Introduction
The following guide was created using a Ruckus wireless network with the following components:
- Controller: Ruckus Virtual SmartZone
- Controller System Version: 3.2.1.0.163
- AP: Ruckus ZoneFlex R310
- AP Firmware: 3.2.0.0.593
Configuring the RADIUS server
Configure the CoffeeBean RADIUS server by creating a new AAA Server.
Go to "Configuration > Wireless Network > AAA Servers > Proxy AAA".
RADIUS Authentication
For "Authentication Service", click the "Create New" link and fill in the name, such as "AAA-SOCIAL-ID":
Then fill in the following information:
- Service Protocol: RADIUS
- IP Address: the primary RADIUS server IP according to your environment/region
- Port: 1812
- Shared Secret: the provided RADIUS client secret
- Confirm Secret: the provided RADIUS client secret
- Backup RADIUS: check "Enable Secondary Server"
  - IP Address: the secondary RADIUS server IP according to your environment/region
  - Port: 1812
  - Shared Secret: the provided RADIUS client secret
  - Confirm Secret: the provided RADIUS client secret
RADIUS Accounting
For "Accounting Service", click the "Create New" link and fill in the name, such as "AAA-SOCIAL-ID-ACCT":
Then fill in the following information:
- IP Address: the primary RADIUS server IP according to your environment/region
- Port: 1813
- Shared Secret: the provided RADIUS client secret
- Confirm Secret: the provided RADIUS client secret
- Backup RADIUS: check "Enable Secondary Server"
  - IP Address: the secondary RADIUS server IP according to your environment/region
  - Port: 1813
  - Shared Secret: the provided RADIUS client secret
  - Confirm Secret: the provided RADIUS client secret
PAP/CHAP Support
You can change PAP/CHAP support by accessing the AP CLI and running the following command with either pap or chap:
set aaa auth-method pap|chap
It is a global setting for all WebAuth WLANs on the AP. The default is CHAP.
Configuring the Hotspot (WISPr)
Go to "Configuration > Wireless Network > Hotspot (WISPr)", click the "Create New" link and fill in the Portal Name, such as "CP-SOCIAL-ID":
Then fill in the following information in the "Redirection" section:
- Logon URL: select "External" and fill in "Redirect unauthenticated user to the URL for authentication" with the provided captive portal login URL
- Start Page: select "Redirect to the following URL:" and fill in the provided captive portal start URL
You can also adjust the "Session Timeout" and "Grace Period" according to your specifications.
Walled Garden
Allow CoffeeBean Platform URLs and social network URLs by configuring the Hotspot Walled Garden destinations.
Add the entries according to Walled Garden for the Social Login URLs:
Configuring the WLAN
Now you need to create a Wireless LAN with the Hotspot (WISPr) previously created.
Go to "Configuration > Wireless Network > WLANs", click "Create New" under WLAN Configuration and fill in the Name and SSID, such as "WLAN-SOCIAL-ID":
Then fill in the following information:
- WLAN Usage > Authentication Type: Hotspot (WISPr)
- Authentication Options > Method: Open
- Encryption Options > Method: None
- Hotspot Portal > Hotspot (WISPr) Portal: the Hotspot (WISPr) portal created previously (e.g.: "CP-SOCIAL-ID")
- Hotspot Portal > Authentication Server: check "Use the Controller as Proxy" and select the RADIUS Authentication Server created previously (e.g.: "AAA-SOCIAL-ID")
- Hotspot Portal > Accounting Server: check "Use the Controller as Proxy" and select the RADIUS Accounting Server created previously (e.g.: "AAA-SOCIAL-ID-ACCT")
WLAN Group
You need to associate the previously created WLAN with a WLAN Group.
You probably already have a "Default" one, but you can also create a new one and add the previously created WLAN as a "Member":
Configuring the Access Points
You need to associate the WLAN Group previously created/configured to your Access Points.
Go to "Configuration > Wireless Network > APs" and check the "AP Groups" section.
Click "Create New" to add an AP Group and fill in the Name, such as "APG-SOCIAL-ID":
Add the Access Points to the group:
Then assign the previously configured WLAN Group by overriding the configuration:
If you prefer, you can also override the WLAN Group for each AP individually.
Disable MAC Address Encryption
The client MAC address is encrypted by default on Ruckus SmartZone. To perform authentication flows you'll need to disable MAC address encryption.
Log in to your Ruckus CLI using privileged credentials and run the following commands:
1. Enter config mode:
# config
2. Check if MAC encryption is enabled:
(config)# do show running-config encrypt-mac-ip
Encryption MAC and IP: Enabled
3. If encryption is "Enabled", you can run the following command:
(config)# no encrypt-mac-ip
Do you want to continue to disable (or input 'no' to cancel)? [yes/no] yes
Successful operation
Customer Parameters
Here is a summary of the customer-specific parameters:
Basic Settings
- Logon URL: Captive portal login URL.
- Start Page: Captive portal welcome URL.
- Walled Garden: Refer to our documentation for a list of hostnames allowed for unauthenticated users.
- RADIUS Authentication:
  - IP Address: RADIUS server IP based on your environment/region.
  - Shared Secret: The provided RADIUS client secret.
  - Port: RADIUS server authentication port according to your environment/region.
- RADIUS Accounting:
  - IP Address: RADIUS server IP based on your environment/region.
  - Shared Secret: The provided RADIUS client secret.
  - Port: RADIUS server accounting port according to your environment/region.