Ruckus BPDG_Cloudpath For K 12 BPG: Best Practice Guide Cloudpath In Education BPDG

BPG: Best Practice Guide for Cloudpath in Education K-12 BPDG_Cloudpath%20for%20K-12

2017-11-10

User Manual: Ruckus BPG: Best Practice Guide for Cloudpath in Education K-12

Open the PDF directly: View PDF .
Page Count: 72

Download
Open PDF In Browser	View PDF

-----------

Deploying Cloudpath for K-12
Best Practices and Design Guide

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Copyright Notice and Proprietary Information
Copyright 2017 Ruckus Wireless, Inc. All rights reserved.
No part of this documentation may be reproduced, transmitted, or translated, in any form or by any means, electronic, mechanical, manual,
optical, or otherwise, without prior written permission of Ruckus Wireless, Inc. (“Ruckus”), or as expressly provided by under license from
Ruckus.
Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of the United States of America. Disclosure to nationals
of other countries contrary to United States law is prohibited. It is the reader’s responsibility to determine the applicable regulations and to
comply with them.
Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION
PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS
FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO
MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT, SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR
DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN
CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.
Trademarks
Ruckus Wireless is a trademark of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be
trademarks of their respective owners.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Table of Contents
Overview ......................................................................................................................................................... 6
What is the Cloudpath ES ........................................................................................................................................... 6
Certificate Management ............................................................................................................................................. 7
Policy Management .................................................................................................................................................... 7
Device Enablement .................................................................................................................................................... 7
Why Use Cloudpath? .................................................................................................................................................. 7
Overall Benefits of Cloudpath .................................................................................................................................... 7
Benefits for Education ................................................................................................................................................ 7
Common Deployment Scenarios ............................................................................................................................... 8
Configuration Requirements ...................................................................................................................................... 8

Configuring Cloudpath for Chromebooks ................................................................................................... 9
Supported Devices ...................................................................................................................................................... 9
Configuration Requirements ...................................................................................................................................... 9
Procedure Overview .................................................................................................................................................... 9
Step 1: Enable Chrome OS Devices for Your Cloudpath Workflow ....................................................................... 9
Step 2: Configure the Chromebook User Experience ............................................................................................ 10
Unmanaged Devices ................................................................................................................................................ 10
Managed Devices ..................................................................................................................................................... 10
User Experience Settings ......................................................................................................................................... 10
Download the Root CA ............................................................................................................................................. 12
Download Additional CAs ......................................................................................................................................... 12
Configuring the Chrome Extension in the Chrome Management Console.......................................................... 13
Configure Wi-Fi Settings ........................................................................................................................................... 16
Configure Policies for Device Users........................................................................................................................ 20
Force-install Unlisted Apps (beta) ............................................................................................................................ 20
Step 3: Enable Chrome OS Devices for Your Cloudpath Workflow ..................................................................... 23
Enrollment Workflow ................................................................................................................................................. 23
Troubleshooting Chrome OS Enrollment................................................................................................................ 31
Error Messages ........................................................................................................................................................ 31
Server CA ................................................................................................................................................................. 31
Access to URL .......................................................................................................................................................... 31
Length of Private Key ............................................................................................................................................... 31
Chromebook Testing Shortcuts ................................................................................................................................ 31

Sponsored Guest Access ............................................................................................................................ 32
Prerequisites - Authentication Server Setup .......................................................................................................... 32
Configuring Cloudpath for Sponsored Guest Access ........................................................................................... 32
Edit the Authentication Server Profile in Cloudpath Admin Console ........................................................................ 32
Add a Voucher Prompt to the Enrollment Workflow ................................................................................................. 33
Adding a Request for Access Prompt ....................................................................................................................... 35
Adding Vouchers to a Voucher List .......................................................................................................................... 37
How to Add Multiple Vouchers to a Voucher List ..................................................................................................... 39
©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Adding Sponsors to a Voucher List .......................................................................................................................... 40
External Sponsors .................................................................................................................................................... 42
Sponsorship Portal ................................................................................................................................................... 42
Managing Vouchers From the Sponsorship Portal ................................................................................................... 43
Sponsorship Process ................................................................................................................................................ 44
Guest User Process ................................................................................................................................................. 47
Example Use Case – Generated Voucher Lists ....................................................................................................... 49

Support for Headless Devices .................................................................................................................... 51
What Are “Headless Devices”?................................................................................................................................ 51
What is Ruckus DPSK?............................................................................................................................................. 51
Using Cloudpath with Ruckus DPSK ....................................................................................................................... 51
Configuration Procedure ........................................................................................................................................... 51
Step 1: Configure the DPSK-enabled SSID ............................................................................................................. 51
Step 2: Configure access to the Ruckus WLAN controller for Cloudpath ES ........................................................... 54
Step 3: Configure Cloudpath to distribute DPSKs .................................................................................................... 58
Congratulations: you are done ................................................................................................................................ 62
Displaying the DPSK in the portal ........................................................................................................................... 62
This message: .......................................................................................................................................................... 63
Produces this result: ................................................................................................................................................. 64
Branching users by identity and adding Dynamic VLANs to the DPSK assignment ......................................... 64

Web Content Filtering in an SSL/HTTPS World ......................................................................................... 70
Enable 3rd Party SSL Inspection and Decryption with Cloudpath ........................................................................ 70
Obtain the Web Or Content Filter Root Certificate ................................................................................................... 70

About Ruckus ............................................................................................................................................... 72

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Intended Audience
This document addresses special factors and concerns related to deploying Cloudpath for K-12 environments. These environments include a
large number of classroom devices that need to be onboarded simultaneously. After an initial Cloudpath deployment, possibly using our
White Glove Sevice, School IT personnel may want to gradually taking more and greater advantage of Cloudpath ES’s many options. Several
of these are described her along configuration guidelines. The document describes what the Cloudpath ES does, and options that are
particularly useful in K-12 / primary education
This document is written for and intended for use by technical engineers with a background in Wi-Fi design and 802.11/wireless engineering
principles. An understanding of X.509 SSL certificates and public key infrastructure (PKI) is also highly recommended. This document covers
special Cloudpath subjects, and is not an initial deployment guide. For initial deployment, the reader should see on the Ruckus Support Site:

•

CP_ES 5.0 (GA) Q UICK S TART G UIDE

•

C LOUDPATH ES 5.0 (GA) D EPLOYMENT C HECKLIST

•

C LOUDPATH ES 5.0 (GA) D EPLOYMENT G UIDE

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Overview
The Cloudpath Enrollment System (ES) is a Security and Policy Management platform that provides a single point-of-entry for devices entering
the network environment. The Automated Device Enablement (ADE) approach gives network administrators control over the onboarding of
new devices by blending traditional employee-centric capabilities (Active Directory, LDAP, RADIUS, and Integration with Microsoft CA) with
guest-centric capabilities (sponsorship, email, SMS, Facebook, and more).
The Cloudpath ES can differentiate the devices by ownership, in addition to just device type, offering the world’s first solution to extend secure
Set-It-And-Forget-It-Wi-Fi™ to all users, devices, and networks without manual IT involvement.

F IGURE 1: C LOUDPATH ES D EPLOYMENT E XAMPLE

What is the Cloudpath ES

Cloudpath Enrollment System is a security management platform with three components: Certificate Management, Policy Management, and
Device Enablement. The combination of these capabilities creates a powerful new way to provision, secure and enforce policy on every device
©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
connecting to the network, through simple portal based self service for end users. Cloudpath ES is the industry's first Automated Device
Enablement (ADE) solution.

Certificate Management

Cloudpath ES software includes a built-in, comprehensive Certificate Authority (CA) that enables any IT department to create and manage its
own Public Key Infrastructure (PKI). A built-in RADIUS server and user database greatly simplifies installation and setup and helps in tying
policies with certificates. In addition to built-in capabilities, APIs and other mechanisms enable Cloudpath software to easily integrate with
existing external CA, RADIUS and user database infrastructures.

Policy Management

Cloudpath ES software provides IT with a simple, workflow-based policy management portal that can be used to establish granular policybased access control for all users and all devices. The policy engine identifies client and user privileges and applies the correct policies to each
user and each device. The software works together with policy enforcement points to ensure policies are properly exercised.

