Ruckus Zone Director 9.12 (GA) User Guide Rev C 20151222

ZoneDirector 9.12 (GA) User Guide ZoneDirector%209.12%20User%20Guide%20-%20Rev%20C%20-%2020151222

2016-02-05

User Manual: Ruckus ZoneDirector 9.12 (GA) User Guide

Open the PDF directly: View PDF PDF.
Page Count: 465 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Ruckus Wireless
ZoneDirector
Release 9.12 User Guide
Part Number 800-70898-001 Rev C
Published December 2015
www.ruckuswireless.com
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 3
Copyright Notice and Proprietary
Information
Copyright 2015. Ruckus Wireless, Inc. All rights reserved.
No part of this documentation may be used, reproduced, transmitted, or translated, in any form or by any means,
electronic, mechanical, manual, optical, or otherwise, without prior written permission of Ruckus Wireless, Inc.
(“Ruckus”), or as expressly provided by under license from Ruckus.
Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of the United States of America.
Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader’s responsibility to
determine the applicable regulations and to comply with them.
Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL
INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE
MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR
UPDATES TO THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUEN-
TIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY
THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE
OF, THE MATERIAL.
Trademarks
Ruckus Wireless, Ruckus, the bark logo, ZoneFlex, FlexMaster, ZoneDirector, SmartMesh, Channelfly, Smartcell,
Dynamic PSK, and Simply Better Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other
countries. All other product or company names may be trademarks of their respective owners.
4Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 5
Contents
Copyright Notice and Proprietary Information
About This Guide
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Documentation Feedback. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Online Training Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1 Introducing Ruckus Wireless ZoneDirector
Overview of ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
ZoneDirector Physical Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ZoneDirector 1200. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ZoneDirector 3000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
ZoneDirector 5000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Introduction to the Ruckus Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Ensuring That APs Can Communicate with ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . 32
How APs Discover ZoneDirector on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
How to Ensure that APs Can Discover ZoneDirector on the Network . . . . . . . . . . . . . . 34
Firewall Ports that Must be Open for ZoneDirector Communications . . . . . . . . . . . . . . 41
Installing ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Accessing ZoneDirector’s Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Using the ZoneDirector Web Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Navigating the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Using Indicator Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Real Time Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Stopping and Starting Auto Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Registering Your Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2 Configuring System Settings
System Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Changing the System Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Changing the Network Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6Ruckus Wireless, Inc.
Enabling an Additional Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Creating Static Route Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Enabling Smart Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuring ZoneDirector for Smart Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Forcing Failover to the Backup ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Managing Smart Redundancy AP License Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring the Built-in DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Enabling the Built-in DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Viewing DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Controlling ZoneDirector Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Setting the System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Setting the Country Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Channel Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Channel Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Changing the System Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Reviewing the Current Log Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Customizing the Current Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Setting Up Email Alarm Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Customizing Email Alarms that ZoneDirector Sends . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring SMS Settings for Guest Pass Delivery via SMS . . . . . . . . . . . . . . . . . . . . . . 89
Enabling Login Warning Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Enabling Network Management Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Enabling Management via FlexMaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Enabling Northbound Portal Interface Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring SNMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Enabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring DHCP Relay. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Enabling Bonjour Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Creating a Bonjour Gateway Rule - ZD Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Creating a Bonjour Gateway Rule - AP Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Applying a Bonjour Policy to an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Example Network Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring SPoT Location Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3 Configuring Security and Other Services
Configuring Self Healing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Automatically Adjust AP Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Automatic Channel Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 7
Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Band Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Radar Avoidance Pre-Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
AeroScout RFID Tag Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Ekahau Tag Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Active Client Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Packet Inspection Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Wireless Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
DoS Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Intrusion Detection and Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Rogue Access Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Rogue DHCP Server Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Controlling Network Access Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Creating Layer 2/MAC Address Access Control Lists. . . . . . . . . . . . . . . . . . . . . . . . . 138
Creating Layer 3/Layer 4/IP Address Access Control Lists . . . . . . . . . . . . . . . . . . . . . 139
Configuring Device Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring Precedence Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Blocking Client Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring Client Isolation White Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Application Recognition and Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Using an External AAA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
RADIUS / RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
4 Managing a Wireless Local Area Network
Overview of Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
About Ruckus Wireless WLAN Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Creating a WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
General Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
WLAN Usage Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Authentication Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Fast BSS Transition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Encryption Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Creating a Copy of an Existing WLAN for Workgroup Use. . . . . . . . . . . . . . . . . . . . . . . 202
Customizing WLAN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Reviewing the Initial Security Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
8Ruckus Wireless, Inc.
Fine-Tuning the Current Security Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Switching to a Different Security Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using the Built-in EAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Authenticating with an External RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
If You Change the Internal WLAN to WEP or 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . 206
Working with WLAN Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Creating a WLAN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Assigning a WLAN Group to an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Viewing a List of APs That Belong to a WLAN Group . . . . . . . . . . . . . . . . . . . . . . . . . 210
Deploying ZoneDirector WLANs in a VLAN Environment . . . . . . . . . . . . . . . . . . . . . . . . 211
Tagging Management Traffic to a VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
How Dynamic VLAN Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Working with VLAN Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Working with Hotspot Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Creating a Hotspot Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Assigning a WLAN to Provide Hotspot Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Common WISPr Attribute Abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Creating a Hotspot 2.0 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Create a Service Provider Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Working with Dynamic Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Enabling Dynamic Pre-Shared Keys on a WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Setting Dynamic Pre-Shared Key Expiration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Generating Multiple Dynamic PSKs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Creating a Batch Dynamic PSK Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Bypass Apple CNA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
5 Managing Access Points
Adding New Access Points to the Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Connecting the APs to the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Verifying/Approving New APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Working with Access Point Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Modifying the System Default AP Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Creating a New Access Point Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Modifying Access Point Group Membership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Modifying Model Specific Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Configuring AP Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Viewing AP Ethernet Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Reviewing Current Access Point Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Using Limited ZD Discovery for N+1 Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 9
Importing a USB Software Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Managing Access Points Individually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring Hotspot 2.0 Venue Settings for an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Optimizing Access Point Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Assessing Current Performance Using the Map View . . . . . . . . . . . . . . . . . . . . . . . . . 275
Improving AP RF Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Assessing Current Performance Using the Access Point Table. . . . . . . . . . . . . . . . . . 276
Adjusting AP Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Prioritizing WLAN Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
6 Monitoring Your Wireless Network
Reviewing the ZoneDirector Monitoring Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Importing a Map View Floorplan Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Importing the Floorplan Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Placing the Access Point Markers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Using the Map View Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
AP Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Evaluating and Optimizing Network Coverage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Moving the APs into More Efficient Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Reviewing Current Alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Reviewing Recent Network Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Clearing Recent Events/Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Moniting WLAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Reviewing Current User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Viewing Application Usage Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Active Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Inactive Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Events/Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Monitoring Individual Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Monitoring Client Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Monitoring Wired Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Monitoring Access Point Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Using the AP Status Overview Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Monitoring Individual APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
RF Pollution FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Spectrum Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Neighbor APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Access Point Sensor Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
10 Ruckus Wireless, Inc.
Monitoring Mesh Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Detecting Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Monitoring System Ethernet Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Monitoring AAA Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Monitoring Location Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
7 Managing User Access
Enabling Automatic User Activation with Zero-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Clients that Support Zero-IT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Self-Provisioning Clients with Zero-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Self-Provisioning Clients without Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Provisioning Clients that Do Not Support Zero-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Adding New User Accounts to ZoneDirector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Internal User Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Managing Current User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Changing an Existing User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Deleting a User Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Creating New User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Role Based Access Control Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Managing Automatically Generated User Certificates and Keys. . . . . . . . . . . . . . . . . . . 330
Using an External Server for User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Activating Web Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Captive Portal Redirect on Initial Browser HTTPS Request. . . . . . . . . . . . . . . . . . . . . 334
8 Managing Guest Access
Configuring Guest Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Creating a Guest Access Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Using Guest Pass Self-Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Configuring Guest Subnet Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Creating a Guest WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Using the BYOD Onboarding Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Working with Guest Passes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Guest Pass Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Generating and Delivering a Single Guest Pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Generating and Printing Multiple Guest Passes at Once. . . . . . . . . . . . . . . . . . . . . . . 365
Monitoring Generated Guest Passes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Customizing the Guest Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Creating a Custom Guest Pass Printout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Delivering Guest Passes via Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 11
Delivering Guest Passes via SMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
9 Deploying a Smart Mesh Network
Overview of Smart Mesh Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Smart Mesh Networking Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Supported Mesh Topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Standard Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Wireless Bridge Topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Hybrid Mesh Topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Deploying a Wireless Mesh via ZoneDirector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Step 1: Prepare for Wireless Mesh Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Step 2: Enable Mesh Capability on ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Step 3: Provision and Deploy Mesh Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Step 4: Verify That the Wireless Mesh Network Is Up . . . . . . . . . . . . . . . . . . . . . . . . . 384
Understanding Mesh-related AP Statuses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Using the ZoneFlex LEDs to Determine the Mesh Status. . . . . . . . . . . . . . . . . . . . . . . . 387
On Single-band ZoneFlex APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
On Dual-band ZoneFlex APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Using Action Icons to Configure and Troubleshoot APs in a Mesh . . . . . . . . . . . . . . . . 389
Setting Mesh Uplinks Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Troubleshooting Isolated Mesh APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Understanding Isolated Mesh AP Statuses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Recovering an Isolated Mesh AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Best Practices and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
10 Setting Administrator Preferences
Changing the ZoneDirector Administrator User Name and Password . . . . . . . . . . . . . . 398
Setting Administrator Login Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Changing the Web Interface Display Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Upgrading ZoneDirector and ZoneFlex APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Performing an Upgrade with Smart Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Working with Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Backing Up a Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Restoring Archived Settings to ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Restoring ZoneDirector to Default Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Alternate Factory Default Reset Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Working with SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Basic Certificate Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
12 Ruckus Wireless, Inc.
Importing an SSL Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
SSL Certificate Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Using an External Server for Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . 416
Upgrading the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Support Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
11 Troubleshooting
Troubleshooting Failed User Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Fixing User Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
If WLAN Connection Problems Persist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Measuring Wireless Network Throughput with SpeedFlex . . . . . . . . . . . . . . . . . . . . . . . 424
Using SpeedFlex in a Multi-Hop Smart Mesh Network . . . . . . . . . . . . . . . . . . . . . . . . 428
Allowing Users to Measure Their Own Wireless Throughput. . . . . . . . . . . . . . . . . . . . 430
Diagnosing Poor Network Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Starting a Radio Frequency Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Using the Ping and Traceroute Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Generating a Debug File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Viewing Current System and AP Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Packet Capture and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Local Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Streaming Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Importing a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Enabling Remote Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Restarting an Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Restarting ZoneDirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
12 Smart Mesh Networking Best Practices
Choosing the Right AP Model for Your Mesh Network . . . . . . . . . . . . . . . . . . . . . . . . . 444
Calculating the Number of APs Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Placement and Layout Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Signal Quality Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Mounting and Orientation of APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Indoor APs - Typical Case: Horizontal Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Indoor APs - Vertical Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Outdoor APs - Typical Horizontal Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Elevation of RAPs and MAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Best Practice Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Appendix: Zone 2 APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 13
Index
14 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 15
About This Guide
This User Guide describes how to install, configure and manage the Ruckus
Wireless™ ZoneDirector™ version 9.12.
This guide is intended for use by those responsible for managing Ruckus Wireless
network equipment. Consequently, it assumes a basic working knowledge of local
area networking, wireless networking and wireless devices.
NOTE: If release notes are shipped with your product and the information there
differs from the information in this guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe Acrobat Reader Portable
Document Format (PDF) or HTML on the Ruckus Wireless Support website at
https://support.ruckuswireless.com/documents.
NOTE: By downloading this software and subsequently upgrading the
ZoneDirector to version 9.12, please be advised that the ZoneDirector will
periodically connect to Ruckus and Ruckus will collect the ZoneDirector serial
number, software version and build number. Ruckus will transmit a file back to the
ZoneDirector and this will be used to display the current status of the ZoneDirector
Support Contract. Please also be advised that this information may be transferred
and stored outside of your country of residence where data protection standards
may be different.
Document Conventions
16 Ruckus Wireless, Inc.
Document Conventions
Tab l e 1 and Table 2 list the text and notice conventions that are used throughout
this guide.
Table 1. Text conventions
Convention Description Example
monospace Represents information as it
appears on screen
[Device name]>
monospace bold Represents information that
you enter
[Device name]> set
ipaddr 10.0.0.12
default font bold Keyboard keys, software
buttons, and field names
On the Start menu, click All
Programs.
italics Screen or page names Click Advanced Settings.
The Advanced Settings page
appears.
Table 2. Notice conventions
Notice Type Description
Note Information that describes important features or
instructions
Caution Information that alerts you to potential loss of data or
potential damage to an application, system, or device
Warning Information that alerts you to potential personal injury
Related Documentation
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 17
Related Documentation
In addition to this User Guide, each ZoneDirector documentation set includes the
following:
Online Help: Provides instructions for performing tasks using the web interface.
The online help is accessible from the web interface and is searchable.
Release Notes: Provide information about the current software release, including
new features, enhancements, and known issues.
