Ruckus ZoneDirector WLC Configuration
Ruckus WLC is configured as a RADIUS client, with Ivanti Policy Secure as the RADIUS server. The following figure illustrates the workflow of Guest Access on Ivanti Policy Secure for Ruckus WLC.
- Connect user/endpoint to the Ruckus Wireless network with open SSID over 802.1X with restricted access through ACLs.
- Ruckus WLC redirects the guest to the external (Ivanti Policy Secure) captive portal when the guest tries to access a web resource.
- The guest enters credentials on the captive portal page.
- Credentials are passed to Ruckus WLC.
- Ruckus WLC encodes the credentials and sends them to the RADIUS server.
- The RADIUS server (IPS) validates the credentials and sends a RADIUS response, which contains standard RADIUS attributes and Vendor Specific Attributes.
- Ruckus WLC provides network access to the guest by changing the VLAN based on the Ivanti Policy Secure role-based policy.
To configure IPS as RADIUS Server:
- Select Configuration > AP Zone > Zone Name > AAA servers > Create New.
- Enter Name, select “Type” as “Radius”, and enter the IP Address, Shared Secret and Confirm Secret.
To configure Hotspot (WISPr) service:
- Select Configuration > AP Zone > Zone Name > Hotspot Services > Create New.
- Enter the Name, and enter https://IPS-ip/guest in the Login page text box.
- Select the authentication server configured in AAA servers.
To configure WLAN:
- Go to Configuration > AP Zone > Zone Name > WLAN > Create New.
- Enter the Name, SSID, Authentication type as “Hotspot (WISPr)”, Authentication method as “Open” and Encryption as “None”.
- Select Hotspot services as “Guest PS” from the drop-down list.
- Click OK to save changes to the settings.
Verifying Device Certificates
Ruckus device certificate validation enhances the security between IPS and the Ruckus device for guest access. It allows IPS to verify whether the server certificate is from a trusted source. This topic describes how to configure the IPS for validating device certificates, create certificates on Ruckus, and check the validity of the certificate.
Step 1: Creating a Server Certificate
To create a CSR:
- From the certificate server, generate a server certificate with a private key and import the certificate on Ruckus SmartZone.
- To import the certificate on Ruckus, select Configuration > System > Certificate Store > Import.
Step 2: Importing the Certificate on IPS
To import the certificate on IPS:
- Obtain the root CA from the certificate server for the generated certificate.
- Select System > Configuration > Certificates > Trusted Server CAs > Import Trusted Server CA and import the certificate.
Step 3: Adding Ruckus Wireless device as RADIUS Client
To add the Ruckus wireless device to IPS:
- Select Endpoint policy > Network Access > RADIUS Client > New RADIUS Client.
- Select Ruckus Wireless as the RADIUS client and enable Ruckus Server Certificate Validation.
- (Optional) From a client machine, perform a guest authentication. If the guest user is able to authenticate, the certificate is valid. Otherwise, the certificate is invalid or not available.
- (Optional) Check the event logs for any entries reporting an invalid certificate.
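The certificate files used in Steps 1 and 2 can also be checked locally with OpenSSL before they are imported, which separates a bad certificate from a bad guest login. This is an added example, not part of the Ivanti or Ruckus documentation; the function names, file names and the throwaway test CA built by `make_sample` are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for the server certificate (Step 1)
# and the root CA imported as Trusted Server CA on IPS (Step 2).
# All names and paths below are hypothetical.

# 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {   # usage: key_matches_cert server.pem server.key
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate chains to the given root CA as a TLS server cert.
chains_to_root() {     # usage: chains_to_root root-ca.pem server.pem
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate is still valid N days from now (default 30).
not_expiring() {       # usage: not_expiring server.pem [days]
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Constructed sample data: throwaway root CA and server cert in dir $1.
make_sample() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    '[dn]' 'CN=Constructed Test Root CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$d/ca.cnf" \
    -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=ruckus.example.test' \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 60 -out "$d/srv.pem" 2>/dev/null
}

# Demo run on the constructed sample.
demo=$(mktemp -d)
if make_sample "$demo"; then
  key_matches_cert "$demo/srv.pem" "$demo/srv.key" && echo "key matches cert"
  chains_to_root "$demo/ca.pem" "$demo/srv.pem" && echo "chain to root CA OK"
  not_expiring "$demo/srv.pem" 30 && echo "valid for at least 30 more days"
fi
rm -rf "$demo"
```

With real files, pass the root CA obtained in Step 2 and the server certificate and key generated in Step 1 in place of the sample paths.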