manualshive.com logo in svg

Ruckus Wireless ZoneDirector 1200, User Manual

Share
Download
Ruckus Wireless ZoneDirector 1200 User Manual Download Page 124

Report only malicious rogue devices of type

: Select which event types to

report.

Protect the network from malicious rogue access points

: Enable this feature

to automatically protect your network from network connected rogue APs,
SSID-spoofing APs and MAC-spoofing APs. When one of these rogue APs is
detected (and this check box is enabled), the Ruckus AP automatically begins
sending broadcast de-authentication messages spoofing the rogue’s BSSID
(MAC) to prevent wireless clients from connecting to the malicious rogue AP. This
option is disabled by default.

3.

Click the 

Apply

 button in the same section to save your changes.

Figure 81: Intrusion Prevention option

See 

Detecting Rogue Access Points

 on page 292 for more information on monitoring

and handling rogue devices.

Rogue DHCP Server Detection

A rogue DHCP server is a DHCP server that is not under the control of network
administrators and is therefore unauthorized.

When a rogue DHCP server is introduced to the network, it could start assigning invalid
IP addresses, disrupting network connections or preventing client devices from accessing
network services. It could also be used by hackers to compromise network security.
Typically, rogue DHCP servers are network devices (such as routers) with built-in DHCP
server capability that has been enabled (often, unknowingly) by users. ZoneDirector has
a rogue DHCP server detection feature that can help you prevent connectivity and security
issues that rogue DHCP servers may cause. When this feature is enabled, ZoneDirector
scans the network every five seconds for unauthorized DHCP servers and generates an
event every time it detects a rogue DHCP server.

Ruckus Wireless ZoneDirector™ Release 10.0 User Guide

124

Configuring Security and Other Services

Configuring Wireless Intrusion Prevention

Summary of Contents for ZoneDirector 1200

Page 1: ...Ruckus Wireless ZoneDirector Release 10 0 User Guide Part Number 800 71463 001 Rev A Published 02 May 2017 www ruckuswireless com...

Page 2: ...LICENSORS MAKE NO WARRANTY OF ANY KIND EXPRESS OR IMPLIED WITH REGARD TO THE MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY NON INFRINGEMENT AND FITNESS FOR A PARTICUL...

Page 3: ...w to Ensure that APs Can Discover ZoneDirector on the Network 27 Firewall Ports that Must be Open for ZoneDirector Communications 35 Accessing ZoneDirector s Command Line Interface 36 Using the ZoneDi...

Page 4: ...Systems 65 Enabling SmartCell Insight Communication 65 Enabling Management via FlexMaster 66 Enabling Northbound Portal Interface Support 68 Configuring SNMP Support 69 Enabling Telnet 75 4 Configurin...

Page 5: ...128 Bridge Service Records 128 Creating a Bonjour Gateway Rule ZD Site 129 Creating a Bonjour Gateway Rule AP Site 131 Applying a Bonjour Policy to an AP 132 Example Network Setup 133 Bonjour Fencing...

Page 6: ...rvice Provider Profile 185 Create an Operator Profile 186 Create a Hotspot 2 0 WLAN 188 Bypass Apple CNA 189 Customizing the Web Portal Logo 190 6 Managing Access Points Adding New Access Points to th...

Page 7: ...or 228 Internal User Database 228 Managing Current User Accounts 229 Changing an Existing User Account 229 Deleting a User Record 230 Creating New User Roles 230 Role Based Access Control Policy 231 M...

Page 8: ...nitoring Location Services 290 Monitoring Mesh Status 291 Real Time Monitoring 291 Real Time Monitoring Widgets 292 Detecting Rogue Access Points 292 Monitoring System Information 295 Monitoring Syste...

Page 9: ...efault Factory Settings 321 Alternate Factory Default Reset Method 323 Upgrading ZoneDirector and ZoneFlex APs 323 Importing an AP Firmware Patch 324 Enabling Secure AP Image Upgrade 325 Performing an...

Page 10: ...g ZoneDirector 353 13 Mesh Networking Best Practices Calculating the Number of APs Required 355 Placement and Layout Considerations 355 Signal Quality Verification 356 Mounting and Orientation of APs...

Page 11: ...vised that the ZoneDirector will periodically connect to Ruckus and Ruckus will collect the ZoneDirector serial number software version and build number Ruckus will transmit a file back to the ZoneDir...

Page 12: ...interface and is searchable Command Line Reference Guide Provides a list of CLI commands their usage syntax and examples SNMP Reference Guide Provides a list of supported Simple Network Management Pr...

Page 13: ...including free introductory courses to wireless networking essentials site surveys and Ruckus Wireless products visit the Ruckus Wireless Training Portal at https training ruckuswireless com 13 Ruckus...

Page 14: ...Ruckus Wireless ZoneDirector Release 10 0 User Guide 14 About This Guide Online Training Resources...

Page 15: ...highly configurable guest access features and advanced security features within a single system User authentication can be accomplished using an internal user database or forwarded to an external Aut...

Page 16: ...oneDirector to factory default settings press and hold the F D button for at least five 5 seconds For more information refer to Alternate Factory Default Reset Method on page 323 NOTE Resetting ZoneDi...

Page 17: ...arting up or shutting down Flashing Red The port is connected to a device Solid Green or Amber Ethernet Link The port is transmitting or receiving traffic Flashing Green or Amber The port has no netwo...

Page 18: ...wo seconds Reset For Ruckus Wireless Support use only USB RJ 45 port for accessing the ZoneDirector command line interface Console Two auto negotiating 10 100 1000Mbps Ethernet ports 10 100 1000 Ether...

Page 19: ...nected or is not receiving a link signal Off The port is connected to a 1000Mbps device Amber Ethernet Rate The port is connected to a 100Mbps device Green The port is connected to a 10Mbps device Off...

Page 20: ...l lock to remove the front bezel and gain access to the hard drive bays Front Bezel Lock Front Panel Bezel Removed Figure 4 ZoneDirector 5000 front panel bezel removed Table 8 ZoneDirector front panel...

Page 21: ...nitions Table 3 Fan status LED 4 Critical alarm not used 5 MJR alarm not used 6 NMI pin hole button factory reset button 7 Chassis ID button 8 NIC 1 NIC 2 activity LED 9 HDD activity LED not used 10 P...

Page 22: ...power source detected 3 More than one fan failure detected Amber On Non critical alarm Amber Blinking Rear Panel Features Figure 6 ZoneDirector 5000 rear panel features Table 11 Rear panel features Fe...

Page 23: ...IT refers to ZoneDirector s simple setup and ease of use features which allow end users to automatically self configure wireless settings on Windows and Mac OS clients as well as many mobile devices...

Page 24: ...overy in the Network and Sharing Center Advanced Sharing Settings 2 Double click the ZoneDirector icon when UPnP displays it or 3 Point your web browser to ZoneDirector s IP address default 192 168 0...

Page 25: ...ed to obtain IP addresses from a DHCP server If APs are assigned static IP addresses they must be using a local DNS server that you can configure to resolve the ZoneDirector IP address using zonedirec...

Page 26: ...he same time and waits for a response from any ZoneDirector that can respond The AP may receive multiple responses from DHCP and DNS if multiple ZoneDirector IP addresses have been configured on the D...

Page 27: ...subnet as ZoneDirector before moving the AP to another subnet To do this connect the AP to the same network as ZoneDirector When the AP starts up it will discover and attempt to register with ZoneDir...

Page 28: ...ma separated IP address strings for discovering ZoneDirectors and also TLV based option 43 encapsulation as specified in RFC 2132 For ZoneDirector information sub option code 03 Type 0x03 Length Count...

Page 29: ...ts 1 In the Server Manager window right click the IPv4 icon and choose Define Vendor Classes from the menu 2 In the DHCP Vendor Classes dialogue click Add to create a new vendor class 3 Enter the valu...

Page 30: ...nterface eth1 AdvSendAdvert on AdvOtherConfigFlag on prefix 2001 db8 0 2 64 4 Edit the dhcp6 conf file as follows default lease time 600 max lease time 7200 log facility local7 subnet6 2001 db8 0 2 64...

Page 31: ...the correct IP info through DHCPv6 option 17 you can check the tmp dhcp6_vendor_opts file Use the following command on the AP CLI cat tmp dhcp6_vendor_opts code3 2001 1920 1cf 3 2001 1920 1cf 4 end c...

Page 32: ...NOTE The following procedures describe how to customize a DHCP server running on Microsoft Windows Server If your DHCP server is running on a different operating system the procedure may be different...

Page 33: ...click Configure Options The tab of the Scope Options dialog box appears 4 Under Available Options look for the 6 DNS Servers check box and then select it 5 In the IP address box under Data Entry type...

Page 34: ...rmation on configuring the built in DNS server on Windows is available at http support microsoft com kb 814591 NOTE If your DNS server prompts you for the corresponding host name for each ZoneDirector...

Page 35: ...irmware upgrade TCP destination port as specified in FM Inventory Device Web Port Number Mapping FlexMaster ZoneDirector management interface TCP destination port 22 SSH ZoneDirector CLI access TCP de...

Page 36: ...and secondary ZD IPs An active ZoneDirector behind NAT will be unable to perform upgrades to the standby ZoneDirector on the other side of the NAT device Accessing ZoneDirector s Command Line Interfa...

Page 37: ...information on using the CLI see the Ruckus Wireless ZoneDirector Command Line Interface Reference Guide available from http support ruckuswireless com Using the ZoneDirector Web Interface The ZoneDir...

Page 38: ...mmary of the total number of WLANs APs and clients currently connected above the map view The map view itself provides a geographical view of the placement of APs if map coordinates are configured and...

Page 39: ...ector 1 Go to Administer Registration 2 Enter your contact information on the Registration page and click Apply 3 The information is sent to a CSV file that opens in a spreadsheet program if you have...

Page 40: ...Figure 14 The Product Registration page Your ZoneDirector is now registered with Ruckus Wireless...

Page 41: ...ognizable system name for ZoneDirector If needed you can change that name by following these steps 1 Go to Configure System 2 In System Name under Identity delete the text and then type a new name The...

Page 42: ...ess in your web browser or use the UPnP application to rediscover ZoneDirector IPv6 Configuration ZoneDirector supports IPv6 and dual IPv4 IPv6 operation modes If both IPv4 and IPv6 are used ZoneDirec...

Page 43: ...HCPv6 vendor specific options Aeroscout RFID tag detection SSL certificate generation UPnP remote access to ZD and L2TP and WISPr in standalone APs are not supported when in IPv6 mode Figure 16 Enabli...

Page 44: ...ment interface with a different gateway from the gateway configured under Device IP Settings select Default gateway is connected with this interface and enter the gateway IP address in the field provi...

Page 45: ...l gateway 1 Go to Configure System and locate the Static Route section 2 Click Create New to create a new static route 3 Enter a Name for this access route 4 Enter a Subnet in the format A B C D M whe...

Page 46: ...by state If the active ZoneDirector fails the standby device becomes active When the original active device recovers it automatically assumes the standby state as it discovers an already active ZoneDi...

Page 47: ...address Configuring ZoneDirector for Smart Redundancy For management convenience both ZoneDirectors in a Smart Redundancy deployment can be managed via a single shared IP address In this situation thr...

Page 48: ...empt to discover its peer on the network 9 If discovery is successful the details of the peer device will be displayed to the right 10 If discovery is unsuccessful you will be prompted to retry discov...

Page 49: ...ensed APs the total number of licenses is displayed in the Smart Redundancy dashboard widget in the License Pool entry When one device is disconnected the remaining active ZD will continue to use the...

Page 50: ...nse level only Figure 23 If a third ZD connects with a lower license level than the 2nd disconnected ZD the user can choose to use the original license pool for up to 60 days Table 15 Max AP Licenses...

Page 51: ...DHCP Server section select the Enable DHCP Server check box 3 In Starting IP type the first IP address that the built in DHCP server will allocate to DHCP clients The starting IP address must be on th...

Page 52: ...ses that have been assigned by the DHCP server sentence A table appears and lists all current DHCP clients with their MAC address IP address and the remaining lease time You can clear DHCP leases on Z...

Page 53: ...tor s web interface To restrict access to ZoneDirector s web interface 1 Go to Configure System 2 Locate the Management Access Control section and click the Create New link 3 In the Create New menu th...

Page 54: ...ime 1 Go to Configure System 2 In the System Time features you have the following options Refresh Click this to update the ZoneDirector display a static snapshot from the internal clock Sync Time with...

Page 55: ...cate the Country Code section and choose your location from the pull down menu 3 Click Apply to save your settings Figure 28 The Country Code settings Channel Optimization If your Country Code is set...

Page 56: ...P as its downlink you will need to set the Channel Optimization setting to Optimize for Compatibility This is due to the DFS capable AP s ability to use more channels than the non DFS capable APs whic...

Page 57: ...ing a restricted indoor only channel Changing the System Log Settings ZoneDirector maintains an internal log of current events and alarms This file has a fixed capacity at a certain level ZoneDirector...

Page 58: ...remote syslog server for APs __ IP Address Enabling this feature allows ZoneDirector to supply client association information to a third party application that can then deploy ACL policies to a firew...

Page 59: ...e priority level as follows All Include all syslog messages 0 emerg 1 alert 2 crit 3 err 4 warning 5 notice 6 info 7 debug Lower numbers indicate higher priority The syslog server will only receive lo...

Page 60: ...or All Figure 32 Enable client association logs in syslog for firewall integration The flow of user data from the end point to the firewall will use the following path 1 The user authenticates to an...

Page 61: ...Add operation add seq 1 sta_ip 192 168 120 16 sta_mac 60 36 dd 19 17 ac zd ap 00 0c 29 11 5a 0b 58 93 96 29 4c 60 sta_ostype Windows7 Vista sta_name 60 36 dd 19 17 ac stamgr_handle_remote_ipc Delete o...

Page 62: ...name provided by your ISP or mail administrator This might be just the part of your email address before the symbol or it might be your complete email address If you are using a free email service su...

Page 63: ...rver for 10 seconds If it is unable to connect to the mail server it will stop trying and quit NOTE When the alarm email is first enabled the alarm recipient may receive a flood of alarm notifications...

Page 64: ...configure ZoneDirector to use an existing Twilio or Clickatell account for SMS delivery The first step is to inform ZoneDirector of your Twilio or Clickatell account information 1 Go to Configure Syst...

Page 65: ...ZoneDirector supports several external network management systems including Ruckus Wireless SmartCell Insight FlexMaster server SNMPv2 SNMPv3 and Telnet server These options are configured from the C...

Page 66: ...Enter the SCI login user name used for ZD SCI communications Password Enter the SCI login password used for ZD SCI communications System ID Enter the System ID that you used for the ZD data source on...

Page 67: ...the Enable management by FlexMaster check box 5 In URL type the FlexMaster DNS host name or IP address of the FlexMaster server 6 In Interval type the time interval in minutes at which ZoneDirector w...

Page 68: ...registration account setup or authentication ZoneDirector redirects authentication requests to an outside portal If access is granted ZoneDirector provides a unique dynamic PSK The DPSK can be delive...

Page 69: ...s Both SNMPv2 and SNMPv3 can be enabled at the same time The SNMPv3 framework provides backward compatibility for SNMPv1 and SNMPv2c management applications so that existing management applications ca...

Page 70: ...ick Apply to save your changes Figure 40 Enabling the SNMPv2 agent If your network uses SNMPv3 To enable SNMPv3 management 1 Go to Configure System Scroll down to the bottom of the page and click the...

Page 71: ...and client events that indicate possible network issues To enable SNMP trap notifications 1 In the Network Management section of the Configure System page scroll down to the bottom of the page 2 Under...

Page 72: ...s to the SNMP server that you specified The following table lists the trap notifications that ZoneDirector sends and when they are sent Table 17 Trap notifications Description Trap Name An AP has join...

Page 73: ...contact with ZoneDirector The AP s MAC address is included in the trap notification ruckusZDEventAPLostTrap An AP s heartbeat has been lost The AP s MAC address is included in the trap notification r...

Page 74: ...MAC address AP s MAC address and SSID are included ruckusZDEventClientRoamOut A client has roamed in to an AP The client s MAC address AP s MAC address and SSID are included ruckusZDEventClientRoamIn...

Page 75: ...d state ruckusZDEventSmartRedundancy ActiveDisconnected The standby ZoneDirector has detected its peer and is in standby connected state ruckusZDEventSmartRedundancy StandbyConnected The standby ZoneD...

Page 76: ...4 Click Apply to save your changes Figure 44 Enabling Telnet server...

Page 77: ...are very close to each other The 2 4G and 5G radio bands are considered independently If all conditions are met the AP will reduce its power by half The other AP may or may not necessarily reduce its...

Page 78: ...which scans are run Run a background scan on the 2 4 GHz radio every Select this check box enter the time interval 1 65535 seconds default is 20 that you want to set between each scan Run a backgroun...

Page 79: ...ity every 15 seconds and changes channel when based on historical data a different channel is likely to offer higher capacity than the current channel Each AP makes channel decisions based on this his...

Page 80: ...ChannelFly per band If you have 2 4 GHz clients that do not support 802 11h Ruckus recommends disabling ChannelFly for 2 4 GHz but leaving it enabled for the 5 GHz band To configure the self healing...

Page 81: ...client s signal is so strong that it really belongs on this AP The APs maintain these desired client limits and enforce them once they reach the limits by withholding probe responses and authenticati...

Page 82: ...e This setting affects select outdoor dual band 802 11n AP also only be available if the Country Code settings are configured to allow use of DFS channels see Setting the Country Code on page 55 AeroS...

Page 83: ...to the Ekahau Settings section near the bottom of the page 3 Select the Enable Ekahau tag detection check box 4 Enter the Ekahau Controller IP address and Ekahau Controller Port 5 Click the Apply butt...

Page 84: ...ncrypted tunnel to send them to ZoneDirector Block multicast traffic from network to tunnel Prevents all non well known multicast traffic from propagating on the tunnel Block broadcast traffic from ne...

Page 85: ...ghbor discovery traffic over the air by replacing broadcast messages with unicast messages for known hosts When these packets are received for an unknown host the Packet Inspection Filter supplements...

Page 86: ...d To enable Ethernet Port Redundancy 1 Go to Configure Services 2 Locate the Ethernet Port Redundancy section at the bottom of the page 3 Enable the check box and enter the Up Delay Time and Down Dela...

Page 87: ...ction describes the tasks that you need to perform on ZoneDirector to ensure ZoneDirector can communicate with your AAA server NOTE For specific instructions on AAA server configuration refer to the d...

Page 88: ...ctive Directory server in one of two ways Single Domain Active Directory Authentication Multi Domain Active Directory Authentication Single Domain Active Directory Authentication To enable Active Dire...

Page 89: ...ust support TLS1 0 TLS1 1 TLS1 2 NOTE Note that Secure Active Directory requires the import of a root CA for TLS encryption The import option is provided on the Configure Certificate Advanced Options...

Page 90: ...vell eDirectory Sun JES limited support To configure an LDAP server for user authentication 1 Go to Configure AAA Servers and click Create New under Authentication Accounting Servers The Create New fo...

Page 91: ...If you want to filter more specific settings see Advanced LDAP Filtering on page 91 The Admin account need not have write privileges but must able to read and search all users in the database Figure 5...

Page 92: ...udent and enter student in the Group Attributes field Then you can select which WLANs you want this Role to have access to and decide whether this Role should have Guest Pass generation privileges and...

Page 93: ...port number and Shared Secret of the RADIUS RADIUS Accounting server When an external RADIUS RADIUS Accounting server is used for authentication or accounting user credentials can be entered as a sta...

Page 94: ...oth a primary and backup RADIUS server an additional option will be available in the Test Authentication Settings To configure a backup RADIUS RADIUS Accounting server 1 Click the check box next to En...

Page 95: ...r See Using an External AAA Server on page 87 2 Create a user on the RADIUS server using the MAC address of the client as both the user name and password The MAC address format can be configured in on...

Page 96: ...AC Address Authentication With the 802 1X EAP MAC Address authentication method clients configured with either open or EAP MD5 authentication methods are both supported on the same WLAN The encryption...

Page 97: ...ss request or accounting request messages The RADIUS server in turn sends an access challenge access accept or access reject message in response to an access request and an accounting response message...

Page 98: ...the RADIUS access request packet In the case of a state attribute it indicates that an access request packet is a response to the last received access challenge packet by copying the state AVP unmodi...

Page 99: ...me 7 WISPr Bandwidth Max Up Maximum transmit rate bits second 8 WISPr Bandwidth Max Down Maximum receive rate bits second 25 Class 27 Session timeout 29 Termination action Session timeout event become...

Page 100: ...80 Message Authenticator WISPr Web Auth Guest RADIUS Accounting attributes The following table lists attributes used in RADIUS accounting messages Table 19 RADIUS attributes used in Accounting Attribu...

Page 101: ...ot supplicant restart idle timeout 802 1X MAC Auth Sent from RADIUS server in Accept messages 1 User name 25 Class 85 Acct interim interval 27 Session timeout 29 Termination action Session timeout eve...

Page 102: ...itional attributes supported in WISPr WLANs WISPr vendor specific attributes vendor id 14122 1 WISPr location id 2 WISPr location name WISPr Web Auth Guest Access Configuring Microsoft IAS for PAP Aut...

Page 103: ...e 59 On the Microsoft IAS page right click the user group and select Properties 103 Ruckus Wireless ZoneDirector Release 10 0 User Guide Configuring Security and Other Services Using an External AAA S...

Page 104: ...ent tasks Operator Admin Change settings affecting single AP s only Monitoring Admin Monitoring and viewing operation status only TACACS is an extensible AAA protocol that provides customization and f...

Page 105: ...changes Figure 62 Configuring a TACACS AAA server Once your TACACS server is configured on the AAA Servers page you can select it from the list of servers used to authenticate ZoneDirector administra...

Page 106: ...the Test Against drop down menu 3 In User Name and Password enter an Active Directory LDAP or RADIUS user name and password 4 Click Test If ZoneDirector was able to connect to the authentication serve...

Page 107: ...k Create NewAlternatively you can create a Layer 2 MAC ACL from the WLAN creation page while creating a new WLAN or modifying an existing WLAN Configure WLANs Edit Advanced Options Access Control L2 M...

Page 108: ...efault 7 In Rules click Create New or click Edit to edit an existing rule 8 Define each access policy by configuring a combination of the following Type The access privilege allow or deny that this po...

Page 109: ...ng WLAN Configure WLANs Edit Advanced Options Access Control Precedence Policy Create New 3 Under Rules click Create New to create a new rule for this policy 4 Select an Attribute VLAN or Rate Limitin...

Page 110: ...s precedence over an ACL MAC addresses that are in the deny list are blocked at the AP not at ZoneDirector Temporarily Disconnecting Specific Client Devices Follow these steps to temporarily disconnec...

Page 111: ...these steps to permanently block a client device from WLAN connections 1 Look at the Status column to identify any unauthorized users 2 Click the Block button in the Action column in a specific user r...

Page 112: ...P addresses that are not part of a per WLAN white list You can create exceptions to client isolation such as allowing access to a local printer for example by creating Client Isolation White Lists To...

Page 113: ...ess Client Isolation under Options select the level of client isolation you want to enforce Isolate wireless client traffic from other clients on the same AP Enable client isolation on the same Access...

Page 114: ...limit traffic by application and then apply the policy to WLANs using the WLAN Advanced Options The Application Recognition and Filtering aka Application Recognition and Control or ARC features allow...

Page 115: ...policy s name on the Applications pie charts tables on the Wireless Clients monitoring page Application identification policies are implemented according to the following priority order 1 IP based us...

Page 116: ...hence it has the lowest priority as a means of application identification If for example you configure a port based user defined application for port 80 TCP any such matching wireless traffic not iden...

Page 117: ...h as blocking social media sites The following usage guidelines need to be taken into consideration when defining Application Denial Policies www corporate com This will block access to the host web s...

Page 118: ...ications or to user defined applications Rate Limiting Rate limiting rules can be applied to any of the system defined or user defined applications Set the maximum uplink and downlink rates 0 25 20 Mb...

Page 119: ...Type NOTE When using port based rules There is no distinction between the TCP and UDP protocols so care should be taken if wishing to block a specific application port as that will apply to both IP p...

Page 120: ...the Dashboard To import a floorplan map go to Configure Maps and click Create New Enter a Name for the map and either enter the street Address or GPS coordinates in Latitude and Longitude Next click C...

Page 121: ...ters or feet Figure 78 Create a floorplan map Click Next On the next screen drag APs from the list on the left onto the map to represent their actual physical locations Figure 79 Drag an AP on to the...

Page 122: ...ect my wireless network against excessive wireless requests If this capability is activated excessive 802 11 probe request frames and management frames launched by malicious attackers will be discarde...

Page 123: ...nd other sensitive data Same Network These are rogue access points that are detected by other access points as transmitting traffic on your internal network They are detected by ZoneDirector managed a...

Page 124: ...A rogue DHCP server is a DHCP server that is not under the control of network administrators and is therefore unauthorized When a rogue DHCP server is introduced to the network it could start assignin...

Page 125: ...ion on ZoneDirector enabled by default 1 Go to Configure WIPS 2 In the Rogue DHCP Server Detection section select the Enable rogue DHCP server detection check box 3 Click the Apply button that is in t...

Page 126: ...essages from the DHCP server back to the client The traffic flow is as follows 1 Client sends DHCP discover broadcast 2 AP tunnels this DHCP discover frame to ZoneDirector 3 DHCP Relay Agent sends uni...

Page 127: ...ant to configure 3 Under Advanced Options when Tunnel Mode is enabled the DHCP Relay option becomes available 4 Under DHCP Relay select Enable DHCP relay agent with __ DHCP server and select the serve...

Page 128: ...ction the following network configuration requirements must be met The target networks must be segmented into VLANs VLANs must be mapped to different SSIDs The controller must be connected to a VLAN t...

Page 129: ...ce Apple File Server will have at least one service entry depending on what is enabled mdnsservice name Apple File Sharing id 6 service type _afpovertcp _tcp mdnsservice In heavy use and if using AirP...

Page 130: ...onjour service from the list Selecting Other allows you to create custom rules for example creating a rule for _googlecast _tcp would allow you to bridge Chromecast services across VLANs From VLAN Sel...

Page 131: ...col packets from other VLANs Dynamic VLANs are not supported Some AP models are incompatible with this feature due to memory requirements To configure rules for AP site bridging Bonjour services acros...

Page 132: ...policy To enable Bonjour policy on an AP 1 Go to Configure Access Points 2 Click Edit next to the AP you want to configure 3 In Bonjour Gateway enable the check box and select a Bonjour policy that yo...

Page 133: ...access to all classroom resources Students SSID VLAN 300 Students have a separate SSID with no authentication they must be able to backup their iPads to the classroom iMac but should not have access...

Page 134: ...the following 1 Name Type a name for the policy 2 Description Type a description for the policy 3 Fencing Rule Create the policy rule by configuring the following a Click Create The Create New Fencing...

Page 135: ...onjour Fencing Policy to an AP or AP Group on page 135 Applying a Bonjour Fencing Policy to an AP or AP Group Once you have created a Bonjour Fencing policy you will need to apply the policy to either...

Page 136: ...oup SPoT Location Services To take advantage of Ruckus Wireless SmartPositioning Technology SPoT location services ZoneDirector must be configured with the Venue information that is displayed in the S...

Page 137: ...the SPot Admin Portal nto the four fields provided 7 Click OK to save your changes 8 Go to Configure Access Points and in Access Point Groups click Create New or Edit to configure one or more AP group...

Page 138: ...page Figure 94 Enter the venue information in ZoneDirector s Configure Location Services page For more information on configuration and management of your SPoT Location Services see the SPoT User Guid...

Page 139: ...eed a WLAN that utilizes WEP encryption for wireless devices that only support WEP key encryption To create special WLANs with different settings for specific purposes For example a VoIP WLAN for voic...

Page 140: ...encryption WLANs also known as WPA Personal are the most common type of WLAN and should be the default configuration if there are no special requirements for authentication or encryption The 802 1X EA...

Page 141: ...ew WLAN The individual options are explained in detail in the next section beginning with General Options on page 142 Table 22 Create new WLAN options Description Option Enter WLAN name and descriptio...

Page 142: ...atically removed If a disallowed ASCII character not within the range 32 126 is included an error message will appear In general the WLAN name is the same as the advertised SSID the name of the wirele...

Page 143: ...s WLANs on page 143 Social Media Social Media WLANs require the visitor to log in using a social media account before being allowed Internet access See Social Media WLANs on page 144 Autonomous WLANs...

Page 144: ...and other options using the Facebook WiFi configuration panel For more information see the Facebook Wi Fi Help Center The following caveats and limitations should be considered before deploying a Fac...

Page 145: ...r Social Media login methods you must enter an Application ID and Application Refer to the documentation for the social media website for which you want to provide social media login to obtain this in...

Page 146: ...you have selected a Social Media Login type Figure 97 Click here link from within ZD WLAN creation screen Figure 98 Create new project on Google OAuth Console 2 Once the project has been created go t...

Page 147: ...e project https console developers google com project _ apiui credential 3 The Credentials page appears as shown below Figure 100 Credentials page 4 Click New credentials and select OAuth client ID as...

Page 148: ...p as shown below NOTE If you have imported a certificate with FQDN to ZoneDirector you should use the real FQDN instead of zd ruckuswireless com For example if the FQDN is mydomain com the Authorized...

Page 149: ...shown Figure 103 OAuth Client ID and Client Secret 7 Take note of the Client ID and Client Secret You will need to enter these values into the ZoneDirector web interface 8 Continue to Create an OAuth...

Page 150: ...edIn developer network https www linkedin com developer apps Figure 104 LinkedIn My Applications 2 Click Create application 3 Enter the required application information and click Submit Ruckus Wireles...

Page 151: ...com user auth jsp NOTE If you have imported a certificate with FQDN to ZoneDirector you should use the real FQDN instead of zd ruckuswireless com For example if the FQDN is mydomain com the Authorized...

Page 152: ...to launch Microsoft Live development dashboard and create an application https account live com developers applications index 2 Click Create application NOTE If you have not previously created any pro...

Page 153: ...id redirect callback URL http zd ruckuswireless com user auth jsp NOTE If you have imported a certificate with FQDN to ZoneDirector you should use the real FQDN instead of zd ruckuswireless com For ex...

Page 154: ...provide you Client ID and Client secret Take note of these values as you will need to enter them into the ZoneDirector web interface later Ruckus Wireless ZoneDirector Release 10 0 User Guide 154 Mana...

Page 155: ...for example Google OAuth 2 0 4 Input the Client ID and Client Secret 5 Click OK to save your changes Figure 111 Creating an OAuth 2 0 Social Media WLAN on ZoneDirector User Login to Social Media WLAN...

Page 156: ...will only be displayed once the first time the user logs in unless the user revokes the relationship from the Google account management center 5 Click Accept ZoneDirector immediately sets the user to...

Page 157: ...is way clients that support the 11r standard including iOS devices can achieve significantly faster roaming between APs Encryption Options Encryption choices include WPA2 WPA Mixed WEP 64 WEP 128 and...

Page 158: ...6 characters in length Alternatively click Generate to have ZoneDirector automatically generate a WEP key Passphrase WPA PSK methods only Click in this field and type the text of the passphrase used f...

Page 159: ...eate New button to create a new AAA server object from within the WLAN configuration screen Figure 114 Click Create New to create a new AAA server A popup window appears in which you can configure an...

Page 160: ...ed Keys on page 222 Priority Set the priority of this WLAN to Low if you would prefer that other WLAN traffic takes priority For example if you want to prioritize internal traffic over guest WLAN traf...

Page 161: ...ng on the 2 4 GHz radio and 10 calls on the 5 GHz radio seven active and three reserved for roaming Enable this feature if you want this WLAN to serve as a VoIP WLAN to support Spectralink phones You...

Page 162: ...E When tunnel mode is enabled on a WLAN multicast video packets are blocked on that WLAN Multicast voice packets however are allowed Proxy ARP When enabled on a WLAN the AP provides proxy service for...

Page 163: ...P name SSID and MAC address into the DHCP request packets before forwarding them to the DHCP server The DHCP server can then use this information to allocate an IP address to the client from a particu...

Page 164: ...ple NOTE This feature will not work properly if ZoneDirector does not have the correct time To ensure ZoneDirector always maintains the correct time configure an NTP server and point ZoneDirector to t...

Page 165: ...anning Configure Services and Report Rogue Devices Configure WIPS must be enabled for 802 11k radio resource management to work properly If these options are not enabled the AP will send neighbor repo...

Page 166: ...it its use to a select group of users e g Marketing Engineering you can do so by following these steps 1 Make a list of the group of users 2 Go to Configure WLANs 3 When the WLANs page appears the int...

Page 167: ...ir first wireless network To review the security configuration and the available options customize the existing WLAN setup or replace it with a totally different configuration review the following pro...

Page 168: ...ion for modern wireless clients Open Auth WPA Mixed encryption Allows both WPA and WPA2 devices on the same WLAN Use this option only if older WPA devices cannot be upgraded to WPA2 802 1X EAP Auth An...

Page 169: ...equires the selection of Local Database as the authentication server If you are re configuring your internal WLAN to use 802 1X EAP authentication you normally have to generate and install certificate...

Page 170: ...lient use use the wireless settings generated by ZoneDirector Working with WLAN Groups WLAN groups are used to specify which APs provide which WLAN services If your wireless network covers a large phy...

Page 171: ...AN Groups section click Create New The Create New form appears 3 In Name type a descriptive name that you want to assign to this WLAN group For example if this WLAN will contain WLANs that are designa...

Page 172: ...u can set up a ZoneDirector wireless LAN as an extension of a VLAN network environment by tagging wireless client traffic to specific VLANs Qualifications include the following Verifying that the VLAN...

Page 173: ...above the switch ports would need to be configured as follows Corp VLAN 20 Guest VLAN 30 Management VLAN optional Some common VLAN scenarios include WLANs assigned to specific VLANs ZD and APs with n...

Page 174: ...kes automatic AP provisioning more complicated and should not be undertaken without a thorough understanding of your own network configuration as well as the ZoneFlex wireless deployment Configuring a...

Page 175: ...n be used to automatically and dynamically assign wireless clients to different VLANs based on RADIUS attributes Dynamic VLAN Requirements A RADIUS server must have already been added to ZoneDirector...

Page 176: ...ules ZoneDirector prioritizes and applies these three features in the following order Dynamic VLAN top priority VLAN Tunnel Mode How It Works User associates with a WLAN on which Dynamic VLAN has been...

Page 177: ...pe 802 6 65 Tunnel Medium Type VLAN ID 81 Tunnel Private Group Id Here is an example of the required attributes for three users as defined on Free RADIUS 0018ded90ef3 User Name user1 Tunnel Type VLAN...

Page 178: ...clients into multiple VLANs without the need for a RADIUS server To create a VLAN pool 1 Go to Configure WLANs and locate the VLAN Pooling section 2 Click Create New to create a new VLAN pool 3 Enter...

Page 179: ...ent features In case of conflict the priority is as follows 1 Role Based Access Control RBAC 2 AAA Server 3 Device Policy 4 VLAN Pooling For additional information on configuring VLANs for Access Poin...

Page 180: ...AN s for which you want to enable Hotspot service ZoneDirector supports up to 32 WISPr Hotspot service entries each of which can be assigned to multiple WLANs To create a Hotspot service 1 Go to Confi...

Page 181: ...AA Servers page If a RADIUS server is selected an additional option appears Enable MAC authentication bypass no redirection Enabling this option allows users with registered MAC addresses to be transp...

Page 182: ...ation will be blocked for 300 seconds If the same user unsuccessfully attempts to authenticate 30 times within the same time period the user will be blocked for 300 seconds 11 Click OK to save the hot...

Page 183: ...reviously 5 Click OK to save your changes Figure 127 Assigning a Hotspot service to a Hotspot WLAN Common WISPr Attribute Abbreviations Table below lists common WISPr attributes and their definitions...

Page 184: ...ff reason NOTE For more information on Captive Portal redirection for Hotspot Web Auth and Guest Access WLANs see Captive Portal Redirect on Initial Browser HTTPS Request on page 236 Creating a Hotspo...

Page 185: ...a new WLAN or modifying an existing WLAN Configure WLANs Edit Type Hotspot 2 0 Hotspot 2 0 Operator Create New Service Provider Profiles Create New 3 Configure the settings in to create a Service Pro...

Page 186: ...ternatively you can create a Hotspot 2 0 Operator Profile from the WLAN creation page while creating a new WLAN or modifying an existing WLAN Configure WLANs Edit Type Hotspot 2 0 Hotspot 2 0 Operator...

Page 187: ...iles Homogenous extended service set identifier The HESSID is a 6 octet MAC address that identifies the homogeneous ESS The HESSID value must be identical to one of the BSSIDs in the homogeneous ESS H...

Page 188: ...t 2 0 for WLAN type 4 In Hotspot 2 0 Operator select the name of the Operator profile that you created previously or click Create New to create a new HS2 0 Operator profile 5 In Authentication Server...

Page 189: ...benefit However for other guest or public access designs the lack of ability to control the entire web authentication process is not desirable ZoneDirector provides an option to work around the Apple...

Page 190: ...ats JPG GIF or PNG The recommended image size is 138 x 40 pixels and the maximum file size is 20KB To customize the guest login page 1 Go to Configure WLANs 2 Scroll down to the Web Portal Logo sectio...

Page 191: ...Figure 130 Customizing the Web Portal logo 191 Ruckus Wireless ZoneDirector Release 10 0 User Guide Managing a Wireless Local Area Network Customizing the Web Portal Logo...

Page 192: ...Ruckus Wireless ZoneDirector Release 10 0 User Guide 192 Managing a Wireless Local Area Network Customizing the Web Portal Logo...

Page 193: ...ic AP approval is enabled by default Deselect this option to manually approve each AP join request Connecting the APs to the Network 1 Place the new APs in the appropriate locations 2 Write down the M...

Page 194: ...e Action column click Allow After the status is changed from Disconnected to Connected the new AP is activated and ready for use Figure 132 The Monitor Access Points page Working with Access Point Gro...

Page 195: ...r of AP groups by ZoneDirector model Max AP Groups ZoneDirector Model 128 ZoneDirector 1200 256 ZoneDirector 3000 512 ZoneDirector 5000 Modifying the System Default AP Group If you want to apply globa...

Page 196: ...fault Enable this option if this AP radio will be used as a voice WLAN for Polycom Spectralink phones This option changes several AP radio settings such as DTIM BSS minrate and RTS CTS to improve voic...

Page 197: ...Configure Access Points 2 In the Access Point Groups section click the Create New button 3 Enter a Name and optionally a Description for the new AP group 4 Modify any of the settings that you want to...

Page 198: ...AP group membership Modifying Model Specific Controls The following settings can be applied to all APs of a particular model that are members of the AP group Max Clients Set the maximum number of clie...

Page 199: ...tion to them External Antenna On APs with external antenna options select Override System Default and Enable for the external antenna to be enabled Once enabled enter a gain value in the range of 0 to...

Page 200: ...guring AP Ethernet Ports You can use AP groups to control Ethernet ports on all APs of a certain model Then if you want to override the port settings for a specific AP you can do so as explained in th...

Page 201: ...82 on page 202 8 For any enabled ports you can choose whether the port will be used as a Trunk Port an Access Port or a General Port The following restrictions apply All APs must be configured with a...

Page 202: ...a request that is being forwarded to a DHCP server When this option is enabled for an Ethernet port or a WLAN SSID additional information will be encapsulated in DHCP option 82 and inserted into DHCP...

Page 203: ...d to send the AP s MAC address or the client MAC plus ESSID or AP MAC plus ESSID Sub option 150 can be enabled to encapsulate the VLAN ID Sub option 151 can be enabled to encapsulate either the ESSID...

Page 204: ...ffic is sent untagged If configured as a Trunk Port all untagged ingress traffic is the configured Untag VLAN by default 1 and all VLAN tagged traffic on VLANs 1 4094 will be seen when present on the...

Page 205: ...onfigured Outgoing Traffic to the client Incoming Traffic from the client VLAN Settings All outgoing traffic on the port is sent untagged All incoming traffic is native VLAN VLAN 1 Access Port Untag V...

Page 206: ...X authenticator it can be further defined as either Port based or MAC based MAC based authenticator mode is only supported if the port is an Access Port Table 28 Authenticator support vs Port Type Gen...

Page 207: ...rnet Port as Supplicant You can also configure a port to act as a supplicant and force it to authenticate itself to an upstream authenticator port Until the AP has successfully done so the state of th...

Page 208: ...ewing AP Ethernet Port Status You can view the status of an AP s port configuration by going to Monitor Access Points and clicking on the MAC address of the AP Ruckus Wireless ZoneDirector Release 10...

Page 209: ...do this select the Limited ZD Discovery check box and then enter the IP addresses or FQDN of the primary and secondary ZoneDirector units to which you want APs to join When Limited ZD Discovery is ena...

Page 210: ...set the Management VLAN ID that ZoneDirector needs to use on the Configure System page Otherwise ZoneDirector and the APs will be unable to communicate via the Management VLAN Load Balancing Balances...

Page 211: ...as been restored 6 Click Apply to save your changes 7 Once all the APs WLANs WLAN groups and AP groups have been deployed on the primary ZoneDirector s back up the AP configurations for each primary c...

Page 212: ...rt a range of 3G 4G LTE and WiMAX wireless USB devices for non Wi Fi wireless connection to a service provider s network The ZoneDirector web interface allows administrators to provision SmartPoint AP...

Page 213: ...n process and establishes an LWAPP tunnel with ZoneDirector 7 ZoneDirector pushes the 802 11 wireless configuration to the AP 8 The AP implements the 802 11 wireless configuration and is ready to prov...

Page 214: ...e 133 4 By clicking Override Group Config and changing the default values the following parameters can be configured independently for each AP radio Channel Range Settings Deselect any channels that y...

Page 215: ...settings netmask gateway and DNS servers If you want to assign a static IP address to the AP click the Manual option next to Device IP Settings and then set the values for the following options IP Add...

Page 216: ...Click OK to save your settings Figure 146 Ethernet port configuration Override Group Config Configuring Hotspot 2 0 Venue Settings for an AP If this Access Point will be serving a Hotspot 2 0 hotspot...

Page 217: ...sessing AP performance in the context of network performance you can reset channels and adjust transmission power or adjust the priority of certain WLANs over others as needed Assessing Current Perfor...

