Ruckus Wireless, Ruckus, the bark logo, ZoneFlex, FlexMaster, ZoneDirector, SmartMesh, Channelfly, Smartcell, Dynamic PSK, and Simply Better Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be trademarks of their respective owners.
This User Guide describes how to install, configure and manage the Ruckus Wireless™ ZoneDirector™ version 9.8. This guide is intended for use by those responsible for managing Ruckus Wireless network equipment. Consequently, it assumes a basic working knowledge of local area networking, wireless networking and wireless devices.
Description
Note    Information that describes important features or instructions
Caution    Information that alerts you to potential loss of data or potential damage to an application, system, or device
Warning    Information that alerts you to potential personal injury
Ruckus Wireless, Inc.
Documentation Feedback
Ruckus Wireless is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Ruckus Wireless at: docs@ruckuswireless.com
When contacting us, please include the following information:
•...
Introducing Ruckus Wireless ZoneDirector
In this chapter:
• Overview of ZoneDirector
• ZoneDirector Physical Features
• Introduction to the Ruckus Wireless Network
• Ensuring That APs Can Communicate with ZoneDirector
• Installing ZoneDirector
• Accessing ZoneDirector’s Command Line Interface
•...
ZoneDirector, thereby eliminating bottlenecks when higher speed Wi-Fi technologies are used. This user guide provides complete instructions for using the Ruckus Wireless web interface, the wireless network management interface for ZoneDirector. With the web interface, you can customize and manage all aspects of ZoneDirector and your ZoneFlex network.
ZoneDirector Physical Features
Three models of ZoneDirector are currently available: ZoneDirector 1100, ZoneDirector 3000 and ZoneDirector 5000. This section describes the physical features of these ZoneDirector models.
ZoneDirector 1100
This section describes the following physical features of ZoneDirector 1100:
•...
WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you made, except for AP licenses and SSL certificates.
Front Panel LEDs
Table 2 describes the LEDs on the front panel of ZoneDirector 1100.
Table 2. ZoneDirector 1100 LED descriptions
LED Label State...
The port is connected to a 100Mbps or 10Mbps device. CAUTION! ZoneDirector 1100 can become disabled if half-duplex is forced on any port. Ethernet ports on any uplink switch must be set to 100Mbps auto-negotiation or 1000Mbps auto-negotiation. ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method.
WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you have made, except for AP licenses and SSL certificates.
ZoneDirector 3000
Label    Meaning
Reset    To restart ZoneDirector, press the Reset button once for less than two seconds.
For Ruckus Wireless Support use only
Console    RJ-45 port for accessing the ZoneDirector command line interface.
10/100/1000 Ethernet    Two auto negotiating 10/100/1000Mbps Ethernet ports.
The port has no network cable connected or is not receiving a link signal.
Ethernet Rate
Amber    The port is connected to a 1000Mbps device.
Green    The port is connected to a 10Mbps or 100Mbps device.
ZoneDirector 5000
This section describes the following physical features of ZoneDirector 5000:
• Front Panel Features
• Front Panel (Bezel Removed)
• Control Panel
• Rear Panel Features
Figure 3. ZoneDirector 5000 Front Panel
Front Panel Features
Table 5.
ESD ground strap attachment
Hard drive bays (not used)
Control panel
RJ45 serial port for accessing the ZoneDirector command line interface.
USB port (not used).
Control Panel
Figure 5. Control panel buttons and indicators
Table 7. ZoneDirector 5000 control panel
Number    Feature
Power button
System reset button
System status LED (see Table
Fan status LED
Critical alarm (not used)
MJR alarm (not used)
NMI pin hole button (factory reset button)
Chassis ID button
NIC 1 / NIC 2 activity LED
HDD activity LED (not used)
RJ45 serial port (COM2/serial B)
Video connector (not used)
USB 0 and 1 (#1 on top)
USB 2 and 3 (#3 on top)
GbE NIC #1 connector
GbE NIC #2 connector
Two ground studs (used for DC-input system)
Table 10. NIC status LEDs
LED Color    LED State    NIC State
Green/Amber (Left) 10Mbps Green 100Mbps Amber 1000Mbps
Green (Right) Active connection Blinking Transmit / Receive activity
Introduction to the Ruckus Wireless Network
Your new Ruckus Wireless network starts when you disperse a number of Ruckus Wireless access points (APs) to efficiently cover your worksite. After connecting the APs to ZoneDirector (through network hubs or switches), running through the Setup Wizard and completing the “Zero-IT”...
Ensuring That APs Can Communicate with ZoneDirector
How APs Discover ZoneDirector on the Network
1 When an AP starts up, it sends out a DHCP discovery packet to obtain an IP address.
2 The DHCP server responds to the AP with the allocated IP address. If you configured DHCP Option 43 (see Option 2: Customize Your DHCP Server), the...
After the AP registers with ZoneDirector successfully, transfer it to its intended subnet. It will be able to find and communicate with ZoneDirector once you reconnect it to the other subnet.
Class Identifier (VCI). The VCI is a text string that identifies a vendor/type of a DHCP client. All Ruckus Wireless Access Points are configured to send “Ruckus CPE” as the Vendor Class Identifier in option 60, and expect ZoneDirector IP information to be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option code 03 (the sub-option code for ZoneDirector).
60. While you can achieve encapsulating TLVs in option 43 by hard coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class option spaces - especially when you have more than one vendor type on the network and need “option 43”...
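The option 43 encapsulation described above, as an added example that is not taken from the Ruckus guide: it builds and decodes a hard-coded option 43 value carrying sub-option code 03, and reports an offer that would point APs at a controller outside an approved list. The comma-separated ASCII address format, the function names and all addresses are assumptions made for illustration.

```python
import ipaddress

RUCKUS_VCI = "Ruckus CPE"  # option 60 value sent by the APs (from the guide)
ZD_SUBOPTION = 3           # option 43 sub-option code for ZoneDirector (from the guide)


def encode_zd_option43(controller_ips):
    """Build the option 43 payload: a single TLV (code 03, length, value)."""
    # Assumption: the value is a comma-separated ASCII list of IPv4 addresses.
    addrs = [str(ipaddress.IPv4Address(ip)) for ip in controller_ips]
    if not addrs:
        raise ValueError("at least one ZoneDirector address is required")
    value = ",".join(addrs).encode("ascii")
    if len(value) > 255:
        raise ValueError("value does not fit the one-byte length field")
    return bytes([ZD_SUBOPTION, len(value)]) + value


def parse_option43(payload):
    """Split a payload into {sub-option code: value}; reject malformed TLVs."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated TLV header at offset {i}")
        code, length = payload[i], payload[i + 1]
        end = i + 2 + length
        if end > len(payload):
            raise ValueError(f"sub-option {code} overruns the payload")
        if code in subopts:
            raise ValueError(f"duplicate sub-option {code}")
        subopts[code] = payload[i + 2:end]
        i = end
    return subopts


def zd_addresses(payload):
    """Return the ZoneDirector addresses carried in sub-option 03, if any."""
    value = parse_option43(payload).get(ZD_SUBOPTION)
    if value is None:
        return []
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("sub-option 03 is not ASCII") from exc
    # IPv4Address raises a ValueError subclass on anything that is not an IP.
    return [ipaddress.IPv4Address(part.strip()) for part in text.split(",")]


def audit_offer(vci, payload, approved):
    """List problems with the option 43 value a DHCP scope hands to Ruckus APs."""
    if vci != RUCKUS_VCI:
        return []  # this scope is not matched by the AP vendor class
    try:
        offered = zd_addresses(payload)
    except ValueError as exc:
        return [f"malformed option 43: {exc}"]
    if not offered:
        return ["no ZoneDirector sub-option (03) present"]
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [f"unapproved ZoneDirector address {a}" for a in offered if a not in allowed]


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    good = encode_zd_option43(["192.0.2.10", "192.0.2.11"])
    print("hex value to hard-code:", good.hex())
    print(audit_offer(RUCKUS_VCI, good, ["192.0.2.10", "192.0.2.11"]))
    rogue = encode_zd_option43(["192.0.2.10", "198.51.100.7"])
    print(audit_offer(RUCKUS_VCI, rogue, ["192.0.2.10", "192.0.2.11"]))
    print(audit_offer(RUCKUS_VCI, bytes.fromhex("030c313932"), ["192.0.2.10"]))
```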
How to Ensure that APs Can Discover ZoneDirector on the Network
Configure Vendor Class Identifier and Vendor Specific Info sub-options on Microsoft DHCP server
Configure vendor class for Ruckus Wireless Access Points:
1 In the Server Manager window, right-click the IPv4 icon, and choose Define Vendor Classes from the menu.
4 Under Available Options, look for the 15 DNS Domain Name check box, and then select it.
5 In the String value text box under Data Entry, type your company’s domain name.
6 Click Apply to save your changes.
7 Click OK to close the Scope Options dialog box.
Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain name in String value
Step 2: Set the DNS Server IP Address on the DHCP Server
1 From Windows Administrative Tools, open DHCP, and then select the DHCP server you want to configure.
Information on configuring the built-in DNS server on Windows is available at http://support.microsoft.com/kb/814591.
NOTE: If your DNS server prompts you for the corresponding host name for each ZoneDirector IP address, you MUST enter zonedirector. This is critical to ensuring that the APs can resolve the ZoneDirector IP address.
Firewall Ports that Must be Open for ZoneDirector Communications
After you register the ZoneDirector IP addresses with your DNS server, you have completed this procedure. APs on the network should now be able to discover ZoneDirector on another subnet.
ZoneDirector physical IP address), and that the APs are configured with both ZoneDirectors’ public IP addresses as primary and secondary ZD IPs.
• An active ZoneDirector behind NAT will be unable to perform upgrades to the standby ZoneDirector on the other side of the NAT device.
Installing ZoneDirector
Basic installation instructions are included in the Quick Start Guide that shipped with your ZoneDirector. The steps are summarized below:
1 Connect and discover ZoneDirector using UPnP (Universal Plug and Play).
•...
(using either a DB-9 serial cable for the console port or an Ethernet cable for LAN ports).
2 Launch a terminal program, such as HyperTerminal, PuTTY, etc.
3 Enter the following connection settings:
• Bits per second: 115200
• Data bits: 8
• Parity: None
To view a list of commands that are available at the root level, enter help or ?. For more information on using the CLI, see the Ruckus Wireless ZoneDirector Command Line Interface Reference Guide, available from http://support.ruck-...
Using the ZoneDirector Web Interface
The ZoneDirector web interface consists of several interactive components that you can use to manage and monitor your Ruckus Wireless WLANs (including ZoneDirector and all APs).
Dashboard...
Navigating the Dashboard
The Dashboard offers a number of self-contained indicators and tables that summarize the network and its current status. Some indicators have fields that link to more focused, detailed views on elements of the network.
Figure 12.
• Currently Managed AP Groups: Shows details of the System Default and user-defined AP groups. Click the + button next to an AP group to expand the group to display all members of the AP group.
• Support: Shows contact information for Ruckus Wireless support.
Using Indicator Widgets
• Smart Redundancy: Displays the status of primary and backup ZoneDirector devices, if configured.
• AP Activities: Shows a list of recent log events from APs.
• Client Device Type: Displays a pie chart of currently connected client devices by OS type as a percentage of the total.
The Widgets pane opens at the upper-left corner of the Dashboard.
3 Select any widget icon and drag and drop it onto the Dashboard to add the widget. If you have closed a widget, it appears in this pane.
Figure 14. The widget icons appear at the top-left corner of the Dashboard
4 Click Finish in the Widgets pane to close it.
Removing a Widget
To remove a widget from the Dashboard, click the icon for any of the widgets currently open on the Dashboard.
To view the Real Time Monitoring page, locate the Toolbox link at the top of the page and select Real Time Monitoring from the pull-down menu. You can also access the Real Time Monitoring page from the Monitor > Real Time Monitoring tab.
Figure 16. Select Real Time Monitoring from the Toolbox
Real Time Monitoring
Like the Dashboard, you can drag and drop Widgets onto the Real Time Monitoring page to customize the information you want to see.
Figure 17. The Real Time Monitoring screen
Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and click Start Monitoring to begin.
(greyed out). To restart auto refresh, click Start Auto Refresh from the Toolbox.
Figure 18. Stopping and starting automatic page refreshing
Figure 19. The Refresh icon on all widgets is disabled when auto refresh is stopped
Registering Your Product NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to receive updates and important notifications, and to make it easier to receive support in case you need to contact Ruckus for customer assistance. You can register your ZoneDirector along with all of your APs in one step using ZoneDirector’s Registration...
Figure 21. The Product Registration page
Your ZoneDirector is now registered with Ruckus Wireless.
Configuring System Settings
In this chapter:
• System Configuration Overview
• Changing the Network Addressing
• Creating Static Route Entries
• Enabling Smart Redundancy
• Configuring the Built-in DHCP Server
• Controlling ZoneDirector Management Access
• Setting the System Time
•...
(_) and hyphens (-). Do not use spaces or other special characters. The first character must be a letter. System names are case sensitive.
3 Click Apply to save your settings. The change goes into effect immediately.
Figure 22. The Identity section on the Configure > System page
Changing the Network Addressing
If you need to update the IP address and DNS server settings of ZoneDirector, follow the steps outlined below.
CAUTION! As soon as the IP address has been changed (applied), you will be disconnected from your web interface connection to ZoneDirector.
ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs operate in dual IPv4/v6 mode by default, so you do not need to manually set the mode for each AP.
IPv6 Configuration
If you enable IPv6, you have the option to manually configure an IP address in IPv6 format (128 bits separated by colons instead of decimals) or to choose Auto Configuration. If you choose Manual, you will need to enter IP Address, Prefix Length and Gateway.
It can also be used for Smart Redundancy -- when two redundant ZoneDirectors are deployed, you can create a separate management interface to be shared by both devices. Then, you only have to remember one IP address that you can log into regardless of which ZoneDirector is the active unit. This shared management IP address must be configured identically on both ZoneDirectors (see Configuring ZoneDirector for Smart Redundancy).
To enable an additional management interface:
1 Go to Configure >...
ZoneDirector primary IP address or the Management IP address.
To create a static route to an additional gateway:
1 Go to Configure > System and locate the Static Route section.
2 Click Create New to create a new static route.
3 Enter a Name for this access route.
4 Enter a Subnet (in the format A.B.C.D/M, where M is the netmask).
5 Enter the Gateway address.
6 Click OK to save your changes. You can create up to 4 static route entries.
Figure 26.
APs. When failover occurs, all associated APs will continue to provide wireless service to clients during the transition, and will associate to the newly active ZoneDirector within approximately one minute.
This feature is only available using two ZoneDirectors of the same model and number of licensed APs. You cannot enable Smart Redundancy using a ZoneDirector 3000 as the primary and a ZoneDirector 1100 as the backup unit, for example.
8 Click Apply to save your changes and prompt ZoneDirector to immediately attempt to discover its peer on the network.
9 If discovery is successful, the details of the peer device will be displayed to the right.
10 If discovery is unsuccessful, you will be prompted to retry discovery or continue configuring the current ZoneDirector.
11 Install the second ZoneDirector and complete the Setup Wizard.
12 Go to Configure > System, enable Smart Redundancy and enter the primary ZoneDirector’s IP address in Peer Device IP address.
NOTE: If you disable Smart Redundancy after it has been enabled, both ZoneDirectors will revert to active state, which could result in unpredictable network topologies. Therefore, Ruckus Wireless recommends first factory resetting the standby ZoneDirector before disabling Smart Redundancy. NOTE:...
Enabling the Built-in DHCP server NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server if there are no other DHCP servers on the network. ZoneDirector’s internal DHCP server can service only a single subnet (the one it’s in) and not other VLANs that may be associated with client WLANs.
A table appears and lists all current DHCP clients with their MAC address, assigned IP address, and the remaining lease time. You can clear DHCP leases on ZoneDirector by disabling and re-enabling the DHCP service.
Figure 32. To view current DHCP clients, click the “click here” link
Controlling ZoneDirector Management Access
The Management Access Control option can be used to control access to ZoneDirector’s management interface. The Management Access Control interface is located on the Configure >...
ACL that prevents the admin’s own IP address from accessing the web interface.
5 Click OK to confirm. You can create up to 16 entries to the Management ACL.
Figure 33. Management Access Control
Figure 34. Creating a new ZoneDirector management ACL
Setting the System Time
The internal clock in ZoneDirector is automatically synchronized with the clock on your administration PC during the initial setup. You can use the web interface to check the current time on the internal clock, which shows up as a static notation in the Configure tab workspace.
APs under its control.
To set the Country Code to the proper location:
1 Go to Configure > System.
2 Locate the Country Code section, and choose your location from the pull-down menu.
3 Click Apply to save your settings.
DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be available for use by your APs. Note that these settings only affect Ruckus Wireless APs that support the extended DFS channel list. Channel Optimization settings are described in the following table.
Germany restricts channels in the 5.15 GHz to 5.25 GHz band to indoor use. When ZoneFlex Outdoor APs and Bridges with 5 GHz radios (ZoneFlex 7762, 7782, 7761-CM and 7731) are set to a country code where these restrictions apply, the AP or Bridge can no longer be set to an indoor-only channel and will no longer select from amongst a channel set that includes these indoor-only channels when SmartSelect or Auto Channel selection is used, unless the administrator configures the AP to allow use of these channels.
ZoneDirector to supply client association information to a third party application that can then deploy ACL policies to a firewall based on client association information such as user name, IP, MAC address, etc. First, ZoneDirector retrieves client association information, then reorganizes the information and sends it to the syslog server, from which it can be collected by the third party software and sent to the firewall for access restriction based on client association information.
4 Click Apply to save your settings.
5 The script on the syslog server extracts user information from the log message and sends it to the firewall.
A similar flow can be used to remove user mappings if the station sends a disconnect message.
Log format
The log format consists of the following fields:
• operation: Indicates whether to add, delete or update client association information.
• sta_ip: Indicates the IP address of station.
•...
5 Repeat step 4 for Managed AP Settings. ZoneDirector and Access Points can use different facility and priority settings. All managed APs share the same facility and priority settings.
Figure 40. Remote Syslog Advanced Settings
Setting Up Email Alarm Notifications
If an alarm condition is detected, ZoneDirector will record it in the event log. If you prefer, an email notification can be sent to a configured email address of your choosing.
TLS check box. Check with your ISP or mail administrator for the correct encryption settings that you need to set. If using a Yahoo! email account, STARTTLS must be disabled. If using a Hotmail account, both TLS and STARTTLS must be enabled.
6 To verify that ZoneDirector can send alarm messages using the SMTP settings you configured, click the Test button.
• If ZoneDirector is able to send the test message, the message Success! appears at the bottom of the Email Notification page.
3 Enter your Account SID, Auth Token and From Phone Number (Twilio) or your User Name, Password and API ID (Clickatell).
4 Click the Test button to test your settings.
5 Once confirmed, click Apply to save your changes.
You can now allow guest pass generators to deliver guest pass codes to guests using the SMS button when generating a new guest pass. (You must also enter a phone number for receiving the SMS messages for each guest pass created.)
Figure 42.
Enabling Management via FlexMaster
If you have a Ruckus Wireless FlexMaster server installed on the network, you can enable FlexMaster management to centralize monitoring and administration of ZoneDirector and other supported Ruckus Wireless devices. This version of ZoneDirector supports the following FlexMaster-deployed tasks:
•...
Figure 43. The FlexMaster Management options
Monitoring ZoneDirector Performance from FlexMaster
If you want to monitor ZoneDirector’s performance statistics from FlexMaster, select Enable Performance Monitoring, enter an update interval, and click Apply. This option is disabled by default.
The procedure for enabling ZoneDirector’s internal SNMP agent depends on whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides security enhancements over the earlier version, and therefore requires you to enter authorization passwords and encryption settings instead of simple clear text community strings.
ZoneDirector with SNMPv3 enabled. NOTE: For a list of the MIB variables that you can get and set using SNMP, check the related SNMP documentation on the Ruckus Wireless Support Web site at http://support.ruckuswireless.com/documents. If your network uses SNMPv2 To enable SNMPv2 management: 1 Go to Configure >...
• Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in length.
• Privacy: Choose DES, AES or None.
DES: Data Encryption Standard, data block cipher.
AES: Advanced Encryption Standard, data block cipher.
None: No Privacy passphrase is required.
• Privacy Phrase: If either DES or AES is selected, enter a Privacy phrase between 8 and 32 characters in length.
4 Click Apply to save your changes.
Figure 46. Enabling the SNMPv3 agent
Enabling SNMP Trap Notifications
If you have an SNMP trap receiver on the network, you can configure ZoneDirector to send SNMP trap notifications to the server.
• If you select SNMPv3, enter up to four trap receiver IP addresses along with authentication method passphrase and privacy (encryption) settings.
4 Click Apply to save your changes.
Figure 47. Enabling SNMPv2 trap notifications
Figure 48. Enabling SNMP trap notifications with SNMPv3
Trap Notifications That ZoneDirector Sends
There are several events for which ZoneDirector will send trap notifications to the SNMP server that you specified. Table 15 lists the trap notifications that ZoneDirector sends and when they are sent.
A client has roamed away from an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamIn    A client has roamed in to an AP. The client's MAC address, AP's MAC address and SSID are included.
Table 15. Trap notifications
Trap Name    Description
ruckusZDEventClientAuthFailed    A client authentication attempt has failed. The client's MAC address, AP's MAC address, SSID and failure reason are included.
ruckusZDEventClientAuthorizationFailed    A client authorization attempt to join an AP has failed.
To configure DHCP Relay for tunneled WLANs:
1 Go to Configure > DHCP Relay.
2 Click Create New.
3 Enter a Name and IP address for the server.
4 Click OK to save your changes. The new server appears in the list.
Figure 49. Creating a DHCP Relay server
To enable DHCP Relay for a WLAN:
1 Go to Configure > WLANs.
2 If creating a new WLAN, click Create New. Otherwise, click Edit for the WLAN you want to configure.
Bonjour services from one VLAN to another. ZoneDirector’s Bonjour Gateway feature addresses this requirement by providing an mDNS proxy service configurable from the web interface to allow administrators to specify which types of Bonjour services can be accessed from/to which VLANs.
Creating a Bonjour Gateway Rule - ZD Site
In order for the Bonjour Gateway to function, the following network configuration requirements must be met:
1 The target networks must be segmented into VLANs.
2 VLANs must be mapped to different SSIDs.
3 The controller must be connected to a VLAN trunk port.
• Some APs of one local area link must be in one subnet. The switch interfaces connected to these APs in a local area link must be configured in VLAN-trunk mode. Only by doing so can the designated AP receive all the multicast Bonjour protocol packets from other VLANs.
Creating a Bonjour Gateway Rule - AP Site
• Dynamic VLANs are not supported.
• Some AP models are incompatible with this feature due to memory requirements.
To configure rules for AP site bridging Bonjour services across VLANs:
1 Go to Configure >...
The following example illustrates how ZoneDirector’s Bonjour Gateway can be used to allow users to access Bonjour resources on different VLANs in a school setting, where access to certain resources must generally be separated between teachers and students, but where sharing may sometimes be necessary.
Example Network Setup
• Assume a network with three VLANs mapped to separate SSIDs, all on separate subnets or multicast domains. The three segments host different devices for different users:
• Classroom SSID (VLAN 100): WEP authentication, includes an iMac desktop for file sharing and iOS Sync for backup, and an Apple TV attached to a projector.
Configuring Security and Other Services
In this chapter:
• Configuring Self Healing Options
• Configuring Wireless Intrusion Prevention
• Controlling Network Access Permissions
• Using an External AAA Server
ZoneDirector offers two methods of automatic channel selection for spectrum utilization and performance optimization:
• ChannelFly
• Background Scanning
While Background Scanning must be enabled for rogue AP detection, AP location detection and radio power adjustment, either can be used for automatic channel optimization.
ChannelFly
The main difference between ChannelFly and Background Scanning is that ChannelFly determines the optimal channel based on real-time statistical analysis of actual throughput measurements, while Background Scanning uses channel measurement and other techniques to estimate the impact of interference on Wi-Fi capacity based on progressive scans of all available channels.
• Automatically adjust 2.4 GHz channels using Background Scanning ChannelFly
• Automatically adjust 5 GHz channels using Background Scanning ChannelFly
3 Click the Apply button in the same section to save your changes.
Figure 55. Self Healing options
NOTE: ChannelFly channel selection data is persistent across reboots for the following APs only: 7982, 7782, 7782-x, 7781-CM, SC-8800-S. It is not persistent across power cycles for any AP.
Background Scanning
Using Background Scanning, ZoneDirector regularly samples the activity in all Access Points to assess RF usage, to detect rogue APs and to determine which APs are near each other for mesh optimization.
To see whether Background Scanning is enabled or disabled for a particular AP, go to Monitor > Access Points, and click on the AP’s MAC address. The access point detail screen displays the Background Scanning status for each radio.
Figure 57. Viewing whether Background Scanning is enabled for an AP
Load Balancing
Enabling load balancing can improve WLAN performance by helping to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle.
To enable Load Balancing globally:
1 Go to Configure > Services.
2 In Load Balancing, choose to perform load balancing on either the 2.4 or 5 GHz radio.
3 Enter Adjacent Radio Threshold (in dB), and click Apply.
Figure 58. Enable Load Balancing across adjacent APs by radio type
To disable Load Balancing on a per-WLAN basis:
1 Go to Configure > WLANs.
2 Click the Edit link beside the WLAN for which you want to disable load balancing.
3 Click the Advanced Options link to expand the options.
2.4 GHz and 5 GHz radios. This feature is enabled by default and set to a target of 25% of clients connecting to the 2.4 GHz band. To balance the load on a radio, the AP encourages dual-band clients to connect to the 5 GHz band when the configured percentage threshold is reached.
Figure 60. Distributing clients between the 2.4 and 5 GHz radios
Radar Avoidance Pre-Scanning
The Radar Avoidance Pre-Scanning (RAPS) setting allows pre-scanning of DFS channels in the 5 GHz band to ensure the channel is clear of radar signals prior to transmitting on the channel.
To enable AeroScout RFID tag detection on ZoneDirector:
1 Go to Configure > Services.
2 Scroll down to the AeroScout RFID section (near the bottom of the page).
3 Select the Enable AeroScout RFID tag detection check box.
Configuring Self Healing Options Ekahau Tag Detection 4 Click the Apply button in the same section to save your changes. ZoneDirector enables AeroScout RFID tag detection on all its managed APs that support this feature. Figure 62. Enabling AeroScout Tag detection NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup is not optimal (according to AeroScout documents).
1 Go to Configure > Services, and scroll down to the Active Client Detection section. 2 Click the check box next to Enable client detection ... and enter an RSSI threshold, below which an event will be triggered. 3 Click Apply to save your changes. Ruckus Wireless, Inc.
Configuring Self Healing Options Tunnel Configuration Figure 64. Enabling active client detection A low severity event is now triggered each time a client connects with an RSSI lower than the threshold value entered. Go to Monitor > All Events/Activities to monitor these events.
Page 122
Packet Inspection Filter (see Packet Inspection Filter). 4 Click Apply in the same section to save your changes. Figure 65. Set tunnel configuration parameters for all WLANs with tunnel mode enabled. Ruckus Wireless, Inc.
(10~1200 seconds, default is 30). Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list under Monitor > Access Control. 3 Click Apply to save your changes. Ruckus Wireless, Inc.
Configuring Wireless Intrusion Prevention

Figure 67. Denial of Service (DoS) prevention options

Intrusion Detection and Prevention

ZoneDirector’s intrusion detection and prevention features rely on background scanning results to detect rogue access points connected to the network and optionally, prevent clients from connecting to malicious rogue APs.

BSSID (MAC) to prevent wireless clients from connecting to the malicious rogue AP. This option is disabled by default.
2 Click the Apply button that is in the same section to save your changes.

Figure 68. Intrusion Prevention options

Detecting Rogue Access Points for more information on monitoring and handling rogue devices.

Rogue DHCP Server Detection

A rogue DHCP server is a DHCP server that is not under the control of network administrators and is therefore unauthorized.

3 Click the Apply button that is in the same section.
You have completed enabling rogue DHCP server detection. Ruckus Wireless recommends checking the Monitor > All Events/Activities page periodically to determine if ZoneDirector has detected any rogue DHCP servers. When a rogue...

Figure 69. Enabling Rogue DHCP server detection

ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
7 Click OK to save the L2/MAC based ACL.
You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128 MAC addresses. Each WLAN can be configured with one L2 ACL.

Controlling Network Access Permissions

Figure 70. Configuring an L2/MAC access control list

Creating Layer 3/Layer 4/IP Address Access Control Lists

In addition to L2/MAC based ACLs, ZoneDirector also provides access control options at Layer 3 and Layer 4. This means that you can configure the access control options based on a set of criteria, including:
•...

• Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80-443).
8 Click OK to save the ACL.
9 Repeat these steps to create up to 32 L3/L4/IP address-based access control rules.

Figure 71. Configuring an L3/L4 access control list

Configuring Device Access Policies

In response to the growing numbers of personally owned mobile devices such as smart phones and tablets being brought into the network, IT departments are requiring more sophisticated control over how devices connect, what types of devices can connect, and what they are allowed to do once connected.

2 To edit an existing WLAN, click Edit next to the WLAN you want to edit.
3 Expand the Advanced Options, and locate the Access Control section.
4 In Device Policy, select the policy you created from the list.
5 Click OK to save your changes.

Figure 73. Applying a device access policy for a WLAN

Configuring Client Isolation White Lists

When Wireless Client Isolation is enabled on a WLAN, all communication between clients and other local devices is blocked at the Access Point. To prevent clients from communicating with other nodes, the Access Point drops all ARP packets from stations on the WLAN where client isolation is enabled and which are destined to IP addresses that are not part of a per-WLAN white list.

• Isolate wireless client traffic from other clients on the same AP: Enable client isolation on the same Access Point (clients on the same subnet but connected to other APs will still be able to communicate).
• Isolate wireless client traffic from all hosts on the same VLAN/subnet: Prevent clients from communicating with any other hosts on the same subnet or VLAN other than those listed on the Client Isolation Whitelist. If this option is chosen, you must select a Whitelist from the drop-down list of those you created on the Configure >...

There is no distinction between the TCP and UDP protocols, so take care when blocking a specific application port: the rule applies to both protocols and may inadvertently block another application that uses the same port over the other protocol.
Figure 76. Blocking an application by HTTP host name

Configuring User Defined Applications

When an application is unrecognized and generically (or incorrectly) categorized, you can configure an explicit application identification policy by IP Address/Mask, Port and Protocol.

Figure 78 shows how an Application Port Mapping policy could be used to identify all port 8081 wireless traffic as “HTTP Proxy” traffic and display this name in application recognition pie charts and tables.

Figure 78. Application Port Mapping

Well-Known Service and Destination Port Mappings Defined in Application Visibility

ZoneDirector automatically identifies several hundred applications for use in application recognition and denial policies. The following links provide lists of many of the most common applications and ports that are included:
•...

6 Click Save to save the rule. You can create up to two rules per policy. The rules will be applied in the order shown in the Order column.
7 Click OK to save the precedence policy. This policy is now available for selection in WLAN configuration.

Figure 79. Precedence Policy settings

Blocking Client Devices

When users log into a ZoneDirector network, their client devices are recorded and tracked. If, for any reason, you need to block a client device from network use, you can do so from the web interface.

1 Look at the Status column to identify any “Unauthorized” users.
2 Click the Delete button in the Action column in a specific user row.
The entry is deleted from the Active/Current Client list, and the listed device is disconnected from your Ruckus Wireless WLAN.

1 Look at the Status column to identify any unauthorized users.
2 Click the Block button in the Action column in a specific user row.
The status is changed to Blocked. This will prevent the listed device from using your Ruckus Wireless WLANs.

Reviewing a List of Previously Blocked Clients

1 Go to Configure > Access Control.
2 Review the Blocked Clients table.
3 You can unblock any listed MAC address by clicking the Unblock button for that address.

Figure 83. Unblocking a previously blocked client
Active Directory server in one of two ways:
• Single Domain Active Directory Authentication
• Multi-Domain Active Directory Authentication

Single Domain Active Directory Authentication

To enable Active Directory authentication for a single domain:
Using an External AAA Server Active Directory
1 Go to Configure > AAA Servers.
2 Click the Edit link next to Active Directory.
3 Do not enable Global Catalog support.
4 Enter the IP address and Port of the AD server. The default Port number (389) should not be changed unless you have configured your AD server to use a different port.

NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database.
6 Click OK to save changes.
7 To test your authentication settings, see Testing Authentication Settings.

Figure 85. Active Directory with Global Catalog enabled

LDAP

ZoneDirector supports several of the most commonly used LDAP servers, including:
• OpenLDAP
• Apple Open Directory
• Novell eDirectory
• Sun JES (limited support)

To enable LDAP user authentication for all users:
1 Click the Edit link next to LDAP on the Configure >...

For example, objectClass=Person limits the search to those whose “objectClass” attribute is equal to “Person”. More complicated examples are shown when you mouse over the “show more” section, as shown in Figure 87 below.

Figure 87. LDAP search filter syntax examples
Mouse over “show more”

Group Extraction

By using the Search Filter, you can extract the groups to which a user belongs, as categorized in your LDAP server. Using these groups, you can attribute Roles within ZoneDirector to members of specific groups.
Accounting server is used for authentication or accounting, user credentials can be entered as a standard username / password combination, or client devices can be limited by MAC address. If using MAC address as the authentication method, you must enter the MAC addresses of each client on the AAA server, and any clients attempting to access your WLAN with a MAC address not listed will be denied access.
A RADIUS/RADIUS Accounting server can be used with 802.1X, MAC authentication, Web authentication (captive portal) and Hotspot WLAN types.

6 In Reconnect Primary, enter the number of minutes after which ZoneDirector will attempt to reconnect to the primary RADIUS server after failover to the backup server.

Figure 89. Enable backup RADIUS server

• All caps colon separated: AA:BB:CC:DD:EE:FF
3 Log in to the ZoneDirector web interface, and go to Configure > WLANs.
4 Click the Edit link next to the WLAN you would like to configure.
5 Under Authentication Options: Method, select MAC Address.
6 Under Authentication Server, select your RADIUS Server.
7 Select the MAC Address Format according to your RADIUS server’s requirements.
8 Click OK to save your changes.

Figure 91. RADIUS authentication using MAC address

You have completed configuring the WLAN to authenticate users by MAC address from a RADIUS server.

2 Under Authentication Options: Method, select 802.1X EAP.
3 Under Encryption Options: Method, select None.
4 Under Authentication Server, select either Local Database or a previously configured RADIUS server from the list.
5 Click OK to save your changes.

RADIUS Attributes

Ruckus products communicate with an external RADIUS server as a RADIUS client. Packets from Ruckus products are called “access-request” or “accounting-request” messages. The RADIUS server, in turn, sends an “access-challenge”, “access-accept”...
==> (24) State: if radius access-challenge in last received radius msg from AAA
(80) Message Authenticator
(95) NAS IPv6 address (if using/talking to an IPv6 RADIUS server)
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)

Figure 93. RADIUS attributes used in authentication
WLAN Type: 802.1X / MAC Auth
Attributes sent from RADIUS server in Access Accept messages:
(1) User name
(25) Class
(27) Session-timeout & (29) Termination-action: Session-timeout event becomes a disconnect event or re-authentication event if termination-action indicates "(1) radius-request"...

(2) WISPr location name
(4) WISPr redirection URL
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
(80) Message Authenticator

RADIUS Accounting attributes

The following table lists attributes used in RADIUS accounting messages.

Table 16. RADIUS attributes used in Accounting
WLAN Type: 802.1X / MAC Auth
Common to Start, Interim Update, and Stop messages
(1) User Name
(4) NAS IP Address
(5) NAS Port
(8) Framed IP
(30) Called Station ID: user configurable
(31) Calling Station ID: format is sta's mac...

(64) Tunnel-Type: value only relevant if it is (13) VLAN
(65) Tunnel-Medium-Type: value only relevant if it is (6) 802 (as in all 802 media plus Ethernet)
(81) Tunnel-Private-Group-ID: this is the VLAN ID assignment (per RFC, this is between 1 and 4094)
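The three tunnel attributes above are the ones a RADIUS server has to return correctly for a VLAN assignment to be honored. As an added example (not part of the Ruckus guide), the Python code below parses a constructed Access-Accept packet and checks that Tunnel-Type is VLAN (13), Tunnel-Medium-Type is 802 (6) and Tunnel-Private-Group-ID is a VLAN ID between 1 and 4094. The function names and the sample packet are assumptions made for illustration, and the Response Authenticator is not verified because that needs the shared secret.

```python
import struct

ACCESS_ACCEPT = 2                 # RADIUS packet code for Access-Accept
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13             # "(13) VLAN"
TUNNEL_MEDIUM_802 = 6             # "(6) 802"


def parse_attributes(packet):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data received")
    attrs, pos = [], 20           # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")


def group_id(value):
    """Tunnel-Private-Group-ID: a leading byte of 0x1F or below is a tag."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")  # UnicodeDecodeError is a ValueError


def dynamic_vlan_from_accept(packet):
    """Return the VLAN ID an Access-Accept assigns, or raise ValueError."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    found = {}
    for a_type, value in attrs:
        found.setdefault(a_type, value)   # first instance of each attribute
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    missing = [t for t in needed if t not in found]
    if missing:
        raise ValueError(f"missing attributes: {missing}")
    if tagged_int(found[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type is not VLAN (13)")
    if tagged_int(found[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Medium-Type is not 802 (6)")
    text = group_id(found[TUNNEL_PRIVATE_GROUP_ID])
    if not text.isdigit():
        raise ValueError("Tunnel-Private-Group-ID is not a number")
    vlan = int(text)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID outside 1..4094")
    return vlan


def build_packet(code, attrs):
    """Build a constructed test packet; the authenticator is all zeros."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: an Access-Accept placing a user on VLAN 14.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (1, b"user1"),                                  # (1) User name
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),             # tag 0, value 13
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),      # tag 0, value 6
    (TUNNEL_PRIVATE_GROUP_ID, b"0014"),             # untagged string
])

if __name__ == "__main__":
    print("VLAN assigned:", dynamic_vlan_from_accept(SAMPLE_ACCEPT))
```

Running the same check against a capture of your own server's Access-Accept shows quickly whether a client that stays on the default VLAN is caused by a missing or mis-encoded tunnel attribute.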
Table 16. RADIUS attributes used in Accounting
WLAN Type: WISPr / Web Auth / Guest Access
Common to Start, Interim Update, and Stop messages:
(1) User name
(2) Password
(4) NAS IP address
(5) NAS port
(8) Framed-IP
(30) Called station ID: user configurable...

Properties dialog box.
3 On the Properties dialog box, click Edit Profile... The Edit Dial-in Profile dialog box opens.
4 Click the Authentication tab at the top of the screen.
5 Select Unencrypted authentication (PAP, SPAP).
6 Click OK.
7 Repeat this procedure for additional users or groups.

Figure 94. On the Microsoft IAS page, right-click the user/group and select Properties.

Figure 95. On the Properties page, click Edit Profile...

Figure 96. On the Authentication tab of the Edit Dial-in Profile dialog, select Unencrypted authentication (PAP, SPAP)

You have completed configuring Microsoft IAS for PAP authentication.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is an Authentication, Authorization and Accounting protocol used to authenticate ZoneDirector administrators. ZoneDirector admins can be assigned any of the same three administration privilege levels that can be set manually on the Configure >...

Figure 97. Configuring a TACACS+ AAA server

Once your TACACS+ server is configured on the AAA Servers page, you can select it from the list of servers used to authenticate ZoneDirector administrators on the Administer > Preferences page.

Figure 98. Select TACACS+ for ZoneDirector administrator authentication

Testing Authentication Settings

The Test Authentication Settings feature allows you to query an AAA server for a known authorized user, and return Groups associated with the user that can be used for configuring Roles within ZoneDirector.

• Admin invalid
• User name or password invalid
• Search filter syntax invalid (LDAP only)
These results can be used to troubleshoot the reasons for failure to authenticate users from an AAA server through ZoneDirector.
Managing a Wireless Local Area Network

In this chapter:
• Overview of Wireless Networks
• About Ruckus Wireless WLAN Security
• Creating a WLAN
• Creating a New WLAN for Workgroup Use
• Customizing WLAN Security
• Working with WLAN Groups
•...

WLAN for visitors and any needed WLANs that fulfill different wireless security or user segmentation requirements. The maximum number of WLANs configurable per ZoneDirector controller is as follows:

Figure 99. Max WLANs by ZoneDirector model
Model               Max WLANs
ZoneDirector 1100
ZoneDirector 3000   1024
ZoneDirector 5000   2048

CAUTION! Deploying a large number of WLANs per AP will have a performance impact. Ruckus Wireless recommends deploying no more than eight WLANs per AP radio.

About Ruckus Wireless WLAN Security

One of the first things you should decide for each WLAN you create is which methods of authentication and encryption to use for both internal users and guests.

The WLAN Create New workspace includes the following configuration options used to customize your new WLAN. The individual options are explained in detail in the next section, beginning with General Options.

Table 17. Create new WLAN options
Option                   Description
General Options          Enter WLAN name and description.
WLAN Usages              Select usage type (standard, guest access, hotspot, autonomous).
Authentication Options   Select an authentication method for this WLAN (open, 802.1X EAP, MAC address, 802.1X EAP + MAC Address).

Creating a Hotspot Service.
• Hotspot 2.0: Create a Hotspot 2.0 WLAN. A Hotspot 2.0 Operator must first have been created (Configure > Hotspot 2.0 Services) before it will be available for selection. See Creating a Hotspot 2.0 Service.
• Autonomous: Autonomous WLANs are special WLANs designed to continue providing service to clients when APs are disconnected from ZoneDirector. See Autonomous WLANs.

Autonomous WLANs

The Autonomous WLAN usage type supports Open authentication and WPA2 (WPA2/WPA-Mixed), WEP or no encryption only.

Encryption choices include WPA2, WPA-Mixed, WEP-64, WEP-128 and None. WPA2 is the only encryption method certified by the Wi-Fi Alliance and is the recommended method. WEP has been proven to be easily circumvented, and Ruckus Wireless recommends against using WEP if possible.
Method
•...
• WEP-64: Provides a lower level of encryption, and is less secure, using shared key 40-bit WEP encryption.
• WEP-128: Provides a higher level of encryption than WEP-64, using a shared 104-bit key for WEP encryption. However, WEP is inherently less secure than WPA2.

For example, if you want to prioritize internal traffic over guest WLAN traffic, you can set the priority in the guest WLAN configuration settings to “Low.” By default all WLANs are set to high priority.

Advanced Options

The advanced options can be used to configure special WLANs; for example, you might want to create a special WLAN for VoIP phone use only, or create a student WLAN that should be time-controlled to provide access only during school hours.
•...

• Tunnel Mode: Select this check box if you want to tunnel the WLAN traffic back to ZoneDirector. Tunnel mode enables wireless clients to roam across different APs on different subnets. If the WLAN has clients that require uninterrupted wireless connection (for example, VoIP devices), Ruckus Wireless recommends enabling tunnel mode.
NOTE:...

• Load Balancing: Client load balancing between APs is disabled by default on all WLANs. To disable load balancing for this WLAN only (when enabled globally), check this box. Ruckus Wireless recommends disabling load balancing on VoIP WLANs. For more information, see Load Balancing.

Click on a day of the week to enable/disable this WLAN for the entire day. Colored cells indicate WLAN enabled. Click and drag to select specific times of day. You can also disable a WLAN temporarily for testing purposes, for example.

NOTE: This feature will not work properly if ZoneDirector does not have the correct time. To ensure ZoneDirector always maintains the correct time, configure an NTP server and point ZoneDirector to the NTP server’s IP address, as described in Setting the System Time.

If these options are not enabled, the AP will send neighbor reports consisting of only APs found on the same channel as the operating channel of the AP.

Figure 101. Advanced options for creating a new WLAN

Figure 102. Configuring WLAN service schedule

Creating a New WLAN for Workgroup Use

If you want to create an additional WLAN based on your existing default WLAN and limit its use to a select group of users (e.g., Marketing, Engineering), you can do so by following these steps:
1 Make a list of the group of users.
3 You have three options for the internal WLAN: [1] continue using the current configuration, [2] fine-tune the existing security mode, or [3] replace this mode entirely with a different authentication and encryption method. The two WLAN-editing processes are described separately, below.

Figure 103. Viewing WLAN security configurations from the Monitor > WLANs page

Fine-Tuning the Current Security Mode

To keep the original security mode and fine-tune its settings:
1 Go to Configure > WLANs.
2 In the Internal WLAN row, click Edit.

MAC addresses. Before you can use this option, you need to add your external RADIUS server to ZoneDirector’s Configure > AAA Servers page. You also need to define the MAC addresses that you want to allow on the RADIUS server.

7 When you are finished, click OK to apply your changes.

NOTE: Replacing your WPA configuration with 802.1X requires the users to make changes to their Ruckus wireless connection configuration, which may include the importation of certificates.

Using the Built-in EAP Server

(Requires the selection of “Local Database”...

WLAN groups to do this. For example, if your wireless network covers three building floors (1st Floor to 3rd Floor) and you need to provide wireless access to visitors on the 1st Floor, you can do the following:

The maximum number of WLAN groups that you can create depends on the ZoneDirector model.

Table 18. Maximum number of WLAN groups by ZoneDirector model
ZoneDirector Model   Max WLAN Groups
ZoneDirector 1100
ZoneDirector 3000    1024
ZoneDirector 5000    2048

Creating a WLAN Group

1 Go to Configure >...

Assigning a WLAN Group to an AP

1 Go to Configure > Access Points.
2 In the list of access points, find the MAC address of the AP that you want to assign to a WLAN group, and then click Edit.
3 In WLAN Group, click Override Group Config and select the WLAN group to which you want to assign the AP. Each AP (or radio, on dual radio APs) can only be a member of a single WLAN group.

• Verifying that those trunk ports are on the same native VLAN.
Example configuration (Figure 106): VLAN 20 is used for internal clients, VLAN 30 is used for guest clients, and Management VLAN configuration is optional.
Deploying ZoneDirector WLANs in a VLAN Environment

Figure 106. Sample VLAN configuration

You must ensure that switch ports are configured properly to pass the VLAN traffic necessary for ZoneDirector, AP and client communications. In the sample VLAN scenario above, the switch ports would need to be configured as follows:
•...

5 In Device IP Settings, enter the VLAN ID in the Access VLAN field.
6 If you are using an additional management interface for ZoneDirector, enter the same ID in the Access VLAN field for the additional management interface.
7 Click Apply to save your settings.

NOTE: ZoneDirector will need to be rebooted after changing management VLAN settings.

8 Go to Administer > Restart, and click Restart to reboot ZoneDirector.

CAUTION! When configuring or updating the management VLAN settings, make sure that the same VLAN settings are applied on the Configure >...

2 In Authentication Server, select the RADIUS server that you configured on the AAA Servers page.
3 Expand the Advanced Settings section and click the Enable Dynamic VLAN box next to Access VLAN.
4 Click OK to save your changes.

Figure 109. Enabling Dynamic VLAN

Priority of VLAN, Dynamic VLAN and Tunnel Mode

If the VLAN, Dynamic VLAN and Tunnel Mode features are all enabled and they have conflicting rules, ZoneDirector prioritizes and applies these three features in the following order:
1 Dynamic VLAN (top priority)
2 VLAN...

                          VLAN (13)
Tunnel-Medium-Type        802 (6)
Tunnel-Private-Group-Id   VLAN ID

Here is an example of the required attributes for three users as defined on Free RADIUS:

0018ded90ef3
    User-Name = user1,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 0014
00242b752ec4
    User-Name = user2,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 0012
013469acee5
    User-Name = user3,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 0012

The values in bold are the users' MAC addresses.

NOTE:

Working with Hotspot Services

A hotspot is a venue or area that provides Internet access to devices with wireless...
HTTP or HTTPS.
5 In Login Page (under Redirection), type the URL of the captive portal (the page where hotspot users can log in to access the service).
6 Configure optional settings as preferred:
• In Start Page, configure where users will be redirected after successful login. You could redirect them to the page that they want to visit, or you could set a different page where users will be redirected (for example, your company website).

The page refreshes and the hotspot service you created appears in the list. You may now assign this hotspot service to the WLANs that you want to provide hotspot Internet access, as described in Assigning a WLAN to Provide Hotspot Service.

Figure 110. Creating a Hotspot service

NOTE: If ZoneDirector is located behind a NAT device and signed certificates are used with portal authentication, a static entry must be added to the DNS server to resolve ZoneDirector’s private IP address to its FQDN. Otherwise, client browsers may enter an infinite redirect loop and be unable to reach the login page.

For a more complete guide on enabling WISPr Hotspot services with ZoneDirector, refer to the Ruckus Enabling WISPr Application Note.

Table 20. Common WISPr Attributes
Abbreviation   Description
               The IP address of ZoneDirector.
               The MAC address of the Access Point (Ethernet).
               The Location ID of the Hotspot service.
               The client’s real IP address. In a Layer 3 NAT environment, the client’s IP address will be translated to the gateway’s IP address when logging to the Hotspot service.

Contains cellular information such as network advertisement information to assist a 3GPP station in selecting an AP for 3GPP network access, as defined in Annex A of 3GPP TS 24.234 v8.1.0. Up to eight entries can be created.
Page 215
Creating a Hotspot 2.0 Service Create a Service Provider Profile 4 Click OK to save your changes. 5 Continue to Create an Operator Profile. Figure 112. Creating a Service Provider Profile Create an Operator Profile To create an Operator Profile: 1 Go to Configure >...
Page 216
Connection Capability Provides information on the connection status within the hotspot of the most commonly used communications protocols and ports. 11 static rules are available, as defined in WFA Hotspot 2.0 Technical Specification, section 4.5. Ruckus Wireless, Inc.
Page 217
Creating a Hotspot 2.0 Service Create a Service Provider Profile Figure 113. Hotspot 2.0 Operator profile configuration options Option Description Additional Connection Capability Allows addition of custom connection capability rules. Up to 21 custom rules can be created. 4 Click OK to save this Operator Profile. 5 Continue to Create a Hotspot 2.0 WLAN.
Page 218
DGAF option. This option prevents stations from forwarding group-addressed (multicast/broad- cast) frames and converts group-addressed DHCP and ICMPv6 router advertisement packets from layer 2 multicast to unicast. 7 Click OK to save your changes. Ruckus Wireless, Inc.
AP venue names for individual APs. Working with Dynamic Pre-Shared Keys Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of normal Pre-shared Key (PSK) wireless networks. Unlike typical PSK networks, which share a single key amongst all devices, a Dynamic PSK network assigns a unique key to every authenticated user.
Local Database or RADIUS Server. 8 Ensure that the Zero-IT Activation check box is enabled. 9 Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62 characters). Ruckus Wireless, Inc.
Working with Dynamic Pre-Shared Keys Setting Dynamic Pre-Shared Key Expiration • Limit DPSK: By default each authenticated user can generate multiple DPSKs. Select this option to limit the number of DPSKs each user can generate (1-4). 10 Click OK to save your settings. This WLAN is now ready to authenticate users using Dynamic Pre-Shared Keys once their credentials are verified against either the internal database or an external RADIUS server.
Page 222
If you change the dynamic PSK expiration period, the new expiration period will only be applied to new PSKs. Existing PSKs will retain the expiration period that was in effect when the PSKs were generated. To force expiration, go to Monitor > Generated PSK/Certs. Ruckus Wireless, Inc.
Working with Dynamic Pre-Shared Keys Generating Multiple Dynamic PSKs Generating Multiple Dynamic PSKs If you will be generating DPSKs frequently (for example, to configure school-owned laptops in batch), you may want to generate multiple DPSKs at once and distribute them to your users in one batch. Before performing this procedure, check your WLAN settings and make sure that the Dynamic PSK check box is selected.
5 Go back to the Dynamic PSK Batch Generation section, and then complete steps 4 to 6 in “Generating Multiple Dynamic PSKs” above to upload the batch dynamic PSK profile and generate multiple dynamic PSKs. Ruckus Wireless, Inc.
Figure 118. DPSK batch generation

Enabling the Bypass Apple CNA Feature
Some Apple iOS and OS X clients include a feature called Captive Network Assistant (Apple CNA), which allows clients to connect to an open captive portal WLAN without displaying the login page.
3 Select any or all of the following WLAN types for which you want to bypass the Apple CNA feature:
• Web Authentication
• Guest Access
• Hotspot service
4 Click Apply to save your changes.
Figure 119. Enabling the Bypass Apple CNA Feature

Managing Access Points
In this chapter:
• Adding New Access Points to the Network
• Working with Access Point Groups
• Reviewing Current Access Point Policies
• Importing a USB Software Package
• Managing Access Points Individually
• Optimizing Access Point Performance
ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
2 Write down the MAC address (on the bottom of each device) and note the specific location of each AP as you distribute them.
3 Connect the APs to the LAN with Ethernet cables.
NOTE: If using Gigabit Ethernet, ensure that you use Cat5e or better Ethernet cables.

Verifying/Approving New APs
NOTE: By default, Ruckus Wireless APs will attempt to obtain an IP address via DHCP as soon as they are connected to the network. If you do not want the AP to automatically request an IP address, you must first configure a static IP address using the AP web interface or CLI before connecting them to your network.
Figure 121. The Monitor > Access Points page
> Edit [AP MAC address]) and set the Tx Power setting to a lower setting.
Table 22. Maximum number of AP groups by ZoneDirector model
ZoneDirector Model Max AP Groups ZoneDirector 1100 ZoneDirector 3000 ZoneDirector 5000
2.4 GHz or 5 GHz radio. If 11n only Mode is enabled, all older 802.11b/g devices will be denied access to the radio.
WLAN Group: Specify which WLAN group this AP group belongs to.
Setting: Description
Call Admission Control: (Disabled by default). Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information.
Spectralink (Disabled by default).

Modifying Access Point Group Membership
When more than one AP group exists, you can move APs between groups using the Group Settings section of the Editing [AP Group] form.
To add more access points to this group:
1 In Group Settings, click Add more Access Points to this group (or Add more Access Points from System Default group to this group).
2 Select the APs you want to add, and click Add to this group. The AP is added to the Members list above.

Modifying Model Specific Controls
3 Locate the Model Specific Control section, and select the AP model that you want to configure from the list.
4 In Port Setting, select Override System Default. The screen changes to display the Ethernet ports on the AP model currently selected.
5 Deselect the check box next to Enable to disable this LAN port entirely. All ports are enabled by default.
6 Select DHCP_Opt82 if you want to enable this option for this port (see “DHCP Option 82”).
Figure 124. The ZoneFlex 7982 has two Ethernet ports, LAN1 and LAN2
Figure 125. The ZoneFlex 7025/7055 has four front-facing Ethernet ports and one rear port
AP’s MAC address, or the client MAC plus ESSID or AP MAC plus ESSID. Sub-option 150 can be enabled to encapsulate the VLAN ID. Sub-option 151 can be enabled to encapsulate either the ESSID or a configurable Area Name.
Figure 126. Enabling DHCP Option 82 sub-options for a WLAN

Designating Ethernet Port Type
Ethernet ports are defined as one of the following port types:
• “Trunk Ports”
• “Access Ports”
•...
VLAN 1 VLAN (VLAN 1). is sent untagged.
Access Port, Untag VLAN [2-4094]: All incoming traffic is sent to the VLANs specified. Only traffic belonging to the specified VLAN is forwarded. All other VLAN traffic is dropped.

General Ports
General ports are user-specified ports that can have any combination of up to 20 VLAN IDs assigned. Enter multiple valid VLAN IDs separated by commas or a range separated by a hyphen.

Using Port-Based 802.1X
802.1X authentication provides the ability to secure the network and optionally bind service policies for an authenticated user.
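The General port VLAN entry format described above (comma-separated IDs, hyphenated ranges, up to 20 VLAN IDs) can be checked and normalized before a port plan is entered, so that two plans can be compared during a change review. The Python below is an added example, not Ruckus code; it assumes the limit of 20 counts individual VLAN IDs after ranges are expanded and that valid IDs are 1-4094, and the port names and sample strings are constructed.

```python
import re

MAX_VLANS = 20                 # "up to 20 VLAN IDs" (assumed to count expanded IDs)
VLAN_MIN, VLAN_MAX = 1, 4094   # assumed valid 802.1Q ID range
_ENTRY = re.compile(r"([0-9]+)(?:-([0-9]+))?")


class VlanListError(ValueError):
    """Raised when a VLAN membership string is malformed or out of policy."""


def parse_vlan_list(text, max_vlans=MAX_VLANS):
    """Expand a string such as '10, 20-22,30' into a sorted list of VLAN IDs."""
    vlans = set()
    for raw in text.split(","):
        entry = raw.strip()
        match = _ENTRY.fullmatch(entry)
        if not match:
            raise VlanListError(f"malformed entry: {entry!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise VlanListError(f"reversed range: {entry!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise VlanListError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {entry!r}")
        # Reject oversized ranges before expanding them.
        if high - low + 1 > max_vlans:
            raise VlanListError(f"range {entry!r} exceeds {max_vlans} VLAN IDs")
        vlans.update(range(low, high + 1))
        if len(vlans) > max_vlans:
            raise VlanListError(f"more than {max_vlans} VLAN IDs in total")
    return sorted(vlans)


def format_vlan_list(vlans):
    """Collapse VLAN IDs into canonical comma/hyphen form, e.g. [4, 5, 6, 9] -> '4-6,9'."""
    ids = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def review(port_plan):
    """Return {port: canonical string, or 'REJECT: <reason>'} for each planned port."""
    result = {}
    for port, text in port_plan.items():
        try:
            result[port] = format_vlan_list(parse_vlan_list(text))
        except VlanListError as err:
            result[port] = f"REJECT: {err}"
    return result


# Constructed sample plan; port names and values are illustrative only.
SAMPLE_PLAN = {
    "LAN1": "10, 20-22,30",   # valid, spacing normalized
    "LAN2": "1-4094",         # far more than 20 IDs
    "LAN3": "100-90",         # reversed range
    "LAN4": "5,5,6,4",        # duplicates and unordered IDs
}

if __name__ == "__main__":
    for port, verdict in review(SAMPLE_PLAN).items():
        print(f"{port}: {verdict}")
```

Overlapping or duplicate entries are merged before the limit is applied, so "5,5,6,4" counts as three VLAN IDs.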
MAC-based authenticator.
5 Enable MAC authentication bypass: Enable this option to allow AAA server queries using the MAC address as both the user name and password. If MAC authentication is unsuccessful, the normal 802.1X authentication exchange is attempted.
Figure 127. Enabling Guest VLAN and Dynamic VLAN on a MAC-based 802.1X Authenticator port

AP Ethernet Port as Supplicant
You can also configure a port to act as a supplicant and force it to authenticate itself to an upstream authenticator port.
Figure 128. Configuring an AP Ethernet port as an 802.1X Supplicant

Viewing AP Ethernet Port Status
You can view the status of an AP’s port configuration by going to Monitor > Access Points and clicking on the MAC address of the AP.
Figure 129. Viewing an AP’s Ethernet port configuration
Discovery to provide limited redundancy; however, this method does not provide synchronization of the user database. For information on Smart Redundancy configuration, see Enabling Smart Redundancy. For information on N+1 redundancy using Limited ZD Discovery, see Using Limited ZD Discovery for N+1 Redundancy.
Prefer Primary ZD: Enable this option if you want APs to revert to the primary ZoneDirector’s control after connection to the primary controller is restored.
Keep AP’s Primary and Secondary ZD Settings: Enable this option if you want the AP’s existing settings to take precedence (not be overwritten by secondary controller’s settings after failover to secondary ZD).
Point Policies and locate the Limited ZD Discovery section.
2 Activate the check box next to Only connect to the following ZoneDirector.
3 Enter the IP address of the primary ZoneDirector (the one you are currently configuring) in Primary ZoneDirector Addr.
4 Enter the IP address of the backup ZoneDirector in Secondary ZoneDirector Addr.
5 (Optional) Enable the check box next to Prefer Primary ZD. This ensures that the AP will revert to its primary controller after connection to the primary has been restored.
Default AP Group/WLAN Group. Additionally, you must make sure that the maximum number of APs is not exceeded.
Table 26. Max APs by ZoneDirector model
Model Max APs per controller ZoneDirector 1100 ZoneDirector 3000 ZoneDirector 5000 1000

Importing a USB Software Package
Ruckus ZoneFlex Access Points with USB ports (“SmartPoint”...
3 Once an LWAPP tunnel between the AP and ZoneDirector has been established, ZoneDirector automatically pushes the corresponding USB drivers, network connection scripts and configuration files to the AP.
4 The AP saves the files to its persistent storage.
7 Channel: Manually set the channel used by the AP radio.
8 Tx Power: Manually set the maximum transmit power level relative to the calibrated power.
9 WLAN Group: Specify a WLAN group for this radio.
10 Call Admission Control: (Disabled by default). Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information.
11 Spectralink Compatibility: (Disabled by default). Enable this option if this AP radio will be used as a voice WLAN for Polycom/Spectralink phones.
Root AP, Mesh AP, or Disable (default is Auto). In most cases, Ruckus Wireless recommends leaving this setting on Auto to reduce the risk of isolating a Mesh AP. Select Disable if you do not want this AP to be part of your mesh network.
20 Click OK to save your settings.
Figure 133. Ethernet port configuration - Override Group Config

Configuring Hotspot 2.0 Venue Settings for an AP
If this Access Point will be serving a Hotspot 2.0 hotspot, you can set the Venue Name for the venue at which the AP will be operating.
APs, in terms of coverage. (For detailed information on the Map View, see Using the Map View Tools.)
2 In the Coverage options, select 2.4 GHz or 5 GHz to view coverage for the radio band.
3 When the “heat map” appears, look for the Signal (%) scale in the upper right corner of the map.
4 Note the overall color range, especially colors that indicate low coverage.
5 Look at the floorplan and evaluate the current coverage.
To set a specific WLAN to lower priority:
1 Go to Configure > WLANs.
2 Click the Edit link next to the WLAN for which a lower priority will be set.
3 Select Low next to Priority, and click OK.

Monitoring Your Wireless Network
In this chapter:
• Reviewing the ZoneDirector Monitoring Options
• Importing a Map View Floorplan Image
• Using the Map View Tools
• Evaluating and Optimizing Network Coverage
• Reviewing Current Alarms
• Reviewing Recent Network Events
•...
• Configure: Use the options in this tab to assess the current state of WLAN users, any restricted WLANs, along with the settings for guest access, user roles, etc. You can also combine this tab's options with those in the Administer tab to perform system diagnostics and other preventive tasks.
You can import an unlimited number of floorplan images to ZoneDirector. However, the total file size of all imported floor maps is limited to 2MB on ZoneDirector 1100 and 10MB on ZoneDirector 3000/5000. An error message appears when these file size limits are reached.
5 Drag each marker icon from the upper left corner into its correct location on the floorplan.
When you finish, you can make immediate use of the Map View to optimize your wireless coverage, as detailed in Optimizing Access Point Performance.

Using the Map View Tools
If your worksite floorplan has been scanned in and mapped with APs, the Map View will display a graphical image of your physical Ruckus network AP distribution.
Figure 136.
10 Scale legend: To properly assess the distances in a floorplan, a scaler has been provided so that you can place APs in the most precise location.
11 Open Space Office drop-down list: Open Office Space refers to the methodology used to compute RF coverage/signal% (i.e., heat map) based on the current environment.

AP Icons
Each AP marker has variable features that help indicate identity and status:
A normal AP marker displays the description of the AP and the number of users that are currently associated...
3 After physically relocating the actual APs in accordance with Map View repositioning, reconnect each AP to a power source.
When ZoneDirector has recalibrated the Map View after each AP restart, you can assess your changes and make further adjustments as needed.

Reviewing Current Alarms
If an alarm condition is detected, ZoneDirector will record it in the events log, and if configured, will send an email warning. To review the current alarms and clear all resolved alarm records, follow these steps:
1 Go to Monitor >...
4 You can click Clear All at the bottom of the table to resolve and clear all events in the view.

Monitoring WLAN Status
The Monitor > WLANs page lists the currently deployed WLANs, WLAN Groups, Events/Activities and RADIUS statistics for any WLANs that use RADIUS authentication.
Figure 138. The Monitor > WLANs page
The Applications/Ports pie chart displays user activity by application or port for the selected time span. The Application Performance chart displays uplink and downlink throughput over time. Select time span, AP group and SSID to change the values displayed in the charts.
Figure 139. Monitoring client activity
Click the Show Details button to display detailed application or port usage percentages.
The Inactive Clients table displays a list of inactive clients and can be used to view usage statistics of recently disconnected clients.

Events/Activities
The Events/Activities table displays a client-specific subset of the events listed on the All Events/Activities page.
Figure 141. Monitoring Clients
Charts
General: Displays general information on the client, including OS, AP and WLAN and signal strength indication. Also contains a Client Performance icon (see
Events: Displays a client-specific subset of the events in the All Events/Activities table.
Figure 142. Viewing individual client information and performance statistics

Monitoring Client Performance
The Client Performance graph can be used to track the uplink/downlink throughput of a specific client over time.
To monitor a client’s performance:
1 Go to Monitor > Wireless Clients and locate the client MAC address in the Active Clients list.
The uplink and downlink throughput curves show the actual throughput of the client. These curves are influenced by the user session, and they vary as a function of gaps in browsing activity and internet server response times.

Monitoring Wired Clients
You can also monitor currently connected wired clients using the Monitor > 802.1X Wired Clients page. Note that connected devices will only be displayed when 802.1X is enabled on the Ethernet port to which they are connected. The Clients table lists the wired client’s MAC address, user name or IP address, the AP it is connected to, the port number, VLAN and authorization status.
The number of clients currently connected to this AP.
Bonjour Gateway: Indicates whether Bonjour Gateway service is enabled, disabled or not supported on this AP.
Application Capability: Indicates whether Application Visibility is enabled, disabled or not supported on this AP.
Action: These icons allow you to configure and troubleshoot APs individually. See Using Action Icons to Configure and Troubleshoot APs in a Mesh.

Export to CSV
The Currently Managed APs table can be exported as a CSV file, which can be opened in a spreadsheet program such as Microsoft Excel.
Figure 146. Viewing AP group members

Events/Activities
This table displays an AP-related subset of the information on the Monitor > All Events/Activities page.

Monitoring Individual APs
When you click on the MAC address of any AP, the Monitor > Access Points page changes to a detailed view of information related to that specific AP. You can also click the AP name or MAC address in any of the tables or dashboard widgets in which it appears as a link to go directly to the AP detail page.
“RF Pollution” is a linear index used to describe the level of performance-impacting RF contention and interference that an AP is experiencing. It distills several low-level MAC- and PHY-level error metrics into a single parameter. Values can range from 0 to infinity, although in most normal environments the RF Pollution index will average between 10 and 100. Higher values are indicative of a noisier environment.
• What is RF Pollution measuring? It is measuring the level of RF contention and interference experienced by the AP.
Figure 147. Viewing an individual AP’s information
Figure 148. Monitoring an AP’s performance

Spectrum Analysis
Spectrum analysis provides two real time views of the RF environment using data generated by the AP to chart power levels across the 2.4 and 5GHz frequency bands.
• Instantaneous Samples View (top view): The instantaneous samples plot provides a real time display of signal power across the entire 2.4 or 5GHz frequency bands.
Figure 149. APs that support spectrum analysis display an extra icon in the Actions table
Figure 150. The Spectrum Analysis page

Neighbor APs
ZoneDirector uses several calculations to determine which APs are in proximity to one another. This information can be useful in planning or redesigning your Smart Mesh topology or in troubleshooting link performance issues. Details on neighbor APs include:
•...
This sensor displays the mounting orientation of the AP. Three orientations are possible:
• Desktop/Horizontal Mount
• Ceiling/Horizontal Mount
• Wall/Vertical Mount
Figure 151. AP orientation sensor information

Temperature
This sensor displays the temperature statistics as reported by the AP.
Figure 152. AP temperature sensor information
LAN resources. This would potentially allow even more unauthorized users to access your corporate LAN - posing a security risk. Rogue APs also interfere with nearby Ruckus Wireless APs, thus degrading overall wireless network coverage and performance.
“malicious”, whether user-blocked or another type.
5 If a listed AP is part of another, known neighbor network, click Mark as Known. This identifies the AP as posing no threat, while copying the record to the Known/Recognized Rogue Devices table.
6 To locate rogue APs that do pose a threat to your internal WLAN, click the Map View icon for a device to open the Map View.
7 Open the Map View, and look for rogue AP icons.
To view the status of ZoneDirector’s Ethernet ports, go to Monitor > System Info. The table displays the MAC address, Interface ID, physical link status, link speed, and total packets/bytes received/transmitted on the port since last restart.
Figure 156. Monitoring system Ethernet port information

Monitoring AAA Server Statistics
To monitor AAA servers that you have configured on the Configure > AAA Servers page, go to Monitor > AAA Servers Statistics.
Configure > Access Points > AP Groups page, go to Monitor > Location Services.
NOTE: For information on configuration and administration of Ruckus SmartPositioning Technology (SPoT) service, please refer to the SPoT User Guide, available from the Ruckus support site: https://support.ruckuswireless.com.
Figure 158. Monitoring Location Services

Managing User Access
In this chapter:
• Enabling Automatic User Activation with Zero-IT
• Adding New User Accounts to ZoneDirector
• Managing Current User Accounts
• Creating New User Roles
• Managing Automatically Generated User Certificates and Keys
• Using an External Server for User Authentication
•...

Enabling Automatic User Activation with Zero-IT
Ruckus Wireless Zero-IT Activation allows network users to self-activate their devices for secure access to your wireless networks with no manual configuration required by the network administrator. Once your ZoneFlex network is set up, you need only direct users to the Activation URL, and they will be able to automatically authenticate themselves to securely access your wireless LAN.
Figure 159. Enabling Zero-IT for a WLAN
You have completed enabling Zero-IT for this WLAN. At this point, any user with the proper credentials (username and password) and running a supported operating system can self-provision his/her wireless client to securely access your wireless LANs.
/<zonedirector’s_IP_address>/activate). A WLAN Connection Activation web page appears.
3 Enter User Name and Password, and click OK. If the user name and password are confirmed and the computer is running a supported operating system, an automated script will launch.
Figure 160. Zero-IT automatic activation
4 Run the prov.exe script to automatically configure this computer’s wireless settings for access to the secure internal WLAN.
5 If you are not running a supported operating system, you can manually configure wireless settings by clicking the link at the bottom of the page (see Provisioning Clients that Do Not Support...
Once your wireless network is set up, you can instruct ZoneDirector to authenticate wireless users using an existing Active Directory, LDAP or RADIUS server, or to authenticate users by referring to accounts that are stored in ZoneDirector's internal user database.
• Confirm Password: Re-enter the same password for this user.
NOTE: ZoneDirector 1100 can support up to 1,250 combined total DPSK users and guest passes in the internal database. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes. ZoneDirector 5000 can support up to 20,000 guest passes and 10,000 DPSKs.
4 If a role must be replaced, open that menu and choose a new role for this user. (For more information, see Creating New User Roles.)
5 Click OK to save your settings. Be sure to communicate the relevant changes to the appropriate end user.

Deleting a User Record
1 Go to Configure > Users.
2 When the Users screen appears, review the “Internal User Database.”
3 To delete one or more records, click the check boxes next to those account records.
- either full access or limited access.
5 When you finish, click OK to save your settings. This role is ready for assignment to authorized users.
6 If you want to create additional roles with different policies, repeat this procedure.
Figure 164. The Create New form for adding a role

Role Based Access Control Policy
Using the Role Based Access Control Policy (RBAC) feature, organizations can deploy a single SSID for multiple roles and provide different access privileges based on the user’s role in the organization.
WPA or WPA2 and Dynamic PSK enabled, a unique and random key phrase is generated for each wireless user. Similarly, for a WLAN configured with 802.1X/EAP authentication, a unique certificate for each wireless user is created.
When using the internal user database, automatically generated user certificates and keys are deleted whenever the associated user account is deleted from the user database. In the case of using Windows Active Directory, LDAP or RADIUS as an authentication server, you can delete the generated user keys and certificates by following these steps:
1 Go to Monitor >...
RADIUS server configuration and the choice you made in RADIUS/RADIUS Accounting. Make sure that either PAP or CHAP is enabled on the Remote Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing with testing authentication settings.
Figure 166. The Create New form for adding an authentication server
For more information on configuring an external authentication server, see Using an External AAA Server.

Activating Web Authentication
Web authentication (also known as a “captive portal”) redirects users to a login web page the first time they connect to this WLAN, and requires them to log in before granting access to use the WLAN.
5 Select the preferred authentication server from the Authentication Server drop-down menu.
6 Click OK to save this entry. Repeat this “enabling” process for each WLAN to which you want to apply web authentication.
Figure 167. Activating captive portal/web authentication

Managing Guest Access
In this chapter:
• Configuring Guest Access
• Creating a Guest Access Service
• Creating a Guest WLAN
• Using the BYOD Onboarding Portal
• Working with Guest Passes
6 Under Redirection, select one of the following radio buttons to use/not use redirection:
• Redirect to the URL that the user intends to visit: Allows the guest user to continue to their destination without redirection.
• Redirect to the following URL: Redirect the user to a specified web page (entered into the text box) prior to forwarding them to their destination. When guest users land on this page, they are shown the expiration time for their guest pass.
8 If you want to allow or restrict subnet access based on the application, protocol, or destination port used, click the Advanced Options link, and then configure the settings.
9 Click OK to save the subnet access rule. Repeat Steps 4 to 9 to create up to 22 subnet access rules.
Figure 169. The Restricted Subnet Access options

Creating a Guest WLAN
After you have created a guest access service, create a WLAN of the type “Guest Access.” This WLAN can be configured to allow access only to a specific set of resources - such as ZoneDirector’s Zero-IT activation address, from which users can then activate their devices to gain access to the secure internal WLANs.
WLAN using Zero-IT activation.
To enable the Onboarding Portal for mobile devices:
1 Go to Configure > Guest Access.
2 Click Edit or Create New to configure a guest access service.
3 Enable the check box next to Onboarding Portal to enable Zero-IT device registration from the Guest Portal.
4 Select one of the following options to display when connecting to the Onboarding Portal:
•...
If the user clicks the Register Device button, the web page will be redirected to the WLAN Connection Activation page, from which the user can enter user name and password to activate this device. A Zero-IT activation file is generated for download once the client is registered with ZoneDirector.
Figure 174. Activate device using the WLAN Connection Activation screen, and download activation file
After running the downloaded Zero-IT file, the device will be configured with the settings to automatically connect to the secure internal/corporate WLAN.
NOTE: You may need to manually switch from the guest WLAN to the secure WLAN after activation (on some mobile devices).
System page.
NOTE: ZoneDirector 1100 can support up to 1,250 combined total DPSK users and guest passes in the internal database. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes. ZoneDirector 5000 can support up to 20,000 guest passes and 10,000 DPSKs.
• If you configured an AAA server (RADIUS, Active Directory or LDAP) on the Configure > AAA Servers page and you want to use that server to authenticate users, select the server name from the drop-down menu. (See Using an External Server for User Authentication.)
1 Go to Configure > Roles.
2 In the Roles table, click Create New.
3 When the Create New features appear, make these entries:
• Name: Enter a name for this role (e.g., “Guest Pass Generator”).
• Description: Enter a short description of this role's application.
• Group Attributes: This field is only available if you choose Active Directory as your authentication server. Enter the Active Directory User Group names here.
You can edit an existing user account and reassign the guest pass generator role, if you prefer.
5 Click OK to save your settings. Be sure to communicate the role, user name and password to the appropriate end user.

Generating and Delivering a Single Guest Pass
You can provide the following instructions to users with guest pass generation privileges. A single guest pass can be used for one-time login, time-limited multiple logins for a single guest user, or can be configured so that a single guest pass can be shared by multiple users.
• Key: Leave as is if you want to use the random key that ZoneDirector generated. If you want to use a key that is easy to remember, delete the random key, and then type a custom key. For example, if ZoneDirector generated the random key OVEGS-RZKKF, you can change it to joe-guest-key. Customized keys must be between one and 16 ASCII characters.
NOTE: Each guest pass key must be unique and is distributed on all guest WLANs. Therefore, you cannot create the same guest pass for use on multiple WLANs.
Figure 178. The Guest Pass Generated page
Figure 179. Sample guest pass printout

Generating and Printing Multiple Guest Passes at Once
You can provide the following instructions to users with guest pass generation privileges.
NOTE: The following procedure will guide you through generating and printing multiple guest passes.
Page 334
If you did not create custom guest pass printouts, select Default. 9 Print the instructions for a single guest pass or print all of them. • To print instructions for all guest passes, click Print All Instructions. Ruckus Wireless, Inc.
Working with Guest Passes Monitoring Generated Guest Passes • To print instructions for a single guest pass, click the Print link that is in the same row as the guest pass for which you want to print instructions. A new browser page appears and displays the guest pass instructions. At the same time, the Print dialog box appears.
(ZoneDirector will notify you if the file is too large.) 4 Scroll down to the Guest Access Customization section. 5 (Optional) Delete the text in the Title field and type a short descriptive title or “welcome” message. 6 Click OK to save your settings. Ruckus Wireless, Inc.
Working with Guest Passes Creating a Custom Guest Pass Printout Figure 182. The Guest Access Customization options Creating a Custom Guest Pass Printout The guest pass printout is a printable HTML page that contains instructions for the guest pass user on how to connect to the wireless network successfully. The authenticated user who is generating the guest pass will need to print out this HTML page and provide it to the guest pass user.
Token: Description
{GP_IF_EFFECTIVE_FROM_CREATION_TIME}: If you set the validity period of guest passes to Effective from the creation time (in the Guest Pass Generation section), this token shows when the guest pass was created and when it will expire.
{GP_ELSEIF_EFFECTIVE_FROM_FIRST_USE}: If you set the validity period of guest passes to Effective from first use (in the Guest Pass Generation section), this token shows the number of days during which the guest pass will be valid after activation.
To customize the content of the SMS message used to deliver the guest pass code, use the following procedure:
1 On the Configure > Guest Access page, locate the Customize the SMS Content section.
2 Customize the message in the text box and click Apply to save your changes.
Figure 184. Customize the SMS content
ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
Deploying a Smart Mesh Network In this chapter: • Overview of Smart Mesh Networking • Smart Mesh Networking Terms • Supported Mesh Topologies • Deploying a Wireless Mesh via ZoneDirector • Understanding Mesh-related AP Statuses • Using the ZoneFlex LEDs to Determine the Mesh Status •...
A Smart Mesh network is a peer-to-peer, multi-hop wireless network wherein participant nodes cooperate to route packets. In a Ruckus wireless mesh network, the routing nodes (that is, the Ruckus Wireless APs forming the network), or “mesh nodes,” form the network's backbone. Clients (for example, laptops and other mobile devices) connect to the mesh nodes and use the backbone to communicate with one another, and, if permitted, with nodes on the Internet.
Term: Definition
Mesh AP (MAP): A mesh node that communicates with ZoneDirector through its wireless interface.
Ethernet-Linked Mesh AP (eMAP): An eMAP is a mesh node that is connected to its uplink AP through a wired Ethernet cable, rather than wirelessly. eMAP nodes are used to bridge wireless LAN segments together.
LAN segment, and another isolated wired segment exists that needs to be bridged to the primary LAN segment. You can bridge these two wired LAN segments by forming a wireless mesh link between the two wired segments, as shown in Figure 186 below.
Figure 186. Mesh - wireless bridge topology
Hybrid Mesh Topology
A third type of network topology can be configured using the Hybrid Mesh concept. Ethernet-connected Mesh APs (eMAP) enable the extension of wireless mesh functionality to a wired LAN segment.
Deploying a wireless mesh via ZoneDirector involves the following steps:
• “Step 1: Prepare for Wireless Mesh Deployment”
• “Step 2: Enable Mesh Capability on ZoneDirector”
• “Step 3: Provision and Deploy Mesh Nodes”
• “Step 4: Verify That the Wireless Mesh Network Is Up”
Step 1: Prepare for Wireless Mesh Deployment
Before starting with your wireless mesh deployment, Ruckus Wireless recommends performing a number of tasks that can help ensure a smooth deployment.
• Ensure that the APs that will form the mesh are of the same radio type.
6 In Mesh Passphrase, type a passphrase that contains at least 12 characters. This passphrase will be used by ZoneDirector to secure the traffic between Mesh APs. Alternatively, click Generate to generate a random passphrase with 32 characters or more.
7 In the Mesh Settings section, click Apply to save your settings and enable Smart Mesh. You have completed enabling mesh capability on ZoneDirector. You can now start provisioning and deploying the APs that you want to be part of your wireless mesh network.
View on the menu. The Map View appears and shows the mesh nodes that are currently active. (See Importing a Map View Floorplan Image for instructions on importing a map.)
2 Check if all the mesh nodes that you have provisioned and deployed appear on the Map View.
3 Verify that a mesh network has been formed by checking if dotted lines appear between the mesh nodes. These dotted lines identify the neighbor relationships that have been established in the current mesh network.
• The AP may be configured ZoneDirector mesh incorrectly. Verify that the mesh SSID and passphrase configured on the AP are correct.
• If Uplink Selection is set to Manual, the uplink AP specified for this AP may be off or unavailable.
Using the ZoneFlex LEDs to Determine the Mesh Status
In addition to checking the mesh status of ZoneFlex APs from the ZoneDirector web interface, you can also check the LEDs on the APs. The LED behaviors that indicate the AP's mesh status vary depending on whether the AP is a single-band or a dual-band model.
• This is a Mesh AP, and;
• The Root AP signal is fair
Slow blinking green
• This is a Mesh AP that is currently searching for a Root AP, or;
• This AP is currently searching for ZoneDirector
Indoor Dual Band APs
On dual band ZoneFlex indoor APs, the 5G LED indicates the AP's mesh status. See the table below for more information.
LED Color/Behavior Root AP / eMAP Mesh AP...
Smart Uplink Selection and manually set the mesh nodes to which an AP can connect. Note that in most situations, Ruckus Wireless recommends against manually changing the roles of APs in a mesh, because it can result in isolated Mesh APs.
Figure 190. Setting Uplink Selection to Manual
NOTE: Do not manually set a Mesh AP as a Root AP. Only APs that are connected to ZoneDirector via Ethernet (and on the same LAN segment) should be configured as Root APs.
15 minutes as the mesh network stabilizes. If there is a significant number of APs on the network, it might take longer for the AP to resolve this.
No APs with matching radio type
The AP is unable to find an uplink AP with the same radio type. Ruckus Wireless Smart Mesh APs must use the same radio type to be able to connect to each other via the mesh network. For example, an 802.11n Mesh AP will only connect...
Therefore you will need to proceed to the next step and connect to the AP’s CLI to make changes.
Step 4: Connect to the AP and update its Mesh settings
1 Launch your SSH client and enter the IP address 169.254.1.1.
2 Log into the AP via SSH using the same user name and password that you use to log into the ZoneDirector web interface.
3 Enter the command set meshcfg ssid <current_ssid>, where current_ssid is the SSID that the mesh network is currently using.
Setting Administrator Preferences In this chapter: • Changing the ZoneDirector Administrator User Name and Password • Changing the Web Interface Display Language • Upgrading ZoneDirector and ZoneFlex APs • Working with Backup Files • Restoring ZoneDirector to Default Factory Settings •...
(used solely to log into ZoneDirector via the web interface).
• Password/Confirm Password: Delete the text in both fields and type the same text for a new password.
3 Click Apply to save your settings. The changes go into effect immediately.
Figure 192. The Preferences page
Setting Administrator Login Session Timeout
By default, administrators logged into the web interface are automatically logged out after 30 minutes of inactivity. This timeout can be configured with a value between 1 and 1440 minutes (24 hours).
3 Click Apply to save your settings. The changes go into effect immediately.
Upgrading ZoneDirector and ZoneFlex APs
Check the Ruckus Wireless Support web site on a regular basis for updates that can be applied to your Ruckus Wireless network devices — to ZoneDirector and all your ZoneFlex APs.
NOTE: The full network upgrade is successive in sequence. After ZoneDirector is upgraded, it will contact each active AP, upgrade it, and then restore it to service.
NOTE: The AP uses FTP to download firmware updates from ZoneDirector. If you have an access control list (ACL) or firewall between ZoneDirector and the AP, make sure that FTP traffic is allowed to ensure that the AP can successfully download the firmware update.
9 Each AP reboots after upgrading.
Working with Backup Files
After you have set up and configured your Ruckus wireless network, you may want to back up the full configuration. The resulting archive can be used to restore your ZoneDirector and network. And, whenever you make additions or changes to the setup, you can create new backup files at that time, too.
Figure 194. The Back Up Configuration option
Restoring Archived Settings to ZoneDirector
NOTE: Restoring a backup file will automatically reboot ZoneDirector and all APs that are currently associated with it. Users associated with these APs will be temporarily disconnected;...
When the restore process is complete, ZoneDirector automatically restarts and your wireless network will be ready for use again.
Figure 195. Select the restore level for restoring from a backup file
You can also restore previously saved access point configurations from a backup file without restoring any other ZoneDirector configuration settings. This feature can be useful in deploying N+1 redundancy. For example, if three ZoneDirector 1100 controllers are deployed in different locations and with one ZoneDirector 3000 serving as a backup, you can use this feature to export AP lists from the three ZD1100s and import them one by one into the ZD3000.
In this case, the system can be discovered by a UPnP client application, such as Windows “My Network Places.” If there is no DHCP server on the connected network, the system's default IP address is 192.168.0.2 with subnet mask 255.255.255.0.
NOTE: A complete set of instructions is available in the ZoneDirector Quick Start Guide (QSG). Before restoring ZoneDirector to factory default settings, you should open and print out the QSG pages. You can follow those instructions to set up ZoneDirector after restoring factory defaults.
(CSR) file and send it to a certificate authority (CA) to purchase an SSL certificate. The ZoneDirector web interface provides a form that you can use to create the CSR file. Fields with an asterisk (*) are required entries. Those without an asterisk are optional.
“ZoneDirector”).
NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if possible. If your network does not have a DNS server, you may use ZoneDirector’s IP address instead. However, note that some CAs may not allow this.
After the certificate authority approves your CSR, you will receive the SSL certificate via email. The following is an example of a signed certificate that you will receive from a certificate authority:
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----
7 Copy the content of the signed certificate, and then paste it into a text file. Save the file.
ZoneDirector certificate file. Then, you just need to import a single file. The intermediate certificate(s) will be imported automatically. In this case, you will see multiple ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- pairs in the file.
Figure 200. Importing a signed certificate (continued)
SSL Certificate Advanced Options
The Advanced Options section allows you to perform additional certificate management functions. These include the following:
• Restore the factory default certificate and private key. This deletes any certificate and private key that was imported.
Redundant configuration with Guest Access, Web Portal and Hotspot captive portals, use the following wildcard certificate procedure:
1 Purchase or generate a self-signed wildcard certificate such as *.acompany.com and install it on both ZoneDirectors in the Smart Redundant pair.
2 In DNS, add 3 host/IP entries similar to the following:
• management.acompany.com; 192.168.0.100: This is the FQDN you wish to use for reaching the shared virtual management interface and is mapped to its configured IP address.
• Ruckus Wireless private attribute
Vendor ID: 25053
Vendor Type/Attribute Number: 1 (Ruckus-User-Groups)
Value Format: group_attr1,group_attr2,group_attr3,...
• Cisco private attribute (if your network is using a Cisco access control server)
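The Ruckus-User-Groups value above is carried inside a standard RADIUS Vendor-Specific attribute (type 26, RFC 2865). The following added example, which is not part of the guide or any Ruckus code, builds and parses that attribute so you can audit which group values a RADIUS server returns for an administrator login. It assumes the type/length/value sub-attribute layout recommended by RFC 2865; the sample attribute bytes, group names and the second vendor ID are constructed for illustration.

```python
"""Encode and parse the Ruckus-User-Groups RADIUS attribute (added example)."""
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type for VSAs (RFC 2865, 5.26)
RUCKUS_VENDOR_ID = 25053    # Vendor ID given in the guide
RUCKUS_USER_GROUPS = 1      # Vendor Type 1 (Ruckus-User-Groups) from the guide


def encode_ruckus_user_groups(groups):
    """Return the Vendor-Specific attribute bytes carrying the group list."""
    for name in groups:
        if not name or "," in name:
            raise ValueError("group names must be non-empty and comma-free")
    value = ",".join(groups).encode("ascii")
    vendor_len = 2 + len(value)          # vendor type + vendor length + value
    total_len = 2 + 4 + vendor_len       # type + length + Vendor-Id + sub-attr
    if total_len > 255:
        raise ValueError("group list does not fit in one RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len,
                         RUCKUS_VENDOR_ID, RUCKUS_USER_GROUPS, vendor_len)
    return header + value


def iter_attributes(data):
    """Yield (type, value) for each TLV, rejecting out-of-bounds lengths."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("attribute length out of bounds")
        yield attr_type, data[offset + 2:offset + attr_len]
        offset += attr_len


def extract_ruckus_groups(data):
    """Collect group names from every Ruckus-User-Groups VSA in `data`."""
    groups = []
    for attr_type, value in iter_attributes(data):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != RUCKUS_VENDOR_ID:
            continue                     # another vendor's VSA: not ours
        # Assumption: sub-attributes use the same type/length/value layout.
        for vendor_type, vendor_value in iter_attributes(value[4:]):
            if vendor_type == RUCKUS_USER_GROUPS:
                text = vendor_value.decode("ascii")
                groups += [g.strip() for g in text.split(",") if g.strip()]
    return groups


def unexpected_groups(groups, allowed):
    """Return the groups that are not on the expected allow-list."""
    return sorted(set(groups) - set(allowed))


def _attr(attr_type, value):
    """Build one type/length/value attribute (helper for the sample data)."""
    return bytes([attr_type, 2 + len(value)]) + value


# Constructed attribute section of an Access-Accept (not a real capture).
SAMPLE_ATTRIBUTES = (
    _attr(1, b"alice")                                             # User-Name
    + _attr(26, struct.pack("!I", 99999) + _attr(1, b"ignored"))   # made-up vendor
    + encode_ruckus_user_groups(["zd_admins", "helpdesk"])
)

if __name__ == "__main__":
    found = extract_ruckus_groups(SAMPLE_ATTRIBUTES)
    print("groups returned:", found)
    print("not on allow-list:", unexpected_groups(found, {"zd_admins"}))
```

Comparing the returned groups against a short allow-list makes it easy to spot a directory group that would grant ZoneDirector administrator access without anyone intending it.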
Server} with {Role}).
Upgrading the License
Depending on the number of Ruckus Wireless APs you need to manage with your ZoneDirector, you may need to upgrade your license as your network expands. Contact your authorized Ruckus Wireless reseller to purchase an upgrade license.
Ruckus reseller to purchase a new support entitlement. This file will be delivered via email, after which you can import the new entitlement file into your ZoneDirector.
To import a new Support entitlement file:
1 Go to Administer > Support.
2 In the Support Service section, click Choose File to import a new support upgrade file.
3 Once the new support entitlement is applied, click Check Entitlement to display the entitlement status, service purchased, serial number, start date, end date and AP numbers allowed by the new entitlement.
Troubleshooting In this chapter: • Troubleshooting Failed User Logins • Fixing User Connections • Measuring Wireless Network Throughput with SpeedFlex • Diagnosing Poor Network Performance • Starting a Radio Frequency Scan • Using the Ping and Traceroute Tools • Viewing Current System and AP Logs •...
• Create an additional WLAN for non-standard client connections, then create a Role that refers to this WLAN, and assign that role to the relevant user accounts.
• Enter the WEP key in the network configuration on the client device.
Fixing User Connections
If any of your users report problematic connections to the WLAN, the following debugging technique may prove helpful. Basically, you will be deleting that user's client from the Active Clients table in the Ruckus ZoneDirector, and when their client connection automatically renews itself, any previous problems will hopefully be resolved.
For example, SpeedFlex may be inaccessible to users at http://{zonedirector-ip-address}/perf or SpeedFlex may prompt you to install the SpeedFlex application on the target client, even when it is already installed.
NOTE: The following procedure describes how to run SpeedFlex from the ZoneDirector web interface to measure a wireless client’s throughput. For instructions on how to run SpeedFlex from a wireless client (for users), refer to Allowing Users to Measure Their Own Wireless Throughput.
10-30 seconds. If you are testing both Downlink and Uplink options, the two tests take about one minute to complete. When the tests are complete, the results appear below the Start button. Downlink and uplink throughput results are displayed along with packet loss percentages.
Figure 205. The SpeedFlex interface
Figure 206. Click the download link for the target client’s operating system
Figure 207. A progress bar appears as SpeedFlex measures the wireless throughput
4 Select Uplink, Downlink or both (default is both), and click Start to begin. Note that multi-hop SpeedFlex takes considerably longer to complete than a single hop. If you want to complete the test faster, deselect either Uplink or Downlink and test one direction at a time.
Figure 209. Running Multi-Hop SpeedFlex in a mesh tree
Figure 210. Multi-Hop SpeedFlex test results
How to Measure the Speed of Your Wireless Connection
The following instructions describe how you can use SpeedFlex, a wireless performance test tool from Ruckus Wireless, to measure the speed of your wireless connection to your access point.
1 Make sure that your wireless device is connected only to the wireless network.
This indicates that SpeedFlex was successfully started. Keep the command prompt window open.
7 On the SpeedFlex Wireless Performance Test interface, click the Start button again. A progress bar appears below the speedometer as the tool generates traffic to measure the downlink throughput from the AP to the client.
UI. The Ping and Traceroute tools can be accessed from anywhere in the UI that you see the icon. For example, from the Dashboard, if the “Currently Managed APs” widget is open, click the icon next to an AP to launch the troubleshooting window.
Figure 212. Launching the Ping/Traceroute Troubleshooting window from the Dashboard
The Network Connectivity window opens. Click Ping to ping the IP address or Trace Route to diagnose the number of hops to the IP address.
Figure 213.
After the file is saved, you can email it to the technical support representative.
NOTE: The debug (or diagnostics) file is encrypted and only Ruckus Wireless support representatives have the proper tools to decrypt this file.
Viewing Current System and AP Logs
You can display a list of recent ZoneDirector or AP activity logs from the ZoneDirector web interface.
1 Go to Administer > Diagnostics, and locate the AP Logs section.
2 Click the “Click Here” link next to “To show current AP logs...”. The log data is displayed in the text box beneath the link.
The local capture mode stores packet data from a single capture session in two files using a “ping-pong” method. On 11n APs, each file holds 2 MB of packet data. On 11g APs, each file holds 1 MB. Whenever one file reaches its limit, the other file is cleared and begins filling. Due to memory limitations, the capture files are cleared after they are retrieved by the Save command and before each new capture session, and they are not retained on the AP between reboots.
In streaming capture mode, packet data from the 2.4 GHz and 5 GHz radios are available simultaneously on AP interfaces wlan100 and wlan101, respectively.
Using Ruckus Custom Indicators
Packets captured on Ruckus APs include some information that is not available when capturing from other Wi-Fi devices. This additional information is stored in the Per-Packet Information (PPI) header that precedes the over-the-air content.
1 The PPI:802.11-Common Header antenna signal and antenna noise fields of packets transmitted by the AP contain the next-to-lowest byte and the lowest byte, respectively, of the antenna pattern used to transmit the packet. On some APs, the pattern value may contain more significant bits, which are not stored in this header.
The Status column now displays “Disconnected” along with the date and time when ZoneDirector last communicated with the AP. After restart is complete and the Ruckus ZoneDirector detects the active AP, the status will be returned to “Connected.”
“Restarting an Access Point”.) NOTE: If you have made any configuration changes, Ruckus Wireless recommends shutting down ZoneDirector to ensure that all configuration changes are saved and remain after reboot. Performing a Restart may cause ZoneDirector to lose configuration changes if you forgot to click Apply after making changes and navigate away from a configuration page, for example.
Smart Mesh Networking Best Practices In this chapter: • Choosing the Right AP Model for Your Mesh Network • Calculating the Number of APs Required • Placement and Layout Considerations • Signal Quality Verification • Mounting and Orientation of APs •...
In other words, if the network is designed to support 10Mbps, it would support 1 user at 10Mbps, or 10 users at 1Mbps each. In reality, due to statistical multiplexing (just like the phone system - the fact that not all users are using the network concurrently), if you use an oversubscription ratio of 4:1, such a network could actually support 40 users at 1Mbps. In a Smart Mesh network, the Root AP (RAP) has all its wireless bandwidth available for downlink, because the uplink is wired.
• If the customer's network utilizes a wireless backhaul technology for broadband access, it is recommended to not mount the broadband wireless modem right next to a Ruckus Wireless AP. A distance of 10 feet or more would be desirable.
Signal Quality Verification
The above guidelines for planning will result in a well-designed mesh.
• Ensure Signal >= 25%: The Signal value under Neighbor APs that shows “Connected” should be 25% or better. If it is lower, you need to bring the AP closer, or move it to avoid an obstruction, such that the Signal value becomes 25% or better.
ZoneFlex APs are very tolerant to a variety of mounting and orientation options due to Ruckus Wireless' use of its unique BeamFlex technology, in which the RF signal is dynamically concentrated and focused towards the other end of the RF link.
Indoor APs - Vertical Orientation
A less typical vertical orientation may be used in certain cases where it is not possible for mechanical or aesthetic reasons to use the typical horizontal orientation. In such cases, indoor APs may also be wall mounted vertically.
RAPs and MAPs are at ceiling height (standard 15-foot ceiling), then you would not want to mount the outdoor MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the same elevation from the ground.
Best Practice Checklist
Following the mesh best practices will ensure that your mesh is well-designed and has the capacity and reliability required for your enterprise applications. The best practices are summarized below as a checklist for quick review.
1 Do not mix single band with dual band APs in your mesh.