Ruckus Wireless ZoneDirector 1100 User Manual

Ruckus Wireless
ZoneDirector
Release 9.8 User Guide
Part Number 800-70599-001 Rev B
Published July 2014
www.ruckuswireless.com

Summary of Contents for Ruckus Wireless ZoneDirector 1100

  • Page 1 Ruckus Wireless ™ ZoneDirector ™ Release 9.8 User Guide Part Number 800-70599-001 Rev B Published July 2014 www.ruckuswireless.com...
  • Page 3: Copyright Notice And Proprietary Information

    Ruckus Wireless, Ruckus, the bark logo, ZoneFlex, FlexMaster, ZoneDirector, SmartMesh, Channelfly, Smartcell, Dynamic PSK, and Simply Better Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be trademarks of their respective owners.
  • Page 5: Table Of Contents

    Introduction to the Ruckus Wireless Network ....... . . 30...
  • Page 6 Ekahau Tag Detection ..........119 Ruckus Wireless, Inc.
  • Page 7 About Ruckus Wireless WLAN Security........
  • Page 8 Optimizing Access Point Performance ........258 Assessing Current Performance Using the Map View ......258 Ruckus Wireless, Inc.
  • Page 9 Improving AP RF Coverage ..........259 Assessing Current Performance Using the Access Point Table.
  • Page 10 Wireless Bridge Topology..........346 Ruckus Wireless, Inc.
  • Page 11 Hybrid Mesh Topology ..........347 Deploying a Wireless Mesh via ZoneDirector .
  • Page 12 Best Practice Checklist ..........419 Index Ruckus Wireless, Inc.
  • Page 13: About This Guide

    This User Guide describes how to install, configure and manage the Ruckus Wireless™ ZoneDirector™ version 9.8. This guide is intended for use by those responsible for managing Ruckus Wireless network equipment. Consequently, it assumes a basic working knowledge of local area networking, wireless networking and wireless devices.
  • Page 14: Document Conventions

    Note: Information that describes important features or instructions. Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device. Warning: Information that alerts you to potential personal injury.
  • Page 15: Related Documentation

    Documentation Feedback Ruckus Wireless is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Ruckus Wireless at: docs@ruckuswireless.com When contacting us, please include the following information: •...
  • Page 17: Introducing Ruckus Wireless Zonedirector

    Introducing Ruckus Wireless ZoneDirector In this chapter: • Overview of ZoneDirector • ZoneDirector Physical Features • Introduction to the Ruckus Wireless Network • Ensuring That APs Can Communicate with ZoneDirector • Installing ZoneDirector • Accessing ZoneDirector’s Command Line Interface •...
  • Page 18: Overview Of Zonedirector

    ZoneDirector, thereby eliminating bottlenecks when higher speed Wi-Fi technologies are used. This user guide provides complete instructions for using the Ruckus Wireless web interface, the wireless network management interface for ZoneDirector. With the web interface, you can customize and manage all aspects of ZoneDirector and your ZoneFlex network.
  • Page 19: Zonedirector Physical Features

    ZoneDirector Physical Features Three models of ZoneDirector are currently available: ZoneDirector 1100, ZoneDirector 3000 and ZoneDirector 5000. This section describes the physical features of these ZoneDirector models. ZoneDirector 1100 This section describes the following physical features of ZoneDirector 1100: •...
  • Page 20 WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you made, except for AP licenses and SSL certificates. Front Panel LEDs Table 2 describes the LEDs on the front panel of ZoneDirector 1100. Table 2. ZoneDirector 1100 LED descriptions LED Label State...
  • Page 21 The port is connected to a 100Mbps or 10Mbps device. CAUTION! ZoneDirector 1100 can become disabled if half-duplex is forced on any port. Ethernet ports on any uplink switch must be set to 100Mbps auto-negotiation or 1000Mbps auto-negotiation.
  • Page 22: Zonedirector 3000

    F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you have made, except for AP licenses and SSL certificates.
  • Page 23 ZoneDirector 3000 Label Meaning Reset To restart ZoneDirector, press the Reset button once for less than two seconds. For Ruckus Wireless Support use only Console RJ-45 port for accessing the ZoneDirector command line interface. 10/100/1000 Ethernet Two auto negotiating 10/100/1000Mbps Ethernet ports.
  • Page 24 The port has no network cable connected or is not receiving a link signal. Ethernet Rate Amber The port is connected to a 1000Mbps device. Green The port is connected to a 10Mbps or 100Mbps device. Ruckus Wireless, Inc.
  • Page 25: Zonedirector 5000

    ZoneDirector Physical Features ZoneDirector 5000 ZoneDirector 5000 This section describes the following physical features of ZoneDirector 5000: • Front Panel Features • Front Panel (Bezel Removed) • Control Panel • Rear Panel Features Figure 3. ZoneDirector 5000 Front Panel Front Panel Features Table 5.
  • Page 26 ESD ground strap attachment Hard drive bays (not used) Control panel RJ45 serial port for accessing the ZoneDirector command line interface. USB port (not used). Control Panel Figure 5. Control panel buttons and indicators 11 12 9 10 Ruckus Wireless, Inc.
  • Page 27 ZoneDirector Physical Features ZoneDirector 5000 Table 7. ZoneDirector 5000 control panel Number Feature Power button System reset button System status LED (see Table Fan status LED Critical alarm (not used) MJR alarm (not used) NMI pin hole button (factory reset button) Chassis ID button NIC 1 / NIC 2 activity LED HDD activity LED (not used)
  • Page 28 RJ45 serial port (COM2/serial B) Video connector (not used) USB 0 and 1 (#1 on top) USB 2 and 3 (#3 on top) GbE NIC #1 connector GbE NIC #2 connector Two ground studs (used for DC-input system) Ruckus Wireless, Inc.
  • Page 29 ZoneDirector Physical Features ZoneDirector 5000 Table 10. NIC status LEDs LED Color LED State NIC State Green/Amber (Left) 10Mbps Green 100Mbps Amber 1000Mbps Green (Right) Active connection Blinking Transmit / Receive activity ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 30: Introduction To The Ruckus Wireless Network

    ZoneDirector 5000 Introduction to the Ruckus Wireless Network Your new Ruckus Wireless network starts when you disperse a number of Ruckus Wireless access points (APs) to efficiently cover your worksite. After connecting the APs to ZoneDirector (through network hubs or switches), running through the Setup Wizard and completing the “Zero-IT”...
  • Page 31: How Aps Discover Zonedirector On The Network

    Ensuring That APs Can Communicate with ZoneDirector How APs Discover ZoneDirector on the Network How APs Discover ZoneDirector on the Network 1 When an AP starts up, it sends out a DHCP discovery packet to obtain an IP address. 2 The DHCP server responds to the AP with the allocated IP address. If you configured DHCP Option 43 (see Option 2: Customize Your DHCP Server), the...
  • Page 32: How To Ensure That Aps Can Discover Zonedirector On The Network

    After the AP registers with ZoneDirector successfully, transfer it to its intended subnet. It will be able to find and communicate with ZoneDirector once you reconnect it to the other subnet.
  • Page 33 Class Identifier (VCI). The VCI is a text string that identifies a vendor/type of a DHCP client. All Ruckus Wireless Access Points are configured to send “Ruckus CPE” as the Vendor Class Identifier in option 60, and expect ZoneDirector IP information to be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option code 03 (the sub-option code for ZoneDirector).
  • Page 34 60. While you can achieve encapsulating TLVs in option 43 by hard coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class option spaces - especially when you have more than one vendor type on the network and need “option 43”...
  • Page 35 How to Ensure that APs Can Discover ZoneDirector on the Network Configure Vendor Class Identifier and Vendor Specific Info sub-options on Microsoft DHCP server Configure vendor class for Ruckus Wireless Access Points: 1 In the Server Manager window, right-click the IPv4 icon, and choose Define Vendor Classes from the menu.
  • Page 36 4 Under Available Options, look for the 15 DNS Domain Name check box, and then select it. 5 In the String value text box under Data Entry, type your company’s domain name. 6 Click Apply to save your changes. 7 Click OK to close the Scope Options dialog box.
  • Page 37 Ensuring That APs Can Communicate with ZoneDirector How to Ensure that APs Can Discover ZoneDirector on the Network Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain name in String value Step 2: Set the DNS Server IP Address on the DHCP Server 1 From Windows Administrative Tools, open DHCP, and then select the DHCP server you want to configure.
  • Page 38 Information on configuring the built-in DNS server on Windows is available at http://support.microsoft.com/kb/814591. NOTE: If your DNS server prompts you for the corresponding host name for each ZoneDirector IP address, you MUST enter zonedirector. This is critical to ensuring that the APs can resolve the ZoneDirector IP address.
  • Page 39: Firewall Ports That Must Be Open For Zonedirector Communications

    Ensuring That APs Can Communicate with ZoneDirector Firewall Ports that Must be Open for ZoneDirector Communications After you register the ZoneDirector IP addresses with your DNS server, you have completed this procedure. APs on the network should now be able to discover ZoneDirector on another subnet.
  • Page 40 ZoneDirector physical IP address), and that the APs are configured with both ZoneDirectors’ public IP addresses as primary and secondary ZD IPs. • An active ZoneDirector behind NAT will be unable to perform upgrades to the standby ZoneDirector on the other side of the NAT device.
  • Page 41: Installing Zonedirector

    Installing ZoneDirector Firewall Ports that Must be Open for ZoneDirector Communications Installing ZoneDirector Basic installation instructions are included in the Quick Start Guide that shipped with your ZoneDirector. The steps are summarized below: 1 Connect and discover ZoneDirector using UPnP (Universal Plug and Play). •...
  • Page 42: Accessing Zonedirector's Command Line Interface

    (using either a DB-9 serial cable for the console port or an Ethernet cable for LAN ports). 2 Launch a terminal program, such as HyperTerminal, PuTTY, etc. 3 Enter the following connection settings: • Bits per second: 115200 • Data bits: 8 • Parity: None
  • Page 43 To view a list of commands that are available at the root level, enter help or ?. For more information on using the CLI, see the Ruckus Wireless ZoneDirector Command Line Interface Reference Guide, available from http://support.ruck-...
  • Page 44: Using The Zonedirector Web Interface

    Using the ZoneDirector Web Interface The ZoneDirector web interface consists of several interactive components that you can use to manage and monitor your Ruckus Wireless WLANs (including ZoneDirector and all APs). Dashboard...
  • Page 45: Navigating The Dashboard

    Navigating the Dashboard The Dashboard offers a number of self-contained indicators and tables that summarize the network and its current status. Some indicators have fields that link to more focused, detailed views on elements of the network. Figure 12.
  • Page 46: Using Indicator Widgets

    • Currently Managed AP Groups: Shows details of the System Default and user-defined AP groups. Click the + button next to an AP group to expand the group to display all members of the AP group. • Support: Shows contact information for Ruckus Wireless support.
  • Page 47 Using the ZoneDirector Web Interface Using Indicator Widgets • Smart Redundancy: Displays the status of primary and backup ZoneDirector devices, if configured. • AP Activities: Shows a list of recent log events from APs. • Client Device Type: Displays a pie chart of currently connected client devices by OS type as a percentage of the total.
  • Page 48 The Widgets pane opens at the upper-left corner of the Dashboard. 3 Select any widget icon and drag and drop it onto the Dashboard to add the widget. If you have closed a widget, it appears in this pane.
  • Page 49 Using the ZoneDirector Web Interface Using Indicator Widgets Figure 14. The widget icons appear at the top-left corner of the Dashboard Widget icons 4 Click Finish in the Widgets pane to close it. Removing a Widget To remove a widget from the Dashboard, click the icon for any of the widgets currently open on the Dashboard.
  • Page 50: Real Time Monitoring

    To view the Real Time Monitoring page, locate the Toolbox link at the top of the page and select Real Time Monitoring from the pull-down menu. You can also access the Real Time Monitoring page from the Monitor > Real Time Monitoring tab. Figure 16. Select Real Time Monitoring from the Toolbox
  • Page 51 Using the ZoneDirector Web Interface Real Time Monitoring Like the Dashboard, you can drag and drop Widgets onto the Real Time Monitoring page to customize the information you want to see. Figure 17. The Real Time Monitoring screen Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and click Start Monitoring to begin.
  • Page 52: Stopping And Starting Auto Refresh

    (greyed out). To restart auto refresh, click Start Auto Refresh from the Toolbox. Figure 18. Stopping and starting automatic page refreshing Figure 19. The Refresh icon on all widgets is disabled when auto refresh is stopped
  • Page 53: Registering Your Product

    Registering Your Product NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to receive updates and important notifications, and to make it easier to receive support in case you need to contact Ruckus for customer assistance. You can register your ZoneDirector along with all of your APs in one step using ZoneDirector’s Registration...
  • Page 54 Registering Your Product Stopping and Starting Auto Refresh Figure 21. The Product Registration page Your ZoneDirector is now registered with Ruckus Wireless. Ruckus Wireless, Inc.
  • Page 55: Configuring System Settings

    Configuring System Settings In this chapter: • System Configuration Overview • Changing the Network Addressing • Creating Static Route Entries • Enabling Smart Redundancy • Configuring the Built-in DHCP Server • Controlling ZoneDirector Management Access • Setting the System Time •...
  • Page 56: System Configuration Overview

    (_) and hyphens (-). Do not use spaces or other special characters. The first character must be a letter. System names are case sensitive. 3 Click Apply to save your settings. The change goes into effect immediately.
  • Page 57: Changing The Network Addressing

    Changing the Network Addressing Changing the System Name Figure 22. The Identity section on the Configure > System page Changing the Network Addressing If you need to update the IP address and DNS server settings of ZoneDirector, follow the steps outlined below. CAUTION! As soon as the IP address has been changed (applied), you will be disconnected from your web interface connection to ZoneDirector.
  • Page 58: Ipv6 Configuration

    ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs operate in dual IPv4/v6 mode by default, so you do not need to manually set the mode for each AP.
  • Page 59 Changing the Network Addressing IPv6 Configuration If you enable IPv6, you have the option to manually configure an IP address in IPv6 format (128 bits separated by colons instead of decimals) or to choose Auto Configuration. If you choose Manual, you will need to enter IP Address, Prefix Length and Gateway.
  • Page 60: Enabling An Additional Management Interface

