Home
/
Ruckus Wireless
/
ZoneDirector 3000
/
User Manual

Ruckus Wireless ZoneDirector 3000, User Manual, Page: 126 / 430

Share

Page: 126 / 430

Ruckus Wireless ZoneDirector 3000 User Manual Download Page 126

Configuring Wireless Intrusion Prevention

Rogue Access Points

126

Ruckus Wireless, Inc.

•

SSID-Spoofing

: These are rogue access points that are beaconing the same

SSID name as a ZoneDirector-managed access point. They pose a threat as
someone may be attempting to use them as a honey pot to attract your clients
into their network to attempt hacking or man-in-the-middle attacks to exploit
passwords and other sensitive data.

•

Same-Network

: These are rogue access points that are detected by other

access points as transmitting traffic on your internal network. They are detected
by ZoneDirector-managed access points seeing packets coming from a 'similar'
MAC address to one of those detected from an over the air rogue AP. Similar
MAC addresses are +-5 MAC address lower or higher than the detected over
the air MAC address.

•

MAC-spoofing

: These are rogue access points that are beaconing the same

MAC address as a ZoneDirector-managed access point. They pose a threat as
someone may be attempting to use them as a honey pot to attract your clients
into their network to attempt hacking or man-in-the-middle attacks to exploit
passwords and other sensitive data.

The last type of malicious rogue device is “User Marked.” These are devices that
are manually marked as malicious rogues by a ZoneDirector administrator using the

Mark as Malicious

button on the

Monitor > Rogue Devices

page.

To configure intrusion detection and prevention options:

1

In the

Intrusion Detection and Prevention

section, configure the following

settings:

•

Enable report rogue devices

: Enabling this check box allows ZoneDirector

to include rogue device detection in logs and email alarm event notifications.

-

Report all rogue devices

: Send alerts for all rogue AP events.

-

Report only malicious rogue devices of type

: Select which event types to

report.

•

Protect the network from malicious rogue access points

: Enable this

feature to automatically protect your network from network connected rogue
APs, SSID-spoofing APs and MAC-spoofing APs. When one of these rogue
APs is detected (and this check box is enabled), the Ruckus AP automatically
begins sending broadcast de-authentication messages spoofing the rogue’s
BSSID (MAC) to prevent wireless clients from connecting to the malicious
rogue AP. This option is disabled by default.

2

Click the

Apply

button that is in the same section to save your changes.

«
...
124
125
126
127
128
...
»

Summary of Contents for ZoneDirector 3000

Page 1: ...Ruckus Wireless ZoneDirector Release 9 8 User Guide Part Number 800 70599 001 Rev B Published July 2014 www ruckuswireless com...

Page 2: ......

Page 3: ...IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND EXPRESS OR IMPLIED WITH REGARD TO THE MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTI...

Page 4: ...4 Ruckus Wireless Inc...

Page 5: ...eDirector 30 How APs Discover ZoneDirector on the Network 31 How to Ensure that APs Can Discover ZoneDirector on the Network 32 Firewall Ports that Must be Open for ZoneDirector Communications 39 Inst...

Page 6: ...ail Alarm Notifications 83 Customizing Email Alarms that ZoneDirector Sends 86 Configuring SMS Settings for Guest Pass Delivery via SMS 86 Enabling Network Management Systems 88 Enabling Management vi...

Page 7: ...l Policies 137 Configuring User Defined Applications 139 Configuring Application Port Mapping 140 Configuring Precedence Policies 142 Blocking Client Devices 143 Using an External AAA Server 148 Activ...

Page 8: ...Shared Keys on a WLAN 220 Setting Dynamic Pre Shared Key Expiration 221 Generating Multiple Dynamic PSKs 223 Creating a Batch Dynamic PSK Profile 224 Enabling the Bypass Apple CNA Feature 225 5 Managi...

Page 9: ...Efficient Positions 268 Reviewing Current Alarms 269 Reviewing Recent Network Events 269 Clearing Recent Events Activities 270 Moniting WLAN Status 270 Reviewing Current User Activity 272 Viewing Appl...

Page 10: ...er for User Authentication 311 Activating Web Authentication 313 8 Managing Guest Access Configuring Guest Access 316 Creating a Guest Access Service 316 Configuring Guest Subnet Access 317 Creating a...

Page 11: ...361 Best Practices and Recommendations 363 10 Setting Administrator Preferences Changing the ZoneDirector Administrator User Name and Password 366 Setting Administrator Login Session Timeout 367 Chan...

Page 12: ...wing Current System and AP Logs 402 Packet Capture and Analysis 404 Local Capture 405 Streaming Mode 405 Importing a Script 408 Enabling Remote Troubleshooting 408 Restarting an Access Point 408 Resta...

Page 13: ...Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format PDF or HTML on the Ruckus Wireless Support website at https support ruckuswireless com documents NOTE...

Page 14: ...enter Device name set ipaddr 10 0 0 12 default font bold Keyboard keys software buttons and field names On the Start menu click All Programs italics Screen or page names Click Advanced Settings The A...

Page 15: ...Notes Provide information about the current software release including new features enhancements and known issues Documentation Feedback Ruckus Wireless is interested in improving its documentation a...

Page 16: ...Documentation Feedback 16 Ruckus Wireless Inc...

Page 17: ...his chapter Overview of ZoneDirector ZoneDirector Physical Features Introduction to the Ruckus Wireless Network Ensuring That APs Can Communicate with ZoneDirector Installing ZoneDirector Accessing Zo...

Page 18: ...e requirements of deploying an enterprise class WLAN in addition to providing much greater flexibility in AP placement ZoneDirector also integrates network monitoring sophisticated user access control...

Page 19: ...irector 1100 This section describes the following physical features of ZoneDirector 1100 Buttons Ports and Connectors Front Panel LEDs Figure 1 ZoneDirector 1100 Buttons Ports and Connectors Table 1 d...

Page 20: ...ory Default Reset Method WARNING Resetting ZoneDirector to factory default settings will erase all configuration changes that you made except for AP licenses and SSL certificates LED Label State Meani...

Page 21: ...e set to 100Mbps auto negotiation or 1000Mbps auto negotiation Ethernet Link Solid Green or Amber The port is connected to a device Flashing Green or Amber The port is transmitting or receiving traffi...

Page 22: ...and connectors on ZoneDirector 3000 Table 3 ZoneDirector 3000 front panel elements Label Meaning Power Located on the rear panel Press this button to power on ZoneDirector F D To reset ZoneDirector t...

Page 23: ...ps Ethernet ports For information on what the two Ethernet LEDs indicate refer to Table 4 LED Label State Meaning Power Green ZoneDirector is receiving power Off ZoneDirector is NOT receiving power If...

Page 24: ...s connected to a device Flashing Green or Amber The port is transmitting or receiving traffic Off The port has no network cable connected or is not receiving a link signal Ethernet Rate Amber The port...

Page 25: ...Removed Control Panel Rear Panel Features Figure 3 ZoneDirector 5000 Front Panel Front Panel Features Table 5 ZoneDirector 5000 front panel features Feature Description Control Panel See Control Panel...

Page 26: ...l bezel removed Table 6 ZoneDirector front panel elements Control Panel Figure 5 Control panel buttons and indicators Number Feature 1 ESD ground strap attachment 2 Hard drive bays not used 3 Control...

Page 27: ...ton 9 NIC 1 NIC 2 activity LED 10 HDD activity LED not used 11 PWR alarm LED not used 12 MNR alarm Amber system unavailable OFF system available LED Status Definition Off No power supply detected or t...

Page 28: ...nnector not used 2 Two low profile PCIe add in cards not used 3 Three full length PCIe add in cards not used 4 Power supply 2 backup AC power 5 Power supply 1 primary AC power 6 RJ45 serial port COM2...

Page 29: ...tor 5000 ZoneDirector 9 8 User Guide 800 70599 001 Rev B 29 Table 10 NIC status LEDs LED Color LED State NIC State Green Amber Left Off 10Mbps Green 100Mbps Amber 1000Mbps Green Right On Active connec...

Page 30: ...orkers contractors and visitors can be granted limited controlled access to a separate Guest WLAN with minimal setup You can now fine tune and monitor your network through the web interface which enab...

Page 31: ...tor s and will skip the DHCP DNS last joined ZoneDirector steps If it is unable to contact its pre configured Zone Director it will enter sulk state and will remain in an idle discover sulk loop until...

Page 32: ...Option 1 Perform Auto Discovery on Same Subnet then Transfer the AP to Intended Subnet Option 2 Customize Your DHCP Server Option 3 Register ZoneDirector with a DNS Server NOTE If the AP and ZoneDirec...

Page 33: ...the AP If there are multiple ZoneDirector devices on the network the AP will automatically select a ZoneDirector to register with from this list of IP addresses RFC 2132 describes DHCP Option 60 and O...

Page 34: ...to hexadecimal you can use an online conversion website such as http www easycalculation com decimal converter php to perform the conversion The table below lists the sub option code FlexMaster URL an...

Page 35: ...ormat of the sub option code 03 for ZoneDirector and comma separated IP addresses in ASCII text string 7 Configure the option with a value either at the server level scope level or at Reservation just...

Page 36: ...em the procedure may be different Step 1 Set the DNS Domain Name on the DHCP Server 1 From Windows Administrative Tools open DHCP and then select the DHCP server that you want to configure 2 If the Sc...

Page 37: ...t the DHCP server you want to configure 2 If the Scope folder is collapsed click the plus sign to expand it 3 Right click Scope Options and then click Configure Options The General tab of the Scope Op...

Page 38: ...he DHCP server with DNS related information you need to register the IP addresses of ZoneDirector devices on the network with your DNS server The procedure for this task depends on the DNS server soft...

Page 39: ...9 2 ZoneDirector can be deployed in a private network behind a NAT Network Address Translation device When ZoneDirector is deployed on an isolated private network where NAT is used administrators can...

Page 40: ...ed to ZoneDirector s private IP address on the NAT device s port mapping table ports 21 22 80 443 12222 12223 Note that there are some limitations with this configuration including SpeedFlex performan...

Page 41: ...oneDirector using UPnP Universal Plug and Play On Windows 7 you may need to Turn on network discovery in the Network and Sharing Center Advanced Sharing Settings 2 Double click the ZoneDirector icon w...