Device Enablement

Cloudpath ES software enables portal-based, self-service onboarding for end users and their devices and further enables pre-boarding for
users and devices prior to their arrival at a given location. To ensure the network is properly protected, administrators can control which devices
are allowed to join the network and can ensure the requisite on-device enforcement, such as enabling a firewall, installing certain applications,
or updating anti-virus software.

Why Use Cloudpath?
The Cloudpath ES provides one portal for automatically onboarding and provisioning authorized devices on the secure network. The process is
simple enough to be self-service by end users on an open captive portal, and automated so that the migration to the secure network can be
managed without contacting the help desk. Cloudpath achieves this through the use of a dissolvable agent for the initial configuration and
provisioning. Cloudpath creates a better Wi-Fi experience by simplifying the network, and implemented in your existing WLAN or wired
infrastructure using standards-based security and policy mechanisms.
With user and device authorization, issues with sniffers, snoopers and evil twins are prevented. The reporting capabilities allow user and device
visibility and control, so that a network administrator can easily view what is happening on the network.

Overall Benefits of Cloudpath
There are many configuration options and benefits that make Cloudpath a good choice in a variety of environments. These include:
•

Reduce manual intervention by IT for network access and device provisioning – end password trouble tickets and end-user device
configuration by IT

•

Peace of mind – all users, including guests, and devices, including BYOD, are securely connected in a policy-compliant fashion.
Network data is more secure because policies keep unauthorized users out

•

Quick remediation – devices are associated with users, enabling identity-based policies and rapid remediation of usage violations

•

Simplicity – intuitive workflows speed policy configuration. Per user licensing means there’s no need to guess device count. Price is allinclusive. Works with the network you have

•

Better end-user experience - provision and configure devices one time and one time only. Same process for all device and device
types. Hassle-free roaming across campuses.

Benefits for Education

Cloudpath has specific benefits that are of interest to education environments. These include:
•

Chromebook support – The K-12 market is seeing a tsunami of Chromebooks, more so than any other device. Cloudpath allows them
to be configured with a click or remotely, using Google Console

•

Sponsored guest access – allows authorized employees to grant network access to third parties. It is most commonly used to provide
secure wireless network access to corporate visitors and partners, and is typically time-restricted. Cloudpath enables this without IT
involvement while maintaining the security aspect of the solution.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
•

Support for headless devices - proliferation of headless devices like Apple TVs, Interactive whiteboards, printers etc pose a unique
onboarding challenge that Cloudpath solves.

•

Student Protection - enable a content filter (using 3rd party vendors) to filter encrypted/https content, including potentially harmful
encrypted content.

•

Student Typhoon – easily handle massive influxes of new devices common at the beginning of a school year. Incoming / returning
students implies mass authentication, multiple, disparate devices

•

Pre-boarding - incoming and returning students can “pre-board” their devices, even before they arrive on campus, further
streamlining the process and easy onboarding experience

•

Personal Student Network - students can easily access their own stuff as well as other data they’ve agreed to share. In the meantime
the network much easier for IT to troubleshoot

•

Eduroam-ready - all Cloudpath-secured devices are inherently Eduroam-ready.

Common Deployment Scenarios
This document discusses best practices for planning and deploying Cloudpath in K-12 environments, namely the following:
•

Managed and unmanaged Chromebooks

•

Sponsored guest access

•

Headless devices

•

Enable HTTPS inspection with a content filter

It also lists some of the additional benefits Cloudpath offers via third party vendor integration for a more integrated and complete end-to-end
experience across multiple systems.

Configuration Requirements
This document requires the following:
•

Cloudpath ES system (cloud or on premise) pre-configured for basic enrollment service
o

Please see the following documents on the Ruckus Support site
(https://support.ruckuswireless.com/documents?filter=89#documents )

Cloudpath ES Deployment Checklist

Cloudpath ES Quick Start Guide

Cloudpath Es Deployment Guide

We offer a “White Glove Service for EDU” remote deployment assistance for initially deployment that you may wish to make
use of.

•

Wi-Fi network and access to the WLAN controller

•

Appropriate user database

•

Devices to be onboarded

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Configuring Cloudpath for Chromebooks
The Cloudpath Enrollment System (ES) extends the benefits of certificates to Chromebooks with the additional security of Public Key
Infrastructure (PKI). The certificate is installed in the Trusted Platform Module (TPM) of the Chromebook, and can be used for a variety of
certificate-based security such as Wi-Fi (WPA2-Enterprise with EAP-TLS), web SSO authentication, web two-factor authentication and more.
Cloudpath can automatically distribute user and device certificates to both IT-managed and unmanaged (BYOD) Chromebooks.
•

For IT-managed Chromebooks, Cloudpath deploys both user and device certificates via a Chrome extension provisioned through the
Chromebook management console. Whether tied to the user or the device, the certificates are TPM-backed, which means they are
burned into hardware for maximum protection

•

For unmanaged Chromebooks, Cloudpath provides a web portal for self-service and automated installation of the certificate and
configuration of related services such as WPA2-Enterprise Wi-Fi with EAP-TLS

•

Whether your network supports IT-managed or unmanaged Chromebook devices (or both), Cloudpath provides a secure method for
Automatic Device Enablement. Cloudpath can differentiate the devices on your network by ownership, not just device type, offering
the world’s first solution to extend secure Set-It-And-Forget-It Wi-Fi to all users, devices and networks without IT involvement

Supported Devices

Cloudpath supports all Chrome OS devices supported by Google. To see a list of devices currently supported by Google, please consult the
following URLs:
https://www.google.com/chrome/devices/eol.html

Configuration Requirements
Configuring Cloudpath to support Chromebooks requires the following:
•

Google Console Integration

•

User Or Device Certificates - support Installation Into the TPM of both user and device certificates. Certificates may be tied to the
user, the device, or user+device

•

User, IT, or distributor provisioned

•

Built-In Cloudpath PKI or Microsoft CA -dDistribute Certificates From the Built-In PKI or Microsoft CA

Procedure Overview

To create a Chromebook configuration in the Cloudpath ES, enable the OS on the Cloudpath Admin UI and configure the user experience
appropriate for your network. During user enrollment, if the Chrome OS is detected, the ES displays Chrome OS-specific instructions for
downloading the configuration file and installing it on the device, or if extensions are configured, the certificate and Wi-Fi settings are installed
in the TPM.
The basic procedure to configure Cloudpath for Chromebook support is as follows:

Enable Chrome OS device configuration for your workflow

Configure the Chromebook User Experience

Configure the Cloudpath Enrollment Workflow

Step 1: Enable Chrome OS Devices for Your Cloudpath Workflow
Each workflow in Cloudpath is configured for a specific set of devices and operating systems. The Chrome operating is enabled by default. If it
is not, use the following steps to enable Chrome OS device configuration.
1.

On the Cloudpath Admin UI, go to Configuration > Advanced > Device Configurations

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
2.

Select the device configuration to support the Chrome OS

On the OS-Specific Settings page, edit the Chrome: User experience options

F IGURE 2: E NABLE C HROME OS D EVICE M ANAGEMENT

Select Operating System: Chrome

Leave the default settings for Validate Server Certificate

Click Save to save your work

Step 2: Configure the Chromebook User Experience
The Chromebook user experience can be configured for managed (school owned) or unmanaged (student owned) Chromebooks

Unmanaged Devices
For unmanaged devices, the user downloads the ONC configuration file. This contains the X.509 SSL certificate and Wi-Fi settings required to
connect to the secure network. It is similar in functionality to the mobileconfig file used by Mac OS X and iOS devices.

Managed Devices

For managed devices, the Cloudpath extension is used. This is configured in the Chrome Management Console. The extension installs the
X.509 SSL certificate and settings into the TPM as the user or as the device.
After the configuration file is installed (manually, or using the extension), the user simply connects the secure network.

User Experience Settings

Cloudpath provides the prompts that guide the user through the sequence of steps that make up the enrollment workflow. During this process,
the user enters information as requested, and makes selections about user type, device type, among others. The sequences of steps for the
enrollment differ, depending on the selections that are made.
To configure the Chromebook user experience:
1.

Log into the Cloudpath Admin Console

Go to Configuration > Advanced > Device Configuration

Select the OS Settings tab for the appropriate device configuration

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
4.