    It can also be used for Smart Redundancy -- when two redundant ZoneDirectors are deployed, you can create a separate management interface to be shared by both devices. Then, you only have to remember one IP address that you can log
  • Page 61 Changing the Network Addressing Enabling an Additional Management Interface into regardless of which ZoneDirector is the active unit. This shared management IP address must be configured identically on both ZoneDirectors (see Configuring ZoneDirector for Smart Redundancy). To enable an additional management interface: 1 Go to Configure >...
  • Page 62: Creating Static Route Entries

    ZoneDirector primary IP address or the Management IP address. To create a static route to an additional gateway 1 Go to Configure > System and locate the Static Route section. 2 Click Create New to create a new static route.
  • Page 63: Static Route Example

    Creating Static Route Entries Static Route Example 3 Enter a Name for this access route. 4 Enter a Subnet (in the format A.B.C.D/M, where M is the netmask). 5 Enter the Gateway address. 6 Click OK to save your changes. You can create up to 4 static route entries. Figure 26.
  • Page 64: Enabling Smart Redundancy

    APs. When failover occurs, all associated APs will continue to provide wireless service to clients during the transition, and will associate to the newly active ZoneDirector within approximately one minute.
  • Page 65: Configuring Zonedirector For Smart Redundancy

    This feature is only available using two ZoneDirectors of the same model and number of licensed APs. You cannot enable Smart Redundancy using a ZoneDirector 3000 as the primary and a ZoneDirector 1100 as the backup unit, for example.
  • Page 66 8 Click Apply to save your changes and prompt ZoneDirector to immediately attempt to discover its peer on the network. 9 If discovery is successful, the details of the peer device will be displayed to the right.
  • Page 67 Enabling Smart Redundancy Configuring ZoneDirector for Smart Redundancy 10 If discovery is unsuccessful, you will be prompted to retry discovery or continue configuring the current ZoneDirector. 11 Install the second ZoneDirector and complete the Setup Wizard. 12 Go to Configure > System, enable Smart Redundancy and enter the primary ZoneDirector’s IP address in Peer Device IP address.
  • Page 68: Forcing Failover To The Backup Zonedirector

    NOTE: If you disable Smart Redundancy after it has been enabled, both ZoneDirectors will revert to active state, which could result in unpredictable network topologies. Therefore, Ruckus Wireless recommends first factory resetting the standby ZoneDirector before disabling Smart Redundancy. NOTE:...
  • Page 69: Enabling The Built-In Dhcp Server

    Enabling the Built-in DHCP server NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server if there are no other DHCP servers on the network. ZoneDirector’s internal DHCP server can service only a single subnet (the one it’s in) and not other VLANs that may be associated with client WLANs.
  • Page 70: Viewing Dhcp Clients

    A table appears and lists all current DHCP clients with their MAC address, assigned IP address, and the remaining lease time. You can clear DHCP leases on ZoneDirector by disabling and re-enabling the DHCP service.
  • Page 71: Controlling Zonedirector Management Access

    Controlling ZoneDirector Management Access Viewing DHCP Clients Figure 32. To view current DHCP clients, click the “click here” link Controlling ZoneDirector Management Access The Management Access Control option can be used to control access to ZoneDirector’s management interface. The Management Access Control interface is located on the Configure >...
  • Page 72 ACL that prevents the admin’s own IP address from accessing the web interface. 5 Click OK to confirm. You can create up to 16 entries to the Management ACL. Figure 33. Management Access Control Figure 34. Creating a new ZoneDirector management ACL
  • Page 73: Setting The System Time

    Setting the System Time Viewing DHCP Clients Setting the System Time The internal clock in ZoneDirector is automatically synchronized with the clock on your administration PC during the initial setup. You can use the web interface to check the current time on the internal clock, which shows up as a static notation in the Configure tab workspace.
  • Page 74: Setting The Country Code

    APs under its control. To set the Country Code to the proper location: 1 Go to Configure > System. 2 Locate the Country Code section, and choose your location from the pull-down menu. 3 Click Apply to save your settings.
  • Page 75: Channel Optimization

    DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be available for use by your APs. Note that these settings only affect Ruckus Wireless APs that support the extended DFS channel list. Channel Optimization settings are described in the following table.
  • Page 76: Channel Mode

    Germany restricts channels in the 5.15 GHz to 5.25 GHz band to indoor use. When ZoneFlex Outdoor APs and Bridges with 5 GHz radios (ZoneFlex 7762, 7782, 7761-CM and 7731) are set to a country code where these restrictions apply, the AP or
  • Page 77: Changing The System Log Settings

    Changing the System Log Settings Reviewing the Current Log Contents Bridge can no longer be set to an indoor-only channel and will no longer select from amongst a channel set that includes these indoor-only channels when SmartSelect or Auto Channel selection is used, unless the administrator configures the AP to allow use of these channels.
  • Page 78: Customizing The Current Log Settings

    ZoneDirector to supply client association information to a third party application that can then deploy ACL policies to a firewall based on client association information such as user name, IP, MAC address, etc. First, ZoneDirector retrieves client association information, then reorganizes the
  • Page 79 Changing the System Log Settings Customizing the Current Log Settings information and sends it to the syslog server, from which it can be collected by the third party software and sent to the firewall for access restriction based on client association information. 4 Click Apply to save your settings.
  • Page 80 5 The script on the syslog server extracts user information from the log message and sends it to the firewall. A similar flow can be used to remove user mappings if the station sends a disconnect message.
  • Page 81 Changing the System Log Settings Customizing the Current Log Settings Log format The log format consists of the following fields: • operation: Indicates whether to add, delete or update client association information. • sta_ip: Indicates the IP address of station. •...
  • Page 82 5 Repeat step 4 for Managed AP Settings. ZoneDirector and Access Points can use different facility and priority settings. All managed APs share the same facility and priority settings.
  • Page 83: Setting Up Email Alarm Notifications

    Setting Up Email Alarm Notifications Customizing the Current Log Settings Figure 40. Remote Syslog Advanced Settings Setting Up Email Alarm Notifications If an alarm condition is detected, ZoneDirector will record it in the event log. If you prefer, an email notification can be sent to a configured email address of your choosing.
  • Page 84 TLS check box. Check with your ISP or mail administrator for the correct encryption settings that you need to set. If using a Yahoo! email account, STARTTLS must be disabled. If using a Hotmail account, both TLS and STARTTLS must be enabled.
  • Page 85 Setting Up Email Alarm Notifications Customizing the Current Log Settings 6 To verify that ZoneDirector can send alarm messages using the SMTP settings you configured, click the Test button. • If ZoneDirector is able to send the test message, the message Success! appears at the bottom of the Email Notification page.
  • Page 86: Customizing Email Alarms That Zonedirector Sends

    3 Enter your Account SID, Auth Token and From Phone Number (Twilio) or your User Name, Password and API ID (Clickatell). 4 Click the Test button to test your settings. 5 Once confirmed, click Apply to save your changes.
  • Page 87 Configuring SMS Settings for Guest Pass Delivery via SMS Customizing Email Alarms that ZoneDirector Sends You can now allow guest pass generators to deliver guest pass codes to guests using the SMS button when generating a new guest pass. (You must also enter a phone number for receiving the SMS messages for each guest pass created.) Figure 42.
  • Page 88: Enabling Network Management Systems

    Enabling Management via FlexMaster If you have a Ruckus Wireless FlexMaster server installed on the network, you can enable FlexMaster management to centralize monitoring and administration of ZoneDirector and other supported Ruckus Wireless devices. This version of ZoneDirector supports the following FlexMaster-deployed tasks: •...
  • Page 89: Enabling Northbound Portal Interface Support

    Enabling Network Management Systems Enabling Northbound Portal Interface Support Figure 43. The FlexMaster Management options Monitoring ZoneDirector Performance from FlexMaster If you want to monitor ZoneDirector’s performance statistics from FlexMaster, select Enable Performance Monitoring, enter an update interval, and click Apply. This option is disabled by default.
  • Page 90: Configuring Snmp Support

    The procedure for enabling ZoneDirector’s internal SNMP agent depends on whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides security enhancements over the earlier version, and therefore requires you to enter authorization passwords and encryption settings instead of simple clear text community strings.
  • Page 91 ZoneDirector with SNMPv3 enabled. NOTE: For a list of the MIB variables that you can get and set using SNMP, check the related SNMP documentation on the Ruckus Wireless Support Web site at http://support.ruckuswireless.com/documents. If your network uses SNMPv2 To enable SNMPv2 management: 1 Go to Configure >...
  • Page 92 • Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in length. • Privacy: Choose DES, AES or None. DES: Data Encryption Standard, data block cipher. AES: Advanced Encryption Standard, data block cipher. None: No Privacy passphrase is required.
  • Page 93 Enabling Network Management Systems Configuring SNMP Support • Privacy Phrase: If either DES or AES is selected, enter a Privacy phrase between 8 and 32 characters in length. 4 Click Apply to save your changes. Figure 46. Enabling the SNMPv3 agent Enabling SNMP Trap Notifications If you have an SNMP trap receiver on the network, you can configure ZoneDirector to send SNMP trap notifications to the server.
  • Page 94 Configuring SNMP Support • If you select SNMPv3, enter up to four trap receiver IP addresses along with authentication method passphrase and privacy (encryption) settings. 4 Click Apply to save your changes. Figure 47. Enabling SNMPv2 trap notifications
  • Page 95 Enabling Network Management Systems Configuring SNMP Support Figure 48. Enabling SNMP trap notifications with SNMPv3 Trap Notifications That ZoneDirector Sends There are several events for which ZoneDirector will send trap notifications to the SNMP server that you specified. Table 15 lists the trap notifications that ZoneDirector sends and when they are sent.
  • Page 96 A client has roamed away from an AP. The client's MAC address, AP's MAC address and SSID are included. ruckusZDEventClientRoamIn A client has roamed in to an AP. The client's MAC address, AP's MAC address and SSID are included.
  • Page 97 Enabling Network Management Systems Configuring SNMP Support Table 15. Trap notifications Trap Name Description ruckusZDEventClientAuthFailed A client authentication attempt has failed. The client's MAC address, AP's MAC address, SSID and failure reason are included. ruckusZDEventClientAuthorization A client authorization attempt to join an AP Failed has failed.
  • Page 98: Configuring Dhcp Relay

    To configure DHCP Relay for tunneled WLANs: 1 Go to Configure > DHCP Relay. 2 Click Create New. 3 Enter a Name and IP address for the server. 4 Click OK to save your changes. The new server appears in the list.
  • Page 99 Configuring DHCP Relay Configuring SNMP Support Figure 49. Creating a DHCP Relay server To enable DHCP Relay for a WLAN: 1 Go to Configure > WLANs. 2 If creating a new WLAN, click Create New. Otherwise, click Edit for the WLAN you want to configure.
  • Page 100: Enabling Bonjour Gateway

    Bonjour services from one VLAN to another. ZoneDirector’s Bonjour Gateway feature addresses this requirement by providing an mDNS proxy service configurable from the web interface to allow administrators to specify which types of Bonjour services can be accessed from/to which VLANs.
  • Page 101: Creating A Bonjour Gateway Rule - Zd Site

    Enabling Bonjour Gateway Creating a Bonjour Gateway Rule - ZD Site In order for the Bonjour Gateway to function, the following network configuration requirements must be met: 1 The target networks must be segmented into VLANs. 2 VLANs must be mapped to different SSIDs. 3 The controller must be connected to a VLAN trunk port.
  • Page 102: Creating A Bonjour Gateway Rule - Ap Site

    • Some APs of one local area link must be in one subnet. The switch interfaces connected to these APs in a local area link must be configured in VLAN-trunk mode. Only by doing so can the designated AP receive all the multicast Bonjour protocol packets from other VLANs.
  • Page 103 Enabling Bonjour Gateway Creating a Bonjour Gateway Rule - AP Site • Dynamic VLANs are not supported. • Some AP models are incompatible with this feature due to memory requirements. To configure rules for AP site bridging Bonjour services across VLANs: 1 Go to Configure >...
  • Page 104: Applying A Bonjour Policy To An Ap

    The following example illustrates how ZoneDirector’s Bonjour Gateway can be used to allow users to access Bonjour resources on different VLANs in a school setting, where access to certain resources must generally be separated between teachers and students, but where sharing may sometimes be necessary.
  • Page 105 Enabling Bonjour Gateway Example Network Setup • Assume a network with three VLANs mapped to separate SSIDs, all on separate subnets or multicast domains. The three segments host different devices for different users: • Classroom SSID (VLAN 100): WEP authentication, includes an iMac desktop for file sharing and iOS Sync for backup, and an Apple TV attached to a projector.
  • Page 107: Configuring Security And Other Services

    Configuring Security and Other Services In this chapter: • Configuring Self Healing Options • Configuring Wireless Intrusion Prevention • Controlling Network Access Permissions • Using an External AAA Server ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 108: Configuring Self Healing Options

    ZoneDirector offers two methods of automatic channel selection for spectrum utilization and performance optimization: • ChannelFly • Background Scanning While Background Scanning must be enabled for rogue AP detection, AP location detection and radio power adjustment, either can be used for automatic channel optimization. Ruckus Wireless, Inc.
  • Page 109 Configuring Self Healing Options Automatic Channel Selection ChannelFly The main difference between ChannelFly and Background Scanning is that ChannelFly determines the optimal channel based on real-time statistical analysis of actual throughput measurements, while Background Scanning uses channel measurement and other techniques to estimate the impact of interference on Wi-Fi capacity based on progressive scans of all available channels.
  • Page 110 • Automatically adjust 2.4 GHz channels using Background Scanning or ChannelFly • Automatically adjust 5 GHz channels using Background Scanning or ChannelFly 3 Click the Apply button in the same section to save your changes. Figure 55. Self Healing options
  • Page 111 Configuring Self Healing Options Automatic Channel Selection NOTE: ChannelFly channel selection data is persistent across reboots for the following APs only: 7982, 7782, 7782-x, 7781-CM, SC-8800-S. It is not persistent across power cycles for any AP. Background Scanning Using Background Scanning, ZoneDirector regularly samples the activity in all Access Points to assess RF usage, to detect rogue APs and to determine which APs are near each other for mesh optimization.
  • Page 112 To see whether Background Scanning is enabled or disabled for a particular AP, go to Monitor > Access Points, and click on the AP’s MAC address. The access point detail screen displays the Background Scanning status for each radio. Ruckus Wireless, Inc.
  • Page 113: Load Balancing