Page 42: ...tor web interface You can also perform many management and configuration tasks using the ZoneDirector Command Line Interface CLI by connecting directly to the Console port or an Ethernet port To acces...

Page 43: ...efault admin and password default admin You are now logged into ZoneDirector with limited privileges As a user with limited privileges you can view a history of previously executed commands and ping a...

Page 44: ...ard summary needs Tabs Click any of the four tabs Dashboard Configure Monitor and Administer to take advantage of related sets of features and options When you click a tab ZoneDirector displays a coll...

Page 45: ...Figure 12 The Dashboard NOTE Some indicators may not be present upon initial view The Add Widgets feature located at the bottom left area of the screen enables you to show or hide indicators See Using...

Page 46: ...a mesh uplinks or downlinks Most Active Client Devices Identifies the most active clients by MAC address IP address and user name Bandwidth usage is calculated in megabytes MB and is based on the tota...

Page 47: ...Usage Lists the top 10 applications their total usage in KB and percent of the total Top 10 APs by Usage Lists the top 10 APs their total usage in KB and percent of the total Top 10 Clients by Usage L...

Page 48: ...13 The Add Widgets link is at the bottom left corner of the Dashboard The Widgets pane opens at the upper left corner of the Dashboard 3 Select any widget icon and drag and drop it onto the Dashboard...

Page 49: ...widget icons appear at the top left corner of the Dashboard 4 Click Finish in the Widgets pane to close it Removing a Widget To remove a widget from the Dashboard click the icon for any of the widgets...

Page 50: ...verview of performance statistics such as CPU and memory utilization number of APs and clients on the network and number of packets transmitted To view the Real Time Monitoring page locate the Toolbox...

Page 51: ...process itself consumes a small amount of system resources it should be used as a general overview tool rather than a precise measurement Actual resources used CPU and memory utilization will be lower...

Page 52: ...oneDirector performance Stopping and Starting Auto Refresh By default ZoneDirector web interface pages automatically refresh themselves periodically depending on activity You can pause auto refresh on...

Page 53: ...P information To register your ZoneDirector 1 Click the Product Registration link in the Support widget on the Dashboard or 2 Go to Administer Registration 3 Enter your contact information on the Regi...

Page 54: ...Registering Your Product Stopping and Starting Auto Refresh 54 Ruckus Wireless Inc Figure 21 The Product Registration page Your ZoneDirector is now registered with Ruckus Wireless...

Page 55: ...ddressing Creating Static Route Entries Enabling Smart Redundancy Configuring the Built in DHCP Server Controlling ZoneDirector Management Access Setting the System Time Setting the Country Code Chang...

Page 56: ...y from the page or your changes will not be saved Changing the System Name When you first worked through the Setup Wizard you were prompted for a network recognizable system name for ZoneDirector If n...

Page 57: ...If you need to update the IP address and DNS server settings of ZoneDirector follow the steps outlined below CAUTION As soon as the IP address has been changed applied you will be disconnected from y...

Page 58: ...information in the now active fields IP Address Netmask and Gateway are required DHCP If you select DHCP no further information is required 4 Click Apply to save your settings You will lose connection...

Page 59: ...y been configured such as Access Control Lists ACLs AAA server addresses Syslog server SNMP trap receiver etc When IPv6 is enabled the other fields where IP addresses are entered such as Additional Ma...

Page 60: ...be configured to allow an administrator to manage ZoneDirector from its management VLAN thereby separating management traffic from LWAPP traffic between the controller and the access points The Manag...

Page 61: ...s Netmask and Access VLAN information for the additional interface If IPv6 enter Prefix Length instead of Netmask 4 Optional If you want to configure this management interface with a different gateway...

Page 62: ...are deployed in a Smart Redundancy configuration both of the actual IP addresses must be used rather than the management IP address Creating Static Route Entries Static routes can be created to allow...

Page 63: ...address 6 Click OK to save your changes You can create up to 4 static route entries Figure 26 Creating a static route entry Static Route Example As an example in a network where the APs are connected...

Page 64: ...ce becomes active When the original active device recovers it automatically assumes the standby state as it discovers an already active ZoneDirector on the network The ZoneDirector in active state man...

Page 65: ...vior They will continue trying to commu nicate sending discover messages every 6 seconds to peers until the ZDs are communicating again when they will determine Active Standby roles based on 1 most ma...

Page 66: ...under Configure Access Points Access Point Policies you must identify the IP address of both ZoneDirectors that the APs should connect to when Smart Redundancy is active If the Limited ZD Discovery a...

Page 67: ...rompted to retry discovery or to continue configuring the current device Once Smart Redundancy has been enabled a status link is displayed at the top of the web interface Figure 29 Smart Redundancy st...

Page 68: ...ondary Alternatively you can specify the IP addresses of both ZoneDirectors through DHCP Option 43 see Option 2 Customize Your DHCP Server Forcing Failover to the Backup ZoneDirector After Smart Redun...

Page 69: ...section select the Enable DHCP check box 3 In Starting IP Address type the first IP address that the built in DHCP server will allocate to DHCP clients The starting IP address must be on the same subn...

Page 70: ...HCP clients click the click here link at the end of the To view all currently assigned IP addresses that have been assigned by the DHCP server sentence A table appears and lists all current DHCP clien...

Page 71: ...stem screen Options include limiting access by subnet single IP address and IP address range NOTE When you create a management access control rule all IP addresses and subnets other than those specifi...

Page 72: ...rrent IP address is shown for convenience be sure not to create an ACL that prevents the admin s own IP address from accessing the web interface 5 Click OK to confirm You can create up to 16 entries t...

Page 73: ...erver as detailed below which provides continual updating with the latest time 1 Go to Configure System 2 In the System Time features you have the following options Refresh Click this to update the Zo...

Page 74: ...tions Setting the Country Code to the proper regulatory region ensures that your ZoneFlex network does not violate local and national regulatory restrictions ZoneDirector s web interface can be used t...

Page 75: ...band should be available for use by your APs Note that these settings only affect Ruckus Wireless APs that support the extended DFS channel list Channel Optimization settings are described in the foll...

Page 76: ...s including 100 104 108 112 116 120 124 128 132 136 140 Channel Mode Some countries restrict certain 5 GHz channels to indoor use only For instance Germany restricts channels in the 5 15 GHz to 5 25 G...

Page 77: ...unctioning as MAPs the mesh backhaul link must initially use a non indoor only channel Your ZoneFlex Outdoor MAPs may fail to join if the mesh backhaul link is using a restricted indoor only channel C...

Page 78: ...ging levels Show More Warning and Critical Events or Critical Events Only Remote Syslog To enable syslog logging select the Enable reporting to remote syslog server at check box and then type the IP a...

Page 79: ...ting with release 9 8 ZoneDirector will generate syslog messages upon acqui sition update or deletion of an IP address by a wireless station This feature allows enhanced integration with popular firew...

Page 80: ...w of user data from the end point to the firewall will use the following path 1 The user authenticates to an authentication server via AP 2 ZoneDirector verifies the user s identity 3 After the statio...

Page 81: ...P to which the station is currently connected seq Indicates the sequence number of the log message It is increased by one after a log is sent The UDP packet can be adjusted to the right order by this...

Page 82: ...ettings and expand the Remote Syslog Advanced Settings section 3 In ZoneDirector Settings set the facility name as follows Keep Original Retain the original facility name local0 local7 Specify facilit...

Page 83: ...t log If you prefer an email notification can be sent to a configured email address of your choosing To activate this option follow these steps 1 Go to Configure Alarm Settings 2 To enable email notif...

Page 84: ...d by your ISP or mail administrator This might be just the part of your email address before the symbol or it might be your complete email address If you are using a free email service such as Hotmail...

Page 85: ...ailed appears at the bottom of the Email Notification page Go back to Step 5 and then verify that the SMTP settings are correct 7 Click Apply The email notification settings you configured become acti...

Page 86: ...il Notification section NOTE With the exception of the Lost contact with AP event ZoneDirector only sends one email alarm notification for each event If the same event happens again no alarm will be s...

Page 87: ...eDirector 9 8 User Guide 800 70599 001 Rev B 87 You can now allow guest pass generators to deliver guest pass codes to guests using the SMS button when generating a new guest pass You must also enter...

Page 88: ...m Reboot Backup of ZoneDirector settings Performance monitoring When the FlexMaster management option is enabled you will still be able to access the ZoneDirector web interface to perform other manage...

Page 89: ...n authentication WLANs meant for public access By enabling the Northbound Portal Interface a wireless service provider can provide simple but secure Wi Fi access without pre registration account setup...

Page 90: ...irector information such as system status WLAN list AP list and clients list and to set a number of system settings using a Network Management System NMS or SNMP MIB browser You can also enable SNMP t...

Page 91: ...ge and click the Network Management link to open the Network Management section 2 Under the SNMPv2 Agent section select the Enable SNMP Agent check box 3 Enter the following information In SNMP RO com...

Page 92: ...3 Enter the following information for both the Read Only and Read Write privileges User Enter a user name between 1 and 31 characters Authentication Choose MD5 or SHA authentication method default is...

Page 93: ...SNMP trap notifications to the server Enable this feature if you want to automatically receive notifications for AP and client events that indicate possible network issues see Trap Notifications That...

Page 94: ...Support 94 Ruckus Wireless Inc If you select SNMPv3 enter up to four trap receiver IP addresses along with authentication method passphrase and privacy encryption settings 4 Click Apply to save your...

Page 95: ...trap notifications that ZoneDirector sends and when they are sent Table 15 Trap notifications Trap Name Description ruckusZDEventAPJoinTrap An AP has joined ZoneDirector The AP s MAC address is includ...

Page 96: ...ent has successfully joined an AP The client s MAC address the AP s MAC address and SSID are included in the trap notification ruckusZDEventClientJoinFailed A client has attempted and failed to join a...

Page 97: ...has exceeded the set value ruckusZDEventAPMEMvalve An AP s memory utilization has exceeded the set value ruckusZDEventSmartRedundancyChan getoActive The standby Smart Redundancy ZoneDirector has fail...

Page 98: ...packets and sends them to the DHCP servers then delivers DHCP Offer Ack messages from the DHCP server back to the client The traffic flow is as follows 1 Client sends DHCP discover broadcast 2 AP tun...