Edit the Chrome: User experience options

F IGURE 3: U SER E XPERIENCE S ETTINGS

Select the Behavior settings for the device configuration.
•

The Supported Method setting controls the installation methods available to end-users. By default, installation is handled using
an ONC file, which can be used by both unmanaged and managed devices.
o

ONC Only - Allows installation using the ONC file only.

ONC + User Extension - Allows installation using the ONC file or Chrome extension. If the extension is used, the
certificate is installed as the user.

ONC + Device Extension - Allows installation using the ONC file or Chrome extension. If the extension is used, the
certificate is installed as the device.

©Ruckus Wireless

User Extension Only - Allows installation to the user TPM using only the Chrome extension.

Device Extension Only - Allows installation to the device TPM using only the Chrome extension.
11

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
•

The ONC Install Instructions contain the instructions displayed to the user if the ONC file is used to install the certificate and Wi-Fi
settings. This occurs if ONC Only is enabled or if ONC + (User or Device) Extension is enabled, but the user does not have the
extension installed.

Configure Extension Messages.
•

The Extension Install Instructions are displayed to the user if an extension is used to install the certificate on the device.

•

After the certificate has been successfully installed using the extension, the Completed Message appears.

Configure ONC Messages.
•

The App ID to Notify notifies an app when the certificate installation is complete. This can be useful if an app is managing the
enrollment process for the user.

•

If using extensions, you can specify that the extension remove existing certificates from the certificate manager. This can be useful
in cleaning up the device.

Save the configuration settings. If the active workflow in Cloudpath supports the Chromebook OS with extensions, the Explain
Chrome Setup button displays Chromebook setup instructions on the Configuration > Deploy page.

Download the Root CA

The Chrome extension (Cloudpath Certificate Generator) installs the root CA certificate (and any additional CAs) into the TPM as the user or as
the device, depending on the Chrome OS configuration in Cloudpath. Use the link in Step 1 of the Managed Chromebook Setup page to
download the root CA. This certificate will be imported into the Chrome management console later in this configuration process.

Download Additional CAs

If you have additional CAs configured (in the Cloudpath Admin UI, see the Trusted RADIUS chain in the device configuration network settings),
use the link in Step 2 to download the additional CAs.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 4: M ANAGED C HROMEBOOK S ETUP I NSTRUCTIONS

Configuring the Chrome Extension in the Chrome Management Console
Cloudpath provides all of the information you need to set up the Chrome extension, which is used to install the certificate and Wi-Fi settings
on IT managed Chromebook devices. After configuring the Chrome OS settings in Cloudpath, move on to the Chrome management console
to set up the extension.

Chrome Admin Console Settings
The web-based management console for the Chrome OS allows you to centrally configure network settings for users and extensions for your
managed Chromebooks devices. The Admin Console > Device Management is the portal for configuring Wi-Fi and network settings for the
user. Configured Wi-Fi and Certificates on the Networks page. Configure force-installed apps on the Chrome Management page.
The following steps are required to configure a device through the Chrome Admin Console:
1.

Import any required certificates

Configure Wi-Fi settings

Configure policies for users

Import Certificates
Use the following steps to upload all required certificates:
1.

Log into the Chrome management console at https://admin.google.com

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 5: C HROME A DMIN C ONSOLE

Select Device Management.

F IGURE 6: D EVICE M ANAGEMENT

Click the Network link to set up Wi-Fi and Certificates for managed devices. Use the Chrome management link to set up Wi-Fi and
Certificates for managed devices.

Navigate to the Networks page to import the CA certificate and configure the Wi-Fi settings, which will be dispersed to users or
devices through the Chrome extension

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 7: N ETWORK S ETTINGS

Click the Networks > Certificates link to import the CA certificate.

On the left side, select the organization for which you want to import the certificate, or if you don’t select an organization, the
certificate settings apply to all organizations and groups.

Click Add Certificate.

Locate and import the root CA certificate that was downloaded from the Chrome Setup

If your Cloudpath configuration contains additional CAs, you must also import the additional CAs.

10. When the certificates have been successfully uploaded, return to the Networks page to configure Wi-Fi settings.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 8: M ANAGE C ERTIFICATES

Configure Wi-Fi Settings

Configure Wi-Fi settings for the managed Chrome devices enrolled in your domain, or for logged-in users from specific sub-organizations
within your domain.
1.

Return to the Networks page and click the Networks >Wi-Fi link. On the left side, select the organization for which you want to
import the certificate, or if you don’t select an organization, the certificate settings apply to all organizations and groups

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 9: W I -F I N ETWORKS

Click Add Wi-Fi. The Add Wi-Fi page displays.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 10: W I -F I S ETTINGS

Enter the Wi-Fi data according to step 3 in the Chromebook setup instructions (Managed Devices). The Name and SSID do not
need to match.

•

Typically the SSID is broadcast

•

Automatically connect is optional.

•

Security type must be WPA/WPA2 Enterprise (802.1x).

•

EAP type must be EAP-TLS.

•

The Username must be populated. Typically, the value for this field is @, but @ also works.

Select the Root CA listed in the setup instructions (see Managed Chromebook Setup Instructions). When selecting the Server
Certificate Authority, be sure to select the certificate that contains both the root and intermediate certificates

Enter the Client enrollment URL that is listed on the Chromebook setup instructions (see Managed Chromebook Setup
Instructions)

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
6.

Enter the Issuer pattern fields as directed by the Managed Chromebook Setup instructions. Common Name is a required field

Apply network by user

F IGURE 11: I MPORTED R OOT CA

WITH I NTERMEDIATE

F IGURE 12: W I -F I S ETUP C ONTINUED

Click Add to add the Wi-Fi configuration for the organization

Return to the Device Management page to configure the force-install for the Cloudpath Certificate Generator

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Configure Policies for Device Users
The Cloudpath Certificate Generator must be added to the “Force-installed Apps and Extensions.” Configure policies for Chrome device users
within a school, and configure the policy for the Cloudpath extension in the Apps and Extensions section.
Force-installed Apps: You can force installation of specified apps on managed Chrome devices so that they see the apps from their

apps list when they're signed in to their Chrome devices.

Configure Force Install Apps in User Settings
1.

Navigate to Device Management > Chrome Management, and select User Settings

Scroll down to the Apps and Extensions section

Click Manage force-installed apps

F IGURE 13: F ORCE I NSTALLED APP S & E XTENSIONS

The left side lists the available apps and extensions, and the right side lists the apps and extensions to install on the managed devices

for this network. Search for the Cloudpath Certificate Generator and add it to the force-install list. The extension is installed on the
user device according to the Chrome OS user experience Behavior setting in Cloudpath.

Force-install Unlisted Apps (beta)

If you have an application that is unlisted, you must load it as a custom application.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Configure Force Install Unlisted Apps in User Settings
10. Navigate to Device Management > Chrome > App Management

F IGURE 14: C HROME A PP M ANAGEMENT

11. From the top-right Settings menu, select Add Custom App

F IGURE 15: A DD A C USTOM A PP

12. Enter the App ID and URL

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 16: C ONFIGURE C USTOM A PP P ARAMETERS

13. After the app is created, configure the settings for users that log in with an account in your domain.
14. Select User settings

F IGURE 17: C USTOM A PP U SER S ETTINGS

15. On the User settings page for your application, select an organization under Orgs in the left pane

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 18: C ONFIGURE C USTOM A PP

16. In the right pane, enable Force installation
17. Save the configuration
18. The unlisted application can now be added as a Force-install app

Step 3: Enable Chrome OS Devices for Your Cloudpath Workflow
Cloudpath provides the prompts that guide the user through the sequence of steps that make up the enrollment workflow. During this process,
the user enters information as requested, and makes selections about user type, device type, among others. The sequence of steps for the
enrollment differs, depending on the selection that is made.

Enrollment Workflow

During enrollment, the Chrome OS is detected and Cloudpath provides Chrome OS-specific instructions for downloading the configuration file
and installing it on the device manually, or automatically if extensions are configured. After the configuration file is installed, the Chromebook
automatically connects to the secure network.
The following section provides an example of the one time Chromebook enrollment user experience for student owned or unmanaged devices
and district owned managed devices. The exact sequence of steps for the enrollment differs, depending on the selections administrators have
made. That is, the enrollment workflow will branch, and an IT person setting up a managed device will follow a slightly different path than an
unmanaged student owned device.
1.