    Configuring Self Healing Options Load Balancing Figure 57. Viewing whether Background Scanning is enabled for an AP Load Balancing Enabling load balancing can improve WLAN performance by helping to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle.
  • Page 114 To enable Load Balancing globally: 1 Go to Configure > Services. 2 In Load Balancing, choose to perform load balancing on either the 2.4 or 5 GHz radio. 3 Enter Adjacent Radio Threshold (in dB), and click Apply. Ruckus Wireless, Inc.
  • Page 115 Configuring Self Healing Options Load Balancing Figure 58. Enable Load Balancing across adjacent APs by radio type To disable Load Balancing on a per-WLAN basis: 1 Go to Configure > WLANs. 2 Click the Edit link beside the WLAN for which you want to disable load balancing. 3 Click the Advanced Options link to expand the options.
  • Page 116: Band Balancing

    2.4 GHz and 5 GHz radios. This feature is enabled by default and set to a target of 25% of clients connecting to the 2.4 GHz band. To balance the load on a radio, the AP encourages dual-band clients to connect to the 5 GHz band when the configured percentage threshold is reached. Ruckus Wireless, Inc.
  • Page 117: Radar Avoidance Pre-Scanning

    Configuring Self Healing Options Radar Avoidance Pre-Scanning Figure 60. Distributing clients between the 2.4 and 5 GHz radios Radar Avoidance Pre-Scanning The Radar Avoidance Pre-Scanning (RAPS) setting allows pre-scanning of DFS channels in the 5 GHz band to ensure the channel is clear of radar signals prior to transmitting on the channel.
  • Page 118: Aeroscout Rfid Tag Detection

    To enable AeroScout RFID tag detection on ZoneDirector: 1 Go to Configure > Services. 2 Scroll down to the AeroScout RFID section (near the bottom of the page). 3 Select the Enable AeroScout RFID tag detection check box. Ruckus Wireless, Inc.
  • Page 119: Ekahau Tag Detection

    Configuring Self Healing Options Ekahau Tag Detection 4 Click the Apply button in the same section to save your changes. ZoneDirector enables AeroScout RFID tag detection on all its managed APs that support this feature. Figure 62. Enabling AeroScout Tag detection NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup is not optimal (according to AeroScout documents).
  • Page 120: Active Client Detection

    1 Go to Configure > Services, and scroll down to the Active Client Detection section. 2 Click the check box next to Enable client detection ... and enter an RSSI threshold, below which an event will be triggered. 3 Click Apply to save your changes. Ruckus Wireless, Inc.
  • Page 121: Tunnel Configuration

    Configuring Self Healing Options Tunnel Configuration Figure 64. Enabling active client detection A low severity event is now triggered each time a client connects with an RSSI lower than the threshold value entered. Go to Monitor > All Events/Activities to monitor these events.
  • Page 122 Packet Inspection Filter (see Packet Inspection Filter). 4 Click Apply in the same section to save your changes. Figure 65. Set tunnel configuration parameters for all WLANs with tunnel mode enabled. Ruckus Wireless, Inc.
  • Page 123: Packet Inspection Filter

    Configuring Self Healing Options Packet Inspection Filter Packet Inspection Filter The Packet Inspection Filter (PIF) allows configuration of rate limits for broadcast neighbor discovery (IPv4 Address Resolution Protocol and IPv6 Neighbor Solicit) packets. The PIF rate limiting threshold affects the following services: •...
  • Page 124: Configuring Wireless Intrusion Prevention

    (10~1200 seconds, default is 30). Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list under Monitor > Access Control. 3 Click Apply to save your changes. Ruckus Wireless, Inc.
  • Page 125: Intrusion Detection And Prevention

    Configuring Wireless Intrusion Prevention Intrusion Detection and Prevention Figure 67. Denial of Service (DoS) prevention options Intrusion Detection and Prevention ZoneDirector’s intrusion detection and prevention features rely on background scanning results to detect rogue access points connected to the network and optionally, prevent clients from connecting to malicious rogue APs.
  • Page 126 BSSID (MAC) to prevent wireless clients from connecting to the malicious rogue AP. This option is disabled by default. 2 Click the Apply button that is in the same section to save your changes. Ruckus Wireless, Inc.
  • Page 127: Rogue Dhcp Server Detection

    Configuring Wireless Intrusion Prevention Rogue DHCP Server Detection Figure 68. Intrusion Prevention options See Detecting Rogue Access Points for more information on monitoring and handling rogue devices. Rogue DHCP Server Detection A rogue DHCP server is a DHCP server that is not under the control of network administrators and is therefore unauthorized.
  • Page 128 3 Click the Apply button that is in the same section. You have completed enabling rogue DHCP server detection. Ruckus Wireless recommends checking the Monitor > All Events/Activities page periodically to determine if ZoneDirector has detected any rogue DHCP servers. When a rogue...
  • Page 129 Configuring Wireless Intrusion Prevention Rogue DHCP Server Detection Figure 69. Enabling Rogue DHCP server detection ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 130: Controlling Network Access Permissions

    7 Click OK to save the L2/MAC based ACL. You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128 MAC addresses. Each WLAN can be configured with one L2 ACL. Ruckus Wireless, Inc.
  • Page 131: Creating Layer 3/Layer 4/Ip Address Access Control Lists

    Controlling Network Access Permissions Creating Layer 3/Layer 4/IP Address Access Control Lists Figure 70. Configuring an L2/MAC access control list Creating Layer 3/Layer 4/IP Address Access Control Lists In addition to L2/MAC based ACLs, ZoneDirector also provides access control options at Layer 3 and Layer 4. This means that you can configure the access control options based on a set of criteria, including: •...
  • Page 132 • Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80- 443). 8 Click OK to save the ACL. 9 Repeat these steps to create up to 32 L3/L4/IP address-based access control rules. Figure 71. Configuring an L3/L4 access control list Ruckus Wireless, Inc.
  • Page 133: Configuring Device Access Policies

    Controlling Network Access Permissions Configuring Device Access Policies Configuring Device Access Policies In response to the growing numbers of personally owned mobile devices such as smart phones and tablets being brought into the network, IT departments are requiring more sophisticated control over how devices connect, what types of devices can connect, and what they are allowed to do once connected.
  • Page 134 2 To edit an existing WLAN, click Edit next to the WLAN you want to edit. 3 Expand the Advanced Options, and locate the Access Control section. 4 In Device Policy, select the policy you created from the list. 5 Click OK to save your changes. Ruckus Wireless, Inc.
  • Page 135: Configuring Client Isolation White Lists

    Controlling Network Access Permissions Configuring Client Isolation White Lists Figure 73. Applying a device access policy for a WLAN Configuring Client Isolation White Lists When Wireless Client Isolation is enabled on a WLAN, all communication between clients and other local devices is blocked at the Access Point. To prevent clients from communicating with other nodes, the Access Point drops all ARP packets from stations on the WLAN where client isolation is enabled and which are destined to IP addresses that are not part of a per-WLAN white list.
  • Page 136 • Isolate wireless client traffic from other clients on the same AP: Enable client isolation on the same Access Point (clients on the same subnet but connected to other APs will still be able to communicate). Ruckus Wireless, Inc.
  • Page 137: Configuring Application Denial Policies

    Controlling Network Access Permissions Configuring Application Denial Policies • Isolate wireless client traffic from all hosts on the same VLAN/subnet: Prevent clients from communicating with any other hosts on the same subnet or VLAN other than those listed on the Client Isolation Whitelist. If this option is chosen, you must select a Whitelist from the drop-down list of those you created on the Configure >...
  • Page 138 There is no distinction between the TCP and UDP protocols, so care should be taken if wishing to block a specific application port as that will apply to both IP protocols and may inadvertently block another application using the other protocol. Ruckus Wireless, Inc.
  • Page 139: Configuring User Defined Applications

    Controlling Network Access Permissions Configuring User Defined Applications Figure 76. Blocking an application by HTTP host name Configuring User Defined Applications When an application is unrecognized and generically (or incorrectly) categorized, you can configure an explicit application identification policy by IP Address/Mask, Port and Protocol.
  • Page 140: Configuring Application Port Mapping

    Figure 78 shows how an Application Port Mapping policy could be used to identify all port 8081 wireless traffic as “HTTP Proxy” traffic and display this name in application recognition pie charts and tables. Ruckus Wireless, Inc.
  • Page 141 Controlling Network Access Permissions Configuring Application Port Mapping Figure 78. Application Port Mapping Well-Known Service and Destination Port Mappings Defined in Application Visibility ZoneDirector automatically identifies several hundred applications for use in application recognition and denial policies. The following links provide lists of many of the most common applications and ports that are included: •...
  • Page 142: Configuring Precedence Policies

    6 Click Save to save the rule. You can create up to two rules per policy. The rules will be applied in the order shown in the Order column. 7 Click OK to save the precedence policy. This policy is now available for selection in WLAN configuration. Ruckus Wireless, Inc.
  • Page 143: Blocking Client Devices

    Controlling Network Access Permissions Blocking Client Devices Figure 79. Precedence Policy settings Blocking Client Devices When users log into a ZoneDirector network, their client devices are recorded and tracked. If, for any reason, you need to block a client device from network use, you can do so from the web interface.
  • Page 144 1 Look at the Status column to identify any “Unauthorized” users. 2 Click the Delete button in the Action column in a specific user row. The entry is deleted from the Active/Current Client list, and the listed device is disconnected from your Ruckus Wireless WLAN. Ruckus Wireless, Inc.
  • Page 145 1 Look at the Status column to identify any unauthorized users. 2 Click the Block button in the Action column in a specific user row. The status is changed to Blocked. This will prevent the listed device from using your Ruckus Wireless WLANs. ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 146 Reviewing a List of Previously Blocked Clients 1 Go to Configure > Access Control. 2 Review the Blocked Clients table. 3 You can unblock any listed MAC address by clicking the Unblock button for that address. Figure 83. Unblocking a previously blocked client Ruckus Wireless, Inc.
  • Page 148: Using An External Aaa Server

    Active Directory server in one of two ways: • Single Domain Active Directory Authentication • Multi-Domain Active Directory Authentication Single Domain Active Directory Authentication To enable Active Directory authentication for a single domain: Ruckus Wireless, Inc.
  • Page 149 Using an External AAA Server Active Directory 1 Go to Configure > AAA Servers. 2 Click the Edit link next to Active Directory. 3 Do not enable Global Catalog support. 4 Enter the IP address and Port of the AD server. The default Port number (389) should not be changed unless you have configured your AD server to use a different port.
  • Page 150 NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database. 6 Click OK to save changes. 7 To test your authentication settings, see Testing Authentication Settings.
  • Page 151: Ldap

    Using an External AAA Server LDAP Figure 85. Active Directory with Global Catalog enabled LDAP ZoneDirector supports several of the most commonly used LDAP servers, including: • OpenLDAP • Apple Open Directory • Novell eDirectory • Sun JES (limited support) To enable LDAP user authentication for all users 1 Click the Edit link next to LDAP on the Configure >...
  • Page 152 For example, objectClass=Person limits the search to those whose “objectClass” attribute is equal to “Person”. More complicated examples are shown when you mouse over the “show more” section, as shown in Figure 87 below. Ruckus Wireless, Inc.
  • Page 153 Using an External AAA Server LDAP Figure 87. LDAP search filter syntax examples Mouse over “show more” Group Extraction By using the Search Filter, you can extract the groups to which a user belongs, as categorized in your LDAP server. Using these groups, you can attribute Roles within ZoneDirector to members of specific groups.
  • Page 154: Radius / Radius Accounting

    Accounting server is used for authentication or accounting, user credentials can be entered as a standard username / password combination, or client devices can be limited by MAC address. If using MAC address as the authentication method, you Ruckus Wireless, Inc.
  • Page 155 Using an External AAA Server RADIUS / RADIUS Accounting must enter the MAC addresses of each client on the AAA server, and any clients attempting to access your WLAN with a MAC address not listed will be denied access. A RADIUS/RADIUS Accounting server can be used with 802.1X, MAC authentication, Web authentication (captive portal) and Hotspot WLAN types.
  • Page 156 Using an External AAA Server RADIUS / RADIUS Accounting 6 In Reconnect Primary, enter the number of minutes after which ZoneDirector will attempt to reconnect to the primary RADIUS server after failover to the backup server. Ruckus Wireless, Inc.
  • Page 157 Using an External AAA Server RADIUS / RADIUS Accounting Figure 89. Enable backup RADIUS server ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 158 • All caps colon separated: AA:BB:CC:DD:EE:FF 3 Log in to the ZoneDirector web interface, and go to Configure > WLANs. 4 Click the Edit link next to the WLAN you would like to configure. 5 Under Authentication Options: Method, select MAC Address. Ruckus Wireless, Inc.
  • Page 159 Using an External AAA Server RADIUS / RADIUS Accounting 6 Under Authentication Server, select your RADIUS Server. 7 Select the MAC Address Format according to your RADIUS server’s requirements. 8 Click OK to save your changes. Figure 91. RADIUS authentication using MAC address You have completed configuring the WLAN to authenticate users by MAC address from a RADIUS server.
  • Page 160 2 Under Authentication Options: Method, select 802.1X EAP. 3 Under Encryption Options: Method, select None. 4 Under Authentication Server, select either Local Database or a previously configured RADIUS server from the list. 5 Click OK to save your changes. Ruckus Wireless, Inc.
  • Page 161 Using an External AAA Server RADIUS / RADIUS Accounting RADIUS Attributes Ruckus products communicate with an external RADIUS server as a RADIUS client. Packets from Ruckus products are called “access-request” or “accounting-request” messages. The RADIUS server, in turn, sends an “access-challenge”, “access-accept”...
  • Page 162 ==> (24) State: if radius access-challenge in last received radius msg from AAA (80) Message Authenticator (95) NAS IPv6 address (if using/talking to an IPv6 RADIUS server) Ruckus private attribute: Vendor ID: 25053 Vendor Type / Attribute Number: 3 (Ruckus-SSID) Ruckus Wireless, Inc.
  • Page 163 Using an External AAA Server RADIUS / RADIUS Accounting Figure 93. RADIUS attributes used in authentication
    WLAN Type: 802.1X / MAC Auth
    Sent from RADIUS server in Access Accept messages:
    (1) User name
    (25) Class
    (27) Session-timeout & (29) Termination-action: Session-timeout event becomes a disconnect event or re-authentication event if termination-action indicates "(1) radius-request"...
  • Page 164 (2) WISPr location name (4) WISPr redirection URL (7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second) (8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second) (80) Message Authenticator RADIUS Accounting attributes The following table lists attributes used in RADIUS accounting messages. Ruckus Wireless, Inc.
  • Page 165 Using an External AAA Server RADIUS / RADIUS Accounting Table 16. RADIUS attributes used in Accounting
    WLAN Type: 802.1X / MAC Auth
    Common to Start, Interim Update, and Stop messages:
    (1) User Name
    (4) NAS IP Address
    (5) NAS Port
    (8) Framed IP
    (30) Called Station ID: user configurable
    (31) Calling Station ID: format is sta's mac...
  • Page 166 (64) Tunnel-Type: value only relevant if it is (13) VLAN (65) Tunnel-Medium-Type: value only relevant if it is (6) 802 (as in all 802 media plus Ethernet) (81) Tunnel-Private-Group-ID: this is the VLAN ID assignment (per RFC, this is between 1 and 4094) Ruckus Wireless, Inc.
  • Page 167 Using an External AAA Server RADIUS / RADIUS Accounting Table 16. RADIUS attributes used in Accounting
    WLAN Type: WISPr / Web Auth / Guest Access
    Common to Start, Interim Update, and Stop messages:
    (1) User name
    (2) Password
    (4) NAS IP address
    (5) NAS port
    (8) Framed-IP
    (30) Called station ID: user configurable...
  • Page 168 Properties dialog box. 3 On the Properties dialog box, click Edit Profile... The Edit Dial-in Profile dialog box opens. 4 Click the Authentication tab at the top of the screen. 5 Select Unencrypted authentication (PAP, SPAP).
  • Page 169 Using an External AAA Server RADIUS / RADIUS Accounting 6 Click OK. 7 Repeat this procedure for additional users or groups. Figure 94. On the Microsoft IAS page, right-click the user/group and select Properties. ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 170 Using an External AAA Server RADIUS / RADIUS Accounting Figure 95. On the Properties page, click Edit Profile... Figure 96. On the Authentication tab of the Edit Dial-in Profile dialog, select Unencrypted authentication (PAP, SPAP) Ruckus Wireless, Inc.
  • Page 171 Using an External AAA Server RADIUS / RADIUS Accounting You have completed configuring Microsoft IAS for PAP authentication. TACACS+ Terminal Access Controller Access-Control System Plus (TACACS+) is an Authentication, Authorization and Accounting protocol used to authenticate ZoneDirector administrators. ZoneDirector admins can be assigned any of the same three administration privilege levels that can be set manually on the Configure >...
  • Page 172 Figure 97. Configuring a TACACS+ AAA server Once your TACACS+ server is configured on the AAA Servers page, you can select it from the list of servers used to authenticate ZoneDirector administrators on the Administer > Preferences page. Ruckus Wireless, Inc.
  • Page 173 Using an External AAA Server RADIUS / RADIUS Accounting Figure 98. Select TACACS+ for ZoneDirector administrator authentication Testing Authentication Settings The Test Authentication Settings feature allows you to query an AAA server for a known authorized user, and return Groups associated with the user that can be used for configuring Roles within ZoneDirector.
  • Page 174 • Admin invalid • User name or password invalid • Search filter syntax invalid (LDAP only) These results can be used to troubleshoot the reasons for failure to authenticate users from an AAA server through ZoneDirector. Ruckus Wireless, Inc.
  • Page 175: Managing A Wireless Local Area Network