Page 99: ...Go to Configure WLANs 2 If creating a new WLAN click Create New Otherwise click Edit for the WLAN you want to configure 3 Under Advanced Options when Tunnel Mode is enabled the DHCP Relay option beco...

Page 100: ...network configuration required Multicast applications such as Bonjour require special consideration when being deployed over wireless networks Bonjour only works within a single broadcast domain whic...

Page 101: ...es from one VLAN to another Using the ZD Site Bonjour Gateway feature ZoneDirector serves as the Bonjour proxy for forwarding Bonjour packets to the designated VLANs Requirements Layer 2 switch betwee...

Page 102: ...s the memory processor requirements this feature is only supported on certain APs and delivers a set of service rules a Bonjour policy to the AP to perform the VLAN bridging NOTE This feature is only...

Page 103: ...n the AP Site table to create a new Bonjour service rule 3 In the Create New form configure the following options Bridge Service Select the Bonjour service from the list From VLAN Select the VLAN from...

Page 104: ...nt to configure 3 in Bonjour Gateway enable the check box and select a Bonjour policy that you created on the Configure Bonjour Gateway page from the list 4 Click OK to save your changes Figure 53 Des...

Page 105: ...pple TV attached to a projector Teachers SSID VLAN 200 802 1X authentication for a MacBook and iPad needs to have access to all classroom resources Students SSID VLAN 300 Students have a separate SSID...

Page 106: ...Enabling Bonjour Gateway Example Network Setup 106 Ruckus Wireless Inc...

Page 107: ...e 800 70599 001 Rev B 107 3 Configuring Security and Other Services In this chapter Configuring Self Healing Options Configuring Wireless Intrusion Prevention Controlling Network Access Permissions Us...

Page 108: ...d same Zone Director 3 The AP can hear the other AP at a minimum of 50dB which means the Access Points are very close to each other Note that the 2 4G and 5G radio bands are considered independently I...

Page 109: ...orical data and maintains an internal log of channel performance individually When ChannelFly changes channels it utilizes 802 11h channel change announce ments to seamlessly change channels with no p...

Page 110: ...healing options 1 Go to Configure Services 2 Review and change the following self healing options Automatically adjust AP radio power to optimize coverage where interference is present Enable automati...

Page 111: ...s not helpful or adjust the frequency if you want scans at greater or fewer intervals Note that Background Scanning must be enabled for ZoneDirector to detect rogue APs on the network To configure Ba...

Page 112: ...disable scanning for a particular WLAN click the Edit link next to the WLAN for which you want to disable scanning open Advanced Options and click the check box next to Disable Background Scanning To...

Page 113: ...ses subsequent scans to update the list of adjacent radios periodically and when a new AP sends its first scan report When an AP leaves ZoneDirector immediately updates the list of adjacent radios and...

Page 114: ...sbehavior The process does not require any time critical interaction between APs and ZoneDirector Provides control of adjacent AP distance with safeguards against abandoning clients Can be disabled on...

Page 115: ...ng across adjacent APs by radio type To disable Load Balancing on a per WLAN basis 1 Go to Configure WLANs 2 Click the Edit link beside the WLAN for which you want to disable load balancing 3 Click th...

Page 116: ...ing balances the client load on radios by distributing clients between the 2 4 GHz and 5 GHz radios This feature is enabled by default and set to a target of 25 of clients connecting to the 2 4 GHz ba...

Page 117: ...hannels in the 5 GHz band to ensure the channel is clear of radar signals prior to transmitting on the channel If a channel is blocked by this feature it will be listed as DFS Block Radar in the AP mo...

Page 118: ...software component of the AeroScout visibility system that produces accurate location and presence data If you are using AeroScout Tags in your organization you can use the APs that are being managed...

Page 119: ...ocuments For more information on AeroScout Tags and the AeroScout Engine refer to your AeroScout documentation Ekahau Tag Detection Utilizing Wi Fi wireless network as an infrastructure the Ekahau Rea...

Page 120: ...or enables Ekahau tag detection on all its managed APs that support this feature Figure 63 Enabling Ekahau tag detection Active Client Detection Enabling active client detection allows ZoneDirector to...

Page 121: ...el Mode To configure data encryption and filtering for tunneled WLANs 1 Go to Configure Services 2 Scroll down to the bottom of the page and locate the Tunnel Configuration section 3 Enable the check...

Page 122: ...6 Neighbor Solicit over tunnels When ZoneDirector receives a broadcast ARP request for a known host it acts on behalf of the known host to send out unicast ARP replies at the rate limit specified If Z...

Page 123: ...r for Mesh links see Optional Mesh Configuration Features Proxy ARP for WLAN interfaces see Advanced Options under Creating a WLAN Proxy ARP for Tunneled WLANs see Tunnel Configuration When Proxy ARP...

Page 124: ...m Denial of Service attacks To configure the DoS protection options 1 Go to Configure WIPS 2 In the Denial of Service DoS section configure the following settings Protect my wireless network against e...

Page 125: ...ts A Rogue Access Point is any access point detected by a ZoneDirector managed access point that is not part of the ZoneFlex network managed by ZoneDirector Rogue devices are detected during off chann...

Page 126: ...or man in the middle attacks to exploit passwords and other sensitive data The last type of malicious rogue device is User Marked These are devices that are manually marked as malicious rogues by a Zo...

Page 127: ...ork connections or preventing client devices from accessing network services It could also be used by hackers to compromise network security Typically rogue DHCP servers are network devices such as ro...

Page 128: ...wing procedure to re enable To enable rogue DHCP server detection on ZoneDirector enabled by default 1 Go to Configure WIPS 2 In the Rogue DHCP Server Detection section select the Enable rogue DHCP se...

Page 129: ...Configuring Wireless Intrusion Prevention Rogue DHCP Server Detection ZoneDirector 9 8 User Guide 800 70599 001 Rev B 129 Figure 69 Enabling Rogue DHCP server detection...

Page 130: ...ss Control Lists Using the Access Controls configuration options you can define Layer 2 MAC address ACLs which can then be applied to one or more WLANs upon WLAN creation or edit ACLs are either allow...

Page 131: ...ovides access control options at Layer 3 and Layer 4 This means that you can configure the access control options based on a set of criteria including Destination Address Application Protocol Destinat...

Page 132: ...xample if you enter 192 168 0 1 24 the rule would allow or deny the entire Class C subnet To allow deny a single host use 32 as the netmask Application If you select a specific application from the me...

Page 133: ...nother To create a Device Access Policy 1 Go to Configure Access Control 2 In the Device Access Policy section click Create New 3 Enter a Name and optionally a description for the access policy 4 In D...

Page 134: ...evice Access Policy To apply a Device Access Policy to a WLAN 1 Go to Configure WLANs 2 To edit an existing WLAN click Edit next to the WLAN you want to edit 3 Expand the Advanced Options and locate t...

Page 135: ...on is enabled and which are destined to IP addresses that are not part of a per WLAN white list You can create exceptions to client isolation such as allowing access to a local printer for example by...

Page 136: ...nd click Delete 7 Click OK to save the white list Figure 74 Creating a Client Isolation White List To apply a Client Isolation White List to a WLAN 1 Go to Configure WLANs 2 Click Edit next to the WLA...

Page 137: ...elect a Whitelist from the drop down list of those you created on the Configure Access Control page 4 Click OK to save your changes Figure 75 Selecting a Client Isolation White List Configuring Applic...

Page 138: ...com This is an invalid rule Wildcard and other regular expres sions cannot be used in any part of the FQDN www corporate com games This is an invalid rule The filter cannot parse and block access on t...

Page 139: ...ches a configured policy will be displayed using the policy s name on the Application widget on the Dashboard and the Applications pie charts tables on the Wireless Clients monitoring page In case of...

Page 140: ...page You can create new port to application name mappings individually or you can batch upload a list in csv format Click the click here link to download a sample of the csv file format This type of p...

Page 141: ...Application Visibility ZoneDirector automatically identifies several hundred applications for use in appli cation recognition and denial policies The following links provide lists of many the most co...

Page 142: ...create a new policy to be selectable from the WLAN configuration dialog 3 Under Rules click Create New to create a new rule for this policy 4 Select an Attribute VLAN or Rate Limiting to apply a prec...

Page 143: ...rm to monitor block and unblock client devices manually from the ZoneDirector web interface Note the following considerations when managing the Blocked Clients list The block list is system wide and i...

Page 144: ...all active clients are displayed on the page the Show More button disappears 4 To block any listed client devices follow the next set of steps Temporarily Disconnecting Specific Client Devices Follow...

Page 145: ...f this proves to be a problem may prompt you to consider Permanently Blocking Specific Client Devices Permanently Blocking Specific Client Devices Follow these steps to permanently block a client devi...

Page 146: ...the Block button to permanently delete a client Reviewing a List of Previously Blocked Clients 1 Go to Configure Access Control 2 Review the Blocked Clients table 3 You can unblock any listed MAC add...

Page 147: ...Controlling Network Access Permissions Blocking Client Devices ZoneDirector 9 8 User Guide 800 70599 001 Rev B 147...

Page 148: ...tory objects are organized in a number of levels such as domains trees and forests At the top of the structure is the forest A forest is a collection of multiple trees that share a common global catal...

Page 149: ...r the Windows Domain Name e g domain ruckuswireless com 6 Click OK Figure 84 Enable Active Directory for a single domain For single domain authentication admin name and password are not required Multi...

Page 150: ...tory partitions in the forest If the server attempting to bind over port 3268 is not a Global Catalog server the server refuses the bind 3 Leave the Windows Domain Name field empty to search all domai...

Page 151: ...ser authentication for all users 1 Click the Edit link next to LDAP on the Configure AAA Servers page The Editing LDAP form appears 2 Enter the IP address and Port of your LDAP server The default port...

Page 152: ...te privileges but must able to read and search all users in the database Figure 86 Creating a new LDAP server object in ZoneDirector Advanced LDAP Filtering A search string in LDAP format conforming t...

Page 153: ...to If everything is configured correctly the result will display the groups associated with the student which should include a group called student or whatever was configured on your LDAP server Next...

Page 154: ...they were returned from the Test Authentication Settings dialog Specify WLAN access Guest Pass generation and ZoneDirector administra tion privileges as desired for this Role At this point any user w...