Documentation Feedback
Ruckus Wireless is interested in improving its documentation and welcomes your
comments and suggestions. You can email your comments to Ruckus Wireless at:
docs@ruckuswireless.com
When contacting us, please include the following information:
Document title
Document part number (on the cover page)
Page number (if appropriate)
For example:
ZoneDirector 9.12 User Guide
Part number: 800-70898-001 Revision C
Page 88
Online Training Resources
To access a variety of online Ruckus Wireless training modules, including free
introductory courses to wireless networking essentials, site surveys, and Ruckus
Wireless products, visit the Ruckus Wireless Training Portal at:
https://training.ruckuswireless.com
Online Training Resources
18 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 19
1
Introducing Ruckus Wireless
ZoneDirector
In this chapter:
Overview of ZoneDirector
ZoneDirector Physical Features
Introduction to the Ruckus Wireless Network
Ensuring That APs Can Communicate with ZoneDirector
Installing ZoneDirector
Accessing ZoneDirector’s Command Line Interface
Using the ZoneDirector Web Interface
Registering Your Product
Overview of ZoneDirector
20 Ruckus Wireless, Inc.
Overview of ZoneDirector
Ruckus Wireless ZoneDirector serves as a central control system for Ruckus
ZoneFlex Access Points (APs). ZoneDirector provides simplified configuration and
updates, wireless LAN security control, RF management, and automatic coordina-
tion of Ethernet-connected and mesh-connected APs.
Using ZoneDirector in combination with Ruckus Wireless ZoneFlex APs allows
deployment of a Smart Mesh network, to extend wireless coverage throughout a
location without having to physically connect each AP to Ethernet. In a Smart Mesh
network, the APs form a wireless mesh topology to route client traffic between any
member of the mesh and the wired network. Meshing significantly reduces the cost
and time requirements of deploying an enterprise-class WLAN, in addition to
providing much greater flexibility in AP placement.
ZoneDirector also integrates network monitoring, sophisticated user access
controls, integrated Wi-Fi client performance tools, highly configurable guest access
features and advanced security features within a single system.
User authentication can be accomplished using an internal user database, or
forwarded to an external Authentication, Authorization and Accounting (AAA) server
such as RADIUS or Active Directory. Once users are authenticated, client traffic is
not required to pass through ZoneDirector, thereby eliminating bottlenecks when
higher speed Wi-Fi technologies, such as 802.11ac, are used.
This user guide provides complete instructions for using the Ruckus Wireless web
interface, the wireless network management interface for ZoneDirector. With the
web interface, you can customize and manage all aspects of ZoneDirector and your
ZoneFlex network.
ZoneDirector Physical Features
ZoneDirector 1200
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 21
ZoneDirector Physical Features
Three models of ZoneDirector are currently available:
ZoneDirector 1200
ZoneDirector 3000
ZoneDirector 5000
This section describes the physical features of these ZoneDirector models.
NOTE: ZoneDirector 1100 is discontinued (EOL) as of release 9.12 and cannot be
upgraded to 9.12 or later.
ZoneDirector 1200
This section describes the following physical features of ZoneDirector 1200:
Buttons, Ports, and Connectors
Front Panel LEDs
Figure 1. ZoneDirector 1200
Buttons, Ports, and Connectors
Tab l e 1 describes the buttons, ports and connectors on ZoneDirector 1200.
Table 1. ZoneDirector 1200 front panel elements
ZoneDirector Physical Features
ZoneDirector 1200
22 Ruckus Wireless, Inc.
Front Panel LEDs
Tab l e 2 describes the LEDs on the front panel of ZoneDirector 1200.
Table 2. ZoneDirector 1200 LED descriptions
Label Description
Reset Use the Reset button to restart ZoneDirector.
10/100/1000 Ethernet Two auto negotiating 10/100/1000Mbps Ethernet ports. For
information on what the two Ethernet LEDs indicate, refer to
Table 2.
Console RJ-45 Console port for accessing the ZoneDirector
command line interface.
F/D Factory Default button. To reset ZoneDirector to factory
default settings, press and hold the F/D button for at least five
(5) seconds. For more information, refer to Alternate Factory
Default Reset Method.
WARNING: Resetting ZoneDirector to factory default settings
will erase all configuration changes that you made, except for
AP licenses and SSL certificates.
LED Label State Meaning
Power Solid Green ZoneDirector is receiving power.
Off ZoneDirector is NOT receiving power. If
the power cable or adapter is connected
to a power source, verify that the power
cable is connected properly to the
power jack on the rear panel of
ZoneDirector.
ZoneDirector Physical Features
ZoneDirector 1200
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 23
Status Solid Green Normal state.
Flashing Green ZoneDirector has not yet been
configured. Log into the web interface,
and then configure ZoneDirector using
the setup wizard.
Red ZoneDirector has shut down (but is still
connected to a power source).
Flashing Red ZoneDirector is starting up or shutting
down.
Ethernet Link Solid Green or
Amber
The port is connected to a device.
Flashing Green or
Amber
The port is transmitting or receiving
traffic.
Off The port has no network cable
connected or is not receiving a link
signal.
Ethernet Rate Green The port is connected to a 1000Mbps
device.
Amber The port is connected to a 100Mbps
device.
Off The port is connected to a 10Mbps
device.
LED Label State Meaning
ZoneDirector Physical Features
ZoneDirector 3000
24 Ruckus Wireless, Inc.
ZoneDirector 3000
This section describes the following physical features of ZoneDirector 3000:
Buttons, Ports, and Connectors
Front Panel LEDs
Figure 2. ZoneDirector 3000
Buttons, Ports, and Connectors
Tab l e 3 describes the buttons, ports and connectors on ZoneDirector 3000.
Table 3. ZoneDirector 3000 front panel elements
Label Meaning
Power (Located on the rear panel)
Press this button to power on ZoneDirector.
F/D To reset ZoneDirector to factory default settings,
press the F/D button for at least five (5) seconds.
For more information, refer to Alternate Factory
Default Reset Method.
WARNING: Resetting ZoneDirector to factory
default settings will erase all configuration
changes that you have made, except for AP
licenses and SSL certificates.
ZoneDirector Physical Features
ZoneDirector 3000
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 25
Front Panel LEDs
Tab l e 4 describes the LEDs on the front panel of ZoneDirector 3000.
Table 4. ZoneDirector 3000 LED descriptions
Reset To restart ZoneDirector, press the Reset button
once for less than two seconds.
USB For Ruckus Wireless Support use only
Console RJ-45 port for accessing the ZoneDirector
command line interface.
10/100/1000 Ethernet Two auto negotiating 10/100/1000Mbps
Ethernet ports. For information on what the two
Ethernet LEDs indicate, refer to Table 4.
LED Label State Meaning
Power Green ZoneDirector is receiving power.
Off ZoneDirector is NOT receiving power. If
the power cable or adapter is
connected to a power source, verify
that the power cable is connected
properly to the power jack on the rear
panel of ZoneDirector.
Status Solid Green Normal state.
Flashing Green ZoneDirector has not yet been
configured. Log into the web interface,
and then configure ZoneDirector using
the setup wizard.
Solid Red ZoneDirector has shut down (but is still
connected to a power source).
Flashing Red ZoneDirector is starting up or shutting
down.
Label Meaning
ZoneDirector Physical Features
ZoneDirector 3000
26 Ruckus Wireless, Inc.
Ethernet Link Solid Green or
Amber
The port is connected to a device.
Flashing Green or
Amber
The port is transmitting or receiving
traffic.
Off The port has no network cable
connected or is not receiving a link
signal.
Ethernet Rate Amber The port is connected to a 1000Mbps
device.
Green The port is connected to a 100Mbps
device.
Off The port is connected to a 10Mbps
device.
LED Label State Meaning
ZoneDirector Physical Features
ZoneDirector 5000
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 27
ZoneDirector 5000
This section describes the following physical features of ZoneDirector 5000:
Front Panel Features
Front Panel (Bezel Removed)
Control Panel
Rear Panel Features
Figure 3. ZoneDirector 5000 Front Panel
Front Panel Features
Table 5. ZoneDirector 5000 front panel features
Feature Description
Control Panel See Control Panel description below.
RJ45 Serial Port COM 2 / Serial B port for accessing the ZoneDirector
command line interface.
USB Port Not used.
Front Bezel Lock Remove this bezel lock to remove the front bezel and gain
access to the hard drive bays.
ZoneDirector Physical Features
ZoneDirector 5000
28 Ruckus Wireless, Inc.
Front Panel (Bezel Removed)
Figure 4. ZoneDirector 5000 front panel (bezel removed)
Table 6. ZoneDirector front panel elements
Control Panel
Figure 5. Control panel buttons and indicators
Number Feature
1 ESD ground strap attachment
2 Hard drive bays (not used)
3 Control panel
4 RJ45 serial port for accessing the ZoneDirector command line
interface.
5 USB port (not used).
12345
12 3 4 56
789
10
11 12
ZoneDirector Physical Features
ZoneDirector 5000
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 29
Table 7. ZoneDirector 5000 control panel
Table 8. System status LED definitions
Number Feature
1 Power button
2 System reset button
3 System status LED (see Table 8)
4 Fan status LED
5 Critical alarm (not used)
6 MJR alarm (not used)
7 NMI pin hole button (factory reset button)
8 Chassis ID button
9 NIC 1 / NIC 2 activity LED
10 HDD activity LED (not used)
11 PWR alarm LED (not used)
12 MNR alarm (Amber: system unavailable; OFF: system
available)
LED Status Definition
Off No power supply detected, or two power supplies detected
and system is off
Green On System ready/normal operation, two power supplies
detected
Green Blinking 1. System ready but degraded
2. One power supply connected
3. One fan failure detected
Amber On 1. Critical or non-recoverable condition
2. Power up in progress, only one power source detected
3. More than one fan failure detected
Amber Blinking Non-critical alarm
ZoneDirector Physical Features
ZoneDirector 5000
30 Ruckus Wireless, Inc.
Rear Panel Features
Figure 6. ZoneDirector 5000 rear panel features
Table 9. Rear panel features
Number Feature
1 Alarms cable connector (not used)
2 Two low-profile PCIe add-in cards (not used)
3 Three full-length PCIe add-in cards (not used)
4 Power supply 2 (backup AC power)
5 Power supply 1 (primary AC power)
6 RJ45 serial port (COM2/serial B)
7 Video connector (not used)
8 USB 0 and 1 (#1 on top)
9 USB 2 and 3 (#3 on top)
10 GbE NIC #1 connector
11 GbE NIC #2 connector
12 Two ground studs (used for DC-input system)
1345
679
2
810 11 12
ZoneDirector Physical Features
ZoneDirector 5000
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 31
Table 10. NIC status LEDs
LED Color LED State NIC State
Green/Amber (Left) Off 10Mbps
Green 100Mbps
Amber 1000Mbps
Green (Right) On Active connection
Blinking Transmit / Receive activity
Introduction to the Ruckus Wireless Network
ZoneDirector 5000
32 Ruckus Wireless, Inc.
Introduction to the Ruckus Wireless Network
Your new Ruckus Wireless network starts when you disperse a number of Ruckus
Wireless access points (APs) to efficiently cover your worksite. After connecting the
APs to ZoneDirector (through network hubs or switches), running through the Setup
Wizard and completing the “Zero-IT” setup, you have a secure wireless network for
both registered users and guest users.
NOTE: “Zero-IT” refers to ZoneDirector’s simple setup and ease-of-use features,
which allow end users to automatically self-configure wireless settings on Windows
and Mac OS clients as well as many mobile devices including iOS, Windows Phone
and Android OS devices.
After using the web interface to set up user accounts for staff and other authorized
users, your WLAN can be put to full use, enabling users to share files, print, check
email, and more. And as a bonus, guest workers, contractors and visitors can be
granted limited controlled access to a separate “Guest WLAN” with minimal setup.
You can now fine-tune and monitor your network through the web interface, which
enables you to customize additional WLANs for authorized users, manage your
users, monitor the network's security and performance, and expand your radio
coverage, if needed.
Ensuring That APs Can Communicate with
ZoneDirector
Before ZoneDirector can start managing an AP, the AP must first be able to discover
ZoneDirector on the network when it boots up. This requires that ZoneDirector's IP
address be reachable by the AP (via UDP/IP port numbers 12222 and 12223), even
when they are on different subnets.
This section describes procedures you can perform to ensure that APs can discover
and register with ZoneDirector.
NOTE: This guide assumes that APs on the network are configured to obtain IP
addresses from a DHCP server. If APs are assigned static IP addresses, they must
be using a local DNS server that you can configure to resolve the ZoneDirector IP
address using zonedirector.{DNS domain name} or zonedirector if no
domain name is defined on the DNS server.
Ensuring That APs Can Communicate with ZoneDirector
How APs Discover ZoneDirector on the Network
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 33
How APs Discover ZoneDirector on the Network
1When an AP starts up, it sends out a DHCP discovery packet to obtain an IP
address.
2The DHCP server responds to the AP with the allocated IP address. If you
configured DHCP Option 43 (see Option 2: Customize Your DHCP Server), the
DHCP offer response will also include (among others) the IP addresses of
ZoneDirector devices on the network along with the address of the DNS server
that can help resolve the ZoneDirector IP addresses.
