MarkPower (18th May 2009), stevenlong1985 (30th September 2009)
Hi guys
Trying to set up a guest-only WLAN on my Ruckus kit so that guest clients can access the Internet but not the internal network.
I have the guest LAN set up OK and clients can connect fine. The problem comes when they try to go on the Internet.
Our internet comes through a proxy. Because Ruckus doesn't allow the guest network access to the internal network, the guest clients cannot see the proxy and therefore cannot get onto the Internet.
Is there any way around this?
Can I add an exception to allow the guest WLAN access to just the proxy server?
Currently have Net-Ctrl looking into it for me, but I thought I'd post here to see if anyone had got round this somehow.
ta . . .
UPDATE:
Sorted within the hour by Net-Ctrl
Just needed a firmware flash, after which I could set the layer 3/4 ACLs better
Nice one guys!
Hi,
I've just had a Ruckus Wireless network installed and wish to set up the exact same thing. I have an SSID with encryption set up, which the staff will connect to to access the school network etc. I also wish to have a "Guest/Student" style SSID which will allow access only to the Internet, which goes out through a proxy server. Ideally for students, instead of having to enter a "Guest Pass", could they enter their AD username and password to get onto the Internet? This will mainly be 6th Form students bringing in their own personal laptops to access the Internet when in the 6th Form Study Room/Common Room.
How would I go about setting this up? We are running the very latest firmware version, 8.0.1.0.15 (I think). Do you have any step by step guides you used please?
Thanks
Matt
You can do this, but I've not found a way that you can do it and also have it as a secure network, other than making the user enter a WPA key as well *before* entering their AD username and password into the captive portal. That gets a bit painful when they need to enter:
WPA Key
AD Username (for captive portal)
AD Password (for captive portal)
Proxy settings in IE
AD Username (to auth to the proxy)
AD Password (to auth to the proxy)
I think in the short term I'm going to cut out the captive portal bit, because someone stealing access to the wireless - which will require the WPA key anyway - will also need an AD account to do anything... the L3/L4/IP ACL means they can only do DHCP, DNS and proxy.
I think it's possible to use the zero-it config stuff to redirect users from the captive portal to a WPA2-encrypted WLAN with a PSK unique to their MAC, but I've not tackled that just yet.
Last edited by sahmeepee; 20th August 2009 at 08:49 AM.
Ok,
Say I just set up a "Guest" WLAN for students (and visitors) where we generate pass codes for them. Is there a way in which the Ruckus ZoneDirector can automatically push out the proxy settings for Internet access to the students'/visitors' laptops? Also, how do we make sure they only get Internet access and not access to our school network/file servers etc.? Can they be given a totally different IP address/range?
I can't find any info on setting this scenario up in any support documents etc.
Thanks
Matt
I'm pretty sure there's not, but I have made a feature request to Ruckus. Possibly you can make them redirect to a page with instructions or a batch file/script to download. Not tried it yet. Alternatively you could distribute the batch file via some other means and they could copy it on using a pen drive (not a very sexy solution though)
First off you will need to make sure you are on the latest firmware. I suspect most ZDs are shipped with out of date firmware on them. Version 7.x doesn't have the L3/L4/IP filter options at all.
Then you can set up L3/L4/IP filters to only allow access to specific ports on specific servers. You can achieve the config above by only allowing access to specific ports on your DHCP, DNS and proxy servers.
Hi "Jamin100" or anybody else that can help!!!
How did you manage to do this? Do you have a "Step By Step" guide? Do you have to get your clients to manually enter the proxy server into their web browser when they connect to your Guest Access WLAN, or does the internet just work going through the proxy once connected to the Guest VLAN without any config changes?
I'm trying to get this set up for our 6th Form students when they bring their laptops in, but ideally without having to manually enter any settings.
Thanks
Matt
PS> I am running the latest firmware which allows you to enter the ACLS etc
Anyone???
Thanks
Matt
No, not yet. I thought that Edugeek may hold the answer to the question first, as it seems the majority of users are running the Ruckus system.
I've tried the Ruckus support forums but there seem to be fewer users on there than there are on here!
Cheers
Matt
Hi Matt,
Sorry, didn't notice this thread again.
ok,
I have set up 2 WLANs: one the main school network, and a second "guest" network which just provides access to the internet.
In the Configure > Guest access tab, about halfway down, there is a section called Restricted Subnet Access.
Here you can block and allow access to different IPs.
So I've added an entry and entered the IP and subnet mask of my proxy server and set that to allow.
I've also entered the IPs of my servers and set those to deny.
I did however have to configure the guest clients to access the proxy settings in Internet Explorer.
Hope this helps
Ben
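The two filter styles described in this thread (port-scoped L3/L4 rules limited to DHCP, DNS and the proxy, and an address-only allow for the proxy plus denies for named servers) can be compared in a small model that lists what each one leaves reachable beyond what a guest needs. This is an added example, not code from any poster or from Ruckus; first-match evaluation, the default actions, every address and proxy port 8080 are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                    # "allow" or "deny"
    dest: str                      # destination network, CIDR
    proto: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None     # None matches any destination port

def decide(rules, default, dst, proto, port):
    """First matching rule wins (assumed); otherwise the default applies."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if (addr in ipaddress.ip_network(r.dest)
                and r.proto in (None, proto)
                and r.port in (None, port)):
            return r.action
    return default

# Constructed addressing, not taken from the thread.
PROXY, DNS_DHCP, FILESRV, OTHER = "10.0.0.10", "10.0.0.2", "10.0.0.20", "10.0.0.30"

# Port-scoped rules: only DHCP, DNS and the proxy port, default deny.
PORT_SCOPED = ([
    Rule("allow", "255.255.255.255/32", "udp", 67),   # DHCP discover broadcast
    Rule("allow", DNS_DHCP + "/32", "udp", 67),
    Rule("allow", DNS_DHCP + "/32", "udp", 53),
    Rule("allow", PROXY + "/32", "tcp", 8080),        # assumed proxy port
], "deny")

# Address-only rules: allow the proxy host, deny listed servers, default allow.
ADDRESS_ONLY = ([
    Rule("allow", PROXY + "/32"),
    Rule("deny", FILESRV + "/32"),
], "allow")

# What a guest must reach, plus probes for things it should not reach.
WANTED = {(PROXY, "tcp", 8080), (DNS_DHCP, "udp", 53), ("255.255.255.255", "udp", 67)}
PROBES = WANTED | {(PROXY, "tcp", 445), (FILESRV, "tcp", 445),
                   (DNS_DHCP, "tcp", 445), (OTHER, "tcp", 445)}

def excess_access(policy):
    """Return probes the policy allows that a guest has no need for."""
    rules, default = policy
    allowed = {p for p in PROBES if decide(rules, default, *p) == "allow"}
    return sorted(allowed - WANTED)

if __name__ == "__main__":
    for name, policy in (("port-scoped", PORT_SCOPED), ("address-only", ADDRESS_ONLY)):
        print(name, excess_access(policy))
```

In this model the port-scoped set leaves nothing extra reachable, while the address-only set still passes other ports on the proxy host and any internal host that was not explicitly listed as denied.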
We are in the same position... I need a guest network set with proxy settings set automatically, if that's possible? I can set an alternative proxy with no AD authentication to avoid that problem.
Hi Ben,
Thanks for the reply. Ahh, I too can set up the system to access the proxy server using the guest access as you have mentioned, but I really don't want to have to configure the proxy settings manually; it just all seems a bit messy. I know other rivals to Ruckus do have a feature which pushes out the proxy settings when connected to the Guest Access system.
I have spoken to Ruckus and they have said "We have an open feature request to auto-configure client’s browser proxy settings, but this is not yet committed for release. I will add your use case to the feature request."
Hopefully one day soon we will see this feature.
Cheers
Matt
mattpant (1st October 2009)
Nice one,
Thanks, hopefully we will see it featured in the not so distant future! It would also be nice to see it assigning Guest PCs with a totally different IP Range, whilst still allowing access to the proxy, I know with the ACLs in place it can be setup so not to see any other devices on the network, but I like the idea of not having the same IP Address Range.
Cheers
Matt
I couldn't agree more! I don't like having my DHCP scope cluttered up with unmanaged laptops, especially as I currently get an alert when any new leases are given out and it's going to be difficult to tell the difference between PCs plugged into a wall socket and PCs getting a lease through DHCP.
Presumably it could be done with a separate router, but it would be neater if it was handled by the ZoneDirector/APs