Page 155: ...server is available enable the check box next to Backup RADIUS and additional fields appear Enter the relevant information for the backup server and click OK When you have configured both a primary a...

Page 156: ...Server RADIUS RADIUS Accounting 156 Ruckus Wireless Inc 6 In Reconnect Primary enter the number of minutes after which ZoneDirector will attempt to reconnect to the primary RADIUS server after failove...

Page 157: ...Using an External AAA Server RADIUS RADIUS Accounting ZoneDirector 9 8 User Guide 800 70599 001 Rev B 157 Figure 89 Enable backup RADIUS server...

Page 158: ...DIUS server using the MAC address of the client as both the user name and password The MAC address format can be configured in one of the following formats A single string of characters without punctu...

Page 159: ...completed configuring the WLAN to authenticate users by MAC address from a RADIUS server Using 802 1X EAP MAC Address Authentication With the 802 1X EAP MAC Address authentication method clients confi...

Page 160: ...onitor Wireless Clients page shows the actual authentication method used for clients in an 802 1X EAP MAC Address authentication WLAN Using 802 1X with EAP MD5 EAP MD5 differs from other EAP methods i...

Page 161: ...tication and Table 16 lists those used in accounting ZoneDirector will terminate a user session if it receives a Change of Authorization Disconnect Message COA DM from the RADIUS server The COA DM mes...

Page 162: ...rd coded to be Framed User 2 12 Framed MTU hard coded to be 1400 30 Called Station ID user configurable 31 Calling Station ID format is sta s mac 32 NAS Identifier user configurable 61 NAS Port Type h...

Page 163: ...Tunnel Type value only relevant if it is 13 VLAN 65 Tunnel Medium Type value only relevant if it is 6 802 as in all 802 media plus ethernet 81 Tunnel Private Group ID this is the VLAN ID assignment p...

Page 164: ...o be Framed User 2 8 Framed IP address 30 Called Station ID user configurable 31 Calling Station ID format is sta s mac 32 NAS Identifier user configurable 44 Account session ID Ruckus private attribu...

Page 165: ...radius auth 1 50 Acct Multi Session ID 61 NAS Port Type hard coded to be 802 11 port 19 77 Connection Info indicates client radio type 25 Class if received in radius accept message from AAA Ruckus pri...

Page 166: ...lass 85 Acct interim interval 27 Session timeout 29 Termination action Session timeout event becomes a disconnect event or re authentication event if termination action indicates 1 radius request For...

Page 167: ...le 45 Acct authentic 50 Acct Multi Session Id 61 NAS port type 77 Connection Info indicates client radio type Ruckus private attribute Vendor ID 25053 Vendor Type Attribute Number 3 Ruckus SSID Additi...

Page 168: ...click the user or group and select Properties to open the user group name Properties dialog box 3 On the Properties dialog box click Edit Profile The Edit Dial in Profile dialog box opens 4 Click the...

Page 169: ...RADIUS RADIUS Accounting ZoneDirector 9 8 User Guide 800 70599 001 Rev B 169 6 Click OK 7 Repeat this procedure for additional users or groups Figure 94 On the Microsoft IAS page right click the user...

Page 170: ...Server RADIUS RADIUS Accounting 170 Ruckus Wireless Inc Figure 95 On the Properties page click Edit Profile Figure 96 On the Authentication tab of the Edit Dial in Profile dialog select Unencrypted au...

Page 171: ...ngle AP s only Monitoring Admin Monitoring and viewing operation status only TACACS is an extensible AAA protocol that provides customization and future development features and uses TCP to ensure rel...

Page 172: ...172 Ruckus Wireless Inc Figure 97 Configuring a TACACS AAA server Once your TACACS server is configured on the AAA Servers page you can select it from the list of servers used to authenticate ZoneDire...

Page 173: ...neDirector After you have configured one or more authentication servers in ZoneDirector perform this task to ensure that ZoneDirector can connect to the authentication server and retrieve the groups a...

Page 174: ...ups attributes the information appears at the bottom of the page The following is an example of the message that will appear when ZoneDirector authenticates successfully with the server Success Groups...

Page 175: ...works About Ruckus Wireless WLAN Security Creating a WLAN Creating a New WLAN for Workgroup Use Customizing WLAN Security Working with WLAN Groups Deploying ZoneDirector WLANs in a VLAN Environment Wo...

Page 176: ...urity settings For example you may need a WLAN that utilizes WEP encryption for wireless devices that only support WEP key encryption To create special WLANs with different settings for specific purpo...

Page 177: ...oth internal users and guests Authentication options include Open 802 1X EAP MAC Address 802 1X EAP MAC Address Encryption options depend on which type of authentication is chosen Open authentication...

Page 178: ...ays all WLANs that have already been created in ZoneDirector 2 In the top section WLANs click Create New The Create New workspace displays the following Figure 100 Creating a new WLAN The WLAN Create...

Page 179: ...26 is included an error message will appear WLAN Usages Select usage type standard guest access hotspot autonomous Authentication Options Select an authentication method for this WLAN open 802 1X EAP...

Page 180: ...efault Guest Access WLAN with open access and customizable encryption see Configuring Guest Access Guest WLANs are subject to guest access policies such as redirection and subnet access restric tions...

Page 181: ...uding ZoneDirector displayed client statistics may be incorrect Stations may be disconnected when an unreachable ZoneDirector becomes reachable again as ZoneDirector will re deploy all WLAN services t...

Page 182: ...tion choices include WPA2 WPA Mixed WEP 64 WEP 128 and None WPA2 is the only encryption method certified by the Wi Fi Alliance and is the recommended method WEP has been proven to be easily circumvent...

Page 183: ...802 11i compliant NICs Auto Automatically selects TKIP or AES encryption based on the client s capabilities Note that since it is possible to have clients using both TKIP and AES on the same WLAN onl...

Page 184: ...ireless Client Isolation to prevent all commu nication between WLAN clients and other local resources unless they are specifically allowed in a white list A Client Isolation White List must first be c...

Page 185: ...Control Policy Call Admission Control Disabled by default Enable Wi Fi Multimedia Admission Control WMM AC to support Polycom Spectralink VIEW certification When enabled the AP announces in beacons i...

Page 186: ...dvertised at any time This will not affect performance or force the WLAN user to perform any unnecessary tasks Tunnel Mode Select this check box if you want to tunnel the WLAN traffic back to ZoneDire...

Page 187: ...when enabled globally check this box For more information see Band Balancing Max Clients Limit the number of clients that can associate with this WLAN per AP radio default is 100 You can also limit t...

Page 188: ...walled garden web pages without adding to transmission statistics until after authorization Application Visibility Enable this option to allow APs to collect client application data which can then be...

Page 189: ...pt according to the Web Proxy Autodiscovery Protocol WPAD WPAD uses discovery methods such as DNS and DHCP Option 252 to locate the configuration file To use this feature you must designate where the...

Page 190: ...returns a neighbor report containing information about known neighbor APs that are candidates for a service set transition NOTE Background Scanning Configure Services and Report Rogue Devices Configu...

Page 191: ...ngineering you can do so by following these steps 1 Make a list of the group of users 2 Go to Configure WLANs 3 When the WLANs page appears the default internal and guest networks are listed in the ta...

Page 192: ...their first wireless network To review the security configuration and the available options customize the existing WLAN setup or replace it with a totally different configuration review the following...

Page 193: ...WPA encryption with no authentication Open Auth WPA2 Switch to this encryption method if you prefer the IEEE 802 11i standard which provides the highest level of security but is limited to devices wit...

Page 194: ...ll want to review and then change the security options for the internal network To start click Edit in the Internal WLAN row 3 When the Editing Internal options appear look at the two main categories...

Page 195: ...t in EAP server and Zero IT Wireless Activation certificates are automatically generated and installed on the end user s computer Users simply follow the instructions provided during the Zero IT Wirel...

Page 196: ...eir wireless device connection settings If Switching to 802 1X based Security 1 Applies only to the use of the built in EAP server Each user should be able to repeat the Zero IT Wireless Activation pr...

Page 197: ...WLAN Group and provide normal level access NOTE Creating WLAN groups is optional If you do not need to provide different WLAN services to different areas in your environment you do not need to create...

Page 198: ...want to be part of this WLAN group 6 In the VLAN override settings choose whether to override the VLAN configured for each member WLAN Available options include No Change Click this option if you want...

Page 199: ...h AP or radio on dual radio APs can only be a member of a single WLAN group 4 Click OK to save your changes Figure 105 Assign a WLAN group to an AP Viewing a List of APs That Belong to a WLAN Group 1...

Page 200: ...that allows the user to designate untagged frames going in out of a port to a specific VLAN For example if an 802 1Q port has VLANs 1 20 and 30 enabled with VLAN 1 being the native VLAN frames on VLA...

Page 201: ...mon VLAN scenarios include WLANs assigned to specific VLANs ZD and APs with no management VLAN WLANs assigned to specific VLANs ZD and APs within their own single management VLAN WLANs assigned to spe...

Page 202: ...d to segment management traffic to a specific VLAN and you want to include ZoneDi rector s AP management traffic in this VLAN you can set the parameters in the ZoneDirector system configuration NOTE A...

Page 203: ...anging management VLAN settings 8 Go to Administer Restart and click Restart to reboot ZoneDirector CAUTION When configuring or updating the management VLAN settings make sure that the same VLAN setti...

Page 204: ...amic VLAN Requirements A RADIUS server must have already been added to ZoneDirector WLAN authentication method must be set to 802 1X MAC address or 802 1X MAC address To enable Dynamic VLAN for a WLAN...

Page 205: ...N Priority of VLAN Dynamic VLAN and Tunnel Mode If the VLAN Dynamic VLAN and Tunnel Mode features are all enabled and they have conflicting rules ZoneDirector prioritizes and applies these three featu...

Page 206: ...s attribute to VLAN Tunnel Medium Type Set this attribute to IEEE 802 Tunnel Private Group ID Set this attribute to the VLAN ID to which you want to segment this user Depending on your RADIUS setup yo...

Page 207: ...eDirector provides two types of Hotspot services based on the WISPr Wireless Internet Service Provider roaming 1 0 and 2 0 specifications as described in the following sections Creating a Hotspot Serv...

Page 208: ...Create New The Create New form appears 3 In Name enter a name for this hotspot service You will need to choose this name from a list when creating a WLAN to serve this hotspot service 4 In WISPr Smar...

