDirector and authentication errors will occur. This DNS entry must be configured in the DNS servers delivered by DHCP to the clients.
The first thing to do is to load into the controller a new certificate associated with the subdomain used for the login. To do this go to Configure > Certificate and in the Import Signed Certificate tab click on the Select file button to upload the file provided:
The first certificate to be uploaded is the securelogin.xxxxxxx.pem file. Once you have chosen the file, select the option Accept this certificate and then install a private key to match your certificate and click on the Import button:
Then you need to upload the second certificate: certificate.key. Once selected in the drop-down list, select the option Install this certificate and additional intermediate certificates and click on the Import button:
After uploading the certificate key it is necessary to upload the last certificate provided. To do this, select the certificate.ca.crt in the Import Intermediate Certificates tab and select the Install this intermediate certificate and then reboot option and click on the Import button:
After clicking Import the controller will restart to apply the changes.
2.6 Authorized MAC Addresses
In order to allow the users to authenticate themselves in the captive portal correctly, it is necessary to identify the NAS that will send the authentication requests to the Radius Server. In Ruckus ZoneDirector, it is required to add the MAC address of every access point that will radiate the configured SSID. These MAC addresses can be obtained in the Monitor section. Go to Monitor > Access Points.
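A troubleshooting check for sections 2.4 and 2.6, as an added example (not part of the Octopus platform): it normalizes MAC notations and tests whether the MAC carried in Called-Station-Id is one of the registered access points. The "<MAC>:<SSID>" layout of the attribute and all addresses are assumptions constructed for the example.

```python
import re

# Called-Station-Id as "<MAC>" or "<MAC>:<SSID>"; separators -, : or . accepted.
_CSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5})(?::(.*))?$")


def normalize_mac(value: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def parse_called_station_id(value: str):
    """Return (normalized MAC, SSID or None) from a Called-Station-Id string."""
    match = _CSID.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised Called-Station-Id: {value!r}")
    return normalize_mac(match.group(1)), match.group(2)


def check_requests(authorized_aps, called_station_ids):
    """Map each Called-Station-Id to True if its MAC is a registered AP."""
    allowed = {normalize_mac(mac) for mac in authorized_aps}
    return {csid: parse_called_station_id(csid)[0] in allowed
            for csid in called_station_ids}


# Constructed sample data: AP MACs as copied from Monitor > Access Points,
# and Called-Station-Id values as a RADIUS server might log them.
AUTHORIZED_APS = ["02:00:5e:10:00:10", "0200.5E10.0020"]
SAMPLE_IDS = [
    "02-00-5E-10-00-10:WIFI",  # AP MAC, after called-station-id-type ap-mac
    "02-00-5E-10-00-18:WIFI",  # assumed per-WLAN BSSID of the same AP
    "02:00:5e:10:00:20",       # second AP, no SSID suffix
]

if __name__ == "__main__":
    for csid, ok in check_requests(AUTHORIZED_APS, SAMPLE_IDS).items():
        print(f"{csid:28} {'authorized' if ok else 'NOT in the AP list'}")
```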
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 Captive portal + MAC Authentication Configuration
If you wish to configure the functionality that would allow MACs registered on the WIFI platform to be validated a second time directly without the captive portal appearing to users, you need to perform an additional configuration in ZoneDirector. Go to Configure > Hotspot Services and select the one you want to edit.
Authentication Server: Select the Radius Authentication created in point 2.1 of this manual.
Check the box "Enable MAC authentication bypass (no redirection)".
Check "Use device MAC address as authentication password".
MAC Address Format: Select the MAC address format with dotted division.
Accounting Server: Select the Radius Accounting created in point 2.1 of this manual.
Send Interim-Update every: 10 minutes
3.2 MAC Authentication Configuration
To create an SSID dedicated to MAC Authentication validation only, go to Configure > WLANs and create a new WLAN or modify an existing one by configuring the following parameters:
Name/ESSID: configure SSID to be radiated by APs e.g. Mac_Auth_Guest
WLAN Usages Type: Standard Usage
Authentication Method: MAC Address
Encryption Method: None
Access VLAN – VLAN ID: you can configure the VLAN associated to the SSID.
Authentication Server: Select the Radius Authentication created in point 2.1 of this manual.
MAC Address Format: aa:bb:cc:dd:ee:ff
3.3 Access Profiles Configuration
Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities on the Ruckus equipment. Although the most common RADIUS dictionaries and the proprietary Ruckus dictionaries are available, the following is a list of some of the most interesting attributes:
Attribute | Description | Format |
---|---|---|
Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
WISPr-Bandwidth-Max-Down | Define downstream speed limits. | Bytes |
WISPr-Bandwidth-Max-Up | Define upload speed limits. | Bytes |
Reply-Message | Useful for troubleshooting, since it makes it possible to identify associated elements of the Octopus platform, such as an access profile, access method, location, ... | |
Example of an Access Profile configuration with the attributes explained above:
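For reading these attributes in a packet capture, the following added example (not the platform's own configuration or code) encodes and decodes the attributes from the table as RADIUS TLVs. The attribute numbers come from RFC 2865/2869 and the WISPr dictionary (vendor 14122); the profile values are constructed.

```python
import struct

WISPR_VENDOR_ID = 14122  # vendor id used by the WISPr RADIUS dictionary
STANDARD = {"Reply-Message": 18, "Idle-Timeout": 28, "Acct-Interim-Interval": 85}
WISPR = {"WISPr-Bandwidth-Max-Up": 7, "WISPr-Bandwidth-Max-Down": 8}


def encode_profile(profile: dict) -> bytes:
    """Serialise an Access Profile into RADIUS attribute TLVs."""
    out = b""
    for name, value in profile.items():
        body = value.encode() if name == "Reply-Message" else struct.pack("!I", value)
        if name in WISPR:
            # Vendor-Specific (26): vendor id, then vendor type/length/value.
            body = struct.pack("!IBB", WISPR_VENDOR_ID, WISPR[name], len(body) + 2) + body
            code = 26
        else:
            code = STANDARD[name]
        out += bytes([code, len(body) + 2]) + body  # ValueError if over 255 bytes
    return out


def decode_profile(data: bytes) -> dict:
    """Parse attribute TLVs, keeping only the attributes listed in the table."""
    by_code = {code: name for name, code in STANDARD.items()}
    by_vtype = {vtype: name for name, vtype in WISPR.items()}
    profile, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2 or not 2 <= data[pos + 1] <= len(data) - pos:
            raise ValueError(f"malformed attribute at offset {pos}")
        code, length = data[pos], data[pos + 1]
        body, pos = data[pos + 2:pos + length], pos + length
        name = by_code.get(code)
        if code == 26 and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == WISPR_VENDOR_ID and vlen == len(body) - 4:
                name, body = by_vtype.get(vtype), body[6:]
        if name == "Reply-Message":
            profile[name] = body.decode()
        elif name is not None:
            if len(body) != 4:
                raise ValueError(f"{name}: expected a 32-bit integer")
            profile[name] = struct.unpack("!I", body)[0]
    return profile


# Constructed sample profile; the values are illustrative only.
SAMPLE_PROFILE = {"Idle-Timeout": 600, "Acct-Interim-Interval": 600,
                  "WISPr-Bandwidth-Max-Down": 2000000,
                  "WISPr-Bandwidth-Max-Up": 1000000, "Reply-Message": "profile=guest"}
```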