Ruckus Zone Director 9.12 (GA) User Guide Rev C 20151222


2016-02-05

User Manual: Ruckus ZoneDirector 9.12 (GA) User Guide

Page Count: 465

Ruckus Wireless
ZoneDirector
Release 9.12 User Guide
Part Number 800-70898-001 Rev C
Published December 2015
www.ruckuswireless.com
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 3
Copyright Notice and Proprietary Information
Copyright 2015. Ruckus Wireless, Inc. All rights reserved.
No part of this documentation may be used, reproduced, transmitted, or translated, in any form or by any means,
electronic, mechanical, manual, optical, or otherwise, without prior written permission of Ruckus Wireless, Inc.
(“Ruckus”), or as expressly provided by under license from Ruckus.
Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of the United States of America.
Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader’s responsibility to
determine the applicable regulations and to comply with them.
Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL
INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE
MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR
UPDATES TO THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL
DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY
THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE
OF, THE MATERIAL.
Trademarks
Ruckus Wireless, Ruckus, the bark logo, ZoneFlex, FlexMaster, ZoneDirector, SmartMesh, Channelfly, Smartcell,
Dynamic PSK, and Simply Better Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other
countries. All other product or company names may be trademarks of their respective owners.
Ruckus Wireless, Inc.
Contents
Copyright Notice and Proprietary Information
About This Guide
Document Conventions
Related Documentation
Documentation Feedback
Online Training Resources
1 Introducing Ruckus Wireless ZoneDirector
Overview of ZoneDirector
ZoneDirector Physical Features
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000
Introduction to the Ruckus Wireless Network
Ensuring That APs Can Communicate with ZoneDirector
How APs Discover ZoneDirector on the Network
How to Ensure that APs Can Discover ZoneDirector on the Network
Firewall Ports that Must be Open for ZoneDirector Communications
Installing ZoneDirector
Accessing ZoneDirector’s Command Line Interface
Using the ZoneDirector Web Interface
Navigating the Dashboard
Using Indicator Widgets
Real Time Monitoring
Stopping and Starting Auto Refresh
Registering Your Product
2 Configuring System Settings
System Configuration Overview
Changing the System Name
Changing the Network Addressing
IPv6 Configuration
Enabling an Additional Management Interface
Creating Static Route Entries
Static Route Example
Enabling Smart Redundancy
Configuring ZoneDirector for Smart Redundancy
Forcing Failover to the Backup ZoneDirector
Managing Smart Redundancy AP License Pools
Configuring the Built-in DHCP Server
Enabling the Built-in DHCP server
Viewing DHCP Clients
Controlling ZoneDirector Management Access
Setting the System Time
Setting the Country Code
Channel Optimization
Channel Mode
Changing the System Log Settings
Reviewing the Current Log Contents
Customizing the Current Log Settings
Setting Up Email Alarm Notifications
Customizing Email Alarms that ZoneDirector Sends
Configuring SMS Settings for Guest Pass Delivery via SMS
Enabling Login Warning Messages
Enabling Network Management Systems
Enabling Management via FlexMaster
Enabling Northbound Portal Interface Support
Configuring SNMP Support
Enabling Telnet
Configuring DHCP Relay
Enabling Bonjour Gateway
Creating a Bonjour Gateway Rule - ZD Site
Creating a Bonjour Gateway Rule - AP Site
Applying a Bonjour Policy to an AP
Example Network Setup
Configuring SPoT Location Services
3 Configuring Security and Other Services
Configuring Self Healing Options
Automatically Adjust AP Power
Automatic Channel Selection
Load Balancing
Band Balancing
Radar Avoidance Pre-Scanning
AeroScout RFID Tag Detection
Ekahau Tag Detection
Active Client Detection
Tunnel Configuration
Packet Inspection Filter
Configuring Wireless Intrusion Prevention
DoS Protection
Intrusion Detection and Prevention
Rogue Access Points
Rogue DHCP Server Detection
Controlling Network Access Permissions
Creating Layer 2/MAC Address Access Control Lists
Creating Layer 3/Layer 4/IP Address Access Control Lists
Configuring Device Access Policies
Configuring Precedence Policies
Blocking Client Devices
Configuring Client Isolation White Lists
Application Recognition and Filtering
Using an External AAA Server
Active Directory
LDAP
RADIUS / RADIUS Accounting
4 Managing a Wireless Local Area Network
Overview of Wireless Networks
About Ruckus Wireless WLAN Security
Creating a WLAN
General Options
WLAN Usage Types
Authentication Method
Fast BSS Transition
Encryption Options
Advanced Options
Creating a Copy of an Existing WLAN for Workgroup Use
Customizing WLAN Security
Reviewing the Initial Security Configuration
Fine-Tuning the Current Security Mode
Switching to a Different Security Mode
Using the Built-in EAP Server
Authenticating with an External RADIUS Server
If You Change the Internal WLAN to WEP or 802.1X
Working with WLAN Groups
Creating a WLAN Group
Assigning a WLAN Group to an AP
Viewing a List of APs That Belong to a WLAN Group
Deploying ZoneDirector WLANs in a VLAN Environment
Tagging Management Traffic to a VLAN
How Dynamic VLAN Works
Working with VLAN Pools
Working with Hotspot Services
Creating a Hotspot Service
Assigning a WLAN to Provide Hotspot Service
Common WISPr Attribute Abbreviations
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
Working with Dynamic Pre-Shared Keys
Enabling Dynamic Pre-Shared Keys on a WLAN
Setting Dynamic Pre-Shared Key Expiration
Generating Multiple Dynamic PSKs
Creating a Batch Dynamic PSK Profile
Bypass Apple CNA
5 Managing Access Points
Adding New Access Points to the Network
Connecting the APs to the Network
Verifying/Approving New APs
Working with Access Point Groups
Modifying the System Default AP Group
Creating a New Access Point Group
Modifying Access Point Group Membership
Modifying Model Specific Controls
Configuring AP Ethernet Ports
Viewing AP Ethernet Port Status
Reviewing Current Access Point Policies
Using Limited ZD Discovery for N+1 Redundancy
Importing a USB Software Package
Managing Access Points Individually
Configuring Hotspot 2.0 Venue Settings for an AP
Optimizing Access Point Performance
Assessing Current Performance Using the Map View
Improving AP RF Coverage
Assessing Current Performance Using the Access Point Table
Adjusting AP Settings
Prioritizing WLAN Traffic
6 Monitoring Your Wireless Network
Reviewing the ZoneDirector Monitoring Options
Importing a Map View Floorplan Image
Requirements
Importing the Floorplan Image
Placing the Access Point Markers
Using the Map View Tools
AP Icons
Evaluating and Optimizing Network Coverage
Moving the APs into More Efficient Positions
Reviewing Current Alarms
Reviewing Recent Network Events
Clearing Recent Events/Activities
Monitoring WLAN Status
Reviewing Current User Activity
Viewing Application Usage Statistics
Active Clients
Inactive Clients
Events/Activities
Monitoring Individual Clients
Monitoring Client Performance
Monitoring Wired Clients
Monitoring Access Point Status
Using the AP Status Overview Page
Monitoring Individual APs
RF Pollution FAQ
Spectrum Analysis
Neighbor APs
Access Point Sensor Information
Monitoring Mesh Status
Detecting Rogue Access Points
Monitoring System Ethernet Port Status
Monitoring AAA Server Statistics
Monitoring Location Services
7 Managing User Access
Enabling Automatic User Activation with Zero-IT
Clients that Support Zero-IT
Self-Provisioning Clients with Zero-IT
Self-Provisioning Clients without Ethernet Ports
Provisioning Clients that Do Not Support Zero-IT
Adding New User Accounts to ZoneDirector
Internal User Database
Managing Current User Accounts
Changing an Existing User Account
Deleting a User Record
Creating New User Roles
Role Based Access Control Policy
Managing Automatically Generated User Certificates and Keys
Using an External Server for User Authentication
Activating Web Authentication
Captive Portal Redirect on Initial Browser HTTPS Request
8 Managing Guest Access
Configuring Guest Access
Creating a Guest Access Service
Using Guest Pass Self-Service
Configuring Guest Subnet Restrictions
Creating a Guest WLAN
Using the BYOD Onboarding Portal
Working with Guest Passes
Configuring Guest Pass Generation
Generating and Delivering a Single Guest Pass
Generating and Printing Multiple Guest Passes at Once
Monitoring Generated Guest Passes
Customizing the Guest Login Page
Creating a Custom Guest Pass Printout
Delivering Guest Passes via Email
Delivering Guest Passes via SMS
9 Deploying a Smart Mesh Network
Overview of Smart Mesh Networking
Smart Mesh Networking Terms
Supported Mesh Topologies
Standard Topology
Wireless Bridge Topology
Hybrid Mesh Topology
Deploying a Wireless Mesh via ZoneDirector
Step 1: Prepare for Wireless Mesh Deployment
Step 2: Enable Mesh Capability on ZoneDirector
Step 3: Provision and Deploy Mesh Nodes
Step 4: Verify That the Wireless Mesh Network Is Up
Understanding Mesh-related AP Statuses
Using the ZoneFlex LEDs to Determine the Mesh Status
On Single-band ZoneFlex APs
On Dual-band ZoneFlex APs
Using Action Icons to Configure and Troubleshoot APs in a Mesh
Setting Mesh Uplinks Manually
Troubleshooting Isolated Mesh APs
Understanding Isolated Mesh AP Statuses
Recovering an Isolated Mesh AP
Best Practices and Recommendations
10 Setting Administrator Preferences
Changing the ZoneDirector Administrator User Name and Password
Setting Administrator Login Session Timeout
Changing the Web Interface Display Language
Upgrading ZoneDirector and ZoneFlex APs
Performing an Upgrade with Smart Redundancy
Working with Backup Files
Backing Up a Network Configuration
Restoring Archived Settings to ZoneDirector
Restoring ZoneDirector to Default Factory Settings
Alternate Factory Default Reset Method
Working with SSL Certificates
Basic Certificate Installation
Generating a Certificate Signing Request
Importing an SSL Certificate
SSL Certificate Advanced Options
Using an External Server for Administrator Authentication
Upgrading the License
Support Entitlement
11 Troubleshooting
Troubleshooting Failed User Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Fixing User Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
If WLAN Connection Problems Persist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Measuring Wireless Network Throughput with SpeedFlex . . . . . . . . . . . . . . . . . . . . . . . 424
Using SpeedFlex in a Multi-Hop Smart Mesh Network . . . . . . . . . . . . . . . . . . . . . . . . 428
Allowing Users to Measure Their Own Wireless Throughput. . . . . . . . . . . . . . . . . . . . 430
Diagnosing Poor Network Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Starting a Radio Frequency Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Using the Ping and Traceroute Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Generating a Debug File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Viewing Current System and AP Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Packet Capture and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Local Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Streaming Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Importing a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Enabling Remote Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Restarting an Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Restarting ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
12 Smart Mesh Networking Best Practices
Choosing the Right AP Model for Your Mesh Network . . . . . . . . . . . . . . . . . . . . . . . . . 444
Calculating the Number of APs Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Placement and Layout Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Signal Quality Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Mounting and Orientation of APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Indoor APs - Typical Case: Horizontal Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Indoor APs - Vertical Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Outdoor APs - Typical Horizontal Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Elevation of RAPs and MAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Best Practice Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Appendix: Zone 2 APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 13
Index
About This Guide
This User Guide describes how to install, configure and manage the Ruckus
Wireless™ ZoneDirector™ version 9.12.
This guide is intended for use by those responsible for managing Ruckus Wireless
network equipment. Consequently, it assumes a basic working knowledge of local
area networking, wireless networking and wireless devices.
NOTE: If release notes are shipped with your product and the information there
differs from the information in this guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe Acrobat Reader Portable
Document Format (PDF) or HTML on the Ruckus Wireless Support website at
https://support.ruckuswireless.com/documents.
NOTE: By downloading this software and subsequently upgrading the
ZoneDirector to version 9.12, please be advised that the ZoneDirector will
periodically connect to Ruckus and Ruckus will collect the ZoneDirector serial
number, software version and build number. Ruckus will transmit a file back to the
ZoneDirector and this will be used to display the current status of the ZoneDirector
Support Contract. Please also be advised that this information may be transferred
and stored outside of your country of residence where data protection standards
may be different.
Document Conventions
Table 1 and Table 2 list the text and notice conventions that are used throughout
this guide.
Table 1. Text conventions
Convention | Description | Example
monospace | Represents information as it appears on screen | [Device name]>
monospace bold | Represents information that you enter | [Device name]> set ipaddr 10.0.0.12
default font bold | Keyboard keys, software buttons, and field names | On the Start menu, click All Programs.
italics | Screen or page names | Click Advanced Settings. The Advanced Settings page appears.
Table 2. Notice conventions
Notice Type | Description
Note | Information that describes important features or instructions
Caution | Information that alerts you to potential loss of data or potential damage to an application, system, or device
Warning | Information that alerts you to potential personal injury
Related Documentation
In addition to this User Guide, each ZoneDirector documentation set includes the
following:
Online Help: Provides instructions for performing tasks using the web interface.
The online help is accessible from the web interface and is searchable.
Release Notes: Provide information about the current software release, including
new features, enhancements, and known issues.
Documentation Feedback
Ruckus Wireless is interested in improving its documentation and welcomes your
comments and suggestions. You can email your comments to Ruckus Wireless at:
docs@ruckuswireless.com
When contacting us, please include the following information:
Document title
Document part number (on the cover page)
Page number (if appropriate)
For example:
ZoneDirector 9.12 User Guide
Part number: 800-70898-001 Revision C
Page 88
Online Training Resources
To access a variety of online Ruckus Wireless training modules, including free
introductory courses to wireless networking essentials, site surveys, and Ruckus
Wireless products, visit the Ruckus Wireless Training Portal at:
https://training.ruckuswireless.com
1 Introducing Ruckus Wireless ZoneDirector
In this chapter:
Overview of ZoneDirector
ZoneDirector Physical Features
Introduction to the Ruckus Wireless Network
Ensuring That APs Can Communicate with ZoneDirector
Installing ZoneDirector
Accessing ZoneDirector’s Command Line Interface
Using the ZoneDirector Web Interface
Registering Your Product
Overview of ZoneDirector
Ruckus Wireless ZoneDirector serves as a central control system for Ruckus
ZoneFlex Access Points (APs). ZoneDirector provides simplified configuration and
updates, wireless LAN security control, RF management, and automatic
coordination of Ethernet-connected and mesh-connected APs.
Using ZoneDirector in combination with Ruckus Wireless ZoneFlex APs allows
deployment of a Smart Mesh network, to extend wireless coverage throughout a
location without having to physically connect each AP to Ethernet. In a Smart Mesh
network, the APs form a wireless mesh topology to route client traffic between any
member of the mesh and the wired network. Meshing significantly reduces the cost
and time requirements of deploying an enterprise-class WLAN, in addition to
providing much greater flexibility in AP placement.
ZoneDirector also integrates network monitoring, sophisticated user access
controls, integrated Wi-Fi client performance tools, highly configurable guest access
features and advanced security features within a single system.
User authentication can be accomplished using an internal user database, or
forwarded to an external Authentication, Authorization and Accounting (AAA) server
such as RADIUS or Active Directory. Once users are authenticated, client traffic is
not required to pass through ZoneDirector, thereby eliminating bottlenecks when
higher speed Wi-Fi technologies, such as 802.11ac, are used.
This user guide provides complete instructions for using the Ruckus Wireless web
interface, the wireless network management interface for ZoneDirector. With the
web interface, you can customize and manage all aspects of ZoneDirector and your
ZoneFlex network.
ZoneDirector Physical Features
Three models of ZoneDirector are currently available:
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000
This section describes the physical features of these ZoneDirector models.
NOTE: ZoneDirector 1100 is discontinued (EOL) as of release 9.12 and cannot be
upgraded to 9.12 or later.
ZoneDirector 1200
This section describes the following physical features of ZoneDirector 1200:
Buttons, Ports, and Connectors
Front Panel LEDs
Figure 1. ZoneDirector 1200
Buttons, Ports, and Connectors
Table 1 describes the buttons, ports and connectors on ZoneDirector 1200.
Table 1. ZoneDirector 1200 front panel elements
Label | Description
Reset | Use the Reset button to restart ZoneDirector.
10/100/1000 Ethernet | Two auto negotiating 10/100/1000Mbps Ethernet ports. For information on what the two Ethernet LEDs indicate, refer to Table 2.
Console | RJ-45 Console port for accessing the ZoneDirector command line interface.
F/D | Factory Default button. To reset ZoneDirector to factory default settings, press and hold the F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you made, except for AP licenses and SSL certificates.
Front Panel LEDs
Table 2 describes the LEDs on the front panel of ZoneDirector 1200.
Table 2. ZoneDirector 1200 LED descriptions
LED Label | State | Meaning
Power | Solid Green | ZoneDirector is receiving power.
Power | Off | ZoneDirector is NOT receiving power. If the power cable or adapter is connected to a power source, verify that the power cable is connected properly to the power jack on the rear panel of ZoneDirector.
Status | Solid Green | Normal state.
Status | Flashing Green | ZoneDirector has not yet been configured. Log into the web interface, and then configure ZoneDirector using the setup wizard.
Status | Red | ZoneDirector has shut down (but is still connected to a power source).
Status | Flashing Red | ZoneDirector is starting up or shutting down.
Ethernet Link | Solid Green or Amber | The port is connected to a device.
Ethernet Link | Flashing Green or Amber | The port is transmitting or receiving traffic.
Ethernet Link | Off | The port has no network cable connected or is not receiving a link signal.
Ethernet Rate | Green | The port is connected to a 1000Mbps device.
Ethernet Rate | Amber | The port is connected to a 100Mbps device.
Ethernet Rate | Off | The port is connected to a 10Mbps device.
ZoneDirector 3000
This section describes the following physical features of ZoneDirector 3000:
Buttons, Ports, and Connectors
Front Panel LEDs
Figure 2. ZoneDirector 3000
Buttons, Ports, and Connectors
Table 3 describes the buttons, ports and connectors on ZoneDirector 3000.
Table 3. ZoneDirector 3000 front panel elements
Label | Meaning
Power | (Located on the rear panel) Press this button to power on ZoneDirector.
F/D | To reset ZoneDirector to factory default settings, press the F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you have made, except for AP licenses and SSL certificates.
Reset | To restart ZoneDirector, press the Reset button once for less than two seconds.
USB | For Ruckus Wireless Support use only
Console | RJ-45 port for accessing the ZoneDirector command line interface.
10/100/1000 Ethernet | Two auto negotiating 10/100/1000Mbps Ethernet ports. For information on what the two Ethernet LEDs indicate, refer to Table 4.
Front Panel LEDs
Table 4 describes the LEDs on the front panel of ZoneDirector 3000.
Table 4. ZoneDirector 3000 LED descriptions
LED Label | State | Meaning
Power | Green | ZoneDirector is receiving power.
Power | Off | ZoneDirector is NOT receiving power. If the power cable or adapter is connected to a power source, verify that the power cable is connected properly to the power jack on the rear panel of ZoneDirector.
Status | Solid Green | Normal state.
Status | Flashing Green | ZoneDirector has not yet been configured. Log into the web interface, and then configure ZoneDirector using the setup wizard.
Status | Solid Red | ZoneDirector has shut down (but is still connected to a power source).
Status | Flashing Red | ZoneDirector is starting up or shutting down.
Ethernet Link | Solid Green or Amber | The port is connected to a device.
Ethernet Link | Flashing Green or Amber | The port is transmitting or receiving traffic.
Ethernet Link | Off | The port has no network cable connected or is not receiving a link signal.
Ethernet Rate | Amber | The port is connected to a 1000Mbps device.
Ethernet Rate | Green | The port is connected to a 100Mbps device.
Ethernet Rate | Off | The port is connected to a 10Mbps device.
ZoneDirector 5000
This section describes the following physical features of ZoneDirector 5000:
Front Panel Features
Front Panel (Bezel Removed)
Control Panel
Rear Panel Features
Figure 3. ZoneDirector 5000 Front Panel
Front Panel Features
Table 5. ZoneDirector 5000 front panel features
Feature | Description
Control Panel | See Control Panel description below.
RJ45 Serial Port | COM 2 / Serial B port for accessing the ZoneDirector command line interface.
USB Port | Not used.
Front Bezel Lock | Remove this bezel lock to remove the front bezel and gain access to the hard drive bays.
Front Panel (Bezel Removed)
Figure 4. ZoneDirector 5000 front panel (bezel removed)
Table 6. ZoneDirector front panel elements
Number | Feature
1 | ESD ground strap attachment
2 | Hard drive bays (not used)
3 | Control panel
4 | RJ45 serial port for accessing the ZoneDirector command line interface.
5 | USB port (not used).
Control Panel
Figure 5. Control panel buttons and indicators
Table 7. ZoneDirector 5000 control panel
Number | Feature
1 | Power button
2 | System reset button
3 | System status LED (see Table 8)
4 | Fan status LED
5 | Critical alarm (not used)
6 | MJR alarm (not used)
7 | NMI pin hole button (factory reset button)
8 | Chassis ID button
9 | NIC 1 / NIC 2 activity LED
10 | HDD activity LED (not used)
11 | PWR alarm LED (not used)
12 | MNR alarm (Amber: system unavailable; OFF: system available)
Table 8. System status LED definitions
LED Status | Definition
Off | No power supply detected, or two power supplies detected and system is off
Green On | System ready/normal operation, two power supplies detected
Green Blinking | 1. System ready but degraded 2. One power supply connected 3. One fan failure detected
Amber On | 1. Critical or non-recoverable condition 2. Power up in progress, only one power source detected 3. More than one fan failure detected
Amber Blinking | Non-critical alarm
Rear Panel Features
Figure 6. ZoneDirector 5000 rear panel features
Table 9. Rear panel features
Number | Feature
1 | Alarms cable connector (not used)
2 | Two low-profile PCIe add-in cards (not used)
3 | Three full-length PCIe add-in cards (not used)
4 | Power supply 2 (backup AC power)
5 | Power supply 1 (primary AC power)
6 | RJ45 serial port (COM2/serial B)
7 | Video connector (not used)
8 | USB 0 and 1 (#1 on top)
9 | USB 2 and 3 (#3 on top)
10 | GbE NIC #1 connector
11 | GbE NIC #2 connector
12 | Two ground studs (used for DC-input system)
Table 10. NIC status LEDs
LED Color | LED State | NIC State
Green/Amber (Left) | Off | 10Mbps
Green/Amber (Left) | Green | 100Mbps
Green/Amber (Left) | Amber | 1000Mbps
Green (Right) | On | Active connection
Green (Right) | Blinking | Transmit / Receive activity
Introduction to the Ruckus Wireless Network
Your new Ruckus Wireless network starts when you disperse a number of Ruckus
Wireless access points (APs) to efficiently cover your worksite. After connecting the
APs to ZoneDirector (through network hubs or switches), running through the Setup
Wizard and completing the “Zero-IT” setup, you have a secure wireless network for
both registered users and guest users.
NOTE: “Zero-IT” refers to ZoneDirector’s simple setup and ease-of-use features,
which allow end users to automatically self-configure wireless settings on Windows
and Mac OS clients as well as many mobile devices including iOS, Windows Phone
and Android OS devices.
After using the web interface to set up user accounts for staff and other authorized
users, your WLAN can be put to full use, enabling users to share files, print, check
email, and more. And as a bonus, guest workers, contractors and visitors can be
granted limited controlled access to a separate “Guest WLAN” with minimal setup.
You can now fine-tune and monitor your network through the web interface, which
enables you to customize additional WLANs for authorized users, manage your
users, monitor the network's security and performance, and expand your radio
coverage, if needed.
Ensuring That APs Can Communicate with ZoneDirector
Before ZoneDirector can start managing an AP, the AP must first be able to discover
ZoneDirector on the network when it boots up. This requires that ZoneDirector's IP
address be reachable by the AP (via UDP/IP port numbers 12222 and 12223), even
when they are on different subnets.
This section describes procedures you can perform to ensure that APs can discover
and register with ZoneDirector.
NOTE: This guide assumes that APs on the network are configured to obtain IP
addresses from a DHCP server. If APs are assigned static IP addresses, they must
be using a local DNS server that you can configure to resolve the ZoneDirector IP
address using zonedirector.{DNS domain name} or zonedirector if no
domain name is defined on the DNS server.
How APs Discover ZoneDirector on the Network
1. When an AP starts up, it sends out a DHCP discovery packet to obtain an IP
   address.
2. The DHCP server responds to the AP with the allocated IP address. If you
   configured DHCP Option 43 (see Option 2: Customize Your DHCP Server), the
   DHCP offer response will also include (among others) the IP addresses of
   ZoneDirector devices on the network along with the address of the DNS server
   that can help resolve the ZoneDirector IP addresses.
3. After the AP obtains an IP address, it first attempts to contact a ZoneDirector
   whose IP address has been pre-configured on the AP. If an AP has a
   pre-configured ZoneDirector IP address, it will always use an L3 LWAPP
   (lightweight access point protocol) discovery message to attempt to discover
   the pre-configured primary/secondary ZoneDirector.
   An AP with a pre-configured ZoneDirector IP address will only attempt to
   discover the pre-configured ZoneDirector(s) and will skip the DHCP/DNS/last
   joined ZoneDirector steps. If it is unable to contact its pre-configured
   ZoneDirector, it will enter “sulk” state, and will remain in an
   idle/discover/sulk loop until it receives a response from a pre-configured
   primary or secondary ZoneDirector.
4. If a primary/secondary ZoneDirector IP address has not been configured on the
   AP, the AP next attempts to build a list of candidate ZoneDirectors by sending
   an L3 discovery request (IPv4 subnet broadcast/IPv6 multicast packet) to each
   candidate address received from DHCP and DNS at the same time, and waits
   for a response from any ZoneDirector that can respond.
   The AP may receive multiple responses from DHCP and DNS if multiple
   ZoneDirector IP addresses have been configured on the DHCP server or DNS
   server.
5. If the AP receives a response from a single ZoneDirector device, it will attempt
   to register with that ZoneDirector device.
6. If the AP receives responses from multiple ZoneDirector devices, it will attempt
   to register with the ZoneDirector that it previously registered with (if any).
   This ZoneDirector can be on the same local IP subnet or a different subnet.
   The AP will have a preference for a ZoneDirector device that it previously
   registered with (over a locally connected ZoneDirector).
7. If this is the first time that the AP is registering with ZoneDirector, it will attempt
   to register with the ZoneDirector device that has the lowest AP load. The AP
   computes the load by subtracting the current number of APs registered with
   ZoneDirector from the maximum number of APs that ZoneDirector is licensed
   to support.
If the AP does not receive a response from any ZoneDirector device on the network,
it goes into idle mode. After a short period of time, the AP will attempt to discover
ZoneDirector again by repeating the same discovery cycle. The AP will continue to
repeat this cycle until it successfully registers with a ZoneDirector.
How to Ensure that APs Can Discover ZoneDirector on the Network
If you are deploying the APs and ZoneDirector on different subnets, you have three
options for ensuring successful communication between these two devices:
Option 1: Perform Auto Discovery on Same Subnet, then Transfer the AP to
Intended Subnet
Option 2: Customize Your DHCP Server
Option 3: Register ZoneDirector with a DNS Server
NOTE: If the AP and ZoneDirector Are on the Same Subnet
If you are deploying the AP and ZoneDirector on the same subnet, you do not need
to perform additional configuration. Simply connect the AP to the same network as
ZoneDirector. When the AP starts up, it will discover and attempt to register with
ZoneDirector. Approve the registration request (if auto approval is disabled).
Option 1: Perform Auto Discovery on Same Subnet, then Transfer the AP to Intended Subnet
If you are deploying the AP and ZoneDirector on different subnets, let the AP perform
auto discovery on the same subnet as ZoneDirector before moving the AP to another
subnet. To do this, connect the AP to the same network as ZoneDirector. When
the AP starts up, it will discover and attempt to register with ZoneDirector. Approve
the registration request if auto approval is disabled.
After the AP registers with ZoneDirector successfully, transfer it to its intended
subnet. It will be able to find and communicate with ZoneDirector once you
reconnect it to the other subnet.
NOTE: If you use this method, make sure that you do not change the IP address
of ZoneDirector after the AP discovers and registers with it. If you change the
ZoneDirector IP address, the AP will no longer be able to communicate with it and
will be unable to rediscover it.
Option 2: Customize Your DHCP Server
NOTE: The following procedure describes how to customize a DHCP server
running on Microsoft Windows. If your DHCP server is running on a different
operating system, the procedure may be different.
Configuring the DHCP Server for ZoneDirector-AP Communication
To customize your DHCP server, you need to configure DHCP Option 43 (043
Vendor Specific Info) with the IP address of the ZoneDirector device on the network.
When an AP requests an IP address, the DHCP server will send a list of ZoneDirector
IP addresses to the AP. If there are multiple ZoneDirector devices on the network,
the AP will automatically select a ZoneDirector to register with from this list of IP
addresses.
RFC 2132 describes DHCP Option 60 and Option 43. DHCP Option 60 is the Vendor
Class Identifier (VCI). The VCI is a text string that identifies a vendor/type of a DHCP
client. All Ruckus Wireless Access Points are configured to send “Ruckus CPE” as
the Vendor Class Identifier in option 60, and expect ZoneDirector IP information to
be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option
code 03 (the sub-option code for ZoneDirector).
The RFC describes how vendors can encapsulate vendor-specific sub-option codes
(ranging from 0 to 255). Sub-options are embedded in option 43 as TLV (type, length,
value) blocks.
Ruckus Wireless Access points support non-TLV format option 43 values with
comma separated IP address strings for discovering ZoneDirectors, and also TLV
based option 43 encapsulation as specified in RFC 2132.
For ZoneDirector information (sub-option code 03)
Type: 0x03
Length: Count of the characters in the ASCII string. (Length must include the
commas if there is more than one ZoneDirector specified.)
Value: A non-null terminated ASCII string that is a comma-separated list of
ZoneDirector IP addresses.
For example: If there are two ZoneDirectors with IP addresses 192.168.0.10
and 192.168.0.20, then the value will be “192.168.0.10,192.168.0.20”
and the length is 25 (hex value 0x19).
For FlexMaster information (sub-option code 01)
Type: 0x01
Length: Count the number of characters in the ASCII string. (Length must
include “http”, plus all colons, slashes and decimals in the complete URL.)
Value: A non-null terminated ASCII string that is a URL.
For example: If the FlexMaster URL is http://192.168.10.1/intune/server,
the length is 33 (hex value 0x21).
You will need this information when you configure DHCP Option 43 for both
FlexMaster and ZoneDirector. To calculate the length field conversion from decimal
to hexadecimal, you can use an online conversion website, such as
http://www.easycalculation.com/decimal-converter.php, to perform the conversion.
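The type, length and value fields described above can also be computed and checked with a short script before the value is entered on a DHCP server. The following Python is an added example, not code from this guide or from Ruckus Wireless; the function names are illustrative, and the way the parser tells the comma-separated form from the TLV form is an assumption, not documented AP behavior.

```python
import ipaddress

SUBOPT_FLEXMASTER = 0x01    # FlexMaster URL sub-option (code from the guide)
SUBOPT_ZONEDIRECTOR = 0x03  # ZoneDirector IP list sub-option (code from the guide)


def encode_suboption(code, text):
    """Return one TLV block: type byte, length byte, ASCII value without a NUL."""
    if not 0 <= code <= 255:
        raise ValueError("sub-option code must fit in one byte")
    value = text.encode("ascii")
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([code, len(value)]) + value


def split_ips(text):
    """Split a comma-separated IP string; ValueError on any malformed address."""
    ips = text.split(",")
    for ip in ips:
        ipaddress.ip_address(ip)  # rejects typos such as "192,168.0.20" or spaces
    return ips


def encode_option43(zd_ips, flexmaster_url=None):
    """Build option 43 data for the ZoneDirector list, optionally with FlexMaster."""
    payload = b""
    if flexmaster_url is not None:
        payload += encode_suboption(SUBOPT_FLEXMASTER, flexmaster_url)
    zd_value = ",".join(zd_ips)
    split_ips(zd_value)  # validate before the value reaches the DHCP server
    return payload + encode_suboption(SUBOPT_ZONEDIRECTOR, zd_value)


def parse_option43(data):
    """Parse option 43 data in either form the guide describes.

    Returns {"format": "plain" | "tlv", "zonedirectors": [...], "flexmaster": ...}.
    Raises ValueError when lengths, encoding or addresses are inconsistent.
    """
    if not data:
        raise ValueError("empty option 43 payload")
    result = {"format": None, "zonedirectors": [], "flexmaster": None}
    # Assumption: a payload that is entirely a valid comma-separated IP string
    # is the non-TLV form. A TLV payload starts with a type byte, so it never
    # passes this check.
    try:
        result["zonedirectors"] = split_ips(data.decode("ascii"))
        result["format"] = "plain"
        return result
    except ValueError:
        pass
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %#04x claims %d bytes, %d present"
                             % (code, length, len(value)))
        if b"\x00" in value:
            raise ValueError("sub-option %#04x value contains a NUL" % code)
        text = value.decode("ascii")
        if code == SUBOPT_ZONEDIRECTOR:
            result["zonedirectors"] = split_ips(text)
        elif code == SUBOPT_FLEXMASTER:
            result["flexmaster"] = text
        # Other sub-option codes are skipped, not treated as errors.
        pos += 2 + length
    result["format"] = "tlv"
    return result


if __name__ == "__main__":
    # Constructed sample input: the two ZoneDirector addresses used in the text.
    data = encode_option43(["192.168.0.10", "192.168.0.20"])
    print("length byte:", data[1], hex(data[1]))
    print("hex bytes for a binary option field:", data.hex(" "))
    print(parse_option43(data))
```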
The table below lists the sub-option code, FlexMaster URL and ZoneDirector IP
address that are used as examples in this procedure, along with their lengths in
decimal and hexadecimal values.
Device | URL / IP Address | Decimal Length | Hexadecimal Length | Sub-option Code
FlexMaster | http://192.168.10.1/intune/server (URL) | 33 | 21 | 01
ZoneDirector | 192.168.10.2 (IP Address) | 12 | 0C | 03
Most commonly used DHCP servers such as Microsoft DHCP and ISC DHCP
servers support vendor class DHCP option spaces and mapping of those option
spaces to option 60. While you can achieve encapsulating TLVs in option 43 by hard
coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class
option spaces - especially when you have more than one vendor type on the network
and need “option 43” to be supported for different vendor type DHCP clients.
The following example describes how you can encapsulate option 43 using DHCP
vendor class option spaces to provide two ZoneDirector IP addresses:
192.168.0.10 and 192.168.0.20.
Configure Vendor Class Identifier and Vendor Specific Info sub-options on Microsoft DHCP server
Configure vendor class for Ruckus Wireless Access Points:
1. In the Server Manager window, right-click the IPv4 icon, and choose Define
   Vendor Classes from the menu.
2. In the DHCP Vendor Classes dialogue, click Add to create a new vendor class.
3. Enter the value to describe the option class/space (e.g., RuckusWirelessAP).
   Optionally, you can also enter a description.
4. Add the VCI string in the ASCII field and click OK. The new vendor class is
   created and appears in the DHCP Vendor Class dialogue list. Click Close to
   close the dialogue.
5. Right-click the newly created vendor class and select Set Predefined
   Options...
6. Predefine the ZoneDirector sub-option type for the newly created vendor class.
   This section defines the code and format of the sub-option (code 03 for
   ZoneDirector and comma separated IP addresses in ASCII text string).
7. Configure the option with a value either at the server level, scope level or at
   Reservation, just like any other DHCP option, using Configure Options >
   Advanced.
NOTE: You can also optionally configure DHCP Option 12 (Host Name) to specify
host names for APs. Then, when an AP joins ZoneDirector and ZoneDirector does
not already have a device name for this AP, it will take the host name from DHCP
and display this name in events, logs and other web interface elements. See your
DHCP server documentation for instructions on Option 12 configuration.
Option 3: Register ZoneDirector with a DNS Server
If you register ZoneDirector with your DNS server, supported APs that request IP
addresses from your DHCP server will also obtain DNS related information that will
enable them to discover ZoneDirector devices on the network. Using the DNS
information they obtained during the DHCP request, APs will attempt to resolve the
ZoneDirector IP address (or IP addresses) using zonedirector.{DNS domain
name}.
To register ZoneDirector devices with DNS server:
Step 1: Set the DNS Domain Name on the DHCP Server
Step 2: Set the DNS Server IP Address on the DHCP Server
Step 3: Register the ZoneDirector IP Addresses with a DNS Server
NOTE: The following procedures describe how to customize a DHCP server
running on Microsoft Windows Server. If your DHCP server is running on a different
operating system, the procedure may be different.
Step 1: Set the DNS Domain Name on the DHCP Server
1. From Windows Administrative Tools, open DHCP, and then select the DHCP
   server that you want to configure.
2. If the Scope folder is collapsed, click the plus (+) sign to expand it.
3. Right-click Scope Options, and then click Configure Options. The General
   tab of the Scope Options dialog box appears.
4. Under Available Options, look for the 15 DNS Domain Name check box, and
   then select it.
5. In the String value text box under Data Entry, type your company’s domain
   name.
6. Click Apply to save your changes.
7. Click OK to close the Scope Options dialog box.
Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain
name in String value
Step 2: Set the DNS Server IP Address on the DHCP Server
1. From Windows Administrative Tools, open DHCP, and then select the DHCP
server you want to configure.
2. If the Scope folder is collapsed, click the plus (+) sign to expand it.
3. Right-click Scope Options, and then click Configure Options. The General
tab of the Scope Options dialog box appears.
4. Under Available Options, look for the 6 DNS Servers check box, and then
select it.
5. In the IP address box under Data Entry, type your DNS server’s IP address, and
then click Add. If you have multiple DNS servers on the network, repeat the
same procedure to add the other DNS servers.
6. Click Apply to save your changes.
7. Click OK to close the Scope Options dialog box.
Figure 8. Select the 006 DNS Servers check box, and then type your DNS server’s IP address
in the Data entry section
Step 3: Register the ZoneDirector IP Addresses with a DNS Server
After you complete configuring the DHCP server with DNS related information, you
need to register the IP addresses of ZoneDirector devices on the network with your
DNS server. The procedure for this task depends on the DNS server software that
you are using.
Information on configuring the built-in DNS server on Windows is available at
http://support.microsoft.com/kb/814591.
NOTE: If your DNS server prompts you for the corresponding host name for each
ZoneDirector IP address, you MUST enter zonedirector. This is critical to
ensuring that the APs can resolve the ZoneDirector IP address.
After you register the ZoneDirector IP addresses with your DNS server, you have
completed this procedure. APs on the network should now be able to discover
ZoneDirector on another subnet.
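The following check verifies that the name APs look up, zonedirector.{DNS domain name}, resolves to exactly the controllers you registered and to nothing else. It is an added example, not part of the Ruckus guide; the function names, the example.com domain and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket


def discovery_fqdn(dns_domain):
    """Name an AP resolves: zonedirector.{DNS domain name} (DHCP option 15)."""
    domain = dns_domain.strip().strip(".").lower()
    if not domain:
        raise ValueError("DNS domain name (DHCP option 15) is empty")
    return "zonedirector." + domain


def system_resolver(fqdn):
    """Resolve with the OS resolver; an unresolvable name yields an empty set."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def _normalize(addresses):
    # Drop any IPv6 zone suffix ("%eth0") and canonicalize the textual form.
    return {str(ipaddress.ip_address(a.split("%")[0])) for a in addresses}


def check_discovery(dns_domain, expected_ips, resolver=system_resolver):
    """Compare what the discovery name resolves to with the known controllers.

    missing    -> registered ZoneDirector addresses the record does not return
    unexpected -> addresses in the record that are not a known ZoneDirector
                  (a stale or unauthorized entry that APs would try to join)
    """
    fqdn = discovery_fqdn(dns_domain)
    expected = _normalize(expected_ips)
    resolved = _normalize(resolver(fqdn))
    return {
        "fqdn": fqdn,
        "missing": sorted(expected - resolved),
        "unexpected": sorted(resolved - expected),
        "ok": bool(resolved) and resolved == expected,
    }


if __name__ == "__main__":
    # Constructed sample: a fake zone stands in for a live DNS query.
    fake_zone = {"zonedirector.example.com": {"10.0.0.2", "10.0.0.99"}}
    report = check_discovery(
        "example.com",
        ["10.0.0.2", "10.0.0.3"],
        resolver=lambda name: fake_zone.get(name, set()),
    )
    print(report)
```

Run it without the resolver argument from a host on the AP subnet to test the live record with the operating system's resolver.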
Firewall Ports that Must be Open for ZoneDirector Communications
Depending on how your network is designed, you may need to open ports on any
firewalls located between ZoneDirector, FlexMaster or the access points. The
following table lists the ports that need to be open for different types of
communications.
Table 11. Firewall ports that must be open for ZoneDirector communications
Communication | Ports
ZoneDirector Web UI access | TCP destination ports 80 and 443 (HTTP and HTTPS)
AP > ZoneDirector LWAPP | UDP destination ports 12222 and 12223
AP > ZoneDirector SpeedFlex | UDP port 18301
AP > ZoneDirector (AP) firmware upgrade | TCP port 21 (the firewall must be stateful for PASV FTP transfers)
AP > ZoneDirector application statistics reporting | TCP port 21 (FTP); TCP port: Random port higher than 1024
ZoneDirector > ZoneDirector Smart Redundancy | TCP destination port 443 and port 33003
ZoneDirector > FlexMaster registration/inform/firmware upgrade | TCP destination port 443
FlexMaster > ZoneDirector management interface | TCP destination port as specified in FM Inventory 'Device Web Port Number Mapping'
ZoneDirector CLI access | TCP destination port 22 (SSH)
TACACS+ server < > ZoneDirector | TCP destination port 49 (TACACS+) (default)
NAT Considerations
Beginning with version 9.2, ZoneDirector can be deployed in a private network
behind a NAT (Network Address Translation) device. When ZoneDirector is
deployed on an isolated private network where NAT is used, administrators can
manually configure a port-mapping table on the NAT device to allow remote access
into ZoneDirector. This allows APs to establish an LWAPP connection with
ZoneDirector, as well as allowing remote HTTPS and SSH management access to
ZoneDirector. Table 11 lists the ports that must be open for trans-NAT
communications.
Specifically, the following ports must be mapped to ZoneDirector’s private IP
address on the NAT device’s port mapping table: ports 21, 22, 80, 443, 12222,
12223.
Note that there are some limitations with this configuration, including:
• SpeedFlex performance test tool will not work (ZoneDirector needs to know the
IP addresses of the APs).
• Deploying two ZoneDirectors behind the same NAT in a Smart Redundancy
configuration requires creation of two port forwarding rules (one for each
ZoneDirector physical IP address), and that the APs are configured with both
ZoneDirectors’ public IP addresses as primary and secondary ZD IPs.
• An active ZoneDirector behind NAT will be unable to perform upgrades to the
standby ZoneDirector on the other side of the NAT device.
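The port list above, turned into an audit of a NAT device's port-forwarding table: it reports required mappings that are missing, mappings that point at the wrong host, and additional ports forwarded to ZoneDirector that the guide does not call for. This is an added example, not part of the Ruckus guide; the rule notation (proto port -> ip:port), the sample rules, the addresses and the one-to-one port mapping are assumptions, and the TCP/UDP protocol for each port is taken from Table 11.

```python
import ipaddress
import re

# Ports the guide says must be mapped to ZoneDirector's private IP address,
# with the transport protocol listed for each one in Table 11.
REQUIRED = {
    ("tcp", 21): "AP firmware upgrade and statistics reporting (FTP)",
    ("tcp", 22): "CLI access (SSH)",
    ("tcp", 80): "Web UI (HTTP)",
    ("tcp", 443): "Web UI (HTTPS)",
    ("udp", 12222): "AP LWAPP",
    ("udp", 12223): "AP LWAPP",
}

# Hypothetical rule notation used only by this example.
RULE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s*->\s*([0-9.]+):(\d+)$")

# Constructed sample export of a port-forwarding table.
SAMPLE_RULES = """
tcp 21    -> 10.0.0.2:21
tcp 22    -> 10.0.0.2:22
tcp 80    -> 10.0.0.2:80
tcp 443   -> 10.0.0.20:443    # points at the wrong host
tcp 12222 -> 10.0.0.2:12222   # LWAPP is UDP, so this rule does not help
udp 12223 -> 10.0.0.2:12223
tcp 23    -> 10.0.0.2:23      # not in the guide's list
"""


def parse_rules(text):
    """Return a list of (proto, external_port, internal_ip, internal_port)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        proto, ext, ip, internal = match.groups()
        ext_port, int_port = int(ext), int(internal)
        if not (0 < ext_port < 65536 and 0 < int_port < 65536):
            raise ValueError("line %d: port out of range" % lineno)
        rules.append((proto, ext_port, ipaddress.ip_address(ip), int_port))
    return rules


def audit_port_map(text, zd_private_ip):
    """Compare a port-forwarding table with the guide's required mappings."""
    zd = ipaddress.ip_address(zd_private_ip)
    seen = {(p, ext): (ip, internal) for p, ext, ip, internal in parse_rules(text)}
    missing, misdirected, extra = [], [], []
    for key in sorted(REQUIRED):
        if key not in seen:
            missing.append(key)
        # Assumption: each port is forwarded to the same port number inside.
        elif seen[key] != (zd, key[1]):
            misdirected.append(key)
    for key in sorted(seen):
        if key not in REQUIRED and seen[key][0] == zd:
            extra.append(key)  # exposure beyond what the guide requires
    return {"missing": missing, "misdirected": misdirected, "extra": extra}


if __name__ == "__main__":
    for finding, ports in audit_port_map(SAMPLE_RULES, "10.0.0.2").items():
        print(finding, ports)
```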
Installing ZoneDirector
Basic installation instructions are included in the Quick Start Guide that shipped with
your ZoneDirector. The steps are summarized below:
1. Connect and discover ZoneDirector using UPnP (Universal Plug and Play).
On Windows 7 and Windows 8, you may need to Turn on network
discovery in the Network and Sharing Center > Advanced Sharing Settings.
2. Double-click the ZoneDirector icon when UPnP displays it, or
3. Point your web browser to ZoneDirector’s IP address (default: 192.168.0.2).
4. Run the Setup Wizard to create an internal and (optionally) a guest WLAN.
5. Distribute APs around your worksite, connect them to power and to your LAN.
6. Begin using your ZoneFlex network.
Figure 9. Discover ZoneDirector using UPnP
Figure 10. ZoneDirector Setup Wizard
Accessing ZoneDirector’s Command Line Interface
In general, this User Guide provides instructions for managing ZoneDirector and
your ZoneFlex network using the ZoneDirector web interface. You can also perform
many management and configuration tasks using the ZoneDirector Command Line
Interface (CLI) by connecting directly to the Console port or an Ethernet port.
To access the ZoneDirector CLI:
1. Connect an admin PC to the ZoneDirector Console port or any of the LAN ports
(using either a DB-9 serial cable for the console port or an Ethernet cable for
LAN ports).
2. Launch a terminal program, such as HyperTerminal or PuTTY.
3. Enter the following connection settings:
• Bits per second: 115200
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
Figure 11. Configure a terminal client
4. Click OK or Open to connect (depending on your terminal client).
5. At the Please Login prompt, enter the admin login name (default: admin) and
password (default: admin).
You are now logged into ZoneDirector with limited privileges. As a user with limited
privileges, you can view a history of previously executed commands and ping a
device. If you want to run more commands, you can switch to privileged mode by
entering enable at the root prompt.
To view a list of commands that are available at the root level, enter help or ?.
For more information on using the CLI, see the Ruckus Wireless ZoneDirector
Command Line Interface Reference Guide, available from
http://support.ruckuswireless.com/.
Using the ZoneDirector Web Interface
The ZoneDirector web interface consists of several interactive components that you
can use to manage and monitor your Ruckus Wireless WLANs (including
ZoneDirector and all APs).
Dashboard: When you first log into your ZoneDirector using the web interface,
the Dashboard appears, displaying a number of widgets containing
indicators and tables that summarize the network and its current
status. Each indicator, gauge or table provides links to more
focused, detailed views on elements of the network.
TIP: You can minimize (hide) any of the tables or indicators on the
Dashboard, then reopen them by means of the Add Widget options
in the lower left corner.
Widgets: Widgets are Dashboard components, each containing a separate
indicator or table as part of the active dashboard. Each widget can
be added or removed to enhance your ZoneDirector Dashboard
summary needs.
Tabs: Click any of the four tabs (Dashboard, Configure, Monitor, and
Administer) to take advantage of related sets of features and
options. When you click a tab, ZoneDirector displays a collection
of tab-specific buttons. Each tab's buttons are a starting point for
Ruckus Wireless network setup, management, and monitoring.
Buttons: The left-side column of buttons varies according to which tab has
been clicked. The buttons provide features that assist you in
managing and monitoring your network. Click a button to see
related options in the workspace to the right.
Workspace: The large area to the right of the buttons will display specific sets
of features and options, depending on which tab is open and which
button was clicked.
Toolbox: The drop-down menu at the top right corner provides access to
the Real Time Monitoring, Auto-Refresh and Network Connectivity
tools, used for diagnosing and monitoring your ZoneFlex network.
It also provides a tool to stop and start automatically refreshing the
web interface pages.
Help and Log Out: Clicking Help launches the online Help - which is an HTML-based
subset of the information contained in this User Guide. Click Log
Out to exit the web interface.
Navigating the Dashboard
The Dashboard offers a number of self-contained indicators and tables that
summarize the network and its current status. Some indicators have fields that link to more
focused, detailed views on elements of the network.
Figure 12. The Dashboard
NOTE: Some indicators may not be present upon initial view. The Add Widgets
feature, located at the bottom left area of the screen, enables you to show or hide
indicators. See Using Indicator Widgets.
NOTE: You can sort the information (in ascending or descending order) that
appears on the dashboard by clicking the column headers. Some widgets (such as
Currently Managed APs) can also be customized to hide columns so that the tables
do not run off the page. Click the Edit Columns button to customize the widget
according to your preferences.
Using Indicator Widgets
Dashboard widgets represent the indicators displayed as part of the active
dashboard. Indicator widgets can be added or removed to enhance your ZoneDirector
summary needs.
The following indicators are provided:
• System Overview: Shows ZoneDirector system information including its IP
address, MAC address, model number, maximum number of licensed APs, serial
number, software version number, and others.
• Devices Overview: Shows the number of APs being managed by ZoneDirector,
the number of authorized clients, and the total number of clients connected to
the managed APs (authorized and unauthorized). It also shows the number of
rogue devices that have been detected by ZoneDirector.
• Usage Summary: Shows usage statistics for the last hour and the last 24 hours.
• Mesh Topology: Shows the mesh status and topology of all APs connected via
mesh uplinks or downlinks.
• Most Active Client Devices: Identifies the most active clients by MAC address,
IP address, and user name. Bandwidth usage is calculated in megabytes (MB)
and is based on the total number of bytes sent (Tx) and received (Rx) by each
client from the time it associated with the managed AP.
• Most Recent User Activities: Shows activities performed by users on client
machines.
• Most Recent System Activities: Shows system activities related to ZoneDirector
operation.
• Most Frequently Used Access Points: Lists the access points that are serving
the most client requests.
• Currently Active WLANs: Shows details of currently active WLANs.
• Currently Active WLAN Groups: Shows details of available WLAN groups. If you
have not created any WLAN groups, only the Default WLAN group appears.
• Currently Managed APs: Shows details of access points that ZoneDirector is
currently managing.
• Currently Managed AP Groups: Shows details of the System Default and
user-defined AP groups. Click the + button next to an AP group to expand the group
to display all members of the AP group.
• Support: Shows contact information for Ruckus Wireless support, product
registration and support account activation.
• Smart Redundancy: Displays the status of primary and backup ZoneDirector
devices, if configured.
• AP Activities: Shows a list of recent log events from APs.
• Client Device Type: Displays a pie chart of currently connected client devices by
OS type as a percentage of the total.
• Top 10 Applications by Usage: Lists the top 10 applications, their total usage in
KB and percent of the total.
• Top 10 APs by Usage: Lists the top 10 APs, their total usage in KB and percent
of the total.
• Top 10 Clients by Usage: Lists the top 10 clients, their total usage in KB and
percent of the total.
• Top 10 SSIDs by Usage: Lists the top 10 SSIDs, their total usage in KB and
percent of the total.
• Applications: Displays a pie chart of the top applications as a percent of the total
traffic volume.
• LBS Venue Info: Displays status of Location Based Services (SPoT) venues
configured for this ZoneDirector.
Adding a Widget
To add a widget:
1. Go to the Dashboard.
2. Click the Add Widgets link located at the bottom left corner of the Dashboard
page.
Figure 13. The Add Widgets link is at the bottom-left corner of the Dashboard
The Widgets pane opens at the upper-left corner of the Dashboard.
3. Select any widget icon and drag and drop it onto the Dashboard to add the
widget. If you have closed a widget, it appears in this pane.
Figure 14. The widget icons appear at the top-left corner of the Dashboard
4. Click Finish in the Widgets pane to close it.
Removing a Widget
To remove a widget from the Dashboard, click the icon for any of the widgets
currently open on the Dashboard. The Dashboard refreshes and the widget that you
removed disappears from the page.
Figure 15. To remove a widget, click the corresponding red X icon
Real Time Monitoring
The Real Time Monitoring tool provides a convenient at-a-glance overview of
performance statistics such as CPU and memory utilization, number of APs and
clients on the network, and number of packets transmitted.
To view the Real Time Monitoring page, locate the Toolbox link at the top of the
page and select Real Time Monitoring from the pull-down menu. You can also
access the Real Time Monitoring page from the Monitor > Real Time Monitoring
tab.
Figure 16. Select Real Time Monitoring from the Toolbox
Like the Dashboard, you can drag and drop Widgets onto the Real Time Monitoring
page to customize the information you want to see.
Figure 17. The Real Time Monitoring screen
Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and
click Start Monitoring to begin.
Real Time Monitoring Widgets
• CPU Util: Displays the % utilization of ZoneDirector’s CPU.
• Memory Util: Displays the % utilization of ZoneDirector’s memory.
• # of APs: Displays the number of APs being managed by ZoneDirector.
• # of Client Devices: Displays the number of client devices associated to APs
being managed by ZoneDirector.
• Bytes Received: Total bytes received by all APs being managed by ZoneDirector.
• Bytes Transmitted: Total bytes received by all APs being managed by
ZoneDirector.
• Packets Received: Total packets received by all APs being managed by
ZoneDirector.
• Packets Transmitted: Total packets transmitted by all APs being managed by
ZoneDirector.
Stopping and Starting Auto Refresh
By default, ZoneDirector web interface pages automatically refresh themselves
periodically depending on activity. You can pause auto-refresh on any page in the
web interface from the Toolbox. After clicking Stop Auto Refresh, ZoneDirector
pauses automatic updating of all widgets on the current page and the refresh icons
on the widgets are disabled (greyed out). To restart auto refresh, click Start Auto
Refresh from the Toolbox.
Figure 18. Stopping and starting automatic page refreshing
Figure 19. The Refresh icon on all widgets is disabled when auto refresh is stopped
Registering Your Product
NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to
receive updates and important notifications, and to make it easier to receive support
in case you need to contact Ruckus for customer assistance. You can register your
ZoneDirector along with all of your APs in one step using ZoneDirector’s Registration
form.
NOTE: To ensure that all registration information for all of your APs is included, be
sure to register after all APs have been installed. If you register ZoneDirector before
installing the APs, the registration will not include AP information.
To register your ZoneDirector:
1. Click the Product Registration link in the Support widget on the Dashboard, or
2. Go to Administer > Registration.
3. Enter your contact information on the Registration page, and click Apply.
4. The information is sent to a CSV file that opens in a spreadsheet program (if you
have one installed). This file includes the serial numbers and MAC addresses of
your ZoneDirector and all known APs, and your contact information.
5. Save the CSV file to a convenient location on your local computer.
6. Click the link on the Registration page to upload the CSV file
(https://support.ruckuswireless.com/register). If you do not already have a Support
account login, first click the https://support.ruckuswireless.com/get_access_now
link to create a support account, and then click the register link
to upload the CSV file to Ruckus Support.
Figure 20. Support Widget on the Dashboard
Figure 21. The Product Registration page
Your ZoneDirector is now registered with Ruckus Wireless.
2 Configuring System Settings
In this chapter:
System Configuration Overview
Changing the Network Addressing
Creating Static Route Entries
Enabling Smart Redundancy
Configuring the Built-in DHCP Server
Controlling ZoneDirector Management Access
Setting the System Time
Setting the Country Code
Changing the System Log Settings
Setting Up Email Alarm Notifications
Configuring SMS Settings for Guest Pass Delivery via SMS
Enabling Login Warning Messages
Enabling Network Management Systems
Configuring DHCP Relay
Enabling Bonjour Gateway
Configuring SPoT Location Services
System Configuration Overview
The majority of ZoneDirector’s general system settings can be accessed from the
Configure > System page in the web interface. A basic set of parameters is
configured during the Setup Wizard process. These parameters and others can be
customized on this page.
NOTE: When making any changes in the web interface, you must click Apply before
you navigate away from the page or your changes will not be saved.
Changing the System Name
When you first worked through the Setup Wizard, you were prompted for a network-
recognizable system name for ZoneDirector. If needed, you can change that name
by following these steps:
1. Go to Configure > System.
2. In System Name (under Identity), delete the text, and then type a new name.
The name should be between 1 and 32 characters in length, using letters,
numbers, underscores (_) and hyphens (-). Do not use spaces or other special
characters. Do not start with a hyphen (-) or underscore (_). System names are
case sensitive.
3. Click Apply to save your settings. The change goes into effect immediately.
Figure 22. The Identity section on the Configure > System page
Changing the Network Addressing
If you need to update the IP address and DNS server settings of ZoneDirector, follow
the steps outlined below.
CAUTION! As soon as the IP address has been changed (applied), you will be
disconnected from your web interface connection to ZoneDirector. You can log into
the web interface again by using the new IP address in your web browser.
1. Go to Configure > System.
2. Review the Device IP Settings options.
Figure 23. The Device IP options
3. Select one of the following:
• Enable IPv6 Support: By default, ZoneDirector operates in IPv4 mode. If your
network uses IPv6, select Enable IPv6 Support and enter configuration
settings for either IPv6 only or dual IPv4/IPv6 support. See IPv6 Configuration
below for more information.
• Manual: If you select Manual, enter the correct information in the now-active
fields (IP Address, Netmask, and Gateway are required).
• DHCP: If you select DHCP, no further information is required.
4. Click Apply to save your settings. You will lose connection to ZoneDirector.
5. To log back into the web interface, use the newly assigned IP address in your
web browser or use the UPnP application to rediscover ZoneDirector.
IPv6 Configuration
ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and
IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs
operate in dual IPv4/v6 mode by default, so you do not need to manually set the
mode for each AP.
If you enable IPv6, you have the option to manually configure an IP address in IPv6
format (128 bits separated by colons instead of decimals) or to choose Auto
Configuration. If you choose Manual, you will need to enter IP Address, Prefix
Length and Gateway.
DNS Address can be configured manually or obtained automatically by the DHCPv6
client.
NOTE: If you switch from IPv4 to IPv6, you will need to manually change a number
of settings that may have previously been configured, such as Access Control Lists
(ACLs), AAA server addresses, Syslog server, SNMP trap receiver, etc.
When IPv6 is enabled, the other fields where IP addresses are entered (such as
Additional Management Interface) automatically change to allow entry of IPv6 format
addresses, as shown in Figure 24.
Note that some features are not supported when in IPv6 mode. Specifically, internal
DHCP server, LAN rogue AP detection, DHCPv6 vendor specific options, Aeroscout
RFID tag detection, SSL certificate generation, UPnP, remote access to ZD, and
L2TP and WISPr in standalone APs are not supported when in IPv6 mode.
Table 12. Default static IPv4 and IPv6 addresses
IP version | AP default IP address | ZoneDirector default IP address
IPv4 | 192.168.0.1 | 192.168.0.2
IPv6 | fc00::1 | fc00::2
Figure 24. Enabling IPv6 automatically changes other fields to allow IPv6 addresses
Enabling an Additional Management Interface
The additional management interface is created for receiving and transmitting
management traffic only. The management IP address can be configured to allow
an administrator to manage ZoneDirector from its management VLAN, thereby
separating management traffic from LWAPP traffic between the controller and the
access points. The Management IP can be reached from anywhere on the network
as long as it is routable via the default Gateway configured in Device IP Settings.
It can also be used for Smart Redundancy -- when two redundant ZoneDirectors
are deployed, you can create a separate management interface to be shared by
both devices. Then, you only have to remember one IP address that you can log
into regardless of which ZoneDirector is the active unit. This shared management
IP address must be configured identically on both ZoneDirectors (see Configuring
ZoneDirector for Smart Redundancy).
To enable an additional management interface:
1. Go to Configure > System.
2. Locate the Management Interface section and click the check box next to
Enable IPv4 Management Interface or Enable IPv6 Management Interface.
3. Enter the IP Address, Netmask and Access VLAN information for the additional
interface. (If IPv6, enter Prefix Length instead of Netmask).
4. (Optional) If you want to configure this management interface with a different
gateway from the gateway configured under “Device IP Settings”, select Default
gateway is connected with this interface, and enter the gateway IP address
in the field provided. Enable this option if you want to change the default gateway
of the ZoneDirector to be in your management subnet. Changing the default
gateway to be in the management subnet will cause all traffic to be routed via
this gateway.
5. Click Apply to save your settings.
NOTE: If the Management Interface is to be shared by two Smart Redundancy
ZoneDirectors, repeat these steps for the other ZoneDirector.
Figure 25. Enabling an additional management interface
NOTE: If a management interface is used for web UI management, the actual IP
address must still be used when configuring ZoneDirector as a client for a backend
RADIUS server, FlexMaster server or in any SNMP systems. If two ZoneDirectors
are deployed in a Smart Redundancy configuration, both of the actual IP addresses
must be used rather than the management IP address.
Creating Static Route Entries
Static routes can be created to allow ZoneDirector to reach remote networks which
can only be reached via a gateway other than the default gateway. The gateway you
use must be in the same subnet as either the ZoneDirector primary IP address or
the Management IP address.
To create a static route to an additional gateway:
1. Go to Configure > System and locate the Static Route section.
2. Click Create New to create a new static route.
3. Enter a Name for this access route.
4. Enter a Subnet in the format A.B.C.D/M (where M is the netmask).
5. Enter the Gateway address.
6. Click OK to save your changes. You can create up to 4 static route entries.
Figure 26. Creating a static route entry
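A pre-flight check for a planned set of static routes against the three constraints stated above: the A.B.C.D/M subnet format, a gateway that sits in the same subnet as the ZoneDirector primary or Management IP address, and the limit of 4 entries. This is an added example, not part of the Ruckus guide; the function name, the result codes, the sample addresses and the choice to reject a subnet with host bits set are assumptions of this sketch.

```python
import ipaddress

MAX_STATIC_ROUTES = 4  # "You can create up to 4 static route entries."


def validate_static_routes(routes, zd_interfaces):
    """Check planned static routes before typing them into the web interface.

    routes        -- list of (name, subnet "A.B.C.D/M", gateway "A.B.C.D")
    zd_interfaces -- ZoneDirector primary and Management addresses with their
                     prefix length, e.g. ["192.168.0.2/24"]
    Returns a list of (route name, problem code); an empty list means no
    problem was found.
    """
    local_nets = [ipaddress.ip_interface(i).network for i in zd_interfaces]
    problems = []
    if len(routes) > MAX_STATIC_ROUTES:
        problems.append(("*", "too-many-routes"))
    for name, subnet, gateway in routes:
        try:
            # strict=True also rejects host bits set in the subnet
            # (10.40.0.1/24); treating that as an error is this example's
            # choice, since it usually means a typing mistake.
            ipaddress.IPv4Network(subnet, strict=True)
        except ValueError:
            problems.append((name, "bad-subnet"))
            continue
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append((name, "bad-gateway"))
            continue
        # The gateway must be reachable directly from the primary IP address
        # or from the Management IP address.
        if not any(gw in net for net in local_nets):
            problems.append((name, "gateway-off-subnet"))
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    interfaces = ["192.168.0.2/24", "192.168.40.2/24"]
    planned = [
        ("cmts-aps", "10.20.0.0/16", "192.168.0.254"),
        ("bad-gw", "10.30.0.0/24", "172.16.5.1"),
        ("typo", "10.40.0.1/24", "192.168.40.1"),
    ]
    for name, code in validate_static_routes(planned, interfaces):
        print(name, code)
```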
Static Route Example
As an example, in a network where the APs are connected to ZoneDirector via a
cable modem termination system, the APs are in a different subnet and not found
via the default gateway. A static route would therefore be needed to allow
ZoneDirector-to-AP connectivity. (See Figure 27).
Figure 27. A static route is needed when APs are reachable only through a non-default
gateway
Enabling Smart Redundancy
ZoneDirector’s Smart Redundancy feature allows two ZoneDirectors to be
configured as a redundant pair, with one unit actively managing your ZoneFlex network
while the other serves as a backup in standby mode, ready to take over if the first
unit fails or loses power.
Each ZoneDirector will either be in active or standby state. If the active ZoneDirector
fails, the standby device becomes active. When the original active device recovers,
it automatically assumes the standby state as it discovers an already active
ZoneDirector on the network.
The ZoneDirector in active state manages all APs and client connections. The
ZoneDirector in standby state is responsible for monitoring the health of the active
unit and periodically synchronizing its settings to match those of the active device.
The ZoneDirector in standby state will not respond to Discovery requests from APs
and changing from active to standby state will release all associated APs.
When failover occurs, all associated APs will continue to provide wireless service to
clients during the transition, and will associate to the newly active ZoneDirector
within approximately one minute.
When two ZoneDirectors are connected in a Smart Redundancy configuration, the
standby ZD will send heartbeats and the active will send discover messages at 6
second intervals. If after 15 seconds no reply is seen, each controller will assume
disconnection from its peer, and the standby ZD will change to active state. At this
point both devices are in active state and will accept join requests from APs.
When the two ZoneDirectors are communicating again, one active ZD will change
to standby state and an auto-synchronization process will be started. A timestamp
is used to determine which ZD should sync its latest configuration changes to those
of its peer. They will continue trying to communicate, sending discover messages
every 6 seconds, until the ZDs are communicating again, at which point they will
determine active/standby roles based on: 1) most managed APs, and/or 2) lower
MAC address.
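The timing described above, as a small simulation: peer messages every 6 seconds, a 15-second timeout after which the standby unit goes active, and role resolution once the link returns. This is an added example and a simplified model, not Ruckus code; the class and function names, the MAC addresses and AP counts are constructed, and reading "most managed APs, and/or lower MAC address" as AP count first with the MAC address as tie-breaker is an assumption.

```python
HEARTBEAT_INTERVAL = 6   # seconds between heartbeat/discover messages
PEER_TIMEOUT = 15        # seconds without a reply before the peer is presumed gone


class Controller:
    def __init__(self, name, mac, state, managed_aps):
        self.name = name
        self.mac = mac
        self.state = state              # "active" or "standby"
        self.managed_aps = managed_aps
        self.last_heard = 0             # time the peer was last heard from


def mac_key(mac):
    """Numeric value of a MAC address, so that 'lower MAC' is well defined."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_active(a, b):
    """Pick the unit that stays active when both are active.

    Assumed order: the unit managing more APs wins; on a tie, the lower MAC.
    """
    if a.managed_aps != b.managed_aps:
        return a if a.managed_aps > b.managed_aps else b
    return a if mac_key(a.mac) < mac_key(b.mac) else b


def simulate(a, b, link_down, link_up, duration):
    """Run one-second ticks; the peer link is down for link_down <= t < link_up.

    Returns a list of (time, controller name, new state) transitions.
    """
    events = []
    for t in range(duration + 1):
        link_ok = not (link_down <= t < link_up)
        if link_ok and t % HEARTBEAT_INTERVAL == 0:
            a.last_heard = b.last_heard = t
            if a.state == b.state == "active":
                # Both went active during the outage: resolve the roles.
                winner = elect_active(a, b)
                loser = b if winner is a else a
                loser.state = "standby"
                events.append((t, loser.name, "standby"))
        for zd in (a, b):
            if zd.state == "standby" and t - zd.last_heard >= PEER_TIMEOUT:
                zd.state = "active"     # the standby assumes its peer is gone
                events.append((t, zd.name, "active"))
    return events


if __name__ == "__main__":
    zd1 = Controller("zd-1", "00:11:22:33:44:01", "active", managed_aps=12)
    zd2 = Controller("zd-2", "00:11:22:33:44:02", "standby", managed_aps=0)
    for event in simulate(zd1, zd2, link_down=20, link_up=60, duration=90):
        print(event)
```

Between the two transitions both units are active and accept AP joins, which is the window to watch for when the link between the pair is unreliable.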
Configuring ZoneDirector for Smart Redundancy
For management convenience, both ZoneDirectors in a Smart Redundancy
deployment can be managed via a single shared IP address. In this situation, three IP
addresses would need to be configured:
• Primary ZoneDirector’s real address
• Backup ZoneDirector’s real address
• Management address
All configuration changes are made to the active ZoneDirector and synchronized to
the standby unit. The user can access the web interface from any of the three IP
addresses, however not all configuration options are available from the standby
device.
NOTE: If you will be deploying the two ZoneDirectors on different Layer 3 networks,
you must ensure that Port 443 and Port 33003 are open in any routers and firewalls
located between the two ZoneDirectors.
To enable Smart Redundancy:
1. Log in to the web interface of the ZoneDirector you will initially designate as the
primary unit.
2. Go to Configure > System, and set a static IP address under Device IP Settings,
if not already configured.
3. Click Apply. You will need to log in again using the new IP address (if changed).
4. On the same Configure > System page, locate the Smart Redundancy section.
Figure 28. Enable Smart Redundancy
5. Enable the check box next to Enable Smart Redundancy.
6. Enter the IP address of the backup unit under Peer Device IP Address.
NOTE: If you have configured Limited ZD Discovery under Configure > Access
Points > Access Point Policies, you must identify the IP address of both
ZoneDirectors that the APs should connect to when Smart Redundancy is active.
If the Limited ZD Discovery and Smart Redundancy information you enter is
inconsistent, a warning message will be displayed asking you to confirm. Note that
Ruckus recommends using the Smart Redundancy feature instead of the Limited
ZD Discovery feature whenever possible.
7. Enter a Shared Secret for two-way communication between the two
ZoneDirectors (up to 15 alphanumeric characters).
8. Click Apply to save your changes and prompt ZoneDirector to immediately
attempt to discover its peer on the network.
9. If discovery is successful, the details of the peer device will be displayed to the
right.
10. If discovery is unsuccessful, you will be prompted to retry discovery or continue
configuring the current ZoneDirector.
11. Install the second ZoneDirector and complete the Setup Wizard.
12. Go to Configure > System, enable Smart Redundancy and enter the primary
ZoneDirector’s IP address in Peer Device IP address.
13. Click Apply. If an active ZoneDirector is discovered, the second ZoneDirector
will assume the standby state. If an active device is not discovered, you will be
prompted to retry discovery or to continue configuring the current device.
Once Smart Redundancy has been enabled, a status link is displayed at the top of
the web interface.
Figure 29. Smart Redundancy status link
NOTE: If you want to use the same SSL certificate for both devices in a Smart
Redundancy pair, you can back up the certificate/private key from one device and
import it into the other. See Working with SSL Certificates for more information.
NOTE: If you disable Smart Redundancy after it has been enabled, both
ZoneDirectors will revert to active state, which could result in unpredictable network
topologies. Therefore, Ruckus Wireless recommends first factory resetting the
standby ZoneDirector before disabling Smart Redundancy.
NOTE: If the active and standby ZoneDirector are on different IP subnets, APs need
to know the IP addresses of both ZoneDirectors to quickly find the active
ZoneDirector after a Smart Redundancy failover. You can do this by configuring the
IP addresses of both devices on the Configure > Access Points > Limited ZD
Discovery page. Specify one ZoneDirector as Primary, the other as Secondary.
Alternatively you can specify the IP addresses of both ZoneDirectors through DHCP
Option 43 (see Option 2: Customize Your DHCP Server).
Forcing Failover to the Backup ZoneDirector
After Smart Redundancy has been enabled, you can view the status of both the
primary and backup units from the Dashboard by dragging the Smart Redundancy
widget onto the workspace.
Figure 30. The Smart Redundancy widget
The Failover button can be used to force a role reversal making the standby
ZoneDirector the active unit. This widget also displays the state (active, standby or
disconnected) of both devices, as well as their IP addresses and the Management
IP address, if configured.
Managing Smart Redundancy AP License Pools
If two Smart Redundancy ZoneDirectors have different license levels (number of
licensed APs), the total number of licenses is displayed in the Smart Redundancy
dashboard widget, in the “License Pool” entry. When one device is disconnected,
the remaining active ZD will continue to use the previous total license pool and start
a 60-day timer. When the timer expires, the ZD will use its own license number (the
license pool is reduced to the number of APs licensed for the currently active device
only) until its Smart Redundancy peer comes back online.
If a third ZoneDirector connects, the license pool will reflect the new total license
pool if the sum of the two licenses is higher than the original pair. If the sum is less
than the previous license pool (within the 60-day timer), the user will be prompted
to choose whether the license pool will be derived from the active + original
disconnected device, or from the currently active + current standby device. License
pools cannot exceed the maximum individual ZD license limit. ZoneDirectors with
temporary licenses cannot be configured as part of a Smart Redundancy pair.
Table 13. Max AP Licenses by ZoneDirector Model
Model               Max AP Licenses
ZoneDirector 1200   75
ZoneDirector 3000   500
ZoneDirector 5000   1,000
Figure 31. Smart Redundancy status degraded (peer is disconnected, license pool remains
valid for 60 days)
Figure 32. After 60 day grace period expires, license pool is revoked and AP license count
reverts to active device license level only
Figure 33. If a third ZD connects with a lower license level than the 2nd (disconnected) ZD,
the user can choose to use the original license pool for up to 60 days
Configuring the Built-in DHCP Server
ZoneDirector comes with a built-in DHCP server that you can enable to assign IP
addresses to devices that are connected to it. ZoneDirector’s DHCP server will only
assign addresses to devices that are on its own subnet and part of the same VLAN.
Note that before you can enable the built-in DHCP server, ZoneDirector must be
assigned a manual (static) IP address. If you configured ZoneDirector to obtain its
IP address from another DHCP server on the network, the options for the built-in
DHCP server will not be visible on the System Configuration page.
Enabling the Built-in DHCP server
NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server
if there are no other DHCP servers on the network. ZoneDirector’s internal DHCP
server can service only a single subnet (the one it’s in) and not other VLANs that
may be associated with client WLANs. If you enable the built-in DHCP server,
Ruckus Wireless also recommends enabling the rogue DHCP server detector. For
more information, refer to Rogue DHCP Server Detection.
1. Click the Configure tab. The System page appears.
2. Under the DHCP Server section, select the Enable DHCP check box.
3. In Starting IP Address, type the first IP address that the built-in DHCP server
will allocate to DHCP clients. The starting IP address must be on the same subnet
as the IP address assigned to ZoneDirector. If the value that you typed is invalid,
an error message appears and prompts you to let ZoneDirector automatically
correct the value. Click OK to automatically correct the entry.
4. In Number of IPs, type the maximum number of IP addresses that you want to
allocate to requesting clients. The built-in DHCP server can allocate up to 512
IP addresses including the one assigned to ZoneDirector. The default value is
200.
5. In Lease Time, select a time period for which IP addresses will be allocated to
DHCP clients. Options range from six hours to two weeks (default is one week).
6. If your APs are on different subnets from ZoneDirector, click the check box next
to DHCP Option 43 to enable Layer 3 discovery of ZoneDirector by the APs.
7. Click Apply.
NOTE: If you typed an invalid value in any of the text boxes, an error message
appears and prompts you to let ZoneDirector automatically correct the value. Click
OK to change it to a correct value.
Figure 34. The DHCP Server options
Viewing DHCP Clients
To view a list of current DHCP clients, click the click here link at the end of the “To
view all currently assigned IP addresses that have been assigned by the DHCP
server...” sentence. A table appears and lists all current DHCP clients with their MAC
address, assigned IP address, and the remaining lease time.
You can clear DHCP leases on ZoneDirector by disabling and re-enabling the DHCP
service.
Figure 35. To view current DHCP clients, click the “click here” link
Controlling ZoneDirector Management Access
The Management Access Control option can be used to control access to
ZoneDirector’s management interface. The Management Access Control interface is
located on the Configure > System screen. Options include limiting access by
subnet, single IP address and IP address range.
NOTE: When you create a management access control rule, all IP addresses and
subnets other than those specifically listed will be blocked from accessing
ZoneDirector’s web interface.
To restrict access to ZoneDirector’s web interface:
1. Go to Configure > System.
2. Locate the Management Access Control section, and click the Create New link.
3. In the Create New menu that appears, enter a name for the user(s) that you want
to allow access to ZoneDirector’s web interface.
4. Enter an IP address, address range or subnet.
The administrator’s current IP address is shown for convenience--be sure
not to create an ACL that prevents the admin’s own IP address from
accessing the web interface.
5. Click OK to confirm. You can create up to 16 entries in the Management ACL.
Figure 36. Management Access Control
Figure 37. Creating a new ZoneDirector management ACL
Setting the System Time
The internal clock in ZoneDirector is automatically synchronized with the clock on
your administration PC during the initial setup. You can use the web interface to
check the current time on the internal clock, which shows up as a static notation in
the Configure tab workspace. If this notation is incorrect, you can re-synchronize
the internal clock to your PC clock immediately by clicking the Sync Time with Your
PC button.
A preferable option is to link your ZoneDirector to an NTP server (as detailed below),
which provides continual updating with the latest time.
1. Go to Configure > System.
2. In the System Time features you have the following options:
• Refresh: Click this to update the ZoneDirector display (a static snapshot) from
the internal clock.
• Synch Time with your PC Now: If needed, click this to update the internal
clock with the current time settings from your administration PC.
• Use NTP... (Enabled by default): Clear this check box to disable this option,
or enter the DNS name or IP address of your preferred NTP server to use a
different one.
• Select time zone for your location: Choose your time zone from the drop-down
menu. Setting the proper time zone ensures that timestamps on log
files are in the proper time zone.
3. Click Apply to save the results of any resynchronization or NTP links.
Figure 38. The System Time options
Setting the Country Code
Different countries and regions maintain different rules that govern which channels
can be used for wireless communications. Setting the Country Code to the proper
regulatory region ensures that your ZoneFlex network does not violate local and
national regulatory restrictions. ZoneDirector’s web interface can be used to define
the country code for all APs under its control.
To set the Country Code to the proper location:
1. Go to Configure > System.
2. Locate the Country Code section, and choose your location from the pull-down
menu.
3. Click Apply to save your settings.
Figure 39. The Country Code settings
Channel Optimization
If your Country Code is set to “United States,” an additional configuration option,
Channel Optimization, is shown. This feature allows you to choose whether
additional DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be
available for use by your APs.
Note that these settings only affect Ruckus Wireless APs that support the extended
DFS channel list. Channel Optimization settings are described in the following table.
Table 14. Channel Optimization settings for US Country Code
Setting: Optimize for Compatibility
  Description: DFS-capable ZoneFlex APs are limited to the same channels as all
  other APs (non-DFS channels only).
  Use this setting when: You have a mixture of APs that support DFS channels and
  other Ruckus APs that do not support DFS channels in a Smart Mesh configuration.
Setting: Optimize for Interoperability
  Description: ZoneFlex APs are limited to non-DFS channels, plus four DFS channels
  supported by Centrino systems (may not be compatible with other wireless NICs).
  Use this setting when: You have only DFS-capable APs in your network, or Smart
  Mesh is not enabled, and you are confident that all wireless clients support DFS
  channels.
Setting: Optimize for Performance
  Description: ZoneFlex APs can use all available DFS and non-DFS channels, without
  regard for compatibility or interoperability.
  Use this setting when: You have only DFS-capable APs in your network, you are not
  concerned with DFS compatibility of client devices, and you want to make the
  maximum use of all possible available channels.
NOTE: If you are located in the United States and have a DFS-capable ZoneFlex
AP that is expected to serve as a Root AP (or eMAP), with a non-DFS-capable Mesh
AP as its downlink, you will need to set the Channel Optimization setting to "Optimize
for Compatibility." This is due to the DFS-capable AP's ability to use more channels
than the non-DFS-capable APs, which could result in the RAP choosing a channel
that is not available to the MAP. Alternatively, manually set the channel for the Root
AP to one of the non-DFS channels. Specifically, choose one of the following
channels: 36, 40, 44, 48, 149, 153, 157, 161, 165.
The channels available for AP use are the following:
• Optimize for Compatibility: 36, 40, 44, 48, 149, 153, 157, 161, 165 (non-DFS
channels).
• Optimize for Interoperability: non-DFS channels plus channels 52, 56, 58, 60.
• Optimize for Performance: all DFS/non-DFS channels, including 100, 104, 108,
112, 116, 120, 124, 128, 132, 136, 140.
Channel Mode
Some countries restrict certain 5 GHz channels to indoor use only. For instance,
Germany restricts channels in the 5.15 GHz to 5.25 GHz band to indoor use. When
ZoneFlex Outdoor APs and Bridges with 5 GHz radios (ZoneFlex 7762, 7782, 7761-CM
and 7731) are set to a country code where these restrictions apply, the AP or
Bridge can no longer be set to an indoor-only channel and will no longer select from
amongst a channel set that includes these indoor-only channels when SmartSelect
or Auto Channel selection is used, unless the administrator configures the AP to
allow use of these channels.
For instance, if the AP is installed in a challenging indoor environment such as a
warehouse, the administrator may want to allow the AP to use an indoor-only
channel. These channels can be enabled for use through the AP CLI or ZoneDirector
web interface by configuring Configure > System > Country Code > Channel Mode
and checking Allow indoor channels (allows ZoneFlex Outdoor APs to use
channels regulated as indoor use only). If you have a dual-band ZoneFlex Indoor
AP functioning as a RAP with dual-band ZoneFlex Outdoor APs functioning as
MAPs, the mesh backhaul link must initially use a non-indoor-only channel. Your
ZoneFlex Outdoor MAPs may fail to join if the mesh backhaul link is using a restricted
indoor-only channel.
Changing the System Log Settings
ZoneDirector maintains an internal log of current events and alarms. This file has a
fixed capacity; at a certain level, ZoneDirector will start deleting the oldest entries to
make room for the newest. This log is volatile, and the contents will be deleted if
ZoneDirector is powered down. If you want a permanent record of all logging
activities, you can set up your syslog server to receive log contents from
ZoneDirector, and then use the web interface to direct all logging to the syslog
server, as detailed in this topic.
Reviewing the Current Log Contents
1. Go to Monitor > All Events/Activities.
2. Review the events and alarms listed below.
NOTE: Log entries are listed in reverse chronological order (with the latest logs at
the top of the list).
3. Click a column header to sort the contents by that category.
4. Click any column twice to switch chronological or alphanumeric sorting modes.
Figure 40. The All Events/Activities page
Customizing the Current Log Settings
You can review and customize the log settings by following these steps:
1. Go to Configure > System.
2. Scroll down to Log Settings.
3. Make your selections from these syslog server options:
• Event Log Level: Select one of the three logging levels: “Show More,”
“Warning and Critical Events,” or “Critical Events Only.”
• Remote Syslog: To enable syslog logging, select the “Enable reporting to
remote syslog server at” check box, and then type the IP address in the box
provided.
• Inherit remote syslog server for APs __ (IP Address): Enabling this feature
allows ZoneDirector to supply client association information to a third party
application that can then deploy ACL policies to a firewall based on client
association information such as user name, IP, MAC address, etc. First,
ZoneDirector retrieves client association information, then reorganizes the
information and sends it to the syslog server, from which it can be collected
by the third party software and sent to the firewall for access restriction
based on client association information.
4. Click Apply to save your settings. The changes go into effect immediately.
Figure 41. The Log Settings options
Configuring Syslogs for Firewall Integration
Starting with release 9.8, ZoneDirector will generate syslog messages upon
acquisition, update or deletion of an IP address by a wireless station. This feature allows
enhanced integration with popular firewalls from vendors including Barracuda and
Palo Alto Networks for implementing client-specific security rules.
Station information is conveyed through a syslog message containing the following
information: IPv4/v6 address, User name, MAC address, Operation Type (Add,
Update, Del), AP/ZD MAC, OS Type.
To enable inclusion of client association logs in syslog messages:
1. Go to Administer > Diagnostics.
2. In Debug Logs, select the Client Association check box.
3. Click Apply to save your changes.
4. You must also ensure that syslog delivery is enabled on the Configure > System
page and that the Priority level in Remote Syslog Advanced Settings is set
to Info or All.
Figure 42. Enable client association logs in syslog for firewall integration
The flow of user data from the end point to the firewall will use the following path:
1. The user authenticates to an authentication server via AP.
2. ZoneDirector verifies the user’s identity.
3. After the station authenticates successfully and gets an IP address, ZoneDirector
generates a syslog message.
4. The log is sent to a syslog server in real time.
5. The script on the syslog server extracts user information from the log message
and sends it to the firewall.
A similar flow can be used to remove user mappings if the station sends a disconnect
message.
Log format
The log format consists of the following fields:
• operation: Indicates whether to add, delete or update client association
information.
• sta_ip: Indicates the IP address of station.
• sta_name: Indicates the station’s account name supplied by the client when
being authenticated. The user name is used for 802.1X and Web Auth WLANs.
The MAC address of the client will be used as the user name for Open, MAC
Address and 802.1X + MAC Address WLAN types.
• sta_mac: The station’s MAC address.
• sta_oriip: Only takes effect when the operation is “update” in order to indicate
the original IP of the station.
• ap_mac: Shows the MAC address of the AP to which the station is currently
connected.
• seq: Indicates the sequence number of the log message. It is increased by one
after a log is sent. The UDP packet can be adjusted to the right order by this
field in the log server.
• sta_ostype: Indicates the station’s OS type. Will be filled with “unknown” if the
OS type is unobtainable.
Examples
Add:
operation=add;seq=1;sta_ip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
Delete:
operation=del;seq=4;sta_ip=192.168.120.30;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_sta_log_disconnect
Update:
operation=update;seq=2;sta_ip=192.168.120.30;sta_oriip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
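The script on the syslog server has to validate these messages, restore their order from seq, and turn them into IP-to-user mappings for the firewall. The following Python is an added example, not code from Ruckus or from this guide: the function names, the sta_name allow-list and the handling of a leading syslog header are assumptions, and the sample input is the three example messages above, listed out of order.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", re.IGNORECASE)
# sta_name is supplied by the client, so it is untrusted input. This allow-list
# is an assumed policy for the example, not a ZoneDirector rule.
NAME_RE = re.compile(r"[\w.@:\\/-]{1,64}")


def parse_message(line):
    """Validate one client-association message and return its fields."""
    start = line.find("operation=")  # skip any syslog header (assumed layout)
    if start < 0:
        raise ValueError("not a client-association message")
    raw = {}
    for token in line[start:].strip().split(";"):
        key, sep, value = token.partition("=")
        if sep:  # the trailing tag (stamgr_...) has no "=" and is skipped
            raw[key.strip()] = value.strip()

    def need(key):
        if key not in raw:
            raise ValueError("missing field: " + key)
        return raw[key]

    op = need("operation")
    if op not in ("add", "update", "del"):
        raise ValueError("unknown operation: " + op)
    rec = {"operation": op, "seq": int(need("seq"))}
    rec["sta_ip"] = str(ipaddress.ip_address(need("sta_ip")))  # IPv4 or IPv6
    if op == "update":
        rec["sta_oriip"] = str(ipaddress.ip_address(need("sta_oriip")))
    rec["sta_mac"] = need("sta_mac")
    # The examples carry "zd/ap=<ZD MAC>/<AP MAC>"; the field list names ap_mac.
    if "zd/ap" in raw:
        rec["zd_mac"], _, rec["ap_mac"] = raw["zd/ap"].partition("/")
    else:
        rec["ap_mac"] = need("ap_mac")
    for key in ("sta_mac", "ap_mac", "zd_mac"):
        if key in rec:
            if not MAC_RE.fullmatch(rec[key]):
                raise ValueError("bad MAC address in " + key)
            rec[key] = rec[key].lower()
    rec["sta_name"] = need("sta_name")
    if not NAME_RE.fullmatch(rec["sta_name"]):
        raise ValueError("rejected sta_name")
    rec["sta_ostype"] = raw.get("sta_ostype", "unknown")
    return rec


def apply_batch(table, records):
    """Apply records in seq order; return (firewall actions, missing seqs)."""
    ordered = sorted(records, key=lambda r: r["seq"])
    seen = {r["seq"] for r in ordered}
    lo, hi = (ordered[0]["seq"], ordered[-1]["seq"]) if ordered else (0, -1)
    missing = [n for n in range(lo, hi + 1) if n not in seen]  # lost datagrams
    actions = []

    def logout(ip, mac):
        # Remove a mapping only if it still belongs to this station, so a late
        # "del" cannot evict another client that now holds the address.
        entry = table.get(ip)
        if entry and entry[1] == mac:
            del table[ip]
            actions.append(("logout", ip, entry[0]))

    for rec in ordered:
        if rec["operation"] == "update":
            logout(rec["sta_oriip"], rec["sta_mac"])
        if rec["operation"] == "del":
            logout(rec["sta_ip"], rec["sta_mac"])
        else:
            table[rec["sta_ip"]] = (rec["sta_name"], rec["sta_mac"])
            actions.append(("login", rec["sta_ip"], rec["sta_name"]))
    return actions, missing


# The guide's three example messages, listed out of order on purpose.
SAMPLE = [
    "operation=del;seq=4;sta_ip=192.168.120.30;sta_mac=60:36:dd:19:17:ac;"
    "zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/Vista;"
    "sta_name=60:36:dd:19:17:ac;stamgr_sta_log_disconnect",
    "operation=add;seq=1;sta_ip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;"
    "zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows7/Vista;"
    "sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc",
    "operation=update;seq=2;sta_ip=192.168.120.30;sta_oriip=192.168.120.16;"
    "sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;"
    "sta_ostype=Windows 7/Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc",
]


def demo():
    table = {}  # sta_ip -> (sta_name, sta_mac)
    actions, missing = apply_batch(table, [parse_message(m) for m in SAMPLE])
    return actions, missing, table


if __name__ == "__main__":
    print(demo())
```

The missing list reports sequence numbers absent from the batch (here 3), which tells the operator that a mapping change may have been lost in transit and the firewall state should be reconciled.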
Configuring Remote Syslog Advanced Settings
Advanced Syslog settings allow you to override the default Facility Name and Priority
Level of messages sent to the syslog server. In this way, users can separate different
kinds of syslogs according to the facility name on the syslog server side.
To configure remote syslog advanced settings:
1. Go to Configure > System.
2. Scroll down to Log Settings, and expand the Remote Syslog Advanced
Settings section.
3. In ZoneDirector Settings, set the facility name as follows:
• Keep Original: Retain the original facility name.
• local0 - local7: Specify facility name.
4. Set the priority level as follows:
• All: Include all syslog messages.
• 0(emerg), 1(alert), 2(crit), 3(err), 4(warning), 5(notice), 6(info), 7(debug): Lower
numbers indicate higher priority. The syslog server will only receive logs
whose priority levels are the same as or higher than the configured level.
5. Repeat step 4 for Managed AP Settings. ZoneDirector and Access Points can
use different facility and priority settings. All managed APs share the same facility
and priority settings.
Figure 43. Remote Syslog Advanced Settings
Setting Up Email Alarm Notifications
If an alarm condition is detected, ZoneDirector will record it in the event log. If you
prefer, an email notification can be sent to a configured email address of your
choosing.
To activate this option, follow these steps:
1. Go to Configure > Alarm Settings.
2. To enable email notification, select the Send an email message when an alarm
is triggered check box.
3. Enter the recipient email address in the Email Address box provided, and click
Apply.
4. Go to Configure > System, and scroll down to the Email Server section.
5. Configure the settings listed in Table 15.
Table 15. SMTP settings for email notification
SMTP Setting: Description
From email address: Type the email address from which ZoneDirector will send alarm
messages.
SMTP Server Name: Type the full name of the server provided by your ISP or mail
administrator. Often, the SMTP server name is in the format smtp.company.com.
For Hotmail addresses, the SMTP server name is smtp.live.com.
SMTP Server Port: Type the SMTP port number provided by your ISP or mail
administrator. Often, the SMTP port number is 25 or 587. The default SMTP port
value is 587.
SMTP Authentication Username: Type the user name provided by your ISP or mail
administrator. This might be just the part of your email address before the @ symbol,
or it might be your complete email address. If you are using a free email service
(such as Hotmail or Gmail), you typically have to type your complete email address.
SMTP Authentication Password: Type the password that is associated with the user
name above.
Confirm SMTP Authentication Password: Retype the password you typed above to
confirm.
SMTP Encryption Options: If your mail server uses TLS encryption, click the SMTP
Encryption Options link, and then select the TLS check box. Additionally, select the
STARTTLS check box that appears after you select the TLS check box. Check with
your ISP or mail administrator for the correct encryption settings that you need to set.
If using a Yahoo! email account, STARTTLS must be disabled.
If using a Hotmail account, both TLS and STARTTLS must be enabled.
6. To verify that ZoneDirector can send alarm messages using the SMTP settings
you configured, click the Test button.
• If ZoneDirector is able to send the test message, the message Success!
appears at the bottom of the Email Notification page. Continue to Step 7.
• If ZoneDirector is unable to send the test message, the message Failed!
appears at the bottom of the Email Notification page. Go back to Step 5, and
then verify that the SMTP settings are correct.
7. Click Apply. The email notification settings you configured become active
immediately.
Figure 44. The Alarm Settings page
NOTE: If the Test button is clicked, ZoneDirector will attempt to connect to the mail
server for 10 seconds. If it is unable to connect to the mail server, it will stop trying
and quit.
NOTE: When the alarm email is first enabled, the alarm recipient may receive a flood
of alarm notifications. This may cause the mail server to treat the email notifications
as spam and to temporarily block the account.
NOTE: ZoneDirector sends email notifications for a particular alert only once, unless
(1) it is a new alert of the same type but for a different device, or (2) existing alert
logs are cleared.
Customizing Email Alarms that ZoneDirector Sends
Using the Alarm Event section of the Configure > Alarm Settings page, you can
choose which types of events will trigger ZoneDirector to send an email notification.
1. Click Alarm Event to select/deselect all alarm types.
2. Select or deselect those for which you want or don’t want to receive emails.
3. Click Apply to save your changes.
When any of the selected events occur, ZoneDirector sends an email notification to
the email address that you specified in the Email Notification section.
NOTE: With the exception of the Lost contact with AP event, ZoneDirector only
sends one email alarm notification for each event. If the same event happens again,
no alarm will be sent until you clear the alarm on the Monitor > All Alarms page.
On the other hand, ZoneDirector sends a new alarm notification each time the Lost
contact with AP event occurs.
Configuring SMS Settings for Guest Pass Delivery via SMS
If you want to deliver Guest Passes to your guests via SMS, you can configure
ZoneDirector to use an existing Twilio or Clickatell account for SMS delivery. The
first step is to inform ZoneDirector of your Twilio or Clickatell account information.
1. Go to Configure > System.
2. Locate the SMS Settings section, and select either Twilio account information
or Clickatell account information.
3. Enter your Account SID, Auth Token and From Phone Number (Twilio) or your
User Name, Password and API ID (Clickatell).
4. Click the Test button to test your settings.
5. Once confirmed, click Apply to save your changes.
You can now allow guest pass generators to deliver guest pass codes to guests
using the SMS button when generating a new guest pass. (You must also enter a
phone number for receiving the SMS messages for each guest pass created.)
Figure 45. Configuring SMS Settings
Enabling Login Warning Messages
If you want to display a warning message upon login to the ZoneDirector web UI or
CLI, you can do so using the following procedure:
1. Go to Configure > System, and scroll down to the Login Warning section.
2. Click Enable login warning, and replace the text in the Customize warning
content text box according to your preferences.
3. Click Apply to save your changes. The next time a user attempts to log in to
ZoneDirector, they will be presented with the warning message you configured.
Figure 46. Enabling and configuring a login warning message
Enabling Network Management Systems
ZoneDirector supports several external network management systems including
Ruckus Wireless FlexMaster server, SNMPv2, SNMPv3 and Telnet server. These
options are configured from the Configure > System page by expanding the Network
Management link. The following section describes how to enable these network
management systems.
Enabling Management via FlexMaster
If you have a Ruckus Wireless FlexMaster server installed on the network, you can
enable FlexMaster management to centralize monitoring and administration of
ZoneDirector and other supported Ruckus Wireless devices. This version of
ZoneDirector supports the following FlexMaster-deployed tasks:
• Firmware upgrade for both ZoneDirector and the APs that report to them
• Reboot
• Backup of ZoneDirector settings
• Performance monitoring
When the FlexMaster management option is enabled, you will still be able to access
the ZoneDirector web interface to perform other management tasks. By default,
FlexMaster management is disabled.
To enable FlexMaster management:
1. Click Configure > System.
2. Scroll down to the bottom of the page.
3. If you see + Network Management (section is collapsed) at the bottom of the
page, click the Network Management link to expand the section.
4. Under FlexMaster Management, select the Enable management by
FlexMaster check box.
5. In URL, type the FlexMaster DNS host name or IP address of the FlexMaster
server.
6. In Interval, type the time interval (in minutes) at which ZoneDirector will send
status updates to the FlexMaster server. The default interval is 15 minutes.
7. Click Apply. The message Setting Applied appears.
You have completed enabling FlexMaster management on ZoneDirector. For more
information on how to configure ZoneDirector from the FlexMaster web interface,
refer to the FlexMaster documentation.
Figure 47. The FlexMaster Management options
Monitoring ZoneDirector Performance from FlexMaster
If you want to monitor ZoneDirector’s performance statistics from FlexMaster, select
Enable Performance Monitoring, enter an update interval, and click Apply. This
option is disabled by default.
Enabling Northbound Portal Interface Support
The Northbound Portal interface allows the use of DPSKs on open authentication
WLANs meant for public access.
By enabling the Northbound Portal Interface, a wireless service provider can provide
simple but secure Wi-Fi access without pre-registration, account setup or authen-
tication. ZoneDirector redirects authentication requests to an outside portal. If
access is granted, ZoneDirector provides a unique dynamic PSK. The DPSK can
be delivered in a prov.exe file, which automatically configures the user’s device with
the relevant wireless settings or displayed on the portal screen for manual entry.
To enable Northbound Portal interface support:
1. Go to Configure > System > Network Management.
2. Click Enable northbound portal interface support.
3. Enter a Password for API to portal communication.
4. Click Apply in the same section to save changes.
5. Configure the portal to display the key to the user or to push the prov.exe file to the client.
Figure 48. Enabling Northbound Portal interface
Configuring SNMP Support
ZoneDirector provides support for Simple Network Management Protocol (SNMP
v2 and v3), which allows you to query ZoneDirector information such as system
status, WLAN list, AP list, and clients list, and to set a number of system settings
using a Network Management System (NMS) or SNMP MIB browser.
You can also enable SNMP traps to receive immediate notifications for possible AP
and client issues.
Enabling the SNMP Agent
The procedure for enabling ZoneDirector’s internal SNMP agent depends on
whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides
security enhancements over the earlier version, and therefore requires you to enter
authorization passwords and encryption settings instead of simple clear text
community strings.
Both SNMPv2 and SNMPv3 can be enabled at the same time. The SNMPv3
framework provides backward compatibility for SNMPv1 and SNMPv2c management
applications so that existing management applications can still be used to
manage ZoneDirector with SNMPv3 enabled.
NOTE: For a list of the MIB variables that you can get and set using SNMP, check
the related SNMP documentation on the Ruckus Wireless Support Web site at
http://support.ruckuswireless.com/documents.
If your network uses SNMPv2
To enable SNMPv2 management:
1. Go to Configure > System. Scroll down to the bottom of the page and click the Network Management link to open the Network Management section.
2. Under the SNMPv2 Agent section, select the Enable SNMP Agent check box.
3. Enter the following information:
• In SNMP RO community (required), set the read-only community string. Applications that send SNMP Get-Requests to ZoneDirector (to retrieve information) will need to send this string along with the request before they will be allowed access. The default value is public.
• In SNMP RW community (required), set the read-write community string. Applications that send SNMP Set-Requests to ZoneDirector (to set certain SNMP MIB variables) will need to send this string along with the request before they will be allowed access. The default value is private.
• In System Contact, type your email address (optional).
• In System Location, type the location of the ZoneDirector device (optional).
4. Click Apply to save your changes.
Figure 49. Enabling the SNMPv2 agent
If your network uses SNMPv3
To enable SNMPv3 management:
1. Go to Configure > System. Scroll down to the bottom of the page and click the Network Management link to open the Network Management section.
2. Under the SNMPv3 Agent section, select the Enable SNMP Agent check box.
3. Enter the following information for both the Read Only and Read-Write privileges:
• User: Enter a user name between 1 and 31 characters.
• Authentication: Choose MD5 or SHA authentication method (default is MD5).
  - MD5: Message-Digest algorithm 5, message hash function with 128-bit output.
  - SHA: Secure Hash Algorithm, message hash function with 160-bit output.
• Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in length.
• Privacy: Choose DES, AES or None.
  - DES: Data Encryption Standard, data block cipher.
  - AES: Advanced Encryption Standard, data block cipher.
  - None: No Privacy passphrase is required.
• Privacy Phrase: If either DES or AES is selected, enter a Privacy phrase between 8 and 32 characters in length.
4. Click Apply to save your changes.
Figure 50. Enabling the SNMPv3 agent
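The following is an added example, not part of the Ruckus guide: a small audit of the SNMPv2 and SNMPv3 agent settings described above, checking the stated defaults (public, private, MD5) and length limits. The dictionary layout and key names are hypothetical, since the guide describes web interface fields rather than an export format, and the sample settings are constructed.

```python
# Added example: audit of the SNMP agent settings named in this guide.
# The dict layout and key names are hypothetical (the guide only describes
# web interface fields); sample values below are constructed.

V2_DEFAULTS = {"ro_community": "public", "rw_community": "private"}


def audit_v2(v2):
    """Findings for the SNMPv2 Agent section."""
    if not v2.get("enabled"):
        return []
    out = ["v2: community strings are sent in clear text"]
    values = {}
    for field, default in V2_DEFAULTS.items():
        values[field] = v2.get(field) or default  # empty field keeps default
        if values[field] == default:
            out.append(f"v2: {field} is still the default '{default}'")
    if values["ro_community"] == values["rw_community"]:
        out.append("v2: read-only string also grants read-write access")
    return out


def audit_v3_user(role, u):
    """Findings for one SNMPv3 privilege entry (Read Only or Read-Write)."""
    out = []
    if not 1 <= len(u.get("user", "")) <= 31:
        out.append(f"v3 {role}: user name must be 1 to 31 characters")
    if u.get("auth", "MD5") == "MD5":  # guide: default is MD5
        out.append(f"v3 {role}: MD5 authentication; SHA is available")
    auth_pass = u.get("auth_pass", "")
    if not 8 <= len(auth_pass) <= 32:
        out.append(f"v3 {role}: auth pass phrase must be 8 to 32 characters")
    priv = u.get("privacy", "None")  # assumption: an unset field means None
    if priv == "None":
        out.append(f"v3 {role}: no privacy, payload is not encrypted")
    else:
        if priv == "DES":
            out.append(f"v3 {role}: DES privacy; AES is available")
        priv_pass = u.get("priv_pass", "")
        if not 8 <= len(priv_pass) <= 32:
            out.append(f"v3 {role}: privacy phrase must be 8 to 32 characters")
        elif priv_pass == auth_pass:
            out.append(f"v3 {role}: privacy phrase reuses the auth pass phrase")
    return out


def audit(cfg):
    """Return a list of findings for the whole SNMP agent configuration."""
    v2, v3 = cfg.get("snmpv2", {}), cfg.get("snmpv3", {})
    out = audit_v2(v2)
    if v3.get("enabled"):
        users = {role: v3.get(role, {}) for role in ("ro", "rw")}
        for role, u in users.items():
            out += audit_v3_user(role, u)
        ro_pass = users["ro"].get("auth_pass")
        if ro_pass and ro_pass == users["rw"].get("auth_pass"):
            out.append("v3: RO and RW users share an auth pass phrase")
        if v2.get("enabled"):
            # Both agents can run at once, so v2 access stays available.
            out.append("v2 and v3 both enabled: community access remains open")
    return out


# Constructed sample: both agents on, defaults and reused phrases kept.
WEAK = {
    "snmpv2": {"enabled": True},
    "snmpv3": {
        "enabled": True,
        "ro": {"user": "monitor", "auth_pass": "changeme1"},
        "rw": {"user": "admin", "auth": "MD5", "auth_pass": "changeme1",
               "privacy": "DES", "priv_pass": "changeme1"},
    },
}

# Constructed sample: SNMPv3 only, SHA and AES, distinct phrases per role.
HARDENED = {
    "snmpv2": {"enabled": False},
    "snmpv3": {
        "enabled": True,
        "ro": {"user": "monitor", "auth": "SHA",
               "auth_pass": "constructed-ro-auth-01",
               "privacy": "AES", "priv_pass": "constructed-ro-priv-02"},
        "rw": {"user": "admin", "auth": "SHA",
               "auth_pass": "constructed-rw-auth-03",
               "privacy": "AES", "priv_pass": "constructed-rw-priv-04"},
    },
}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```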
Enabling SNMP Trap Notifications
If you have an SNMP trap receiver on the network, you can configure ZoneDirector
to send SNMP trap notifications to the server. Enable this feature if you want to
automatically receive notifications for AP and client events that indicate possible
network issues (see Trap Notifications That ZoneDirector Sends).
To enable SNMP trap notifications:
1. In the Network Management section of the System page, scroll down to the bottom of the page.
2. Under SNMP Trap, select the Enable SNMP Trap check box.
3. In SNMP Trap format, select either SNMPv2 or SNMPv3. You can select only one type of trap receiver.
• If you select SNMPv2, you only need to enter the IP addresses of up to four SNMP trap receivers on your network.
• If you select SNMPv3, enter up to four trap receiver IP addresses along with authentication method passphrase and privacy (encryption) settings.
4. Click Apply to save your changes.
Figure 51. Enabling SNMPv2 trap notifications
Figure 52. Enabling SNMP trap notifications with SNMPv3
Trap Notifications That ZoneDirector Sends
There are several events for which ZoneDirector will send trap notifications to the
SNMP server that you specified. Table 16 lists the trap notifications that ZoneDirector
sends and when they are sent.
Table 16. Trap notifications
Trap Name | Description
ruckusZDEventAPJoinTrap | An AP has joined ZoneDirector. The AP’s MAC address is included in the trap notification.
ruckusZDEventSSIDSpoofTrap | An SSID-spoofing rogue AP has been detected on the network. The rogue AP’s MAC address and SSID are included in the trap notification.
ruckusZDEventMACSpoofTrap | A MAC-spoofing rogue AP has been detected on the network. The rogue AP’s MAC address and SSID are included in the trap notification.
ruckusZDEventRogueAPTrap | A rogue AP has been detected on the network. The rogue AP’s MAC address and SSID are included in the trap notification.
ruckusZDEventAPLostTrap | An AP has lost contact with ZoneDirector. The AP’s MAC address is included in the trap notification.
ruckusZDEventAPLostHeartbeatTrap | An AP’s heartbeat has been lost. The AP’s MAC address is included in the trap notification.
ruckusZDEventClientAuthFailBlockTrap | A wireless client repeatedly failed to authenticate with an AP. The client's MAC address, AP's MAC address and SSID are included in the trap notification.
ruckusZDEventClientJoin | A client has successfully joined an AP. The client’s MAC address, the AP’s MAC address and SSID are included in the trap notification.
ruckusZDEventClientJoinFailed | A client has attempted and failed to join an AP. The client’s MAC address, the AP’s MAC address and SSID are included in the trap notification.
ruckusZDEventClientJoinFailedAPBusy | A client attempt to join an AP failed because the AP was busy. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientDisconnect | A client has disconnected from the AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamOut | A client has roamed away from an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamIn | A client has roamed in to an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientAuthFailed | A client authentication attempt has failed. The client's MAC address, AP's MAC address, SSID and failure reason are included.
ruckusZDEventClientAuthorizationFailed | A client authorization attempt to join an AP has failed. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventAPcoldstart | An AP has been cold started.
ruckusZDEventAPwarmstart | An AP has been warm started.
ruckusZDEventAPclientValve | Triggered when an AP’s online client limit has been exceeded.
ruckusZDEventAPCPUvalve | An AP's CPU utilization has exceeded the set value.
ruckusZDEventAPMEMvalve | An AP's memory utilization has exceeded the set value.
ruckusZDEventSmartRedundancyChangetoActive | The standby Smart Redundancy ZoneDirector has failed to detect its active peer, system changed to active state.
ruckusZDEventSmartRedundancyActiveConnected | The active Smart Redundancy ZoneDirector has detected its peer and is in active/connected state.
ruckusZDEventSmartRedundancyActiveDisconnected | The active Smart Redundancy ZoneDirector has not detected its peer and is in active/disconnected state.
ruckusZDEventSmartRedundancyStandbyConnected | The standby ZoneDirector has detected its peer and is in standby/connected state.
ruckusZDEventSmartRedundancyStandbyDisconnected | The standby ZoneDirector has not detected its peer and is in standby/disconnected state.
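The following is an added example, not part of the Ruckus guide: one way a trap receiver could triage the notifications listed in Table 16 for security review. It assumes the receiver has already decoded each trap into a dictionary; the key names (ts, trap, rogue_mac, client_mac, ap_mac, ssid), the threshold and window values, and the sample events are all constructed for illustration.

```python
# Added example: triage of ZoneDirector trap notifications by trap name.
# Trap names come from Table 16; the decoded-event layout is hypothetical.
from collections import defaultdict, deque

SPOOF = {"ruckusZDEventSSIDSpoofTrap", "ruckusZDEventMACSpoofTrap"}
ROGUE = {"ruckusZDEventRogueAPTrap"}
AP_DOWN = {"ruckusZDEventAPLostTrap", "ruckusZDEventAPLostHeartbeatTrap"}
AP_UP = "ruckusZDEventAPJoinTrap"
AUTH_FAIL = "ruckusZDEventClientAuthFailed"
AUTH_BLOCK = "ruckusZDEventClientAuthFailBlockTrap"


def triage(events, fail_threshold=5, window=60):
    """Return (alerts, missing_aps) for time-ordered decoded traps.

    alerts      list of (severity, kind, mac, ssid) tuples
    missing_aps dict of AP MAC -> time contact was lost, for APs that
                have not sent a join trap since
    """
    alerts = []
    seen_rogues = set()          # suppress repeats of the same rogue report
    fails = defaultdict(deque)   # client MAC -> recent failure timestamps
    flagged = set()              # clients currently in a failure burst
    down = {}
    for ev in events:
        trap, ts = ev["trap"], ev["ts"]
        if trap in SPOOF or trap in ROGUE:
            key = (trap, ev["rogue_mac"], ev["ssid"])
            if key not in seen_rogues:
                seen_rogues.add(key)
                severity = "high" if trap in SPOOF else "medium"
                alerts.append((severity, trap, ev["rogue_mac"], ev["ssid"]))
        elif trap == AUTH_BLOCK:
            # ZoneDirector itself reports repeated failures with this trap.
            alerts.append(("high", trap, ev["client_mac"], ev["ssid"]))
        elif trap == AUTH_FAIL:
            mac = ev["client_mac"]
            q = fails[mac]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= fail_threshold:
                if mac not in flagged:        # alert once per burst
                    flagged.add(mac)
                    alerts.append(("medium", "auth-failure-burst",
                                   mac, ev["ssid"]))
            else:
                flagged.discard(mac)
        elif trap in AP_DOWN:
            down.setdefault(ev["ap_mac"], ts)
        elif trap == AP_UP:
            down.pop(ev["ap_mac"], None)
    return alerts, down


def ev(ts, trap, **fields):
    """Build one constructed, already-decoded trap event."""
    return {"ts": ts, "trap": trap, **fields}


# Constructed sample data (MACs from the documentation range 00:00:5e:00:53:xx).
AP1, AP2 = "00:00:5e:00:53:10", "00:00:5e:00:53:11"
ROGUE1, ROGUE2 = "00:00:5e:00:53:aa", "00:00:5e:00:53:bb"
C1, C2 = "00:00:5e:00:53:c1", "00:00:5e:00:53:c2"

SAMPLE_TRAPS = [
    ev(0, AP_UP, ap_mac=AP1),
    ev(5, "ruckusZDEventRogueAPTrap", rogue_mac=ROGUE1, ssid="guest"),
    ev(6, "ruckusZDEventRogueAPTrap", rogue_mac=ROGUE1, ssid="guest"),
    *[ev(t, AUTH_FAIL, client_mac=C1, ap_mac=AP1, ssid="corp")
      for t in (10, 12, 14, 16, 18, 20)],
    ev(30, "ruckusZDEventSSIDSpoofTrap", rogue_mac=ROGUE2, ssid="corp"),
    ev(40, "ruckusZDEventAPLostTrap", ap_mac=AP1),
    ev(41, "ruckusZDEventAPLostHeartbeatTrap", ap_mac=AP2),
    ev(50, AP_UP, ap_mac=AP2),
    ev(200, AUTH_FAIL, client_mac=C2, ap_mac=AP2, ssid="corp"),
]

if __name__ == "__main__":
    found, missing = triage(SAMPLE_TRAPS)
    for alert in found:
        print(alert)
    print("APs still missing:", missing)
```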
Enabling Telnet
By default, Telnet is disabled due to security considerations, as SSH is the preferred
method if you need to access the ZoneDirector CLI. In some situations, however,
you may want to enable Telnet.
To enable Telnet:
1. Go to Configure > System.
2. Scroll down to the bottom of the page and expand the Network Management section.
3. Locate the Telnet Server section, and click the box next to Enable Telnet Server.
4. Click Apply to save your changes.
Figure 53. Enabling Telnet server
Configuring DHCP Relay
ZoneDirector’s DHCP Relay agent improves network performance by converting
DHCP broadcast traffic to unicast to prevent flooding the Layer 2 network when
Layer 3 Tunnel Mode is enabled (DHCP Relay only applies to Tunnel Mode WLANs).
Typically, when mobile stations acquire IP addresses through DHCP, the DHCP
request and acknowledgment traffic is broadcast to any devices in the same Layer
2 environment. With Tunnel Mode WLANs, this traffic flood is wasteful in terms of
bandwidth and computing power.
When DHCP Relay is enabled on a WLAN, the ZoneDirector relay agent converts
DHCP Discover / Request traffic to unicast UDP packets and sends them to the
DHCP servers, then delivers DHCP Offer / Ack messages from the DHCP server
back to the client.
The traffic flow is as follows:
1. Client sends DHCP discover broadcast.
2. AP tunnels this DHCP discover frame to ZoneDirector.
3. DHCP Relay Agent sends unicast DHCP discover packet to DHCP server.
4. DHCP server sends DHCP offer to Relay Agent on ZoneDirector.
5. ZoneDirector sends DHCP Offer back to the AP.
6. AP sends this Offer to client.
By reducing broadcast flooding, this option allows for higher client capacity in
tunneled WLANs designed for VoIP phones, for example. It also allows for DHCP
discovery across multiple subnets and limits DHCP broadcasts to the client’s AP
tunnel and radio.
To configure DHCP Relay for tunneled WLANs:
1. Go to Configure > DHCP Relay.
2. Click Create New.
3. Enter a Name and IP address for the server.
4. Click OK to save your changes. The new server appears in the list.
Figure 54. Creating a DHCP Relay server
To enable DHCP Relay for a WLAN:
1. Go to Configure > WLANs.
2. If creating a new WLAN, click Create New. Otherwise, click Edit for the WLAN you want to configure.
3. Under Advanced Options, when Tunnel Mode is enabled, the DHCP Relay option becomes available.
4. Under DHCP Relay, select Enable DHCP relay agent with __ DHCP server and select the server you created earlier from the list.
5. Click OK to save your changes.
Figure 55. Enabling DHCP Relay agent for a Tunnel Mode WLAN
Enabling Bonjour Gateway
Bonjour™ is Apple’s implementation of a zero-configuration networking protocol
for Apple devices over IP. It allows OS X and iOS devices to locate other devices
such as printers, file servers and other clients on the same broadcast domain and
use the services offered without any network configuration required.
Multicast applications such as Bonjour require special consideration when being
deployed over wireless networks. Bonjour only works within a single broadcast
domain, which is usually a small area. This is by design to prevent flooding a large
network with multicast traffic. However, in some situations, a user may want to offer
Bonjour services from one VLAN to another.
ZoneDirector’s Bonjour Gateway feature addresses this requirement by providing
an mDNS proxy service configurable from the web interface to allow administrators
to specify which types of Bonjour services can be accessed from/to which VLANs.
In order for the Bonjour Gateway to function, the following network configuration
requirements must be met:
1. The target networks must be segmented into VLANs.
2. VLANs must be mapped to different SSIDs.
3. The controller must be connected to a VLAN trunk port.
Additionally, if the VLANs to be bridged by the gateway are on separate subnets, the
network has to be configured to route traffic between them.
Creating a Bonjour Gateway Rule - ZD Site
The Bonjour Gateway service on ZoneDirector is essentially a list of rules for mapping
services from one VLAN to another. Using the ZD Site Bonjour Gateway feature,
ZoneDirector serves as the Bonjour proxy for forwarding Bonjour packets to the
designated VLANs.
Requirements:
• Layer 2 switch between ZoneDirector and APs
The maximum number of ZD site Bonjour Gateway rules is as follows:
Table 17. Max Bonjour rules per controller
ZoneDirector Model | Max Rules
ZoneDirector 1200 | 256
ZoneDirector 3000 | 256
ZoneDirector 5000 | 256
To configure rules for bridging Bonjour services across VLANs:
1. Go to Configure > Bonjour Gateway.
2. Click Create New in the ZD Site table to create a new Bonjour service rule.
3. In the Create New form, configure the following options:
• Bridge Service: Select the Bonjour service from the list.
  - Selecting “Other” allows you to create custom rules, for example, creating a rule for “_googlecast._tcp” would allow you to bridge Chromecast services across VLANs.
• From VLAN: Select the VLAN from which the Bonjour service will be advertised.
• To VLAN: Select the VLAN to which the service should be made available.
• Notes: Add optional notes for this rule.
4. Click OK to save your changes.
5. Repeat for any additional rules.
6. Select the check box next to Enable Bonjour gateway on ZD and click the Apply button.
Figure 56. Creating a ZD Site Bonjour Gateway rule
Creating a Bonjour Gateway Rule - AP Site
Using the AP Site Bonjour Gateway feature, Bonjour bridging service is performed
on a designated AP rather than on ZoneDirector. Offloading the Bonjour policy to
an AP is necessary if a Layer 3 switch or router exists between ZoneDirector and
the APs. ZoneDirector identifies a single AP that meets the memory/processor
requirements (this feature is only supported on certain APs), and delivers a set of
service rules - a Bonjour policy - to the AP to perform the VLAN bridging.
NOTE: This feature is only supported on the following access points: zf7762-AC,
7762-S-AC, T300, R300, H500, R500, R600, R700, 7982, 7372/52, 7055, 7782/
81, SC-8800 series.
Requirements and limitations:
• Bonjour policy deployment to an AP takes effect after the AP joins ZoneDirector.
• Some APs of one local area link must be in one subnet. The switch interfaces connected to these APs in a local area link must be configured in VLAN-trunk mode. Only by doing so can the designated AP receive all the multicast Bonjour protocol packets from other VLANs.
• Dynamic VLANs are not supported.
• Some AP models are incompatible with this feature due to memory requirements.
To configure rules for AP site bridging Bonjour services across VLANs:
1. Go to Configure > Bonjour Gateway.
2. Click Create New in the AP Site table to create a new Bonjour service policy.
3. Type a Name for the policy, then click Create New to create a new rule.
4. In the Create New form, configure the following options:
• Name: Enter a name for the proxy.
• Description: Optionally, enter a description for the rule.
• Order: Choose the order in which to apply rules.
• Bridge Service: Select the Bonjour service from the list.
• From VLAN: Select the VLAN from which the Bonjour service will be advertised.
• To VLAN: Select the VLAN to which the service should be made available.
• Notes: Add optional notes for this rule.
5. Click OK to save your changes.
6. Repeat for any additional rules.
7. Select the check box next to Enable Bonjour gateway on AP and click the Apply button.
Figure 57. Create an AP site Bonjour policy
Applying a Bonjour Policy to an AP
Once you have created an AP site Bonjour policy, you will need to designate the
AP that will be responsible for implementing this policy.
To enable Bonjour policy on an AP:
1. Go to Configure > Access Points.
2. Click Edit next to the AP you want to configure.
3. In Bonjour Gateway, enable the check box and select a Bonjour policy that you created on the Configure > Bonjour Gateway page from the list.
4. Click OK to save your changes.
Figure 58. Designate an AP as a Bonjour Gateway
Example Network Setup
The following example illustrates how ZoneDirector’s Bonjour Gateway can be used
to allow users to access Bonjour resources on different VLANs in a school setting,
where access to certain resources must generally be separated between teachers
and students, but where sharing may sometimes be necessary.
Assume a network with three VLANs mapped to separate SSIDs, all on separate
subnets or multicast domains. The three segments host different devices for
different users:
• Classroom SSID (VLAN 100): WEP authentication, includes an iMac desktop for file sharing and iOS Sync for backup, and an Apple TV attached to a projector.
• Teachers SSID (VLAN 200): 802.1X authentication for a MacBook and iPad, needs to have access to all classroom resources.
• Students SSID (VLAN 300): Students have a separate SSID with no authentication; they must be able to back up their iPads to the classroom iMac but should not have access to the Apple TV or File Sharing services.
Figure 59. Sample Bonjour Gateway configuration for a classroom scenario
In this example, the teacher gains access to AirPlay, AirPrint, iCloud Sync and File
Sharing, while students are given access to iCloud Sync and AirPrint only.
Configuring SPoT Location Services
To take advantage of Ruckus Wireless SmartPositioning Technology (SPoT) location
services, ZoneDirector must be configured with the Venue information that is
displayed in the SPoT Administration Portal. After completing purchase of the SPoT
location service, you will be given account login information that you can use to log
into the SPoT Administration Portal. The Admin Portal provides tools for configuring
and managing all of your “Venues” (the physical locations in which SPoT service is
deployed). After a Venue is successfully set up, you will need to enter the same
Venue information in ZoneDirector.
The following section lists the steps required for configuring ZoneDirector to
communicate with the SPoT Location Server.
To configure ZoneDirector for SPoT communication:
1. Log in to the SPoT Administration Portal.
2. On the Venues page, click Config next to the venue for which you want to configure ZoneDirector Location Services.
3. Take note of the four values in Controller Settings.
4. In the ZoneDirector web interface, go to Configure > Location Services.
5. In Location Services, click Create New.
6. Enter the information from the SPoT Admin Portal into the four fields provided.
7. Click OK to save your changes.
8. Go to Configure > Access Points, and in Access Point Groups, click Create New or Edit to configure one or more AP groups for SPoT location services.
9. Configure the AP group for SPoT communications.
NOTE: You will need to select 1 channel per radio for calibration, then after
calibration is complete, select 3 channels per radio for normal operation (see SPoT
User Guide for details).
10. In Location Services, click Enable, then select the Venue you created on the Configure > Location Services page.
11. Click OK to save the AP group. ZoneDirector will begin trying to communicate with the SPoT Location Server.
12. Once the APs have successfully connected to the SPoT server, you can view the status of your SPoT-enabled APs on the Monitor > Location Services page.
For more information on configuration and management of your SPoT service, see
the SPoT User Guide, available from support.ruckuswireless.com.
Figure 60. SPoT Administration Portal Venue Config page
Figure 61. Enter the venue information in ZoneDirector’s Configure > Location Services page
Figure 62. Configure an AP Group for SPoT location services
3 Configuring Security and Other Services
In this chapter:
• Configuring Self Healing Options
• Configuring Wireless Intrusion Prevention
• Controlling Network Access Permissions
• Using an External AAA Server
Configuring Self Healing Options
ZoneDirector has the capability to perform automatic network adjustments to
enhance performance and improve coverage by dynamically modifying power
output and channel selection settings for each AP, depending on the actual RF
environment. These features are called “Self Healing.”
Automatically Adjust AP Power
ZoneDirector provides a feature to automatically adjust AP radio power to optimize
coverage when interference is present. This feature is designed to turn down the
power of an access point if the following conditions are met:
1. The power is set to Auto in the AP configuration.
2. The AP can hear another AP that is on the same channel and same ZoneDirector.
3. The AP can hear the other AP at a minimum of 50 dB, which means the Access Points are very close to each other.
Note that the 2.4G and 5G radio bands are considered independently. If all
conditions are met, the AP will reduce its power by half. The other AP may or may
not necessarily reduce its power simultaneously.
NOTE: In general, Ruckus does NOT recommend enabling this feature as it can
lead to non-optimal AP power levels. With BeamFlex access points, Ruckus' general
guidelines are to run access points at full power to maximize the throughput and
SINR levels, thus maximizing data rates and performance.
Automatic Channel Selection
ZoneDirector offers two methods of automatic channel selection for spectrum
utilization and performance optimization:
• ChannelFly
• Background Scanning
While Background Scanning must be enabled for rogue AP detection, AP location
detection and radio power adjustment, either can be used for automatic channel
optimization.
ChannelFly
The main difference between ChannelFly and Background Scanning is that
ChannelFly determines the optimal channel based on real-time statistical analysis of actual
throughput measurements, while Background Scanning uses channel measurement
and other techniques to estimate the impact of interference on Wi-Fi capacity
based on progressive scans of all available channels.
NOTE: If you enable ChannelFly, Background Scanning can still be used for
adjusting radio power and rogue detection while ChannelFly manages the channel
assignment. Both cannot be used at the same time for channel management.
Benefits of ChannelFly
With ChannelFly, the AP intelligently samples different channels while using them for
service. ChannelFly assesses channel capacity every 15 seconds and changes
channel when, based on historical data, a different channel is likely to offer higher
capacity than the current channel. Each AP makes channel decisions based on this
historical data and maintains an internal log of channel performance individually.
When ChannelFly changes channels, it utilizes 802.11h channel change announcements
to seamlessly change channels with no packet loss and minimal impact to
performance. The 802.11h channel change announcements affect both wireless
clients and Ruckus mesh nodes in the 2.4 GHz and/or 5 GHz bands.
Initially (in the first 30-60 minutes) there will be more frequent channel changes as
ChannelFly learns the environment. However, once an AP has learned about the
environment and which channels are most likely to offer the best throughput
potential, channel changes will occur less frequently unless a large measured drop
in throughput occurs.
ChannelFly can react to large measured drops in throughput capacity in as little as
15 seconds, while smaller drops in capacity may take longer to react to.
Disadvantages of ChannelFly
Compared to Background Scanning, ChannelFly takes considerably longer for the
network to settle down. If you will be adding and removing APs to your network
frequently, Background Scanning may be preferable. Additionally, if you have clients
that do not support the 802.11h standard, ChannelFly may cause significant
connectivity issues during the initial capacity assessment stage.
You can enable/disable ChannelFly per band. If you have 2.4 GHz clients that do
not support 802.11h, Ruckus recommends disabling ChannelFly for 2.4 GHz but
leaving it enabled for the 5 GHz band.
To configure the self healing options:
1. Go to Configure > Services.
2. Review and change the following self-healing options:
• Automatically adjust AP radio power to optimize coverage where interference is present: Enable automatic radio power adjustment based on Background Scanning.
• Automatically adjust 2.4 GHz channels using
  - Background Scanning
  - ChannelFly
• Automatically adjust 5 GHz channels using
  - Background Scanning
  - ChannelFly
3. Click the Apply button in the same section to save your changes.
Figure 63. Self Healing options
NOTE: ChannelFly channel selection data is persistent across reboots for the
following APs only: 7982, 7782, 7782-x, 7781-CM, SC-8800-S. It is not persistent
across power cycles for any AP.
Background Scanning
Using Background Scanning, ZoneDirector regularly samples the activity in all
Access Points to assess RF usage, to detect rogue APs and to determine which
APs are near each other for mesh optimization.
These scans sample one channel at a time in each AP so as not to interfere with
network use. This information is then applied in AP Monitoring and other ZoneDirector
monitoring features. You can, if you prefer, customize the automatic scanning
of RF activity, deactivate it if you feel it's not helpful, or adjust the frequency, if you
want scans at greater or fewer intervals. Note that Background Scanning must be
enabled for ZoneDirector to detect rogue APs on the network.
To configure Background Scanning:
1. Go to Configure > Services.
2. In the Background Scanning section, configure the following options:
• Run a background scan on the 2.4 GHz radio every [ ]: Select this check box and enter the time interval (1~65535 seconds, default is 20) that you want to set between each scan.
• Run a background scan on the 5 GHz radio every [ ]: Select this check box and enter the time interval (1~65535 seconds, default is 20) that you want to set between each scan.
NOTE: If you want to disable Background Scanning, clear the check box; this
should result in a minor increase in AP performance, but removes the detection of
rogue APs from ZoneDirector monitoring. You can also decrease the scan frequency,
as less frequent scanning improves overall AP performance.
3. Click the Apply button in the same section to save your settings.
Figure 64. Background scanning options
NOTE: You can also disable Background Scanning on a per-WLAN basis from the
Configure > WLANs page. To disable scanning for a particular WLAN, click the
Edit link next to the WLAN for which you want to disable scanning, open Advanced
Options, and click the check box next to Disable Background Scanning.
To see whether Background Scanning is enabled or disabled for a particular AP, go
to Monitor > Access Points, and click on the AP’s MAC address. The access point
detail screen displays the Background Scanning status for each radio.
Figure 65. Viewing whether Background Scanning is enabled for an AP
Load Balancing
Enabling load balancing can improve WLAN performance by helping to spread the
client load between nearby access points, so that one AP does not get overloaded
while another sits idle. The load balancing feature can be controlled from within
ZoneDirector’s web interface to balance the number of clients per radio on adjacent
APs. “Adjacent APs” are determined by ZoneDirector at startup by measuring the
RSSI during channel scans. After startup, ZoneDirector uses subsequent scans to
update the list of adjacent radios periodically and when a new AP sends its first scan
report. When an AP leaves, ZoneDirector immediately updates the list of adjacent
radios and refreshes the client limits at each affected AP.
Once ZoneDirector is aware of which APs are adjacent to each other, it begins
managing the client load by sending desired client limits to the APs. These limits are
“soft values” that can be exceeded in several scenarios, including: (1) when a client’s
signal is so weak that it may not be able to support a link with another AP, and (2)
when a client’s signal is so strong that it really belongs on this AP.
The APs maintain these desired client limits and enforce them once they reach the
limits by withholding probe responses and authentication responses on any radio
that has reached its limit.
Key points on load balancing:
• These rules apply only to client devices; the AP always responds to another AP that is attempting to set up or maintain a mesh network.
• Load balancing does not disassociate clients already connected.
• Load balancing takes action before a client association request, reducing the chance of client misbehavior.
• The process does not require any time-critical interaction between APs and ZoneDirector.
• Provides control of adjacent AP distance with safeguards against abandoning clients.
• Can be disabled on a per-WLAN basis; for instance, in a voice WLAN, load balancing may not be desired due to voice roaming considerations.
• Background scanning must be enabled on the WLAN for load balancing to work.
To enable Load Balancing globally:
1. Go to Configure > Services.
2. In Load Balancing, choose to perform load balancing on either the 2.4 or 5 GHz radio.
3. Enter Adjacent Radio Threshold (in dB), and click Apply.
Configuring Self Healing Options
Load Balancing
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 123
Figure 66. Enable Load Balancing across adjacent APs by radio type
To disable Load Balancing on a per-WLAN basis:
1. Go to Configure > WLANs.
2. Click the Edit link beside the WLAN for which you want to disable load balancing.
3. Click the Advanced Options link to expand the options.
4. Select Do not perform load balancing for this WLAN service next to Load
   Balancing.
Figure 67. Disable load balancing on a specific WLAN
Band Balancing
Band balancing balances the client load on radios by distributing clients between
the 2.4 GHz and 5 GHz radios. This feature is enabled by default and set to a target
of 25% of clients connecting to the 2.4 GHz band. To balance the load on a radio,
the AP encourages dual-band clients to connect to the 5 GHz band when the
configured percentage threshold is reached.
Figure 68. Distributing clients between the 2.4 and 5 GHz radios
Radar Avoidance Pre-Scanning
The Radar Avoidance Pre-Scanning (RAPS) setting allows pre-scanning of DFS
channels in the 5 GHz band to ensure the channel is clear of radar signals prior to
transmitting on the channel. If a channel is blocked by this feature, it will be listed
as “DFS Block Radar” in the AP monitoring page. This setting affects select outdoor
dual band 802.11n AP models only and has no impact on APs that do not support
the feature. The option will also only be available if the Country Code settings are
configured to allow use of DFS channels (see Setting the Country Code).
Figure 69. Enabling Radar Avoidance Pre-Scanning
AeroScout RFID Tag Detection
AeroScout Tags are lightweight, battery-powered wireless devices that accurately
locate and track people and assets. AeroScout Tags, which can be mounted on
valuable equipment or carried by personnel, send periodic data to the AeroScout
Engine, the software component of the AeroScout visibility system that produces
accurate location and presence data.
If you are using AeroScout Tags in your organization, you can use the APs that are
being managed by ZoneDirector to relay data from the AeroScout Tags to the
AeroScout Engine. You only need to enable AeroScout tag detection on ZoneDirector
to enable APs to relay data to the AeroScout engine.
To enable AeroScout RFID tag detection on ZoneDirector:
1. Go to Configure > Services.
2. Scroll down to the AeroScout RFID section (near the bottom of the page).
3. Select the Enable AeroScout RFID tag detection check box.
4. Click the Apply button in the same section to save your changes.
ZoneDirector enables AeroScout RFID tag detection on all its managed APs that
support this feature.
Figure 70. Enabling AeroScout Tag detection
NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup
is not optimal (according to AeroScout documents). For more information on
AeroScout Tags and the AeroScout Engine, refer to your AeroScout documentation.
Ekahau Tag Detection
Using the Wi-Fi wireless network as its infrastructure, the Ekahau Real Time Location
System locates and tracks assets with attached Ekahau Tags. Ekahau Tags are
small, battery-powered devices that can be mounted on equipment or carried by
personnel, and send out periodic Ekahau Blink frames. Wi-Fi Access Points receive
and forward the Ekahau Blink frames to the Ekahau RTLS Controller, which
calculates accurate locations for the tags.
To enable Ekahau tag detection on ZoneDirector:
1. Go to Configure > Services.
2. Scroll down to the Ekahau Settings section (near the bottom of the page).
3. Select the Enable Ekahau tag detection check box.
4. Enter the Ekahau Controller IP address and Ekahau Controller Port.
5. Click the Apply button in the same section to save your changes.
ZoneDirector enables Ekahau tag detection on all its managed APs that support
this feature.
Figure 71. Enabling Ekahau tag detection
Active Client Detection
Enabling active client detection allows ZoneDirector to trigger an event when a client
with a low signal strength joins the network.
To enable active client detection:
1. Go to Configure > Services, and scroll down to the Active Client Detection
   section.
2. Click the check box next to Enable client detection ... and enter an RSSI
   threshold, below which an event will be triggered.
3. Click Apply to save your changes.
Figure 72. Enabling active client detection
A low severity event is now triggered each time a client connects with an RSSI lower
than the threshold value entered. Go to Monitor > All Events/Activities to monitor
these events.
Tunnel Configuration
Only WLANs with Tunnel Mode enabled are affected. See Advanced Options in the
WLAN configuration section for information on enabling Tunnel Mode.
To configure data encryption and filtering for tunneled WLANs:
1. Go to Configure > Services.
2. Scroll down to the bottom of the page and locate the Tunnel Configuration
   section.
3. Enable the check boxes next to the features you want to enable:
   • Enable tunnel encryption for tunneled traffic: By default, when WLAN
     traffic is tunneled to ZoneDirector, only the control traffic is encrypted while
     data traffic is unencrypted. When this option is enabled, the Access Point will
     decrypt 802.11 packets and then use an AES-encrypted tunnel to send them
     to ZoneDirector.
   • Block multicast traffic from network to tunnel: Prevents
     [all/non-well-known] multicast traffic from propagating on the tunnel.
   • Block broadcast traffic from network to tunnel except ARP and DHCP:
     Prevents all broadcast traffic other than Address Resolution Protocol and
     DHCP packets.
   • Enable Proxy ARP of tunnel WLAN with rate limit threshold __.:
     Reduces broadcast neighbor discovery packets (ARP and ICMPv6 Neighbor
     Solicit) over tunnels. When ZoneDirector receives a broadcast ARP request
     for a known host, it acts on behalf of the known host to send out unicast
     ARP replies at the rate limit specified. If ZoneDirector receives a broadcast
     ARP request for an unknown host, it will forward it to the tunnel to all APs
     according to the rate limit threshold set in the Packet Inspection Filter (see
     Packet Inspection Filter).
4. Click Apply in the same section to save your changes.
Figure 73. Set tunnel configuration parameters for all WLANs with tunnel mode enabled.
Packet Inspection Filter
The Packet Inspection Filter (PIF) allows configuration of rate limits for broadcast
neighbor discovery (IPv4 Address Resolution Protocol and IPv6 Neighbor Solicit)
packets. The PIF rate limiting threshold affects the following services:
• ARP Broadcast Filter for Mesh links (see Optional Mesh Configuration Features).
• Proxy ARP for WLAN interfaces (see Advanced Options under Creating a WLAN).
• Proxy ARP for Tunneled WLANs (see Tunnel Configuration).
When Proxy ARP or ARP Broadcast Filter services are enabled, the AP attempts to
reduce neighbor discovery traffic over the air by replacing broadcast messages with
unicast messages for known hosts. When these packets are received for an
unknown host, the Packet Inspection Filter supplements this functionality by limiting
the rate at which these packets are delivered.
Figure 74. Packet Inspection Filter
Configuring Wireless Intrusion Prevention
ZoneDirector provides several built-in intrusion prevention features designed to
protect the wireless network from security threats such as Denial of Service (DoS)
attacks and intrusion attempts. These features, called Wireless Intrusion Prevention
System (WIPS), allow you to customize the actions to take and the notifications you
would like to receive when each of the different threat types is detected.
DoS Protection
Two options are provided to protect the wireless network from Denial of Service
attacks.
To configure the DoS protection options:
1. Go to Configure > WIPS.
2. In the Denial of Service (DoS) section, configure the following settings:
   • Protect my wireless network against excessive wireless requests: If this
     capability is activated, excessive 802.11 probe request frames and management
     frames launched by malicious attackers will be discarded.
   • Temporarily block wireless clients with repeated authentication failures
     for [ ] seconds: If this capability is activated, any clients that repeatedly
     fail in attempting authentication will be temporarily blocked for a period of
     time (10~1200 seconds, default is 30). Clients temporarily blocked by the
     Intrusion Prevention feature are not added to the Blocked Clients list on the
     Configure > Access Control page, Blocked Clients section.
3. Click Apply to save your changes.
Figure 75. Denial of Service (DoS) prevention options
Intrusion Detection and Prevention
ZoneDirector’s intrusion detection and prevention features rely on background
scanning results to detect rogue access points connected to the network and,
optionally, to prevent clients from connecting to malicious rogue APs.
Rogue Access Points
A “Rogue Access Point” is any access point detected by a ZoneDirector-managed
access point that is not part of the ZoneFlex network managed by ZoneDirector.
Rogue devices are detected during off channel scans (background scanning) and
are simply other access points that are not being managed by ZoneDirector (e.g.,
an access point at a nearby coffee shop, a neighbor’s apartment or shopping mall).
Typically, rogue access points are not a threat; however, certain types do pose a
threat, and ZoneDirector automatically identifies these as “malicious rogue APs”.
The three automatically identified malicious access point categories are as follows:
• SSID-Spoofing: These are rogue access points that are beaconing the same
  SSID name as a ZoneDirector-managed access point. They pose a threat as
  someone may be attempting to use them as a honey pot to attract your clients
  into their network to attempt hacking or man-in-the-middle attacks to exploit
  passwords and other sensitive data.
• Same-Network: These are rogue access points that are detected by other
  access points as transmitting traffic on your internal network. They are detected
  when ZoneDirector-managed access points see packets coming from a MAC
  address “similar” to that of a rogue AP detected over the air. Similar MAC
  addresses are those up to 5 addresses lower or higher than the detected
  over-the-air MAC address.
• MAC-spoofing: These are rogue access points that are beaconing the same
  MAC address as a ZoneDirector-managed access point. They pose a threat as
  someone may be attempting to use them as a honey pot to attract your clients
  into their network to attempt hacking or man-in-the-middle attacks to exploit
  passwords and other sensitive data.
The last type of malicious rogue device is “User Marked.” These are devices that
are manually marked as malicious rogues by a ZoneDirector administrator using the
Mark as Malicious button on the Monitor > Rogue Devices page.
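The following Python sketch is an added example, not ZoneDirector code. It applies the SSID-Spoofing and Same-Network definitions above to a constructed scan result, treating the 48-bit MAC address as an integer so that the "5 lower or higher" comparison carries across octet boundaries. Assumptions: all names and sample addresses are hypothetical, a difference of 0 also counts as similar, and MAC-spoofing is not modelled because a BSSID list alone cannot separate a spoofed BSSID from the genuine AP.

```python
from dataclasses import dataclass

SIMILAR_MAC_WINDOW = 5  # "5 lower or higher", per the Same-Network definition


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (':' or '-' separated) into a 48-bit integer."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("not a MAC address: %r" % mac)
    return int("".join(octets), 16)


def is_similar_mac(mac_a, mac_b, window=SIMILAR_MAC_WINDOW):
    """True when the two addresses differ by at most `window` (assumed to include 0)."""
    return abs(mac_to_int(mac_a) - mac_to_int(mac_b)) <= window


@dataclass(frozen=True)
class ScannedAP:
    bssid: str  # MAC address heard over the air during background scanning
    ssid: str


def classify(ap, managed_bssids, managed_ssids, wired_macs):
    """Return (label, reasons) for one scanned AP.

    label is 'managed', 'rogue' (seen, but not a threat by these rules) or
    'malicious rogue'; reasons lists the categories that matched.
    """
    if mac_to_int(ap.bssid) in {mac_to_int(m) for m in managed_bssids}:
        return "managed", []
    reasons = []
    if ap.ssid in managed_ssids:
        reasons.append("SSID-Spoofing")
    if any(is_similar_mac(ap.bssid, w) for w in wired_macs):
        reasons.append("Same-Network")
    return ("malicious rogue" if reasons else "rogue"), reasons


# Constructed sample data (documentation MAC range 00:00:5e:00:53:xx and neighbours).
MANAGED_BSSIDS = ["00:00:5e:00:53:10"]
MANAGED_SSIDS = {"corp-wifi"}
WIRED_MACS = ["00:00:5e:00:53:fe"]  # source MACs seen on the internal wired network
SCAN = [
    ScannedAP("00:00:5e:00:53:10", "corp-wifi"),   # our own AP
    ScannedAP("00:00:5e:00:53:a0", "CoffeeShop"),  # neighbour, harmless
    ScannedAP("00:00:5e:00:53:b0", "corp-wifi"),   # beacons our SSID
    ScannedAP("00:00:5e:00:54:01", "linksys"),     # radio MAC 3 above a wired MAC
]


def report(scan=SCAN):
    """Classify every scanned AP; returns {bssid: (label, reasons)}."""
    return {ap.bssid: classify(ap, MANAGED_BSSIDS, MANAGED_SSIDS, WIRED_MACS)
            for ap in scan}


if __name__ == "__main__":
    for bssid, (label, reasons) in report().items():
        print(bssid, label, ", ".join(reasons))
```

The last sample entry shows why the comparison is done on the whole address: its radio MAC and the wired MAC differ in the fifth octet but are only 3 addresses apart.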
To configure intrusion detection and prevention options:
1. In the Intrusion Detection and Prevention section, configure the following
   settings:
   • Enable report rogue devices: Enabling this check box allows ZoneDirector
     to include rogue device detection in logs and email alarm event notifications.
     - Report all rogue devices: Send alerts for all rogue AP events.
     - Report only malicious rogue devices of type: Select which event types to
       report.
   • Protect the network from malicious rogue access points: Enable this
     feature to automatically protect your network from network connected rogue
     APs, SSID-spoofing APs and MAC-spoofing APs. When one of these rogue
     APs is detected (and this check box is enabled), the Ruckus AP automatically
     begins sending broadcast de-authentication messages spoofing the rogue’s
     BSSID (MAC) to prevent wireless clients from connecting to the malicious
     rogue AP. This option is disabled by default.
2. Click the Apply button that is in the same section to save your changes.
Figure 76. Intrusion Prevention options
See Detecting Rogue Access Points for more information on monitoring and
handling rogue devices.
Rogue DHCP Server Detection
A rogue DHCP server is a DHCP server that is not under the control of network
administrators and is therefore unauthorized. When a rogue DHCP server is
introduced to the network, it could start assigning invalid IP addresses, disrupting
network connections or preventing client devices from accessing network services.
It could also be used by hackers to compromise network security. Typically, rogue
DHCP servers are network devices (such as routers) with built-in DHCP server
capability that has been enabled (often, unknowingly) by users.
ZoneDirector has a rogue DHCP server detection feature that can help you prevent
connectivity and security issues that rogue DHCP servers may cause. When this
feature is enabled, ZoneDirector scans the network every five seconds for
unauthorized DHCP servers and generates an event every time it detects a rogue DHCP
server.
The conditions for detecting rogue DHCP servers depend on whether
ZoneDirector's own DHCP server is enabled:
• If the built-in DHCP server is enabled, ZoneDirector will generate an event when
  it detects any other DHCP server on the network.
• If the built-in DHCP server is disabled, ZoneDirector will generate events when
  it detects two or more DHCP servers on the network. You will need to find these
  DHCP servers on the network, determine which ones are rogue, and then
  disconnect them or shut down the DHCP service on them.
The Rogue DHCP Server Detection feature is enabled by default. If it is disabled,
use the following procedure to re-enable:
To enable rogue DHCP server detection on ZoneDirector (enabled by default):
1. Go to Configure > WIPS.
2. In the Rogue DHCP Server Detection section, select the Enable rogue DHCP
   server detection check box.
3. Click the Apply button that is in the same section.
You have completed enabling rogue DHCP server detection. Ruckus Wireless
recommends checking the Monitor > All Events/Activities page periodically to
determine if ZoneDirector has detected any rogue DHCP servers. When a rogue
DHCP server is detected, the following event appears on the All Events/Activities
page:
Rogue DHCP server on [IP_address] has been detected
If the check box is cleared, ZoneDirector will not generate these events.
NOTE: Rogue DHCP server detection only works on the ZoneDirector’s
management IP subnet.
Figure 77. Enabling Rogue DHCP server detection
Controlling Network Access Permissions
ZoneDirector provides several options for controlling client access to your wireless
networks and to other wired/wireless network resources. This section is divided into
the following subsections according to the features on the Configure > Access
Control page:
• Creating Layer 2/MAC Address Access Control Lists
• Creating Layer 3/Layer 4/IP Address Access Control Lists
• Configuring Device Access Policies
• Configuring Precedence Policies
• Blocking Client Devices
• Configuring Client Isolation White Lists
• Application Recognition and Filtering
Creating Layer 2/MAC Address Access Control Lists
Using the Access Controls configuration options, you can define Layer 2/MAC
address ACLs, which can then be applied to one or more WLANs (upon WLAN
creation or edit). ACLs are either allow-only or deny-only; that is, an ACL can be set
up to allow only specified clients or to deny only specified clients. MAC addresses
that are in the deny list are blocked at the AP, not at ZoneDirector.
To configure an L2/MAC ACL:
1. Go to Configure > Access Control.
2. Expand the L2-L7 Access Control section.
3. In L2/MAC Access Control, click Create New.
4. Type a Name for the ACL.
5. Type a Description of the ACL.
6. Select the Restriction mode as either allow or deny.
7. Type a MAC address in the MAC Address text box, and then click Create New
   to save the address. The new MAC address that you added appears next to the
   Stations field. You can enter up to 128 MAC addresses per ACL.
8. Click OK to save the L2/MAC based ACL.
You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128
MAC addresses. Each WLAN can be configured with one L2 ACL.
Figure 78. Configuring an L2/MAC access control list
Creating Layer 3/Layer 4/IP Address Access Control Lists
In addition to L2/MAC based ACLs, ZoneDirector also provides access control
options at Layer 3 and Layer 4. This means that you can configure the access control
options based on a set of criteria, including:
• Destination Address
• Application
• Protocol
• Destination Port
To create an L3/L4/IP address based ACL:
1. Go to Configure > Access Control.
2. Expand the L2-L7 Access Control section.
3. In L3/4/IP address Access Control, click Create New.
4. Type a Name for the ACL.
5. Type a Description for the ACL.
6. In Default Mode, set the default access privilege (allow all or deny all) that you
   want to grant all users by default.
7. In Rules, click Create New or click Edit to edit an existing rule.
8. Define each access policy by configuring a combination of the following:
   • Type: The access privilege (allow or deny) that this policy grants.
   • Destination Address: Enter an IP subnet and netmask of the network target
     to which you want to allow or deny access. (IP address must be in the format
     A.B.C.D/M, where M is the subnet mask.) Otherwise, select Any. For
     example, if you enter 192.168.0.1/24, the rule would allow or deny the entire
     Class C subnet. To allow/deny a single host, use /32 as the netmask.
   • Application: If you select a specific application from the menu, the Protocol
     and Destination Port options are automatically filled with the relevant values
     and are not configurable.
   • Protocol: Enter a network protocol number (0-254), as defined by the IANA
     (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
     to allow or deny. Otherwise, select Any.
   • Destination Port: Enter a valid port number (1-65534) or port range
     (e.g., 80-443).
9. Click OK to save the ACL.
10. Repeat these steps to create up to 32 L3/L4/IP address-based access control
    rules.
Figure 79. Configuring an L3/L4 access control list
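The following Python sketch is an added example, not ZoneDirector code. It validates rule fields against the formats and ranges given in the procedure above (A.B.C.D/M, protocol 0-254, port 1-65534 or a range) and then evaluates a constructed ACL against sample flows. Assumptions: rules are checked in listed order with the first match winning and the Default Mode applied when nothing matches, which the guide does not state; leaving the port as Any is also assumed; all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "Any"


def parse_destination(text):
    """'A.B.C.D/M' -> IPv4Network, or None for Any."""
    if text == ANY:
        return None
    if "/" not in text:
        raise ValueError("destination must be A.B.C.D/M: %r" % text)
    # strict=False keeps host bits legal, so 192.168.0.1/24 covers all of
    # 192.168.0.0/24, matching the guide's example.
    return ipaddress.IPv4Network(text, strict=False)


def parse_protocol(text):
    """IANA protocol number 0-254, or None for Any."""
    if text == ANY:
        return None
    number = int(text)
    if not 0 <= number <= 254:
        raise ValueError("protocol out of range: %r" % text)
    return number


def parse_ports(text):
    """'80' or '80-443' -> (low, high) within 1-65534, or None for Any (assumed)."""
    if text == ANY:
        return None
    low_text, _, high_text = text.partition("-")
    low = int(low_text)
    high = int(high_text) if high_text else low
    if not 1 <= low <= high <= 65534:
        raise ValueError("port or range out of bounds: %r" % text)
    return (low, high)


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    network: Optional[ipaddress.IPv4Network]
    protocol: Optional[int]
    ports: Optional[Tuple[int, int]]


def make_rule(action, destination=ANY, protocol=ANY, port=ANY):
    if action not in ("allow", "deny"):
        raise ValueError("action must be allow or deny")
    return Rule(action, parse_destination(destination),
                parse_protocol(protocol), parse_ports(port))


def matches(rule, dst_ip, protocol, dst_port):
    if rule.network is not None and ipaddress.IPv4Address(dst_ip) not in rule.network:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.ports is not None and not rule.ports[0] <= dst_port <= rule.ports[1]:
        return False
    return True


def evaluate(rules, default_mode, dst_ip, protocol, dst_port):
    """First matching rule decides (assumption); otherwise the Default Mode applies."""
    for rule in rules:
        if matches(rule, dst_ip, protocol, dst_port):
            return rule.action
    return default_mode


# Constructed ACL: block one host, allow web ports to its subnet, allow DNS anywhere.
ACL = [
    make_rule("deny", "192.168.0.10/32"),
    make_rule("allow", "192.168.0.1/24", "6", "80-443"),
    make_rule("allow", ANY, "17", "53"),
]

if __name__ == "__main__":
    for flow in [("192.168.0.10", 6, 443), ("192.168.0.200", 6, 443),
                 ("192.168.0.200", 6, 22), ("203.0.113.5", 17, 53)]:
        print(flow, evaluate(ACL, "deny", *flow))
```

Under first-match evaluation the /32 deny has to be listed before the broader /24 allow, otherwise the single-host rule is never reached.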
Configuring Device Access Policies
In response to the growing numbers of personally owned mobile devices such as
smart phones and tablets being brought into the network, IT departments are
requiring more sophisticated control over how devices connect, what types of
devices can connect, and what they are allowed to do once connected.
Using the Device Access Policy settings, ZoneDirector can identify the type of client
attempting to connect, and perform control actions such as permit/deny, rate limiting
and VLAN tagging based on the device type.
Once a Device Access Policy has been created, you can apply the policy to any
WLANs for which you want to control access by device type. You could, for example,
allow only Apple OS devices on one WLAN and only Linux devices on another.
To create a Device Access Policy:
1. Go to Configure > Access Control.
2. Expand the Device Access Policy section, and click Create New.
3. Enter a Name and optionally a description for the access policy.
4. In Default Mode, select Deny all by default or Allow all by default.
5. In Rules, you can create multiple OS-specific rules for each access policy.
   • Description: Description of the rule.
   • OS/Type: Select from any of the supported client types.
   • Type: Select rule type (allow or deny).
   • Uplink/Downlink: Set rate limiting for this client type.
   • VLAN: Segment this client type into a specified VLAN (1~4094; if no value
     is entered, this policy does not impact device VLAN assignment).
6. Click Save to save the rule you created. You can create up to nine rules per
   access policy (one for each OS/Type).
7. To change the order in which rules are implemented, click the up or down arrows
   in the Action column. You can also Edit or Clone rules from the Action column.
   To delete a rule, select the box next to the rule and click Delete.
8. Click OK to save the access policy. You can create up to 32 access policies (one
   access policy per WLAN).
Figure 80. Creating a Device Access Policy
To apply a Device Access Policy to a WLAN:
1. Go to Configure > WLANs.
2. To edit an existing WLAN, click Edit next to the WLAN you want to edit.
3. Expand the Advanced Options, and locate the Access Control section.
4. In Device Policy, select the policy you created from the list.
5. Click OK to save your changes.
Figure 81. Applying a device access policy for a WLAN
Configuring Precedence Policies
Use the Precedence Policy settings to define the priority order in which rate limiting
and VLAN policies are applied to a WLAN.
To configure Precedence Policies:
1. Go to Configure > Access Control.
2. In the Precedence Policy section, click Edit to modify the default policy or click
   Create New to create a new policy to be selectable from the WLAN
   configuration dialog.
3. Under Rules, click Create New to create a new rule for this policy.
4. Select an Attribute (VLAN or Rate Limiting) to apply a precedence policy.
5. Select a Precedence Policy (AAA Server, Device Policy or WLAN Configuration)
   and click up and down arrows to set the order in which policies will take
   precedence.
6. Click Save to save the rule. You can create up to two rules per policy. The rules
   will be applied in the order shown in the Order column.
7. Click OK to save the precedence policy. This policy is now available for selection
   in WLAN configuration.
Figure 82. Precedence Policy settings
Blocking Client Devices
When users log into a ZoneDirector network, their client devices are recorded and
tracked. If, for any reason, you need to block a client device from network use, you
can do so from the web interface. The following subtopics describe various tasks
that you can perform to monitor, block and unblock client devices manually from
the ZoneDirector web interface.
Note the following considerations when managing the Blocked Clients list:
• The block list is system-wide and is applied to all WLANs in addition to any
  per-WLAN ACLs. If a MAC address is listed in the system-wide block list, it will be
  blocked even if it is an allowed entry in an ACL. Thus, the block list takes
  precedence over an ACL.
• MAC addresses that are in the deny list are blocked at the AP, not at ZoneDirector.
Monitoring Client Devices
1. Go to the Dashboard, if it's not already in view.
2. Under Devices Overview, look at # of Total Client Devices.
Figure 83. The Device Overview widget
3. Click the current number, which is also a link. The Wireless Clients page (on the
   Monitor tab) appears, showing the first 15 clients that are currently connected
   to ZoneDirector. If there are more than 15 currently active clients, the Show More
   button at the bottom of the page will be active. To display more clients in the list,
   click Show More. When all active clients are displayed on the page, the Show
   More button disappears.
4. To block any listed client devices, follow the next set of steps.
Temporarily Disconnecting Specific Client Devices
Follow these steps to temporarily disconnect a client device from your WLAN. (The
user can simply reconnect manually, if they prefer.) This is helpful as a
troubleshooting tip for problematic network connections.
1. Look at the Status column to identify any “Unauthorized” users.
2. Click the Delete button in the Action column in a specific user row. The entry is
   deleted from the Active/Current Client list, and the listed device is disconnected
   from your Ruckus Wireless WLAN.
Figure 84. Click the Delete button to temporarily delete a client. The client will be able to
reconnect.
NOTE: The user can reconnect at any time, which, if this proves to be a problem,
may prompt you to consider Permanently Blocking Specific Client Devices.
Permanently Blocking Specific Client Devices
Follow these steps to permanently block a client device from WLAN connections.
1. Look at the Status column to identify any unauthorized users.
2. Click the Block button in the Action column in a specific user row.
The status is changed to Blocked. This will prevent the listed device from using your
Ruckus Wireless WLANs.
Figure 85. Click the Block button to permanently delete a client
Reviewing a List of Previously Blocked Clients
1. Go to Configure > Access Control.
2. Review the Blocked Clients table.
3. You can unblock any listed MAC address by clicking the Unblock button for that
   address.
Figure 86. Unblocking a previously blocked client
Configuring Client Isolation White Lists
When Wireless Client Isolation is enabled on a WLAN, all communication between
clients and other local devices is blocked at the Access Point. To prevent clients
from communicating with other nodes, the Access Point drops all ARP packets from
stations on the WLAN where client isolation is enabled and which are destined to
IP addresses that are not part of a per-WLAN white list.
You can create exceptions to client isolation (such as allowing access to a local
printer, for example) by creating Client Isolation White Lists.
To create a Client Isolation White List:
1. Go to Configure > Access Control.
2. Expand the Client Isolation White List section, and click Create New.
3. Enter a Name and optionally a description for the access policy.
4. In Rules, you can create multiple device-specific rules for each device to be white
   listed.
   • Description: Description of the device.
   • MAC Address: Enter the MAC address of the device.
   • IPv4 Address: Enter the IP address of the device.
5. Click Save to save the rule you created.
6. To change the order in which rules are implemented, select the order from the
   drop-down menu in the Order column. You can also Edit or Clone rules from
   the Action column. To delete a rule, select the box next to the rule and click
   Delete.
7. Click OK to save the white list.
Figure 87. Creating a Client Isolation White List
To apply a Client Isolation White List to a WLAN:
1. Go to Configure > WLANs.
2. Click Edit next to the WLAN you want to edit.
3. In Wireless Client Isolation (under Options), select the level of client isolation you
   want to enforce:
   • Isolate wireless client traffic from other clients on the same AP: Enable
     client isolation on the same Access Point (clients on the same subnet but
     connected to other APs will still be able to communicate).
   • Isolate wireless client traffic from all hosts on the same VLAN/subnet:
     Prevent clients from communicating with any other hosts on the same subnet
     or VLAN other than those listed on the Client Isolation Whitelist. If this option
     is chosen, you must select a Whitelist from the drop-down list of those you
     created on the Configure > Access Control page.
4. Click OK to save your changes.
Figure 88. Selecting a Client Isolation White List
Application Recognition and Filtering
The Application Recognition and Filtering features allow administrators to enhance
ZoneDirector’s built-in application identification capabilities and apply filtering
policies to prevent users from accessing certain applications. These features allow
administrators to perform the following tasks:
• Configure User Defined Applications
• Configure Application Port Mapping
• Configure Application Denial Policies
Configure User Defined Applications
When an application is unrecognized and generically (or incorrectly) categorized,
you can configure an explicit application identification policy by IP Address/Mask,
Port and Protocol. Wireless traffic that matches a configured policy will be displayed
using the policy’s name on the Top 10 Applications widget on the Dashboard and
the Applications pie charts/tables on the Wireless Clients monitoring page.
In case of a conflict, application identification policies are implemented according
to the following priority order:
1. User Defined Applications
2. ZoneDirector embedded applications
3. Port Mapping application policies
Figure 89 shows how to configure a policy to identify a corporate accounting
application. ZoneDirector identifies wireless traffic matching this policy as “Well Paid
Accounting” and displays this name in the application recognition pie charts and
tables.
Figure 89. Defining custom applications for ZoneDirector identification
Configure Application Port Mapping
When an application is unrecognized and generically (or incorrectly) categorized, you
can configure an application identification policy by IP Port and Protocol. Wireless
traffic that matches a configured policy will be displayed using the policy’s
Description text in the Applications widget on the Dashboard and Applications pie
charts/tables on the Wireless Clients monitoring page. You can create new
port-to-application name mappings individually, or you can batch upload a list in .csv format.
Click the click here link to download a sample of the .csv file format.
This type of policy is the least granular in configuration and hence it has the lowest
priority as a means of application identification. If, for example, you configure an
Application Port Mapping Policy for port 80/TCP, any such matching wireless traffic
not identified by either a User Defined Applications policy or ZoneDirector’s
embedded policies will be identified as belonging to this policy.
Figure 90 shows how an Application Port Mapping policy could be used to identify
all port 8081 wireless traffic as “HTTP Proxy” traffic and display this name in
application recognition pie charts and tables.
Figure 90. Application Port Mapping
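The priority order described above can be modelled as follows. This is an added example, not ZoneDirector code: the policy values, the "unidentified" label and the assumption that policies match on destination address and port are constructed for illustration, and the embedded-application result is passed in as a plain input. It also reports which lower-priority policies matched but were overridden.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "dst_ip dst_port proto")
UserDefinedApp = namedtuple("UserDefinedApp", "name network port proto")
PortMapping = namedtuple("PortMapping", "description port proto")
Result = namedtuple("Result", "name tier shadowed")


def identify(flow, user_defined, embedded_label, port_mappings):
    """Label a flow using the guide's priority order.

    embedded_label stands in for whatever ZoneDirector's embedded
    application signatures would return (None if nothing is recognised).
    """
    dst = ipaddress.ip_address(flow.dst_ip)
    matches = []  # collected in priority order, highest first

    # 1. User Defined Applications: IP address/mask + port + protocol
    for app in user_defined:
        net = ipaddress.ip_network(app.network, strict=False)
        if dst in net and flow.dst_port == app.port and flow.proto == app.proto:
            matches.append(("user-defined", app.name))

    # 2. ZoneDirector embedded applications (modelled as an input)
    if embedded_label is not None:
        matches.append(("embedded", embedded_label))

    # 3. Port Mapping policies: port + protocol only, lowest priority
    for pm in port_mappings:
        if flow.dst_port == pm.port and flow.proto == pm.proto:
            matches.append(("port-mapping", pm.description))

    if not matches:
        return Result("unidentified", "none", [])
    tier, name = matches[0]
    return Result(name, tier, matches[1:])


# Constructed policies: the names echo Figures 89 and 90, the addresses
# and the accounting port are made up for this example.
USER_DEFINED = [UserDefinedApp("Well Paid Accounting", "10.20.30.0/24", 8443, "tcp")]
PORT_MAPPINGS = [
    PortMapping("HTTP Proxy", 8081, "tcp"),
    PortMapping("Port 80 web", 80, "tcp"),
]

if __name__ == "__main__":
    samples = [
        (Flow("10.20.30.5", 8443, "tcp"), "SSL"),
        (Flow("203.0.113.9", 80, "tcp"), "HTTP"),
        (Flow("203.0.113.9", 80, "tcp"), None),
        (Flow("203.0.113.9", 8081, "tcp"), None),
    ]
    for flow, embedded in samples:
        print(flow, "->", identify(flow, USER_DEFINED, embedded, PORT_MAPPINGS))
```

A non-empty `shadowed` list explains why a configured port mapping never appears in the charts for traffic that a higher-priority policy already labels.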
Well-Known Service and Destination Port Mappings Defined in Application Visibility
ZoneDirector automatically identifies several hundred applications for use in
application recognition and denial policies. The following links provide lists of many
of the most common applications and ports that are included:
• IANA list of Service Names and Port Numbers
• SpeedGuide.net
• Well known TCP and UDP ports used by Apple software products
• Bitcoin
• Google Cloud Messaging
• PlayStation
• TiVo
• Wii
• Xbox
Configure Application Denial Policies
This option allows the administrator to deny application access by blocking any
HTTP host name or L4 port. Using application denial policies, administrators can
block specific applications if they are seen to be consuming excessive network
resources, or enforce network usage policies such as blocking social media sites.
The following usage guidelines need to be taken into consideration when defining
Application Denial Policies:
• “www.corporate.com” – This will block access to the host web server at the
organization “corporate.com”, i.e., the FQDN. It will not block access to any other
hosts such as ftp, ntp, smtp, etc. at the organization “corporate.com”.
• “corporate.com” – This will block access to all hosts at the domain
“corporate.com”, i.e., it will block access to www.corporate.com, ftp.corporate.com,
smtp.corporate.com, etc.
• “corporate” – This will block access to any FQDN containing the text “corporate”
in any part of the FQDN. Take care to use as long a string as possible for
matching, to avoid inadvertently blocking sites that contain a shorter string
match. For example, if the rule is “net”, this will block access to any sites that
have the text “net” in any part of the FQDN or “.net” as the FQDN suffix.
• “*.corporate.com” – This is an invalid rule. Wildcard “*” and other regular
expressions cannot be used in any part of the FQDN.
• “www.corporate.com/games” – This is an invalid rule. The filter cannot parse and
block access on text after the FQDN, i.e., in this example it cannot filter the
micro-site “/games”.
Notes:
• Many global organizations have both a “.com” suffix and country-specific suffixes
such as “.co.uk”, “.fr”, “.au”, etc. To block access to, for example, the host web
server in all region-specific web sites for an organization, a rule like
“www.corporate” could be used.
• Many global organizations use distributed content delivery networks such as
Akamai. In such cases creating a rule such as “www.corporate.com” may not
prevent access to the entire site. Further investigation of the content network
behavior may need to be undertaken to fully prevent access.
When using Port based rules:
• There is no distinction between the TCP and UDP protocols, so care should be
taken if wishing to block a specific application port as that will apply to both IP
protocols and may inadvertently block another application using the other protocol.
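The host name guidelines above can be checked offline before a rule is saved. The following is an added example, not ZoneDirector code: it assumes the filter behaves as a case-insensitive substring match on the FQDN, which is consistent with the guide's examples but is not documented behavior, and all host names are constructed. It rejects the rule forms the guide lists as invalid and reports both hosts a rule fails to block and hosts it blocks unintentionally.

```python
import re

# Letters, digits, hyphen and dot only. Anything else (wildcards, regular
# expression metacharacters) is rejected, as the guidelines describe.
_HOST_TEXT = re.compile(r"[a-z0-9.-]+")


def validate_rule(rule):
    """Return (ok, reason) for a proposed HTTP Domain Name rule."""
    text = rule.strip().lower()
    if not text:
        return False, "empty rule"
    if "/" in text:
        return False, "text after the FQDN cannot be filtered"
    if not _HOST_TEXT.fullmatch(text):
        return False, "wildcards and regular expressions are not allowed"
    return True, "ok"


def is_blocked(rule, fqdn):
    """True if the rule text occurs anywhere in the FQDN (assumed model)."""
    ok, reason = validate_rule(rule)
    if not ok:
        raise ValueError(f"invalid rule {rule!r}: {reason}")
    return rule.strip().lower() in fqdn.strip().lower().rstrip(".")


def audit_rule(rule, must_block, must_allow):
    """Compare a rule against hosts it should and should not block."""
    return {
        "missed": [h for h in must_block if not is_blocked(rule, h)],
        "collateral": [h for h in must_allow if is_blocked(rule, h)],
    }


# Constructed host names for illustration.
SHOULD_BLOCK = ["www.corporate.com", "www.corporate.co.uk"]
SHOULD_ALLOW = ["ftp.corporate.com", "intranet.example.org"]

if __name__ == "__main__":
    for rule in ["www.corporate.com", "www.corporate", "corporate", "net",
                 "*.corporate.com", "www.corporate.com/games"]:
        ok, reason = validate_rule(rule)
        if not ok:
            print(f"{rule!r}: invalid ({reason})")
            continue
        print(f"{rule!r}: {audit_rule(rule, SHOULD_BLOCK, SHOULD_ALLOW)}")
```

Running the audit against a list of host names taken from your own proxy or DNS logs shows the collateral effect of a short rule such as “net” before it reaches a production WLAN.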
To create an Application Denial Policy:
1. Go to Configure > Access Control.
2. Expand the Application Recognition and Filtering section.
3. In Application Denial Policy, click Create New to create a new policy.
4. Enter a Name and optionally a Description for the policy.
5. In Rules, click Create New to create a new rule for this policy.
6. In Application, select HTTP Domain Name or Port.
7. In Description, enter the domain name or port number for the application you
want to block.
8. Click Save to save the rule, and click OK to save the policy.
Figure 91. Blocking an application by HTTP host name
Applying an Application Denial Policy to a WLAN
Once an Application Denial Policy is created, use the following procedure to apply
it to one or more WLANs:
1. Go to Configure > WLANs, and click Edit next to the WLAN you want to
configure.
2. Expand the Advanced Options section, and locate the Application Visibility
section.
3. Ensure that the Enable check box is enabled.
4. Select the policy you created from the Apply Policy Group list.
5. Click OK to save your changes.
Figure 92. Apply an Application Denial Policy to a WLAN
Using an External AAA Server
If you want to authenticate users against an external Authentication, Authorization
and Accounting (AAA) server, you will need to first configure your AAA server, then
point ZoneDirector to the AAA server so that requests will be passed through
ZoneDirector before access is granted. This section describes the tasks that you
need to perform on ZoneDirector to ensure ZoneDirector can communicate with
your AAA server.
NOTE: For specific instructions on AAA server configuration, refer to the
documentation that is supplied with your server.
ZoneDirector supports four types of AAA server:
• Active Directory
• LDAP
• RADIUS / RADIUS Accounting
• TACACS+
A maximum of 32 AAA server entries can be created, regardless of server type.
Active Directory
In Active Directory, objects are organized in a number of levels such as domains,
trees and forests. At the top of the structure is the forest. A forest is a collection of
multiple trees that share a common global catalog, directory schema, logical
structure, and directory configuration. In a multi-domain forest, each domain
contains only those items that belong in that domain. Global Catalog servers provide
a global list of all objects in a forest.
ZoneDirector support for Active Directory authentication includes the ability to query
multiple Domain Controllers using Global Catalog searches. To enable this feature,
you will need to enable Global Catalog support and enter an Admin DN
(distinguished name) and password.
Depending on your network structure, you can configure ZoneDirector to
authenticate users against an Active Directory server in one of two ways:
• Single Domain Active Directory Authentication
• Multi-Domain Active Directory Authentication
Single Domain Active Directory Authentication
To enable Active Directory authentication for a single domain:
1. Go to Configure > AAA Servers, and click Create New under
Authentication/Accounting Servers. The Create New form appears.
2. In Type, select Active Directory.
   • In Encryption, select Enable TLS encryption if you want to encrypt all
   authentication traffic between the client and the Active Directory server. The
   AD server must support TLS1.0/TLS1.1/TLS1.2.
3. Do not enable Global Catalog support.
4. Enter the IP address and Port of the AD server. The default Port number (389,
or 636 if you have enabled TLS encryption) should not be changed unless you
have configured your AD server to use a different port.
5. Enter the Windows Domain Name (e.g., domain.ruckuswireless.com).
6. Click OK.
Figure 93. Enable Active Directory for a single domain
For single domain authentication, admin name and password are not required.
Multi-Domain Active Directory Authentication
For multi-domain AD authentication, an Admin account name and password must
be entered so that ZoneDirector can query the Global Catalog.
To enable Active Directory authentication for multiple domains:
1. Go to Configure > AAA Servers, and click Create New under
Authentication/Accounting Servers. The Create New form appears.
2. In Type, select Active Directory.
   • In Encryption, select Enable TLS encryption if you want to encrypt all
   authentication traffic between the client and the Active Directory server. The
   AD server must support TLS1.0/TLS1.1/TLS1.2.
NOTE: Secure Active Directory requires the import of a root CA for TLS
encryption. The import option is provided on the Configure > Certificate > Advanced
Options page.
3. Select the Global Catalog check box next to Enable Global Catalog support.
4. The default port changes to 3268, and the fields for Admin DN and password
appear. The default port number (3268, or 636 if you have enabled TLS
encryption) should not be changed unless you have configured your AD server
to use a different port.
5. Leave the Windows Domain Name field empty to search all domains in the
forest.
NOTE: Do NOT enter anything in the Windows Domain Name field. If you enter a
Windows Domain Name, the search will be limited to that domain, rather than the
whole forest.
6. Enter an Admin DN (distinguished name) in Active Directory format
(name@xxx.yyy).
7. Enter the admin Password, and re-enter the same password for confirmation.
NOTE: The Admin account need not have write privileges, but must be able to read
and search all users in the database.
8. Click OK to save changes.
9. To test your authentication settings, see Testing Authentication Settings.
Figure 94. Active Directory with Global Catalog enabled
LDAP
In addition to Microsoft Active Directory, ZoneDirector supports several of the most
commonly used LDAP servers, including:
• OpenLDAP
• Apple Open Directory
• Novell eDirectory
• Sun JES (limited support)
To configure an LDAP server for user authentication:
1. Go to Configure > AAA Servers, and click Create New under
Authentication/Accounting Servers. The Create New form appears.
2. In Type, select LDAP.
   • In Encryption, select Enable TLS encryption if you want to encrypt all LDAP
   authentication traffic between the LDAP client and the LDAP server. The
   LDAP server must support TLS1.0/TLS1.1/TLS1.2.
NOTE: Secure LDAP requires the import of a root CA for TLS encryption.
The import option is provided on the Configure > Certificate > Advanced Options
page.
3. Enter the IP address and Port of your LDAP server. The default port (389 for
unencrypted, 636 for encrypted) should not be changed unless you have
configured your LDAP server to use a different port.
4. Enter a Base DN in LDAP format for all user accounts.
5. Format: cn=Users;dc=<Your Domain>,dc=com
6. Enter an Admin DN in LDAP format.
   • Format: cn=Admin;dc=<Your Domain>,dc=com
7. Enter the Admin Password, and reenter to confirm.
8. Enter a Key Attribute to denote users (default: uid).
9. Click OK to save your changes.
10. If you want to filter more specific settings, see Advanced LDAP Filtering.
NOTE: The Admin account need not have write privileges, but must be able to read
and search all users in the database.
Figure 95. Creating a new LDAP server object in ZoneDirector
Advanced LDAP Filtering
A search string in LDAP format conforming to RFC 4515 can be used to limit search
results. For example, objectClass=Person limits the search to those whose
“objectClass” attribute is equal to “Person”.
More complicated examples are shown when you mouse over the “show more”
section, as shown in Figure 96 below.
Figure 96. LDAP search filter syntax examples
Group Extraction
By using the Search Filter, you can extract the groups to which a user belongs, as
categorized in your LDAP server. Using these groups, you can attribute Roles within
ZoneDirector to members of specific groups.
For example, in a school setting, if you want to assign members of the group
“students” to a Student role, you can enter a known student’s name in the Test
Authentication Settings section, click Test, and return the groups that the user
belongs to. If everything is configured correctly, the result will display the groups
associated with the student, which should include a group called “student” (or
whatever was configured on your LDAP server).
Next, go to the Configure > Roles page, create a Role named “Student,” and enter
“student” in the Group Attributes field. Then you can select which WLANs you want
this Role to have access to, and decide whether this Role should have Guest Pass
generation privileges and ZoneDirector administration privileges. From here on, any
user associated to the Group “student” will be given the same privileges when
he/she is authenticated against your LDAP server.
To configure user roles based on LDAP group:
1. Point ZoneDirector to your LDAP server:
   • Go to Configure > AAA Servers
   • Click Edit next to LDAP
   • Enter IP address, Port number, Admin DN and Password
2. Enter the Key Attribute (default: uid).
3. Click OK to save this LDAP server.
4. In Test Authentication Settings, enter the User Name and Password for a known
member of the relevant group.
5. Click Test.
6. Note the Groups associated with this user.
Figure 97. Test authentication settings
7. Go to Configure > Roles, and create a Role based on this User Group (see
Creating New User Roles).
   • Click the Create New link in the Roles section.
   • In the Group Attributes field, enter Group attributes exactly as they were
   returned from the Test Authentication Settings dialog.
   • Specify WLAN access, Guest Pass generation and ZoneDirector
   administration privileges as desired for this Role.
At this point, any user who logs in and is authenticated against your LDAP server
with the same Group credentials will automatically be assigned to this Role.
RADIUS / RADIUS Accounting
Remote Authentication Dial In User Service (RADIUS) user authentication requires
that ZoneDirector know the IP address, port number and Shared Secret of the
RADIUS/RADIUS Accounting server. When an external RADIUS/RADIUS
Accounting server is used for authentication or accounting, user credentials can be
entered as a standard username / password combination, or client devices can be
limited by MAC address. If using MAC address as the authentication method, you
must enter the MAC addresses of each client on the AAA server, and any clients
attempting to access your WLAN with a MAC address not listed will be denied
access.
A RADIUS/RADIUS Accounting server can be used with 802.1X, MAC
authentication, Web authentication (captive portal) and Hotspot WLAN types.
To configure a RADIUS / RADIUS Accounting server entry in ZoneDirector:
1. Go to Configure > AAA Servers.
2. Click the Create New link under Authentication/Accounting Servers.
3. Select Radius or Radius Accounting for the AAA server type.
   • If you want to enable encryption of RADIUS packets using Transport Layer
   Security (TLS), select the TLS check box next to Encryption. This allows
   RADIUS authentication and accounting data to be passed safely across
   insecure networks such as the Internet.
NOTE: Secure RADIUS requires the import of a root CA for TLS
encryption. The RADIUS or RADIUS Accounting server must support
TLS1.1/TLS1.2. The import option is provided on the Configure > Certificate > Advanced
Options page.
4. Choose PAP or CHAP according to the authentication protocol used by your
RADIUS server.
5. Enter the IP Address, Port number and Shared Secret.
6. Click OK to save changes.
Configuring a Backup RADIUS / RADIUS Accounting Server
If a backup RADIUS or RADIUS Accounting server is available, enable the check
box next to Backup RADIUS and additional fields appear. Enter the relevant
information for the backup server and click OK. When you have configured both a
primary and backup RADIUS server, an additional option will be available in the Test
Authentication Settings section to choose to test against the primary or the backup
RADIUS server.
To configure a backup RADIUS / RADIUS Accounting server:
1. Click the check box next to Enable Backup RADIUS support.
2. Enter the IP Address, Port number and Shared Secret for the backup server
(these fields can neither be left empty nor be the same values as those of the
primary server).
3. In Request Timeout, enter the timeout period (in seconds) after which an
expected RADIUS response message is considered to have failed.
4. In Max Number of Retries, enter the number of failed connection attempts
after which ZoneDirector will fail over to the backup RADIUS server.
5. In Max Number of Consecutive Drop Packets, enter a value from 1-10
consecutive dropped packets, after which ZoneDirector will fail over to the
backup RADIUS server.
6. In Reconnect Primary, enter the number of minutes after which ZoneDirector
will attempt to reconnect to the primary RADIUS server after failover to the
backup server.
Figure 98. Enable backup RADIUS server
Figure 99. Test authentication settings against backup RADIUS server
MAC Authentication with an External RADIUS Server
To begin using MAC authentication:
1. Ensure that a RADIUS server is configured in ZoneDirector (Configure > AAA
Servers > RADIUS Server). See Using an External AAA Server.
2. Create a user on the RADIUS server using the MAC address of the client as both
the user name and password. The MAC address format can be configured in
one of the following formats:
   • A single string of characters without punctuation: aabbccddeeff
   • Colon separated: aa:bb:cc:dd:ee:ff
   • Hyphen separated: aa-bb-cc-dd-ee-ff
   • All caps: AABBCCDDEEFF
   • All caps hyphenated: AA-BB-CC-DD-EE-FF
   • All caps colon separated: AA:BB:CC:DD:EE:FF
3. Log in to the ZoneDirector web interface, and go to Configure > WLANs.
4. Click the Edit link next to the WLAN you would like to configure.
5. Under Authentication Options: Method, select MAC Address.
6. Under Authentication Server, select your RADIUS Server.
7. Select the MAC Address Format according to your RADIUS server’s
requirements.
8. Click OK to save your changes.
Figure 100. RADIUS authentication using MAC address
You have completed configuring the WLAN to authenticate users by MAC address
from a RADIUS server.
Using 802.1X EAP + MAC Address Authentication
With the 802.1X EAP + MAC Address authentication method, clients configured
with either “open” or EAP-MD5 authentication methods are both supported on the
same WLAN. The encryption method is limited to “none,” and an external RADIUS
server is required.
NOTE: This option will only work if you have a supplicant that supports this behavior,
and currently no known public domain supplicants support this behavior.
When ZoneDirector authenticates a client, MAC authentication is checked first,
followed by the EAP process. When the client tries to associate, if MAC
authentication succeeds, the client is authorized directly and allowed to pass traffic without
any further EAP authentication required.
If MAC authentication fails, the EAP authentication process begins and the client
must provide a valid EAP account before access is granted.
You can view the actual authentication method used (MAC address or EAP) from
the Monitor > Wireless Clients page.
Figure 101. The Monitor > Wireless Clients page shows the actual authentication method
used for clients in an 802.1X EAP + MAC Address authentication WLAN
Using 802.1X with EAP-MD5
EAP-MD5 differs from other EAP methods in that it only provides authentication of
the EAP peer to the EAP server but not mutual authentication. ZoneDirector
supports 802.1X authentication with EAP-MD5 using either ZoneDirector’s internal
database or an external RADIUS server.
To configure a WLAN for EAP-MD5 authentication:
1. Go to Configure > WLANs and click the Edit link next to the WLAN you would
like to configure.
2. Under Authentication Options: Method, select 802.1X EAP.
3. Under Encryption Options: Method, select None.
4. Under Authentication Server, select either Local Database or a previously
configured RADIUS server from the list.
5. Click OK to save your changes.
RADIUS Attributes
Ruckus products communicate with an external RADIUS server as a RADIUS client.
Packets from Ruckus products are called “access-request” or “accounting-request”
messages. The RADIUS server, in turn, sends an “access-challenge”,
“access-accept” or “access-reject” message in response to an access-request, and an
“accounting-response” message in response to an accounting-request.
RADIUS Attribute Value Pairs (AVP) carry data in both the request and the response
messages. The RADIUS protocol also allows vendor specific attributes (VSA) to
extend the functionality of the protocol. The following tables list the RADIUS
attributes used in these messages between ZoneDirector and the RADIUS/RADIUS
Accounting server based on which type of authentication is used for the WLAN.
Table 102 lists the attributes used in authentication, and Table 18 lists those used
in accounting.
ZoneDirector will terminate a user session if it receives a Change of Authorization-
Disconnect Message (COA-DM) from the RADIUS server. The COA-DM message