Page 209: ...nfigure AAA Servers page If a RADIUS server is selected an additional option appears Enable MAC authentication bypass no redi rection Enabling this option allows users with registered MAC addresses to...

Page 210: ...Garden In Restricted Subnet define L3 4 IP address access control rules for the hotspot service to allow or deny wireless devices based on their IP addresses Under Advanced Options enable Intrusion Pr...

Page 211: ...ts added the client gets redirected to the IP address of the ZD instead of the FQDN Assigning a WLAN to Provide Hotspot Service After you create a hotspot service you need to specify the WLANs to whic...

Page 212: ...L sent to the captive portal server See the following URL for an example http portal free com sip 192 168 120 15 mac 74911a20 dac0 client_mac 00216a95b0de uip 192 168 120 13 lid 101 dn free com url ss...

Page 213: ...rvices offered or allow the user to manually select an SSID for which the user has login credentials ZoneDirector s Hotspot 2 0 implementation complies with the IEEE 802 11u stan dard and the Wi Fi Al...

Page 214: ...st List of network access identifier NAI realms corresponding to SSPs or other entities whose networks or services are accessible via this AP Up to five NAI realm entries can be created Each NAI realm...

Page 215: ...To create an Operator Profile 1 Go to Configure Hotspot 2 0 Services 2 Click Create New under Operator Profiles 3 Configure the settings in Table 113 to create a Hotspot 2 0 Operator profile Figure 1...

Page 216: ...r including NAI realm domain name roaming consortium 3GPP cellular network info A Service Provider profile must first be created before it appears here Up to six Service Provider Profiles can be indic...

Page 217: ...e Create a Hotspot 2 0 WLAN After you create a HS2 0 service you need to specify the WLANs to which you want to deploy the hotspot configuration To configure an existing WLAN to provide hotspot servic...

Page 218: ...In Hotspot 2 0 Operator select the name of the Operator profile that you created previously 5 In Authentication Server select the RADIUS server used to authenticate users 6 Optionally enable Proxy ARP...

Page 219: ...Keys Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of normal Pre shared Key PSK wireless networks Unlike typical PSK networks which share a single key amongst all devices...

Page 220: ...using Zero IT Activation see Enabling Automatic User Activation with Zero IT Enabling Dynamic Pre Shared Keys on a WLAN To use DPSK for client authentication you must enable it for a particular WLAN i...

Page 221: ...ck OK to save your settings This WLAN is now ready to authenticate users using Dynamic Pre Shared Keys once their credentials are verified against either the internal database or an external RADIUS se...

Page 222: ...checked expired DPSKs will remain in the system though unusable after expiration and clients using an expired DPSK can remain connected until the user disconnects from the WLAN 4 Click the Apply butto...

Page 223: ...tomatically populate the names of each user BatchDPSK_User_1 BatchDPSK_User_2 and so on to generate the dynamic PSKs 5 In Role select the Role you want to apply to this batch of DPSK users 6 In Dynami...

Page 224: ...longer be able to access the WLAN using the same passphrase network key Alternatively you can allow users to automatically self provision their clients using Zero IT as described in Enabling Automatic...

Page 225: ...device assumes it has network connectivity and no action is taken However this login utility is not a fully functional browser and does not support HTML HTML5 PHP or other embedded video In some situ...

Page 226: ...Locate the Bypass Apple CNA Feature section at the bottom of the page 3 Select any or all of the following WLAN types for which you want to bypass the Apple CNA feature Web Authentication Guest Access...

Page 227: ...anaging Access Points In this chapter Adding New Access Points to the Network Working with Access Point Groups Reviewing Current Access Point Policies Importing a USB Software Package Managing Access...

Page 228: ...ing AP join requests If you prefer you can disable Automatic Approval If this is your preference ZoneDirector will detect new APs alert you to their presence and then wait for you to manually approve...

Page 229: ...first 15 access points that have been approved or are awaiting approval If ZoneDirector is managing more than 15 access points the Show More button at the bottom of the list will be active To display...

Page 230: ...Adding New Access Points to the Network Verifying Approving New APs 230 Ruckus Wireless Inc Figure 121 The Monitor Access Points page...

Page 231: ...n steps involved in working with AP groups Modifying the System Default AP Group The first step in working with AP groups is defining the default behavior of all APs controlled by ZoneDirector Creatin...

Page 232: ...p settings Setting Description Name The System Default group name cannot be changed you can edit this field when creating editing any other AP group Description The System Default description cannot b...

Page 233: ...s SmartPositioning Technology SPoT location based service solution Enter the SPoT server URL port password and venue name as configured on the SmartPositioning server For information on configuration...

Page 234: ...Access Point Groups section click the Create New button The Create New form appears 3 Enter a Name and optionally a Description for the new AP group 4 Modify any of the settings in Table 23 that you...

Page 235: ...p click the check box at the top of the column 2 Select the target AP group from the drop down list and click Move To The AP disappears from the current group list 3 Click OK to save your changes Figu...

Page 236: ...e 7300 series APs This can be useful if your APs are installed in a public location and you don t want to draw attention to them External Antenna External antenna configuration is available for the 5...

Page 237: ...least one Trunk Port For single port APs e g ZoneFlex R300 the single LAN port must be a trunk port and is therefore not configurable For ZoneFlex 7025 7055 the LAN5 Uplink port on the rear of the AP...

Page 238: ...Working with Access Point Groups Modifying Model Specific Controls 238 Ruckus Wireless Inc Figure 124 The ZoneFlex 7982 has two Ethernet ports LAN1 and LAN2...

Page 239: ...ing with Access Point Groups Modifying Model Specific Controls ZoneDirector 9 8 User Guide 800 70599 001 Rev B 239 Figure 125 The ZoneFlex 7025 7055 has four front facing Ethernet ports and one rear p...

Page 240: ...ub options can be used to further customize the format and content of information provided in DHCP requests As of release 9 8 ZoneDirector supports the following Option 82 sub options Sub option 1 Age...

Page 241: ...s members of specific VLANs thereby separating the traffic on these ports from traffic on other VLANs General Ports are user defined ports that can have any combination of up to 20 VLAN IDs assigned F...

Page 242: ...e VLANs that exist on the AP switch and carries traffic for all those VLANs between switches Access Ports All Access Ports are set to Untag VLAN 1 by default This means that all Access Ports belong to...

Page 243: ...supplicant and authenticator functionality at the same time NOTE If mesh mode is enabled on ZoneDirector the 802 1X port settings will be unavailable for any APs that support mesh The ZoneFlex 7025 d...

Page 244: ...he network In MAC based mode each MAC host is individually authenticated Each newly learned MAC address triggers an EAPOL request identify frame Guest VLAN Default disabled When a station fails to aut...

Page 245: ...pstream authenticator port Until the AP has successfully done so the state of the authenticator port is closed and packets from the AP or stations behind it will be dropped at the authenticator port I...

Page 246: ...tatus 246 Ruckus Wireless Inc Figure 128 Configuring an AP Ethernet port as an 802 1X Supplicant Viewing AP Ethernet Port Status You can view the status of an AP s port configuration by going to Monit...

Page 247: ...Working with Access Point Groups Viewing AP Ethernet Port Status ZoneDirector 9 8 User Guide 800 70599 001 Rev B 247 Figure 129 Viewing an AP s Ethernet port configuration...

Page 248: ...ry If you have multiple ZoneDirectors on the network and want specific APs to join specific ZoneDirectors you can limit ZoneDi rector discovery To do this select the Limited ZD Discovery check box and...

Page 249: ...e AP is disabled by default VLAN ID Enter a valid VLAN ID to segment management traffic into the VLAN specified Valid VLAN IDs are 1 4094 NOTE If you change the Management VLAN ID here you also need t...

Page 250: ...rollers for example using a ZD3000 as a backup for several ZD1100s in remote locations you can use Limited ZD Discovery to achieve limited N 1 redundancy NOTE Using Limited ZD Discovery for redundancy...

Page 251: ...apped to their respective settings on the backup controller If you do not configure these settings first before importing AP lists you will need to configure them for each AP after importing For examp...

Page 252: ...guration files directly through ZoneDirector providing a simple and straightfor ward provisioning process with minimal human intervention required Provisioning requires that the SmartPoint Access Poin...

Page 253: ...nnect the wired network connection then reboot the AP 6 After reboot the AP detects the appropriate drivers on its persistent storage goes through the 3G 4G LTE network connection process and establis...

Page 254: ...umbers hyphens and underscores Note however that only the first 17 characters of the device name will be displayed in the Events Activities tables Description Enter a description for the AP This descr...

Page 255: ...n also disable service for a particular WLAN at specific times of day or days of the week by setting the Service Schedule For more information see Advanced Options for creating a WLAN 13 External Ante...

Page 256: ...et which APs can serve as its uplinks select the Manual radio button under Advanced Options Uplink Selection default is Smart The other APs in the mesh appear below the selection 18 Select the check b...

Page 257: ...et the Venue Name for the venue at which the AP will be operating You can create up to two Venue Names two languages for the venue name To set the Hotspot 2 0 Venue Name for an AP 1 Go to Configure Ac...

Page 258: ...eset channels and adjust transmission power or adjust the priority of certain WLANs over others as needed Assessing Current Performance Using the Map View REQUIREMENT The importing of a floorplan and...

Page 259: ...e APs to a power source 4 To refresh the ZoneDirector Map View run a full system RF Scan as detailed in Starting a Radio Frequency Scan 5 When the RF scan is complete and ZoneDirector has recalibrated...

Page 260: ...t is Auto Uplink Selection Use this setting to manually define which APs can serve as an uplink for this Mesh AP 5 Click OK The adjusted AP will be automatically restarted and when it is active will b...

Page 261: ...ew Tools Evaluating and Optimizing Network Coverage Reviewing Current Alarms Reviewing Recent Network Events Moniting WLAN Status Reviewing Current User Activity Monitoring Individual Clients Monitori...

Page 262: ...boring and rogue client devices and RF coverage You can see what devices are where in your floorplan and visually evaluate network coverage NOTE Map View to work your computer must have Java version 7...

Page 263: ...rror message appears when these file size limits are reached Additionally the maximum file size per floorplan image is 512kb 200kb or smaller is recommended Requirements A floorplan image in GIF JPG o...