    Managing a Wireless Local Area Network In this chapter: • Overview of Wireless Networks • About Ruckus Wireless WLAN Security • Creating a WLAN • Creating a New WLAN for Workgroup Use • Customizing WLAN Security • Working with WLAN Groups •...
  • Page 176: Overview Of Wireless Networks

    WLAN for visitors and any needed WLANs that fulfill different wireless security or user segmentation requirements. The maximum number of WLANs configurable per ZoneDirector controller are as follows: Figure 99. Max WLANs by ZoneDirector model Model Max WLANs ZoneDirector 1100 ZoneDirector 3000 1024 ZoneDirector 5000 2048 Ruckus Wireless, Inc.
  • Page 177: About Ruckus Wireless Wlan Security

    CAUTION! Deploying a large number of WLANs per AP will have a performance impact. Ruckus Wireless recommends deploying no more than eight WLANs per AP radio. About Ruckus Wireless WLAN Security One of the first things you should decide for each WLAN you create is which methods of authentication and encryption to use for both internal users and guests.
  • Page 178: Creating A Wlan

    The WLAN Create New workspace includes the following configuration options used to customize your new WLAN. The individual options are explained in detail in the next section, beginning with General Options. Table 17. Create new WLAN options Option Description General Options Enter WLAN name and description. Ruckus Wireless, Inc.
  • Page 179: General Options

    Creating a WLAN General Options Table 17. Create new WLAN options Option Description WLAN Usages Select usage type (standard, guest access, hotspot, autonomous). Authentication Options Select an authentication method for this WLAN (open, 802.1X EAP, MAC address, 802.1X EAP + MAC Address).
  • Page 180: Wlan Usage Types

    Creating a Hotspot Service. • Hotspot 2.0: Create a Hotspot 2.0 WLAN. A Hotspot 2.0 Operator must first have been created (Configure > Hotspot 2.0 Services) before it will be available for selection. See Creating a Hotspot 2.0 Service. Ruckus Wireless, Inc.
  • Page 181: Authentication Method

    Creating a WLAN Authentication Method • Autonomous: Autonomous WLANs are special WLANs designed to continue providing service to clients when APs are disconnected from ZoneDirector. See Autonomous WLANs. Autonomous WLANs The Autonomous WLAN usage type supports Open authentication and WPA2 (WPA2/WPA-Mixed), WEP or no encryption only.
  • Page 182: Fast Bss Transition

    Encryption choices include WPA2, WPA-Mixed, WEP-64, WEP-128 and None. WPA2 is the only encryption method certified by the Wi-Fi Alliance and is the recommended method. WEP has been proven to be easily circumvented, and Ruckus Wireless recommends against using WEP if possible. Method •...
  • Page 183 Creating a WLAN Encryption Options • WEP-64: Provides a lower level of encryption, and is less secure, using shared key 40-bit WEP encryption. • WEP-128: Provides a higher level of encryption than WEP-64, using a shared 104-bit key for WEP encryption. However, WEP is inherently less secure than WPA2.
  • Page 184 For example, if you want to prioritize internal traffic over guest WLAN traffic, you can set the priority in the guest WLAN configuration settings to “Low.” By default all WLANs are set to high priority. Ruckus Wireless, Inc.
  • Page 185: Advanced Options

    Creating a WLAN Advanced Options Advanced Options The advanced options can be used to configure special WLANs; for example, you might want to create a special WLAN for VoIP phone use only, or create a student WLAN that should be time-controlled to provide access only during school hours. •...
  • Page 186 • Tunnel Mode: Select this check box if you want to tunnel the WLAN traffic back to ZoneDirector. Tunnel mode enables wireless clients to roam across different APs on different subnets. If the WLAN has clients that require uninterrupted wireless connection (for example, VoIP devices), Ruckus Wireless recommends enabling tunnel mode. NOTE:...
  • Page 187 • Load Balancing: Client load balancing between APs is disabled by default on all WLANs. To disable load balancing for this WLAN only (when enabled globally), check this box. Ruckus Wireless recommends disabling load balancing on VoIP WLANs. For more information, see Load Balancing.
  • Page 188 Click on a day of the week to enable/disable this WLAN for the entire day. Colored cells indicate WLAN enabled. Click and drag to select specific times of day. You can also disable a WLAN temporarily for testing purposes, for example. Ruckus Wireless, Inc.
  • Page 189 Creating a WLAN Advanced Options NOTE: This feature will not work properly if ZoneDirector does not have the correct time. To ensure ZoneDirector always maintains the correct time, configure an NTP server and point ZoneDirector to the NTP server’s IP address, as described in Setting the System Time.
  • Page 190 If these options are not enabled, the AP will send neighbor reports consisting of only APs found on the same channel as the operating channel of the AP. Figure 101. Advanced options for creating a new WLAN Ruckus Wireless, Inc.
  • Page 191: Creating A New Wlan For Workgroup Use

    Creating a New WLAN for Workgroup Use Advanced Options Figure 102. Configuring WLAN service schedule Creating a New WLAN for Workgroup Use If you want to create an additional WLAN based on your existing default WLAN and limit its use to a select group of users (e.g., Marketing, Engineering), you can do so by following these steps: 1 Make a list of the group of users.
  • Page 192: Customizing Wlan Security

    3 You have three options for the internal WLAN: [1] continue using the current configuration, [2] fine-tune the existing security mode, or [3] replace this mode entirely with a different authentication and encryption method. The two WLAN-editing processes are described separately, below.
  • Page 193: Fine-Tuning The Current Security Mode

    Customizing WLAN Security Fine-Tuning the Current Security Mode Figure 103. Viewing WLAN security configurations from the Monitor > WLANs page Fine-Tuning the Current Security Mode To keep the original security mode and fine-tune its settings: 1 Go to Configure > WLANs. 2 In the Internal WLAN row, click Edit.
  • Page 194 MAC addresses. Before you can use this option, you need to add your external RADIUS server to ZoneDirector’s Configure > AAA Servers page. You also need to define the MAC addresses that you want to allow on the RADIUS server. Ruckus Wireless, Inc.
  • Page 195: Using The Built-In Eap Server

    7 When you are finished, click OK to apply your changes. NOTE: Replacing your WPA configuration with 802.1X requires the users to make changes to their Ruckus wireless connection configuration—which may include the importation of certificates. Using the Built-in EAP Server (Requires the selection of “Local Database”...
  • Page 196: If You Change The Internal Wlan To Wep Or 802.1X

    WLAN groups to do this. For example, if your wireless network covers three building floors (1st Floor to 3rd Floor) and you need to provide wireless access to visitors on the 1st Floor, you can do the following: Ruckus Wireless, Inc.
  • Page 197: Creating A Wlan Group

    The maximum number of WLAN groups that you can create depends on the ZoneDirector model. Table 18. Maximum number of WLAN groups by ZoneDirector model ZoneDirector Model Max WLAN Groups ZoneDirector 1100 ZoneDirector 3000 1024 ZoneDirector 5000 2048 Creating a WLAN Group 1 Go to Configure >...
  • Page 198: Assigning A Wlan Group To An Ap

    Assigning a WLAN Group to an AP 1 Go to Configure > Access Points. 2 In the list of access points, find the MAC address of the AP that you want to assign to a WLAN group, and then click Edit. Ruckus Wireless, Inc.
  • Page 199: Viewing A List Of Aps That Belong To A Wlan Group

    Working with WLAN Groups Viewing a List of APs That Belong to a WLAN Group 3 In WLAN Group, click Override Group Config and select the WLAN group to which you want to assign the AP. Each AP (or radio, on dual radio APs) can only be a member of a single WLAN group.
  • Page 200: Deploying Zonedirector Wlans In A Vlan Environment

    • Verifying that those trunk ports are on the same native VLAN. Example configuration (Figure 106): VLAN 20 is used for internal clients, VLAN 30 is used for guest clients, and Management VLAN configuration is optional. Ruckus Wireless, Inc.
  • Page 201 Deploying ZoneDirector WLANs in a VLAN Environment Viewing a List of APs That Belong to a WLAN Group Figure 106. Sample VLAN configuration You must ensure that switch ports are configured properly to pass the VLAN traffic necessary for ZoneDirector, AP and client communications. In the sample VLAN scenario above, the switch ports would need to be configured as follows: •...
  • Page 202: Tagging Management Traffic To A Vlan

    5 In Device IP Settings, enter the VLAN ID in the Access VLAN field. 6 If you are using an additional management interface for ZoneDirector, enter the same ID in the Access VLAN field for the additional management interface. 7 Click Apply to save your settings. Ruckus Wireless, Inc.
  • Page 203 Deploying ZoneDirector WLANs in a VLAN Environment Tagging Management Traffic to a VLAN NOTE: ZoneDirector will need to be rebooted after changing management VLAN settings. 8 Go to Administer > Restart, and click Restart to reboot ZoneDirector. CAUTION! When configuring or updating the management VLAN settings, make sure that the same VLAN settings are applied on the Configure >...
  • Page 204: How Dynamic Vlan Works

    2 In Authentication Server, select the RADIUS server that you configured on the AAA Servers page. 3 Expand the Advanced Settings section and click the Enable Dynamic VLAN box next to Access VLAN. 4 Click OK to save your changes.
  • Page 205 Deploying ZoneDirector WLANs in a VLAN Environment How Dynamic VLAN Works Figure 109. Enabling Dynamic VLAN Priority of VLAN, Dynamic VLAN and Tunnel Mode If the VLAN, Dynamic VLAN and Tunnel Mode features are all enabled and they have conflicting rules, ZoneDirector prioritizes and applies these three features in the following order: 1 Dynamic VLAN (top priority) 2 VLAN...
  • Page 206 VLAN (13) Tunnel-Medium-Type 802 (6) Tunnel-Private-Group-Id VLAN ID Here is an example of the required attributes for three users as defined on Free RADIUS: 0018ded90ef3 User-Name = user1, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0014 00242b752ec4
  • Page 207: Working With Hotspot Services

    Working with Hotspot Services Creating a Hotspot Service User-Name = user2, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0012 013469acee5 User-Name = user3, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 0012 The values in bold are the users' MAC addresses. NOTE: Working with Hotspot Services A hotspot is a venue or area that provides Internet access to devices with wireless...
  • Page 208 HTTP or HTTPS. 5 In Login Page (under Redirection), type the URL of the captive portal (the page where hotspot users can log in to access the service). 6 Configure optional settings as preferred:
  • Page 209 Working with Hotspot Services Creating a Hotspot Service • In Start Page, configure where users will be redirected after successful login. You could redirect them to the page that they want to visit, or you could set a different page where users will be redirected (for example, your company website).
  • Page 210 The page refreshes and the hotspot service you created appears in the list. You may now assign this hotspot service to the WLANs that you want to provide hotspot Internet access, as described in Assigning a WLAN to Provide Hotspot Service. Figure 110. Creating a Hotspot service
  • Page 211: Assigning A Wlan To Provide Hotspot Service

    Working with Hotspot Services Assigning a WLAN to Provide Hotspot Service NOTE: If ZoneDirector is located behind a NAT device and signed certificates are used with portal authentication, a static entry must be added to the DNS server to resolve ZoneDirector’s private IP address to its FQDN. Otherwise, client browsers may enter an infinite redirect loop and be unable to reach the login page.
  • Page 212: Common Wispr Attribute Abbreviations