Page 218: ...lly configure this AP s Mesh role Root AP Mesh AP or Disable Default is Auto Uplink Selection Use this setting to manually define which APs can serve as an uplink for this Mesh AP 5 Click OK The adjus...

Page 219: ...ero IT activation do the following 1 Go to Configure WLANs 2 Click Edit on the WLAN where you want to enable Zero IT Activation 3 Enable WPA2 not WPA Mixed selecting WPA Mixed will disable the Zero IT...

Page 220: ...the user simply connects to the ZoneDirector activation URL and runs the self activation script For clients running Mac OS X the user must be logged in as an administrator for Zero IT activation to w...

Page 221: ...e wireless settings by clicking the link at the bottom of the page see Provisioning Clients that Do Not Support Zero IT on page 222 Figure 150 Corporate WLAN configuration You have completed Zero IT c...

Page 222: ...nfiguration page displays the settings needed for manual configuration Figure 151 Manual configuration information Working with Dynamic Pre Shared Keys Dynamic PSK is a unique Ruckus Wireless feature...

Page 223: ...ot enable it during the initial ZoneDirector Setup Wizard process To enable DPSK for a WLAN 1 Go to Configure WLANs 2 Either Edit an existing WLAN or Create New to open the WLAN configuration form 3 U...

Page 224: ...ynamic Pre Shared Keys once their credentials are verified against either the internal database or an external AAA server Figure 152 Enabling Dynamic PSK for a WLAN Setting Dynamic Pre Shared Key Expi...

Page 225: ...Scroll down to the Dynamic PSK Batch Generation section 3 In Target WLAN select one of the existing WLANs with which the users will be allowed to associate Only WLANs with DPSK enabled will be listed...

Page 226: ...d them the following information User Name The user name generated via batch DPSK generation by default Batch_DPSK_User_ WLAN Name This is the WLAN with which they are authorized to access and use the...

Page 227: ...ng columns User Name Required Type the name of the user one name per row MAC Address Optional If you know the MAC address of the device that the user will be using type it here Figure 154 Editing the...

Page 228: ...base To use the internal user database as the default authentication source and to create new user accounts in the database 1 Go to Configure Users 2 In the Internal User Database table click Create N...

Page 229: ...ose the appropriate role for this user For more information on roles and their application see Creating New User Roles on page 230 5 Click OK to save your settings Be sure to communicate the user name...

Page 230: ...o log in with non standard client devices or to grant permission to generate guest passes You can then edit the default role to disable the guest pass generation option To create a new user Role 1 Go...

Page 231: ...ccess Control Policy Enforce an access control policy on members of this role See Role Based Access Control Policy on page 231 5 When you finish click OK to save your settings This role is ready for a...

Page 232: ...RBAC Policy Options The following control policies can be applied to a role OS type Limit access based on operating system device type VLAN Assign a VLAN ID to this role Rate Limiting Limit per statio...

Page 233: ...lowing these steps 1 Go to Monitor Generated PSK Certs The Generated PSK Certs page appears 2 Select the check boxes for the PSKs and Certificates that you want to delete 3 Click Delete to delete the...

Page 234: ...nting If you select this option you also need to enter the IP address of the RADIUS Accounting server its port number default is 1813 and its shared secret 4 Additional options appear depending on whi...

Page 235: ...onnect to the Login page and enter the required login information To activate web authentication 1 Go to Configure WLANs The WLAN page appears 2 Look for the WLAN that you want to edit and then click...

Page 236: ...re when browsing secure sites and ensure their authenticity However there are two options to help mitigate these warnings 1 Completely disable the redirect on initial browser HTTPS request feature ref...

Page 237: ...t Access Service which defines the behavior of the guest WLAN interface To create a Guest Access Service 1 Go to Configure Guest Access 2 Click Create New to configure a guest access service NOTE Alte...

Page 238: ...ior to forwarding them to their destination When guest users land on this page they are shown the expiration time for their guest pass 8 Customize any of the following optional configuration settings...

Page 239: ...icate with ZoneDirector until the specified expiration time An additional parameter A Guest Pass will expire in X days can be configured to specify when a guest pass will expire when unused The defaul...

Page 240: ...lf Service Guest WLAN The simplest way to deploy a self service guest WLAN is to enable the self service option and do not change any of the default settings When a self service guest WLAN is deployed...

Page 241: ...f Use page appears if enabled Click Accept and Continue Figure 167 Terms of Use 7 The Authenticated page appears Your guest pass is now activated and you can begin using the wireless network Click Con...

Page 242: ...via Email on page 267 and Delivering Guest Passes via SMS on page 267 for more information Configure the following options if Sponsor Approval is enabled Sponsor number Set how many sponsors the user...

Page 243: ...When a user connects to a guest WLAN with Sponsor Approval enabled the option to Request password appears Figure 170 Click Request Password to request a guest pass after sponsor approval To request a...

Page 244: ...open the Sponsor Approver Authentication page Figure 172 Sponsor approval email 5 On the Sponsor Approver Authentication page enter a valid User Name and Password and click Log in to continue NOTE Thi...

Page 245: ...wish to approve set the Duration for each and click Approve to approve them Figure 174 Guest Pass Approval 7 Approving a guest pass triggers delivery of an email and or SMS message containing the gue...

Page 246: ...which the guest user is connected If you want to create additional rules that allow or restrict guest users from specific subnets use the Restricted Subnet Access section You can create up to 22 subne...

Page 247: ...Repeat Steps 4 to 9 to create up to 22 subnet access rules Figure 177 The Restricted Subnet Access options Creating a Guest WLAN Once you have created a guest access service create a WLAN of the type...

Page 248: ...the options to enable for this WLAN For more information on WLAN advanced options see Advanced Options on page 160 Optionally enable a Grace Period disabled by default and enter a value in minutes to...

Page 249: ...Show Zero IT Device Registration button only 5 If Guest Pass is enabled configure Guest Pass options as described in Working with Guest Passes 6 Click Apply Figure 179 Enable Onboarding Portal When a...

Page 250: ...st Access welcome and terms of use screens If the user clicks the Register Device button the web page will be redirected to the WLAN Connection Activation page from which the user can enter user name...

Page 251: ...are temporary privileges granted to guests to access your wireless LANs ZoneDirector provides many options for customizing guest passes controlling who is allowed to issue guest passes and controlling...

Page 252: ...000 concurrently connected clients When the maximum number of users that ZoneDirector supports has been reached additional clients attempting to connect will be refused Generating a Guest Pass from th...

Page 253: ...vanced Options and configure the following Session Timeout Enable this check box and select a time increment after which guests will be required to log in again If this feature is disabled connected u...

Page 254: ...rector admin privileges you can create a new user Role for the task and optionally you can also edit the Default role to not have guest pass generation privileges Users with the new role will then be...

Page 255: ...Generation Privileges on page 255 and create a new role with guest pass generation enabled as described in Creating a Guest Pass Generation User Role on page 256 Controlling Guest Pass Generation Priv...

Page 256: ...onnect to all WLANs or 2 limit this role s users to specific WLANs and then pick the WLANs they can connect to NOTE When creating a guest pass generator Role you must ensure that this Role is given ac...

Page 257: ...to the appropriate end user Generating and Delivering a Single Guest Pass You can provide the following instructions to users with guest pass generation privileges A single guest pass can be used for...

Page 258: ...User Name type your user name 4 In Password type your password 5 Click Log In The Guest Information page appears On this page you need to provide information about the guest user to enable ZoneDirecto...

Page 259: ...s key must be unique and is distributed on all guest WLANs Remarks optional Type any notes or comments For example if the guest user is a visitor from a partner organization you could type the name of...

Page 260: ...elect Default 13 Click Print Instructions A new browser page appears and displays the guest pass instructions At the same time the Print dialog box appears 14 Select the printer that you want to use a...

Page 261: ...261 Ruckus Wireless ZoneDirector Release 10 0 User Guide Managing Guest Access Working with Guest Passes...

Page 262: ...oneDirector to generate the guest passes 6 On the Guest Information page fill in the following options Creation Type Select Multiple Valid for Specify the time period during which the guest passes wil...

Page 263: ...ass instructions that you want to print out If you did not create custom guest pass printouts select Default 9 Print the instructions for a single guest pass or print all of them To print instructions...

Page 264: ...st Access page and then complete steps 6 to 10 in Generating and Printing Multiple Guest Passes at Once on page 262 to upload the guest pass profile and generate multiple guest passes Monitoring Gener...

Page 265: ...Go to Configure Guest Access 2 Scroll down to the Guest Pass Printout Customization section 3 Click the click here link under the Guest Pass Printout Customization section title to download the sampl...

Page 266: ...at are used in the guest pass printout Make sure that they are not accidentally deleted when you customize the guest pass printout Table 30 Tokens that you can use in the guest pass printout Desriptio...