3After the AP obtains an IP address, it first attempts to contact a ZoneDirector
whose IP address has been pre-configured on the AP. If an AP has a pre-
configured ZoneDirector IP address, it will always use an L3 LWAPP (lightweight
access point protocol) discovery message to attempt to discover the pre-
configured primary/secondary ZoneDirector.
An AP with a pre-configured ZoneDirector IP address will only attempt to
discover the pre-configured ZoneDirector(s) and will skip the DHCP/DNS/last
joined ZoneDirector steps. If it is unable to contact its pre-configured Zone-
Director, it will enter “sulk” state, and will remain in an idle/discover/sulk loop
until it receives a response from a pre-configured primary or secondary
ZoneDirector.
4If a primary/secondary ZoneDirector IP address has not been configured on the
AP, the AP next attempts to build a list of candidate ZoneDirectors by sending
an L3 discovery request (IPv4 subnet broadcast/IPv6 multicast packet) to each
candidate address received from DHCP and DNS at the same time, and waits
for a response from any ZoneDirector that can respond.
The AP may receive multiple responses from DHCP and DNS if multiple
ZoneDirector IP addresses have been configured on the DHCP server or DNS
server.
5If the AP receives a response from a single ZoneDirector device, it will attempt
to register with that ZoneDirector device.
6If the AP receives responses from multiple ZoneDirector devices, it will attempt
to register with the ZoneDirector that it previously registered with (if any).
This ZoneDirector can be on the same local IP subnet or a different subnet.
The AP will have a preference for a ZoneDirector device that it previously
registered with (over a locally connected ZoneDirector).
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
34 Ruckus Wireless, Inc.
7If this is the first time that the AP is registering with ZoneDirector, it will attempt
to register with the ZoneDirector device that has the lowest AP load. The AP
computes the load by subtracting the current number of APs registered with
ZoneDirector from the maximum number of APs that ZoneDirector is licensed
to support.
If the AP does not receive a response from any ZoneDirector device on the network,
it goes into idle mode. After a short period of time, the AP will attempt to discover
ZoneDirector again by repeating the same discovery cycle. The AP will continue to
repeat this cycle until it successfully registers with a ZoneDirector.
How to Ensure that APs Can Discover ZoneDirector on
the Network
If you are deploying the APs and ZoneDirector on different subnets, you have three
options for ensuring successful communication between these two devices:
Option 1: Perform Auto Discovery on Same Subnet, then Transfer the AP to
Intended Subnet
Option 2: Customize Your DHCP Server
Option 3: Register ZoneDirector with a DNS Server
NOTE: If the AP and ZoneDirector Are on the Same Subnet
If you are deploying the AP and ZoneDirector on the same subnet, you do not need
to perform additional configuration. Simply connect the AP to the same network as
ZoneDirector. When the AP starts up, it will discover and attempt to register with
ZoneDirector. Approve the registration request (if auto approval is disabled).
Option 1: Perform Auto Discovery on Same Subnet, then
Transfer the AP to Intended Subnet
If you are deploying the AP and ZoneDirector on different subnets, let the AP perform
auto discovery on the same subnet as ZoneDirector before moving the AP to another
subnet. To do this, connect the AP to the same network as ZoneDirector. When
the AP starts up, it will discover and attempt to register with ZoneDirector. Approve
the registration request if auto approval is disabled.
After the AP registers with ZoneDirector successfully, transfer it to its intended
subnet. It will be able to find and communicate with ZoneDirector once you
reconnect it to the other subnet.
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 35
NOTE: If you use this method, make sure that you do not change the IP address
of ZoneDirector after the AP discovers and registers with it. If you change the
ZoneDirector IP address, the AP will no longer be able to communicate with it and
will be unable to rediscover it.
Option 2: Customize Your DHCP Server
NOTE: The following procedure describes how to customize a DHCP server
running on Microsoft Windows. If your DHCP server is running on a different
operating system, the procedure may be different.
Configuring the DHCP Server for ZoneDirector-AP Communication
To customize your DHCP server, you need to configure DHCP Option 43 (043
Vendor Specific Info) with the IP address of the ZoneDirector device on the network.
When an AP requests an IP address, the DHCP server will send a list of ZoneDirector
IP addresses to the AP. If there are multiple ZoneDirector devices on the network,
the AP will automatically select a ZoneDirector to register with from this list of IP
addresses.
RFC 2132 describes DHCP Option 60 and Option 43. DHCP Option 60 is the Vendor
Class Identifier (VCI). The VCI is a text string that identifies a vendor/type of a DHCP
client. All Ruckus Wireless Access Points are configured to send “Ruckus CPE” as
the Vendor Class Identifier in option 60, and expect ZoneDirector IP information to
be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option
code 03 (the sub-option code for ZoneDirector).
The RFC describes how vendors can encapsulate vendor-specific sub-option codes
(ranging from 0 to 255). Sub-options are embedded in option 43 as TLV (type, length,
value) blocks.
Ruckus Wireless Access points support non-TLV format option 43 values with
comma separated IP address strings for discovering ZoneDirectors, and also TLV
based option 43 encapsulation as specified in RFC 2132.
For ZoneDirector information (sub-option code 03)
Type : 0x03
Length: Count of the characters in the ASCII string. (Length must include the
commas if there is more than one ZoneDirector specified.)
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
36 Ruckus Wireless, Inc.
Value: A non-null terminated ASCII string that is a comma-separated list of
ZoneDirector IP addresses.
For example: If the there are two ZoneDirectors with IP addresses 192.168.0.10
and 192,168.0.20, then the value will be “192.168.0.10,192.168.0.20
and the length is 25 (hex value 0x19).
For FlexMaster information (sub-option code 01)
Type : 0x01
Length: Count the number of characters in the ASCII string. (Length must
include “http”, plus all colons, slashes and decimals in the complete URL.)
Value: A non-null terminated ASCII string that is a URL.
For example: If the Flex Master URL is http://192.168.10.1/intune/
server, the length is 33 (hex value 0x21).
You will need this information when you configure DHCP Option 43 for both
FlexMaster and ZoneDirector. To calculate the length field conversion from decimal
to hexadecimal, you can use an online conversion website, such as http://
www.easycalculation.com/decimal-converter.php, to perform the conversion.
The table below lists the sub-option code, FlexMaster URL and ZoneDirector IP
address that are used as examples in this procedure, along with their lengths in
decimal and hexadecimal values.
Most commonly used DHCP servers such as Microsoft DHCP and ISC DHCP
servers support vendor class DHCP option spaces and mapping of those option
spaces to option 60. While you can achieve encapsulating TLVs in option 43 by hard
coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class
option spaces - especially when you have more than one vendor type on the network
and need “option 43” to be supported for different vendor type DHCP clients.
The following example describes how you can encapsulate option 43 using DHCP
vendor class option spaces to provide two ZoneDirector IP addresses:
192.168.0.10 and 192.168.0.20.
URL / IP Address Decimal
Length
Hexadecimal
Length
Sub-option
Code
FlexMaster http://192.168.10.1/
intune/server (URL)
33 21 01
ZoneDirector 192.168.10.2 (IP Address) 12 0C 03
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 37
Configure Vendor Class Identifier and Vendor Specific Info sub-options on
Microsoft DHCP server
Configure vendor class for Ruckus Wireless Access Points:
1In the Server Manager window, right-click the IPv4 icon, and choose Define
Vendor Classes from the menu.
2In the DHCP Vendor Classes dialogue, click Add to create a new vendor class.
3Enter the value to describe the option class/space, (e.g., RuckusWirelessAP).
Optionally, you can also enter a description.
4Add the VCI string in the ASCII field and click OK. The new vendor class is
created and appears in the DHCP Vendor Class dialogue list. Click Close to
close the dialogue.
5Right-click the newly created vendor class and select Set Predefined
Options...
6Predefine the ZoneDirector sub-option type for the newly created vendor class.
This section defines the code and format of the sub-option (code 03 for
ZoneDirector and comma separated IP addresses in ASCII text string).
7Configure the option with a value either at the server level, scope level or at
Reservation, just like any other DHCP option, using Configure Options >
Advanced.
NOTE: You can also optionally configure DHCP Option 12 (Host Name) to specify
host names for APs. Then, when an AP joins ZoneDirector and ZoneDirector does
not already have a device name for this AP, it will take the host name from DHCP
and display this name in events, logs and other web interface elements. See your
DHCP server documentation for instructions on Option 12 configuration.
Option 3: Register ZoneDirector with a DNS Server
If you register ZoneDirector with your DNS server, supported APs that request IP
addresses from your DHCP server will also obtain DNS related information that will
enable them to discover ZoneDirector devices on the network. Using the DNS
information they obtained during the DHCP request, APs will attempt to resolve the
ZoneDirector IP address (or IP addresses) using zonedirector.{DNS domain
name}.
To register ZoneDirector devices with DNS server:
Step 1: Set the DNS Domain Name on the DHCP Server
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
38 Ruckus Wireless, Inc.
Step 2: Set the DNS Server IP Address on the DHCP Server
Step 3: Register the ZoneDirector IP Addresses with a DNS Server
NOTE: The following procedures describe how to customize a DHCP server
running on Microsoft Windows Server. If your DHCP server is running on a different
operating system, the procedure may be different.
Step 1: Set the DNS Domain Name on the DHCP Server
1From Windows Administrative Tools, open DHCP, and then select the DHCP
server that you want to configure.
2If the Scope folder is collapsed, click the plus (+) sign to expand it.
3Right-click Scope Options, and then click Configure Options. The General
tab of the Scope Options dialog box appears.
4Under Available Options, look for the 15 DNS Domain Name check box, and
then select it.
5In the String value text box under Data Entry, type your company’s domain
name.
6Click Apply to save your changes.
7Click OK to close the Scope Options dialog box.
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 39
Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain
name in String value
Step 2: Set the DNS Server IP Address on the DHCP Server
1From Windows Administrative Tools, open DHCP, and then select the DHCP
server you want to configure.
2If the Scope folder is collapsed, click the plus (+) sign to expand it.
3Right-click Scope Options, and then click Configure Options. The General
tab of the Scope Options dialog box appears.
4Under Available Options, look for the 6 DNS Servers check box, and then
select it.
5In the IP address box under Data Entry, type your DNS servers IP address, and
then click Add. If you have multiple DNS servers on the network, repeat the
same procedure to add the other DNS servers.
6Click Apply to save your changes.
7Click OK to close the Scope Options dialog box.
Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
40 Ruckus Wireless, Inc.
Figure 8. Select the 006 DNS Servers check box, and then type your DNS server’s IP address
in the Data entry section
Step 3: Register the ZoneDirector IP Addresses with a DNS Server
After you complete configuring the DHCP server with DNS related information, you
need to register the IP addresses of ZoneDirector devices on the network with your
DNS server. The procedure for this task depends on the DNS server software that
you are using.
Information on configuring the built-in DNS server on Windows is available at
http://support.microsoft.com/kb/814591.
NOTE: If your DNS server prompts you for the corresponding host name for each
ZoneDirector IP address, you MUST enter zonedirector. This is critical to
ensuring that the APs can resolve the ZoneDirector IP address.
Ensuring That APs Can Communicate with ZoneDirector
Firewall Ports that Must be Open for ZoneDirector Communications
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 41
After you register the ZoneDirector IP addresses with your DNS server, you have
completed this procedure. APs on the network should now be able to discover
ZoneDirector on another subnet.
Firewall Ports that Must be Open for ZoneDirector
Communications
Depending on how your network is designed, you may need to open ports on any
firewalls located between ZoneDirector, FlexMaster or the access points. The
following table lists the ports that need to be open for different types of communi-
cations.
Table 11. Firewall ports that must be open for ZoneDirector communications
NAT Considerations
Beginning with version 9.2, ZoneDirector can be deployed in a private network
behind a NAT (Network Address Translation) device. When ZoneDirector is
deployed on an isolated private network where NAT is used, administrators can
Communication Ports
ZoneDirector Web UI access TCP destination ports 80 and 443 (HTTP and
HTTPS)
AP > ZoneDirector LWAPP UDP destination ports 12222 and 12223
AP > ZoneDirector SpeedFlex UDP port 18301
AP > ZoneDirector (AP)
firmware upgrade
TCP port 21 (the firewall must be stateful for PASV
FTP transfers)
AP > ZoneDirector application
statistics reporting
TCP port 21 (FTP)
TCP port: Random port higher than 1024
ZoneDirector > ZoneDirector
Smart Redundancy
TCP destination port 443 and port 33003
ZoneDirector > FlexMaster
registration/inform/firmware
upgrade
TCP destination port 443
FlexMaster > ZoneDirector
management interface
TCP destination port as specified in FM Inventory
'Device Web Port Number Mapping'
ZoneDirector CLI access TCP destination port 22 (SSH)
TACACS+ server < >
ZoneDirector
TCP destination port 49 (TACACS+) (default)
Ensuring That APs Can Communicate with ZoneDirector
Firewall Ports that Must be Open for ZoneDirector Communications
42 Ruckus Wireless, Inc.
manually configure a port-mapping table on the NAT device to allow remote access
into ZoneDirector. This allows APs to establish an LWAPP connection with Zone-
Director, as well as allowing remote HTTPS and SSH management access to
ZoneDirector. Tab l e 11 lists the ports that must be open for trans-NAT communi-
cations.