    For a more complete guide on enabling WISPr Hotspot services with ZoneDirector, refer to the Ruckus Enabling WISPr Application Note. Table 20. Common WISPr Attributes Abbreviation Description The IP address of ZoneDirector. The MAC address of the Access Point (Ethernet).
  • Page 213: Creating A Hotspot 2.0 Service

    Creating a Hotspot 2.0 Service Common WISPr Attribute Abbreviations Table 20. Common WISPr Attributes Abbreviation Description The Location ID of the Hotspot service. The client’s real IP address. In a Layer 3 NAT environment, the client’s IP address will be translated to the gateway’s IP address when logging to the Hotspot service.
  • Page 214: Create A Service Provider Profile

    Contains cellular information such as network advertisement information to assist a 3GPP station in selecting an AP for 3GPP network access, as defined in Annex A of 3GPP TS 24.234 v8.1.0. Up to eight entries can be created.
  • Page 215 Creating a Hotspot 2.0 Service Create a Service Provider Profile 4 Click OK to save your changes. 5 Continue to Create an Operator Profile. Figure 112. Creating a Service Provider Profile Create an Operator Profile To create an Operator Profile: 1 Go to Configure >...
  • Page 216 Connection Capability Provides information on the connection status within the hotspot of the most commonly used communications protocols and ports. 11 static rules are available, as defined in WFA Hotspot 2.0 Technical Specification, section 4.5.
  • Page 217 Creating a Hotspot 2.0 Service Create a Service Provider Profile Figure 113. Hotspot 2.0 Operator profile configuration options Option Description Additional Connection Capability Allows addition of custom connection capability rules. Up to 21 custom rules can be created. 4 Click OK to save this Operator Profile. 5 Continue to Create a Hotspot 2.0 WLAN.
  • Page 218 DGAF option. This option prevents stations from forwarding group-addressed (multicast/broadcast) frames and converts group-addressed DHCP and ICMPv6 router advertisement packets from layer 2 multicast to unicast. 7 Click OK to save your changes.
  • Page 219: Working With Dynamic Pre-Shared Keys

    AP venue names for individual APs. Working with Dynamic Pre-Shared Keys Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of normal Pre-shared Key (PSK) wireless networks. Unlike typical PSK networks, which share a single key amongst all devices, a Dynamic PSK network assigns a unique key to every authenticated user.
  • Page 220: Enabling Dynamic Pre-Shared Keys On A Wlan

    Local Database or RADIUS Server. 8 Ensure that the Zero-IT Activation check box is enabled. 9 Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62 characters).
  • Page 221: Setting Dynamic Pre-Shared Key Expiration

    Working with Dynamic Pre-Shared Keys Setting Dynamic Pre-Shared Key Expiration • Limit DPSK: By default each authenticated user can generate multiple DPSKs. Select this option to limit the number of DPSKs each user can generate (1-4). 10 Click OK to save your settings. This WLAN is now ready to authenticate users using Dynamic Pre-Shared Keys once their credentials are verified against either the internal database or an external RADIUS server.
  • Page 222 If you change the dynamic PSK expiration period, the new expiration period will only be applied to new PSKs. Existing PSKs will retain the expiration period that was in effect when the PSKs were generated. To force expiration, go to Monitor > Generated PSK/Certs.
  • Page 223: Generating Multiple Dynamic Psks

    Working with Dynamic Pre-Shared Keys Generating Multiple Dynamic PSKs Generating Multiple Dynamic PSKs If you will be generating DPSKs frequently (for example, to configure school-owned laptops in batch), you may want to generate multiple DPSKs at once and distribute them to your users in one batch. Before performing this procedure, check your WLAN settings and make sure that the Dynamic PSK check box is selected.
  • Page 224: Creating A Batch Dynamic Psk Profile

    5 Go back to the Dynamic PSK Batch Generation section, and then complete steps 4 to 6 in “Generating Multiple Dynamic PSKs” above to upload the batch dynamic PSK profile and generate multiple dynamic PSKs.
  • Page 225: Enabling The Bypass Apple Cna Feature

    Enabling the Bypass Apple CNA Feature Creating a Batch Dynamic PSK Profile Figure 118. DPSK batch generation Enabling the Bypass Apple CNA Feature Some Apple iOS and OS X clients include a feature called Captive Network Assistant (Apple CNA), which allows clients to connect to an open captive portal WLAN without displaying the login page.
  • Page 226 3 Select any or all of the following WLAN types for which you want to bypass the Apple CNA feature: • Web Authentication • Guest Access • Hotspot service 4 Click Apply to save your changes. Figure 119. Enabling the Bypass Apple CNA Feature
  • Page 227: Managing Access Points

    Managing Access Points In this chapter: • Adding New Access Points to the Network • Working with Access Point Groups • Reviewing Current Access Point Policies • Importing a USB Software Package • Managing Access Points Individually • Optimizing Access Point Performance
  • Page 228: Adding New Access Points To The Network

    2 Write down the MAC address (on the bottom of each device) and note the specific location of each AP as you distribute them. 3 Connect the APs to the LAN with Ethernet cables. NOTE: If using Gigabit Ethernet, ensure that you use Cat5e or better Ethernet cables.
  • Page 229: Verifying/Approving New Aps

    Verifying/Approving New APs NOTE: By default, Ruckus Wireless APs will attempt to obtain an IP address via DHCP as soon as they are connected to the network. If you do not want the AP to automatically request an IP address, you must first configure a static IP address using the AP web interface or CLI before connecting them to your network.
  • Page 230 Adding New Access Points to the Network Verifying/Approving New APs Figure 121. The Monitor > Access Points page
  • Page 231: Working With Access Point Groups

    > Edit [AP MAC address]) and set the Tx Power setting to a lower setting. Table 22. Maximum number of AP groups by ZoneDirector model ZoneDirector Model Max AP Groups ZoneDirector 1100 ZoneDirector 3000 ZoneDirector 5000 ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 232: Modifying The System Default Ap Group

    2.4 GHz or 5 GHz radio. If 11n only Mode is enabled, all older 802.11b/g devices will be denied access to the radio. WLAN Group Specify which WLAN group this AP group belongs to.
  • Page 233 Working with Access Point Groups Modifying the System Default AP Group Setting Description Call Admission Control (Disabled by default). Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information. Spectralink (Disabled by default).
  • Page 234: Creating A New Access Point Group

    Modifying Access Point Group Membership When more than one AP group exists, you can move APs between groups using the Group Settings section of the Editing [AP Group] form. To add more access points to this group:
  • Page 235: Modifying Model Specific Controls

    Working with Access Point Groups Modifying Model Specific Controls 1 In Group Settings, click Add more Access Points to this group (or Add more Access Points from System Default group to this group). 2 Select the APs you want to add, and click Add to this group. The AP is added to the Members list above.
  • Page 236 3 Locate the Model Specific Control section, and select the AP model that you want to configure from the list. 4 In Port Setting, select Override System Default. The screen changes to display the Ethernet ports on the AP model currently selected.
  • Page 237 Working with Access Point Groups Modifying Model Specific Controls 5 Deselect the check box next to Enable to disable this LAN port entirely. All ports are enabled by default. 6 Select DHCP_Opt82 if you want to enable this option for this port (see “DHCP Option 82”).
  • Page 238 Working with Access Point Groups Modifying Model Specific Controls Figure 124. The ZoneFlex 7982 has two Ethernet ports, LAN1 and LAN2
  • Page 239 Working with Access Point Groups Modifying Model Specific Controls Figure 125. The ZoneFlex 7025/7055 has four front-facing Ethernet ports and one rear port
  • Page 240 AP’s MAC address, or the client MAC plus ESSID or AP MAC plus ESSID. Sub-option 150 can be enabled to encapsulate the VLAN ID. Sub-option 151 can be enabled to encapsulate either the ESSID or a configurable Area Name.
  • Page 241 Working with Access Point Groups Modifying Model Specific Controls Figure 126. Enabling DHCP Option 82 sub-options for a WLAN Designating Ethernet Port Type Ethernet ports are defined as one of the following port types: • “Trunk Ports” • “Access Ports” •...
  • Page 242 VLAN 1 VLAN (VLAN 1). is sent untagged. Access Port, Untag All incoming traffic is sent to the Only traffic belonging to the VLAN [2-4094] VLANs specified. specified VLAN is forwarded. All other VLAN traffic is dropped.
  • Page 243 Working with Access Point Groups Modifying Model Specific Controls General Ports General ports are user-specified ports that can have any combination of up to 20 VLAN IDs assigned. Enter multiple valid VLAN IDs separated by commas or a range separated by a hyphen. Using Port-Based 802.1X 802.1X authentication provides the ability to secure the network and optionally bind service policies for an authenticated user.
  • Page 244 MAC-based authenticator. 5 Enable MAC authentication bypass: Enable this option to allow AAA server queries using the MAC address as both the user name and password. If MAC authentication is unsuccessful, the normal 802.1X authentication exchange is attempted.
  • Page 245 Working with Access Point Groups Modifying Model Specific Controls Figure 127. Enabling Guest VLAN and Dynamic VLAN on a MAC-based 802.1X Authenticator port AP Ethernet Port as Supplicant You can also configure a port to act as a supplicant and force it to authenticate itself to an upstream authenticator port.
  • Page 246: Viewing Ap Ethernet Port Status

    Figure 128. Configuring an AP Ethernet port as an 802.1X Supplicant Viewing AP Ethernet Port Status You can view the status of an AP’s port configuration by going to Monitor > Access Points and clicking on the MAC address of the AP.
  • Page 247 Working with Access Point Groups Viewing AP Ethernet Port Status Figure 129. Viewing an AP’s Ethernet port configuration
  • Page 248: Reviewing Current Access Point Policies

    Discovery to provide limited redundancy; however, this method does not provide synchronization of the user database. For information on Smart Redundancy configuration, see Enabling Smart Redundancy. For information on N+1 redundancy using Limited ZD Discovery, see Using Limited ZD Discovery for N+1 Redundancy.
  • Page 249 Reviewing Current Access Point Policies Viewing AP Ethernet Port Status Prefer Primary ZD: Enable this option if you want APs to revert to the primary ZoneDirector’s control after connection to the primary controller is restored. Keep AP’s Primary and Secondary ZD Settings: Enable this option if you want the AP’s existing settings to take precedence (not be overwritten by secondary controller’s settings after failover to secondary ZD).
  • Page 250: Using Limited Zd Discovery For N+1 Redundancy

    Point Policies and locate the Limited ZD Discovery section. 2 Activate the check box next to Only connect to the following ZoneDirector. 3 Enter the IP address of the primary ZoneDirector (the one you are currently configuring) in Primary ZoneDirector Addr.
  • Page 251 Reviewing Current Access Point Policies Using Limited ZD Discovery for N+1 Redundancy 4 Enter the IP address of the backup ZoneDirector in Secondary ZoneDirector Addr. 5 (Optional) Enable the check box next to Prefer Primary ZD. This ensures that the AP will revert to its primary controller after connection to the primary has been restored.
  • Page 252: Importing A Usb Software Package

    Default AP Group/WLAN Group. Additionally, you must make sure that the maximum number of APs is not exceeded. Table 26. Max APs by ZoneDirector model Model Max APs per controller ZoneDirector 1100 ZoneDirector 3000 ZoneDirector 5000 1000 Importing a USB Software Package Ruckus ZoneFlex Access Points with USB ports (“SmartPoint”...
  • Page 253 Importing a USB Software Package Using Limited ZD Discovery for N+1 Redundancy 3 Once an LWAPP tunnel between the AP and ZoneDirector has been established, ZoneDirector automatically pushes the corresponding USB drivers, network connection scripts and configuration files to the AP. 4 The AP saves the files to its persistent storage.
  • Page 254: Managing Access Points Individually

    7 Channel: Manually set the channel used by the AP radio. 8 Tx Power: Manually set the maximum transmit power level relative to the calibrated power. 9 WLAN Group: Specify a WLAN group for this radio.
  • Page 255 Managing Access Points Individually Using Limited ZD Discovery for N+1 Redundancy 10 Call Admission Control: (Disabled by default). Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information. 11 Spectralink Compatibility: (Disabled by default). Enable this option if this AP radio will be used as a voice WLAN for Polycom/Spectralink phones.
  • Page 256 Root AP, Mesh AP, or Disable (default is Auto). In most cases, Ruckus Wireless recommends leaving this setting on Auto to reduce the risk of isolating a Mesh AP. Select Disable if you do not want this AP to be part of your mesh network.
  • Page 257: Configuring Hotspot 2.0 Venue Settings For An Ap

    Managing Access Points Individually Configuring Hotspot 2.0 Venue Settings for an AP 20 Click OK to save your settings. Figure 133. Ethernet port configuration - Override Group Config Configuring Hotspot 2.0 Venue Settings for an AP If this Access Point will be serving a Hotspot 2.0 hotspot, you can set the Venue Name for the venue at which the AP will be operating.
  • Page 258: Optimizing Access Point Performance

    APs, in terms of coverage. (For detailed information on the Map View, see Using the Map View Tools.) 2 In the Coverage options, select 2.4 GHz or 5 GHz to view coverage for the radio band.
  • Page 259: Improving Ap Rf Coverage

    Optimizing Access Point Performance Improving AP RF Coverage 3 When the “heat map” appears, look for the Signal (%) scale in the upper right corner of the map. 4 Note the overall color range, especially colors that indicate low coverage. 5 Look at the floorplan and evaluate the current coverage.
  • Page 260: Prioritizing Wlan Traffic

    To set a specific WLAN to lower priority: 1 Go to Configure > WLANs. 2 Click the Edit link next to the WLAN for which a lower priority will be set. 3 Select Low next to Priority, and click OK.
  • Page 261: Monitoring Your Wireless Network

    Monitoring Your Wireless Network In this chapter: • Reviewing the ZoneDirector Monitoring Options • Importing a Map View Floorplan Image • Using the Map View Tools • Evaluating and Optimizing Network Coverage • Reviewing Current Alarms • Reviewing Recent Network Events •...
  • Page 262: Reviewing The Zonedirector Monitoring Options

    • Configure: Use the options in this tab to assess the current state of WLAN users, any restricted WLANs, along with the settings for guest access, user roles, etc. You can also combine this tab's options with those in the Administer tab to perform system diagnostics and other preventive tasks.
  • Page 263: Importing A Map View Floorplan Image

    You can import an unlimited number of floorplan images to ZoneDirector. However, the total file size of all imported floor maps is limited to 2MB on ZoneDirector 1100 and 10MB on ZoneDirector 3000/5000. An error message appears when these file size limits are reached.
  • Page 264: Placing The Access Point Markers

