Ruckus and guest access
I'm trying to get my head around using our Ruckus for allowing certain students to access the internet from their own devices in school. I would like them to effectively only have access to the web proxy (Smoothwall) and authenticate using their AD credentials. We don't have our APs on a separate VLAN (due to the nature and variety of network switches) so I'm hoping that Ruckus's own isolation will help with that, but I am struggling to get my head around how Ruckus do this.
I've tried to enable guest pass authentication, using our RADIUS server, but when redirected to the authentication page no valid credentials work so I get the feeling I'm missing a stage out at some point.
Has anyone managed to do this, and have they got an idiot guide handy!
Should be able to walk you through this, have PM'd.
Cheers for the offer - I might take you up on that when I get some time set aside.
I've got a simple guest network running, which works with RADIUS and allows valid AD accounts to connect. However my wpad.dat file isn't recognised by any device. I've got the wpad.dat on the ZoneDirector and configured in DHCP but everything that connects seems to ignore it!
I was trying to do the same with wpad.dat to get the proxy set up on a guest laptop! Didn't get it to work and gave up in the end after being off work for a week.
Would like to get this to work somehow?
Anyone had any luck setting up Ruckus with wpad.dat?
There's a really good video on YouTube that shows how to set up BYOD access with Ruckus (How to BYOD with Ruckus Wireless - YouTube).
Should give you a good oversight; I managed to set ours up after watching this as a sort of primer.
Can't get YouTube, as it's blocked :mad:....
I think there's something fundamentally wrong with my Ruckus. I've got the RADIUS servers set up, and configured Roles for each group (admins/staff/students etc) but the AAA query always shows success but the group assignment will be 'default'!
I've never used VLANs before - is there an idiot's guide somewhere?
I've got Ruckus to authenticate with AD, no worries, and without the VLAN settings it's getting IP addresses from a DHCP server and, when the proxy settings are put in manually, all is well.
I'm thinking one way to proceed now is:
1. set a spare port on a managed switch to be a new VLAN
2. connect a Smoothwall transparent proxy with DHCP, which I've used before to add a proxy setting where the client device didn't support it, to it
3. set that VLAN to the BYOD Network in Ruckus
How does that sound? Will that then give a client device an IP from Smoothwall and allow it to access the web? Or have I fundamentally missed a point or two along the way?
edit: I've just read through the thread again and it looks as if I've hijacked it - mods if you want to move this to a new thread that's fine by me!
You need to get your head round that first, took me a while as well and I believe a number of posts on here will point you in the right direction.
Originally Posted by BatchFile
But, in a nutshell ;) - You'll need switches that are managed, you'll need to set up the VLANs on all your switches (obviously, only those that will have traffic flowing for each VLAN), 'tag' the trunks/uplinks to each Edge switch with the associated VLANs, set up DHCP helper on your Core Switch for the VLANs to point at your DHCP server, set up a DHCP scope for the BYOD with the gateway set to the IP address of your Core Switch, 'tag' the port that has the AP plugged into it for your guest VLAN (you'll need to tag it with the other VLANs as well if you have other SSIDs on it and management so that ZoneDirector can still access it), set up the SSID on the ZoneDirector to be associated with a particular VLAN and, errr, that is about it. I think, working from memory. May have missed out a step but hopefully it'll help.
You need to add some additional attributes to get the RADIUS groups working.
Originally Posted by Sheridan
Windows NPS Radius + ZoneDirector, A How to guide. - Ruckus Wireless Forums
I have got it working to assign available SSIDs via group membership.
Hmm I feel I am so near to getting this working, yet so far!
I've got AD authentication working, and using the YouTube example above I've managed to get a hotspot service set up and Zero-IT provisioning working, with a WLAN for staff and another for students.
This seems to work: a user selects the 'open' WLAN and then when any web page is requested the authentication page appears. After successful authentication the Zero-IT installer comes in and adds the correct WLAN on the test PC (in this case an iMac).
But that's where it stops, the Mac stays connected to the hotspot WLAN and ignores the specific WLAN that is assigned to the user's group. The Zero-IT part seems to configure this correctly and that's where it falls apart as you can't go any further!
It's the one failing that myself and others have noticed - it doesn't automatically switch the user to the SSID that has been set up with the Auto Provisioning. The user has to switch to that Wireless SSID themselves to start using your internet connection. Also, the problem on Android devices is that by default they don't allow .apk files to be installed from unknown sources; this has to be set up on the phone by the user, but of course, trying to explain that to some users is tricky.
Looks like you're there really, try it out on a few guinea pigs and see how it goes.
I noticed the issue with apk files on Android phones as well, but that's something that's easy to work around I suppose.
I gave up with the Mac, and got it working on an Android device but that ignores the proxy settings I uploaded to the ZoneDirector (wpad.dat) so even when I get a connection it's useless!
I'm so close I can almost taste it!
EDIT, spoke too soon! Android devices just sit in a loop of Authenticating... and Obtaining IP address.
The Macs connect and fail to connect to the correctly assigned WLAN, and even when manually connected they ignore the wpad.dat settings. Oddly my test Mac now refuses to open the Zero-IT file (prov-mobileconfig) and attempts to open it with Apple Logic Pro!
I think I'll have to ditch the BYOD aspect of Ruckus - it doesn't seem to work very well. For starters the Zero-IT part doesn't work on Macs and then the correct WLAN isn't selected. Plus it simply ignores the wpad.dat file that is uploaded to the ZoneDirector so it means manual proxy details have to be entered - that defeats the purpose a bit.
It's inconsistent on Android devices as well, so I have no faith in rolling this out to staff/students who might be on iPods/iPads/Macs/phones etc!
Has anyone implemented a robust BYOD system with anything like Aruba or a similar competitor?
All I would say in conclusion is - don't waste too much time with BYOD on Ruckus. It looks like a bit of a mess and I've given up trying to sort it out.
I've decided to ditch the Ruckus and use some D-Link WAPs (just using WPA) and stick them on a separate VLAN in key areas of the school. This VLAN will have its own non-authenticating Smoothwall web filter and that's all they will have access to. They will still need to put the proxy settings manually in but that would have been the case with Ruckus anyway. Frustrated and disappointed with Ruckus - but I've wasted too much time on this.
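
Added example, not part of any post in this thread: a wpad.dat (PAC) file of the kind discussed above, written so that guest traffic never falls back to a direct connection, plus a small check that flags a fail-open PAC. The proxy address, the internal domain suffix and the helper names (isInternal, failOpenHosts, weakPac) are constructed assumptions.

```javascript
// wpad.dat sketch. Constructed placeholders, not values from the thread:
var PROXY = "PROXY proxy.school.example:8080"; // hypothetical filter address
var INTERNAL_SUFFIX = ".school.example";       // hypothetical internal domain

// Suffix test using only old-engine-safe string methods (PAC engines vary).
function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.lastIndexOf(suffix) === s.length - suffix.length;
}

// Unqualified names and hosts under the internal suffix (for example a
// captive portal or the proxy itself) are treated as internal.
function isInternal(host) {
  host = host.toLowerCase();
  return host.indexOf(".") === -1 || endsWith(host, INTERNAL_SUFFIX);
}

// Entry point a PAC-aware client calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: if the filter is unreachable the
  // request fails instead of bypassing it.
  return PROXY;
}

// A common weak variant, for comparison: falls back to DIRECT for everything.
function weakPac(url, host) {
  return PROXY + "; DIRECT";
}

// Returns the external hosts for which a PAC function permits DIRECT.
function failOpenHosts(pac, hosts) {
  return hosts.filter(function (h) {
    return !isInternal(h) && pac("http://" + h + "/", h).indexOf("DIRECT") !== -1;
  });
}
```

A PAC file is only advice to the client, and the devices in this thread ignored it, so the guest VLAN still needs a rule that permits egress to the proxy alone.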