Specifically, the following ports must be mapped to ZoneDirector’s private IP
address on the NAT device’s port mapping table: ports 21, 22, 80, 443, 12222,
12223.
Note that there are some limitations with this configuration, including:
SpeedFlex performance test tool will not work (ZoneDirector needs to know the
IP addresses of the APs).
Deploying two ZoneDirectors behind the same NAT in a Smart Redundancy
configuration requires creation of two port forwarding rules (one for each
ZoneDirector physical IP address), and that the APs are configured with both
ZoneDirectors’ public IP addresses as primary and secondary ZD IPs.
An active ZoneDirector behind NAT will be unable to perform upgrades to the
standby ZoneDirector on the other side of the NAT device.
Installing ZoneDirector
Firewall Ports that Must be Open for ZoneDirector Communications
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 43
Installing ZoneDirector
Basic installation instructions are included in the Quick Start Guide that shipped with
your ZoneDirector. The steps are summarized below:
1Connect and discover ZoneDirector using UPnP (Universal Plug and Play).
On Windows 7 and Windows 8, you may need to Turn on network
discovery in the Network and Sharing Center > Advanced Sharing Settings.
2Double-click the ZoneDirector icon when UPnP displays it, or
3Point your web browser to ZoneDirector’s IP address (default: 192.168.0.2).
4Run the Setup Wizard to create an internal and (optionally) a guest WLAN.
5Distribute APs around your worksite, connect them to power and to your LAN.
6Begin using your ZoneFlex network.
Figure 9. Discover ZoneDirector using UPnP
Accessing ZoneDirector’s Command Line Interface
Firewall Ports that Must be Open for ZoneDirector Communications
44 Ruckus Wireless, Inc.
Figure 10. ZoneDirector Setup Wizard
Accessing ZoneDirector’s Command Line
Interface
In general, this User Guide provides instructions for managing ZoneDirector and
your ZoneFlex network using the ZoneDirector web interface. You can also perform
many management and configuration tasks using the ZoneDirector Command Line
Interface (CLI) by connecting directly to the Console port or an Ethernet port.
To access the ZoneDirector CLI:
1Connect an admin PC to the ZoneDirector Console port or any of the LAN ports
(using either a DB-9 serial cable for the console port or an Ethernet cable for
LAN ports).
2Launch a terminal program, such as Hyperterminal, PuTTy, etc.
3Enter the following connection settings:
Bits per second: 115200
Data bits: 8
•Parity: None
Accessing ZoneDirector’s Command Line Interface
Firewall Ports that Must be Open for ZoneDirector Communications
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 45
Stop bits: 1
Flow control: None
Figure 11. Configure a terminal client
4Click OK or Open to connect (depending on your terminal client).
5At the Please Login prompt, enter the admin login name (default: admin) and
password (default: admin).
You are now logged into ZoneDirector with limited privileges. As a user with limited
privileges, you can view a history of previously executed commands and ping a
device. If you want to run more commands, you can switch to privileged mode by
entering enable at the root prompt.
To view a list of commands that are available at the root level, enter help or ?.
For more information on using the CLI, see the Ruckus Wireless ZoneDirector
Command Line Interface Reference Guide, available from http://support.ruck-
uswireless.com/.
Using the ZoneDirector Web Interface
Firewall Ports that Must be Open for ZoneDirector Communications
46 Ruckus Wireless, Inc.
Using the ZoneDirector Web Interface
The ZoneDirector web interface consists of several interactive components that you
can use to manage and monitor your Ruckus Wireless WLANs (including ZoneDi-
rector and all APs).
Dashboard When you first log into your ZoneDirector using the web interface,
the Dashboard appears, displaying a number of widgets containing
indicators and tables that summarize the network and its current
status. Each indicator, gauge or table provides links to more
focused, detailed views on elements of the network.
TIP: You can minimize (hide) any of the tables or indicators on the
Dashboard, then reopen them by means of the Add Widget options
in the lower left corner.
Widgets Widgets are Dashboard components, each containing a separate
indicator or table as part of the active dashboard. Each widget can
be added or removed to enhance your ZoneDirector Dashboard
summary needs.
Tabs Click any of the four tabs (Dashboard, Configure, Monitor, and
Administer) to take advantage of related sets of features and
options. When you click a tab, ZoneDirector displays a collection
of tab-specific buttons. Each tab's buttons are a starting point for
Ruckus Wireless network setup, management, and monitoring.
Buttons The left-side column of buttons varies according to which tab has
been clicked. The buttons provide features that assist you in
managing and monitoring your network. Click a button to see
related options in the workspace to the right.
Workspace The large area to the right of the buttons will display specific sets
of features and options, depending on which tab is open and which
button was clicked.
Toolbox The drop-down menu at the top right corner provides access to
the Real Time Monitoring, Auto-Refresh and Network Connectivity
tools, used for diagnosing and monitoring your ZoneFlex network.
It also provides a tool to stop and start automatically refreshing the
web interface pages.
Help and Log
Out
Clicking Help launches the online Help - which is an HTML-based
subset of the information contained in this User Guide. Click Log
Out to exit the web interface.
Using the ZoneDirector Web Interface
Navigating the Dashboard
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 47
Navigating the Dashboard
The Dashboard offers a number of self-contained indicators and tables that summa-
rize the network and its current status. Some indicators have fields that link to more
focused, detailed views on elements of the network.
Figure 12. The Dashboard
NOTE: Some indicators may not be present upon initial view. The Add Widgets
feature, located at the bottom left area of the screen, enables you to show or hide
indicators. See Using Indicator Widgets.
NOTE: You can sort the information (in ascending or descending order) that
appears on the dashboard by clicking the column headers. Some widgets (such as
Currently Managed APs) can also be customized to hide columns so that the tables
do not run off the page. Click the Edit Columns button to customize the widget
according to your preferences.
Using Indicator Widgets
Dashboard widgets represent the indicators displayed as part of the active dash-
board. Indicator widgets can be added or removed to enhance your ZoneDirector
summary needs.
Using the ZoneDirector Web Interface
Using Indicator Widgets
48 Ruckus Wireless, Inc.
The following indicators are provided:
System Overview: Shows ZoneDirector system information including its IP
address, MAC address, model number, maximum number of licensed APs, serial
number, software version number, and others.
Devices Overview: Shows the number of APs being managed by ZoneDirector,
the number of authorized clients, and the total number of clients connected to
the managed APs (authorized and unauthorized). It also shows the number of
rogue devices that have been detected by ZoneDirector.
Usage Summary: Shows usage statistics for the last hour and the last 24 hours.
Mesh Topology: Shows the mesh status and topology of all APs connected via
mesh uplinks or downlinks.
Most Active Client Devices: Identifies the most active clients by MAC address,
IP address, and user name. Bandwidth usage is calculated in megabytes (MB)
and is based on the total number of bytes sent (Tx) and received (Rx) by each
client from the time it associated with the managed AP.
Most Recent User Activities: Shows activities performed by users on client
machines.
Most Recent System Activities: Shows system activities related to ZoneDirector
operation.
Most Frequently Used Access Points: Lists the access points that are serving
the most client requests.
Currently Active WLANs: Shows details of currently active WLANs.
Currently Active WLAN Groups: Shows details of available WLAN groups. If you
have not created any WLAN groups, only the Default WLAN group appears.
Currently Managed APs: Shows details of access points that ZoneDirector is
currently managing.
Currently Managed AP Groups: Shows details of the System Default and user-
defined AP groups. Click the + button next to an AP group to expand the group
to display all members of the AP group.
Support: Shows contact information for Ruckus Wireless support, product
registration and support account activation.
Smart Redundancy: Displays the status of primary and backup ZoneDirector
devices, if configured.
AP Activities: Shows a list of recent log events from APs.
Using the ZoneDirector Web Interface
Using Indicator Widgets
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 49
Client Device Type: Displays a pie chart of currently connected client devices by
OS type as a percentage of the total.
Top 10 Applications by Usage: Lists the top 10 applications, their total usage in
KB and percent of the total.
Top 10 APs by Usage: Lists the top 10 APs, their total usage in KB and percent
of the total.
Top 10 Clients by Usage: Lists the top 10 clients, their total usage in KB and
percent of the total.
Top 10 SSIDs by Usage: Lists the top 10 SSIDs, their total usage in KB and
percent of the total.
• Applications: Displays a pie chart of the top applications as a percent of the total
traffic volume.
LBS Venue Info: Displays status of Location Based Services (SPoT) venues
configured for this ZoneDirector.
Adding a Widget
To add a widget:
1Go to the Dashboard.
2Click the Add Widgets link located at the bottom left corner of the Dashboard
page.
Using the ZoneDirector Web Interface
Using Indicator Widgets
50 Ruckus Wireless, Inc.
Figure 13. The Add Widgets link is at the bottom-left corner of the Dashboard
The Widgets pane opens at the upper-left corner of the Dashboard.
3Select any widget icon and drag and drop it onto the Dashboard to add the
widget. If you have closed a widget, it appears in this pane.
Figure 14. The widget icons appear at the top-left corner of the Dashboard
The Add
Widgets
Link
Using the ZoneDirector Web Interface
Real Time Monitoring
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 51
4Click Finish in the Widgets pane to close it.
Removing a Widget
To remove a widget from the Dashboard, click the icon for any of the widgets
currently open on the Dashboard. The Dashboard refreshes and the widget that you
removed disappears from the page.
Figure 15. To remove a widget, click the corresponding red X icon
Real Time Monitoring
The Real Time Monitoring tool provides a convenient at-a-glance overview of
performance statistics such as CPU and memory utilization, number of APs and
clients on the network, and number of packets transmitted.
To view the Real Time Monitoring page, locate the Too lbox link at the top of the
page and select Real Time Monitoring from the pull-down menu. You can also
access the Real Time Monitoring page from the Monitor > Real Time Monitoring
tab.
Using the ZoneDirector Web Interface
Real Time Monitoring
52 Ruckus Wireless, Inc.
Figure 16. Select Real Time Monitoring from the Toolbox
Like the Dashboard, you can drag and drop Widgets onto the Real Time Monitoring
page to customize the information you want to see.
Figure 17. The Real Time Monitoring screen
Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and
click Start Monitoring to begin.
Using the ZoneDirector Web Interface
Stopping and Starting Auto Refresh
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 53
Real Time Monitoring Widgets
CPU Util: Displays the % utilization of ZoneDirector’s CPU.
Memory Util: Displays the % utilization of ZoneDirector’s memory.
# of APs: Displays the number of APs being managed by ZoneDirector.
# of Client Devices: Displays the number of client devices associated to APs
being managed by ZoneDirector.
Bytes Received: Total bytes received by all APs being managed by ZoneDirector.
Bytes Transmitted: Total bytes received by all APs being managed by ZoneDi-
rector.
Packets Received: Total packets received by all APs being managed by Zone-
Director.
Packets Transmitted: Total packets transmitted by all APs being managed by
ZoneDirector.
Stopping and Starting Auto Refresh
By default, ZoneDirector web interface pages automatically refresh themselves
periodically depending on activity. You can pause auto-refresh on any page in the
web interface from the Toolbox. After clicking Stop Auto Refresh, ZoneDirector
pauses automatic updating of all widgets on the current page and the refresh icons
on the widgets are disabled (greyed out). To restart auto refresh, click Start Auto
Refresh from the Toolbox.
Figure 18. Stopping and starting automatic page refreshing
Registering Your Product
Stopping and Starting Auto Refresh
54 Ruckus Wireless, Inc.
Figure 19. The Refresh icon on all widgets is disabled when auto refresh is stopped
Registering Your Product
NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to
receive updates and important notifications, and to make it easier to receive support
in case you need to contact Ruckus for customer assistance. You can register your
ZoneDirector along with all of your APs in one step using ZoneDirector’s Registration
form.
NOTE: To ensure that all registration information for all of your APs is included, be
sure to register after all APs have been installed. If you register ZoneDirector before
installing the APs, the registration will not include AP information.
To register your ZoneDirector:
1Click the Product Registration link in the Support widget on the Dashboard, or
2Go to Administer > Registration.
3Enter your contact information on the Registration page, and click Apply.
4The information is sent to a CSV file that opens in a spreadsheet program (if you
have one installed). This file includes the serial numbers and MAC addresses of
your ZoneDirector and all known APs, and your contact information.
5Save the CSV file to a convenient location on your local computer.
6Click the link on the Registration page to upload the CSV file (https://
support.ruckuswireless.com/register). If you do not already have a Support
account login, first click the https://support.ruckuswireless.com/
get_access_now link to create a support account, and then click the register link
to upload the CSV file to Ruckus Support.
Registering Your Product
Stopping and Starting Auto Refresh
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 55
Figure 20. Support Widget on the Dashboard
Figure 21. The Product Registration page
Your ZoneDirector is now registered with Ruckus Wireless.
