Ruckus Unleashed

Owned by Marce de Miguel (Unlicensed)
Last updated: Oct 18, 2021 by Santiago Nanclares (Unlicensed)
7 min read

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Ruckus Unleashed equipment for integration with Octopus Platform

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user's authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.

2- Guest module configuration

2.1 Radius Server

First of all, to configure the external captive portal in the Ruckus Unleashed APs, it is necessary to set up the Radius Server that the user's authentication requests will be sent to. Go to the menu Admin & Services > Services > AAA Servers > Authentication Servers and create two new servers. One of them will be the Authentication Server and the second one will be the Accounting Server. Configure them as described below.

Radius Authentication:

  • Name: RADIUS

  • Type: RADIUS

  • Auth Method: PAP

  • Backup RADIUS: Enable

  • IP Address First Server: <IP_Radius_1>

  • Port: 1812

  • Sharet Secret: <Secret>

  • Confirm Secret: <Secret>

  • IP Address Second Server:<IP_Radius_2>

  • Port:1812

  • Sharet Secret:<Secret>

  • Confirm Secret: <Secret>

  • Request timeout: 3 seconds

  • Max Numbers of Retries: 2 times

Radius Accounting:

  • Name: RADIUS_ACC

  • Type: RADIUS Accounting

  • Backup RADIUS: Enable

  • IP Address First Server: <IP_Radius_1>

  • Port: 1813

  • Sharet Secret: <Secret>

  • Confirm Secret: <Secret>

  • IP Address Second Server:<IP_Radius_2>

  • Port: 1813

  • Sharet Secret:<Secret>

  • Confirm Secret: <Secret>

  • Request timeout: 3 seconds

  • Max Numbers of Retries: 2 times

2.2 Captive Portal

To configure the external captive portal, go to Admin & Services > Services > Hotspot Services menu and add a new Hotspot Service with the following configuration:

General Tab

  • Name: WIFI

  • WISPr Smart Client Support: None

  • Login Page (check section 2.5 for the url redirection to be http or https):

    • http option: http://<domain_captive_portal>/login/hotspot/ruckus

    • https option: https://<domain_captive_portal>/login/hotspot/ruckus

  • After user is authenticated: Select Redirect to the URL that the user intends to visit to manage the web site redirection from the WIFI platform.

  • Grace Period: Enable and set 30 minutes.

Authentication Tab

  • Authentication Server: Select the Radius Authentication Server added before - RADIUS

  • Accounting Server: Select the Radius Accounting Server added before - RADIUS_ACC

  • Send Interim-Update every: 10 minutes

Walled Garden Tab

  • Add the domains to which users will have free access before validating in the captive portal.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

2.3 WLANs

The next step is to create the WLAN which will use the captive portal and the authentication servers added. Go to WiFi Networks section and add a new WLAN with the following configuration:

  • Name: set up the SSID name that will be visible to the wireless users.

  • Usages Type: Hotspot Service 

  • Hotspot Services: select the captive portal created in the chapter before -WIFI.

  • Hide advanced options > Access VLAN: the VLAN ID associated with the SSID can be configured.

2.4 Called-Station-ID Configuration

IMPORTANT: It is required to change the format of the Called Station ID sent by the access point. This has to be done in the command line interface. Once you have accessed the device through SSH, please execute the following commands:

  • enable, to enter into the privilege mode.

  • config, to be able to execute the commands. 

  • wlan wlan_name, to enter in the WLAN configuration. Please change the wlan_name by the one you have configured previously.

  • called-station-id-type ap-mac, to perform the required change. 

  • end, to exit the configuration mode and save the change.

2.5 Login process configuration option: HTTP or HTTPS

There are two configuration options for the validation of the captive portal: One through http connectivity, where the traffic would not be encrypted, and the other through https.

HTTP option

Leaving default values, we can use this configuration.

HTTPS option

If you choose to configure this secure validation option it is very important to know that a DNS resolution is required between the subdomain associated to the certificate and the IP of the master AP, otherwise the validations will not be redirected to the AP and authentication errors will occur. This DNS entry must be configured in the DNS servers delivered by DHCP to the clients.

 

The first thing to do is to load a new certificate into the controller associated with the subdomine in order to log in. To do this, go to Admin & Services > Administration > Certificate and in the Import Signed Certificate tab click on the Select file button to upload the selected file:

The first certificate to be uploaded is the certificate.pem file. Once you have chosen the file, select the option Accept this certificate and then install a private key to match your certificate and click on the Import button:

Then you need to upload the second certificate: certificate.key. Once selected in the drop-down list, select the option Install this certificate and additional intermediate certificates and click on the Import button:

After uploading the certificate key it is necessary to upload the last certificate provided. To do this, select the certificate.ca.crt in the Import Intermediate Certificates tab and select the Install this intermediate certificate and then reboot option and click on the Import button:

After clicking Import the driver will restart to apply the changes.

In the Unleashed AP Master, the change of certificate for the captive portal also affects the certificate that is used to access the management of the AP via web. So in order to access the device it will be necessary to use an HTTPS access and with the IP address of the controller. If, on the other hand, it is accessed via HTTP, it will be redirected to the securelogin.<certified_domain> domain and it will not be able to access the equipment if a static entry has not been added in the DNS that associates this domain with the controller's IP.

2.6 Authorized MAC Addresses

In order to allow the users to authenticate themselves in the captive portal correctly, it is necessary to identify the NAS that will send the authentication requests to the Radius Server. In Ruckus Unleashed, it is required to add the MAC address of every access point that will radiate the configured SSID. These MAC addresses can be obtained in the Access Points section. Open the configuration window of each access point to be able to check its MAC address.

 

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication Configuration

If you wish to configure the functionality that would allow the MACs registered in the WIFI platform to be validated a second time directly without the captive portal appearing to the users, it is necessary to perform an additional configuration. To do so, follow the steps below:

  • Go to the section Admin & Services > Services > Hotspot Services and select the Hotspot Service in use. 

  • Check the option Enable MAC authentication bypass(no redirection).

  • Check the box Use device MAC address as authentication password.

3.2 MAC Authentication Configuration

To create an SSID dedicated to MAC Authentication validation only, go to WiFi Networks and create a new WLAN or modify an existing one by configuring the following parameters:

  • Name: configure SSID for example Mac_Auth_Guest

  • Usages Type: Standard 

  • Authenticacion Method: select MAC Address.

  • Authenticacion Server: select the Radius Authentication server previously created (point 2.1). In the case of the example it would be: RADIUS

  • Accounting Server: select the Accounting Radius server created earlier (point 2.1). In the example case it would be: RADIUS_ACC

  • Hide advanced options > Access VLAN: the VLAN ID associated with the SSID can be configured.

3.3 Access Profiles Configuration

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packages, grouped in the so-called Access Profile. These Access Profiles allow to activate a series of functionalities in the Ruckus. Although the most common and proprietary Ruckus radius dictionaries are available, the following is a list of some of the most interesting ones:

Atributo

Descripción

Format

Atributo

Descripción

Format

Idle-Timeout

Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate.

Segundos

Acct-Interim-Interval

Defines the time interval at which the NAS sends the accounting packet update with all the user's session information.

Segundos

WISPr-Bandwidth-Max-Down

Define downstream speed limits.

Bytes

WISPr-Bandwidth-Max-Up

Define upload speed limits.

Bytes

Reply-Message

Useful for troubleshooting functions, since it allows to identify associated elements of the Octopus platform, such as an access profile, access method, location, ...

 

Example of an Access Profile configuration with the attributes explained above: