Wireless DPSK setup with Ruckus Zone Director

Configure the AAA Server (using the local database is out of scope for this guide)
Log in to the Zone Director and configure the AAA Server from Configure > AAA Servers as shown in the figure below.
Name: Give a name for the AAA Server for identification {jcua for this example}
Type: Active Directory
Global Catalog: {leave it unchecked}
IP Address: IP address of the domain controller
Port: 389 {LDAP port}
Windows Domain Name: domain name {test.com for this example}

Configure the Hotspot Service
From Configure > Hotspot Services, configure a hotspot that authenticates users before allowing their traffic, as shown in the figure below.
Name: Give a name for the hotspot service {JCU-Wireless-Provisioning for this example}
Login Page: https://wireless.test.com/activate {or https://zonedirectorIP/activate}
Start Page: I leave it set to redirect to the URL that the user intends to visit
Authentication Server: The AAA server that we created {i.e., jcua}
Accounting Server: none {out of scope for this documentation, though you can set up RADIUS accounting}
Wireless Client Isolation: I choose full, but then again it depends on the organization's requirements


Set up the Walled Garden so that the open network is used only for provisioning, as shown in the figure below. Go to Walled Garden > Create New and enter the details.

Destination Address: https://wireless.test.com


Configure the Provisioning WLAN
From Configure > WLANs, create a provisioning SSID that uses the hotspot service created above for user authentication, as shown in the figure below.
Name/ESSID: Give a name for the WLAN as well as for the SSID to use. You can provide a separate SSID different from the Name by changing the ESSID field. {JCU-Singapore-Provisioning for this example}
Type: Select Hotspot Service (WISpr)
Authentication Method: Open
Hotspot Services: From the dropdown, select the hotspot service created in the earlier step {JCU-Wireless-Provisioning for this example}


Configure the WLANs and send traffic to the designated VLANs
Now we will create separate WLANs for staff and students and send their traffic to different VLANs for security purposes. In the same way as above, create the WLANs and call them Staff-Wireless and Student-Wireless as shown in the figure below.

Name/ESSID: Staff-Wireless / Student-Wireless
Type: Standard Usage
Method: Open
Encryption Options
Method: WPA2
Algorithm: AES
Passphrase: Type a passphrase
Wireless Client Isolation: None
Zero-IT Activation: Enable
Dynamic PSK: Enable Dynamic PSK with a 62-character passphrase
Priority: High


Note: Under the Advanced options, change the Access VLAN ID for Staff-Wireless and Student-Wireless respectively, as shown in the figure below. (VLAN configuration and trunks are out of scope here.)

Under Configure > WLANs, enable Zero-IT Activation and Dynamic PSK, selecting the correct authentication server (jcua for this example) and PSK Expiration (unlimited in my case), as shown in the figure below.

Test the WLAN
Turn on wireless on your laptop
Select the “JCU-Singapore-Provisioning” network
Optional: choose No or Yes for sharing the connection
Launch a browser (e.g. Internet Explorer, Chrome or Firefox) and go to any webpage. When the browser opens a website, the page will be redirected to a WLAN activation page. If you encounter a page that wants to “Verify Certificate”, click to accept and continue.
Input your domain credentials on the activation page and click “login”. Upon successful authentication, launch “prov.exe” and run the program, as shown in the figure below.
For iPhone and iPad devices, install Zero-IT Activation after the authentication steps, as shown in the figure below.
For Android devices, after authentication, download and install “prov.apk” as shown in the figure below.

Note: For other devices that don’t install the software automatically, the pre-shared key can be obtained and keyed in for the SSID as shown in the figure below.

Finally you can monitor the users connected and the PSK generated from Monitor > Generated PSK/Certs and manage them from there as shown in the figure below.
Some important points:
a.    Based on your Zone Director model number, there is a maximum number of DPSKs that can be generated. In my case, the maximum number of DPSKs that can be generated is 1000, and hence a maximum of only 1000 user devices can be connected. Other models support up to 10000 DPSKs.
b.    Windows Mobile devices have issues copying or keying in the pre-shared key due to missing characters. One workaround is to copy the area from above the pre-shared key box and edit it in a text editor to remove the unwanted text before pasting it.
c.    Some links for understanding DPSK are http://theruckusroom.typepad.com/files/dynamic-psk-fs.pdf , http://www.ruckuswireless.com/press/releases/20100524-dynamic-psk-patent , etc.
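
Point b describes cleaning up a copied key by hand. The Python check below, an added example that is not part of the original post or of any Ruckus tool, pulls the 62-character key out of copied text and flags copies that lost characters or picked up neighbouring text. It assumes the generated key is printable ASCII with no spaces; the function name and the sample text are made up for illustration.

```python
import re

DPSK_LEN = 62                 # length chosen under "Dynamic PSK" on this page
WPA2_MIN, WPA2_MAX = 8, 63    # WPA2 passphrase length limits

# Assumption: keys are printable ASCII without spaces.
_TOKEN = re.compile(r"[\x21-\x7e]+")


def check_copied_key(copied, length=DPSK_LEN):
    """Classify text copied from the key page.

    Returns (status, key): status is "ok", "ambiguous", "truncated",
    "extra_text" or "not_found"; key is set only for "ok".
    """
    if not WPA2_MIN <= length <= WPA2_MAX:
        raise ValueError("length is outside the WPA2 passphrase range")
    tokens = _TOKEN.findall(copied)
    exact = [t for t in tokens if len(t) == length]
    if len(exact) == 1:
        return "ok", exact[0]
    if len(exact) > 1:
        return "ambiguous", None
    longest = max(tokens, key=len, default="")
    if len(longest) > length:
        return "extra_text", None      # neighbouring text fused onto the key
    if len(longest) >= length // 2:
        return "truncated", None       # characters were lost while copying
    return "not_found", None


# Constructed sample, not a real key: 62 printable characters.
SAMPLE_KEY = "Aa1!" * 15 + "Zz"
SAMPLE_COPY = "Your wireless key:\n  " + SAMPLE_KEY + "  \nClick Next"

if __name__ == "__main__":
    for text in (SAMPLE_COPY, SAMPLE_COPY.replace(SAMPLE_KEY, SAMPLE_KEY[:-3])):
        status, key = check_copied_key(text)
        print(status, len(key) if key else "-")
```

The script prints only the status and key length, so the key itself does not end up in terminal scrollback.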