Registering Your Product
Stopping and Starting Auto Refresh
56 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 57
2
Configuring System Settings
In this chapter:
System Configuration Overview
Changing the Network Addressing
Creating Static Route Entries
Enabling Smart Redundancy
Configuring the Built-in DHCP Server
Controlling ZoneDirector Management Access
Setting the System Time
Setting the Country Code
Changing the System Log Settings
Setting Up Email Alarm Notifications
Configuring SMS Settings for Guest Pass Delivery via SMS
Enabling Login Warning Messages
Enabling Network Management Systems
Configuring DHCP Relay
Enabling Bonjour Gateway
Configuring SPoT Location Services
System Configuration Overview
Changing the System Name
58 Ruckus Wireless, Inc.
System Configuration Overview
The majority of ZoneDirector’s general system settings can be accessed from the
Configure > System page in the web interface. A basic set of parameters is
configured during the Setup Wizard process. These parameters and others can be
customized on this page.
NOTE: When making any changes in the web interface, you must click Apply before
you navigate away from the page or your changes will not be saved.
Changing the System Name
When you first worked through the Setup Wizard, you were prompted for a network-
recognizable system name for ZoneDirector. If needed, you can change that name
by following these steps:
1Go to Configure > System.
2In System Name (under Identity), delete the text, and then type a new name.
The name should be between 1 and 32 characters in length, using letters,
numbers, underscores (_) and hyphens (-). Do not use spaces or other special
characters. Do not start with a hyphen (-) or underscore (_). System names are
case sensitive.
3Click Apply to save your settings. The change goes into effect immediately.
Changing the Network Addressing
Changing the System Name
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 59
Figure 22. The Identity section on the Configure > System page
Changing the Network Addressing
If you need to update the IP address and DNS server settings of ZoneDirector, follow
the steps outlined below.
CAUTION! As soon as the IP address has been changed (applied), you will be
disconnected from your web interface connection to ZoneDirector. You can log into
the web interface again by using the new IP address in your web browser.
1Go to Configure > System.
2Review the Device IP Settings options.
Changing the Network Addressing
IPv6 Configuration
60 Ruckus Wireless, Inc.
Figure 23. The Device IP options
3Select one of the following:
Enable IPv6 Support: By default, ZoneDirector operates in IPv4 mode. If your
network uses IPv6, select Enable IPv6 Support and enter configuration
settings for either IPv6 only or dual IPv4/IPv6 support. See IPv6 Configuration
below for more information.
Manual: If you select Manual, enter the correct information in the now-active
fields (IP Address, Netmask, and Gateway are required).
DHCP: If you select DHCP, no further information is required.
4Click Apply to save your settings. You will lose connection to ZoneDirector.
5To log back into the web interface, use the newly assigned IP address in your
web browser or use the UPnP application to rediscover ZoneDirector.
IPv6 Configuration
ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and
IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs
operate in dual IPv4/v6 mode by default, so you do not need to manually set the
mode for each AP.
Changing the Network Addressing
IPv6 Configuration
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 61
If you enable IPv6, you have the option to manually configure an IP address in IPv6
format (128 bits separated by colons instead of decimals) or to choose Auto
Configuration. If you choose Manual, you will need to enter IP Address, Prefix
Length and Gateway.
DNS Address can be configured manually or obtained automatically by the DHCPv6
client.
NOTE: If you switch from IPv4 to IPv6, you will need to manually change a number
of settings that may have previously been configured, such as Access Control Lists
(ACLs), AAA server addresses, Syslog server, SNMP trap receiver, etc.
When IPv6 is enabled, the other fields where IP addresses are entered (such as
Additional Management Interface) automatically change to allow entry of IPv6 format
addresses, as shown in Figure 24.
Note that some features are not supported when in IPv6 mode. Specifically, internal
DHCP server, LAN rogue AP detection, DHCPv6 vendor specific options, Aeroscout
RFID tag detection, SSL certificate generation, UPnP, remote access to ZD, and
L2TP and WISPr in standalone APs are not supported when in IPv6 mode.
Table 12. Default static IPv4 and IPv6 addresses
AP default IP address ZoneDirector default IP address
IPv4 192.168.0.1 192.168.0.2
IPv6 fc00::1 fc00::2
Changing the Network Addressing
Enabling an Additional Management Interface
62 Ruckus Wireless, Inc.
Figure 24. Enabling IPv6 automatically changes other fields to allow IPv6 addresses
Enabling an Additional Management Interface
The additional management interface is created for receiving and transmitting
management traffic only. The management IP address can be configured to allow
an administrator to manage ZoneDirector from its management VLAN, thereby
separating management traffic from LWAPP traffic between the controller and the
access points. The Management IP can be reached from anywhere on the network
as long as it is routable via the default Gateway configured in Device IP Settings.
It can also be used for Smart Redundancy -- when two redundant ZoneDirectors
are deployed, you can create a separate management interface to be shared by
both devices. Then, you only have to remember one IP address that you can log
into regardless of which ZoneDirector is the active unit. This shared management
IP address must be configured identically on both ZoneDirectors (see Configuring
ZoneDirector for Smart Redundancy).
To enable an additional management interface:
1Go to Configure > System.
2Locate the Management Interface section and click the check box next to
Enable IPv4 Management Interface or Enable IPv6 Management Interface.
Changing the Network Addressing
Enabling an Additional Management Interface
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 63
3Enter the IP Address, Netmask and Access VLAN information for the additional
interface. (If IPv6, enter Prefix Length instead of Netmask).
4(Optional) If you want to configure this management interface with a different
gateway from the gateway configured under “Device IP Settings”, select Default
gateway is connected with this interface, and enter the gateway IP address
in the field provided. Enable this option if you want to change the default gateway
of the ZoneDirector to be in your management subnet. Changing the default
gateway to be in the management subnet will cause all traffic to be routed via
this gateway.
5Click Apply to save your settings.
NOTE: If the Management Interface is to be shared by two Smart Redundancy
ZoneDirectors, repeat these steps for the other ZoneDirector.
Figure 25. Enabling an additional management interface
Creating Static Route Entries
Enabling an Additional Management Interface
64 Ruckus Wireless, Inc.
NOTE: If a management interface is used for web UI management, the actual IP
address must still be used when configuring ZoneDirector as a client for a backend
RADIUS server, FlexMaster server or in any SNMP systems. If two ZoneDirectors
are deployed in a Smart Redundancy configuration, both of the actual IP addresses
must be used rather than the management IP address.
Creating Static Route Entries
Static routes can be created to allow ZoneDirector to reach remote networks which
can only be reached via a gateway other than default gateway. The gateway you
use must be in the same subnet as either the ZoneDirector primary IP address or
the Management IP address.
To create a static route to an additional gateway
1Go to Configure > System and locate the Static Route section.
2Click Create New to create a new static route.
3Enter a Name for this access route.
4Enter a Subnet (in the format A.B.C.D/M (where M is the netmask).
5Enter the Gateway address.
6Click OK to save your changes. You can create up to 4 static route entries.
Figure 26. Creating a static route entry
Enabling Smart Redundancy
Static Route Example
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 65
Static Route Example
As an example, in a network where the APs are connected to ZoneDirector via a
cable modem termination system, the APs are in a different subnet and not found
via the default gateway. A static route would therefore be needed to allow ZoneDi-
rector to AP connectivity. (See Figure 27).
Figure 27. A static route is needed when APs are reachable only through a non-default
gateway
Enabling Smart Redundancy
ZoneDirector’s Smart Redundancy feature allows two ZoneDirectors to be config-
ured as a redundant pair, with one unit actively managing your ZoneFlex network
while the other serves as a backup in standby mode, ready to take over if the first
unit fails or loses power.
Each ZoneDirector will either be in active or standby state. If the active ZoneDirector
fails, the standby device becomes active. When the original active device recovers,
it automatically assumes the standby state as it discovers an already active
ZoneDirector on the network.
The ZoneDirector in active state manages all APs and client connections. The
ZoneDirector in standby state is responsible for monitoring the health of the active
unit and periodically synchronizing its settings to match those of the active device.
The ZoneDirector in standby state will not respond to Discovery requests from APs
and changing from active to standby state will release all associated APs.
Enabling Smart Redundancy
Configuring ZoneDirector for Smart Redundancy
66 Ruckus Wireless, Inc.
When failover occurs, all associated APs will continue to provide wireless service to
clients during the transition, and will associate to the newly active ZoneDirector
within approximately one minute.
When two ZoneDirectors are connected in a Smart Redundancy configuration, the
standby ZD will send heartbeats and the active will send discover messages at 6
second intervals. If after 15 seconds no reply is seen, each controller will assume
disconnection from its peer, and the standby ZD will change to active state. At this
point both devices are in active state and will accept join requests from APs.
When the two ZoneDirectors are communicating again, one active ZD will change
to standby state and an auto-synchronization process will be started. A timestamp
is used to determine which ZD should sync its latest configuration changes to those
of its peer. They will continue trying to communicate, sending discover messages
every 6 seconds, until the ZDs are communicating again, at which point they will
determine active/standby roles based on: 1) most managed APs, and/or 2) lower
MAC address.
Configuring ZoneDirector for Smart Redundancy
For management convenience, both ZoneDirectors in a Smart Redundancy deploy-
ment can be managed via a single shared IP address. In this situation, three IP
addresses would need to be configured:
Primary ZoneDirector’s real address
Backup ZoneDirector’s real address
Management address
All configuration changes are made to the active ZoneDirector and synchronized to
the standby unit. The user can access the web interface from any of the three IP
addresses, however not all configuration options are available from the standby
device.
NOTE: If you will be deploying the two ZoneDirectors on different Layer 3 networks,
you must ensure that Port 443 and Port 33003 are open in any routers and firewalls
located between the two ZoneDirectors.
To enable Smart Redundancy:
1Log in to the web interface of the ZoneDirector you will initially designate as the
primary unit.
Enabling Smart Redundancy
Configuring ZoneDirector for Smart Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 67
2Go to Configure > System, and set a static IP address under Device IP Settings,
if not already configured.
3Click Apply. You will need to log in again using the new IP address (if changed).
4On the same Configure > System page, locate the Smart Redundancy section.
Figure 28. Enable Smart Redundancy
5Enable the check box next to Enable Smart Redundancy.
6Enter the IP address of the backup unit under Peer Device IP Address.
NOTE: If you have configured Limited ZD Discovery under Configure > Access
Points > Access Point Policies, you must identify the IP address of both
ZoneDirectors that the APs should connect to when Smart Redundancy is active.
If the Limited ZD Discovery and Smart Redundancy information you enter is
inconsistent, a warning message will be displayed asking you to confirm. Note that
Ruckus recommends using the Smart Redundancy feature instead of the Limited
ZD Discovery feature whenever possible.
7Enter a Shared Secret for two-way communication between the two
ZoneDirectors (up to 15 alphanumeric characters).
8Click Apply to save your changes and prompt ZoneDirector to immediately
attempt to discover its peer on the network.
Enabling Smart Redundancy
Configuring ZoneDirector for Smart Redundancy
68 Ruckus Wireless, Inc.
9If discovery is successful, the details of the peer device will be displayed to the
right.
10 If discovery is unsuccessful, you will be prompted to retry discovery or continue
configuring the current ZoneDirector.
11 Install the second ZoneDirector and complete the Setup Wizard.
12 Go to Configure > System, enable Smart Redundancy and enter the primary
ZoneDirector’s IP address in Peer Device IP address.
13 Click Apply. If an active ZoneDirector is discovered, the second ZoneDirector
will assume the standby state. If an active device is not discovered, you will be
prompted to retry discovery or to continue configuring the current device.
Once Smart Redundancy has been enabled, a status link is displayed at the top of
the web interface.
Figure 29. Smart Redundancy status link
NOTE: If you want to use the same SSL certificate for both devices in a Smart
Redundancy pair, you can back up the certificate/private key from one device and
import it into the other. See Working with SSL Certificates for more information.
NOTE: If you disable Smart Redundancy after it has been enabled, both
ZoneDirectors will revert to active state, which could result in unpredictable network
topologies. Therefore, Ruckus Wireless recommends first factory resetting the
standby ZoneDirector before disabling Smart Redundancy.
Enabling Smart Redundancy
Forcing Failover to the Backup ZoneDirector
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 69
NOTE: If the active and standby ZoneDirector are on different IP subnets, APs need
to know the IP addresses of both ZoneDirectors to quickly find the active
ZoneDirector after a Smart Redundancy failover. You can do this by configuring the
IP addresses of both devices on the Configure > Access Points > Limited ZD
Discovery page. Specify one ZoneDirector as Primary, the other as Secondary.
Alternatively you can specify the IP addresses of both ZoneDirectors through DHCP
Option 43 (see Option 2: Customize Your DHCP Server).
Forcing Failover to the Backup ZoneDirector
After Smart Redundancy has been enabled, you can view the status of both the
primary and backup units from the Dashboard by dragging the Smart Redundancy
widget onto the workspace.
Figure 30. The Smart Redundancy widget
The Failover button can be used to force a role reversal making the standby
ZoneDirector the active unit. This widget also displays the state (active, standby or
disconnected) of both devices, as well as their IP addresses and the Management
IP address, if configured.
Managing Smart Redundancy AP License Pools
If two Smart Redundancy ZoneDirectors have different license levels (number of
licensed APs), the total number of licenses is displayed in the Smart Redundancy
dashboard widget, in the “License Pool” entry. When one device is disconnected,
the remaining active ZD will continue to use the previous total license pool and start
a 60-day timer. When the timer expires, the ZD will use its own license number (the
license pool is reduced to the number of APs licensed for the currently active device
only) until its Smart Redundancy peer comes back online.