Page 264: ...nting multiple floors in your building s make sure you place the access point markers on the correct floorplan 1 Have the list of APs handy with MAC addresses and locations 2 Go to Monitor Map View if...

Page 265: ...the Map View as noted here and marked in the above illustration 1 Map drop down list Select the floorplan to view from the Map drop down list 2 Coverage and Show Rogue APs box For Coverage selecting...

Page 266: ...the size and angle of the floorplan by using the tools on this screen Note the following icons 7 Signal This colored legend displays the signal strength coverage when you selected either 2 4 GHz or 5...

Page 267: ...ove the icon A rogue AP displays a smaller red icon imprinted with a bug A bug icon with a lock on it indicates a rogue AP with security enabled In a Smart Mesh network an isolated AP displays a red X...

Page 268: ...color range especially colors that indicate low coverage 6 Look at the floorplan and evaluate the current coverage Moving the APs into More Efficient Positions You can now move the APs into more effic...

Page 269: ...e 137 The All Alarms page 3 Review the contents of this table The Activities column is especially informative 4 If a listed alarm condition has been resolved click the now active Clear link to the rig...

Page 270: ...st events will be overwritten when new events occur Clearing Recent Events Activities To review the current events and if appropriate clear all resolved events follow these steps 1 Go to Monitor All E...

Page 271: ...Moniting WLAN Status Clearing Recent Events Activities ZoneDirector 9 8 User Guide 800 70599 001 Rev B 271 Figure 138 The Monitor WLANs page...

Page 272: ...in more detail Additionally you can perform a number of actions on individual clients from this page including blocking unauthorized clients deleting clients from the table which will allow them to at...

Page 273: ...Activity Viewing Application Usage Statistics ZoneDirector 9 8 User Guide 800 70599 001 Rev B 273 Figure 139 Monitoring client activity Click the Show Details button to display detailed application or...

Page 274: ...columns displayed by clicking the Edit Columns button You can also delete block run SpeedFlex and test connectivity using the action icons in this table Inactive Clients The Inactive Clients table di...

Page 275: ...Reviewing Current User Activity Events Activities ZoneDirector 9 8 User Guide 800 70599 001 Rev B 275 Figure 141 Monitoring Clients...

Page 276: ...ou want to monitor The page refreshes to display a page of client specific information and statistics The Monitoring Clients client MAC address page displays the following information about the connec...

Page 277: ...d to track the uplink downlink throughput of a specific client over time To monitor a client s performance 1 Go to Monitor Wireless Clients and locate the client MAC address in the Active Clients list...

Page 278: ...his estimate is based on measurements of downlink traffic and is updated only when the AP transmits more than 1000 packets each containing at least 1024 bytes of data within a one minute measurement i...

Page 279: ...cate information on the APs that ZoneDirector is managing Open the Dashboard for a snapshot of the most active APs Click the MAC address link of any AP record to see more details Go to Monitor Map Vie...

Page 280: ...om ZoneDirector s perspective Approval Pending Connected Disconnected Root AP Mesh AP eMesh AP Number of hops Mesh Mode Displays whether the AP is manually set as a Root or Mesh AP or set to automatic...

Page 281: ...ant to display the option to Export to CSV appears If the search box is empty all APs will be saved to the CSV file If you enter text in the search box only the APs currently matching the search text...

Page 282: ...t Status Using the AP Status Overview Page 282 Ruckus Wireless Inc Figure 146 Viewing AP group members Events Activities This table displays an AP related subset of the information on the Monitor All...

Page 283: ...ress and model number Info Displays uptime clients and mesh status Actions Action icons provide tools for managing the AP see Using Action Icons to Configure and Troubleshoot APs in a Mesh On supporte...

Page 284: ...ement interval The uplink and downlink throughput curves show the actual throughput of a particular client or the current mix of clients These curves are influenced by the user session and they vary a...

Page 285: ...n is a measure of noise or other interference that is in fact impacting performance How do customers use this new concept to understand and manage their WiFi networks RF Pollution is an informational...

Page 286: ...Monitoring Individual APs RF Pollution FAQ 286 Ruckus Wireless Inc Figure 147 Viewing an individual AP s information Figure 148 Monitoring an AP s performance...

Page 287: ...signal power readings within each portion of the frequency band in a cumulative distribution format The CDF plot is color coded based upon the frequency with which each point is observed during conse...

Page 288: ...Monitoring Individual APs Spectrum Analysis 288 Ruckus Wireless Inc Figure 149 APs that support spectrum analysis display an extra icon in the Actions table...

Page 289: ...k performance issues Details on neighbor APs include Access Point The AP s description if configured or the MAC address if no name or description is available Channel The channel that the neighbor AP...

Page 290: ...lable on most Ruckus Wire less outdoor APs and orientation sensors are available on the ZoneFlex 7962 indoor AP Orientation This sensor displays the mounting orientation of the AP Three orientations a...

Page 291: ...zed APs pose problems for a wireless network in terms of airtime contention as well as security Usually a rogue AP appears in the following way an employee obtains another manufacturer s AP and connec...

Page 292: ...yet been categorized as malicious or non malicious malicious AP SSID spoof A malicious rogue AP that uses the same SSID as ZoneDirector s AP also known as an Evil twin AP malicious AP MAC spoof A mal...

Page 293: ...a neighboring network you can mark it as known NOTE If your office or worksite is on a single floor in a multistory building your upper and lower floor neighbors wireless access points may show up on...

Page 294: ...Monitoring Rogue Access Points Monitoring System Ethernet Port Status To view the status of ZoneDirector s Ethernet ports go to Monitor System Info The table displays the MAC address Interface ID phy...

Page 295: ...on ZoneDirector 9 8 User Guide 800 70599 001 Rev B 295 Figure 156 Monitoring system Ethernet port information Monitoring AAA Server Statistics To monitor AAA servers that you have configured on the Co...

Page 296: ...or SmartPositioning location servers that you have configured on the Configure Access Points AP Groups page go to Monitor Location Services NOTE For information on configuration and administration of...

Page 297: ...Monitoring Location Services Access Point Sensor Information ZoneDirector 9 8 User Guide 800 70599 001 Rev B 297 Figure 158 Monitoring Location Services...

Page 298: ...Monitoring Location Services Access Point Sensor Information 298 Ruckus Wireless Inc...

Page 299: ...ter Enabling Automatic User Activation with Zero IT Adding New User Accounts to ZoneDirector Managing Current User Accounts Creating New User Roles Managing Automatically Generated User Certificates a...

Page 300: ...S Active Directory or LDAP server Configure Users To enable Zero IT activation do the following 1 Go to Configure WLANs 2 Click Edit on the WLAN where you want to enable Zero IT Activation 3 Enable WP...

Page 301: ...can self provision his her wireless client to securely access your wireless LANs Clients that Support Zero IT NOTE For a detailed list of the operating systems that the Zero IT configuration supports...

Page 302: ...s permission Additionally you must enable permission to modify WZC Windows Zero Configu ration for the users groups by creating a new security template and applying the template to the account using M...

Page 303: ...s wireless settings for access to the secure internal WLAN 5 If you are not running a supported operating system you can manually configure wireless settings by clicking the link at the bottom of the...

Page 304: ...sers are connecting with clients running earlier versions of Windows Linux or other operating systems that do not support Zero IT provisioning users must manually configure wireless settings A manual...

Page 305: ...to 64 characters including special characters and spaces Password Enter a unique password for this user 4 32 characters in length using a combination of letters numbers and special characters includi...

Page 306: ...ting user accounts as needed Changing an Existing User Account 1 Go to Configure Users 2 When the Users features appear locate the specific user account in the Internal User Database panel and then cl...

Page 307: ...users to limit their access to certain WLANs to allow them to log in with non standard client devices or to grant permission to generate guest passes You can then edit the default role to disable the...

Page 308: ...ption NOTE When creating a guest pass generator Role you must ensure that this Role is given access to the Guest WLAN If you create a Role and allow guest pass generation but do not allow the Role acc...

Page 309: ...AN for both students and staff members Then when either connects to the network they would be given access rights based on their roles at the school Users created on an AAA server can be mapped to rol...

Page 310: ...es and Keys With Ruckus Zero IT wireless activation a unique key or certificate is automatically generated for a user during the activation process More precisely for a WLAN configured with WPA or WPA...

Page 311: ...w key or a new certificate Using an External Server for User Authentication Once your wireless network is set up you can instruct ZoneDirector to authenticate wireless users using your existing Authen...

Page 312: ...erver type for more information 5 Click OK to save this server entry The page refreshes and the AAA server that you added appears in the list of authentication and accounting servers Note that input f...

Page 313: ...users to a login web page the first time they connect to this WLAN and requires them to log in before granting access to use the WLAN After you activate web authentication on your WLAN you must then...

Page 314: ...on option See Figure 167 4 Click the check box to Enable captive portal Web authentication 5 Select the preferred authentication server from the Authentication Server drop down menu 6 Click OK to save...

Page 315: ...8 User Guide 800 70599 001 Rev B 315 8 Managing Guest Access In this chapter Configuring Guest Access Creating a Guest Access Service Creating a Guest WLAN Using the BYOD Onboarding Portal Working wit...

Page 316: ...Service 1 Go to Configure Guest Access 2 Click Create New to configure a guest access service 3 In Onboarding Portal choose which options to display in the BYOD Onboarding Portal See Using the BYOD O...

Page 317: ...ion settings Web Portal Logo Upload a logo to replace the Ruckus logo Guest Access Customization Enter text to display on the welcome page Restricted Subnet Access See Configuring Guest Subnet Access...

Page 318: ...under the table columns in which you can enter parameters that define the access rule 5 Under Description type a name or description for the access rule that you are creating 6 Under Type select Deny...

Page 319: ...o the secure internal WLANs To create a Guest WLAN 1 Go to Configure WLANs 2 Under WLANs click Create New The Create New WLAN form appears 3 Enter a Name SSID for this WLAN that will be easy for your...

Page 320: ...to allow disconnected users a grace period after disconnection during which users will not need to re authenticate 10 Click OK to save your changes Figure 170 Create a Guest Access WLAN Using the BYO...

Page 321: ...arding Portal Guest Pass Device Registration Show both buttons Device Registration Show Zero IT Device Registration button only 5 If Guest Pass is enabled configure Guest Pass options as described in...