The user connects to the deployment URL (either directly, or through a Captive Portal)

The Cloudpath Welcome screen displays. The login screen can be customized with the logo, colors, and text for the organization
or institution. The screens in this example use the default look and feel of the application

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 19: C LOUDPATH W ELCOME S CREEN ( CUSTOMIZABLE )

If required by the network, the user might see a User Type prompt. A user type prompt can provided as part of a branch in the
workflow for the different types of users on your network. For example, in an education network, the user types might be
Student/Staff/Faculty, or in Enterprise network, they might be Employees/Guests/Contractors.

F IGURE 20: U SER T YPE P ROMPT

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
4.

If required by the network, the user can be prompted enter their credentials. A user credential prompt might request credentials
from an AD or LDAP server, or from RADIUS

F IGURE 21: U SER C REDENTIALS P ROMPT

If required by the network, the user might see a Device Type prompt. A device type prompt can be provided as a branch in the
workflow for the different types of devices on your network.

F IGURE 22: D EVICE O WNERSHIP T YPE P ROMPT

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
6.

The final portion of the user experience differs, depending on if the certificate and Wi-Fi settings are set for delivery using the
ONC file (unmanaged devices) or an extension (managed devices). See the following links to continue with the user experience
example for your configuration.

•

Unmanaged Devices

•

Managed Devices

Unmanaged Chromebook User Experience
With an unmanaged Chromebook device, the user downloads and installs the ONC file, which contains configuration information required to
access the secure network, including the certificate and Wi-Fi settings. For unmanaged devices, the application detects the Chrome operating
system and displays instructions for installing the Chrome configuration on the device.

F IGURE 23: C ONFIGURATION I NSTALLATION I NSTRUCTIONS

The manual download page shows the Chromebook instructions, which are as follows:
1.

Step 1 provides the link to download the ONC file

Follow Step 2, which provides instructions for importing the ONC file

Copy the URL from the instructions and then paste the URL into a new browser window. The Chrome OS Import ONC File page
will then display.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 24: I MPORT ONC F ILE

Click Choose File and browse to select the .onc file.

After the ONC file has installed, click the Wi-Fi icon in the bottom right corner of your screen and select the secure network.

F IGURE 25: C ONNECT TO W I -F I N ETWORK

The next screen shows the configuration settings and credentials that will be used. Typically, user credentials are populated using
the information passed during the enrollment process. Click Connect.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 26: U SER C REDENTIALS

The user should now be connected to the secure network and you have completed the configuration.

Managed Chromebooks With Extension User Experience
If managed Chromebooks are configured, the download page does not display. When Cloudpath detects the Chrome OS during enrollment,
the extension automatically generates and installs the CA certificate into the TPM. The extension generates the certificate.
The process is as follows:
1.

IT personal connect to the Cloudpath deployment URL (either directly, or through a Captive Portal)

Cloudpath detects the device is using Chrome OS

The extension imports the certificate into the TPM

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
4.

When the certificate installation is complete, a message displays indicating that the certificate is installed and ready for use

F IGURE 27: G ENERATING C ERTIFICATE

F IGURE 28: C ERTIFICATE I MPORTED

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 29: C ERTIFICATE I NSTALLED

Click the Wi-Fi icon in the bottom right corner of your screen and select the secure network.

F IGURE 30: S ELECT W I -F I N ETWORK

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
The user should now be connected to the secure network and you have completed the configuration.

Troubleshooting Chrome OS Enrollment

This section describes issues to consider when testing or troubleshooting the configuration for the Cloudpath extension.

Error Messages

If a user receives a message "This device requires management controlled extension ", typically this means that the device
does not have the extension installed.

Server CA

If the network does not accept the CA certificate, check that the Issued to section for the Server CA includes both the root and intermediate
CA.

Access to URL

If the user unable to reach the enrollment URL, be sure that the client enrollment URL begins with HTTPS://.

Length of Private Key
While older versions of the Chromium OS did not enforce the minimum key length of 1024, the newer releases appear to enforce this change.
However, it appears that this change does not support a 4096-bit key.
If you see an error that says "Error: The operation failed for an operation-specific reason.", view the page source on the page4download.html
and locate the keylength/alg info. If it lists the following:

The fix for this issue is to navigate to the certificate template in the Cloudpath Admin UI and change the private key length to 2048 and the
algorithm to SHA-256.

Chromebook Testing Shortcuts

Use the following browser shortcuts to manage different aspects of your Chrome configuration.
Shortcut URL

Description

chrome://policy

Displays all the policies which are currently in effect for the browser. Use the
Reload policies button to force a re-sync with an updated policy.

chrome://extensions

Manage installed extensions. Check the Developer mode box (upper-right) to
display the Update extensions now button. This is a useful testing tool.

chrome://settings

Directs you to the Menu > Settings page. From here you can control various
browser related settings.

chrome://net-internals

This displays all networking related information. Use this to capture network events
generated by the browser. You can also export this data.

chrome://certificate-manager

Manage user, server, and CA certificates.

chrome://dns

Displays the list of hostnames for which the browser will pre-fetch the DNS records.

chrome://chrome-urls

View all the available chrome:// commands.

T ABLE 1

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Sponsored Guest Access
Sponsored guest access allows authorized employees to grant network access to third parties. It is most commonly used to provide wireless
network access to corporate visitors and partners, and is typically time-restricted. By distributing authorization to employees, third parties can
quickly gain access without IT involvement and with appropriate traceability. Sponsored guest access is a useful scenario in a environment as it
allows the school employees to sponsor guest access for visitors without involvement from the IT, cutting a large overhead.

Prerequisites - Authentication Server Setup
To configure the sponsored access feature, the network administrator must set up a sponsor group in the corporate AD or LDAP server for
employees that can be authorized as sponsors. For example, create a group named Manager or Wireless Sponsors in Active Directory. This
group name is then used by Cloudpath to determine which users can log into the sponsorship portal and sponsor guest users.

Configuring Cloudpath for Sponsored Guest Access
This section describes how to configure Cloudpath for sponsorship, add a voucher or request for access prompt to the enrollment workflow,
and how to add vouchers and sponsors to the voucher list. The basic process is as follows:
1.

Edit the authentication server profile in Cloudpath

Add a voucher prompt to the enrollment workflow

Add a request for access prompt

Edit the Authentication Server Profile in Cloudpath Admin Console
1.

Log into the Cloudpath Admin Console and go to Administration > Advanced > Authentication Servers.

On the Authentication Servers page, edit the AD or LDAP server you will be using to authenticate sponsors and guest users

F IGURE 31: E DIT THE AD S ERVER C ONFIGURATION IN C LOUDPATH A DMIN C ONSOLE

Select the User For Sponsor Logins box, to allow sponsors to log into the sponsorship portal using credentials from this authentication
server.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Add a Voucher Prompt to the Enrollment Workflow

This section describes how to add a step in the enrollment workflow to prompt a guest user for a voucher or one-time password. Use this
configuration if you plan to use generated voucher lists.

How to Add a Voucher Prompt for Guest Users in the Workflow
4.

From the ES Admin UI, go to Configuration > Enrollment and create an enrollment workflow for guest users.

Add an enrollment step that prompts guest users to Authenticate via a voucher.

F IGURE 32: C REATE V OUCHER E NROLLMENT S TEP

Create a new voucher list for guest users.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 33: C REATE V OUCHER L IST

In the Sponsorship section, enter the appropriate information in the following fields:

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
•

Format - In addition to defining the voucher format, determine if you want to enable RequireUsername Match.

•

LDAP Group Regex - Defines with groups within LDAP are allowed to be sponsors. For example, if you enter Wireless Sponsors,

this means that anyone in the Wireless Sponsors AD group can sponsor a guest user. LDAP Username defines which usernames
within LDAP are allowed to be sponsors, LDAP Username DN defines with username DNs are allowed to be sponsors.
•

Maximum Certificates - Maximum number of vouchers that a sponsor is allowed to create and allocate for a particular voucher list.

•

Default Permissions - The permissions to be used for sponsors authenticated using the Sponsorship AD Group Regex.

•

Add/Edit/Delete Sponsors In Group - If checked, the sponsor can add, edit, and delete other sponsors within the group.

•

Manage Devices Enrolled By Sponsor - If checked, the sponsor can review and revoke devices enrolled via vouchers issued by

that sponsor.
•

Manage Devices Enrolled By All - If checked, the sponsor can review and revoke devices enrolled via vouchers issued by any

sponsor (within the Voucher List).