Need new
Need New
Enabling Smart Redundancy
Managing Smart Redundancy AP License Pools
70 Ruckus Wireless, Inc.
If a third ZoneDirector connects, the license pool will reflect the new total license
pool if the sum of the two licenses is higher than the original pair. If the sum is less
than the previous license pool (within the 60-day timer), the user will be prompted
to choose whether the license pool will be derived from the active + original
disconnected device, or from the currently active + current standby device. License
pools cannot exceed the maximum individual ZD license limit. ZoneDirectors with
temporary licenses cannot be configured as part of a Smart Redundancy pair.
Figure 31. Smart Redundancy status degraded (peer is disconnected, license pool remains
valid for 60 days
Figure 32. After 60 day grace period expires, license pool is revoked and AP license count
reverts to active device license level only
Configuring the Built-in DHCP Server
Enabling the Built-in DHCP server
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 71
Figure 33. If a third ZD connects with a lower license level than the 2nd (disconnected) ZD,
the user can choose to use the original license pool for up to 60 days
Configuring the Built-in DHCP Server
ZoneDirector comes with a built-in DHCP server that you can enable to assign IP
addresses to devices that are connected to it. ZoneDirector’s DHCP server will only
assign addresses to devices that are on its own subnet and part of the same VLAN.
Note that before you can enable the built-in DHCP server, ZoneDirector must be
assigned a manual (static) IP address. If you configured ZoneDirector to obtain its
IP address from another DHCP server on the network, the options for the built-in
DHCP server will not be visible on the System Configuration page.
Enabling the Built-in DHCP server
NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server
if there are no other DHCP servers on the network. ZoneDirector’s internal DHCP
server can service only a single subnet (the one it’s in) and not other VLANs that
Table 13. Max AP Licenses by ZoneDirector Model
Model Max AP Licenses
ZoneDirector 1200 75
ZoneDirector 3000 500
ZoneDirector 5000 1,000
Configuring the Built-in DHCP Server
Enabling the Built-in DHCP server
72 Ruckus Wireless, Inc.
may be associated with client WLANs. If you enable the built-in DCHP server,
Ruckus Wireless also recommends enabling the rogue DHCP server detector. For
more information, refer to Rogue DHCP Server Detection.
1Click the Configure tab. The System page appears.
2Under the DHCP Server section, select the Enable DHCP check box.
3In Starting IP Address, type the first IP address that the built-in DHCP server
will allocate to DHCP clients. The starting IP address must be on the same subnet
as the IP address assigned to ZoneDirector. If the value that you typed is invalid,
an error message appears and prompts you to let ZoneDirector automatically
correct the value. Click OK to automatically correct the entry.
4In Number of IPs, type the maximum number of IP addresses that you want to
allocate to requesting clients. The built-in DHCP server can allocate up to 512
IP addresses including the one assigned to ZoneDirector. The default value is
200.
5In Lease Time, select a time period for which IP addresses will be allocated to
DHCP clients. Options range from six hours to two weeks (default is one week).
6If your APs are on different subnets from ZoneDirector, click the check box next
to DHCP Option 43 to enable Layer 3 discovery of ZoneDirector by the APs.
7Click Apply.
NOTE: If you typed an invalid value in any of the text boxes, an error message
appears and prompts you to let ZoneDirector automatically correct the value. Click
OK to change it to a correct value.
Configuring the Built-in DHCP Server
Viewing DHCP Clients
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 73
Figure 34. The DHCP Server options
Viewing DHCP Clients
To view a list of current DHCP clients, click the click here link at the end of the “To
view all currently assigned IP addresses that have been assigned by the DHCP
server...” sentence. A table appears and lists all current DHCP clients with their MAC
address, assigned IP address, and the remaining lease time.
You can clear DHCP leases on ZoneDirector by disabling and re-enabling the DHCP
service.
Controlling ZoneDirector Management Access
Viewing DHCP Clients
74 Ruckus Wireless, Inc.
Figure 35. To view current DHCP clients, click the “click here” link
Controlling ZoneDirector Management
Access
The Management Access Control option can be used to control access to ZoneDi-
rector’s management interface. The Management Access Control interface is
located on the Configure > System screen. Options include limiting access by
subnet, single IP address and IP address range.
NOTE: When you create a management access control rule, all IP addresses and
subnets other than those specifically listed will be blocked from accessing
ZoneDirector’s web interface.
To restrict access to ZoneDirector’s web interface:
1Go to Configure > System.
2Locate the Management Access Control section, and click the Create New link.
Controlling ZoneDirector Management Access
Viewing DHCP Clients
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 75
3In the Create New menu that appears, enter a name for the user(s) that you want
to allow access to ZoneDirector’s web interface.
4Enter an IP address, address range or subnet.
The administrator’s current IP address is shown for convenience--be sure
not to create an ACL that prevents the admin’s own IP address from
accessing the web interface.
5Click OK to confirm. You can create up to 16 entries to the Management ACL.
Figure 36. Management Access Control
Setting the System Time
Viewing DHCP Clients
76 Ruckus Wireless, Inc.
Figure 37. Creating a new ZoneDirector management ACL
Setting the System Time
The internal clock in ZoneDirector is automatically synchronized with the clock on
your administration PC during the initial setup. You can use the web interface to
check the current time on the internal clock, which shows up as a static notation in
the Configure tab workspace. If this notation is incorrect, you can re-synchronize
the internal clock to your PC clock immediately by clicking the Sync Time with Your
PC button.
A preferable option is to link your ZoneDirector to an NTP server (as detailed below),
which provides continual updating with the latest time.
1Go to Configure > System.
2In the System Time features you have the following options:
Refresh: Click this to update the ZoneDirector display (a static snapshot) from
the internal clock.
Synch Time with your PC Now: If needed, click this to update the internal
clock with the current time settings from your administration PC.
Setting the Country Code
Viewing DHCP Clients
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 77
Use NTP... (Enabled by default): Clear this check box to disable this option,
or enter the DNS name or IP address of your preferred NTP server to use a
different one.
Select time zone for your location: Choose your time zone from the drop-
down menu. Setting the proper time zone ensures that timestamps on log
files are in the proper time zone.
3Click Apply to save the results of any resynchronization or NTP links.
Figure 38. The System Time options
Setting the Country Code
Different countries and regions maintain different rules that govern which channels
can be used for wireless communications. Setting the Country Code to the proper
regulatory region ensures that your ZoneFlex network does not violate local and
national regulatory restrictions. ZoneDirector’s web interface can be used to define
the country code for all APs under its control.
To set the Country Code to the proper location:
1Go to Configure > System.
2Locate the Country Code section, and choose your location from the pull-down
menu.
3Click Apply to save your settings.
Setting the Country Code
Channel Optimization
78 Ruckus Wireless, Inc.
Figure 39. The Country Code settings
Channel Optimization
If your Country Code is set to “United States,” an additional configuration option,
Channel Optimization, is shown. This feature allows you to choose whether addi-
tional DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be
available for use by your APs.
Note that these settings only affect Ruckus Wireless APs that support the extended
DFS channel list. Channel Optimization settings are described in the following table.
Table 14. Channel Optimization settings for US Country Code
Setting Description Use this setting when
Optimize for
Compatibility
DFS-capable ZoneFlex APs
are limited to the same
channels as all other APs (non-
DFS channels only).
You have a mixture of APs that
support DFS channels and
other Ruckus APs that do not
support DFS channels in a
Smart Mesh configuration.
Setting the Country Code
Channel Mode
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 79
NOTE: If you are located in the United States and have a DFS-capable ZoneFlex
AP that is expected to serve as a Root AP (or eMAP), with a non-DFS-capable Mesh
AP as its downlink, you will need to set the Channel Optimization setting to "Optimize
for Compatibility." This is due to the DFS-capable AP's ability to use more channels
than the non-DFS-capable APs, which could result in the RAP choosing a channel
that is not available to the MAP. Alternatively, manually set the channel for the Root
AP to one of the non-DFS channels. Specifically, choose one of the following
channels: 36, 40, 44, 48, 149, 153, 157, 161, 165.
The channels available for AP use are the following:
Optimize for Compatibility: 36, 40, 44, 48, 149, 153, 157, 161, 165 (non-DFS
channels).
Optimize for Interoperability: non-DFS channels plus channels 52, 56, 58, 60.
Optimize for Performance: all DFS/non-DFS channels, including 100, 104, 108,
112, 116, 120, 124, 128, 132, 136, 140.
Channel Mode
Some countries restrict certain 5 GHz channels to indoor use only. For instance,
Germany restricts channels in the 5.15 GHz to 5.25 GHz band to indoor use. When
ZoneFlex Outdoor APs and Bridges with 5 GHz radios (ZoneFlex 7762, 7782, 7761-
CM and 7731) are set to a country code where these restrictions apply, the AP or
Optimize for
Interoperability
ZoneFlex APs are limited to
non-DFS channels, plus four
DFS channels supported by
Centrino systems (may not be
compatible with other wireless
NICs).
You have only DFS-capable APs
in your network, or Smart Mesh
is not enabled, and you are
confident that all wireless
clients support DFS channels.
Optimize for
Performance
ZoneFlex APs can use all
available DFS and non-DFS
channels, without regard for
compatibility or
interoperability.
You have only DFS-capable APs
in your network, you are not
concerned with DFS
compatibility of client devices,
and you want to make the
maximum use of all possible
available channels.
Table 14. Channel Optimization settings for US Country Code
Setting Description Use this setting when
Changing the System Log Settings
Reviewing the Current Log Contents
80 Ruckus Wireless, Inc.
Bridge can no longer be set to an indoor-only channel and will no longer select from
amongst a channel set that includes these indoor-only channels when SmartSelect
or Auto Channel selection is used, unless the administrator configures the AP to
allow use of these channels.
For instance, if the AP is installed in a challenging indoor environment such as a
warehouse, the administrator may want to allow the AP to use an indoor-only
channel. These channels can be enabled for use through the AP CLI or ZoneDirector
web interface by configuring Configure > System > Country Code > Channel Mode
and checking Allow indoor channels (allows ZoneFlex Outdoor APs to use
channels regulated as indoor use only. If you have a dual-band ZoneFlex Indoor
AP functioning as a RAP with dual-band ZoneFlex Outdoor APs functioning as
MAPs, the mesh backhaul link must initially use a non-indoor-only channel. Your
ZoneFlex Outdoor MAPs may fail to join if the mesh backhaul link is using a restricted
indoor-only channel.
Changing the System Log Settings
ZoneDirector maintains an internal log of current events and alarms. This file has a
fixed capacity; at a certain level, ZoneDirector will start deleting the oldest entries to
make room for the newest. This log is volatile, and the contents will be deleted if
ZoneDirector is powered down. If you want a permanent record of all logging
activities, you can set up your syslog server to receive log contents from ZoneDi-
rector, and then use the web interface to direct all logging to the syslog server—as
detailed in this topic.
Reviewing the Current Log Contents
1Go to Monitor > All Events/Activities.
2Review the events and alarms listed below.
NOTE: Log entries are listed in reverse chronological order (with the latest logs at
the top of the list).
3Click a column header to sort the contents by that category.
4Click any column twice to switch chronological or alphanumeric sorting modes.
Changing the System Log Settings
Customizing the Current Log Settings
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 81
Figure 40. The All Events/Activities page
Customizing the Current Log Settings
You can review and customize the log settings by following these steps:
1Go to Configure > System.
2Scroll down to Log Settings.
3Make your selections from these syslog server options:
Event Log Level: Select one of the three logging levels: “Show More,”
“Warning and Critical Events,” or “Critical Events Only.”
Remote Syslog: To enable syslog logging, select the “Enable reporting to
remote syslog server at” check box, and then type the IP address in the box
provided.
Inherit remote syslog server for APs __ (IP Address): Enabling this feature
allows ZoneDirector to supply client association information to a third party
application that can then deploy ACL policies to a firewall based on client
association information such as user name, IP, MAC address, etc. First,
ZoneDirector retrieves client association information, then reorganizes the
Changing the System Log Settings
Customizing the Current Log Settings
82 Ruckus Wireless, Inc.
information and sends it to the syslog server, from which it can be collected
by the third party software and sent it to the firewall for access restriction
based on client association information.
4Click Apply to save your settings. The changes go into effect immediately.
Figure 41. The Log Settings options
Configuring Syslogs for Firewall Integration
Starting with release 9.8, ZoneDirector will generate syslog messages upon acqui-
sition, update or deletion of an IP address by a wireless station. This feature allows
enhanced integration with popular firewalls from vendors including Barracuda and
Palo Alto Networks for implementing client-specific security rules.
Station information is conveyed through a syslog message containing the following
information: IPv4/v6 address, User name, MAC address, Operation Type (Add,
Update, Del), AP/ZD MAC, OS Type.
To enable inclusion of client association logs in syslog messages:
1Go to Administer > Diagnostics.
2In Debug Logs, select the Client Association check box.
3Click Apply to save your changes.
Changing the System Log Settings
Customizing the Current Log Settings
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 83
4You must also ensure that syslog delivery is enabled on the Configure > System
page and that the Priority level in Remote Syslog Advanced Settings is set
to Info or All.
Figure 42. Enable client association logs in syslog for firewall integration
The flow of user data from the end point to the firewall will use the following path:
1The user authenticates to an authentication server via AP.
2ZoneDirector verifies the user’s identity.
3After the station authenticates successfully and gets an IP address, ZoneDirector
generates a syslog message.
4The log is sent to a syslog server in real time.
5The script on the syslog server extracts user information from the log message
and sends it to the firewall.
A similar flow can be used to remove user mappings if the station sends a disconnect
message.
Log format
The log format consists of the following fields:
Changing the System Log Settings
Customizing the Current Log Settings
84 Ruckus Wireless, Inc.
operation: Indicates whether to add, delete or update client association infor-
mation.
sta_ip: Indicates the IP address of station.
sta_name: Indicates the station’s account name supplied by the client when
being authenticated. The user name is used for 802.1X and Web Auth WLANs.
The MAC address of the client will be used as the user name for Open, MAC
Address and 802.1X + MAC Address WLAN types.
sta_mac: The station’s MAC address.
sta_oriip: Only takes effect when the operation is “update” in order to indicate
the original IP of the station.
ap_mac: Shows the MAC address of the AP to which the station is currently
connected.
seq: Indicates the sequence number of the log message. It is increased by one
after a log is sent. The UDP packet can be adjusted to the right order by this
field in the log server.
sta_ostype: Indicates the station’s OS type. Will be filled with “unknown” if the
OS type is unobtainable.
Examples
Add:
operation=add;seq=1;sta_ip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/
ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows7/
Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
Delete:
operation=del;seq=4;sta_ip=192.168.120.30;sta_mac=60:36:dd:19:17:ac;zd/
ap=00:0c:29:11:5a:0b/58:93:96:29:4c:60;sta_ostype=Windows 7/
Vista;sta_name=60:36:dd:19:17:ac;stamgr_sta_log_disconnect
Update:
operation=update;seq=2;sta_ip=192.168.120.30;sta_o-
riip=192.168.120.16;sta_mac=60:36:dd:19:17:ac;zd/ap=00:0c:29:11:5a:0b/
58:93:96:29:4c:60;sta_ostype=Windows 7/
Vista;sta_name=60:36:dd:19:17:ac;stamgr_handle_remote_ipc
Changing the System Log Settings
Customizing the Current Log Settings
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 85
Configuring Remote Syslog Advanced Settings
Advanced Syslog settings allow you to override the default Facility Name and Priority
Level of messages sent to the syslog server. In this way, users can separate different
kinds of syslogs according to the facility name on the syslog server side.
To configure remote syslog advanced settings:
1Go to Configure > System.
2Scroll down to Log Settings, and expand the Remote Syslog Advanced
Settings section.
3In ZoneDirector Settings, set the facility name as follows:
Keep Original: Retain the original facility name.
local0 - local7: Specify facility name.
4Set the priority level as follows:
All: Include all syslog messages.
0(emerg), 1(alert), 2(crit), 3(err), 4(warning), 5(notice), 6(info), 7(debug): Lower
numbers indicate higher priority. The syslog server will only receive logs
whose priority levels are the same as or higher than the configured level.
5Repeat step 4 for Managed AP Settings. ZoneDirector and Access Points can
use different facility and priority settings. All managed APs share the same facility
and priority settings.
Setting Up Email Alarm Notifications
Customizing the Current Log Settings
86 Ruckus Wireless, Inc.
Figure 43. Remote Syslog Advanced Settings
Setting Up Email Alarm Notifications
If an alarm condition is detected, ZoneDirector will record it in the event log. If you
prefer, an email notification can be sent to a configured email address of your
choosing.
To activate this option, follow these steps:
1Go to Configure > Alarm Settings.
2To enable email notification, select the Send an email message when an alarm
is triggered check box.
3Enter the recipient email address in the Email Address box provided, and click
Apply.
4Go to Configure > System, and scroll down to the Email Server section.
5Configure the settings listed in Tab l e 15 .
Setting Up Email Alarm Notifications
Customizing the Current Log Settings
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 87
Table 15. SMTP settings for email notification
SMTP Setting Description
From email address Type the email address from which ZoneDirector
will send alarm messages.
SMTP Server Name Type the full name of the server provided by your
ISP or mail administrator. Often, the SMTP server
name is in the format smtp.company.com..
For Hotmail addresses, the SMTP server name
is smtp.live.com.
SMTP Server Port Type the SMTP port number provided by your
ISP or mail administrator. Often, the SMTP port
number is 25 or 587. The default SMTP port
value is 587.
SMTP Authentication Username Type the user name provided by your ISP or mail
administrator. This might be just the part of your
email address before the @ symbol, or it might
be your complete email address. If you are using
a free email service (such as Hotmail or Gmail),
you typically have to type your complete email
address.
SMTP Authentication Password Type the password that is associated with the
user name above.
Confirm SMTP Authentication
Password
Retype the password you typed above to
confirm.
SMTP Encryption Options If your mail server uses TLS encryption, click the
SMTP Encryption Options link, and then select
the TLS check box. Additionally, select the
STARTTLS check box that appears after you
select the TLS check box. Check with your ISP
or mail administrator for the correct encryption
settings that you need to set.
If using a Yahoo! email account, STARTTLS must
be disabled.
If using a Hotmail account, both TLS and
STARTTLS must be enabled.
Setting Up Email Alarm Notifications
Customizing the Current Log Settings
88 Ruckus Wireless, Inc.
6To verify that ZoneDirector can send alarm messages using the SMTP settings
you configured, click the Test button.
If ZoneDirector is able to send the test message, the message Success!
appears at the bottom of the Email Notification page. Continue to Step 7
If ZoneDirector is unable to send the test message, the message Failed!
appears at the bottom of the Email Notification page. Go back to Step 5, and
then verify that the SMTP settings are correct.
7Click Apply. The email notification settings you configured become active
immediately.
Figure 44. The Alarm Settings page
NOTE: If the Test button is clicked, ZoneDirector will attempt to connect to the mail
server for 10 seconds. If it is unable to connect to the mail server, it will stop trying
and quit.
NOTE: When the alarm email is first enabled, the alarm recipient may receive a flood
of alarm notifications. This may cause the mail server to treat the email notifications
as spam and to temporarily block the account.
Configuring SMS Settings for Guest Pass Delivery via SMS
Customizing Email Alarms that ZoneDirector Sends
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 89
NOTE: ZoneDirector sends email notifications for a particular alert only once, unless
(1) it is a new alert of the same type but for a different device, or (2) existing alert
logs are cleared.
Customizing Email Alarms that ZoneDirector Sends
Using the Alarm Event section of the Configure > Alarm Settings page, you can
choose which types of events will trigger ZoneDirector to send an email notification.
1Click Alarm Event to select/deselect all alarm types.
2Select or deselect those for which you want or don’t want to receive emails.
3Click Apply to save your changes.
When any of the selected events occur, ZoneDirector sends an email notification to
the email address that you specified in the Email Notification section.
NOTE: With the exception of the Lost contact with AP event, ZoneDirector only
sends one email alarm notification for each event. If the same event happens again,
no alarm will be sent until you clear the alarm on the Monitor > All Alarms page.
On the other hand, ZoneDirector sends a new alarm notification each time the Lost
contact with AP event occurs.
Configuring SMS Settings for Guest Pass
Delivery via SMS
If you want to deliver Guest Passes to your guests via SMS, you can configure
ZoneDirector to use an existing Twilio or Clickatell account for SMS delivery. The
first step is to inform ZoneDirector of your Twilio or Clickatell account information.
1Go to Configure > System.
2Locate the SMS Settings section, and select either Twilio account information
or Clickatell account information.
3Enter your Account SID, Auth Token and From Phone Number (Twilio) or your
User Name, Password and API ID (Clickatell).
4Click the Test button to test your settings.
5Once confirmed, click Apply to save your changes.
Enabling Login Warning Messages
Customizing Email Alarms that ZoneDirector Sends
90 Ruckus Wireless, Inc.
You can now allow guest pass generators to deliver guest pass codes to guests
using the SMS button when generating a new guest pass. (You must also enter a
phone number for receiving the SMS messages for each guest pass created.)
Figure 45. Configuring SMS Settings
Enabling Login Warning Messages
If you want to display a warning message upon login to the ZoneDirector web UI or
CLI, you can do so using the following procedure:
1Go to Configure > System, and scroll down to the Login Warning section.
2Click Enable login warning, and replace the text in the Customize warning
content text box according to your preferences.
3Click Apply to save your changes. The next time a user attempts to login to
ZoneDirector, they will be presented with the warning message you configured.
Enabling Login Warning Messages
Customizing Email Alarms that ZoneDirector Sends
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 91
Figure 46. Enabling and configuring a login warning message
Enabling Network Management Systems
Enabling Management via FlexMaster
92 Ruckus Wireless, Inc.
Enabling Network Management Systems
ZoneDirector supports several external network management systems including
Ruckus Wireless FlexMaster server, SNMPv2, SNMPv3 and Telnet server. These
options are configured from the Configure > System page by expanding the Network
Management link. The following section describes how to enable these network
management systems.
Enabling Management via FlexMaster
If you have a Ruckus Wireless FlexMaster server installed on the network, you can
enable FlexMaster management to centralize monitoring and administration of
ZoneDirector and other supported Ruckus Wireless devices. This version of Zone-
Director supports the following FlexMaster-deployed tasks:
Firmware upgrade for both ZoneDirector and the APs that report to them
•Reboot
Backup of ZoneDirector settings
Performance monitoring
When the FlexMaster management option is enabled, you will still be able to access
the ZoneDirector web interface to perform other management tasks. By default,
FlexMaster management is disabled.
To enable FlexMaster management:
1Click Configure > System.
2Scroll down to the bottom of the page.
3If you see + Network Management (section is collapsed) at the bottom of the
page, click the Network Management link to expand the section.
4Under FlexMaster Management, select the Enable management by
FlexMaster check box.
5In URL, type the FlexMaster DNS host name or IP address of the FlexMaster
server.
6In Interval, type the time interval (in minutes) at which ZoneDirector will send
status updates to the FlexMaster server. The default interval is 15 minutes.
7Click Apply. The message Setting Applied appears.
You have completed enabling FlexMaster management on ZoneDirector. For more
information on how to configure ZoneDirector from the FlexMaster web interface,
refer to the FlexMaster documentation.
Enabling Network Management Systems
Enabling Northbound Portal Interface Support
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 93
Figure 47. The FlexMaster Management options
Monitoring ZoneDirector Performance from FlexMaster
If you want to monitor ZoneDirector’s performance statistics from FlexMaster, select
Enable Performance Monitoring, enter an update interval, and click Apply. This
option is disabled by default.
Enabling Northbound Portal Interface Support
The Northbound Portal interface allows the use of DPSKs on open authentication
WLANs meant for public access.
By enabling the Northbound Portal Interface, a wireless service provider can provide
simple but secure Wi-Fi access without pre-registration, account setup or authen-
tication. ZoneDirector redirects authentication requests to an outside portal. If
access is granted, ZoneDirector provides a unique dynamic PSK. The DPSK can
be delivered in a prov.exe file, which automatically configures the user’s device with
the relevant wireless settings or displayed on the portal screen for manual entry.
To enable Northbound Portal interface support
1Go to Configure > System > Network Management.
2Click Enable northbound portal interface support.
3Enter a Password for API to portal communication.
Enabling Network Management Systems
Configuring SNMP Support
94 Ruckus Wireless, Inc.
4Click Apply in the same section to save changes.
5Configure the portal to display the key to the user or to push the prov.exe file to
the client.
Figure 48. Enabling Northbound Portal interface
Configuring SNMP Support
ZoneDirector provides support for Simple Network Management Protocol (SNMP
v2 and v3), which allows you to query ZoneDirector information such as system
status, WLAN list, AP list, and clients list, and to set a number of system settings
using a Network Management System (NMS) or SNMP MIB browser.
You can also enable SNMP traps to receive immediate notifications for possible AP
and client issues.
Enabling the SNMP Agent
The procedure for enabling ZoneDirector’s internal SNMP agent depends on
whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides
security enhancements over the earlier version, and therefore requires you to enter
authorization passwords and encryption settings instead of simple clear text
community strings.
Enabling Network Management Systems
Configuring SNMP Support
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 95
Both SNMPv2 and SNMPv3 can be enabled at the same time. The SNMPv3
framework provides backward compatibility for SNMPv1 and SNMPv2c manage-
ment applications so that existing management applications can still be used to
manage ZoneDirector with SNMPv3 enabled.
NOTE: For a list of the MIB variables that you can get and set using SNMP, check
the related SNMP documentation on the Ruckus Wireless Support Web site at
http://support.ruckuswireless.com/documents.
If your network uses SNMPv2
To enable SNMPv2 management:
1Go to Configure > System. Scroll down to the bottom of the page and click
the Network Management link to open the Network Management section.
2Under the SNMPv2 Agent section, select the Enable SNMP Agent check box.
3Enter the following information:
•In SNMP RO community (required), set the read-only community string.
Applications that send SNMP Get-Requests to ZoneDirector (to retrieve
information) will need to send this string along with the request before they
will be allowed access. The default value is public.