Page 267: ...t pass code use the following procedure 1 On the Configure Guest Access page locate the Customize the Email Content section 2 Customize the message in the text box and click Apply to save your changes...

Page 268: ...Customize the message in the text box and click Apply to save your changes Figure 195 Customize the SMS content NOTE For more information on Captive Portal redirection for Hotspot Web Auth and Guest A...

Page 269: ...ard for a map view of active APs Click the MAC address link of any AP record to see more details 2 Go to Monitor Access Points and review the usage and coverage of your APs Click the MAC address link...

Page 270: ...n The ZoneFlex model number Model Displays the current status of the AP from ZoneDirector s perspective Approval Pending Connected Disconnected Root AP Mesh AP eMesh AP Number of hops Status Displays...

Page 271: ...icking the Edit Columns button Additionally you can export the content of this table using the Export to CSV on page 271 button Figure 197 Click Edit Columns to customize the Currently Managed APs tab...

Page 272: ...he search text will be exported Figure 198 Saving a managed AP list as a CSV file Currently Managed AP Groups Click the icon to expand the AP group to display all members of the group Ruckus Wireless...

Page 273: ...e specific AP Table 32 AP Information details Description Heading Displays general information on the AP including software version IP address and model number uptime clients and mesh status General I...

Page 274: ...urves show the actual throughput of a particular client or the current mix of clients These curves are influenced by the user session and they vary as a function of gaps in browsing activity and inter...

Page 275: ...ng the RF environment RF Info Go to the Configure Access Points page and edit the configuration settings for this AP Configure Launch the SpeedFlex performance test tool to measure uplink downlink spe...

Page 276: ...new controller either on premises or in the cloud Once the Migrate button is clicked the following two actions will be taken 1 The AP s SmartZone discovery process called wsgclient will be started 2...

Page 277: ...e may or may not have an impact on performance RF Pollution is a measure of noise or other interference that is in fact impacting performance How do customers use this new concept to understand and ma...

Page 278: ...tribution format The CDF plot is color coded based upon the frequency with which each point is observed during consecutive spectral sweeps of the entire 2 4 5Ghz frequency band Frequently occurring po...

Page 279: ...several calculations to determine which APs are in proximity to one another This information can be useful in planning or redesigning your Smart Mesh topology or in troubleshooting link performance is...

Page 280: ...status in this section Temperature and orientation sensors are available on most Ruckus Wireless outdoor APs Orientation Desktop Horizontal Mount Ceiling Horizontal Mount Wall Vertical Mount Temperatu...

Page 281: ...and testing connectivity using Ping and Traceroute using the Action icons see Active Client Action Icons on page 282 The Wireless Clients monitoring page also includes the following details on active...

Page 282: ...speeds to from this client See MeasuringWirelessNetworkThroughputwithSpeedFlexonpage339 SpeedFlex Troubleshoot connectivity issues using Ping and Traceroute See Using the Ping and Traceroute Tools on...

Page 283: ...ient activity Click the Show Details button to display detailed application or port usage percentages 283 Ruckus Wireless ZoneDirector Release 10 0 User Guide Monitoring Your Wireless Network Reviewin...

Page 284: ...ions pie chart can also be used to discover which clients are using the most used applications When you mouse over a section of the pie chart a table is displayed to the right providing a list of the...

Page 285: ...information is displayed To view detailed information about a specific client 1 Go to Monitor Wireless Clients 2 Click the link for the MAC address of the client you want to monitor The page refreshe...

Page 286: ...ring Client Performance on page 286 General Displays a client specific subset of the events in the All Events Activities table Events Figure 214 Viewing individual client information and performance s...

Page 287: ...ransmitting to that client It is measured in bits s and takes into account the PHY rate error rate and all contention due to 802 11 and non 802 11 transmitters Because it takes into account every sour...

Page 288: ...cent connection and authentication events related to wired clients only Monitoring AAA Server Statistics To monitor AAA server RADIUS statistics go to Monitor AAA Servers Reviewing Current Alarms If a...

Page 289: ...ies table 3 The first 15 entries are displayed by default Click Show More to expand the display 4 Click Clear All to delete all entries in the table NOTE AP events display the first 17 characters of a...

Page 290: ...n Services NOTE For information on configuration and administration of Ruckus SmartPositioning Technology SPoT service please refer to the SPoT User Guide available from the Ruckus support site https...

Page 291: ...sh page Real Time Monitoring The Real Time Monitoring tool provides a convenient at a glance overview of performance statistics such as CPU and memory utilization number of APs and clients on the netw...

Page 292: ...ting Rogue Access Points Rogue unauthorized APs pose problems for a wireless network in terms of airtime contention as well as security Usually a rogue AP appears in the following way an employee obta...

Page 293: ...the user 4 To mark an AP as malicious click Mark as Malicious This AP will now be blocked and listed in the User Blocked Rogue Devices table The malicious rogue AP protection mechanisms enabled from...

Page 294: ...n physically locating rogue devices click the plus sign icon next to a detected rogue AP This expands a list to display which ZoneFlex APs have detected this rogue sorted according to signal strength...

Page 295: ...Monitoring System Ethernet Port Status To view the status of ZoneDirector s Ethernet ports go to Monitor System Info The table displays the MAC address Interface ID physical link status link speed and...

Page 296: ...Ruckus Wireless ZoneDirector Release 10 0 User Guide 296 Monitoring Your Wireless Network Monitoring System Information...

Page 297: ...imilated into the mesh network In the Ruckus Wireless Smart Mesh network all traffic going through the mesh links is encrypted A passphrase is shared between mesh nodes to securely pass traffic When d...

Page 298: ...acket takes from one Mesh AP to the Root AP For example if the Root AP is the uplink of Mesh AP 1 then Mesh AP 1 is one hop away from the Root AP In the same scenario if Mesh AP 1 is the uplink of Mes...

Page 299: ...bridge topology In this topology ZoneDirector and the upstream router are on the primary wired LAN segment and another isolated wired segment exists that needs to be bridged to the primary LAN segmen...

Page 300: ...h AP to for example bridge a wired LAN segment inside a building to a wireless mesh outdoors In designing a mesh network connecting an eMAP to a Mesh AP extends the Smart Mesh network without expendin...

Page 301: ...ecide on the number of APs that you will deploy including the number of Root APs and Mesh APs and then create a simple sketch of where you will deploy each Root AP and Mesh AP Remember that Root APs n...

Page 302: ...as described in Managing Access Points Individually 5 In Mesh Name ESSID type a name for the mesh network Alternatively do nothing to accept the default mesh name that ZoneDirector has generated 6 In...

Page 303: ...esh related settings to take effect To provision and deploy a mesh node 1 Using one of the AP s Ethernet ports connect it to the same wired network to which ZoneDirector is connected and then power it...

Page 304: ...cations on the network you can check the Monitor Mesh page to verify that mesh associations have been established and mesh trees formed 1 Go to Monitor Mesh 2 Check if all the mesh nodes that you have...

Page 305: ...n to checking the mesh status of ZoneFlex APs from the ZoneDirector web interface you can also check the LEDs on the APs The LED behaviors that indicate the AP s mesh status vary depending whether the...

Page 306: ...st one mesh downlink exists and At least one client is associated with the AP Fast blinking green At least one mesh downlink exists and No client is associated with the AP Slow blinking green Signal A...

Page 307: ...t blinking green This is a Mesh AP that is currently searching for a Root AP or This AP is currently searching for ZoneDirector Slow blinking green Indoor Dual Band APs On dual band ZoneFlex indoor AP...

Page 308: ...e flash every two seconds Mesh network is enabled Not connected to an uplink AP searching for a mesh uplink Off AIR LED Using Action Icons to Configure and Troubleshoot APs in a Mesh The following act...

Page 309: ...route Troubleshoot Initiate a reboot of this AP Restart Recover an isolated Mesh AP Recover Allow this AP to be managed by ZoneDirector This icon will only appear if you have disabled automatic approv...

Page 310: ...Director via Ethernet and on the same LAN segment should be configured as Root APs Mis configuring a Mesh AP or an eMAP as a Root AP can cause the AP to become isolated or in the case of eMAP can resu...

Page 311: ...the Monitor Access Points page and provides possible reasons for the isolation and the recommended steps for resolving the issue Possible Reason Status You have set uplink selection to Manual but none...

Page 312: ...type near this AP No APs with matching radio type Recovering an Isolated Mesh AP When a Mesh AP becomes isolated it begins broadcasting a recovery SSID named island last 6 digits of AP s MAC address...

Page 313: ...neDirector 3 You can now access the AP s web interface by entering the AP s recovery IP address 169 254 1 1 in the browser NOTE Note that because the AP is still in ZoneDirector managed state you cann...