•

New Sponsor Email Subject - When a new sponsor is added, an email is sent to the sponsor with this subject.

•

New Sponsor Email Template - When a new sponsor is added, an email is sent to the sponsor with this message.

In the Fields Displayed to Sponsor section, select Do not show, Show, or Show and require entry to specify the information to be
shown when a sponsor creates a voucher list for guest access.

If needed, create one or more Initial vouchers.

10. Create a webpage that will prompt the user to enter their voucher and Save. The voucher prompt is saved in the workflow.

F IGURE 34: C LOUDPATH W ORKFLOW

Adding a Request for Access Prompt

This section describes how to create a workflow plug-in that allows guests to request access via sponsorship upon arrival. Use this configuration
if you want users to request immediate access from sponsors. While the voucher list workflow plug-in requires the sponsor to pre-sponsor the
guest, the request for access workflow plug-in allows the guest to enter their information on a webpage and then request access. The guest is
held in a pending state until the sponsor accepts or rejects the request. The request may go to a static user (like a receptionist), to a sponsor
selected from a list by the guest, or to a sponsor that is entered by the guest upon arrival.

How to Add a Request for Access Prompt to the Workflow
1.

From the ES Admin UI, go to Configuration > Enrollment and create an enrollment workflow for guest users.

Add an enrollment step that prompts guest users to Request Access From a Sponsor.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 35: C REATE A CCESS R EQUEST

For Sponsors, enter the email address for a dedicated contact, create a drop-down list of sponsors, or allow the guest to enter the

email address of a sponsor.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
5.

The Sponsor Email Template is the information sent to the sponsor when a guest is requesting access. Use the default sponsor

email template or create a custom email subject and message.

Specify the fields to display to the guest user.

Specify the fields to display to the sponsor receiving the access request.

The User Webpage Information is the prompt that displays to the guest during the enrollment process. Use the default guest

10. prompt, enter your own messaging, or upload a custom HTML file.
11. The User Error Messages display to the guest user if there is an issue with the access request.
12. Click Save.

F IGURE 36: R EQUEST FOR A CCESS W ORKFLOW

The workflow now includes the step for requesting guest access.

Adding Vouchers to a Voucher List

This section describes how to populate a voucher list. You can add a single voucher or upload multiple vouchers from a CSV file.

Voucher Lists
1.

From the ES Admin UI, go to Sponsorship > Vouchers to view the voucher lists. (Alternately, you access the Voucher List page by
double-clicking the Voucher List link in the enrollment workflow.)

Expand the voucher list.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 37: V OUCHER L IST

Click Add Vouchers to create a single voucher or upload a list of vouchers. The Create Vouchers page opens.

F IGURE 38: C REATE V OUCHERS

How to Add a Single Voucher to a Voucher List
4.

On the Create Vouchers page, select Create a single voucher

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 39: C REATE S INGLE V OUCHER

On the Modify Voucher page, enter the guest user information in the fields, as described below, and Save. Only the Voucher field

•

is equired.
Voucher - This field is pre-populated, but can be changed.

•

Name - Guest user name.

•

Company - Guest user company.

•

Email - Guest user email address.

•

Email Voucher to User? - Checked by default. If checked and email is entered, voucher is sent to guest user by email.

•

Phone Number - Select country and enter guest user phone number.

•

SMS Voucher to User? - Checked by default. If this is checked and Phone Number is entered, voucher is sent to guest user

•
•

by SMS.
Reason - The reason the guest user is provided access.

•

Redeem Voucher By - The date after which the voucher may longer be redeemed.

How to Add Multiple Vouchers to a Voucher List

If you are using a comma-separated value (CSV) file to upload multiple vouchers, the information must be formatted according to the
instructions on the Create Vouchers page. A template file is available for download.
6.

On the Create Vouchers page, select Upload a CSV file containing a list of vouchers.

Click Choose File to navigate to the CSV file to upload and click Next.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 40: R EVIEW V OUCHERS TO I MPORT

Verify the vouchers to import and specify if voucher should be sent to user by email or SMS, and Save.

•

Send vouchers by TXT messages - If checked, the voucher is sent to the user by TXT, if a phone number is specified in the CSV
file.

•

Send vouchers by Email - If checked, the voucher is sent to the user by email, if an email address is specified in the CSV file.

The Voucher Lists page shows which vouchers have been used, the expiration dates, and any guest user details that were entered when the
sponsor created the voucher, or contained in the CSV file.

Adding Sponsors to a Voucher List

Administrators can add sponsors to a voucher list. Sponsors can create vouchers and invite guest users to join the secure network. Cloudpath
supports Onboard and External sponsors. Onboard sponsors are created locally on the ES Admin UI. External sponsors can log into the
Sponsorship Portal if they match a username or group name specified in the Authentication server.

How to Add Onboard Sponsors
An onboard sponsor is created locally on the ES Voucher list.
9.

From the ES Admin UI, go to Sponsorship > Vouchers to view the voucher list to be used for sponsors. (Alternately, you access
the Voucher List page by double-clicking the voucher list link in the enrollment workflow.)

F IGURE 41: V OUCHER L IST - A DD S PONSOR

10. In the Sponsor Group section, click Add Sponsors. The Sponsor Email pop-up appears.
©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 42: S PONSOR E MAIL

11. Enter the email address of the sponsor for this voucher list and click Continue. The email address becomes their Name.

F IGURE 43: ES A DMIN UI - M ODIFY S PONSOR

12. On the Modify Sponsor page, enter the sponsor Name, Description, and Enable the sponsor.
13. In the Login Information section, enter the sponsor’s Email address and Password. If you check the Send Email box, this
information is emailed to the sponsor.
14. In the Permissions section, check the box for the appropriate sponsor permissions.
o

Add/Edit/Delete Sponsors In Group - If checked, the sponsor can add, edit, and delete other sponsors within the group.

Manage Devices Enrolled By Sponsor - If checked, the sponsor can review and revoke devices enrolled via vouchers issued
by that sponsor.

Manage Devices Enrolled By All - If checked, the sponsor can review and revoke devices enrolled via vouchers issued by any
sponsor (within the Voucher List).

o
©Ruckus Wireless

Allow Bulk Creation - If checked, the sponsor can create vouchers in bulk by importing a spreadsheet of vouchers. A default
41

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
template is provided.
15. Save the sponsor information. The sponsor information is displayed in the lower part of the voucher list.

F IGURE 44: ES A DMIN UI - V OUCHER L ISTS

External Sponsors

An external sponsor uses AD or LDAP credentials to log into the Sponsorship Portal. An external sponsor can create voucher, invite users to
join the secure network, and if the voucher list permissions allow, they can manage other sponsors and enrolled devices. If you want to allow
sponsors to log in to the Sponsorship Portal using AD or LDAP credentials, the authentication server must be configured with the specified
username or group name filter.

Sponsorship Portal

From the sponsorship portal, a sponsor can invite guest users to join the network by creating one or multiple vouchers, view outstanding,
consumed, expired, and revoked vouchers, and manage devices, and sponsor accounts in your AD or LDAP group. Use the Sponsorship Portal
if guest access is managed using voucher lists.

How to Customize Sponsorship Portal
You can customize the labeling, images, and colors for the sponsorship portal.
1.

From the ES Admin UI, go to Sponsorship > Look & Feel. The sponsorship portal System Setup page displays the titles and colors
for the sponsorship portal.

Click Edit to customize the sponsorship portal.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 45: C USTOMIZE S PONSORSHIP P ORTAL

Modify titles and colors as needed.

4. To import a customized logo file to display in the upper-left corner of the sponsorship portal, the image size should be 180 x
84

pixels.

Save the customizations.

Managing Vouchers From the Sponsorship Portal

Sponsors can access the sponsorship portal by entering the sponsorship URL https:///portal/sponsor/. When the
portal login page opens, follow these steps to sponsor a guest:
1.

Log into the sponsorship portal

F IGURE 46: S PONSORSHIP P ORTAL L OGIN

Enter the Username and Password that was sent when the voucher list was created.

4. The first time a sponsor logs in, the password must be changed.

©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 47: S PONSORSHIP P ORTAL - C HANGE P ASSWORD

After the password updates, the Sponsorship Portal opens.

