  1. #1


    Ruckus - two BYOD WLANs

    Hi all,

    Our school has a Ruckus system. At present we cater for BYOD by having an activation WLAN where users authenticate, then they are directed to our BYOD WLAN. Their traffic is sent through the controller to a Smoothwall box on a BYOD VLAN, which passes traffic transparently through our student level proxy filter and out to the Internet. This box also dishes out separate IP addresses for BYOD.

    This level of filter is too restrictive for staff so I have been asked to set up a second BYOD WLAN which does the same thing but passes traffic transparently through our staff level proxy.

    I believe I can get the Ruckus controller to differentiate staff and student users via group membership, but I'm not sure how I get the staff users to use a separate proxy on our BYOD VLAN, though I'm now at the point where I'm over thinking it!

    Any advice would be welcome...

  2. #2

    Hello

    Best way is to create a new VLAN and create a new WLAN called Staff BYOD and allow that address range different filtering on your firewall.

    Yes you can also use AD groups on the controller to allow only staff to use that new WLAN.

    Hope this helps.

    Adam

  3. #3

    If you want to keep your amount of broadcasted SSIDs down and are using a Windows server, you can use Dynamic VLAN Assignment.

    You will need to create another VLAN and tag it on the appropriate ports etc., e.g. BYOD_Staff vid=10, BYOD_Students vid=20

    VLAN Attributes Used in Network Policy -> NPS Side Attributes you will need to configure
    http://a030f85c1e25003d7609-b98377ae...accounting.pdf -> Ruckus Side configuration and Vendor Specific Attributes

    However there is also a ruckus document with the required Vendor Specific attributes you will need to configure.

    Basically you want to pass on if they are a student or a staff member to NPS then have it pass back the VLAN assignment based on which group they are in.



    Good Luck!
    Last edited by Phake; 28th January 2014 at 04:35 AM.
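
An added example, not part of the original post and not Ruckus or NPS code: the "pass back the VLAN assignment" step, shown as the standard RFC 3580 tunnel attributes a RADIUS server returns in its Access-Accept. The group names and the fail-closed rule for users in neither group are assumptions; the VLAN IDs are the ones from the post.

```python
# RFC 2868 attribute numbers; values per RFC 3580 section 3.31.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Assumed policy: hypothetical group names, VLAN IDs from the post above.
# List order is precedence when a user is in both groups.
GROUP_TO_VLAN = [("BYOD_Staff", 10), ("BYOD_Students", 20)]


def vlan_for(groups):
    """Return the VLAN ID for the first matching group, or None to reject."""
    for name, vid in GROUP_TO_VLAN:
        if name in groups:
            return vid
    return None  # fail closed: no group, no VLAN, no Access-Accept


def _tagged_int(attr, value):
    # Layout: type, length=6, tag=0, 24-bit value.
    return bytes([attr, 6, 0]) + value.to_bytes(3, "big")


def vlan_attributes(vid):
    """Encode the three tunnel attributes that assign VLAN `vid`."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    gid = str(vid).encode("ascii")  # the VLAN ID travels as an ASCII string
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid)


def parse_vlan(attrs):
    """Return the assigned VLAN ID, or None unless all three attributes agree."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if seen.get(TUNNEL_TYPE, b"")[1:] != TYPE_VLAN.to_bytes(3, "big"):
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != MEDIUM_IEEE_802.to_bytes(3, "big"):
        return None
    gid = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if gid[:1] and gid[0] <= 0x1F:
        gid = gid[1:]  # strip the optional tag byte
    return int(gid) if gid.isdigit() else None
```

`parse_vlan` is useful when checking a packet capture of the Access-Accept: a reply carrying only the group ID, without the type and medium attributes, does not count as a VLAN assignment.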

  4. #4

    FN-GM
    You can get the Smoothwall to do this. Have 1 BYOD SSID, that VLAN redirects you to the Smoothwall login page. They log in and are filtered based on the type of user account used.

  5. #5
    rob_coles
    We have one guest for both student and staff.

    We set ruckus to auth via wpa enterprise from the smoothwall box which then filters from ad groups. Thus having the same filtering on both guest & network side.

  6. #6

    FN-GM
    Originally posted by rob_coles:
    > We have one guest for both student and staff.
    >
    > We set ruckus to auth via wpa enterprise from the smoothwall box which then filters from ad groups. Thus having the same filtering on both guest & network side.

    Also you can monitor what they are going on.

  7. #7

    Originally posted by rob_coles:
    > We set ruckus to auth via wpa enterprise from the smoothwall box which then filters from ad groups. Thus having the same filtering on both guest & network side.

    This is exactly what I'm after - I've got Ruckus talking to Smoothwall via Radius, but getting 'Failed! Invalid username or password' when testing AAA server auth in Ruckus. SW log shows 'RADIUS authentication failed; username: ######, access point: 192.168.90.251'.

    Do you just use 'username', 'domain\username', 'username@domain.internal' or something else?

    Any other ideas which settings need setting?

    Peter
    Last edited by howartp; 11th September 2014 at 11:00 AM.

  8. #8
    Boredguy
    I found that doing the test via the AAA server page against a 2008 Radius then it always says it fails, which a search said was normal due to how that test worked.

    I know our Radius authentication itself is working as we set up the SSID with 802.1x and when entering 'username' and the password it ran off and joined correctly (and showed the username in the Ruckus console).

  9. #9

    Originally posted by Boredguy:
    > I found that doing the test via the AAA server page against a 2008 Radius then it always says it fails, which a search said was normal due to how that test worked.

    Ah, that's interesting - and perfectly useless on Ruckus's part!

    In that case, I'll try testing iPhones and iPads - I didn't bother yet until I could get the test working!

    Peter

  10. #10

    Hi Boredguy,

    I'm still struggling - and becoming a boredguy myself.

    Would you mind posting (or PM'ing) your Ruckus and Smoothwall setups for this?

    Should my iPhone be prompting for username/password at the point of joining the wifi, or browsing? I've seen a screenshot of someone using HP wireless and Smoothwall where the iPhone does the prompting at the point of joining the wifi but mine is just joining then giving me no internet access. I'm not getting prompted for username anywhere.

    I did a Wireshark capture on Friday and I could see the challenge request for username being sent by Ruckus, but the laptop (Win 7) wasn't giving me an option to provide details; I didn't continue as I don't know if this is to do with the Win 7 / Certificate requirement, so I'd rather get iDevices working first. If I change the IP addresses at either end of the Radius, then the Ruckus test-auth box times out rather than failing auth. I know I can't use the Ruckus test-auth box to test usernames, but at least it implies both boxes are talking to each other.

    Peter

    Radius_1.png
    Radius_2.png
    Radius_3.png
    Radius_4.png
    Radius_5.png

  11. #11
    Boredguy
    We have 2 SSIDs for users. We have a Staff SSID that is hidden and with the advanced settings the same as your screenshot (we don't have accountancy server set up so it's still disabled) and that uses Radius Authentication.

    For our students, we have a Users SSID that has an AAA server set up as Active Directory authentication and a captive portal page.
    Both of these SSIDs are set to the same vLan 30.

    When staff join the Staff SSID, they enter their username and password in the wifi prompt and they are done until such time as they forget the SSID.
    For students joining the Users SSID, they get a prompt that they have to sign in and go to the captive portal page, where they enter their network username and password. They have to do this every time they connect (assuming they have timed out the session).

    I found that the AD authentication for students was a better method than Radius, as we wanted the students to get the portal page and that was only possible if authentication method was set to open and not 802.1x.

    I did notice that your screenshots have the hand written note about vLan being 90, but the actual setting in your Ruckus is 96.

  12. #12

    Originally posted by Boredguy:
    > I found that the AD authentication for students was a better method than Radius, as we wanted the students to get the portal page and that was only possible if authentication method was set to open and not 802.1x
    >
    > I did notice that your screenshots have the hand written note about vLan being 90, but the actual setting in your Ruckus is 96

    Thanks for the reply.

    We use AD at the moment, but only iPhones and latest Androids work; the rest need manual intervention x 800 students - which is what I'm trying to avoid next week when I turn wifi back on!

    The APs and ZoneDirector are in 90, staff wifi is 93, guests is 94 and students/BYOD is 96. There are zone bridges in place so 96 can see 90 and vice versa.

    Peter

  13. #13
    Boredguy
    *touch wood* our students are getting online via AD portal page on BlackBerry, Windows, Android and iOS devices without any major issue.

    3 of our APs don't like to give an IP address out to iOS devices but we've already escalated that to Ruckus for investigation.

  14. #14

    Originally posted by Boredguy:
    > *touch wood* our students are getting online via AD portal page on blackberry, Windows, Android and iOS devices without any major issue.

    Just realised you're not using Zero-IT.

    We use Zero-IT with captive portal, which installs a profile containing the wifi key for the relevant (staff, student, ...) WLAN. THAT's the bit which only works on some devices.

    How does captive portal work if they're using an internet-based App? Do they have to open internet first to connect (assuming they've timed out)?

    Peter

  15. #15
    Boredguy
    Their device sees the Open WiFi, connects and brings up a prompt that they need to sign in.
    They go to their browser, sign in, and then they carry on using the device as normal.

    Once the connection to the wifi is dropped, it starts the countdown before it clears the session authentication (which I've set at 30 minutes before they need to re-auth) so that during the lesson at most they will only need to sign in twice if their connection drops. If staff complain that they are losing too much time, I'll increase the timeout to 45 minutes.

    I looked into the Zero-IT, and thought it was going to be more hassle than it was worth to tell students to go here, install that etc, whereas this way it's the same as using a Hot Spot like TheCloud. Enter details and away you go.