    5 Drag each marker icon from the upper left corner into its correct location on the floorplan. When you finish, you can make immediate use of the Map View to optimize your wireless coverage, as detailed in Optimizing Access Point Performance.
  • Page 265: Using The Map View Tools

    Using the Map View Tools Placing the Access Point Markers Using the Map View Tools If your worksite floorplan has been scanned in and mapped with APs, the Map View will display a graphical image of your physical Ruckus network AP distribution. Figure 136.
  • Page 266 10 Scale legend: To properly assess the distances in a floorplan, a scaler has been provided so that you can place APs in the most precise location.
  • Page 267: Ap Icons

    Using the Map View Tools AP Icons 11 Open Space Office drop-down list: Open Office Space refers to the methodology used to compute RF coverage/signal% (i.e., heat map) based on the current environment. AP Icons Each AP marker has variable features that help indicate identity and status: A normal AP marker displays the description of the AP and the number of users that are currently associated...
  • Page 268: Evaluating And Optimizing Network Coverage

    3 After physically relocating the actual APs in accordance with Map View repositioning, reconnect each AP to a power source. When ZoneDirector has recalibrated the Map View after each AP restart, you can assess your changes and make further adjustments as needed.
  • Page 269: Reviewing Current Alarms

    Reviewing Current Alarms Moving the APs into More Efficient Positions Reviewing Current Alarms If an alarm condition is detected, ZoneDirector will record it in the events log, and if configured, will send an email warning. To review the current alarms and clear all resolved alarm records, follow these steps: 1 Go to Monitor >...
  • Page 270: Clearing Recent Events/Activities

    4 You can click Clear All at the bottom of the table to resolve and clear all events in the view. Monitoring WLAN Status The Monitor > WLANs page lists the currently deployed WLANs, WLAN Groups, Events/Activities and RADIUS statistics for any WLANs that use RADIUS authentication.
  • Page 271 Monitoring WLAN Status Clearing Recent Events/Activities Figure 138. The Monitor > WLANs page
  • Page 272: Reviewing Current User Activity

    The Applications/Ports pie chart displays user activity by application or port for the selected time span. The Application Performance chart displays uplink and downlink throughput over time. Select time span, AP group and SSID to change the values displayed in the charts.
  • Page 273 Reviewing Current User Activity Viewing Application Usage Statistics Figure 139. Monitoring client activity Click the Show Details button to display detailed application or port usage percentages.
  • Page 274: Active Clients

    The Inactive Clients table displays a list of inactive clients and can be used to view usage statistics of recently disconnected clients. Events/Activities The Events/Activities table displays a client-specific subset of the events listed on the All Events/Activities page.
  • Page 275 Reviewing Current User Activity Events/Activities Figure 141. Monitoring Clients
  • Page 276: Monitoring Individual Clients

    Charts General Displays general information on the client, including OS, AP and WLAN and signal strength indication. Also contains a Client Performance icon (see Events Displays a client-specific subset of the events in the All Events/Activities table.
  • Page 277 Monitoring Individual Clients Events/Activities Figure 142. Viewing individual client information and performance statistics Monitoring Client Performance The Client Performance graph can be used to track the uplink/downlink throughput of a specific client over time. To monitor a client’s performance: 1 Go to Monitor > Wireless Clients and locate the client MAC address in the Active Clients list.
  • Page 278 The uplink and downlink throughput curves show the actual throughput of the client. These curves are influenced by the user session, and they vary as a function of gaps in browsing activity and internet server response times.
  • Page 279: Monitoring Wired Clients

    Monitoring Access Point Status Monitoring Wired Clients Monitoring Wired Clients You can also monitor currently connected wired clients using the Monitor > 802.1X Wired Clients page. Note that connected devices will only be displayed when 802.1X is enabled on the Ethernet port to which they are connected. The Clients table lists the wired client’s MAC address, user name or IP address, the AP it is connected to, the port number, VLAN and authorization status.
  • Page 280 The number of clients currently connected to this AP. Bonjour Gateway Indicates whether Bonjour Gateway service is enabled, disabled or not supported on this AP. Application Capability Indicates whether Application Visibility is enabled, disabled or not supported on this AP.
  • Page 281 Monitoring Access Point Status Using the AP Status Overview Page Action These icons allow you to configure and troubleshoot APs individually. See Using Action Icons to Configure and Troubleshoot APs in a Mesh. Export to CSV The Currently Managed APs table can be exported as a CSV file, which can be opened in a spreadsheet program such as Microsoft Excel.
  • Page 282 Monitoring Access Point Status Using the AP Status Overview Page Figure 146. Viewing AP group members Events/Activities This table displays an AP-related subset of the information on the Monitor > All Events/Activities page.
  • Page 283: Monitoring Individual Aps

    Monitoring Individual APs Using the AP Status Overview Page Monitoring Individual APs When you click on the MAC address of any AP, the Monitor > Access Points page changes to a detailed view of information related to that specific AP. You can also click the AP name or MAC address in any of the tables or dashboard widgets in which it appears as a link to go directly to the AP detail page.
  • Page 284: Rf Pollution Faq

    “RF Pollution” is a linear index used to describe the level of performance-impacting RF contention and interference that an AP is experiencing. It distills several low-level mac and phy-level error metrics into a single parameter. Values
  • Page 285 Monitoring Individual APs RF Pollution FAQ can range from 0 to infinity, although in most normal environments the RF Pollution index will average between 10 and 100. Higher values are indicative of a noisier environment. • What is RF Pollution measuring? It is measuring the level of RF contention and interference experienced by the AP.
  • Page 286 Monitoring Individual APs RF Pollution FAQ Figure 147. Viewing an individual AP’s information Figure 148. Monitoring an AP’s performance
  • Page 287: Spectrum Analysis

    Monitoring Individual APs Spectrum Analysis Spectrum Analysis Spectrum analysis provides two real time views of the RF environment using data generated by the AP to chart power levels across the 2.4 and 5GHz frequency bands. • Instantaneous Samples View (top view): The instantaneous samples plot provides a real time display of signal power across the entire 2.4 or 5GHz frequency bands.
  • Page 288 Monitoring Individual APs Spectrum Analysis Figure 149. APs that support spectrum analysis display an extra icon in the Actions table
  • Page 289: Neighbor Aps

    Monitoring Individual APs Neighbor APs Figure 150. The Spectrum Analysis page Neighbor APs ZoneDirector uses several calculations to determine which APs are in proximity to one another. This information can be useful in planning or redesigning your Smart Mesh topology or in troubleshooting link performance issues. Details on neighbor APs include: •...
  • Page 290: Access Point Sensor Information

    This sensor displays the mounting orientation of the AP. Three orientations are possible: • Desktop/Horizontal Mount • Ceiling/Horizontal Mount • Wall/Vertical Mount Figure 151. AP orientation sensor information Temperature This sensor displays the temperature statistics as reported by the AP. Figure 152. AP temperature sensor information
  • Page 291: Monitoring Mesh Status

    LAN resources. This would potentially allow even more unauthorized users to access your corporate LAN - posing a security risk. Rogue APs also interfere with nearby Ruckus Wireless APs, thus degrading overall wireless network coverage and performance.
  • Page 292 “malicious”, whether user-blocked or another type. 5 If a listed AP is part of another, known neighbor network, click Mark as Known. This identifies the AP as posing no threat, while copying the record to the Known/Recognized Rogue Devices table.
  • Page 293 Detecting Rogue Access Points Access Point Sensor Information 6 To locate rogue APs that do pose a threat to your internal WLAN, click the Map View icon for a device to open the Map View. 7 Open the Map View, and look for rogue AP icons .
  • Page 294: Monitoring System Ethernet Port Status

    To view the status of ZoneDirector’s Ethernet ports, go to Monitor > System Info. The table displays the MAC address, Interface ID, physical link status, link speed, and total packets/bytes received/transmitted on the port since last restart.
  • Page 295: Monitoring Aaa Server Statistics

    Monitoring AAA Server Statistics Access Point Sensor Information Figure 156. Monitoring system Ethernet port information Monitoring AAA Server Statistics To monitor AAA servers that you have configured on the Configure > AAA Servers page, go to Monitor > AAA Servers Statistics.
  • Page 296: Monitoring Location Services

    Configure > Access Points > AP Groups page, go to Monitor > Location Services. NOTE: For information on configuration and administration of Ruckus SmartPositioning Technology (SPoT) service, please refer to the SPoT User Guide, available from the Ruckus support site: https://support.ruckuswireless.com.
  • Page 297 Monitoring Location Services Access Point Sensor Information Figure 158. Monitoring Location Services
  • Page 298 Monitoring Location Services Access Point Sensor Information
  • Page 299: Managing User Access

    Managing User Access In this chapter: • Enabling Automatic User Activation with Zero-IT • Adding New User Accounts to ZoneDirector • Managing Current User Accounts • Creating New User Roles • Managing Automatically Generated User Certificates and Keys • Using an External Server for User Authentication •...
  • Page 300: Enabling Automatic User Activation With Zero-It

    Enabling Automatic User Activation with Zero-IT Ruckus Wireless Zero-IT Activation allows network users to self-activate their devices for secure access to your wireless networks with no manual configuration required by the network administrator. Once your ZoneFlex network is set up, you need only direct users to the Activation URL, and they will be able to automatically authenticate themselves to securely access your wireless LAN.
  • Page 301: Clients That Support Zero-It

    Enabling Automatic User Activation with Zero-IT Clients that Support Zero-IT Figure 159. Enabling Zero-IT for a WLAN You have completed enabling Zero-IT for this WLAN. At this point, any user with the proper credentials (username and password) and running a supported operating system can self-provision his/her wireless client to securely access your wireless LANs.
  • Page 302: Self-Provisioning Clients With Zero-It

    /<zonedirector’s_IP_address>/activate). A WLAN Connection Activation web page appears. 3 Enter User Name and Password, and click OK. If the user name and password are confirmed and the computer is running a supported operating system, an automated script will launch. Ruckus Wireless, Inc.
  • Page 303 Enabling Automatic User Activation with Zero-IT Self-Provisioning Clients with Zero-IT Figure 160. Zero-IT automatic activation 4 Run the prov.exe script to automatically configure this computer’s wireless settings for access to the secure internal WLAN. 5 If you are not running a supported operating system, you can manually configure wireless settings by clicking the link at the bottom of the page (see Provisioning Clients that Do Not Support...
  • Page 304: Self-Provisioning Clients Without Ethernet Ports

    Once your wireless network is set up, you can instruct ZoneDirector to authenticate wireless users using an existing Active Directory, LDAP or RADIUS server, or to authenticate users by referring to accounts that are stored in ZoneDirector's internal user database. Ruckus Wireless, Inc.
  • Page 305: Internal User Database

    • Confirm Password: Re-enter the same password for this user. NOTE: ZoneDirector 1100 can support up to 1,250 combined total DPSK users and guest passes in the internal database. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes. ZoneDirector 5000 can support up to 20,000 guest passes and 10,000 DPSKs.
  • Page 306: Managing Current User Accounts

    4 If a role must be replaced, open that menu and choose a new role for this user. (For more information, see Creating New User Roles.) 5 Click OK to save your settings. Be sure to communicate the relevant changes to the appropriate end user. Ruckus Wireless, Inc.
  • Page 307: Deleting A User Record

    Creating New User Roles Deleting a User Record Deleting a User Record 1 Go to Configure > Users. 2 When the Users screen appears, review the “Internal User Database.” 3 To delete one or more records, click the check boxes next to those account records.
  • Page 308 - either full access or limited access. 5 When you finish, click OK to save your settings. This role is ready for assignment to authorized users. 6 If you want to create additional roles with different policies, repeat this procedure. Ruckus Wireless, Inc.
  • Page 309: Role Based Access Control Policy

    Creating New User Roles Role Based Access Control Policy Figure 164. The Create New form for adding a role Role Based Access Control Policy Using the Role Based Access Control Policy (RBAC) feature, organizations can deploy a single SSID for multiple roles and provide different access privileges based on the user’s role in the organization.
  • Page 310: Managing Automatically Generated User Certificates And Keys

    WPA or WPA2 and Dynamic PSK enabled, a unique and random key phrase is generated for each wireless user. Similarly, for a WLAN configured with 802.1X/EAP authentication, a unique certificate for each wireless user is created. Ruckus Wireless, Inc.
  • Page 311: Using An External Server For User Authentication

    Using an External Server for User Authentication Role Based Access Control Policy When using the internal user database, automatically generated user certificates and keys are deleted whenever the associated user account is deleted from the user database. In the case of using Windows Active Directory, LDAP or RADIUS as an authentication server, you can delete the generated user keys and certificates by following these steps: 1 Go to Monitor >...
  • Page 312 RADIUS server configuration and the choice you made in RADIUS/RADIUS Accounting. Make sure that either PAP or CHAP is enabled on the Remote Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing with testing authentication settings.
  • Page 313: Activating Web Authentication

    Activating Web Authentication Role Based Access Control Policy Figure 166. The Create New form for adding an authentication server For more information on configuring an external authentication server, see Using an External AAA Server. Activating Web Authentication Web authentication (also known as a “captive portal”) redirects users to a login web page the first time they connect to this WLAN, and requires them to log in before granting access to use the WLAN.
  • Page 314 5 Select the preferred authentication server from the Authentication Server drop-down menu. 6 Click OK to save this entry. Repeat this “enabling” process for each WLAN to which you want to apply web authentication. Figure 167. Activating captive portal/web authentication
  • Page 315: Managing Guest Access

    Managing Guest Access In this chapter: • Configuring Guest Access • Creating a Guest Access Service • Creating a Guest WLAN • Using the BYOD Onboarding Portal • Working with Guest Passes ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 316: Configuring Guest Access

    6 Under Redirection, select one of the following radio buttons to use/not use redirection: • Redirect to the URL that the user intends to visit: Allows the guest user to continue to their destination without redirection. Ruckus Wireless, Inc.
  • Page 317: Configuring Guest Subnet Access

    Creating a Guest Access Service Configuring Guest Subnet Access • Redirect to the following URL: Redirect the user to a specified web page (entered into the text box) prior to forwarding them to their destination. When guest users land on this page, they are shown the expiration time for their guest pass.
  • Page 318 8 If you want to allow or restrict subnet access based on the application, protocol, or destination port used, click the Advanced Options link, and then configure the settings. 9 Click OK to save the subnet access rule. Repeat Steps 4 to 9 to create up to 22 subnet access rules. Ruckus Wireless, Inc.
  • Page 319: Creating A Guest Wlan