F IGURE 48: S PONSORSHIP P ORTAL N AVIGATION M ENU

The left-hand navigation menu includes tabs for Sponsorship operations and Administration operations. Use the sponsorship tab to invite users
and review outstanding, consumed, expired, and revoked invitations. The Administration tab is where sponsors can add, change, or remove
other sponsors (if allowed by the administrator).
For more information on how to manage invitations and sponsors, please refer to the Cloudpath administrator’s guide.

Sponsorship Process
The Sponsor Experience - Generated Voucher Lists
An administrator gives an employee permission to sponsor guest users by placing them in a Sponsor group in the corporate authentication
server (AD or LDAP). When a visitor arrives, the employee sponsor checks the visitor in. To provide a guest user with network access, the
sponsor must log in to the Sponsorship Portal to create a voucher for the guest user. Sponsors can access the Sponsorship Login Portal from:
•

ES Admin UI Deployment Locations page or Sponsor Portal button.

•

ES Admin UI Voucher Lists page

•

The Sponsorship URL: https:/portal/sponsor

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 49: L INK TO S PONSORSHIP L OGIN P AGE - D EPLOYMENT L OCATIONS P AGE

After sponsor credentials are checked against the corporate authentication server, the sponsorship portal Welcome page appears.

F IGURE 50: S PONSORSHIP P ORTAL W ELCOME P AGE

The sponsor clicks the Create Voucher button to create a voucher for the guest user.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 51: C REATE V OUCHER FOR G UEST U SER

The sponsorship portal can be used to create vouchers, view voucher usage, and with the correct permissions, manage vouchers and sponsors.
When finished, the sponsor must log out of the sponsorship portal.

Sponsor Experience - Request Network Access
A sponsor receives an email notification that indicates they are approved for granting network access to guest users.

F IGURE 52: E MAIL TO SPONSOR

The sponsor receives and email from the guest user requesting access. This messaging is configurable.

F IGURE 53: E MAIL FROM S YSTEM

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 54: S PONSOR A PPROVES G UEST A CCESS

Sponsor receives confirmation that access has been accepted.

F IGURE 55: A CCESS A CCEPTED C ONFIRMATION

Guest User Process
Guest User Experience - Generated Voucher Lists
The guest user receives the voucher from the sponsor (by email, SMS, or manual delivery), accesses the onboarding wireless network, and is
redirected to the Cloudpath system. As part of the enrollment process, the visitor is prompted for the voucher code.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 56: V OUCHER P ROMPT FOR G UEST U SER

The guest user enters the voucher code provided by the sponsor and continues with the enrollment process to gain access to the secure
network.

Guest User Experience - Request Network Access
The guest user connects to the onboarding SSID. If you have a captive portal configured, they are redirected to the Cloudpath system to enroll
their device for the secure SSID. If no captive portal is configured, an enrollment URL is provided to them. As part of the enrollment process,
the guest is prompted for to request access to the secure network. The guest must wait for approval before they can continue.

F IGURE 57: E NROLLMENT P ROCESS R EQUEST A CCESS F ORM

The user enters the required information. The list of required fields is configurable.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

F IGURE 58: P ENDING A CCESS R EQUEST

If the access is approved, the user continues with the enrollment process. The next screen the users sees depends on how the network

Example Use Case – Generated Voucher Lists

During the setup of the Cloudpath Enrollment System (ES), the network administrator specifies that visitors may gain network access if they are
sponsored. The network administrator specifies that anyone belonging to the Wireless Sponsors group within Active Directory can sponsor a
guest. Along with this, the network administrator specifies that access is valid for three days.

F IGURE 59: C LOUDPATH S PONSORSHIP L OGIN P AGE

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
Prior to the guest’s arrival, the sponsor accesses the sponsorship portal. After authenticating with the Active Directory server, the sponsor can
specify details about the guest user, including name, email address, and the reason for sponsorship. After doing so, a unique voucher is
generated for the guest user.
A voucher is a one-time password (OTP) and is useful for controlling access to an enrollment process separate from, or in addition to, user
credentials. The system may automatically email the guest user or the sponsor can communicate the voucher manually.
Upon arrival, the guest user accesses the onboarding wireless network. The guest user is redirected to the Cloudpath system. The guest user
completes the workflow specified by the network administrator, including specifying the voucher. Once authorized, the guest user is issued a
certificate and moved to the secure wireless network.

Example Use Case – Request Network Access
While the Generated Vouchers use case requires the sponsor to pre-sponsor a user by generating a voucher ahead of time, the Request
Network Access use case allows the user to enter their information on a webpage during the enrollment process, and request access. The user
is held in a pending state until the sponsor accepts or rejects the request. The request may go to a static user (like a receptionist), to a sponsor
selected from a list by the user, or to a sponsor entered by the user.
In this use case, Cloudpath is set up with a Request Access workflow plug-in, which allows the on-demand access to occur. This enrollment step
allows the user to request access to the network as part of the enrollment process. It is not necessary to create a voucher list ahead of time.

F IGURE 60: R EVIEW A CCESS R EQUEST

Upon arrival, the guest user accesses the onboarding wireless network. The guest user is redirected to the Cloudpath system. The guest user
completes the workflow specified by the network administrator, and when the guest encounters the request access step, they fill in the
required information and this information is sent to an approved sponsor. The sponsor can approve the access request, which allows the user
to continue with the enrollment process. Once authorized, the guest user is issued a certificate and moved to the secure wireless network.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Support for Headless Devices
What Are “Headless Devices”?
Unlike a laptop, smartphone or table, headless devices typically lack a traditional monitor and have a limited input. Examples include WebTV
devices (Rocku, AppleTV, Chromecast), interactive whiteboards, printers, possibly game stations, etc. Typically, such devices do not support
802.1X security and are limited to PSK or open WLANs. They are generally marketed for home use, and the designers, not unreasonably,
expect them to use home networks which typically do not rely on full blown RADIUS based PKI certificates.
Nevertheless, these devices are often useful in the classroom, even if the original design has not accounted for robust network security.
However, Cloudpath ES can utilize another Ruckus technology, Dynamic Pre-Shared Key (DPSK) to enable simple onboarding and robust
security of these devices.

What is Ruckus DPSK?
When a user asks “what’s the Wi-Fi password?”, in strict network security terms, they are asking for the Pre-Shared Key, or PSK, of the WLAN.
“Pre-shared”, because everyone knows it, and “key” because it unlocks the WLAN’s privacy encryption. It is perfectly good security for a home
WLAN or a small office with a limited number of users, but not good practice in even the smallest of schools. However, Ruckus has a
technology that can piggy back on PSK WLANs and give every device a unique encryption key (”Wi-Fi password”).
Dynamic Pre-Shared Key (DPSK) is a patented technology that can provide robust and secure wireless access for devices that can only accept
PSK level security. Dynamic PSK creates a unique encryption key (up to 63 bytes) for each device accessing a PSK WLAN. Although there is a
master PSK for the WLAN, there is no need to share it - although it can be used if needed by IT personnel. With Ruckus DPSK, devices that do
not support 802.1X and certificates can still be uniquely registered and tracked on the network with a record of the registering owner.

Using Cloudpath with Ruckus DPSK

We can add a branch to the Cloudpath ES workflow for the user to “register a headless device” – or other language that will make sense to
your users. Cloudpath can then be configured to check the user’s credentials and, if accepted, communicate with the Ruckus Controller to
generate a DPSK and keep a record of the registering user. The DPSK is sent to the user, and can be typed into the device like a normal “wi-fi
password”, at which point the DPSK is locked to that one device (bound to it’s MAC address), and is already registered to the particular user.

Configuration Procedure

The following steps are required to configure Cloudpath with Ruckus DPSK.
1.

Configure Ruckus controller (ZoneDirector or SmartZone) with a DPSK-enabled SSID

Configure the access to the Ruckus WLAN controller for Cloudpath ES

Enable the Northbound Interface for ZoneDirector

Create a username/password identity on SmartZone

Configure the Cloudpath ES workflow and deploy

Step 1: Configure the DPSK-enabled SSID
ZoneDirector DPSK WLAN Configuration
Use these steps to configure a WLAN with DPSK enabled on it on ZoneDirector controllers. You will create a standard PSK WLAN and then
check the necessary options to enable DPSK. Note that, for historical reasons, we will need to enable Zero-IT to configure DPSK. However, we
will not be making use Zero-IT (a precursor to Cloudpath ES) . Also, we will add a “master” PSK to this WLAN. Keep in mind, this is a normal
PSK (“Wi-Fi password”) for the WLAN, and will work for any device or even any number of devices. Unlike the typical PSK WLAN, only the

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
WLAN administrator should know this PSK. Ideally, no device should use this key. ALL devices that access the WLAN should be registered via
Cloudpath ES and all should use a unique DPSK.