Page 322: ...WLAN and all settings on the Guest Access configuration page will be put into effect Figure 173 Guest Access welcome and terms of use screens If the user clicks the Register Device button the web pag...

Page 323: ...ith the settings to automatically connect to the secure internal corporate WLAN NOTE You may need to manually switch from the guest WLAN to the secure WLAN after activation on some mobile devices NOTE...

Page 324: ...email with guest credentials NOTE To enable guest pass delivery via email or SMS you must first configure an email server or an SMS delivery account Twilio or Clickatell from the Configure System page...

Page 325: ...uest pass is valid from the time it is first created to the specified expiration time even if it is not being used by any end user Effective from first use This type of guest pass is valid from the ti...

Page 326: ...sting roles including Default 2 Click Edit in the Default role row 3 In the Policies options clear the Allow Guest Pass Generation check box 4 Click OK to save your settings Users with default roles n...

Page 327: ...1 allow all users with this role to connect to all WLANs or 2 limit this role s users to specific WLANs and then pick the WLANs they can connect to NOTE When creating a guest pass generator Role you m...

Page 328: ...er account 1 Go to Configure Users 2 At the bottom of the Internal User Database click Create New 3 When the Create New form appears fill in the text fields with the appropriate entries 4 Open the Rol...

Page 329: ...delivering a guest pass For instructions on how to generate multiple guest passes see Generating and Printing Multiple Guest Passes at Once NOTE If printing the guest pass make sure that your computer...

Page 330: ...er for whom you are generating the guest pass Valid for Specify the time period when the guest pass will be valid Do this by typing a number in the blank box and then selecting a time unit Minutes Hou...

Page 331: ...s 7 Click Next The Wireless Access Portal page appears 8 Choose whether to activate this guest pass for either yourself or a guest and click Next 9 The Request a Guest Pass page appears 10 Enter the g...

Page 332: ...Working with Guest Passes Generating and Delivering a Single Guest Pass 332 Ruckus Wireless Inc Figure 178 The Guest Pass Generated page Figure 179 Sample guest pass printout...

Page 333: ...ector hostname or ipaddress guestpass 3 In User Name type your user name 4 In Password type your password 5 Click Log In The Guest Information page appears On this page you need to provide information...

Page 334: ...expires Figure 180 Generating multiple guest passes at once NOTE If you want to be able to identify the guest pass users by their names for monitoring or auditing purposes in a hotel setting for exam...

Page 335: ...uctions 2 In Creation Type click Multiple 3 Click the click here link in To download a profile sample click here 4 Save the sample guest pass profile in CSV format to your computer 5 Using a spreadshe...

Page 336: ...F or PNG Make sure that the logo file does not exceed the following Length Two inches on any side File size 20kB To customize the guest login page 1 Go to Configure Guest Access Edit or create a new G...

Page 337: ...fault As administrator you can create custom guest pass printouts For example if your organization receives visitors who speak different languages you can create guest pass printouts in other language...

Page 338: ...ck Browse select the HTML file that you customized earlier and then click Open ZoneDirector copies the HTML file to its database 9 Click Import to save the HTML file to the ZoneDirector database You h...

Page 339: ...ustomize the message in the text box and click Apply to save your changes GP_ELSEIF_EFFECTIVE_FROM_FIRST _USE If you set the validity period of guest passes to Effective from first use in the Guest Pa...

Page 340: ...Configure System page are first configured to allow ZoneDirector to use the configured Twilio or Clickatell account to deliver guest passes To customize the content of the SMS message used to deliver...

Page 341: ...Working with Guest Passes Delivering Guest Passes via SMS ZoneDirector 9 8 User Guide 800 70599 001 Rev B 341 Figure 184 Customize the SMS content...

Page 342: ...Working with Guest Passes Delivering Guest Passes via SMS 342 Ruckus Wireless Inc...

Page 343: ...sh Networking Terms Supported Mesh Topologies Deploying a Wireless Mesh via ZoneDirector Understanding Mesh related AP Statuses Using the ZoneFlex LEDs to Determine the Mesh Status Using Action Icons...

Page 344: ...ing When a new node appears it becomes assimilated into the mesh network In the Ruckus Wireless Smart Mesh network all traffic going through the mesh links is encrypted A passphrase is shared between...

Page 345: ...gh its wireless interface Ethernet Linked Mesh AP eMAP An eMAP is a mesh node that is connected to its uplink AP through a wired Ethernet cable rather than wirelessly eMAP nodes are used to bridge wir...

Page 346: ...ou can set up a mesh network using the wireless bridge topology In this topology ZoneDirector and the upstream router are on the primary wired LAN segment and another isolated wired segment exists tha...

Page 347: ...n eMAP is a special kind of Mesh AP that uses a wired Ethernet link as its uplink rather than wireless An eMAP is not considered a Root AP despite the fact that it discovers ZoneDirector through its E...

Page 348: ...mesh network from the Monitor Access Points page or from the Mesh Topology widget on the Dashboard Deploying a Wireless Mesh via ZoneDirector Deploying a wireless mesh via ZoneDirector involves the fo...

Page 349: ...each Root AP and Mesh AP Remember that Root APs need to be connected to ZoneDirector via their Ethernet ports Make sure that the Root AP locations can be wired easily if cabling is not yet available...

Page 350: ...to prevent isolating nodes If you want to disable Smart Mesh once it has been enabled you will have to factory reset ZoneDirector or disable mesh for each AP as described in Managing Access Points Ind...

Page 351: ...request from a known host the AP converts the broadcast request packet into a unicast request by replacing the broadcast address with the MAC address If the AP receives a request from an unknown host...

Page 352: ...pable Mesh AP as its downlink you will need to set the channel for the Root AP to one of the non DFS channels Specifically choose one of the following channels 36 40 44 48 149 153 157 161 165 This is...

Page 353: ...possible for a node to be associated to a different ZoneDirector than its parent or children Figure 189 Dotted lines indicate that these APs are part of the wireless mesh network The symbols next to t...

Page 354: ...d Action Connected AP is connected to ZoneDirector but mesh is disabled If mesh is enabled on the AP you may need to reboot it to activate the mesh Connected Root AP AP is connected to ZoneDirector vi...

Page 355: ...LED Indicates downlink status and client association status AIR Signal Air Quality LED Indicates uplink status and the quality of the wireless signal to the uplink AP WLAN LED When Smart Mesh is enabl...

Page 356: ...w for more information LED Color Behavior Root AP eMAP Mesh AP Solid green N A Connected to a Root AP or another Mesh AP Signal quality is good Fast blinking green N A Connected to a Root AP or anothe...

Page 357: ...havior Root AP eMAP Mesh AP Fast blinking green No Mesh AP is connected Disconnected from the Root AP Solid green At least one Mesh AP is connected Signal quality is good Connected to a Root AP Signal...

Page 358: ...d to disable Smart Uplink Selection and manually set the mesh nodes to which an AP can connect Note that in most situations Ruckus Wireless recommends against manually changing the roles of APs in a m...

Page 359: ...or an AP manually 1 On the ZoneDirector web interface click the Configure tab 2 On the menu click Access Points 3 In the Access Points table find the AP you want to restrict and click Edit under the A...

Page 360: ...e Isolated Mesh AP statuses that may appear on the Monitor Access Points page and provides possible reasons for the isolation and the recommended steps for resolving the issue Status Possible Reason N...

Page 361: ...such as Notepad Step 1 Obtain the Mesh SSID and Passphrase 1 On the ZoneDirector web interface click the Configure tab and then click Mesh on the menu Config error The AP attempted to establish the m...

Page 362: ...reless connection list locate the Mesh recovery SSID The SSID will be named island xxxxxx where xxxxxx is the last 6 digits of the AP s MAC address 2 Connect to this WLAN using WPA and the passphrase...

Page 363: ...uto 6 If there are multiple ZoneDirectors on the network you may need to specify which ZoneDirector the AP should connect to using the command set director ip ZoneDirector s IP address 7 If a manageme...

Page 364: ...Best Practices and Recommendations Recovering an Isolated Mesh AP 364 Ruckus Wireless Inc...

Page 365: ...oneDirector Administrator User Name and Password Changing the Web Interface Display Language Upgrading ZoneDirector and ZoneFlex APs Working with Backup Files Restoring ZoneDirector to Default Factory...

Page 366: ...save your changes To edit or replace the current name or password 1 Go to Administer Preferences 2 When the Preferences page appears you have the following options under Administrator Name Password Au...

Page 367: ...tes 24 hours To change the admin idle timeout period enter a new value in Administer Preferences Timeout interval and click Apply Changing the Web Interface Display Language Depending on your preferen...

Page 368: ...from the network To minimize network disruption Ruckus Wireless recommends performing the upgrade procedure at an off peak time NOTE If ZoneDirector is running a software version or earlier than versi...

Page 369: ...ge Performing an Upgrade with Smart Redundancy If you have two ZoneDirectors in a Smart Redundancy configuration the procedure is similar Note however that the active and standby ZoneDirectors will re...

Page 370: ...with Backup Files After you have set up and configured your Ruckus wireless network you may want to back up the full configuration The resulting archive can be used to restore your ZoneDirector and ne...

Page 371: ...r Restore Configuration click Browse 3 Locate a previously saved backup file select the file and then click Open 4 Three restore options appear Restore everything Select this option if you want the de...

Page 372: ...N settings 3 Smart Redundancy settings 4 DHCP server settings 5 Session timeout 6 Limited ZD Discovery and Management VLAN settings in Access Point Policies Restore only WLAN settings access control l...

Page 373: ...n near the line that begins If you need to import the APs configuration 3 Browse to a previously saved backup file select the file and click Open The page refreshes and the name of the backup file you...

Page 374: ...s accounts and preference configurations would need to be manually reconfigured CAUTION Resetting ZoneDirector to factory default settings will erase all configuration changes that you made except for...

Page 375: ...Backup 2 When the Backup Restore page appears look for Restore Factory Settings and click the button 3 Owing to the drastic effect of this operation one or more confirmation dialog boxes will appear C...

Page 376: ...nd therefore not trusted by any web browser This is the reason why the SSL security warnings appear when establishing an HTTPS connection to the ZoneDirector To eliminate the security warnings adminis...