    Creating a Guest WLAN Configuring Guest Subnet Access Figure 169. The Restricted Subnet Access options Creating a Guest WLAN After you have created a guest access service, create a WLAN of the type “Guest Access.” This WLAN can be configured to allow access only to a specific set of resources - such as ZoneDirector’s Zero-IT activation address, from which users can then activate their devices to gain access to the secure internal WLANs.
  • Page 320: Using The Byod Onboarding Portal

    WLAN using Zero-IT activation. To enable the Onboarding Portal for mobile devices: 1 Go to Configure > Guest Access. 2 Click Edit or Create New to configure a guest access service. Ruckus Wireless, Inc.
  • Page 321 Using the BYOD Onboarding Portal Configuring Guest Subnet Access 3 Enable the check box next to Onboarding Portal to enable Zero-IT device registration from the Guest Portal. 4 Select one of the following options to display when connecting to the Onboarding Portal: •...
  • Page 322 If the user clicks the Register Device button, the web page will be redirected to the WLAN Connection Activation page, from which the user can enter user name and password to activate this device. A Zero-IT activation file is generated for download once the client is registered with ZoneDirector. Ruckus Wireless, Inc.
  • Page 323 Using the BYOD Onboarding Portal Configuring Guest Subnet Access Figure 174. Activate device using the WLAN Connection Activation screen, and download activation file After running the downloaded Zero-IT file, the device will be configured with the settings to automatically connect to the secure internal/corporate WLAN. NOTE: You may need to manually switch from the guest WLAN to the secure WLAN after activation (on some mobile devices).
  • Page 324: Working With Guest Passes

    System page. NOTE: ZoneDirector 1100 can support up to 1,250 combined total DPSK users and guest passes in the internal database. ZoneDirector 3000 can support up to 10,000 total DPSK users and guest passes. ZoneDirector 5000 can support up to 20,000 guest passes and 10,000 DPSKs.
  • Page 325 Working with Guest Passes Configuring Guest Pass Generation • If you configured an AAA server (RADIUS, Active Directory or LDAP) on the Configure > AAA Servers page and you want to use that server to authenticate users, select the server name from the drop-down menu. (See Using an External Server for User Authentication.)
  • Page 326 1 Go to Configure > Roles. 2 In the Roles table, click Create New. 3 When the Create New features appear, make these entries: • Name: Enter a name for this role (e.g., “Guest Pass Generator”). Ruckus Wireless, Inc.
  • Page 327 Working with Guest Passes Configuring Guest Pass Generation • Description: Enter a short description of this role's application. • Group Attributes: This field is only available if you choose Active Directory as your authentication server. Enter the Active Directory User Group names here.
  • Page 328 You can edit an existing user account and reassign the guest pass generator role, if you prefer. 5 Click OK to save your settings. Be sure to communicate the role, user name and password to the appropriate end user. Ruckus Wireless, Inc.
  • Page 329: Generating And Delivering A Single Guest Pass

    Working with Guest Passes Generating and Delivering a Single Guest Pass Generating and Delivering a Single Guest Pass You can provide the following instructions to users with guest pass generation privileges. A single guest pass can be used for one-time login, time-limited multiple logins for a single guest user, or can be configured so that a single guest pass can be shared by multiple users.
  • Page 330 • Key: Leave as is if you want to use the random key that ZoneDirector generated. If you want to use a key that is easy to remember, delete the random key, and then type a custom key. For example, if ZoneDirector Ruckus Wireless, Inc.
  • Page 331 Working with Guest Passes Generating and Delivering a Single Guest Pass generated the random key OVEGS-RZKKF, you can change it to joe-guest-key. Customized keys must be between one and 16 ASCII characters. NOTE: Each guest pass key must be unique and is distributed on all guest WLANs. Therefore, you cannot create the same guest pass for use on multiple WLANs.
  • Page 332 Working with Guest Passes Generating and Delivering a Single Guest Pass Figure 178. The Guest Pass Generated page Figure 179. Sample guest pass printout Ruckus Wireless, Inc.
  • Page 333: Generating And Printing Multiple Guest Passes At Once

    Working with Guest Passes Generating and Printing Multiple Guest Passes at Once Generating and Printing Multiple Guest Passes at Once You can provide the following instructions to users with guest pass generation privileges. NOTE: The following procedure will guide you through generating and printing multiple guest passes.
  • Page 334 If you did not create custom guest pass printouts, select Default. 9 Print the instructions for a single guest pass or print all of them. • To print instructions for all guest passes, click Print All Instructions. Ruckus Wireless, Inc.
  • Page 335: Monitoring Generated Guest Passes

    Working with Guest Passes Monitoring Generated Guest Passes • To print instructions for a single guest pass, click the Print link that is in the same row as the guest pass for which you want to print instructions. A new browser page appears and displays the guest pass instructions. At the same time, the Print dialog box appears.
  • Page 336: Customizing The Guest Login Page

    (ZoneDirector will notify you if the file is too large.) 4 Scroll down to the Guest Access Customization section. 5 (Optional) Delete the text in the Title field and type a short descriptive title or “welcome” message. 6 Click OK to save your settings. Ruckus Wireless, Inc.
  • Page 337: Creating A Custom Guest Pass Printout

    Working with Guest Passes Creating a Custom Guest Pass Printout Figure 182. The Guest Access Customization options Creating a Custom Guest Pass Printout The guest pass printout is a printable HTML page that contains instructions for the guest pass user on how to connect to the wireless network successfully. The authenticated user who is generating the guest pass will need to print out this HTML page and provide it to the guest pass user.
  • Page 338 {GP_IF_EFFECTIVE_FROM_CREATION_TIME}: If you set the validity period of guest passes to Effective from the creation time (in the Guest Pass Generation section), this token shows when the guest pass was created and when it will expire.
  • Page 339: Delivering Guest Passes Via Email

    Working with Guest Passes Delivering Guest Passes via Email Token: {GP_ELSEIF_EFFECTIVE_FROM_FIRST_USE}. Description: If you set the validity period of guest passes to Effective from first use (in the Guest Pass Generation section), this token shows the number of days during which the guest pass will be valid after activation.
  • Page 340: Delivering Guest Passes Via Sms

    To customize the content of the SMS message used to deliver the guest pass code, use the following procedure: 1 On the Configure > Guest Access page, locate the Customize the SMS Content section. 2 Customize the message in the text box and click Apply to save your changes. Ruckus Wireless, Inc.
  • Page 341 Working with Guest Passes Delivering Guest Passes via SMS Figure 184. Customize the SMS content ZoneDirector 9.8 User Guide, 800-70599-001 Rev B...
  • Page 343: Deploying A Smart Mesh Network

    Deploying a Smart Mesh Network In this chapter: • Overview of Smart Mesh Networking • Smart Mesh Networking Terms • Supported Mesh Topologies • Deploying a Wireless Mesh via ZoneDirector • Understanding Mesh-related AP Statuses • Using the ZoneFlex LEDs to Determine the Mesh Status •...
  • Page 344: Overview Of Smart Mesh Networking

    A Smart Mesh network is a peer-to-peer, multi-hop wireless network wherein participant nodes cooperate to route packets. In a Ruckus wireless mesh network, the routing nodes (that is, the Ruckus Wireless APs forming the network), or “mesh nodes,” form the network's backbone. Clients (for example, laptops and other mobile devices) connect to the mesh nodes and use the backbone to communicate with one another, and, if permitted, with nodes on the Internet.
  • Page 345: Supported Mesh Topologies

    Supported Mesh Topologies Standard Topology Term: Definition. Mesh AP (MAP): A mesh node that communicates with ZoneDirector through its wireless interface. Ethernet-Linked Mesh AP (eMAP): An eMAP is a mesh node that is connected to its uplink AP through a wired Ethernet cable, rather than wirelessly. eMAP nodes are used to bridge wireless LAN segments together.
  • Page 346: Wireless Bridge Topology

    LAN segment, and another isolated wired segment exists that needs to be bridged to the primary LAN segment. You can bridge these two wired LAN segments by forming a wireless mesh link between the two wired segments, as shown in Figure 186 below. Ruckus Wireless, Inc.
  • Page 347: Hybrid Mesh Topology

    Supported Mesh Topologies Hybrid Mesh Topology Figure 186. Mesh - wireless bridge topology Hybrid Mesh Topology A third type of network topology can be configured using the Hybrid Mesh concept. Ethernet-connected Mesh APs (eMAP) enable the extension of wireless mesh functionality to a wired LAN segment.
  • Page 348: Deploying A Wireless Mesh Via Zonedirector

    Deploying a wireless mesh via ZoneDirector involves the following steps: • “Step 1: Prepare for Wireless Mesh Deployment” • “Step 2: Enable Mesh Capability on ZoneDirector” • “Step 3: Provision and Deploy Mesh Nodes” • “Step 4: Verify That the Wireless Mesh Network Is Up” Ruckus Wireless, Inc.
  • Page 349: Step 1: Prepare For Wireless Mesh Deployment

    Step 1: Prepare for Wireless Mesh Deployment Step 1: Prepare for Wireless Mesh Deployment Before starting with your wireless mesh deployment, Ruckus Wireless recommends performing a number of tasks that can help ensure a smooth deployment. • Ensure that the APs that will form the mesh are of the same radio type.
  • Page 350 6 In Mesh Passphrase, type a passphrase that contains at least 12 characters. This passphrase will be used by ZoneDirector to secure the traffic between Mesh APs. Alternatively, click Generate to generate a random passphrase with 32 characters or more. Ruckus Wireless, Inc.
  • Page 351: Step 3: Provision And Deploy Mesh Nodes

    Deploying a Wireless Mesh via ZoneDirector Step 3: Provision and Deploy Mesh Nodes 7 In the Mesh Settings section, click Apply to save your settings and enable Smart Mesh. You have completed enabling mesh capability on ZoneDirector. You can now start provisioning and deploying the APs that you want to be part of your wireless mesh network.
  • Page 352: Step 4: Verify That The Wireless Mesh Network Is Up

    View on the menu. The Map View appears and shows the mesh nodes that are currently active. (See Importing a Map View Floorplan Image for instructions on importing a map.) 2 Check if all the mesh nodes that you have provisioned and deployed appear on the Map View. Ruckus Wireless, Inc.
  • Page 353 Deploying a Wireless Mesh via ZoneDirector Step 4: Verify That the Wireless Mesh Network Is Up 3 Verify that a mesh network has been formed by checking if dotted lines appear between the mesh nodes. These dotted lines identify the neighbor relationships that have been established in the current mesh network.
  • Page 354: Understanding Mesh-Related Ap Statuses

    • The AP may be configured ZoneDirector mesh incorrectly. Verify that the mesh SSID and passphrase configured on the AP are correct. • If Uplink Selection is set to Manual, the uplink AP specified for this AP may be off or unavailable. Ruckus Wireless, Inc.
  • Page 355: Using The Zoneflex Leds To Determine The Mesh Status

    Using the ZoneFlex LEDs to Determine the Mesh Status On Single-band ZoneFlex APs Using the ZoneFlex LEDs to Determine the Mesh Status In addition to checking the mesh status of ZoneFlex APs from the ZoneDirector web interface, you can also check the LEDs on the APs. The LED behaviors that indicate the AP's mesh status vary depending on whether the AP is a single-band or a dual-band model.
  • Page 356: On Dual-Band Zoneflex Aps

    • This is a Mesh AP, and; • The Root AP signal is fair Slow blinking green • This is a Mesh AP that is currently searching for a Root AP, or; • This AP is currently searching for ZoneDirector Ruckus Wireless, Inc.
  • Page 357: Using Action Icons To Configure And Troubleshoot Aps In A Mesh

    Using Action Icons to Configure and Troubleshoot APs in a Mesh On Dual-band ZoneFlex APs Indoor Dual Band APs On dual band ZoneFlex indoor APs, the 5G LED indicates the AP's mesh status. See the table below for more information. LED Color/Behavior Root AP / eMAP Mesh AP...
  • Page 358: Setting Mesh Uplinks Manually

    Smart Uplink Selection and manually set the mesh nodes to which an AP can connect. Note that in most situations, Ruckus Wireless recommends against manually changing the roles of APs in a mesh, because it can result in isolated Mesh APs.
  • Page 359 Setting Mesh Uplinks Manually On Dual-band ZoneFlex APs Figure 190. Setting Uplink Selection to Manual NOTE: Do not manually set a Mesh AP as a Root AP. Only APs that are connected to ZoneDirector via Ethernet (and on the same LAN segment) should be configured as Root APs.
  • Page 360: Troubleshooting Isolated Mesh Aps

    15 minutes as the mesh network stabilizes. If there is a significant number of APs on the network, it might take longer for the AP to resolve this. Ruckus Wireless, Inc.
  • Page 361: Recovering An Isolated Mesh Ap

    No APs with matching radio type The AP is unable to find an uplink AP with the same radio type. Ruckus Wireless Smart Mesh APs must use the same radio type to be able to connect to each other via the mesh network. For example, an 802.11n Mesh AP will only connect...
  • Page 362 Therefore you will need to proceed to the next step and connect to the AP’s CLI to make changes. Step 4: Connect to the AP and update its Mesh settings 1 Launch your SSH client and enter the IP address 169.254.1.1. Ruckus Wireless, Inc.
  • Page 363: Best Practices And Recommendations

    Best Practices and Recommendations Recovering an Isolated Mesh AP 2 Log into the AP via SSH using the same user name and password that you use to log into the ZoneDirector web interface. 3 Enter the command set meshcfg ssid <current_ssid>, where current_ssid is the SSID that the mesh network is currently using.
  • Page 365: Setting Administrator Preferences

    Setting Administrator Preferences In this chapter: • Changing the ZoneDirector Administrator User Name and Password • Changing the Web Interface Display Language • Upgrading ZoneDirector and ZoneFlex APs • Working with Backup Files • Restoring ZoneDirector to Default Factory Settings •...
  • Page 366: Changing The Zonedirector Administrator User Name And Password

    (used solely to log into ZoneDirector via the web interface). • Password/Confirm Password: Delete the text in both fields and type the same text for a new password. 3 Click Apply to save your settings. The changes go into effect immediately. Ruckus Wireless, Inc.
  • Page 367: Setting Administrator Login Session Timeout

    Changing the Web Interface Display Language Setting Administrator Login Session Timeout Figure 192. The Preferences page Setting Administrator Login Session Timeout By default, administrators logged into the web interface are automatically logged out after 30 minutes of inactivity. This timeout can be configured with a value between 1 and 1440 minutes (24 hours).
  • Page 368: Upgrading Zonedirector And Zoneflex Aps

