Ruckus Wireless, Ruckus, the bark logo, ZoneFlex, FlexMaster, ZoneDirector, SmartMesh, Channelfly, Smartcell, Dynamic PSK, and Simply Better Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be trademarks of their respective owners.
This User Guide describes how to install, configure and manage the Ruckus Wireless™ ZoneDirector™ version 9.12.1. This guide is intended for use by those responsible for managing Ruckus Wireless network equipment. Consequently, it assumes a basic working knowledge of local area networking, wireless networking and wireless devices.
Note: Information that describes important features or instructions
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device
Warning: Information that alerts you to potential personal injury
Ruckus Wireless, Inc.
Documentation Feedback
Ruckus Wireless is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Ruckus Wireless at: docs@ruckuswireless.com
When contacting us, please include the following information: •...
Online Training Resources
Introducing Ruckus Wireless ZoneDirector
In this chapter:
• Overview of ZoneDirector
• ZoneDirector Physical Features
• Introduction to the Ruckus Wireless Network
• Ensuring That APs Can Communicate with ZoneDirector
• Installing ZoneDirector
• Accessing ZoneDirector’s Command Line Interface
•...
ZoneDirector, thereby eliminating bottlenecks when higher speed Wi-Fi technologies, such as 802.11ac, are used. This user guide provides complete instructions for using the Ruckus Wireless web interface, the wireless network management interface for ZoneDirector. With the web interface, you can customize and manage all aspects of ZoneDirector and your ZoneFlex network.
This section describes the physical features of these ZoneDirector models.
NOTE: ZoneDirector 1100 is discontinued (EOL) as of release 9.12 and cannot be upgraded to 9.12 or later.
ZoneDirector 1200
This section describes the following physical features of ZoneDirector 1200:
• Buttons, Ports, and Connectors
• Front Panel LEDs
Figure 1.
WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you made, except for AP licenses and SSL certificates.
Front Panel LEDs
Table 2 describes the LEDs on the front panel of ZoneDirector 1200.
Table 2. ZoneDirector 1200 LED descriptions
LED Label State...
LED Label | State | Meaning
Status | Solid Green | Normal state.
Status | Flashing Green | ZoneDirector has not yet been configured. Log into the web interface, and then configure ZoneDirector using the setup wizard.
ZoneDirector has shut down (but is still connected to a power source).
F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you have made, except for AP licenses and SSL certificates.
ZoneDirector 3000
Label | Meaning
Reset | To restart ZoneDirector, press the Reset button once for less than two seconds.
For Ruckus Wireless Support use only
Console | RJ-45 port for accessing the ZoneDirector command line interface.
10/100/1000 Ethernet | Two auto negotiating 10/100/1000Mbps Ethernet ports.
The port has no network cable connected or is not receiving a link signal.
Ethernet Rate | Amber | The port is connected to a 1000Mbps device.
Ethernet Rate | Green | The port is connected to a 10Mbps or 100Mbps device.
ZoneDirector 5000
This section describes the following physical features of ZoneDirector 5000:
• Front Panel Features
• Front Panel (Bezel Removed)
• Control Panel
• Rear Panel Features
Figure 3. ZoneDirector 5000 Front Panel
Front Panel Features
Table 5.
• ESD ground strap attachment
• Hard drive bays (not used)
• Control panel
• RJ45 serial port for accessing the ZoneDirector command line interface.
• USB port (not used).
Control Panel
Figure 5. Control panel buttons and indicators
Table 7. ZoneDirector 5000 control panel
Number | Feature
• Power button
• System reset button
• System status LED (see Table
• Fan status LED
• Critical alarm (not used)
• MJR alarm (not used)
• NMI pin hole button (factory reset button)
• Chassis ID button
• NIC 1 / NIC 2 activity LED
• HDD activity LED (not used)
• RJ45 serial port (COM2/serial B)
• Video connector (not used)
• USB 0 and 1 (#1 on top)
• USB 2 and 3 (#3 on top)
• GbE NIC #1 connector
• GbE NIC #2 connector
• Two ground studs (used for DC-input system)
Table 10. NIC status LEDs
LED Color | LED State | NIC State
Green/Amber (Left): 10Mbps; Green: 100Mbps; Amber: 1000Mbps
Green (Right): Active connection; Blinking: Transmit / Receive activity
ZoneDirector 9.12.1 User Guide, 800-71016-001 Rev A...
Introduction to the Ruckus Wireless Network
Your new Ruckus Wireless network starts when you disperse a number of Ruckus Wireless access points (APs) to efficiently cover your worksite. After connecting the APs to ZoneDirector (through network hubs or switches), running through the Setup Wizard and completing the “Zero-IT”...
How APs Discover ZoneDirector on the Network
1 When an AP starts up, it sends out a DHCP discovery packet to obtain an IP address.
2 The DHCP server responds to the AP with the allocated IP address. If you configured DHCP Option 43 (see Option 2: Customize Your DHCP Server), the...
After the AP registers with ZoneDirector successfully, transfer it to its intended subnet. It will be able to find and communicate with ZoneDirector once you reconnect it to the other subnet.
Class Identifier (VCI). The VCI is a text string that identifies a vendor/type of a DHCP client. All Ruckus Wireless Access Points are configured to send “Ruckus CPE” as the Vendor Class Identifier in option 60, and expect ZoneDirector IP information to be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option code 03 (the sub-option code for ZoneDirector).
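The following is an added example (not from the Ruckus guide) that builds and validates the option 43 payload described above: sub-option code 03 wrapped as a code/length/value TLV and consulted only when option 60 carries “Ruckus CPE”. Encoding the value as an ASCII, comma-separated list of IPv4 addresses is an assumption, as are all function names.

```python
import ipaddress
from typing import Dict, List

RUCKUS_VCI = b"Ruckus CPE"   # option 60 value sent by the APs, per the guide
ZD_SUBOPTION = 3             # sub-option code 03 for ZoneDirector, per the guide


def encode_suboption(code: int, value: bytes) -> bytes:
    """Wrap one value as a code/length/value TLV inside option 43."""
    if not 0 < code < 255:
        raise ValueError("sub-option code must be 1..254")
    if len(value) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def build_option43(zd_ips: List[str]) -> bytes:
    """Build the option 43 payload that points APs at ZoneDirector."""
    # Validate first, so a typo never ends up in the DHCP scope.
    validated = [str(ipaddress.IPv4Address(ip)) for ip in zd_ips]
    # Assumption: the value is the ASCII text of the address list.
    payload = encode_suboption(ZD_SUBOPTION, ",".join(validated).encode("ascii"))
    if len(payload) > 255:
        raise ValueError("option 43 payload longer than 255 bytes")
    return payload


def parse_option43(payload: bytes) -> Dict[int, bytes]:
    """Split an option 43 payload into {sub-option code: value}."""
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        end = i + 2 + length
        if end > len(payload):
            raise ValueError("sub-option %d runs past end of option 43" % code)
        subopts[code] = payload[i + 2:end]
        i = end
    return subopts


def zonedirector_ips(vci: bytes, option43: bytes) -> List[str]:
    """Return the ZoneDirector addresses a DHCP reply hands to an AP.

    Option 43 is vendor specific, so it is only interpreted when the
    client identified itself with the Ruckus vendor class in option 60.
    """
    if vci != RUCKUS_VCI:
        return []
    raw = parse_option43(option43).get(ZD_SUBOPTION)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(p.strip()))
            for p in raw.decode("ascii").split(",")]


if __name__ == "__main__":
    # Constructed sample address, not taken from the guide.
    blob = build_option43(["192.168.10.1"])
    print(blob.hex())
    print(zonedirector_ips(RUCKUS_VCI, blob))
```

Running the parser over the option 43 bytes captured from a DHCP offer is a quick way to confirm that APs are being directed to the intended controller address and nothing else.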
60. While you can encapsulate TLVs in option 43 by hard coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class option spaces, especially when you have more than one vendor type on the network and need “option 43”...
How to Ensure that APs Can Discover ZoneDirector on the Network
Configure Vendor Class Identifier and Vendor Specific Info sub-options on Microsoft DHCP server
Configure vendor class for Ruckus Wireless Access Points:
1 In the Server Manager window, right-click the IPv4 icon, and choose Define Vendor Classes from the menu.
4 Under Available Options, look for the 15 DNS Domain Name check box, and then select it.
5 In the String value text box under Data Entry, type your company’s domain name.
6 Click Apply to save your changes.
7 Click OK to close the Scope Options dialog box.
Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain name in String value
Step 2: Set the DNS Server IP Address on the DHCP Server
1 From Windows Administrative Tools, open DHCP, and then select the DHCP server you want to configure.
Information on configuring the built-in DNS server on Windows is available at http://support.microsoft.com/kb/814591. NOTE: If your DNS server prompts you for the corresponding host name for each ZoneDirector IP address, you MUST enter zonedirector. This is critical to ensuring that the APs can resolve the ZoneDirector IP address.
Firewall Ports that Must be Open for ZoneDirector Communications
After you register the ZoneDirector IP addresses with your DNS server, you have completed this procedure. APs on the network should now be able to discover ZoneDirector on another subnet.
ZoneDirector physical IP address), and that the APs are configured with both ZoneDirectors’ public IP addresses as primary and secondary ZD IPs. • An active ZoneDirector behind NAT will be unable to perform upgrades to the standby ZoneDirector on the other side of the NAT device.
Installing ZoneDirector
Basic installation instructions are included in the Quick Start Guide that shipped with your ZoneDirector. The steps are summarized below:
1 Connect and discover ZoneDirector using UPnP (Universal Plug and Play).
•...
(using either a DB-9 serial cable for the console port or an Ethernet cable for LAN ports).
2 Launch a terminal program, such as HyperTerminal, PuTTY, etc.
3 Enter the following connection settings:
• Bits per second: 115200
• Data bits: 8
• Parity: None
To view a list of commands that are available at the root level, enter help or ?. For more information on using the CLI, see the Ruckus Wireless ZoneDirector Command Line Interface Reference Guide, available from http://support.ruck-...
Using the ZoneDirector Web Interface
The ZoneDirector web interface consists of several interactive components that you can use to manage and monitor your Ruckus Wireless WLANs (including ZoneDirector and all APs).
Dashboard...
Navigating the Dashboard
The Dashboard offers a number of self-contained indicators and tables that summarize the network and its current status. Some indicators have fields that link to more focused, detailed views on elements of the network.
Figure 12.
AP groups. Click the + button next to an AP group to expand the group to display all members of the AP group.
• Support: Shows contact information for Ruckus Wireless support, product registration and support account activation.
• Smart Redundancy: Displays the status of primary and backup ZoneDirector devices, if configured.
Using Indicator Widgets
• Client Device Type: Displays a pie chart of currently connected client devices by OS type as a percentage of the total.
• Top 10 Applications by Usage: Lists the top 10 applications, their total usage in KB and percent of the total.
3 Select any widget icon and drag and drop it onto the Dashboard to add the widget. If you have closed a widget, it appears in this pane.
Figure 14. The widget icons appear at the top-left corner of the Dashboard
4 Click Finish in the Widgets pane to close it.
Removing a Widget
To remove a widget from the Dashboard, click the icon for any of the widgets currently open on the Dashboard. The Dashboard refreshes and the widget that you removed disappears from the page.
Figure 17. The Real Time Monitoring screen
Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and click Start Monitoring to begin.
Stopping and Starting Auto Refresh
Real Time Monitoring Widgets
• CPU Util: Displays the % utilization of ZoneDirector’s CPU.
• Memory Util: Displays the % utilization of ZoneDirector’s memory.
• # of APs: Displays the number of APs being managed by ZoneDirector.
•...
Registering Your Product
NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to receive updates and important notifications, and to make it easier to receive support in case you need to contact Ruckus for customer assistance. You can register your ZoneDirector along with all of your APs in one step using ZoneDirector’s Registration...
Figure 20. Support Widget on the Dashboard
Figure 21. The Product Registration page
Your ZoneDirector is now registered with Ruckus Wireless.
Configuring System Settings
In this chapter:
• System Configuration Overview
• Changing the Network Addressing
• Creating Static Route Entries
• Enabling Smart Redundancy
• Configuring the Built-in DHCP Server
• Controlling ZoneDirector Management Access
• Setting the System Time
•...
(_) and hyphens (-). Do not use spaces or other special characters. Do not start with a hyphen (-) or underscore (_). System names are case sensitive. 3 Click Apply to save your settings. The change goes into effect immediately.
Changing the System Name
Figure 22. The Identity section on the Configure > System page
Changing the Network Addressing
If you need to update the IP address and DNS server settings of ZoneDirector, follow the steps outlined below.
CAUTION! As soon as the IP address has been changed (applied), you will be disconnected from your web interface connection to ZoneDirector.
ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs operate in dual IPv4/v6 mode by default, so you do not need to manually set the mode for each AP.
IPv6 Configuration
If you enable IPv6, you have the option to manually configure an IP address in IPv6 format (128 bits separated by colons instead of decimals) or to choose Auto Configuration. If you choose Manual, you will need to enter IP Address, Prefix Length and Gateway.
ZoneDirector for Smart Redundancy).
To enable an additional management interface:
1 Go to Configure > System.
2 Locate the Management Interface section and click the check box next to Enable IPv4 Management Interface or Enable IPv6 Management Interface.
Enabling an Additional Management Interface
3 Enter the IP Address, Netmask and Access VLAN information for the additional interface. (If IPv6, enter Prefix Length instead of Netmask).
4 (Optional) If you want to configure this management interface with a different gateway from the gateway configured under “Device IP Settings”, select Default gateway is connected with this interface, and enter the gateway IP address in the field provided.
4 Enter a Subnet (in the format A.B.C.D/M, where M is the netmask).
5 Enter the Gateway address.
6 Click OK to save your changes.
You can create up to 4 static route entries.
Figure 26. Creating a static route entry
Static Route Example
As an example, in a network where the APs are connected to ZoneDirector via a cable modem termination system, the APs are in a different subnet and not found via the default gateway. A static route would therefore be needed to allow ZoneDirector to AP connectivity.
Port 443 and Port 33003 are open in any routers and firewalls located between the two ZoneDirectors.
To enable Smart Redundancy:
1 Log in to the web interface of the ZoneDirector you will initially designate as the primary unit.
Configuring ZoneDirector for Smart Redundancy
2 Go to Configure > System, and set a static IP address under Device IP Settings, if not already configured.
3 Click Apply. You will need to log in again using the new IP address (if changed).
4 On the same Configure >...
If you disable Smart Redundancy after it has been enabled, both ZoneDirectors will revert to active state, which could result in unpredictable network topologies. Therefore, Ruckus Wireless recommends first factory resetting the standby ZoneDirector before disabling Smart Redundancy.
Forcing Failover to the Backup ZoneDirector
NOTE: If the active and standby ZoneDirector are on different IP subnets, APs need to know the IP addresses of both ZoneDirectors to quickly find the active ZoneDirector after a Smart Redundancy failover. You can do this by configuring the IP addresses of both devices on the Configure >...
Figure 31. Smart Redundancy status degraded (peer is disconnected, license pool remains valid for 60 days)
Figure 32. After 60 day grace period expires, license pool is revoked and AP license count reverts to active device license level only
Enabling the Built-in DHCP server
NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server if there are no other DHCP servers on the network. ZoneDirector’s internal DHCP server can service only a single subnet (the one it’s in) and not other VLANs that...
may be associated with client WLANs. If you enable the built-in DHCP server, Ruckus Wireless also recommends enabling the rogue DHCP server detector. For more information, refer to Rogue DHCP Server Detection.
Figure 34. The DHCP Server options
Viewing DHCP Clients
To view a list of current DHCP clients, click the click here link at the end of the “To view all currently assigned IP addresses that have been assigned by the DHCP server...”...
ZoneDirector’s web interface.
To restrict access to ZoneDirector’s web interface:
1 Go to Configure > System.
2 Locate the Management Access Control section, and click the Create New link.
3 In the Create New menu that appears, enter a name for the user(s) that you want to allow access to ZoneDirector’s web interface.
4 Enter an IP address, address range or subnet.
•...
• Refresh: Click this to update the ZoneDirector display (a static snapshot) from the internal clock.
• Synch Time with your PC Now: If needed, click this to update the internal clock with the current time settings from your administration PC.
• Use NTP... (Enabled by default): Clear this check box to disable this option, or enter the DNS name or IP address of your preferred NTP server to use a different one.
• Select time zone for your location: Choose your time zone from the drop-down menu.
DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be available for use by your APs. Note that these settings only affect Ruckus Wireless APs that support the extended DFS channel list. Channel Optimization settings are described in the following table.
Table 14. Channel Optimization settings for US Country Code
Setting: Optimize for Interoperability
Description: ZoneFlex APs are limited to non-DFS channels, plus four DFS channels supported by Centrino systems (may not be...
Use this setting when: You have only DFS-capable APs in your network, or Smart Mesh is not enabled, and you are...
Log entries are listed in reverse chronological order (with the latest logs at the top of the list).
3 Click a column header to sort the contents by that category.
4 Click any column twice to switch chronological or alphanumeric sorting modes.
Figure 40. The All Events/Activities page
Customizing the Current Log Settings
You can review and customize the log settings by following these steps:
1 Go to Configure > System.
2 Scroll down to Log Settings.
3 Make your selections from these syslog server options:
•...
Update, Del), AP/ZD MAC, OS Type.
To enable inclusion of client association logs in syslog messages:
1 Go to Administer > Diagnostics.
2 In Debug Logs, select the Client Association check box.
3 Click Apply to save your changes.
4 You must also ensure that syslog delivery is enabled on the Configure > System page and that the Priority level in Remote Syslog Advanced Settings is set to Info or All.
Figure 42.
• sta_ostype: Indicates the station’s OS type. Will be filled with “unknown” if the OS type is unobtainable.
Examples
• Add: operation=add;seq=1;sta_ip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
• Delete: operation=del;seq=4;sta_ip=192.168.120.30;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_sta_log_disconnect
• Update: operation=update;seq=2;sta_ip=192.168.120.30;sta_oriip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
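The following is an added example (not from the Ruckus guide) of a parser for the client association syslog messages shown above, turning them into a per-station address timeline that a log pipeline or investigator can query. The function and class names are assumptions, the prefix on the first sample line is constructed, and ordering by seq assumes the counter increases over time as it does in the guide's examples.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
REQUIRED = ("operation", "seq", "sta_ip", "sta_mac", "zd/ap")

# The guide's three example messages, in the order the guide lists them.
# The prefix on the first line is constructed, to show that a leading
# syslog header is skipped.
SAMPLE_LINES = [
    "constructed-prefix: operation=add;seq=1;sta_ip=192.168.120.16;"
    "sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;"
    "sta_ostype=Windows7/Vista;sta_name=60:36:dd:19:17:ac;"
    "stamgr_handle_remote_ipc",
    "operation=del;seq=4;sta_ip=192.168.120.30;sta_mac=60:36:dd:19:17:ac;"
    "zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;"
    "sta_name=60:36:dd:19:17:ac;stamgr_sta_log_disconnect",
    "operation=update;seq=2;sta_ip=192.168.120.30;sta_oriip=192.168.120.16;"
    "sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;"
    "sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;"
    "stamgr_handle_remote_ipc",
]


@dataclass
class ClientEvent:
    operation: str           # add, update or del
    seq: int
    sta_mac: str
    sta_ip: str
    prev_ip: Optional[str]   # sta_oriip, present on update messages
    zd_mac: str
    ap_mac: str
    os_type: str
    sta_name: str
    origin: str              # trailing token that carries no '='


def _mac(value: str, field: str) -> str:
    if not MAC_RE.match(value):
        raise ValueError(f"{field}: not a MAC address: {value!r}")
    return value.lower()


def _ip(value: str, field: str) -> str:
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"{field}: not an IP address: {value!r}") from exc


def parse_client_event(line: str) -> ClientEvent:
    """Parse one client association message; raise ValueError if malformed."""
    start = line.find("operation=")
    if start < 0:
        raise ValueError("no client association record in line")
    fields: Dict[str, str] = {}
    origin = ""
    for token in line[start:].strip().split(";"):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        elif token.strip():
            origin = token.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if fields["operation"] not in ("add", "update", "del"):
        raise ValueError(f"unknown operation: {fields['operation']!r}")
    # zd/ap carries two MAC addresses separated by a slash.
    zd_mac, sep, ap_mac = fields["zd/ap"].partition("/")
    if not sep:
        raise ValueError("zd/ap does not hold two MAC addresses")
    prev = fields.get("sta_oriip")
    return ClientEvent(
        operation=fields["operation"],
        seq=int(fields["seq"]),
        sta_mac=_mac(fields["sta_mac"], "sta_mac"),
        sta_ip=_ip(fields["sta_ip"], "sta_ip"),
        prev_ip=_ip(prev, "sta_oriip") if prev else None,
        zd_mac=_mac(zd_mac, "zd"),
        ap_mac=_mac(ap_mac, "ap"),
        os_type=fields.get("sta_ostype", "unknown"),
        sta_name=fields.get("sta_name", ""),
        origin=origin,
    )


def address_timeline(events: List[ClientEvent]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each station MAC to its (seq, operation, ip) history."""
    timeline: Dict[str, List[Tuple[int, str, str]]] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        timeline.setdefault(ev.sta_mac, []).append((ev.seq, ev.operation, ev.sta_ip))
    return timeline


def ip_changes(events: List[ClientEvent]) -> List[Tuple[str, str, str]]:
    """List (mac, old_ip, new_ip) for updates where the address changed."""
    return [(ev.sta_mac, ev.prev_ip, ev.sta_ip)
            for ev in sorted(events, key=lambda e: e.seq)
            if ev.operation == "update" and ev.prev_ip and ev.prev_ip != ev.sta_ip]
```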
Configuring Remote Syslog Advanced Settings
Advanced Syslog settings allow you to override the default Facility Name and Priority Level of messages sent to the syslog server. In this way, users can separate different kinds of syslogs according to the facility name on the syslog server side.
3 Enter the recipient email address in the Email Address box provided, and click Apply.
4 Go to Configure > System, and scroll down to the Email Server section.
5 Configure the settings listed in Table
Table 15. SMTP settings for email notification
SMTP Setting | Description
From email address | Type the email address from which ZoneDirector will send alarm messages.
SMTP Server Name | Type the full name of the server provided by your ISP or mail administrator.
NOTE: When the alarm email is first enabled, the alarm recipient may receive a flood of alarm notifications. This may cause the mail server to treat the email notifications as spam and to temporarily block the account.
Customizing Email Alarms that ZoneDirector Sends
NOTE: ZoneDirector sends email notifications for a particular alert only once, unless (1) it is a new alert of the same type but for a different device, or (2) existing alert logs are cleared.
2 Click Enable login warning, and replace the text in the Customize warning content text box according to your preferences.
3 Click Apply to save your changes. The next time a user attempts to log in to ZoneDirector, they will be presented with the warning message you configured.
Figure 46. Enabling and configuring a login warning message
Enabling Management via FlexMaster
If you have a Ruckus Wireless FlexMaster server installed on the network, you can enable FlexMaster management to centralize monitoring and administration of ZoneDirector and other supported Ruckus Wireless devices. This version of ZoneDirector supports the following FlexMaster-deployed tasks:
•...
Figure 47. The FlexMaster Management options
Monitoring ZoneDirector Performance from FlexMaster
If you want to monitor ZoneDirector’s performance statistics from FlexMaster, select Enable Performance Monitoring, enter an update interval, and click Apply. This option is disabled by default.
The procedure for enabling ZoneDirector’s internal SNMP agent depends on whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides security enhancements over the earlier version, and therefore requires you to enter authorization passwords and encryption settings instead of simple clear text community strings.
ZoneDirector with SNMPv3 enabled.
NOTE: For a list of the MIB variables that you can get and set using SNMP, check the related SNMP documentation on the Ruckus Wireless Support Web site at http://support.ruckuswireless.com/documents.
If your network uses SNMPv2
To enable SNMPv2 management:
1 Go to Configure >...
• Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in length.
• Privacy: Choose DES, AES or None.
DES: Data Encryption Standard, data block cipher.
AES: Advanced Encryption Standard, data block cipher.
None: No Privacy passphrase is required.
• Privacy Phrase: If either DES or AES is selected, enter a Privacy phrase between 8 and 32 characters in length.
4 Click Apply to save your changes.
Figure 50. Enabling the SNMPv3 agent
Enabling SNMP Trap Notifications
If you have an SNMP trap receiver on the network, you can configure ZoneDirector to send SNMP trap notifications to the server.
• If you select SNMPv3, enter up to four trap receiver IP addresses along with authentication method passphrase and privacy (encryption) settings.
4 Click Apply to save your changes.
Figure 51. Enabling SNMPv2 trap notifications
Figure 52. Enabling SNMP trap notifications with SNMPv3
Trap Notifications That ZoneDirector Sends
There are several events for which ZoneDirector will send trap notifications to the SNMP server that you specified. Table 16 lists the trap notifications that ZoneDirector sends and when they are sent.
A client has roamed away from an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamIn | A client has roamed in to an AP. The client's MAC address, AP's MAC address and SSID are included.
Table 16. Trap notifications
Trap Name | Description
ruckusZDEventClientAuthFailed | A client authentication attempt has failed. The client's MAC address, AP's MAC address, SSID and failure reason are included.
ruckusZDEventClientAuthorizationFailed | A client authorization attempt to join an AP has failed.
ZoneDirector’s DHCP Relay agent improves network performance by converting DHCP broadcast traffic to unicast to prevent flooding the Layer 2 network (when Layer 3 Tunnel Mode is enabled -- DHCP Relay only applies to Tunnel Mode WLANs.)
Typically, when mobile stations acquire IP addresses through DHCP, the DHCP request and acknowledgment traffic is broadcast to any devices in the same Layer 2 environment. With Tunnel Mode WLANs, this traffic flood is wasteful in terms of bandwidth and computing power.
3 Under Advanced Options, when Tunnel Mode is enabled, the DHCP Relay option becomes available.
4 Under DHCP Relay, select Enable DHCP relay agent with __ DHCP server and select the server you created earlier from the list.
5 Click OK to save your changes.
Figure 55. Enabling DHCP Relay agent for a Tunnel Mode WLAN
Enabling Bonjour Gateway
Bonjour is Apple’s implementation of a zero-configuration networking protocol for Apple devices over IP. It allows OS X and iOS devices to locate other devices such as printers, file servers and other clients on the same broadcast domain and use the services offered without any network configuration required.
The maximum number of ZD site Bonjour Gateway rules is as follows:
Table 17. Max Bonjour rules per controller
ZoneDirector Model | Max Rules
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000
To configure rules for bridging Bonjour services across VLANs:
1 Go to Configure > Bonjour Gateway.
• To VLAN: Select the VLAN to which the service should be made available.
• Notes: Add optional notes for this rule.
4 Click OK to save your changes.
5 Repeat for any additional rules.
• Notes: Add optional notes for this rule.
5 Click OK to save your changes.
6 Repeat for any additional rules.
7 Select the check box next to Enable Bonjour gateway on AP and click the Apply button.
Figure 57. Create an AP site Bonjour policy
Applying a Bonjour Policy to an AP
Once you have created an AP site Bonjour policy, you will need to designate the AP that will be responsible for implementing this policy.
• Students SSID (VLAN 300): Students have a separate SSID with no authentication. They must be able to back up their iPads to the classroom iMac but should not have access to the Apple TV or File Sharing services.
Sharing, while students are given access to iCloud Sync and AirPrint only.
Configuring SPoT Location Services
To take advantage of Ruckus Wireless SmartPositioning Technology (SPoT) location services, ZoneDirector must be configured with the Venue information that is displayed in the SPoT Administration Portal. After completing purchase of the SPoT location service, you will be given account login information that you can use to log into the SPoT Administration Portal.
12 Once the APs have successfully connected to the SPoT server, you can view the status of your SPoT-enabled APs on the Monitor > Location Services page. For more information on configuration and management of your SPoT service, see the SPoT User Guide, available from support.ruckuswireless.com.
Figure 60. SPoT Administration Portal Venue Config page
Figure 61. Enter the venue information in ZoneDirector’s Configure > Location Services page
Figure 62. Configure an AP Group for SPoT location services
Configuring Security and Other Services
In this chapter:
• Configuring Self Healing Options
• Configuring Wireless Intrusion Prevention
• Controlling Network Access Permissions
• Using an External AAA Server
ZoneDirector offers two methods of automatic channel selection for spectrum utilization and performance optimization:
• ChannelFly
• Background Scanning
While Background Scanning must be enabled for rogue AP detection, AP location detection and radio power adjustment, either can be used for automatic channel optimization.
ChannelFly
The main difference between ChannelFly and Background Scanning is that ChannelFly determines the optimal channel based on real-time statistical analysis of actual throughput measurements, while Background Scanning uses channel measurement and other techniques to estimate the impact of interference on Wi-Fi capacity based on progressive scans of all available channels.
• Automatically adjust 2.4 GHz channels using Background Scanning / ChannelFly
• Automatically adjust 5 GHz channels using Background Scanning / ChannelFly
3 Click the Apply button in the same section to save your changes.
Figure 63. Self Healing options
Configuring Self Healing Options Automatic Channel Selection NOTE: ChannelFly channel selection data is persistent across reboots for the following APs only: 7982, 7782, 7782-x, 7781-CM, SC-8800-S. It is not persistent across power cycles for any AP. Background Scanning Using Background Scanning, ZoneDirector regularly samples the activity in all Access Points to assess RF usage, to detect rogue APs and to determine which APs are near each other for mesh optimization.
To see whether Background Scanning is enabled or disabled for a particular AP, go to Monitor > Access Points, and click on the AP’s MAC address. The access point detail screen displays the Background Scanning status for each radio.
Figure 65. Viewing whether Background Scanning is enabled for an AP
Load Balancing
Enabling load balancing can improve WLAN performance by helping to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle.
To enable Load Balancing globally:
1 Go to Configure > Services.
2 In Load Balancing, choose to perform load balancing on either the 2.4 or 5 GHz radio.
3 Enter Adjacent Radio Threshold (in dB), and click Apply.
Figure 66. Enable Load Balancing across adjacent APs by radio type
To disable Load Balancing on a per-WLAN basis:
1 Go to Configure > WLANs.
2 Click the Edit link beside the WLAN for which you want to disable load balancing.
3 Click the Advanced Options link to expand the options.
2.4 GHz and 5 GHz radios. This feature is enabled by default and set to a target of 25% of clients connecting to the 2.4 GHz band. To balance the load on a radio, the AP encourages dual-band clients to connect to the 5 GHz band when the configured percentage threshold is reached.
Figure 68. Distributing clients between the 2.4 and 5 GHz radios
Radar Avoidance Pre-Scanning
The Radar Avoidance Pre-Scanning (RAPS) setting allows pre-scanning of DFS channels in the 5 GHz band to ensure the channel is clear of radar signals prior to transmitting on the channel.
3 Select the Enable AeroScout RFID tag detection check box.
4 Click the Apply button in the same section to save your changes.
ZoneDirector enables AeroScout RFID tag detection on all its managed APs that support this feature.
Figure 70. Enabling AeroScout Tag detection
NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup is not optimal (according to AeroScout documents). For more information on AeroScout Tags and the AeroScout Engine, refer to your AeroScout documentation.
1 Go to Configure > Services, and scroll down to the Active Client Detection section.
2 Click the check box next to Enable client detection ... and enter an RSSI threshold, below which an event will be triggered.
3 Click Apply to save your changes.
Figure 72. Enabling active client detection
A low severity event is now triggered each time a client connects with an RSSI lower than the threshold value entered. Go to Monitor > All Events/Activities to monitor these events.
The Packet Inspection Filter (PIF) allows configuration of rate limits for broadcast neighbor discovery (IPv4 Address Resolution Protocol and IPv6 Neighbor Solicit) packets. The PIF rate limiting threshold affects the following services:
• ARP Broadcast Filter for Mesh links (see Optional Mesh Configuration Features).
• Proxy ARP for WLAN interfaces (see Advanced Options under Creating a WLAN).
• Proxy ARP for Tunneled WLANs (see Tunnel Configuration).
When Proxy ARP or ARP Broadcast Filter services are enabled, the AP attempts to reduce neighbor discovery traffic over the air by replacing broadcast messages with unicast messages for known hosts.
• Down Delay Time: Specifies the time, in milliseconds, to wait before disabling a slave after a link failure has been detected. The default value is 0, range is 0~1000000.
4 Click Apply to save your changes.
Figure 75. Ethernet Port Redundancy
Configuring Wireless Intrusion Prevention
ZoneDirector provides several built-in intrusion prevention features designed to protect the wireless network from security threats such as Denial of Service (DoS) attacks and intrusion attempts. These features, called Wireless Intrusion Prevention System (WIPS), allow you to customize the actions to take and the notifications you would like to receive when each of the different threat types is detected.
Typically, rogue access points are not a threat; however, certain types do pose a threat, and ZoneDirector automatically identifies these as “malicious rogue APs”. The three automatically identified malicious access point categories are as follows:
• SSID-Spoofing: These are rogue access points that are beaconing the same SSID name as a ZoneDirector-managed access point. They pose a threat as someone may be attempting to use them as a honey pot to attract your clients into their network to attempt hacking or man-in-the-middle attacks to exploit passwords and other sensitive data.
ZoneDirector scans the network every five seconds for unauthorized DHCP servers and generates an event every time it detects a rogue DHCP server. The conditions for detecting rogue DHCP servers depend on whether ZoneDirector's own DHCP server is enabled:
3 Click the Apply button that is in the same section. You have completed enabling rogue DHCP server detection. Ruckus Wireless recommends checking the Monitor > All Events/Activities page periodically to determine if ZoneDirector has detected any rogue DHCP servers. When a rogue...
Figure 78. Enabling Rogue DHCP server detection
Controlling Network Access Permissions
ZoneDirector provides several options for controlling client access to your wireless networks and to other wired/wireless network resources. This section is divided into the following subsections according to the features on the Configure > Access Control page:
•...
4 Type a Name for the ACL.
5 Type a Description for the ACL.
6 In Default Mode, set the default access privilege (allow all or deny all) that you want to grant all users by default.
7 In Rules, click Create New or click Edit to edit an existing rule.
8 Define each access policy by configuring a combination of the following:
• Type: The access privilege (allow or deny) that this policy grants.
•...
2 Expand the Device Access Policy section, and click Create New.
3 Enter a Name and optionally a description for the access policy.
4 In Default Mode, select Deny all by default or Allow all by default.
5 In Rules, you can create multiple OS-specific rules for each access policy.
• Description: Description of the rule.
• OS/Type: Select from any of the supported client types.
• Type: Select rule type (allow or deny).
•...
Create New to create a new policy to be selectable from the WLAN configuration dialog.
3 Under Rules, click Create New to create a new rule for this policy.
4 Select an Attribute (VLAN or Rate Limiting) to apply a precedence policy.
5 Select a Precedence Policy (AAA Server, Device Policy or WLAN Configuration) and click up and down arrows to set the order in which policies will take precedence.
6 Click Save to save the rule. You can create up to two rules per policy. The rules will be applied in the order shown in the Order column.
1 Look at the Status column to identify any “Unauthorized” users.
2 Click the Delete button in the Action column in a specific user row. The entry is deleted from the Active/Current Client list, and the listed device is disconnected from your Ruckus Wireless WLAN.
1 Look at the Status column to identify any unauthorized users.
2 Click the Block button in the Action column in a specific user row. The status is changed to Blocked. This will prevent the listed device from using your Ruckus Wireless WLANs.
Figure 86. Click the Block button to permanently delete a client
Reviewing a List of Previously Blocked Clients
1 Go to Configure > Access Control.
2 Review the Blocked Clients table.
3 You can unblock any listed MAC address by clicking the Unblock button for that address.
Figure 87. Unblocking a previously blocked client
Configuring Client Isolation White Lists
When Wireless Client Isolation is enabled on a WLAN, all communication between clients and other local devices is blocked at the Access Point. To prevent clients from communicating with other nodes, the Access Point drops all ARP packets from stations on the WLAN where client isolation is enabled and which are destined to IP addresses that are not part of a per-WLAN white list.
• Isolate wireless client traffic from other clients on the same AP: Enable client isolation on the same Access Point (clients on the same subnet but connected to other APs will still be able to communicate).
• Isolate wireless client traffic from all hosts on the same VLAN/subnet: Prevent clients from communicating with any other hosts on the same subnet or VLAN other than those listed on the Client Isolation Whitelist. If this option is chosen, you must select a Whitelist from the drop-down list of those you created on the Configure >...
ZoneDirector identifies wireless traffic matching this policy as “Well Paid Accounting” and displays this name in the application recognition pie charts and tables.
Figure 90. Defining custom applications for ZoneDirector identification
Configure Application Port Mapping
When an application is unrecognized and generically (or incorrectly) categorized, you can configure an application identification policy by IP Port and Protocol. Wireless traffic that matches a configured policy will be displayed using the policy’s Description text in the Applications widget on the Dashboard and Applications pie charts/tables on the Wireless Clients monitoring page.
“net” in any part of the FQDN or “.net” as the FQDN suffix.
• *.corporate.com – This is an invalid rule. Wildcard “*” and other regular expressions cannot be used in any part of the FQDN.
• “www.corporate.com/games” - This is an invalid rule. The filter cannot parse and block access on text after the FQDN, i.e., in this example it cannot filter the microsite “/games”.
Notes:
•...
2 Expand the Advanced Options section, and locate the Application Visibility section.
3 Ensure that the Enable check box is enabled.
4 Select the policy you created from the Apply Policy Group list.
5 Click OK to save your changes.
Figure 93. Apply an Application Denial Policy to a WLAN
Active Directory server in one of two ways:
• Single Domain Active Directory Authentication
• Multi-Domain Active Directory Authentication
Single Domain Active Directory Authentication
To enable Active Directory authentication for a single domain:
1 Go to Configure > AAA Servers, and click Create New under Authentication/Accounting Servers. The Create New form appears.
2 In Type, select Active Directory.
• In Encryption, select Enable TLS encryption if you want to encrypt all authentication traffic between the client and the Active Directory server.
NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database.
8 Click OK to save changes.
9 To test your authentication settings, see Testing Authentication Settings.
Figure 95. Active Directory with Global Catalog enabled
LDAP
In addition to Microsoft Active Directory, ZoneDirector supports several of the most commonly used LDAP servers, including:
• OpenLDAP
• Apple Open Directory
• Novell eDirectory
•...
9 Click OK to save your changes.
10 If you want to filter more specific settings, see Advanced LDAP Filtering.
NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database.
Figure 96. Creating a new LDAP server object in ZoneDirector
Advanced LDAP Filtering
A search string in LDAP format conforming to RFC 4515 can be used to limit search results. For example, objectClass=Person limits the search to those whose “objectClass”...
Group “student” will be given the same privileges when he/she is authenticated against your LDAP server.
To configure user roles based on LDAP group:
1 Point ZoneDirector to your LDAP server:
• Go to Configure > AAA Servers
• Click Edit next to LDAP
• Enter IP address, Port number, Admin DN and Password
2 Enter the Key Attribute (default: uid).
3 Click OK to save this LDAP server.
4 In Test Authentication Settings, enter the User Name and Password for a known member of the relevant group.
RADIUS server, an additional option will be available in the Test Authentication Settings section to choose to test against the primary or the backup RADIUS server.
To configure a backup RADIUS / RADIUS Accounting server:
1 Click the check box next to Enable Backup RADIUS support.
2 Enter the IP Address, Port number and Shared Secret for the backup server (these fields can neither be left empty nor be the same values as those of the primary server).
3 In Request Timeout, enter the timeout period (in seconds) after which an expected RADIUS response message is considered to have failed.
3 Log in to the ZoneDirector web interface, and go to Configure > WLANs.
4 Click the Edit link next to the WLAN you would like to configure.
5 Under Authentication Options: Method, select MAC Address.
6 Under Authentication Server, select your RADIUS Server.
7 Select the MAC Address Format according to your RADIUS server’s requirements.
8 Click OK to save your changes.
Figure 101. RADIUS authentication using MAC address
You have completed configuring the WLAN to authenticate users by MAC address from a RADIUS server.
2 Under Authentication Options: Method, select 802.1X EAP.
3 Under Encryption Options: Method, select None.
4 Under Authentication Server, select either Local Database or a previously configured RADIUS server from the list.
5 Click OK to save your changes.
RADIUS Attributes
Ruckus products communicate with an external RADIUS server as a RADIUS client. Packets from Ruckus products are called “access-request” or “accounting-request” messages. The RADIUS server, in turn, sends an “access-challenge”, “access-accept”...
==> (24) State: if radius access-challenge in last received radius msg from AAA
(80) Message Authenticator
(95) NAS IPv6 address (if using/talking to an IPv6 RADIUS server)
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)
Figure 103. RADIUS attributes used in authentication
WLAN Type: 802.1X / MAC Auth
Attributes sent from RADIUS server in Access Accept messages:
(1) User name
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
(25) Class
(27) Session-timeout &...
(2) WISPr location name
(4) WISPr redirection URL
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
(80) Message Authenticator
RADIUS Accounting attributes
The following table lists attributes used in RADIUS accounting messages.
Table 18. RADIUS attributes used in Accounting
WLAN Type: 802.1X / MAC Auth
Attributes common to Start, Interim Update, and Stop messages:
(1) User Name
(4) NAS IP Address
(5) NAS Port
(8) Framed IP
(30) Called Station ID: user configurable
(31) Calling Station ID: format is sta's mac...
(64) Tunnel-Type: value only relevant if it is (13) VLAN
(65) Tunnel-Medium-Type: value only relevant if it is (6) 802 (as in all 802 media plus Ethernet)
(81) Tunnel-Private-Group-ID: this is the VLAN ID assignment (per RFC, this is between 1 and 4094)
Table 18. RADIUS attributes used in Accounting (continued)
WLAN Type: WISPr / Web Auth / Guest Access
Attributes common to Start, Interim Update, and Stop messages:
(1) User name
(2) Password
(4) NAS IP address
(5) NAS port
(8) Framed-IP
(30) Called station ID: user configurable...
Properties dialog box.
3 On the Properties dialog box, click Edit Profile... The Edit Dial-in Profile dialog box opens.
4 Click the Authentication tab at the top of the screen.
5 Select Unencrypted authentication (PAP, SPAP).
6 Click OK.
7 Repeat this procedure for additional users or groups.
Figure 104. On the Microsoft IAS page, right-click the user/group and select Properties.
Figure 105. On the Properties page, click Edit Profile...
Figure 106. On the Authentication tab of the Edit Dial-in Profile dialog, select Unencrypted authentication (PAP, SPAP)
You have completed configuring Microsoft IAS for PAP authentication.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is an Authentication, Authorization and Accounting protocol used to authenticate ZoneDirector administrators. ZoneDirector admins can be assigned any of the same three administration privilege levels that can be set manually on the Configure >...
Figure 107. Configuring a TACACS+ AAA server
Once your TACACS+ server is configured on the AAA Servers page, you can select it from the list of servers used to authenticate ZoneDirector administrators on the Administer > Preferences page.
Figure 108. Select TACACS+ for ZoneDirector administrator authentication
Testing Authentication Settings
The Test Authentication Settings feature allows you to query an AAA server for a known authorized user, and return Groups associated with the user that can be used for configuring Roles within ZoneDirector.
• Admin invalid
• User name or password invalid
• Search filter syntax invalid (LDAP only)
These results can be used to troubleshoot the reasons for failure to authenticate users from an AAA server through ZoneDirector.
Managing a Wireless Local Area Network
In this chapter:
• Overview of Wireless Networks
• About Ruckus Wireless WLAN Security
• Creating a WLAN
• Creating a Copy of an Existing WLAN for Workgroup Use
• Customizing WLAN Security
•...
WLAN for visitors and any needed WLANs that fulfill different wireless security or user segmentation requirements. The maximum number of WLANs configurable per ZoneDirector controller is as follows:
Figure 109. Max WLANs by ZoneDirector model
Model                Max WLANs
ZoneDirector 1200
ZoneDirector 3000    1024
ZoneDirector 5000    2048
WLANs on the 5 GHz radio.
CAUTION! Deploying a large number of WLANs per AP will have a performance impact. Ruckus Wireless recommends deploying no more than eight WLANs per AP radio.
About Ruckus Wireless WLAN Security
One of the first things you should decide for each WLAN you create is which methods of authentication and encryption to use for both internal users and guests.
The WLAN Create New workspace includes the following configuration options used to customize your new WLAN. The individual options are explained in detail in the next section, beginning with General Options.
Table 19. Create new WLAN options
Option                    Description
General Options           Enter WLAN name and description.
WLAN Usages               Select usage type (standard, guest access, hotspot, autonomous, social media).
Authentication Options    Select an authentication method for this WLAN (open, 802.1X EAP, MAC address, 802.1X EAP + MAC Address).
Creating a Hotspot Service.
• Hotspot 2.0: Create a Hotspot 2.0 WLAN. A Hotspot 2.0 Operator must first have been created (Configure > Hotspot 2.0 Services) before it will be available for selection. See Creating a Hotspot 2.0 Service.
• Autonomous: Autonomous WLANs are special WLANs designed to continue providing service to clients when APs are disconnected from ZoneDirector. See Autonomous WLANs.
• Social Media: Social Media WLANs require the visitor to “check in” to a social media account before being allowed free Internet access.
• Google/Google+
• LinkedIn
• Microsoft Windows Live
About the Ruckus Wireless Facebook WiFi Implementation
Business owners can use this WLAN type to require users to visit the business owner’s Facebook page and “check in” using a Facebook account before being allowed free access to the Internet.
5 A new browser window opens to allow you to log into your Facebook account.
6 Configure the Facebook WiFi settings according to your preferences:
a Facebook Page: If you have multiple Facebook Pages, select the one that is associated with your business’s location.
11r standard (including iOS devices) can achieve significantly faster roaming between APs.
Encryption Options
Encryption choices include WPA2, WPA-Mixed, WEP-64, WEP-128 and None. WPA2 is the only encryption method certified by the WiFi Alliance and is the recommended method.
WEP has been proven to be easily circumvented, and Ruckus Wireless recommends against using WEP if possible.
Method
• WPA2: Enhanced WPA encryption that complies with the 802.11i security standard.
• WPA-Mixed: Allows mixed networks of WPA and WPA2 compliant devices. Use this setting if your network has a mixture of older clients that only support WPA and TKIP, and newer client devices that support WPA2 and AES.
• Isolate wireless client traffic from other clients on the same AP: Prevents clients connected to the same AP from communicating with each other, but does not prevent clients from communicating with other hosts connected to different APs on the same subnet.
• Isolate wireless client traffic from all hosts on the same VLAN/subnet: Enable this option to prevent clients from communicating with any other host on the network, unless they are specifically allowed in a white list. A Client Isolation White List must first be created on the Configure >...
• Hide SSID: Activate this option if you do not want the ID of this WLAN advertised at any time. This will not affect performance or force the WLAN user to perform any unnecessary tasks.
• Load Balancing: Client load balancing between APs is disabled by default on all WLANs. To disable load balancing for this WLAN only (when enabled globally), check this box. Ruckus Wireless recommends disabling load balancing on VoIP WLANs. For more information, see Load Balancing.
This can be useful for service providers who are more interested in accounting statistics (after authorization) than in all wireless client statistics. For example, a Hotspot WLAN can be configured to allow unauthorized clients to connect and traverse any walled garden web pages without adding to transmission statistics (until after authorization).
• Application Visibility: Enable this option to allow APs to collect client application data, which can then be consolidated for use by the Applications and Top 10 Applications by Usage widgets on the Dashboard.
(Configure > WIPS) must be enabled for 802.11k radio resource management to work properly. If these options are not enabled, the AP will send neighbor reports consisting of only APs found on the same channel as the operating channel of the AP.
NOTE: If 802.11k is disabled, fast roaming between APs is achieved using Opportunistic Key Caching (OKC) and Pairwise Master Key caching (PMK caching). These methods also require Background Scanning to be enabled. Both methods allow clients to roam without having to repeat the entire 802.1X authentication process.
Figure 112. Advanced options for creating a new WLAN
Figure 113. Configuring WLAN service schedule
Creating a Copy of an Existing WLAN for Workgroup Use
If you want to create an additional WLAN based on your existing default WLAN and limit its use to a select group of users (e.g., Marketing, Engineering), you can do so by following these steps:
1 Make a list of the group of users.
[2] fine-tune the existing security mode, or [3] replace this mode entirely with a different authentication and encryption method. The two WLAN-editing processes are described separately, below.
Figure 114. Viewing WLAN security configurations from the Monitor > WLANs page
Fine-Tuning the Current Security Mode
To keep the original security mode and fine-tune its settings:
1 Go to Configure > WLANs.
2 In the Internal WLAN row, click Edit.
3 Choose from the following options to keep the default WPA2 encryption with no authentication (Open Auth).
7 When you are finished, click OK to apply your changes.
NOTE: Replacing your WPA configuration with 802.1X requires the users to make changes to their Ruckus wireless connection configuration, which may include the importation of certificates.
Using the Built-in EAP Server
(Requires the selection of “Local Database”...
Authenticating with an External RADIUS Server
You can also use an external RADIUS server for your wireless client 802.1X/EAP authentication. An EAP-aware RADIUS server is required for this application. Also, you might need to deploy your own certificates for wireless client devices and for the RADIUS server you are using.
APs, each radio can be assigned to only one WLAN Group (single radio APs can be assigned to only one WLAN Group). The maximum number of WLAN groups that you can create depends on the ZoneDirector model.
Table 20. Maximum number of WLAN groups by ZoneDirector model
ZoneDirector Model    Max WLAN Groups
ZoneDirector 1200
ZoneDirector 3000     1024
ZoneDirector 5000     2048
Creating a WLAN Group
1 Go to Configure > WLANs.
3 In WLAN Group, click Override Group Config and select the WLAN group to which you want to assign the AP. Each AP (or radio, on dual radio APs) can only be a member of a single WLAN group.
4 Click OK to save your changes.
Figure 116. Assign a WLAN group to an AP
Viewing a List of APs That Belong to a WLAN Group
1 Go to Monitor > WLANs.
2 Under Currently Active WLAN Groups, click the WLAN group name for which you want to view the member AP list.
• Verifying that those trunk ports are on the same native VLAN.
Example configuration (Figure 117): VLAN 20 is used for internal clients, VLAN 30 is used for guest clients, and Management VLAN configuration is optional.
Figure 117. Sample VLAN configuration
You must ensure that switch ports are configured properly to pass the VLAN traffic necessary for ZoneDirector, AP and client communications. In the sample VLAN scenario above, the switch ports would need to be configured as follows:
•...
5 In Device IP Settings, enter the VLAN ID in the Access VLAN field.
6 If you are using an additional management interface for ZoneDirector, enter the same ID in the Access VLAN field for the additional management interface.
7 Click Apply to save your settings.
NOTE: ZoneDirector will need to be rebooted after changing management VLAN settings.
8 Go to Administer > Restart, and click Restart to reboot ZoneDirector.
CAUTION! When configuring or updating the management VLAN settings, make sure that the same VLAN settings are applied on the Configure >...
2 In Authentication Server, select the RADIUS server that you configured on the AAA Servers page.
3 Expand the Advanced Settings section and click the Enable Dynamic VLAN box next to Access VLAN.
4 Click OK to save your changes.
Figure 120. Enabling Dynamic VLAN
Priority of VLAN, Dynamic VLAN and Tunnel Mode
If the VLAN, Dynamic VLAN and Tunnel Mode features are all enabled and they have conflicting rules, ZoneDirector prioritizes and applies these three features in the following order:
1 Dynamic VLAN (top priority)
2 VLAN...
Here is an example of the required attributes for three users as defined on Free RADIUS:
0018ded90ef3 User-Name = user1, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0014
00242b752ec4 User-Name = user2, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0012
013469acee5 User-Name = user3, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0012
The values in bold are the users' MAC addresses.
NOTE:
Working with VLAN Pools
When WiFi is deployed in a high density environment such as a stadium or a university campus, the number of IP addresses required for client devices can easily run into the thousands.
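The dynamic VLAN attributes from the Free RADIUS example above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and the Ruckus-SSID vendor attribute from the RADIUS attribute lists can be checked on the wire with a small parser. This is an added example, not Ruckus code; the function names and the sample packets are constructed for illustration, and the packet layout and tag handling follow RFC 2865 and RFC 2868.

```python
import struct

# Attribute numbers and values as listed in the guide's RADIUS tables.
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific container (not listed in the guide)
TUNNEL_TYPE = 64              # only relevant when the value is 13 (VLAN)
TUNNEL_MEDIUM_TYPE = 65       # only relevant when the value is 6 (802)
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID assignment, 1 to 4094
RUCKUS_VENDOR_ID = 25053
RUCKUS_SSID = 3
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def parse_packet(packet):
    """Return (code, [(type, value), ...]); authenticators are not verified here."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def ruckus_ssid(attrs):
    """Return the Ruckus-SSID carried in a Vendor-Specific attribute, or None."""
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if int.from_bytes(value[:4], "big") != RUCKUS_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                break  # malformed sub-attribute: stop walking this VSA
            if v_type == RUCKUS_SSID:
                return sub[2:v_len].decode("utf-8", "replace")
            sub = sub[v_len:]
    return None


def dynamic_vlan(packet):
    """Return (vlan_id, []) when all three tunnel attributes are valid, else (None, problems)."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None, ["not an Access-Accept"]
    found = {}
    for a_type, value in attrs:
        found.setdefault(a_type, value)  # first instance of each attribute wins

    def tagged_int(a_type):
        # RFC 2868: one tag octet followed by a 3-octet value
        value = found.get(a_type)
        if value is None or len(value) != 4:
            return None
        return int.from_bytes(value[1:], "big")

    problems = []
    if tagged_int(TUNNEL_TYPE) != 13:
        problems.append("Tunnel-Type is not 13 (VLAN)")
    if tagged_int(TUNNEL_MEDIUM_TYPE) != 6:
        problems.append("Tunnel-Medium-Type is not 6 (802)")
    raw = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]  # leading octet up to 0x1F is treated as a tag, not text
    text = raw.decode("ascii", "replace")
    vlan = int(text) if text.isascii() and text.isdigit() else None
    if vlan is None or not 1 <= vlan <= 4094:
        problems.append("Tunnel-Private-Group-ID is not a VLAN ID in 1..4094")
    return (None, problems) if problems else (vlan, [])


def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value


def build_packet(code, *attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def tagged_value(number):
    return b"\x00" + number.to_bytes(3, "big")


# Constructed sample packets (zeroed authenticator, made-up SSID).
GOOD_ACCEPT = build_packet(ACCESS_ACCEPT, attr(64, tagged_value(13)),
                           attr(65, tagged_value(6)), attr(81, b"0014"))
BAD_ACCEPT = build_packet(ACCESS_ACCEPT, attr(64, tagged_value(13)), attr(81, b"4095"))
REQUEST = build_packet(ACCESS_REQUEST, attr(1, b"user1"),
                       attr(26, RUCKUS_VENDOR_ID.to_bytes(4, "big") + attr(3, b"corp-wlan")))

if __name__ == "__main__":
    print(dynamic_vlan(GOOD_ACCEPT))
    print(dynamic_vlan(BAD_ACCEPT))
    print(ruckus_ssid(parse_packet(REQUEST)[1]))
```

Running the same check against a capture of your own RADIUS server's Access-Accept shows whether a user entry is missing one of the three attributes before you enable Dynamic VLAN on the WLAN.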
VLAN pool by clicking Create New VLAN Pool.
5 Click OK to save your changes.
Clients connecting to this WLAN will now be automatically assigned to a VLAN from the specified VLAN pool.
Figure 122. Assign a VLAN Pool to a WLAN
NOTE: A VLAN pool cannot be applied to a WLAN with a Device Policy enabled, and vice-versa. If a Device Policy is selected, the VLAN Pooling option will automatically be disabled.
ZoneDirector supports up to 32 WISPr Hotspot service entries, each of which can be assigned to multiple WLANs.
To create a Hotspot service:
1 Go to Configure > Hotspot Services.
2 Click Create New. The Create New form appears.
3 In Name, enter a name for this hotspot service. (You will need to choose this name from a list when creating a WLAN to serve this hotspot service.)
4 In WISPr Smart Client Support, select whether to allow WISPr Smart Client support:
•...
The page refreshes and the hotspot service you created appears in the list. You may now assign this hotspot service to the WLANs that you want to provide hotspot Internet access, as described in Assigning a WLAN to Provide Hotspot Service.
Working with Hotspot Services
Assigning a WLAN to Provide Hotspot Service
Figure 123. Creating a Hotspot service
NOTE: If ZoneDirector is located behind a NAT device and signed certificates are used with portal authentication, a static entry must be added to the DNS server to resolve ZoneDirector’s private IP address to its FQDN.
URL for an example:
http://portal.free.com/?sip=192.168.120.15&mac=74911a20dac0&client_mac=00216a95b0de&uip=192.168.120.13&lid=101&dn=free.com&url=&ssid=Free-WiFi&loc=London&vlan=101
For a more complete guide on enabling WISPr Hotspot services with ZoneDirector, refer to the Ruckus Enabling WISPr Application Note.
Table 22. Common WISPr Attributes
Abbreviation Description
The IP address of ZoneDirector.
The MAC address of the Access Point (Ethernet).
The Location ID of the Hotspot service.
The client’s real IP address. In a Layer 3 NAT environment, the client’s IP address will be translated to the gateway’s IP address when logging to the Hotspot service.
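A portal that receives the redirect shown above gets every parameter by way of the client's browser, so each one should be validated before it is used for logging, policy or a post-login redirect. The following is an added example, not Ruckus code: the parameter meanings are inferred from the sample URL and Table 22, and the controller allowlist and the reading of url as the page the client originally requested are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The sample redirect URL from this guide.
SAMPLE_URL = ("http://portal.free.com/?sip=192.168.120.15&mac=74911a20dac0"
              "&client_mac=00216a95b0de&uip=192.168.120.13&lid=101&dn=free.com"
              "&url=&ssid=Free-WiFi&loc=London&vlan=101")

# Assumption: the portal keeps an allowlist of the controllers it serves.
KNOWN_CONTROLLERS = {ipaddress.ip_address("192.168.120.15")}
MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")


class RedirectError(Exception):
    """Raised when a redirect parameter fails validation."""


def _one(params, name):
    """Return the single value of a parameter; reject absent or repeated ones."""
    values = params.get(name, [])
    if len(values) > 1:
        raise RedirectError(f"{name} repeated")
    if not values:
        raise RedirectError(f"{name} missing")
    return values[0]


def _text(params, name, max_len=64):
    """Free-text field: bounded length, no control characters."""
    value = _one(params, name)
    if len(value) > max_len or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise RedirectError(f"{name} has bad length or control characters")
    return value


def parse_redirect(url, controllers=KNOWN_CONTROLLERS):
    """Validate the query string of a hotspot redirect and return typed values."""
    try:
        params = parse_qs(urlsplit(url).query, keep_blank_values=True,
                          max_num_fields=32)
    except ValueError as exc:
        raise RedirectError(f"unparseable query: {exc}") from None
    out = {}
    for name in ("sip", "uip"):
        raw = _one(params, name)
        try:
            out[name] = ipaddress.ip_address(raw)
        except ValueError:
            raise RedirectError(f"{name} is not an IP address") from None
    if out["sip"] not in controllers:
        raise RedirectError("sip is not a known controller")
    for name in ("mac", "client_mac"):
        raw = _one(params, name)
        if not MAC_RE.fullmatch(raw):
            raise RedirectError(f"{name} is not 12 hex digits")
        out[name] = raw.lower()
    raw = _one(params, "vlan")
    if not re.fullmatch(r"[0-9]{1,4}", raw) or not 1 <= int(raw) <= 4094:
        raise RedirectError("vlan outside 1-4094")
    out["vlan"] = int(raw)
    ssid = _one(params, "ssid")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise RedirectError("ssid must be 1-32 bytes")
    out["ssid"] = ssid
    for name in ("lid", "dn", "loc"):
        out[name] = _text(params, name)
    target = _one(params, "url")  # may be empty, as in the sample
    if target:
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise RedirectError("url must be absolute http(s)")
    out["url"] = target
    return out


def check(url):
    """Return 'ok' or the reason the redirect was rejected."""
    try:
        parse_redirect(url)
        return "ok"
    except RedirectError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check(SAMPLE_URL))
    print(check(SAMPLE_URL + "&sip=10.0.0.1"))
```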
Each NAI realm entry can contain up to four EAP methods. Each EAP method can contain up to four authentication types.
Domain Name List: List of domain names of the entity operating the access network. Up to five entries can be created.
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
Table 23. Hotspot 2.0 Service Provider profile configuration
Option Description
Roaming Consortium List: List of Organization Identifiers included in the Roaming Consortium list, as defined in IEEE802.11u, dot11RoamingConsortiumTable. Up to two Roaming Consortium entries can be created.
Operator Profile.
HESSID: Homogeneous extended service set identifier. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS. The HESSID value must be identical to one of the BSSIDs in the homogeneous ESS.
Figure 126. Hotspot 2.0 Operator profile configuration options
Option Description
WAN Metrics: Provides information about the WAN link connecting an IEEE 802.11 access network and the Internet; includes link status and backhaul uplink/downlink speed estimates.
DGAF option. This option prevents stations from forwarding group-addressed (multicast/broadcast) frames and converts group-addressed DHCP and ICMPv6 router advertisement packets from layer 2 multicast to unicast.
7 Click OK to save your changes.
AP venue names for individual APs.
Working with Dynamic Pre-Shared Keys
Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of normal Pre-shared Key (PSK) wireless networks. Unlike typical PSK networks, which share a single key amongst all devices, a Dynamic PSK network assigns a unique key to every authenticated user.
8 Ensure that the Zero-IT Activation check box is enabled.
9 Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62 characters).
10 Choose whether to use Secure DPSK or Mobile Friendly DPSK.
• Secure DPSK: Includes almost all printable ASCII characters, including periods, hyphens, dashes, etc. This option is more secure; however, it is difficult to input for mobile clients whose keyboards may not contain the entire set of printable ASCII characters.
(never expires).
4 In Validity Period, select Effective from first use or Effective from creation time.
5 Click the Apply button that is in the same section. The new setting goes into effect immediately.
Generating Multiple Dynamic PSKs
Figure 130. Dynamic PSK expiration options
NOTE: If you change the dynamic PSK expiration period, the new expiration period will only be applied to new PSKs. Existing PSKs will retain the expiration period that was in effect when the PSKs were generated.
MAC address of the device that he used will be permanently associated with the dynamic PSK that he used. To enable wireless users to access the wireless network, you need to send them the following information:
• User Name: The user name generated via batch DPSK generation (by default, “Batch_DPSK_User_[#]”).
• WLAN Name: This is the WLAN that they are authorized to access and on which they use the dynamic PSK passphrase that you generated.
• Passphrase: This is the network key that the user needs to enter on his WLAN configuration client to access the WLAN.
Bypass Apple CNA
When a client connects to a wireless network, the CNA feature launches a pre-browser login utility and it sends a request to a success page on the Apple website. If the success page is returned, the device assumes it has network connectivity and no action is taken. However, this login utility is not a fully functional browser, and does not support HTML, HTML5, PHP or other embedded video. In some situations, the ability to skip the login page for open WLANs is a benefit.
Managing Access Points
In this chapter:
• Adding New Access Points to the Network
• Working with Access Point Groups
• Configuring AP Ethernet Ports
• Reviewing Current Access Point Policies
• Importing a USB Software Package
• Managing Access Points Individually
•...
1 Place the new APs in the appropriate locations.
2 Write down the MAC address (on the bottom of each device) and note the specific location of each AP as you distribute them.
3 Connect the APs to the LAN with Ethernet cables.
NOTE: By default, Ruckus Wireless APs will attempt to obtain an IP address via DHCP as soon as they are connected to the network. If you do not want the AP to automatically request an IP address, you must first configure a static IP address using the AP web interface or CLI before connecting them to your network.
Adding New Access Points to the Network
Verifying/Approving New APs
Figure 136. The Monitor > Access Points page
> Edit [AP MAC address]) and set the Tx Power setting to a lower setting.
Table 24. Maximum number of AP groups by ZoneDirector model
ZoneDirector Model Max AP Groups
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000
ZoneDirector 9.12.1 User Guide, 800-71016-001 Rev A...
2.4 GHz or 5 GHz radio. If 11n/ac Only Mode is enabled, all older 802.11b/g devices will be denied access to the radio.
WLAN Group: Specify which WLAN group this AP group belongs to.
Call Admission Control (Disabled by default). Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information.
Spectralink (Disabled by default).
Group Settings section of the Editing [AP Group] form. The Group Settings section is divided into two subsections:
• Members: Lists the current member APs of this AP group.
• Access Points: Lists the APs that are members of other AP groups.
Working with Access Point Groups
Modifying Model Specific Controls
To move an AP from the current AP group to another group:
1 In Members, select the AP (or APs) that you want to move to another AP group, select the target AP group from the menu, and click the Move to button. (To select all APs in the group, click the check box at the top of the column.)
2 Click OK to save your changes.
• USB Software: On SmartPoint APs (ZoneFlex 7321-u only), you can override the system default USB software per AP group using this setting. See Importing a USB Software Package.
• Port Settings: See Configuring AP Ethernet Ports.
The BLE devices plug into a USB port on the AP, and the AP can be configured to turn power to the USB port either on or off. Ruckus Wireless APs with USB ports supporting BLE devices can provide power to the BLE device. The BLE devices perform whatever tasks they are designed to do without interference from or control (other than supplying USB power) by the Ruckus Wireless network equipment.
4 In Port Setting, select Override System Default. The screen changes to display the Ethernet ports on the AP model currently selected.
5 Deselect the check box next to Enable to disable this LAN port entirely. All ports are enabled by default.
6 Select the check box next to Tunnel to tunnel all Ethernet traffic on this access port to ZoneDirector. By default, Ethernet traffic is bridged to the network at the AP, rather than tunneled to ZoneDirector. In some specific scenarios (such as Point of Sales and hotel room applications), tunneling Ethernet traffic to ZoneDirector may be preferable.
Configuring AP Ethernet Ports
Figure 140. The ZoneFlex 7982 has two Ethernet ports, LAN1 and LAN2
Figure 141. The ZoneFlex 7055 has four front-facing Ethernet ports and one rear port
DHCP Option 82
The “DHCP Relay Agent Information Option” (Option 82) allows a DHCP Relay Agent to insert specific identification information into a request that is being forwarded to a DHCP server. When this option is enabled for an Ethernet port or a WLAN SSID, additional information will be encapsulated in DHCP option 82 and inserted into DHCP request packets.
By default, all ports are enabled as Trunk Ports with Untag VLAN set as 1 (except for ZoneFlex 7055, whose four front-bottom ports are enabled as Access Ports by default). If configured as an Access Port, all untagged ingress traffic is sent to the configured Untag VLAN, and all egress traffic is sent untagged. If configured as a Trunk Port, all untagged ingress traffic is assigned to the configured Untag VLAN (by default, 1), and all VLAN-tagged traffic on VLANs 1-4094 will be seen when present on the network.
802.1X provides logical port control and leverages the EAP authentication and RADIUS protocols to allow the network policy to be effectively applied in real time, no matter where the user connects to the network.
AP Ethernet ports can be individually configured to serve as either an 802.1X supplicant (authenticating the AP to an upstream authenticator switch port), or as an 802.1X authenticator (receiving 802.1X authentication requests from downstream supplicants).
In this configuration, it is expected that the connected authenticator port is configured with the following characteristics:
• As a Trunk Port to pass all VLAN packets, and
• In port-based authentication mode
Each AP is allowed to configure a maximum of one Ethernet port as an 802.1X supplicant, and the supplicant port must be a Trunk Port.
Figure 144. Configuring an AP Ethernet port as an 802.1X Supplicant
Viewing AP Ethernet Port Status
You can view the status of an AP’s port configuration by going to Monitor >...
Figure 145. Viewing an AP’s Ethernet port configuration
ZoneDirector. NOTE: If you have two ZoneDirectors of the same model, Ruckus Wireless recommends using the Smart Redundancy feature. If you have two ZoneDirectors of different models, you can use Limited ZD Discovery to provide limited redundancy;...
1280 will affect IPv6 connectivity.
• Auto Recovery: Set an AP auto recovery time in minutes, after which APs will reboot in an attempt to reconnect to ZoneDirector. Default is 30 minutes.
3 Click Apply to save and apply your settings.
Reviewing Current Access Point Policies
Figure 146. Setting global AP policies on the Configure > Access Points page
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector’s Smart Redundancy feature (see Enabling Smart Redundancy) can only be used with two ZoneDirectors of the same model (e.g., two ZoneDirector 1200s).
APs’ primary/secondary ZD settings will not be overwritten by the secondary ZoneDirector’s configuration after failover to the secondary controller.
12 Click Apply to save your changes.
13 Reboot the backup/secondary ZoneDirector for all changes to take effect (Administer > Restart > Restart).
Default AP Group/WLAN Group. Additionally, you must make sure that the maximum number of APs is not exceeded.
Table 28. Max APs by ZoneDirector model
Model Max APs per controller
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000 1000
Importing a USB Software Package
Ruckus ZoneFlex Access Points with USB ports (“SmartPoint”...
8 The AP implements the 802.11 wireless configuration and is ready to provide 802.11 wireless services.
9 A wireless client connects to the AP’s 802.11 wireless service, and the data traffic is tunneled to ZoneDirector through the LWAPP tunnel.
Figure 147. Importing a USB software package
Managing Access Points Individually
You can add a description, or change the channel selection, transmit power and Ethernet port settings of a managed access point by editing the AP’s parameters. Additionally, you can manually assign an IP address or disable WLAN service entirely for a specific radio.
(netmask, gateway, and DNS servers).
• If you want to assign a static IP address to the AP, click the Manual option next to Device IP Settings, and then set the values for the following options: IP Address
Root AP, Mesh AP, or Disable (default is Auto). In most cases, Ruckus Wireless recommends leaving this setting on Auto to reduce the risk of isolating a Mesh AP. Select Disable if you do not want this AP to be part of your mesh network.
4 Click Create New to create a new venue name for this AP. Select the language and enter the venue name in that language.
5 Click Save to save the entry, and click OK to save the Venue Name settings for the AP.
Figure 150. Setting the Venue Name for a Hotspot 2.0 service AP
Optimizing Access Point Performance
ZoneDirector, through its web interface, allows you to remotely monitor and adjust key hardware settings on each of your network APs. After assessing AP performance in the context of network performance, you can reset channels and adjust transmission power, or adjust the priority of certain WLANs over others, as needed.
1 Go to Configure > Access Points.
2 Review the Access Points table and identify an AP that you want to adjust.
3 Click the Edit button in that AP row.
4 Review and adjust any of the following Editing (AP) options:
NOTE: Some options are read-only depending on the approval status.
• Channelization: Choose 20/40MHz or Auto channel width (11n APs only).
• Tx Power: Choose the amount of power allocated to this channel. The default setting is “Auto”...
Monitoring Your Wireless Network
In this chapter:
• Reviewing the ZoneDirector Monitoring Options
• Importing a Map View Floorplan Image
• Using the Map View Tools
• Evaluating and Optimizing Network Coverage
• Reviewing Current Alarms
• Reviewing Recent Network Events
•...
• Configure: Use the options in this tab to assess the current state of WLAN users, any restricted WLANs, along with the settings for guest access, user roles, etc. You can also combine this tab's options with those in the Administer tab to perform system diagnostics and other preventive tasks.
You can import an unlimited number of floorplan images to ZoneDirector. However, the total file size of all imported floor maps is limited to 2MB on ZoneDirector 1200, and 10MB on ZoneDirector 3000/5000. An error message appears when these file size limits are reached.
5 Drag each marker icon from the upper left corner into its correct location on the floorplan. When you finish, you can make immediate use of the Map View to optimize your wireless coverage, as detailed in Optimizing Access Point Performance.
Using the Map View Tools
If your worksite floorplan has been scanned in and mapped with APs, the Map View will display a graphical image of your physical Ruckus network AP distribution.
Figure 152.
10 Scale legend: To properly assess the distances in a floorplan, a scaler has been provided so that you can place APs in the most precise location.
11 Open Space Office drop-down list: Open Office Space refers to the methodology used to compute RF coverage/signal% (i.e., heat map) based on the current environment.
AP Icons
Each AP marker has variable features that help indicate identity and status: A normal AP marker displays the description of the AP and the number of users that are currently associated...
3 After physically relocating the actual APs in accordance with Map View repositioning, reconnect each AP to a power source. When ZoneDirector has recalibrated the Map View after each AP restart, you can assess your changes and make further adjustments as needed.
Reviewing Current Alarms
If an alarm condition is detected, ZoneDirector will record it in the events log, and if configured, will send an email warning. To review the current alarms and clear all resolved alarm records, follow these steps:
1 Go to Monitor >...
4 You can click Clear All at the bottom of the table to resolve and clear all events in the view.
Monitoring WLAN Status
The Monitor > WLANs page lists the currently deployed WLANs, WLAN Groups, VLAN Pools, Events/Activities and RADIUS statistics for any WLANs that use RADIUS authentication.
Figure 154. The Monitor > WLANs page
The Applications/Ports pie chart displays user activity by application or port for the selected time span. The Application Performance chart displays uplink and downlink throughput over time. Select time span, AP group and SSID to change the values displayed in the charts.
Reviewing Current User Activity
Viewing Application Usage Statistics
Figure 155. Monitoring client activity
Click the Show Details button to display detailed application or port usage percentages.
Figure 156. Click Show Details to view application usage statistics
Figure 157. Client application usage details table
Viewing Application Usage by Client
The Applications pie chart can also be used to discover which clients are using the most used applications. When you mouse over a section of the pie chart, a table is displayed to the right providing a list of the top 10 clients responsible for this traffic.
The Inactive Clients table displays a list of inactive clients and can be used to view usage statistics of recently disconnected clients.
Events/Activities
The Events/Activities table displays a client-specific subset of the events listed on the All Events/Activities page.
Figure 160. Monitoring Clients
2009), the channel width (20S or 40S), and the data rate in Mbps.
• Contains a Client Performance icon (see Monitoring Client Performance).
Events: Displays a client-specific subset of the events in the All Events/Activities table.
Monitoring Individual Clients
Figure 161. Viewing individual client information and performance statistics
Monitoring Client Performance
The Client Performance graph can be used to track the uplink/downlink throughput and estimated capacity of a specific client over time. To monitor a client’s performance:
1 Go to Monitor >...
The estimated capacity is the maximum potential throughput of a particular client. Estimated capacity or estimated throughput is the short-time averaged MSDU throughput the client is receiving when the AP is actually transmitting to that client. It is measured in bits/s and takes into account the PHY rate, error rate, and all contention due to 802.11 and non-802.11 transmitters.
Mesh AP eMesh AP Number of hops
Mesh Mode: Displays whether the AP is manually set as a Root or Mesh AP, or set to automatically choose Mesh mode.
IP Address: The IP address of the AP.
External IP:Port: This column displays the public IP and port number for APs connected via Layer 3 behind a NAT device.
VLAN: The VLAN ID, if configured.
Channel: Displays the channel number and channel width. On dual band APs, details for each radio are shown.
Using the AP Status Overview Page
Figure 164. Saving a managed AP list as a CSV file
Currently Managed AP Groups
Click the + icon to expand the AP group to display all members of the group.
Figure 165. Viewing AP group members
Events/Activities
This table displays an AP-related subset of the information on the Monitor > All Events/Activities page.
100% - total. High numbers indicate contention in the channel.
LAN Port Configuration: Displays the current configuration of the AP’s LAN ports, including their enabled state, type (Access Port or Trunk Port), and Access VLAN ID.
Performance: Displays a graphical view of AP performance and RF environment statistics. Three Performance analysis graphs plot the capacity, throughput, associated clients and RF contention in the channel as a function of time. The estimated capacity is the maximum potential throughput of a particular client or the current mix of clients.
Different chipsets can report these errors in different ways and certain types of noise can even mask these errors entirely. RF Pollution is a more stable metric that will never produce misleading results.
Figure 166. Viewing an individual AP’s information
Figure 167. Monitoring an AP’s performance
3 The Spectrum Analysis display opens in a new window.
4 Select 2.4G or 5G to choose the frequency band for which spectrum analysis data will be collected and click Start Monitoring to begin.
Spectrum Analysis
Figure 168. APs that support spectrum analysis display an extra icon in the Actions table
Figure 169. The Spectrum Analysis page
Temperature and orientation sensors are available on most Ruckus Wireless outdoor APs.
Orientation
This sensor displays the mounting orientation of the AP. Three orientations are possible:
• Desktop/Horizontal Mount
• Ceiling/Horizontal Mount
• Wall/Vertical Mount
Figure 170. AP orientation sensor information
Temperature
This sensor displays the temperature statistics as reported by the AP.
Figure 171. AP temperature sensor information
Monitoring Mesh Status
The Monitor > Mesh page can be used to view Smart Mesh topologies of any mesh trees present on your network.
LAN resources. This would potentially allow even more unauthorized users to access your corporate LAN - posing a security risk. Rogue APs also interfere with nearby Ruckus Wireless APs, thus degrading overall wireless network coverage and performance.
Detecting Rogue Access Points
Figure 173. Rogue devices indicator
2 When the Monitor > Rogue Devices page appears, three tables are listed:
• Currently Active Rogue Devices: Lists all currently detected rogue APs.
• Known/Recognized Rogue Devices: Lists rogue APs that have been marked as known, typically neighbor APs.
To assist in physically locating rogue devices, click the plus sign (+) icon next to a detected rogue AP. This expands a list to display which ZoneFlex APs have detected this rogue, sorted according to signal strength.
Figure 174. Monitoring Rogue Access Points
Monitoring System Ethernet Port Status
To view the status of ZoneDirector’s Ethernet ports, go to Monitor > System Info. The table displays the MAC address, Interface ID, physical link status, link speed, and total packets/bytes received/transmitted on the port since last restart.
Configure > Access Points > AP Groups page, go to Monitor > Location Services.
NOTE: For information on configuration and administration of Ruckus SmartPositioning Technology (SPoT) service, please refer to the SPoT User Guide, available from the Ruckus support site: https://support.ruckuswireless.com.
Figure 177. Monitoring Location Services
You can also view the status of location services venues by dragging the Location Services widget onto the Dashboard.
Figure 178. SPoT dashboard widget
Managing User Access
In this chapter:
• Enabling Automatic User Activation with Zero-IT
• Adding New User Accounts to ZoneDirector
• Managing Current User Accounts
• Creating New User Roles
• Managing Automatically Generated User Certificates and Keys
• Using an External Server for User Authentication
•...
Enabling Automatic User Activation with Zero-IT
Ruckus Wireless Zero-IT Activation allows network users to self-activate their devices for secure access to your wireless networks with no manual configuration required by the network administrator. Once your ZoneFlex network is set up, you need only direct users to the Activation URL, and they will be able to automatically authenticate themselves to securely access your wireless LAN.
Figure 179. Enabling Zero-IT for a WLAN
You have completed enabling Zero-IT for this WLAN. At this point, any user with the proper credentials (username and password) and running a supported operating system can self-provision his/her wireless client to securely access your wireless LANs.
WLAN.
5 If you are not running a supported operating system, you can manually configure wireless settings by clicking the link at the bottom of the page (see Provisioning Clients that Do Not Support Zero-IT).
Figure 181. Corporate WLAN configuration
You have completed Zero-IT configuration for this user. Repeat this procedure to automatically configure all additional users of your internal WLAN.
Self-Provisioning Clients without Ethernet Ports
Many mobile devices such as iOS, Windows Phone and Android smartphones can also use Zero-IT Activation.
Internal User Database
To use the internal user database as the default authentication source and to create new user accounts in the database:
1 Go to Configure > Users.
2 In the Internal User Database table, click Create New.
• Confirm Password: Re-enter the same password for this user.
NOTE: ZoneDirector 1200 can support up to 2,000 DPSK users and guest passes, and up to 2,000 concurrently connected clients. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes, and up to 10,000 concurrently connected clients.
4 If a role must be replaced, open that menu and choose a new role for this user. (For more information, see Creating New User Roles.)
5 Click OK to save your settings. Be sure to communicate the relevant changes to the appropriate end user.
Deleting a User Record
1 Go to Configure > Users.
2 When the Users screen appears, review the “Internal User Database.”
3 To delete one or more records, click the check boxes next to those account records.
- either full access or limited access.
5 When you finish, click OK to save your settings. This role is ready for assignment to authorized users.
6 If you want to create additional roles with different policies, repeat this procedure.
Creating New User Roles
Figure 184. The Create New form for adding a role
Role Based Access Control Policy
Using the Role Based Access Control Policy (RBAC) feature, organizations can deploy a single SSID for multiple roles and provide different access privileges based on the user’s role in the organization.
WPA or WPA2 and Dynamic PSK enabled, a unique and random key phrase is generated for each wireless user. Similarly, for a WLAN configured with 802.1X/EAP authentication, a unique certificate for each wireless user is created.
When using the internal user database, automatically generated user certificates and keys are deleted whenever the associated user account is deleted from the user database. In the case of using Windows Active Directory, LDAP or RADIUS as an authentication server, you can delete the generated user keys and certificates by following these steps:
1 Go to Monitor >...
RADIUS server configuration and the choice you made in RADIUS/RADIUS Accounting. Make sure that either PAP or CHAP is enabled on the Remote Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing with testing authentication settings.
Figure 186. The Create New form for adding an authentication server
For more information on configuring an external authentication server, see Using an External AAA Server.
Activating Web Authentication
Web authentication (also known as a “captive portal”) redirects users to a login web page the first time they connect to this WLAN, and requires them to log in before granting access to use the WLAN.
• The first is generated because the SSL certificate of the HTTPS site the user is trying to reach does not match the certificate installed on the ZoneDirector. Depending on the browser/OS, this may be flagged as a potential Man in the Middle attack (MiM).
• The second is generated if the ZoneDirector or Hotspot server does not have an SSL certificate signed by a recognized Certificate Authority installed when the client is redirected to the login page. These browser security warnings are there to encourage users to take care when browsing secure sites and ensure their authenticity.
Managing Guest Access
In this chapter:
• Configuring Guest Access
• Creating a Guest Access Service
• Creating a Guest WLAN
• Using the BYOD Onboarding Portal
• Working with Guest Passes
ZoneDirector 9.12.1 User Guide, 800-71016-001 Rev A...
Type (or cut and paste) your terms of use into the large text box.
7 Under Redirection, select one of the following radio buttons to use/not use redirection:
• Redirect to the URL that the user intends to visit: Allows the guest user to continue to their destination without redirection.
• Redirect to the following URL: Redirect the user to a specified web page (entered into the text box) prior to forwarding them to their destination.
URL, or select Redirect to the URL that the user intends to visit.
7 Select Enable Guest Pass Self-Service (enabled by default). The following new options appear:
• Access Duration: Select the default access time provided with one guest pass in days, hours or weeks. (Default is one day.)
• Session: Optionally, enable the session limitation to require guest pass users to re-login after the specified time period.
• Max Device: Allow multiple devices to share a single guest pass. (Default is one device.)
•...
2 The browser redirects to the Guest Access Login page.
3 Click Register New Guest Access.
Figure 190. Guest Access login page
4 The New Guest Registration page appears.
5 Enter a Name, Email address and mobile phone number.
6 Click Submit.
Figure 191. New Guest Registration page
7 The Welcome to Guest Access page appears, displaying the information you entered along with your new Guest Pass code.
Figure 192. Your Guest Pass code along with your registration information are displayed
8 Click Go to Guest Access Portal.
SMS Settings for Guest Pass Delivery via SMS for more information. Configure the following options if Sponsor Approval is enabled:
• Sponsor number: Set how many sponsors the user can specify to approve the guest pass request. Valid values are 1-5.
• Sponsor Authentication Server: Select the authentication server to be used for sponsor authentication. When a guest pass approval request is sent to the sponsor’s email, the sponsor must click the link in the email, log in to this authentication server, and approve or reject the request.
1 On the New Guest Registration screen, enter your Name, Mobile number and Email address.
2 Enter the sponsor’s email address and click Submit. A guest pass request email is sent to the sponsor’s address, and the Guest Access request submitted screen is displayed.
Figure 196. Guest Access Request Submitted page
3 The sponsor will then receive an email requesting approval for guest pass activation.
4 Open the email and click the link to open the Sponsor/Approver Authentication page.
7 Approving a guest pass triggers delivery of an email (and/or SMS message) containing the guest pass code to the guest.
8 As a guest user, open this email and copy the Guest Pass code to the clipboard.
Figure 200. Guest pass activation email
9 Launch a web browser and browse to any URL. You will be redirected to the Welcome login page.
10 Enter the Guest Pass code received in the activation email and click Submit.
Figure 201.
5 Under Description, type a name or description for the access rule that you are creating.
6 Under Type, select Deny if this rule will prevent guest users from accessing certain subnets, or select Allow if this rule will allow them access.
7 Under Destination Address, type the IP address and subnet mask (format: A.B.C.D/M) on which you want to allow or deny users access.
8 If you want to allow or restrict subnet access based on the application, protocol, or destination port used, click the Advanced Options link, and then configure the settings.
• Optionally, enable a Grace Period (disabled by default) and enter a value in minutes to allow disconnected users a grace period after disconnection, during which users will not need to re-authenticate.
10 Click OK to save your changes.
Figure 204. Create a Guest Access WLAN
Using the BYOD Onboarding Portal
The Onboarding Portal feature provides a series of intuitive option screens allowing mobile users to choose whether to connect to a Guest WLAN or to self-configure their mobile devices to authenticate to an internal WLAN using Zero-IT activation.
Figure 206. The Onboarding Portal for mobile devices
If the user clicks the Guest Access button, the process is the same as when connecting to a Guest WLAN and all settings on the Guest Access configuration page will be put into effect.
Figure 207. Guest Access welcome and terms of use screens
If the user clicks the Register Device button, the web page will be redirected to the WLAN Connection Activation page, from which the user can enter user name and password to activate this device.
On some devices (including some Android versions), the activation file will not run if an older existing package of the same name with a conflicting signature is already installed.
System page. NOTE: ZoneDirector 1200 can support up to 2,000 DPSK users and guest passes, and up to 2,000 concurrently connected clients. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes, and up to 10,000 concurrently connected clients.
Figure 209. The Guest Pass Generation section on the Guest Pass page
Guest Pass Generation URL
Controlling Guest Pass Generation Privileges
To disable the guest pass generation privilege granted to all basic “default” role users, follow these steps:
1 Go to Configure > Roles. When the Roles and Policies page appears, a table lists all existing roles, including “Default.”
2 Click Edit (in the “Default” role row).
3 In the Policies options, clear the Allow Guest Pass Generation check box.
4 Click OK to save your settings.
You can edit an existing user account and reassign the guest pass generator role, if you prefer.
5 Click OK to save your settings. Be sure to communicate the role, user name and password to the appropriate end user.
Generating and Delivering a Single Guest Pass
You can provide the following instructions to users with guest pass generation privileges. A single guest pass can be used for one-time login, time-limited multiple logins for a single guest user, or can be configured so that a single guest pass can be shared by multiple users.
• Key: Leave as is if you want to use the random key that ZoneDirector generated. If you want to use a key that is easy to remember, delete the random key, and then type a custom key. For example, if ZoneDirector generated the random key OVEGS-RZKKF, you can change it to joe-guest-key. Customized keys must be between one and 16 ASCII characters.
NOTE: Each guest pass key must be unique and is distributed on all guest WLANs. Therefore, you cannot create the same guest pass for use on multiple WLANs.
Figure 212. The Guest Pass Generated page
Figure 213. Sample guest pass printout
Generating and Printing Multiple Guest Passes at Once
You can provide the following instructions to users with guest pass generation privileges.
NOTE: The following procedure will guide you through generating and printing multiple guest passes.
If you did not create custom guest pass printouts, select Default.
9 Print the instructions for a single guest pass or print all of them.
• To print instructions for all guest passes, click Print All Instructions.
• To print instructions for a single guest pass, click the Print link that is in the same row as the guest pass for which you want to print instructions.
A new browser page appears and displays the guest pass instructions. At the same time, the Print dialog box appears.
(ZoneDirector will notify you if the file is too large.)
4 Scroll down to the Guest Access Customization section.
5 (Optional) Delete the text in the Title field and type a short descriptive title or “welcome” message.
6 Click OK to save your settings.
Figure 216. The Guest Access Customization options
Creating a Custom Guest Pass Printout
The guest pass printout is a printable HTML page that contains instructions for the guest pass user on how to connect to the wireless network successfully. The authenticated user who is generating the guest pass will need to print out this HTML page and provide it to the guest pass user.
Token: Description
{GP_IF_EFFECTIVE_FROM_CREATION_TIME}: If you set the validity period of guest passes to Effective from the creation time (in the Guest Pass Generation section), this token shows when the guest pass was created and when it will expire.
{GP_ELSEIF_EFFECTIVE_FROM_FIRST_USE}: If you set the validity period of guest passes to Effective from first use (in the Guest Pass Generation section), this token shows the number of days during which the guest pass will be valid after activation.
To customize the content of the SMS message used to deliver the guest pass code, use the following procedure:
1 On the Configure > Guest Access page, locate the Customize the SMS Content section.
2 Customize the message in the text box and click Apply to save your changes.
Figure 218. Customize the SMS content
NOTE: For more information on Captive Portal redirection for Hotspot, Web Auth and Guest Access WLANs, see “Captive Portal Redirect on Initial Browser HTTPS Request”.
Deploying a Smart Mesh Network
In this chapter:
• Overview of Smart Mesh Networking
• Smart Mesh Networking Terms
• Supported Mesh Topologies
• Deploying a Wireless Mesh via ZoneDirector
• Understanding Mesh-related AP Statuses
• Using the ZoneFlex LEDs to Determine the Mesh Status
•...
A Smart Mesh network is a peer-to-peer, multi-hop wireless network wherein participant nodes cooperate to route packets. In a Ruckus wireless mesh network, the routing nodes (that is, the Ruckus Wireless APs forming the network), or “mesh nodes,” form the network's backbone. Clients (for example, laptops and other mobile devices) connect to the mesh nodes and use the backbone to communicate with one another, and, if permitted, with nodes on the Internet.
Term: Definition
Mesh AP (MAP): A mesh node that communicates with ZoneDirector through its wireless interface.
Ethernet-Linked Mesh AP (eMAP): An eMAP is a mesh node that is connected to its uplink AP through a wired Ethernet cable, rather than wirelessly. eMAP nodes are used to bridge wireless LAN segments together.
LAN segment, and another isolated wired segment exists that needs to be bridged to the primary LAN segment. You can bridge these two wired LAN segments by forming a wireless mesh link between the two wired segments, as shown in Figure 220 below.
Figure 220. Mesh - wireless bridge topology
Hybrid Mesh Topology
A third type of network topology can be configured using the Hybrid Mesh concept. Ethernet-connected Mesh APs (eMAP) enable the extension of wireless mesh functionality to a wired LAN segment.
Deploying a wireless mesh via ZoneDirector involves the following steps:
• Step 1: Prepare for Wireless Mesh Deployment
• Step 2: Enable Mesh Capability on ZoneDirector
• Step 3: Provision and Deploy Mesh Nodes
• Step 4: Verify That the Wireless Mesh Network Is Up
Step 1: Prepare for Wireless Mesh Deployment
Before starting with your wireless mesh deployment, Ruckus Wireless recommends performing a number of tasks that can help ensure a smooth deployment.
• Ensure that the APs that will form the mesh are of the same radio type.
This passphrase will be used by ZoneDirector to secure the traffic between Mesh APs. Alternatively, click Generate to generate a random passphrase with 32 characters or more.
7 In the Mesh Settings section, click Apply to save your settings and enable Smart Mesh.
You have completed enabling mesh capability on ZoneDirector. You can now start provisioning and deploying the APs that you want to be part of your wireless mesh network.
View on the menu. The Map View appears and shows the mesh nodes that are currently active. (See Importing a Map View Floorplan Image for instructions on importing a map.)
2 Check if all the mesh nodes that you have provisioned and deployed appear on the Map View.
3 Verify that a mesh network has been formed by checking if dotted lines appear between the mesh nodes. These dotted lines identify the neighbor relationships that have been established in the current mesh network.
• The AP may be configured ZoneDirector mesh incorrectly. Verify that the mesh SSID and passphrase configured on the AP are correct.
• If Uplink Selection is set to Manual, the uplink AP specified for this AP may be off or unavailable.
Using the ZoneFlex LEDs to Determine the Mesh Status
In addition to checking the mesh status of ZoneFlex APs from the ZoneDirector web interface, you can also check the LEDs on the APs. The LED behaviors that indicate the AP's mesh status vary depending on whether the AP is a single-band or a dual-band model.
• This is a Mesh AP, and;
• The Root AP signal is fair
Slow blinking green
• This is a Mesh AP that is currently searching for a Root AP, or;
• This AP is currently searching for ZoneDirector
Indoor Dual Band APs
On dual band ZoneFlex indoor APs, the 5G LED indicates the AP's mesh status. See the table below for more information.
LED Color/Behavior Root AP / eMAP Mesh AP...
Smart Uplink Selection and manually set the mesh nodes to which an AP can connect. Note that in most situations, Ruckus Wireless recommends against manually changing the roles of APs in a mesh, because it can result in isolated Mesh APs.
Figure 224. Setting Uplink Selection to Manual
CAUTION! Do not manually set a Mesh AP as a Root AP. Only APs that are connected to ZoneDirector via Ethernet (and on the same LAN segment) should be configured as Root APs.
15 minutes as the mesh network stabilizes. If there is a significant number of APs on the network, it might take longer for the AP to resolve this.
No APs with matching radio type: The AP is unable to find an uplink AP with the same radio type. Ruckus Wireless Smart Mesh APs must use the same radio type to be able to connect to each other via the mesh network. For example, an 802.11n Mesh AP will only connect...
Therefore you will need to proceed to the next step and connect to the AP’s CLI to make changes.
Step 4: Connect to the AP and update its Mesh settings
1 Launch your SSH client and enter the IP address 169.254.1.1.
2 Log into the AP via SSH using the same user name and password that you use to log into the ZoneDirector web interface.
3 Enter the command set meshcfg ssid <current_ssid>, where current_ssid is the SSID that the mesh network is currently using.
Setting Administrator Preferences
In this chapter:
• Changing the ZoneDirector Administrator User Name and Password
• Changing the Web Interface Display Language
• Upgrading ZoneDirector and ZoneFlex APs
• Working with Backup Files
• Restoring ZoneDirector to Default Factory Settings
•...
(used solely to log into ZoneDirector via the web interface).
• Password/Confirm Password: Delete the text in both fields and type the same text for a new password.
3 Click Apply to save your settings. The changes go into effect immediately.
Figure 226. The Preferences page
Setting Administrator Login Session Timeout
By default, administrators logged into the web interface are automatically logged out after 30 minutes of inactivity. This timeout can be configured with a value between 1 and 1440 minutes (24 hours).
3 Click Apply to save your settings. The changes go into effect immediately.
Upgrading ZoneDirector and ZoneFlex APs
Check the Ruckus Wireless Support web site on a regular basis for updates that can be applied to your Ruckus Wireless network devices — to ZoneDirector and all your ZoneFlex APs.
NOTE: The full network upgrade is successive in sequence. After ZoneDirector is upgraded, it will contact each active AP, upgrade it, and then restore it to service.
NOTE: The AP uses FTP to download firmware updates from ZoneDirector. If you have an access control list (ACL) or firewall between ZoneDirector and the AP, make sure that FTP traffic is allowed to ensure that the AP can successfully download the firmware update.
9 Each AP reboots after upgrading.
Working with Backup Files
After you have set up and configured your Ruckus wireless network, you may want to back up the full configuration. The resulting archive can be used to restore your ZoneDirector and network. And, whenever you make additions or changes to the setup, you can create new backup files at that time, too.
Figure 228. The Back Up Configuration option
Restoring Archived Settings to ZoneDirector
NOTE: Restoring a backup file will automatically reboot ZoneDirector and all APs that are currently associated with it. Users associated with these APs will be temporarily disconnected;...
When the restore process is complete, ZoneDirector automatically restarts and your wireless network will be ready for use again.
Figure 229. Select the restore level for restoring from a backup file
You can also restore previously saved access point configurations from a backup file without restoring any other ZoneDirector configuration settings. This feature can be useful in deploying N+1 redundancy. For example, if three ZoneDirector 1200 controllers are deployed in different locations and with one ZoneDirector 3000 serving as a backup, you can use this feature to export AP lists from the three ZD1200s and import them one by one into the ZD3000.
In this case, the system can be discovered by a UPnP client application, such as Windows “My Network Places.” If there is no DHCP server on the connected network, the system's default IP address is 192.168.0.2 with subnet mask 255.255.255.0.
NOTE: A complete set of instructions is available in the ZoneDirector Quick Start Guide (QSG). Before restoring ZoneDirector to factory default settings, you should open and print out the QSG pages. You can follow those instructions to set up ZoneDirector after restoring factory defaults.
(CSR) file and send it to a certificate authority (CA) to purchase an SSL certificate. The ZoneDirector web interface provides a form that you can use to create the CSR file. Fields with an asterisk (*) are required entries. Those without an asterisk are optional.
“ZoneDirector”).
NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if possible. If your network does not have a DNS server, you may use ZoneDirector’s IP address instead. However, note that some CAs may not allow this.
After the certificate authority approves your CSR, you will receive the SSL certificate via email. The signed certificate that you receive from a certificate authority is a block of encoded text that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
7 Copy the content of the signed certificate, and then paste it into a text file. Save the file.
ZoneDirector certificate file. Then, you just need to import a single file. The intermediate certificate(s) will be imported automatically. In this case, you will see multiple ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- pairs in the file.
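A certificate file assembled by copy and paste, including a combined file with several BEGIN/END CERTIFICATE pairs, can be checked for damage before it is imported. The following Python sketch is an added example, not part of the Ruckus guide or of ZoneDirector; the function names are hypothetical and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def der_length_ok(der):
    """True if der is one ASN.1 SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short form length
        header, body = 2, first
    else:                                       # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def check_bundle(text):
    """Return (certificate_count, problems) for the text of a pasted PEM file."""
    problems, count, index, last_end = [], 0, 0, 0
    for match in PEM_BLOCK.finditer(text):
        index += 1
        if text[last_end:match.start()].strip():
            problems.append("block %d: unexpected text before BEGIN line" % index)
        last_end = match.end()
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            problems.append("block %d: unexpected %s block" % (index, label))
            continue
        count += 1
        try:
            # validate=True rejects stray characters such as a hyphen left by a
            # line break in the e-mail or document the text was copied from.
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("block %d: invalid base64 in certificate body" % index)
            continue
        if not der_length_ok(der):
            problems.append("block %d: DER length does not match, "
                            "certificate is truncated or corrupted" % index)
    if text[last_end:].strip():
        problems.append("unexpected text after the last block "
                        "(possibly a BEGIN line without its END line)")
    if count == 0:
        problems.append("no certificate found")
    return count, problems


def make_sample_pem(payload_len=300):
    """Constructed placeholder: a SEQUENCE of zero bytes, NOT a real certificate."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    sample = make_sample_pem()
    print(check_bundle(sample + sample))        # two intact blocks, no problems
```

This only checks the container; it does not verify signatures, validity dates or that the certificates form a chain.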
Figure 234. Importing a signed certificate (continued)
SSL Certificate Advanced Options
The Advanced Options section allows you to perform additional certificate management functions. These include the following:
• Restore to Default Certificate/Private Key: This deletes any certificate and private key that has been imported, and restores the factory default certificate/private key after restore and reboot.
CA separated by a string of number symbols (“#######”). Options include:
• Add a new trusted CA: Import a single CA file.
• Cover all trusted CA: Use the new trusted CA file to cover all existing trusted CA files.
Figure 235. SSL Certificate Advanced Options
Wildcard Certificate Installation
A wildcard certificate is a generic certificate that can be used for devices in a specific domain. This is useful for Smart Redundancy installations where you have two ZoneDirectors.
This section provides basic instructions for setting up ZoneDirector to authenticate additional administrator accounts with an external authentication server. For more information on AAA server configuration, see Using an External AAA Server. To authenticate ZoneDirector administrators using an AAA server:
1 Set up Group Attributes on the AAA server.
• RADIUS:
• Ruckus Wireless private attribute
Vendor ID: 25053
Vendor Type/Attribute Number: 1 (Ruckus-User-Groups)
Value Format: group_attr1,group_attr2,group_attr3,...
• Cisco private attribute (if your network is using a Cisco access control server)
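On the wire, the Ruckus Wireless private attribute listed above is carried inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865). The following Python example is added here and is not Ruckus code; it encodes and parses that attribute using the Vendor ID, attribute number and value format given above, while the function names, group names and sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type Vendor-Specific (RFC 2865)
RUCKUS_VENDOR_ID = 25053    # Vendor ID from the guide
RUCKUS_USER_GROUPS = 1      # Vendor Type 1 (Ruckus-User-Groups) from the guide


def encode_user_groups(groups):
    """Build the Vendor-Specific attribute carrying group_attr1,group_attr2,..."""
    for group in groups:
        if not group or "," in group:
            raise ValueError("group names must be non-empty and contain no comma")
    value = ",".join(groups).encode("ascii")
    vendor_len = 2 + len(value)          # vendor type + vendor length + value
    total_len = 2 + 4 + vendor_len       # type + length + vendor id + sub-attribute
    if total_len > 255:
        raise ValueError("group list does not fit in one RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len, RUCKUS_VENDOR_ID,
                       RUCKUS_USER_GROUPS, vendor_len) + value


def iter_attributes(data):
    """Yield (type, value) for each attribute in a RADIUS attribute section."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of range")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def extract_user_groups(attributes):
    """Return the group names from every Ruckus-User-Groups sub-attribute."""
    groups = []
    for atype, value in iter_attributes(attributes):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != RUCKUS_VENDOR_ID:
            continue                      # another vendor's attribute, ignore it
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("vendor sub-attribute length out of range")
            if vtype == RUCKUS_USER_GROUPS:
                text = sub[pos + 2:pos + vlen].decode("ascii")
                groups.extend(p.strip() for p in text.split(",") if p.strip())
            pos += vlen
    return groups


# Constructed sample of an Access-Accept attribute section (not a capture):
# a Reply-Message (type 18), a Vendor-Specific attribute from the documentation
# enterprise number 32473, and the Ruckus group attribute.
SAMPLE_ATTRIBUTES = (
    bytes([18, 2 + 7]) + b"welcome"
    + bytes([VENDOR_SPECIFIC, 2 + 4 + 2 + 3]) + struct.pack("!I", 32473)
    + bytes([1, 2 + 3]) + b"abc"
    + encode_user_groups(["zd-admins", "helpdesk"])
)

if __name__ == "__main__":
    print(extract_user_groups(SAMPLE_ATTRIBUTES))
```

The returned names are the values to compare with the Group Attributes configured for the administrator role.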
Server} with {Role}).
Upgrading the License
Depending on the number of Ruckus Wireless APs you need to manage with your ZoneDirector, you may need to upgrade your license as your network expands. Contact your authorized Ruckus Wireless reseller to purchase an upgrade license.
Support Entitlement
The Support Entitlement license allows you to extend the period for which you are allowed to continue upgrading your ZoneDirector when newer versions are released. If your support contract has expired, you can contact your Ruckus customer service representative or Ruckus reseller to purchase a new support entitlement.
Troubleshooting
In this chapter:
• Troubleshooting Failed User Logins
• Fixing User Connections
• Measuring Wireless Network Throughput with SpeedFlex
• Diagnosing Poor Network Performance
• Starting a Radio Frequency Scan
• Using the Ping and Traceroute Tools
• Viewing Current System and AP Logs
•...
• Create an additional WLAN for non-standard client connections, then create a Role that refers to this WLAN, and assign that role to the relevant user accounts.
• Enter the WEP key in the network configuration on the client device.
Fixing User Connections
If any of your users report problematic connections to the WLAN, the following debugging technique may prove helpful. Basically, you will be deleting that user's client from the Active Clients table in the Ruckus ZoneDirector, and when their client connection automatically renews itself, any previous problems will hopefully be resolved.
For example, SpeedFlex may be inaccessible to users at http://{zonedirector-ip-address}/perf or SpeedFlex may prompt you to install the SpeedFlex application on the target client, even when it is already installed.
NOTE: The following procedure describes how to run SpeedFlex from the ZoneDirector web interface to measure a wireless client’s throughput. For instructions on how to run SpeedFlex from a wireless client (for users), refer to Allowing Users to Measure Their Own Wireless Throughput.
10-30 seconds. If you are testing both Downlink and Uplink options, the two tests take about one minute to complete. When the tests are complete, the results appear below the Start button. Downlink and uplink throughput results are displayed along with packet loss percentages.
Figure 239. The SpeedFlex interface
Figure 240. Click the download link for the target client’s operating system
Figure 241. A progress bar appears as SpeedFlex measures the wireless throughput
4 Select Uplink, Downlink or both (default is both), and click Start to begin. Note that multi-hop SpeedFlex takes considerably longer to complete than a single hop. If you want to complete the test faster, deselect either Uplink or Downlink and test one direction at a time.
Figure 243. Running Multi-Hop SpeedFlex in a mesh tree
Figure 244. Multi-Hop SpeedFlex test results
How to Measure the Speed of Your Wireless Connection
The following instructions describe how you can use SpeedFlex, a wireless performance test tool from Ruckus Wireless, to measure the speed of your wireless connection to your access point.
1 Make sure that your wireless device is connected only to the wireless network.
This indicates that SpeedFlex was successfully started. Keep the command prompt window open.
7 On the SpeedFlex Wireless Performance Test interface, click the Start button again. A progress bar appears below the speedometer as the tool generates traffic to measure the downlink throughput from the AP to the client.
UI. The Ping and Traceroute tools can be accessed from anywhere in the UI that you see the icon. For example, from the Dashboard, if the “Currently Managed APs” widget is open, click the icon next to an AP to launch the troubleshooting window.
Figure 246. Launching the Ping/Traceroute Troubleshooting window from the Dashboard
The Network Connectivity window opens. Click Ping to ping the IP address or Trace Route to diagnose the number of hops to the IP address.
Figure 247.
After the file is saved, you can email it to the technical support representative.
NOTE: The debug (or diagnostics) file is encrypted and only Ruckus Wireless support representatives have the proper tools to decrypt this file.
Viewing Current System and AP Logs
You can display a list of recent ZoneDirector or AP activity logs from the ZoneDirector web interface.
Page 437
Viewing Current System and AP Logs Allowing Users to Measure Their Own Wireless Throughput 1 Go to Administer > Diagnostics, and locate the AP Logs section. 2 Click the “Click Here” link next to “To show current AP logs...”. The log data is displayed in the text box beneath the link.
“ping-pong” method. Due to memory limitations, the capture files are cleared after they are retrieved by the Save command and before each new capture session, and they are not retained on the AP between reboots.
Packet Capture and Analysis Local Capture
In streaming capture mode, packet data from the 2.4 GHz and 5 GHz radios are available simultaneously on AP interfaces wifi0 and wifi1, respectively. The streams can be accessed using Wireshark’s remote interface capture option. The Windows version of Wireshark (e.g., v1.2.10) supports this option.
Per-Packet Information (PPI) header that precedes the over-the-air content.
1 The PPI:802.11-Common Header antenna signal and antenna noise fields of packets transmitted by the AP contain the next-to-lowest byte and the lowest byte, respectively, of the antenna pattern used to transmit the packet. On some APs, the pattern value may contain more significant bits, which are not stored in this header. If the packet is 802.11n, it will also contain the full antenna pattern value in the header described below.
2 The PPI:802.11n-MAC+PHY Header EVM-3 field of packets transmitted by the AP contains the full antenna pattern used to transmit the packet (similar to above, except this 32-bit field can accommodate the complete value).
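The two header fields described above can be cross-checked when reviewing a capture. The following is an added example, not code from the Ruckus guide: field offsets follow the published PPI header specification, the byte interpretation is the one stated above for AP-transmitted packets, and the sample frame and pattern value are constructed.

```python
import struct

PPI_80211_COMMON = 2      # PPI field type: 802.11-Common (20 data bytes)
PPI_80211N_MAC_PHY = 4    # PPI field type: 802.11n MAC+PHY (48 data bytes)

def parse_ppi_fields(frame: bytes) -> dict:
    """Walk the PPI header at the start of a frame; return {field_type: data}."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the PPI packet header")
    version, _flags, pph_len, _dlt = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= pph_len <= len(frame):
        raise ValueError("not a valid PPI header")
    fields, off = {}, 8
    while off + 4 <= pph_len:
        ftype, flen = struct.unpack_from("<HH", frame, off)
        off += 4
        if off + flen > pph_len:
            raise ValueError("PPI field overruns the declared header length")
        fields[ftype] = frame[off:off + flen]
        off += flen
    return fields

def tx_antenna_pattern(frame: bytes) -> dict:
    """Recover the antenna pattern bytes the AP stored in an AP-transmitted packet."""
    fields = parse_ppi_fields(frame)
    out = {"low16": None, "full": None, "consistent": None}
    common = fields.get(PPI_80211_COMMON)
    if common is not None and len(common) >= 20:
        # dBm-Antsignal (offset 18) = next-to-lowest byte, dBm-Antnoise (19) = lowest byte
        out["low16"] = (common[18] << 8) | common[19]
    macphy = fields.get(PPI_80211N_MAC_PHY)
    if macphy is not None and len(macphy) >= 48:
        out["full"] = struct.unpack_from("<I", macphy, 44)[0]   # EVM-3, 32-bit
    if out["low16"] is not None and out["full"] is not None:
        out["consistent"] = (out["full"] & 0xFFFF) == out["low16"]
    return out

def build_sample(pattern: int, with_11n: bool = True) -> bytes:
    """Constructed test frame: PPI header carrying `pattern`, then 2 dummy 802.11 bytes."""
    common = struct.pack("<QHHHHBBBB", 0, 0, 0, 2437, 0x0080, 0, 0,
                         (pattern >> 8) & 0xFF, pattern & 0xFF)
    body = struct.pack("<HH", PPI_80211_COMMON, 20) + common
    if with_11n:
        body += struct.pack("<HH", PPI_80211N_MAC_PHY, 48) + bytes(44) + struct.pack("<I", pattern)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), 105) + body + b"\x80\x00"
```

For a non-802.11n packet only `low16` is available, so a pattern with more than 16 significant bits cannot be fully recovered from that packet.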
The Status column now displays “Disconnected” along with the date and time when ZoneDirector last communicated with the AP. After restart is complete and the Ruckus ZoneDirector detects the active AP, the status will be returned to “Connected.”
“Restarting an Access Point”.) NOTE: If you have made any configuration changes, Ruckus Wireless recommends shutting down ZoneDirector to ensure that all configuration changes are saved and remain after reboot. Performing a Restart may cause ZoneDirector to lose configuration changes if you forgot to click Apply after making changes and navigate away from a configuration page, for example.
Smart Mesh Networking Best Practices
In this chapter:
• Choosing the Right AP Model for Your Mesh Network
• Calculating the Number of APs Required
• Placement and Layout Considerations
• Signal Quality Verification
• Mounting and Orientation of APs
•...
In a Smart Mesh network, the Root AP (RAP) has all its wireless bandwidth available for downlink, because the uplink is wired. For Mesh APs (MAPs), the available wireless bandwidth has to be shared between the uplink and the downlink. This degrades performance of a Mesh AP as compared to a Root. This problem is mitigated somewhat by dual radio APs when the uplink and downlink traffic can be sent/received on two separate radios.
Placement and Layout Considerations
•...
• If the customer's network utilizes a wireless backhaul technology for broadband access, it is recommended to not mount the broadband wireless modem right next to a Ruckus Wireless AP. A distance of 10 feet or more would be desirable.
Signal Quality Verification
The above guidelines for planning will result in a well-designed mesh.
• Ensure Signal >= 25%: The Signal value under Neighbor APs that shows “Connected” should be 25% or better. If it is lower, you need to bring the AP closer, or move it to avoid an obstruction, such that the Signal value becomes 25% or better.
ZoneFlex APs are very tolerant to a variety of mounting and orientation options due to Ruckus Wireless' use of its unique BeamFlex technology, in which the RF signal is dynamically concentrated and focused towards the other end of the RF link.
Mounting and Orientation of APs
Indoor APs - Vertical Orientation
A less typical vertical orientation may be used in certain cases where it is not possible for mechanical or aesthetic reasons to use the typical horizontal orientation. In such cases, indoor APs may also be wall mounted vertically.
RAPs and MAPs are at ceiling height (standard 15-foot ceiling), then you would not want to mount the outdoor MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the same elevation from the ground.
Best Practice Checklist
Following the mesh best practices will ensure that your mesh is well designed and has the capacity and reliability required for your enterprise applications. The best practices are summarized below as a checklist for quick review.
1 Do not mix single band with dual band APs in your mesh.
AP on non-Z2 channels, or use non-Z2 transmit power limits. APs discover and join Ruckus Wireless controllers with matching “Zone 2” or “Z2” country code settings. APs with locked Z2 country code settings comply with the Zone 2 regulatory limits...