7th October 2013, 09:29 PM #1
Link Ruckus Auth to Lightspeed Auth
I currently have wifi guest access set up using WPA2-PSK, password, then Ruckus guestpass, and then Lightspeed Web Auth via AD. I have VLANs and a transparent proxy in place, and it generally works OK for guest devices.
- It's annoying I can't tell Lightspeed to forget all web logins at lesson ends, as even with the 55 min auth it is possible to have the wrong student in logs if the machine was turned on halfway through a lesson.
- In an ideal world I would like not to need the multiple systems of authentication.
I'm aware Ruckus can do AD and RADIUS auth, the reason I used guestpass, is I like it auto-expiring access after a set amount of time, and it limits each student to one device. I don't see how I would achieve this otherwise but....
If I used RADIUS or AD auth on the Ruckus guest SSID, is there a way for Ruckus to pass the auth info along to the Lightspeed rocket? The reason for this is that I have had to set the re-auth for students to 55 mins (lesson duration) and they find this annoying throughout the day. We collect their MAC address but I can't see how to use this as a method of auth on Lightspeed.
Has anyone managed to get Ruckus AD/Radius auth to be passed on to lightspeed?
P.S. Has anyone found a way to save the Ruckus logs for what device connects where? Would be useful for when inclusion lose a laptop to know what AP it used last.
30th October 2013, 02:20 PM #2
If you are on version 2.4> you can use RADIUS Auth information from your Ruckus to transparently Auth to the rocket (802.1x). You basically set up the wireless controller to point to the rocket as a secondary RADIUS accounting server, and the rocket will do the rest.
In the meantime you could increase the authentication timeout and ask the students to manually logout using lsaccess.me/logout
30th October 2013, 11:40 PM #3
I have seen the RADIUS option. My concerns with this are:
Would Ruckus show who is logged in on the Ruckus dashboard, using the RADIUS info?
Would it use Ruckus' auth page or Lightspeed's? I'm assuming the Ruckus one since this is presented first then passed to LS.
Is there a way I could restrict this auth to a specific group, or the option of disabling specific users if there is a need (without disabling their use of normal college computers\logon)?
Would RADIUS auth restrict logons to one device?
LS is currently set to a 55 min reauth. After this time would the Lightspeed reauth page reappear or Ruckus'?
31st October 2013, 01:55 PM #4
I cannot comment on what will happen on the Ruckus, sorry.
Yes, the users would only Auth against the Ruckus Auth page / captive portal page.
Not sure if you can restrict the Ruckus to only Auth against certain groups. For the Lightspeed rocket you can restrict to a certain OU if that helps.
The 55 min Auth timeout is just for the Lightspeed captive portal web authentication. If you use RADIUS, that will inform the rocket of new login and logout events so the timeout does not apply.
4th November 2013, 11:40 AM #5
Slightly related, if I may ask: is there a recommended lifetime to re-auth?
4th November 2013, 11:50 AM #6
Not really, it depends on what the school feels is acceptable for students etc. to re-auth. Of course deployment can also make a difference in that a 121 deployment would just need to Auth once a day, perhaps BYOD the same.
Originally Posted by Edu-IT
Also, don't forget the default Auth time is just that; you can specify different Auth times based on Users, User Groups, and User OUs, so for example Staff could be 12 hours and students 1 hour.
5th November 2013, 08:00 PM #7
Is there any benefit to re-auth'ing more often? What exactly is the purpose of re-auth'ing?
5th November 2013, 10:57 PM #8
Originally Posted by Edu-IT
It's really needed for devices that are used by different students each lesson or at different times of day (a device cart, for example). You would not want a student logged into a device another student will use next lesson, as it will make the reporting inaccurate. So Authentication lifetimes are important from that perspective.
If it's a one2one environment the lifetimes can be much longer as devices do not pass from one student to another.
6th November 2013, 11:22 AM #9
That could always happen though unless you set auth to 1 minute, and I'm not sure that's wise. For example if you had a 20 minute auth time and a lesson ended at 10am, if a pupil logged in at 9.55am and another at 10.01am then the Rocket would still think it was the first user at 10.03am?
Originally Posted by Eappariello
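The attribution gap described in post #9, and the effect of the RADIUS accounting login/logout events mentioned in posts #2 and #4, can be seen in a small model. This is an added example, not part of the thread and not Lightspeed's or Ruckus's own logic; the IP address, user names, event tuples and the assumption that the first pupil's session stops at 10:00 are all constructed.

```python
from datetime import datetime, timedelta

def at(hhmm):
    """Constructed timestamps on the day of the example."""
    return datetime.strptime("2013-11-06 " + hhmm, "%Y-%m-%d %H:%M")

def by_portal_lifetime(logins, requests, lifetime):
    """Captive-portal model: a web login on an IP is trusted until login + lifetime."""
    result = []
    for when, ip, actual in requests:
        logged = None
        for login_time, login_ip, user in sorted(logins):
            if login_ip == ip and login_time <= when < login_time + lifetime:
                logged = user  # most recent unexpired login wins
        result.append((when, logged, actual))
    return result

def by_accounting(events, requests):
    """Accounting model: Start binds a user to an IP, Stop releases it
    (Acct-Status-Type, User-Name and Framed-IP-Address in RFC 2866 terms)."""
    result = []
    for when, ip, actual in requests:
        logged = None
        for ev_time, kind, ev_ip, user in sorted(events):
            if ev_ip == ip and ev_time <= when:
                logged = user if kind == "Start" else None
        result.append((when, logged, actual))
    return result

def misattributed(rows):
    """Requests logged against a user who was not the one at the device."""
    return [(when.strftime("%H:%M"), logged, actual)
            for when, logged, actual in rows
            if logged is not None and logged != actual]

# Constructed sample data: one shared device, lesson change at 10:00.
IP = "10.20.0.15"
REQUESTS = [(at("09:58"), IP, "pupil_a"), (at("10:03"), IP, "pupil_b"),
            (at("10:20"), IP, "pupil_b")]
PORTAL_LOGINS = [(at("09:55"), IP, "pupil_a")]
ACCT_EVENTS = [(at("09:55"), "Start", IP, "pupil_a"),
               (at("10:00"), "Stop", IP, "pupil_a"),
               (at("10:01"), "Start", IP, "pupil_b")]

if __name__ == "__main__":
    print(misattributed(by_portal_lifetime(PORTAL_LOGINS, REQUESTS, timedelta(minutes=20))))
    print(misattributed(by_accounting(ACCT_EVENTS, REQUESTS)))
```

With a 20-minute portal lifetime the 10:03 request is logged against the first pupil; with Start/Stop events it follows the session that is actually open, which only holds if the wireless side reliably sends the Stop.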
6th November 2013, 11:43 PM #10
I agree this is a trade-off based on a best case scenario. I doubt that even if I give the students a big log off link that they would ever use it.
We used to have Smoothwall and the auth was done transparently without even needing an agent. Shame Lightspeed doesn't offer the same, but its interface and ease of use is much better.
There are a few things I miss from SW that lightspeed could easily implement to improve things:
- Improve the auth (NTLM) so no need for agent.
- Add a top 10 domains list with bandwidth to the dashboard
- Add a new summary report that combines the most viewed domains, most bandwidth heavy users, popular searches and graphs in one report.
- A report on duration specific users spend on sites would also be useful especially for staff Facebook access!