This guide describes how to set up and test your wireless LAN controller so you can use it with Cloud4Wi Passpoint services:
- Log in to the RUCKUS SmartZone wireless LAN controller as a user with administrative privileges.
- Configure the Hotspot 2.0 identity provider and RADIUS authentication and accounting service options.
- Troubleshoot the configuration.
Log in to the RUCKUS SmartZone wireless LAN controller
To start the configuration process, log in to the SmartZone wireless LAN controller as admin. For existing environments with additional users, log in as a user with administrative privileges.
The RUCKUS Dashboard appears.
Create a Wireless LAN and Hotspot 2.0 Profile with RADIUS
This procedure describes how to create a wireless LAN that you’ll enable with Hotspot 2.0. Hotspot 2.0 allows mobile devices to join a WiFi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.
Before creating a new wireless LAN for Hotspot 2.0, review the RUCKUS documentation.
Create a wireless LAN
Complete the following steps to create a WLAN that you can enable with Hotspot 2.0.
- From the RUCKUS Dashboard, select Network > Wireless > Wireless LANs.
The Wireless LANs page appears.
- In the Wireless LANs page, click Create.
The Create WLAN Configuration dialog box appears.
We recommend creating a new wireless LAN to avoid impacting any existing wireless LAN configurations running in production.
Note: There are a number of options to set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.
- Under General Options, enter the following fields:
- Name: Enter the name of the WLAN you are creating (we recommend “Orion”).
- SSID: Enter the SSID (such as "Cloud4Wi Secure WiFi"). While the connection process is automatic, the SSID name will be recognized by more users over time.
- Zone: Select the zone from the list.
- WLAN Group: Select the WLAN group from the list. For large RUCKUS environments where your company uses WLAN groups, set the zone based on company preferences and use the correct WLAN group for the company WLAN categorization. Otherwise, use the default zone (Default Zone) and default WLAN group (default).
- Under the Authentication Options, select the following options:
- Authentication Type: Select Hotspot 2.0 Access. (You can’t specify Hotspot 2.0 Onboarding because that option doesn’t give you the ability to add a Hotspot 2.0 profile.)
- Method: 802.1X EAP is set by default. It cannot be changed.
- Under Encryption Options, select the following options:
- Method: WPA2 is enabled by default. It cannot be changed.
- Algorithm: Select AES.
- 802.11r Fast Roaming: Must be disabled or OFF.
- 802.11w MFP: Select Disabled.
- Under RADIUS Options, define your venue.
Important: Cloud4Wi uses the RADIUS NAS ID to identify your venue (a site location) with each RADIUS access request. By default, RUCKUS uses the WLAN BSSID for the NAS ID. Replace the default with your site-specific venue name or address.
- NAS ID: Select User Defined.
- Set the NAS ID to something site-specific to your wireless LAN configuration. Example: “Shopping-Center_123-Main-Street_AnyCity_State_Zip-Code”.
- Under Hotspot 2.0 Profile, select the following options:
- Accounting Server: set to 5 minutes so that interim updates arrive every 5 minutes
- Click ➕ to the right of Hotspot 2.0 Profile
The Create Hotspot 2.0 WLAN Profile dialog box appears.
- In the Name field enter the profile name, such as “Cloud4Wi-Profile”.
Creating an Operator
To create an operator, complete the following steps.
- On the Create Hotspot 2.0 WLAN Profile dialog box, click ➕ to the right of Operator.
The Create Hotspot 2.0 Wi-Fi Operator Profile dialog box appears.
- Enter the operator name in the Name field, for example “Cloud4Wi-Operator”.
- Enter the Domain Name from your environment, as displayed in your Passpoint settings in the Cloud4Wi dashboard (for example “companyname.securewifi.io”).
- Click ➕ Add to the right of Domain Name to add the domain.
- Enter at least one name for Friendly Names, such as “Cloud4Wi Secure WiFi”. Friendly names are additional descriptors. The friendly name is what a Hotspot 2.0 client sees on their screen. We suggest setting it to the value you configured as Operator Name in the Passpoint settings of your Cloud4Wi account.
- Click ➕ Add to the right of the friendly name to add the friendly name.
- Click OK. You return to the Create Hotspot 2.0 WLAN Profile dialog box.
Create Identity Provider
- On the Create Hotspot 2.0 WLAN Profile dialog box, to the right of Identity Provider, click Create to start the Identity Provider creation process.
The Create Hotspot 2.0 Identity Provider dialog box appears. Network Identifier is selected in the top navigation.
- Enter the name of the identity provider in the Name field, such as “Cloud4Wi-Identity-Provider”.
- In the Realms section, enter the realm name in the Name field, for example “Cloud4Wi-Realm”.
- For Encoding, take the default of “RFC-4282”.
- For EAP Method, select #1 and select EAP-TTLS. A section appears where you can add EAP Auth Info.
- Below EAP Method, click ➕ Create. The Create New Auth Info dialog box appears.
- For Auth Info, select Credential Type.
- For Auth Type, select MS-CHAPv2. Click OK. You return to the Realms section of the Create Hotspot 2.0 Identity Provider dialog box.
- Click ➕ Add in the upper right corner of the Realms section to add the realm entry. The Realms information should look like this example.
- Click Next on the bottom right.
Set up a RADIUS connection
It’s important to set up a RADIUS connection between the wireless LAN controller and Cloud4Wi WiFi.
Create RADIUS Authentication Service
This procedure describes settings for RADIUS Authentication. By default, two realms exist: No Match and Unspecified. When configured with the same RADIUS service, these two Authentication realms together accept all traffic realms for the RCOI, essentially acting as a wildcard pattern match, which is the ideal configuration for Cloud4Wi.
Best Practice: If you’re creating a dedicated wireless LAN, you can configure all realms to point to the Cloud4Wi RADIUS end point for authentication and accounting.
No Match Realm configuration (authentication)
- Select Authentication at the top of the Create Hotspot 2.0 Identity Provider dialog box.
- Double click the No Match row. The Edit Realm Based Authentication Service: No Match dialog box appears.
- Click ➕ next to Service. The Create Authentication Service dialog box appears.
- Enter the RADIUS service values shown for the primary server, and follow the instructions in the RUCKUS documentation.
Primary server RADIUS service values: Authentication Service
| Name | Description | Value |
| --- | --- | --- |
| Name | Name of the RADIUS service | RADIUS |
| Service Protocol | Protocol service to use | RADIUS |
| Primary Server IP Address | Primary RADIUS IP address | 52.48.102.108 |
| Primary Server Port | Port for RADIUS authentication | 1812 (default) |
| Primary Server Shared Secret | Secret key to use for RADIUS | <as communicated by Cloud4Wi team> |
| Primary Server Confirm Secret | Confirmation of the secret key | <as communicated by Cloud4Wi team> |
- Add the secondary RADIUS server, and follow the instructions in the RUCKUS documentation.
Secondary server RADIUS service values: Authentication Service
| Name | Description | Value |
| --- | --- | --- |
| Name | Name of the RADIUS service | RADIUS |
| Service Protocol | Protocol service to use | RADIUS |
| Secondary Server IP Address | Secondary RADIUS IP address | 34.252.97.217 |
| Secondary Server Port | Port for RADIUS authentication | 1812 (default) |
| Secondary Server Shared Secret | Secret key to use for RADIUS | <as communicated by Cloud4Wi team> |
| Secondary Server Confirm Secret | Confirmation of the secret key | <as communicated by Cloud4Wi team> |
- Click OK. You return to the Edit Realm Authentication Service: No Match dialog box.
- In the Edit Realm Authentication Service: No Match dialog box, click OK.
Unspecified Realm configuration (authentication)
- Double click the Unspecified row. The Edit Realm Based Authentication Service: Unspecified appears.
- For Service, select [RADIUS] RADIUS. This selection uses the same defaults as the No Match realm. Click OK.
- Verify that the Authentication Service values look like this example. Click Next on the bottom right.
After clicking Next, Accounting is selected on the Create Hotspot 2.0 Identity Provider dialog box.
Create RADIUS Accounting Service
This procedure describes settings for RADIUS Accounting. By default, two realms exist: No Match and Unspecified. When configured with the same RADIUS service, these two Authentication realms together accept all traffic realms for the RCOI, essentially acting as a wildcard pattern match.
If you’re creating a dedicated wireless LAN, you can configure all realms to point to the Cloud4Wi RADIUS end point for authentication and accounting.
No Match Realm configuration (accounting)
- Toggle Enable Accounting to ON so you can edit the two realms.
- Double click the No Match row. The Edit Realm Based Authentication Service: No Match dialog box appears.
- Click ➕ next to Service. The Create Accounting Service dialog box appears.
- Enter the RADIUS service values shown for the primary server, and follow the instructions in the RUCKUS documentation.
Primary server RADIUS service values: Accounting Service
| Name | Description | Value |
| --- | --- | --- |
| Name | Name of the RADIUS service | RADIUS |
| Service Protocol | Protocol service to use | RADIUS |
| Primary Server IP Address | Primary RADIUS IP address | 52.48.102.108 |
| Primary Server Port | Port for RADIUS authentication | 1813 (default) |
| Primary Server Shared Secret | Secret key to use for RADIUS | <as communicated by Cloud4Wi team> |
| Primary Server Confirm Secret | Confirmation of the secret key | <as communicated by Cloud4Wi team> |
| Rate Limiting - Maximum Outstanding Requests (MOR) | Total number of requests to handle for accounting. | 4096 |
- Enter the Secondary server RADIUS service values
| Name | Description | Value |
| --- | --- | --- |
| Name | Name of the RADIUS service | RADIUS |
| Service Protocol | Protocol service to use | RADIUS |
| Secondary Server IP Address | Secondary RADIUS IP address | 34.252.97.217 |
| Secondary Server Port | Port for RADIUS authentication | 1813 (default) |
| Secondary Server Shared Secret | Secret key to use for radsecproxy | <as communicated by Cloud4Wi team> |
| Secondary Server Confirm Secret | Confirmation of the secret key | <as communicated by Cloud4Wi team> |
- Click OK. You return to the Edit Realm Accounting Service: No Match dialog box.
- In the Edit Realm Accounting Service: No Match dialog box, click OK.
Unspecified Realm configuration (accounting)
- Double click the Unspecified row. The Edit Realm Based Authentication Service: Unspecified appears.
- For Service, select [RADIUS] RADIUS. This selection uses the same defaults as the No Match realm.
- The Edit Realm Accounting Service: Unspecified dialog box should look like this example. Click OK.
- Verify that the Authentication Service values look like this example.
- Select Review at the top of the Create Hotspot 2.0 WLAN Profile dialog box.
- Review the settings and click OK. You return to the Create Hotspot 2.0 WLAN Profile dialog box.
- On the Create Hotspot 2.0 WLAN Profile dialog box, click ➕ Add next to Identity Provider to add the “Cloud4Wi-Identity-Provider” to the list of identity providers.
- Click OK. You return to the Create WLAN Configuration dialog box.
- On the Create WLAN Configuration dialog box, click OK to save the completed RADIUS-enabled wireless LAN configuration.
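Cloud4Wi identifies the venue from the NAS ID, and the accounting servers only accept packets built with the right shared secret, so both are worth checking in a packet capture once the WLAN is saved. The following is an added example, not part of the original guide and not RUCKUS or Cloud4Wi code: it parses a RADIUS Accounting-Request, returns the NAS-Identifier it carries, and verifies the Request Authenticator as defined in RFC 2866. The function names are hypothetical, and the secret and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
NAS_IDENTIFIER = 32      # attribute that carries the venue NAS ID
ACCT_STATUS_TYPE = 40    # 1 = Start, 2 = Stop, 3 = Interim-Update

def build_accounting_request(ident, attrs, secret):
    """Build an Accounting-Request from a list of (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attributes(packet, length):
    """Return {type: [values]} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def check_accounting_request(packet, secret):
    """Return (authenticator_ok, nas_id) for one captured Accounting-Request."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = parse_attributes(packet, length)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    nas_id = attrs.get(NAS_IDENTIFIER, [b""])[0].decode("utf-8", "replace")
    return hmac.compare_digest(expected, packet[4:20]), nas_id

# Constructed sample values: not real credentials and not captured traffic.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_NAS_ID = "Shopping-Center_123-Main-Street_AnyCity_State_Zip-Code"
SAMPLE_ATTRS = [(NAS_IDENTIFIER, SAMPLE_NAS_ID.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", 3))]
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    print(check_accounting_request(SAMPLE_PACKET, SAMPLE_SECRET))       # matching secret
    print(check_accounting_request(SAMPLE_PACKET, b"mistyped-secret"))  # mismatched secret
```

A failed authenticator check on a real capture points to a shared-secret mismatch between the controller and the RADIUS service, and a NAS ID that still looks like a BSSID means the User Defined value was not applied.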
Troubleshoot the RUCKUS configuration
If you see errors or problems while testing the RUCKUS configuration, here are some ways to validate the configuration and look for errors. Most problems occur during setup. One way to test whether the setup is correct is to go through the steps again. Another is to look at the primary components of the wireless LAN setup that directly impact connectivity to Cloud4Wi.
Wireless LAN Configuration
If you’re configuring the wireless LAN for the first time, an option setting or a hardware compatibility problem can sometimes prevent the access points from communicating with the wireless LAN controller.
Option configuration
Wireless LAN controller administrators familiar with configuring wireless LAN controllers and wireless LANs for other vendors might be used to changing the VLAN ID used by their provider to match the values used by the access points. In RUCKUS environments this can create communication issues between the access point and the wireless LAN controller.
- Click the Wireless LANs menu item on the left side of the page.
- Double-click the Cloud4Wi wireless LAN to open the Edit WLAN Config dialog box.
- Under Advanced Options, make sure the Access VLAN value is set to 1.
If it’s set to a value other than 1, RUCKUS access points might not route traffic to the wireless LAN. Always use the default options provided by RUCKUS unless otherwise specified by the Create a Wireless LAN and Hotspot 2.0 Profile with RADIUS setup instructions. For more information about Access VLANs, review the RUCKUS documentation.
Hardware and software compatibility
Hardware compatibility problems can occur between the access points and the wireless LAN controller if FIPS-supported access points are in use. If you’re using custom releases, RUCKUS might be installing a non-FIPS supported release. If you use FIPS-based access points, they won’t connect to a non-FIPS wireless LAN controller from RUCKUS.
To be fully compliant with FIPS, RUCKUS must have a FIPS-certified software release on the wireless LAN controller and FIPS-supported access points.
- Check the part number on the access point. If it starts with “9F1”, the device is FIPS-certified.
- Check the wireless LAN controller release on the RUCKUS software site to confirm it is FIPS-compliant.
If it’s not compliant, modify your environment to use non-FIPS supported access points that start with the part number “901” or use a FIPS-supported wireless LAN controller software release.
Device type connectivity issues
When checking connectivity to the Cloud4Wi WiFi, it’s important to test both iOS and Android devices to make sure both auto-connect without having to select the RUCKUS WLAN where RADIUS and Cloud4Wi RADIUS are configured.
If iOS connects without issue, but Android doesn’t work, it’s likely the NAI Realm settings for the WLAN aren’t correct. This is because iOS auto-connects without an EAP method specified, while Android does not. See Create Identity Provider for information about configuring EAP-TTLS.
Review the Realms settings in Create Identity Provider to verify the Cloud4Wi-Realm is configured with an Auth Info of “Credential Type” for #1, and with an Auth Type of “MS-CHAPv2”.