    3 Click Apply to save your settings. The changes go into effect immediately. Upgrading ZoneDirector and ZoneFlex APs Check the Ruckus Wireless Support web site on a regular basis for updates that can be applied to your Ruckus Wireless network devices — to ZoneDirector and all your ZoneFlex APs.
  • Page 369: Performing An Upgrade With Smart Redundancy

    Upgrading ZoneDirector and ZoneFlex APs Performing an Upgrade with Smart Redundancy NOTE: The full network upgrade is successive in sequence. After ZoneDirector is upgraded, it will contact each active AP, upgrade it, and then restore it to service. NOTE: The AP uses FTP to download firmware updates from ZoneDirector. If you have an access control list (ACL) or firewall between ZoneDirector and the AP, make sure that FTP traffic is allowed to ensure that the AP can successfully download the firmware update.
  • Page 370: Working With Backup Files

    9 Each AP reboots after upgrading. Working with Backup Files After you have set up and configured your Ruckus wireless network, you may want to back up the full configuration. The resulting archive can be used to restore your ZoneDirector and network. And, whenever you make additions or changes to the setup, you can create new backup files at that time, too.
  • Page 371: Restoring Archived Settings To Zonedirector

    Working with Backup Files Restoring Archived Settings to ZoneDirector Figure 194. The Back Up Configuration option Restoring Archived Settings to ZoneDirector NOTE: Restoring a backup file will automatically reboot ZoneDirector and all APs that are currently associated with it. Users associated with these APs will be temporarily disconnected;...
  • Page 372 When the restore process is complete, ZoneDirector automatically restarts and your wireless network will be ready for use again. Figure 195. Select the restore level for restoring from a backup file Ruckus Wireless, Inc.
  • Page 373 You can also restore previously saved access point configurations from a backup file without restoring any other ZoneDirector configuration settings. This feature can be useful in deploying N+1 redundancy. For example, if three ZoneDirector 1100 controllers are deployed in different locations and with one ZoneDirector 3000 serving as a backup, you can use this feature to export AP lists from the three ZD1100s and import them one by one into the ZD3000.
  • Page 374: Restoring Zonedirector To Default Factory Settings

    In this case, the system can be discovered by a UPnP client application, such as Windows “My Network Places.” If there is no DHCP server on the connected network, the system's default IP address is 192.168.0.2 with subnet mask 255.255.255.0. Ruckus Wireless, Inc.
  • Page 375: Alternate Factory Default Reset Method

    Restoring ZoneDirector to Default Factory Settings Alternate Factory Default Reset Method NOTE: A complete set of instructions is available in the ZoneDirector Quick Start Guide (QSG). Before restoring ZoneDirector to factory default settings, you should open and print out the QSG pages. You can follow those instructions to set up ZoneDirector after restoring factory defaults.
  • Page 376: Working With Ssl Certificates

    (CSR) file and send it to a certificate authority (CA) to purchase an SSL certificate. The ZoneDirector web interface provides a form that you can use to create the CSR file. Fields with an asterisk (*) are required entries. Those without an asterisk are optional. Ruckus Wireless, Inc.
  • Page 377 “ZoneDirector”). NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if possible. If your network does not have a DNS server, you may use ZoneDirector’s IP address instead. However, note that some CAs may not allow this.
  • Page 378 After the certificate authority approves your CSR, you will receive the SSL certificate via email. The following is an example of a signed certificate that you will receive from a certificate authority: -----BEGIN CERTIFICATE----- Ruckus Wireless, Inc.
  • Page 379: Importing An Ssl Certificate

    Working with SSL Certificates Importing an SSL Certificate -----END CERTIFICATE----- 7 Copy the content of the signed certificate, and then paste it into a text file. Save the file.
  • Page 380 ZoneDirector certificate file. Then, you just need to import a single file. The intermediate certificate(s) will be imported automatically. In this case, you will see multiple ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- pairs in the file.
  • Page 381: Ssl Certificate Advanced Options

    Working with SSL Certificates SSL Certificate Advanced Options Figure 200. Importing a signed certificate (continued) SSL Certificate Advanced Options The Advanced Options section allows you to perform additional certificate management functions. These include the following: • Restore the factory default certificate and private key. This deletes any certificate and private key that was imported.
  • Page 382 Redundant configuration with Guest Access, Web Portal and Hotspot captive portals, use the following wildcard certificate procedure: 1 Purchase or generate a self-signed wildcard certificate such as *.acompany.com and install it on both ZoneDirectors in the Smart Redundant pair. Ruckus Wireless, Inc.
  • Page 383: Using An External Server For Administrator Authentication

    Using an External Server for Administrator Authentication SSL Certificate Advanced Options 2 In DNS, add 3 host/IP entries similar to the following • management.acompany.com; 192.168.0.100: This is the FQDN you wish to use for reaching the shared virtual management interface and is mapped to its configured IP address.
  • Page 384 Using an External Server for Administrator Authentication SSL Certificate Advanced Options • Ruckus Wireless private attribute Vendor ID: 25053 Vendor Type/Attribute Number: 1 (Ruckus-User-Groups) Value Format: group_attr1,group_attr2,group_attr3,... • Cisco private attribute (if your network is using a Cisco access control server)
  • Page 385: Upgrading The License

    Server} with {Role}). Upgrading the License Depending on the number of Ruckus Wireless APs you need to manage with your ZoneDirector, you may need to upgrade your license as your network expands. Contact your authorized Ruckus Wireless reseller to purchase an upgrade license.
  • Page 386: Upgrading The License With Smart Redundancy

    Ruckus reseller to purchase a new support entitlement. This file will be delivered via email, after which you can import the new entitlement file into your ZoneDirector. To import a new Support entitlement file: 1 Go to Administer > Support. Ruckus Wireless, Inc.
  • Page 387 Support Entitlement Upgrading the License with Smart Redundancy 2 In the Support Service section, click Choose File to import a new support upgrade file. 3 Once the new support entitlement is applied, click Check Entitlement to display the entitlement status, service purchased, serial number, start date, end date and AP numbers allowed by the new entitlement.
  • Page 389: Troubleshooting

    Troubleshooting In this chapter: • Troubleshooting Failed User Logins • Fixing User Connections • Measuring Wireless Network Throughput with SpeedFlex • Diagnosing Poor Network Performance • Starting a Radio Frequency Scan • Using the Ping and Traceroute Tools • Viewing Current System and AP Logs •...
  • Page 390: Troubleshooting Failed User Logins

    • Create an additional WLAN for non-standard client connections, then create a Role that refers to this WLAN, and assign that role to the relevant user accounts. • Enter the WEP key in the network configuration on the client device. Ruckus Wireless, Inc.
  • Page 391: Fixing User Connections

    Fixing User Connections Fixing User Connections If any of your users report problematic connections to the WLAN, the following debugging technique may prove helpful. Basically, you will be deleting that user's client from the Active Clients table in the Ruckus ZoneDirector, and when their client connection automatically renews itself, any previous problems will hopefully be resolved.
  • Page 392: If Wlan Connection Problems Persist

    For example, SpeedFlex may be inaccessible to users at http://{zonedirector-ip-address}/perf or SpeedFlex may prompt you to install the SpeedFlex application on the target client, even when it is already installed. Ruckus Wireless, Inc.
  • Page 393 Measuring Wireless Network Throughput with SpeedFlex If WLAN Connection Problems Persist NOTE: The following procedure describes how to run SpeedFlex from the ZoneDirector web interface to measure a wireless client’s throughput. For instructions on how to run SpeedFlex from a wireless client (for users), refer to Allowing Users to Measure Their Own Wireless Throughput.
  • Page 394 10-30 seconds. If you are testing both Downlink and Uplink options, the two tests take about one minute to complete. When the tests are complete, the results appear below the Start button. Downlink and uplink throughput results are displayed along with packet loss percentages. Figure 205. The SpeedFlex interface Ruckus Wireless, Inc.
  • Page 395 Figure 206. Click the download link for the target client’s operating system Figure 207. A progress bar appears as SpeedFlex measures the wireless throughput
  • Page 396: Using Speedflex In A Multi-Hop Smart Mesh Network

    4 Select Uplink, Downlink or both (default is both), and click Start to begin. Note that multi-hop SpeedFlex takes considerably longer to complete than a single hop. If you want to complete the test faster, deselect either Uplink or Downlink and test one direction at a time.
  • Page 397 Figure 209. Running Multi-Hop SpeedFlex in a mesh tree Figure 210. Multi-Hop SpeedFlex test results
  • Page 398: Allowing Users To Measure Their Own Wireless Throughput

    How to Measure the Speed of Your Wireless Connection The following instructions describe how you can use SpeedFlex, a wireless performance test tool from Ruckus Wireless, to measure the speed of your wireless connection to your access point. 1 Make sure that your wireless device is connected only to the wireless network.
  • Page 399: Diagnosing Poor Network Performance

    This indicates that SpeedFlex was successfully started. Keep the command prompt window open. 7 On the SpeedFlex Wireless Performance Test interface, click the Start button again. A progress bar appears below the speedometer as the tool generates traffic to measure the downlink throughput from the AP to the client.
  • Page 400: Using The Ping And Traceroute Tools

    UI. The Ping and Traceroute tools can be accessed from anywhere in the UI that you see the icon. For example, from the Dashboard, if the “Currently Managed APs” widget is open, click the icon next to an AP to launch the troubleshooting window.
  • Page 401 Figure 212. Launching the Ping/Traceroute Troubleshooting window from the Dashboard The Network Connectivity window opens. Click Ping to ping the IP address or Trace Route to diagnose the number of hops to the IP address. Figure 213.
  • Page 402: Generating A Debug File

    After the file is saved, you can email it to the technical support representative. NOTE: The debug (or diagnostics) file is encrypted and only Ruckus Wireless support representatives have the proper tools to decrypt this file. Viewing Current System and AP Logs You can display a list of recent ZoneDirector or AP activity logs from the ZoneDirector web interface.
  • Page 403 1 Go to Administer > Diagnostics, and locate the AP Logs section. 2 Click the “Click Here” link next to “To show current AP logs...”. The log data is displayed in the text box beneath the link.
  • Page 404: Packet Capture And Analysis

    The local capture mode stores packet data from a single capture session in two files using a “ping-pong” method. On 11n APs, each file holds 2 MB of packet data. On 11g APs, each file holds 1 MB. Whenever one file reaches its limit, the other file is
  • Page 405: Local Capture

    cleared and begins filling. Due to memory limitations, the capture files are cleared after they are retrieved by the Save command and before each new capture session, and they are not retained on the AP between reboots. In streaming capture mode, packet data from the 2.4 GHz and 5 GHz radios are available simultaneously on AP interfaces wlan100 and wlan101, respectively.
  • Page 406 Using Ruckus Custom Indicators Packets captured on Ruckus APs include some information that is not available when capturing from other Wi-Fi devices. This additional information is stored in the Per-Packet Information (PPI) header that precedes the over-the-air content.
  • Page 407 1 The PPI:802.11-Common Header antenna signal and antenna noise fields of packets transmitted by the AP contain the next-to-lowest byte and the lowest byte, respectively, of the antenna pattern used to transmit the packet. On some APs, the pattern value may contain more significant bits, which are not stored in this header.
  • Page 408: Importing A Script

    The Status column now displays “Disconnected” along with the date and time when ZoneDirector last communicated with the AP. After restart is complete and the Ruckus ZoneDirector detects the active AP, the status will be returned to “Connected.”
  • Page 409: Restarting Zonedirector

    “Restarting an Access Point”.) NOTE: If you have made any configuration changes, Ruckus Wireless recommends shutting down ZoneDirector to ensure that all configuration changes are saved and remain after reboot. Performing a Restart may cause ZoneDirector to lose configuration changes if you forgot to click Apply after making changes and navigate away from a configuration page, for example.
  • Page 411: Smart Mesh Networking Best Practices

    Smart Mesh Networking Best Practices In this chapter: • Choosing the Right AP Model for Your Mesh Network • Calculating the Number of APs Required • Placement and Layout Considerations • Signal Quality Verification • Mounting and Orientation of APs •...
  • Page 412: Choosing The Right Ap Model For Your Mesh Network

    In other words, if the network is designed to support 10Mbps, it would support 1 user at 10Mbps, or 10 users at 1Mbps each. In reality, due to statistical multiplexing (just like the phone system -
  • Page 413: Placement And Layout Considerations

    the fact that not all users are using the network concurrently), if you use an oversubscription ratio of 4:1, such a network could actually support 40 users at 1Mbps. In a Smart Mesh network, the Root AP (RAP) has all its wireless bandwidth available for downlink, because the uplink is wired.
  • Page 414: Signal Quality Verification

    • If the customer's network utilizes a wireless backhaul technology for broadband access, it is recommended to not mount the broadband wireless modem right next to a Ruckus Wireless AP. A distance of 10 feet or more would be desirable. Signal Quality Verification The above guidelines for planning will result in a well-designed mesh.
  • Page 415 • Ensure Signal >= 25%: The Signal value under Neighbor APs that shows “Connected” should be 25% or better. If it is lower, you need to bring the AP closer, or move it to avoid an obstruction, such that the Signal value becomes 25% or better.
  • Page 416: Mounting And Orientation Of Aps

    ZoneFlex APs are very tolerant to a variety of mounting and orientation options due to Ruckus Wireless' use of its unique BeamFlex technology, in which the RF signal is dynamically concentrated and focused towards the other end of the RF link.
  • Page 417: Indoor Aps - Vertical Orientation

    A less typical vertical orientation may be used in certain cases where it is not possible for mechanical or aesthetic reasons to use the typical horizontal orientation. In such cases, indoor APs may also be wall mounted vertically.
  • Page 418: Outdoor Aps - Typical Horizontal Orientation

    RAPs and MAPs are at ceiling height (standard 15-foot ceiling), then you would not want to mount the outdoor MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the same elevation from the ground.
  • Page 419: Best Practice Checklist

    Following the mesh best practices will ensure that your mesh is well-designed and has the capacity and reliability required for your enterprise applications. The best practices are summarized below as a checklist for quick review. 1 Do not mix single band with dual band APs in your mesh.
  • Page 430 Copyright © 2006-2014. Ruckus Wireless, Inc. 350 West Java Dr. Sunnyvale, CA 94089. USA www.ruckuswireless.com...

This manual is also suitable for:

ZoneDirector 3000, ZoneDirector 5000