Page 314: ...If a management VLAN is used for ZoneDirector AP management traffic enter the following command set ipaddr wan vlan vlan ID 8 Enter the command reboot to restart the AP with the new configuration cha...

Page 315: ...name should be changed only if necessary NOTE If authentication with an external server is enabled and the Fallback to admin name password if failed check box is disabled you will be unable to edit th...

Page 316: ...figuration only Monitoring Admin Allows monitoring operations only This section provides basic instructions for setting up ZoneDirector to authenticate additional administrator accounts with an extern...

Page 317: ...eDirector Administration check box administrators that are assigned this role will be unable to log into ZoneDirector even if all other settings are configured correctly 4 Test your authentication set...

Page 318: ...e new backup files at that time too Backing Up a Network Configuration To back up your ZoneDirector configuration to a backup file 1 Go to Administer Backup 2 Under the Backup Configuration sections c...

Page 319: ...e device to use all the settings configured in the backup file including the IP address wireless settings access control lists AP and WLAN group configurations etc NOTE If you use the Restore everythi...

Page 320: ...s complete ZoneDirector automatically restarts and your wireless network will be ready for use again Figure 232 Select the restore level for restoring from a backup file Restoring AP Configuration Set...

Page 321: ...rt this backup file and additional backup file s Then click Import When the import is complete you will be prompted to import AP configurations from additional backup files 4 When finished click Impor...

Page 322: ...ctor Quick Start Guide QSG Before restoring ZoneDirector to factory default settings you should open and print out the QSG pages You can follow those instructions to set up ZoneDirector after restorin...

Page 323: ...k upgrade of both ZoneDirector and APs by following the steps detailed below NOTE Upgrading ZoneDirector and the APs will temporarily disconnect them and any associated clients from the network To min...

Page 324: ...mically support new AP models without requiring a ZoneDirector code change or a full system image upgrade The steps required for importing an AP firmware patch are similar to the steps in Upgrading Zo...

Page 325: ...st followed by the active unit If you do this some configuration options may get lost during the upgrade process Be sure to begin the upgrade process from either the active ZoneDirector s web interfac...

Page 326: ...he required requester information Submit the CSR to a public CA for signing Receive a signed certificate from the CA Import the signed certificate into ZoneDirector Generating a Certificate Signing Re...

Page 327: ...administrator interface standard captive portal and guest access captive portal Subject Alternative Name Optional Select either IP or DNS from the menu and enter either alternative IP addresses or alt...

Page 328: ...ertificate and then paste it into a text file 8 Save the file You may now import the signed certificate into ZoneDirector Importing an SSL Certificate After you receive the signed certificate from the...

Page 329: ...wse button and select the file containing the intermediate certificate PEM format to upload it If there are no additional intermediate certificates click the Import button to install the uploaded cert...

Page 330: ...ing it for disaster recovery or for use on another ZoneDirector If your ZoneDirector is replaced due to an RMA you will need to restore the private key if you have installed a public certificate Ensur...

Page 331: ...on with each trusted CA separated by a string of number symbols Options include Add a new trusted CA Import a single CA file Cover all trusted CA Use the new trusted CA file to cover all existing trus...

Page 332: ...o the following URL https certrenewal ruckuswireless com certificate_renewal_requests new You will need to login to the Ruckus Support portal to continue 5 Once logged in you will be redirected to the...

Page 333: ...23397 res 10 On the SSL Certificate Advanced Options click Choose File to import the new certificate package res file The file is uploaded to ZoneDirector 11 Click Import to import the new certificate...

Page 334: ...ensure that your DNS server is configured to resolve that name to the IP address of ZoneDirector Wildcard Certificates In Smart Redundancy With Captive Portals In order to prevent redirect loops when...

Page 335: ...nding on the number of Ruckus Wireless APs you need to manage with your ZoneDirector you may need to upgrade your license as your network expands Contact your authorized Ruckus Wireless reseller to pu...

Page 336: ...eller to purchase additional support service After you have purchased a support contract you can download the entitlement file and automatically import into your ZoneDirector or manually download the...

Page 337: ...system s qualifications Option 1 If the client is running a supported operating system check the wireless network adapter to verify the implementation of WPA Option 2 Upgrade to Windows 7 and if neede...

Page 338: ...ed to guide the user through a reset of their WLAN configuration This requires deleting the user record then creating a new user record after which the user must repeat the Zero IT Activation process...

Page 339: ...hroughput For instructions on how to run SpeedFlex from a wireless client for users refer to Allowing Users to Measure Their Own Wireless Throughput NOTE SpeedFlex is unable to measure the throughput...

Page 340: ...mance test can continue Click the OK button on the message download the appropriate SpeedFlex version Windows Mac or Android from http ZoneDirector IP Address perf and email it to the user or instruct...

Page 341: ...Figure 248 The SpeedFlex interface 341 Ruckus Wireless ZoneDirector Release 10 0 User Guide Troubleshooting Measuring Wireless Network Throughput with SpeedFlex...

Page 342: ...peedFlex in a Multi Hop Smart Mesh Network SpeedFlex can also be used to measure multi hop throughput between APs and ZoneDirector in a mesh tree For example if you have a mesh tree that is three hops...

Page 343: ...SpeedFlex icon changes to an icon with a green check mark and the Multi Hops SpeedFlex button appears 3 Click Multi Hops SpeedFlex The SpeedFlex utility launches in a new browser window 4 Select Uplin...

Page 344: ...your browser 3 Click the Start button The following message appears Your computer does not have SpeedFlex running Click the OK button download the SpeedFlex application for your operating system and...

Page 345: ...c RF scanning feature that is built into the Ruckus ZoneDirector That automatic scan assesses one radio frequency at a time every 20 seconds by default To manually start a complete radio frequency sca...

Page 346: ...om anywhere in the UI that you see the icon For example from the Monitor Access Points page click the icon next to an AP to launch the troubleshooting window Figure 254 Launching the Ping Traceroute T...

Page 347: ...o a convenient location on your local computer After the file is saved you can email it to the technical support representative NOTE The debug or diagnostics file is encrypted and only Ruckus Wireless...

Page 348: ...kets and either save them to a local file or stream them to a packet inspection program such as Wireshark for later analysis Local Capture Streaming Mode NOTE Performing packet capture on the 5 GHz ra...

Page 349: ...re streaming Both modes allow compound filter expressions conforming to the pcap filter syntax which is described at filter Local Capture To capture packets to a local file for external analysis 1 Cho...

Page 350: ...ed on Ruckus APs include some information that is not available when capturing from other Wi Fi devices This additional information is stored in the Per Packet Information PPI header that precedes the...

Page 351: ...ext spatial streams 28 29 Ness ext spatial streams STBC 0 not applied 1 yes 27 STBC 0 not applied 1 yes LDPC 0 not applied 1 yes 26 LDPC 0 not applied 1 yes LDPC indicator valid 25 LDPC indicator val...

Page 352: ...nd a Delete button Click the Download button to download the core dump log file for delivery to Ruckus Support to assist with troubleshooting if requested to do so Click the Delete button to delete th...

Page 353: ...the particular Access Point record The Status column should display Connected 3 Click the Restart icon The Status column now displays Disconnected along with the date and time when ZoneDirector last...

Page 354: ...hen the Restart Shutdown features appear click Restart You will be automatically logged out of ZoneDirector After a minute when the Status LED is steadily lit you can log back into ZoneDirector Figure...

Page 355: ...urrently if you use an oversubscription ratio of 4 1 such a network could actually support 40 users at 1Mbps In a Smart Mesh network the Root AP RAP has all its wireless bandwidth available for bandwi...

Page 356: ...er means and actually checking the Signal Quality throughout the mesh network In addition once the mesh is deployed the Signal Quality should be periodically monitored to make sure the mesh is operati...

Page 357: ...ty as your benchmark as explained in Signal Quality Verification on page 356 Ensure that the Signal is better than 25 for trouble free operation For additional mounting details please also consult the...

Page 358: ...Ruckus Wireless ZoneDirector Release 10 0 User Guide 358 Mesh Networking Best Practices Mounting and Orientation of APs...

Page 359: ...nient and possible MAPs and RAPs should all be at a similar elevation from the ground For example for an indoor outdoor mesh if all your indoor RAPs and MAPs are at ceiling height standard 15 foot cei...

Page 360: ...distributed evenly throughout the coverage area rather than clumped together 5 Once the APs are mounted on a test basis or permanently use the Signal quality measurement to ensure that the uplink sig...

Page 361: ...Copyright 2017 Ruckus Wireless Inc 350 West Java Drive Sunnyvale CA www ruckuswireless com...

Reviews:

No comments

Brands by name

Popular brands

Load more brands