Page 377: ...r will be accessed in your browser e g by device name such as ZoneDirector NOTE Ruckus Wireless recommends using the FQDN as the Common Name if possible If your network does not have a DNS server you...

Page 378: ...ountry or region from the pull down menu 3 Click Apply A dialog box appears and prompts you to save the CSR file myreq csr that you have just created 4 Save the file to your computer Figure 198 Genera...

Page 379: ...RA MR dDI1dTPtSUG7 zWjXO5jC 0pykSldW q8hgO8kq30S8JzCwkqrXJfQ050N4TJtgb YC4gwH3BuB9wqpRjUahTiK1V1 ju9bHB bFkMWIIMIXc1Js62JClWzwFgaGUS2DLE8xICQ3wU1ez8RUPGn wSxAYtZ2N7zDxYDP2tEiO5j2cXY7O8mR3ni0C30 END CE...

Page 380: ...the end certificate click on the intermediate certificate import option Click on the Import button to reveal the Import Intermediate Certificates form Click on Browse button and select the file conta...

Page 381: ...ther ZoneDirector If your ZoneDirector is replaced due to an RMA you will need to restore the private key if you have installed a public certificate Ensure that the private key is kept secure because...

Page 382: ...certificate When you try to import a wildcard certificate the ZoneDirector will notify you that it does not have the matching private key At this point click on the click here link to import the priva...

Page 383: ...figuration with the Hotspot captive portal when it is being used for Zero IT activation through the ZoneDirector because the FQDN for the activate URL is identical on both ZoneDirectors To achieve thi...

Page 384: ...to belong Remember the group names that you set you will enter this information when you create administrator roles in ZoneDirector see Step 3 TACACS See TACACS for more information 2 Set up ZoneDire...

Page 385: ...t details that you will see Admin user_name login authenticated by Authentication Server with Role Upgrading the License Depending on the number of Ruckus Wireless APs you need to manage with your Zon...

Page 386: ...se 2 Repeat for the standby ZoneDirector 3 After both have been upgraded and the license levels match the Smart Redundancy indicator displays Active Connected or Standby Connected Support Entitlement...

Page 387: ...pport Service section click Choose File to import a new support upgrade file 3 Once the new support entitlement is applied click Check Entitlement to display the entitlement status service purchased s...

Page 388: ...Support Entitlement Upgrading the License with Smart Redundancy 388 Ruckus Wireless Inc...

Page 389: ...Connections Measuring Wireless Network Throughput with SpeedFlex Diagnosing Poor Network Performance Starting a Radio Frequency Scan Using the Ping and Traceroute Tools Viewing Current System and AP L...

Page 390: ...g another OS or running a version of Windows pre XP SP2 This includes XP SP1 Your users client devices are using wireless network adapters without a WPA implementation The following list of options ma...

Page 391: ...ious problems will hopefully be resolved To fix the connection of an active client 1 Go to Monitor Wireless Clients 2 In the Clients table locate the problematic client and click the Delete button on...

Page 392: ...with instructions on how to re configure their client and log into the WLAN again At the end of this process the user should be reconnected If problems persist they may originate in Windows or in the...

Page 393: ...click Monitor Access Points If you want to test client throughput click Monitor Wireless Clients 5 In the list of APs or clients look for the MAC address of the AP or wireless client that you want to...

Page 394: ...re Their Own Wireless Throughput After SpeedFlex is installed and running on the client click Start again to continue with the wireless performance test A progress bar appears below the speedometer as...

Page 395: ...Flex If WLAN Connection Problems Persist ZoneDirector 9 8 User Guide 800 70599 001 Rev B 395 Figure 206 Click the download link for the target client s operating system Figure 207 A progress bar appea...

Page 396: ...ns throughput results for each hop as well as the aggregate throughput from ZoneDirector to the final AP in the tree To measure throughput across multiple hops in a Smart Mesh tree 1 Go to Monitor Mes...

Page 397: ...Throughput with SpeedFlex Using SpeedFlex in a Multi Hop Smart Mesh Network ZoneDirector 9 8 User Guide 800 70599 001 Rev B 397 Figure 209 Running Multi Hop SpeedFlex in a mesh tree Figure 210 Multi...

Page 398: ...nected only to the wireless network If your wireless device is also connected to the wired network unplug the network cable 2 Start your web browser and then enter the following in the address or loca...

Page 399: ...work administrator for assistance Diagnosing Poor Network Performance You can try the following diagnostic and troubleshooting techniques to resolve poor network performance 1 Go to Monitor Map View 2...

Page 400: ...ection and an updated coverage evaluation Figure 211 The Diagnostics page Using the Ping and Traceroute Tools The ZoneDirector web interface provides two commonly used tools that allow you to diagnose...

Page 401: ...The Network Connectivity window opens Click Ping to ping the IP address or Trace Route to diagnose the number of hops to the IP address Figure 213 Network Connectivity dialog You can also access the...

Page 402: ...Info section click Save Debug Info 6 When the File Download dialog box appears select Save File and click OK 7 When the Save As dialog box appears pick a convenient destination folder type a name for...

Page 403: ...hroughput ZoneDirector 9 8 User Guide 800 70599 001 Rev B 403 1 Go to Administer Diagnostics and locate the AP Logs section 2 Click the Click Here link next to To show current AP logs The log data is...

Page 404: ...apture Streaming Mode NOTE Performing packet capture on the 5 GHz radio of a Mesh AP MAP can result in connectivity issues due to the AP s use of the 5 GHz radio for Mesh communications Therefore Ruck...

Page 405: ...which applies it before streaming Both modes allow compound filter expressions conforming to the pcap filter syntax which is described at http www manpagez com man 7 pcap filter Local Capture To capt...

Page 406: ...GHz radio or select wlan101 if streaming on the 5 GHz radio 9 Click Start Wireshark displays the packet stream in a new window Figure 216 Add APs from Currently Managed APs list to Capture APs list F...

Page 407: ...its convey additional TX and RX descriptor indicators described in the table below Table 33 Ruckus defined indicators conveyed in MAC Flags Limitation The AP can report RX EVM values or the RX LDPC in...

Page 408: ...g purposes Do not enable this feature unless instructed to do so by Ruckus support Figure 218 The Upload Scripts and Remote Troubleshooting features are used by Ruckus Support in diagnosing customer n...

Page 409: ...figuration changes Ruckus Wireless recommends shutting down ZoneDirector to ensure that all configuration changes are saved and remain after reboot Performing a Restart may cause ZoneDirector to lose...

Page 410: ...Restarting ZoneDirector Streaming Mode 410 Ruckus Wireless Inc...

Page 411: ...rt Mesh Networking Best Practices In this chapter Choosing the Right AP Model for Your Mesh Network Calculating the Number of APs Required Placement and Layout Considerations Signal Quality Verificati...

Page 412: ...802 11n AP Calculating the Number of APs Required This is an important step in planning your mesh network You will need calculate the number of total APs Root APs and Mesh APs that are needed to prov...

Page 413: ...o have 2 or more RAPs so that there are alternate paths back to the wired network More roots are better The more Root APs in the design the higher the performance Therefore as far as possible try to w...

Page 414: ...locations temporarily using a tripod stand or other means and actually checking the Signal Quality throughout the mesh network In addition once the mesh is deployed the Signal Quality should be period...

Page 415: ...may use 35 as your Signal benchmark Ensure Minimum 2 Uplink options for every MAP In addition under Neighbor APs it is best practice that there exists an alternate path for this mesh uplink This alte...

Page 416: ...entation and placement is that during the planning phase it is advisable to use the Signal Quality as your benchmark as explained in the Signal Quality Verification section Ensure that the Signal is b...

Page 417: ...tation A less typical vertical orientation may be used in certain cases where it is not possible for mechanical or aesthetic reasons to use the typical horizontal orientation In such cases indoor APs...

Page 418: ...attention to the elevation of an AP for reliable mesh operation More specifically large differences in elevation should be avoided So whether you are deploying an indoor mesh an outdoor mesh or a mixe...

Page 419: ...r all single band or all dual band APs 2 Avoid an excessive number of hops Ideally keep hop count to 3 or less 3 Having more RAPs is better for performance 4 Ensure that there are RAPs near the middle...

Page 420: ...Best Practice Checklist Elevation of RAPs and MAPs 420 Ruckus Wireless Inc...

Page 421: ...t 118 AES option values 183 airtime 283 Alarms activating email notification 83 Algorithm New WLAN creation 183 All Events Activities Logs 77 AP Activities 47 AP Groups 231 AP markers overview 267 App...

Page 422: ...26 Country Code 74 Create New options Authentication Servers 311 Create New User internal database 305 create user 304 Creating a Guest Pass Generation User role 326 Creating a new WLAN Access VLAN 18...

Page 423: ...t state restoring ZoneDirector 374 Fail Over 64 Failed user connections 390 Failover force 68 Fast BSS Transition 182 Firewall open ports 39 Firewall Integration 79 Firmware upgrade 368 FlexMaster ena...

Page 424: ...nt ACL 71 Management VLAN 249 Managing current user accounts 306 Map View adding a floorplan 258 adjusting AP positions and settings 259 importing a floorplan 263 placing AP markers on a floorplan 264...

Page 425: ...ting key expiration 221 PSK lifetime settings 221 R Radar Avoidance Pre Scanning 117 Radio Band ZoneFlex 7321 236 255 Radio frequency scans starting a scan 399 Radio Resource Management 190 radio stat...

Page 426: ...ettings 173 Timeout interval 367 TKIP option values 183 Toolbox 44 50 401 Tools Map View 265 Traceroute 400 transmission statistics 283 Troubleshooting diagnosing poor network performance 399 manually...

Page 427: ...ation 184 209 Wireless networks overview 30 176 Wireless performance test tool 392 WLAN creation 178 optimizing coverage 268 recent events reviewing 269 WLAN Group 196 232 254 WLAN network security cu...

Page 428: ...428 Ruckus Wireless Inc band selection 236 255 ZoneFlex APs upgrading software 368...

Page 429: ...ZoneDirector 9 8 User Guide 800 70599 001 Rev B 429...

Page 430: ...Copyright 2006 2014 Ruckus Wireless Inc 350 West Java Dr Sunnyvale CA 94089 USA www ruckuswireless com...

Reviews:

No comments