F IGURE 61 : R UCKUS Z ONE D IRECTOR WLAN

CONFIG

Go to Configure > WLANs
Either Edit an existing WLAN or Create New to open the WLAN configuration form.

Under Type, select Standard Usage.

Under Authentication Options: Method, select MAC Address or Open.
Under Encryption Options: Method, select WPA2 (not WPA-Mixed, as selecting WPA-Mixed will disable the Zero-IT activation

option).
6.
7.

Under Encryption Options: Algorithm, select AES (not Auto, as selecting Auto will disable the Zero-IT activation option).
If using MAC Address authentication, choose an Authentication Server to authenticate clients against--either Local
Database or RADIUS Server.

8.
9.

Ensure that the Zero-IT Activation check box is enabled.
Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
10. Note: users will type these characters into the PSK settings of their registered devices. They will not have to remember it, they
only need to type it in at the initial configuration. Something reasonable like 8-12 characters is appropriate
11. Because we are creating this WLAN for ‘headless devices,’ choose Mobile Friendly DPSK rather than Secure DPSK
12. Secure DPSK: Includes almost all printable ASCII characters, including periods, hyphens, dashes, etc. This option is more secure,
however it is difficult to input for mobile clients whose keyboards may not contain the entire set of printable ASCII characters.
13. Mobile Friendly DPSK: Choose this option if this WLAN will be used for mobile clients. This option limits the range of characters
to lower case and upper case letters and numbers, which makes it easier for users to input the DPSK when activating a mobile
client to a Zero-IT WLAN. (You may also want to limit the DPSK length to 8 characters for the convenience of your mobile client
users.)
14. Expire DPSK: Set when the DPSK should expire. In Validity period, choose whether the DPSK expiration period will start from first
use or creation time.
15. Limit DPSK: By default each authenticated user can generate multiple DPSKs. Select this option to limit the number of DPSKs
each user can generate (1-4).
16. Click OK to save your settings.

SmartZone DPSK WLAN Configuration
Use these steps to configure a WLAN with DPSK enabled on physical and virtual SmartZone controllers. You will create a standard PSK WLAN
and then check the necessary options to enable DPSK. Also, we will add a “master” PSK to this WLAN. Keep in mind, this is a normal PSK
(“password”) for the WLAN, and will work for any device or even any number of devices. Unlike the typical PSK WLAN, only the WLAN
administrator should know this PSK. Ideally, no device should use this key. ALL devices that access the WLAN should be registered via
Cloudpath and all should use a unique DPSK

Go to Configuration > WLANs

In a vSZ-H, you may have to navigate to the correct admistrative domain and Zone before choosing WLAN

Either Edit an existing WLAN or Create New to open the WLAN configuration form.

Give it a Name and SSID (by default, it will copy the name to SSID)

Under Type, select Standard Usage.

6.
7.

Under Authentication Options: Method, select MAC Address or Open.
Under Encryption Options: Method, select WPA2

Under Encryption Options: Algorithm, select AES

If using MAC Address authentication, choose an Authentication Server to authenticate clients against--either Local
Database or RADIUS Server. Most likely this is unnecessary when using Cloudpath

10. Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62
characters).
11. Note: users will type these characters into the PSK settings of their registered devices. Something reasonable like 12 characters
is appropriate
12. Because we are creating this WLAN for ‘headless devices,’ choose or Mobile Friendly DPSK rather than Secure DPSK
13. Secure DPSK: Includes almost all printable ASCII characters, including periods, hyphens, dashes, etc. This option is more secure,
however it is difficult to input for clients whose keyboards may not contain the entire set of printable ASCII characters.
14. Mobile Friendly DPSK: Choose this option if this WLAN will be used for mobile clients. This option limits the range of characters
to lower case and upper case letters and numbers, which makes it easier for users to input the DPSK when activating a mobile
client to a Zero-IT WLAN. (You may also want to limit the DPSK length to 8 characters for the convenience of your mobile client
users.)
15. Expire DPSK: Set when the DPSK should expire. In Validity period, choose whether the DPSK expiration period will start from first
use or creation time.
16. Limit DPSK: By default each authenticated user can generate multiple DPSKs. Select this option to limit the number of DPSK s
each user can generate (1-4).
©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
17. Click OK to save your settings.
18. This WLAN is now ready to authenticate users using Dynamic Pre-Shared Keys, once Cloudpath ES has verified their credentials
and issued a DPSK.

Figure 62: Ruckus SmartZone WLAN config

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

ZoneDirector: Configure the Northbound Interface API
Use these steps to configure a password for the NBI API.
1.

Go to Configure->System

Scroll down to Network Management and click the plus (+) sign to expand it

Tick the box titled Enable northbound portal interface support and add a password

Click OK to save your changes

Figure 63: Ruckus Zone Director northbound interface

SmartZone: Configure a DPSK generator user role and login for Cloudpath
Create a user role for DPSK generation in SmartZone v 3.4

In vSZ-E or Smartzone-100, navigate to “Administration -> Administrators – >Administrator Roles., or

In vSZ-H or “Configuration -> Administrators” and scroll down to “Administrator Roles.

Choose Create New

Name the new role (Ex. “cloudpath-dpsk”)

Deselect everything with the deselect all button (square with no checkmark)

10. Navigate the tree to Configuration -> Wireless Network -> WLANs ->WLAN
11. Under WLAN, check “create” and “new”
12. Click OK in the lower left corner to save the new role

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 64: Ruckus SmartZone administrator role config

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
Create a user role for DPSK generation in SmartZone v 3.5

Figure 65: Ruckus SmartZone administrator role config

1.
2.

In all SZ variations, navigate to “Administration -> Admins and roles –> Groups.
Choose + Create

Name the new role (Ex. “cloudpath-dpsk”)

Select “custom” in the permission drop down; click next

Select resources by clicking and then using the arrows to move to “selected resources”

User/Device/App – choose Full Access in the drop down

WLAN – choose Read Only in the drop down

Click next

In SZ-H, select domain(s), click Next

10. In “Configure User Group”, click the plus sign (“+”) near “Available users” to Create and Administrator Account
11. Create a login account for the Cloudpath ES; click OK
©Ruckus Wireless

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
12. Select the new account by clicking on it, and use the arrows, to move it to “selected users.” Click Next
13. Review and if acceptable, click “OK”.

Figure 66: Ruckus SmartZone administrator account config

Step 3: Configure Cloudpath to distribute DPSKs

Use these steps to configure Cloudpath to use DPSK to onboard devices for this SSID. We will add a branch to an existing workflow. You
should already be familiar with the basics of building a workflow in Cloudpath. If not, please see the “Cloudpath Deployment Guide” and
related documentation on the Cloudpath ES server or the Ruckus support site.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 67: Ruckus SmartZone WLAN config

Minimal workflow for DPSK
1.

Add a branch for headless devices

Add User authentication

Generate the DPSK – default behavior includes emailing it to user

Assign device configuration – this step is required for a workflow, but will be set to “none” since this is registration for another device.

Configure “Generate a DPSK via Ruckus Controller
1.
2.
3.
4.
5.
6.

Add a branch for Headless devices to the work flow
•
i.e. – “Teachers, Students, Media devices”
Add a user authentication step –
•
You probably want to reuse an existing user authentication, such as one for Teachers
After user authentication, insert a step, scroll down the list and choose “Generate a Ruckus DPSK. Click Next.
Choose a new DPSK configuration, click Next
Give it a name and choose “Zone Director” or “SmartZone”, as appropriate
For SmartZone
a. Use the username and password you created in the previous section
b. IP/DNS of the Smartzone, SSID and Zone as desired.
c. VLAN ID is optional. Dynamic VLANs will be addressed in the next section
For Zone Director
a. Use the password for the northbound interface you created in the previous section
b. Chose the key length with the slider bar
c. VLAN ID is optional. Dynamic VLANs will be addressed in the next section
Click Save

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 68: Ruckus Cloudpath insert a step

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 70: Ruckus ZoneDirector DPSK config

Modify the “assign a device configuration” step
Because this DPSK will be entered on another device, there is no need to download a profile unto the device doing the registration
1.
2.
3.
4.

Click on the pencil icon to Edit, and chose “none”
Click next
Choose ‘Do not issue a certificate”
Click Next

Deploy the workflow to the correct location and test
Don’t forget that a workflow must be deployed/published to the web server before an end user can access it. You can use the “User
Experience” button for local testing.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 71: Cloudpath workflow deployment screen

Congratulations: you are done

You have configured a DPSK WLAN and a Cloudpath ES registration portal for DPSK device registration. However, Cloudpath ES is almost
infinitely configurable, and some special topics are discussed below.

Displaying the DPSK in the portal
By default, the DPSK is emailed to the user. You can add a message that displays it to the screen.
1.
2.
3.
4.
5.

Insert a step in the workflow after the DPSK generation
Choose “Display a message”
Click Next
Choose “A New Message from a Standard Template”
Name and modify the template to display the DPSK and an appropriate message
a. Note that the template accepts HTML
b. The DPSK itself can be represented as a variable with ${DPSK}

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

This message:

Figure 72: Cloudpath message display config

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Produces this result:

Figure 73: Cloudpath message display screen result

Branching users by identity and adding Dynamic VLANs to the DPSK assignment

Up to this point, we have assigned all DPSK devices to the same VLAN, whether tagged or native. That is, all DPSK devices are assigned to the
same SSID and VLAN. However, VLANs and other options can be assigned based on user in put or credentials. For instance multiple DPSK
devices can use the same WLAN/SSID but be VLAN tagged differently.
Please take note: this section is assuming that you are already applying user or user group based network Policy in your AAA servers. It is
unlikely that this would make sense for headless devices other wise. This is intended to supplement an 802.1X based policy for supporting end
user devices with a similar policy application for their headless devices. It usually does not make sense if the former is not in place, although
network goals are infinitely variable. 802.1X policy is covered in the basic Cloudpath deployment documentation.

Configure WLAN controllers for Dynamic VLANs
1.

SmartZones automatically include Dynamic VLANs with any DPSK WLANs. No changes are necessary

ZoneDirectors – in the edit screen for the DPSK WLAN, expand ‘advanced options’ and insure that the Enable Dynamic VLAN box
is checked.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 74: ZoneDirector enable dynamic LVANs

Create a group value in your user database for VLAN assignment
This will vary depending on your database. For Active Directory, this will normally involve creating a network policy group. For simplicity’s
sake, we are using the Cloudpath onboard DB to illustrate this the process. Note we have included group assignments of VLANs

Figure 75: Cloudpath onboard DB example

Modify the Cloudpath workflow
3.

In the Cloudpath Workflow, insert a step after “Prompt the user for credentials”

Choose “Split users into different branches”

Choose “use a new split”

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 76: Cloudpath user split/branch config

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 78: Cloudpath user split/branch result

Give the split a name and name the desired options

In a split like this, whether the options are displayed to the end user depends on what they are. If, as in this case, the options are
automatic, they will not be displayed to the end user

Edit each branch of the split
1.

Click the pencil at the top of a branch (by “VLAN 10” in the example)

Expand the “Filters & Restrictions” section

Enter an appropriate filter value, such as a group ID

Click “save” at the top

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 79: Cloudpath filter config

add or edit a “generate a DPSK” step

This time, include the VLAN ID that you want to map to your filter condition

Click Save

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017
8.

Check that the “assign a device configuration” step leads to “none” and “Do not assign a device configuration”

Repeat for the other branches.

Filters are a powerful tool in Cloudpath, and can be used for a wide variety of branching and configuration options.

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Web Content Filtering in an SSL/HTTPS World
Enable 3rd Party SSL Inspection and Decryption with Cloudpath
Web content filters are vital in a K-12 educational environment, but more and more web traffic is automatically encrypted https, rather than
unencrypted http. Even Google searches are routinely encrypted, and encrypted traffic cannot be inspected. That is, unless your content filter
can act as an SSL proxy, also known as a “Trusted Man in the Middle.” The client device, instead of creating an SSL tunnel directly to a website
passes through the proxy server/content filter and two related tunnels are created, one between the proxy server and the desired website, one
between the client and proxy server. The proxy server is then able to decrypt and examine the web traffic, but it is always fully encrypted in
transition. Details will vary with the content filter vendor. Often there are options to proxy or not proxy certain sites, such as banking and
financial sites.
However, the whole system depends on the client trusting the web filter, which depends on recognizing a trusted root certificate. Web
browsers come preinstalled with most major Certificate Authorities root certificates. On the other hand, the content filter certificate will not be
pre-installed and will have to be distributed to each client device on the network – even personal BYOD devices – a challenging proposition for
any IT organization.
This is where Cloudpath comes in. Cloudpath ES registration can distribute the content filter certificate at device registration. One only has to
install the certificate one time on the Cloudpath Es server, and add the certificate to the Device Configuration the normal last step of most
workflows. When the client gets its specific certificate that allows network access, it also get the certificate necessary for the content filter to act
as an SSL proxy.

Obtain the Web Or Content Filter Root Certificate

This is going to vary from vendor to vendor, but every Content Filter will have clear instructions on this. See your vendor’s documentation. As
a rule, you will:
1.
2.

Download the certificate onto a local system
Upload it into Cloudpath as part of modifying the Device Configuration

Download the Content Filter Certificate
As stated, this will depend on the vendor. As an example, Ruckus partner Lighspeed certificate can be downloaded from the following link:
https://rukus.lightspeedsystems.com/lsaccess/proxycerthelp
The Lightspeed download automatically detects your operating system and browser and provides full instructions on install to your local
machine. However, you interest in this case is to upload it to Cloudpath.

Add the Certificate to a Device Configuration
1.
2.
3.
4.

Go to Configuration -> advanced -> Device Configuration
Choose the correct device configuration from the drop down menu
Go to the Trust tab
Under Web Browser Trust, Install additional CAs, upload the certificate

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

Figure 81: Add a certificate to Device Configuration

Best Practices & Design Guide
Configuring Cloudpath for K-12
April 2017

About Ruckus
Headquartered in Sunnyvale, CA, Ruckus Wireless, Inc. is a global supplier of advanced wireless systems for the rapidly expanding mobile
Internet infrastructure market. The company offers a wide range of indoor and outdoor “Smart Wi-Fi” products to mobile carriers, broadband
service providers, and corporate enterprises, and has over 36,000 end-customers worldwide. Ruckus technology addresses Wi-Fi capacity and
coverage challenges caused by the ever-increasing amount of traffic on wireless networks due to accelerated adoption of mobile devices such
as smartphones and tablets. Ruckus invented and has patented state-of-the-art wireless voice, video, and data technology innovations, such as
adaptive antenna arrays that extend signal range, increase client data rates, and avoid interference, providing consistent and reliable
distribution of delay-sensitive multimedia content and services over standard 802.11 Wi-Fi. For more information, visit
http://www.ruckuswireless.com.
Ruckus and Ruckus Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries.

Copyright 2017 Ruckus Wireless, Inc. All Rights Reserved.
Copyright Notice and Proprietary Information No part of this documentation may be reproduced, transmitted, or translated, in any form or by any means
without prior written permission of Ruckus Wireless, Inc. (“Ruckus”), or as expressly provided by under license from Ruckus

Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of States law is prohibited. It is the reader’s responsibility to determine
the applicable regulations and to comply with them.

Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY.
RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE
MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY
TIME.

Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR
LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING
FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Page Count                      : 72
PDF Version                     : 1.4
Title                           : BPDG_Cloudpath for K-12
Author                          : 
Subject                         : 
Producer                        : Mac OS X 10.11.6 Quartz PDFContext
Creator                         : Word
Create Date                     : 2017:04:04 22:31:08Z
Modify Date                     : 2017:04:04 22:31:08Z

EXIF Metadata provided by EXIF.tools

Ruckus BPDG_Cloudpath For K 12 BPG: Best Practice Guide Cloudpath In Education BPDG

BPG: Best Practice Guide for Cloudpath in Education K-12 BPDG_Cloudpath%20for%20K-12

Navigation menu

Versions of this User Manual:

Views

Navigation