•In SNMP RW community (required), set the read-write community string.
Applications that send SNMP Set-Requests to ZoneDirector (to set certain
SNMP MIB variables) will need to send this string along with the request
before they will be allowed access. The default value is private.
•In System Contact, type your email address (optional).
In System Location, type the location of the ZoneDirector device (optional).
4Click Apply to save your changes.
Enabling Network Management Systems
Configuring SNMP Support
96 Ruckus Wireless, Inc.
Figure 49. Enabling the SNMPv2 agent
If your network uses SNMPv3
To enable SNMPv3 management:
1Go to Configure > System. Scroll down to the bottom of the page and click
the Network Management link to open the Network Management section.
2Under the SNMPv3 Agent section, select the Enable SNMP Agent check box.
3Enter the following information for both the Read Only and Read-Write privileges:
User: Enter a user name between 1 and 31 characters.
Authentication: Choose MD5 or SHA authentication method (default is
MD5).
-MD5: Message-Digest algorithm 5, message hash function with 128-bit
output.
-SHA: Secure Hash Algorithm, message hash function with 160-bit output.
Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in
length.
Privacy: Choose DES, AES or None.
-DES: Data Encryption Standard, data block cipher.
-AES: Advanced Encryption Standard, data block cipher.
-None: No Privacy passphrase is required.
Enabling Network Management Systems
Configuring SNMP Support
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 97
Privacy Phrase: If either DES or AES is selected, enter a Privacy phrase
between 8 and 32 characters in length.
4Click Apply to save your changes.
Figure 50. Enabling the SNMPv3 agent
Enabling SNMP Trap Notifications
If you have an SNMP trap receiver on the network, you can configure ZoneDirector
to send SNMP trap notifications to the server. Enable this feature if you want to
automatically receive notifications for AP and client events that indicate possible
network issues (see Trap Notifications That ZoneDirector Sends).
To enable SNMP trap notifications
1In the Network Management section of the System page, scroll down to the
bottom of the page.
2Under SNMP Trap, select the Enable SNMP Trap check box.
3In SNMP Trap format, select either SNMPv2 or SNMPv3. You can select only
one type of trap receiver.
If you select SNMPv2, you only need to enter the IP addresses of up to four
SNMP trap receivers on your network.
Enabling Network Management Systems
Configuring SNMP Support
98 Ruckus Wireless, Inc.
If you select SNMPv3, enter up to four trap receiver IP addresses along with
authentication method passphrase and privacy (encryption) settings.
4Click Apply to save your changes.
Figure 51. Enabling SNMPv2 trap notifications
Enabling Network Management Systems
Configuring SNMP Support
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 99
Figure 52. Enabling SNMP trap notifications with SNMPv3
Trap Notifications That ZoneDirector Sends
There are several events for which ZoneDirector will send trap notifications to the
SNMP server that you specified. Ta b l e 16 lists the trap notifications that ZoneDirector
sends and when they are sent.
Table 16. Trap notifications
Trap Name Description
ruckusZDEventAPJoinTrap An AP has joined ZoneDirector. The AP’s
MAC address is included in the trap
notification.
ruckusZDEventSSIDSpoofTrap An SSID-spoofing rogue AP has been
detected on the network. The rogue AP’s
MAC address and SSID are included in the
trap notification.
ruckusZDEventMACSpoofTrap A MAC-spoofing rogue AP has been
detected on the network. The rogue AP’s
MAC address and SSID are included in the
trap notification.
Enabling Network Management Systems
Configuring SNMP Support
100 Ruckus Wireless, Inc.
ruckusZDEventRogueAPTrap A rogue AP has been detected on the
network. The rogue AP’s MAC address and
SSID are included in the trap notification.
ruckusZDEventAPLostTrap An AP has lost contact with ZoneDirector.
The AP’s MAC address is included in the trap
notification.
ruckusZDEventAPLostHeartbeatTrap An AP’s heartbeat has been lost. The AP’s
MAC address is included in the trap
notification.
ruckusZDEventClientAuthFailBlock
Trap
A wireless client repeatedly failed to
authenticate with an AP. The client's MAC
address, AP's MAC address and SSID are
included in the trap notification.
ruckusZDEventClientJoin A client has successfully joined an AP. The
client’s MAC address, the AP’s MAC address
and SSID are included in the trap notification.
ruckusZDEventClientJoinFailed A client has attempted and failed to join an
AP. The client’s MAC address, the AP’s MAC
address and SSID are included in the trap
notification.
ruckusZDEventClientJoinFailedAPB
usy
A client attempt to join an AP failed because
the AP was busy. The client's MAC address,
AP's MAC address and SSID are included.
ruckusZDEventClientDisconnect A client has disconnected from the AP. The
client's MAC address, AP's MAC address
and SSID are included.
ruckusZDEventClientRoamOut A client has roamed away from an AP. The
client's MAC address, AP's MAC address
and SSID are included.
ruckusZDEventClientRoamIn A client has roamed in to an AP. The client's
MAC address, AP's MAC address and SSID
are included.
Table 16. Trap notifications
Trap Name Description
Enabling Network Management Systems
Configuring SNMP Support
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 101
ruckusZDEventClientAuthFailed A client authentication attempt has failed.
The client's MAC address, AP's MAC
address, SSID and failure reason are
included.
ruckusZDEventClientAuthorization
Failed
A client authorization attempt to join an AP
has failed. The client's MAC address, AP's
MAC address and SSID are included.
ruckusZDEventAPcoldstart An AP has been cold started.
ruckusZDEventAPwarmstart An AP has been warm started.
ruckusZDEventAPclientValve Triggered when an AP’s online client limit has
been exceeded.
ruckusZDEventAPCPUvalve An AP's CPU utilization has exceeded the set
value.
ruckusZDEventAPMEMvalve An AP's memory utilization has exceeded the
set value.
ruckusZDEventSmartRedundancyChan
getoActive
The standby Smart Redundancy
ZoneDirector has failed to detect its active
peer, system changed to active state.
ruckusZDEventSmartRedundancyActi
veConnected
The active Smart Redundancy ZoneDirector
has detected its peer and is in active/
connected state.
ruckusZDEventSmartRedundancyActi
veDisconnected
The active Smart Redundancy ZoneDirector
has not detected its peer and is in active/
disconnected state.
ruckusZDEventSmartRedundancyStan
dbyConnected
The standby ZoneDirector has detected its
peer and is in standby/connected state.
ruckusZDEventSmartRedundancyStan
dbyDisconnected
The standby ZoneDirector has not detected
its peer and is in standby/disconnected
state.
Table 16. Trap notifications
Trap Name Description
Configuring DHCP Relay
Enabling Telnet
102 Ruckus Wireless, Inc.
Enabling Telnet
By default, Telnet is disabled due to security considerations, as SSH is the preferred
method if you need to access the ZoneDirector CLI. In some situations however,
you may want to enable Telnet.
To enable Telnet:
1Go to Configure > System.
2Scroll down to the bottom of the page and expand the Network Management
section.
3Locate the Telnet Server section, and click the box next to Enable Telnet Server.
4Click Apply to save your changes.
Figure 53. Enabling Telnet server
Configuring DHCP Relay
ZoneDirector’s DHCP Relay agent improves network performance by converting
DHCP broadcast traffic to unicast to prevent flooding the Layer 2 network (when
Layer 3 Tunnel Mode is enabled -- DHCP Relay only applies to Tunnel Mode WLANs.)
Configuring DHCP Relay
Enabling Telnet
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 103
Typically, when mobile stations acquire IP addresses through DHCP, the DHCP
request and acknowledgment traffic is broadcast to any devices in the same Layer
2 environment. With Tunnel Mode WLANs, this traffic flood is wasteful in terms of
bandwidth and computing power.
When DHCP Relay is enabled on a WLAN, the ZoneDirector relay agent converts
DHCP Discover / Request traffic to unicast UDP packets and sends them to the
DHCP servers, then delivers DHCP Offer / Ack messages from the DHCP server
back to the client.
The traffic flow is as follows:
1Client sends DHCP discover broadcast.
2AP tunnels this DHCP discover frame to ZoneDirector.
3DHCP Relay Agent sends unicast DHCP discover packet to DHCP server.
4DHCP server sends DHCP offer to Relay Agent on ZoneDirector.
5ZoneDirector sends DHCP Offer back to the AP.
6AP sends this Offer to client.
By reducing broadcast flooding, this option allows for higher client capacity in
tunneled WLANs designed for VoIP phones, for example. It also allows for DHCP
discovery across multiple subnets and limits DHCP broadcasts to the client’s AP
tunnel and radio.
To configure DHCP Relay for tunneled WLANs:
1Go to Configure > DHCP Relay.
2Click Create New.
3Enter a Name and IP address for the server.
4Click OK to save your changes. The new server appears in the list.
Configuring DHCP Relay
Enabling Telnet
104 Ruckus Wireless, Inc.
Figure 54. Creating a DHCP Relay server
To enable DHCP Relay for a WLAN:
1Go to Configure > WLANs.
2If creating a new WLAN, click Create New. Otherwise, click Edit for the WLAN
you want to configure.
3Under Advanced Options, when Tunnel Mode is enabled, the DHCP Relay
option becomes available.
4Under DHCP Relay, select Enable DHCP relay agent with __ DHCP server
and select the server you created earlier from the list.
5Click OK to save your changes.
Enabling Bonjour Gateway
Enabling Telnet
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 105
Figure 55. Enabling DHCP Relay agent for a Tunnel Mode WLAN
Enabling Bonjour Gateway
BonjourTM is Apple’s implementation of a zero-configuration networking protocol
for Apple devices over IP. It allows OS X and iOS devices to locate other devices
such as printers, file servers and other clients on the same broadcast domain and
use the services offered without any network configuration required.
Multicast applications such as Bonjour require special consideration when being
deployed over wireless networks. Bonjour only works within a single broadcast
domain, which is usually a small area. This is by design to prevent flooding a large
network with multicast traffic. However, in some situations, a user may want to offer
Bonjour services from one VLAN to another.
ZoneDirector’s Bonjour Gateway feature addresses this requirement by providing
an mDNS proxy service configurable from the web interface to allow administrators
to specify which types of Bonjour services can be accessed from/to which VLANs.
Enabling Bonjour Gateway
Creating a Bonjour Gateway Rule - ZD Site
106 Ruckus Wireless, Inc.
In order for the Bonjour Gateway to function, the following network configuration
requirements must be met:
1The target networks must be segmented into VLANs.
2VLANs must be mapped to different SSIDs.
3The controller must be connected to a VLAN trunk port.
Additionally, if the VLANs to be bridged by the gateway are on separate subnets the
network has to be configured to route traffic between them.
Creating a Bonjour Gateway Rule - ZD Site
The Bonjour Gateway service on ZoneDirector is essentially a list of rules for mapping
services from one VLAN to another. Using the ZD Site Bonjour Gateway feature,
ZoneDirector serves as the Bonjour proxy for forwarding Bonjour packets to the
designated VLANs.
Requirements:
Layer 2 switch between ZoneDirector and APs
The maximum number of ZD site Bonjour Gateway rules is as follows:
To configure rules for bridging Bonjour services across VLANs:
1Go to Configure > Bonjour Gateway.
2Click Create New in the ZD Site table to create a new Bonjour service rule.
3In the Create New form, configure the following options:
Bridge Service: Select the Bonjour service from the list.
- Selecting “Other” allows you to create custom rules, for example, creating
a rule for “_googlecast._tcp” would allow you to bridge Chromecast
services across VLANs.
From VLAN: Select the VLAN from which the Bonjour service will be
advertised.
Table 17. Max Bonjour rules per controller
ZoneDirector Model Max Rules
ZoneDirector 1200 256
ZoneDirector 3000 256
ZoneDirector 5000 256
Enabling Bonjour Gateway
Creating a Bonjour Gateway Rule - AP Site
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 107
To VL A N: Select the VLAN to which the service should be made available.
Notes: Add optional notes for this rule.
4Click OK to save your changes.
5Repeat for any additional rules.
6Select the check box next to Enable Bonjour gateway on ZD and click the
Apply button.
Figure 56. Creating a ZD Site Bonjour Gateway rule
Creating a Bonjour Gateway Rule - AP Site
Using the AP Site Bonjour Gateway feature, Bonjour bridging service is performed
on a designated AP rather than on ZoneDirector. Offloading the Bonjour policy to
an AP is necessary if a Layer 3 switch or router exists between ZoneDirector and
the APs. ZoneDirector identifies a single AP that meets the memory/processor
requirements (this feature is only supported on certain APs), and delivers a set of
service rules - a Bonjour policy - to the AP to perform the VLAN bridging.
Enabling Bonjour Gateway
Creating a Bonjour Gateway Rule - AP Site
108 Ruckus Wireless, Inc.
NOTE: This feature is only supported on the following access points: zf7762-AC,
7762-S-AC, T300, R300, H500, R500, R600, R700, 7982, 7372/52, 7055, 7782/
81, SC-8800 series.
Requirements and limitations:
Bonjour policy deployment to an AP takes effect after the AP joins ZoneDirector.
Some APs of one local area link must be in one subnet. The switch interfaces
connected to these APs in a local area link to must be configured in VLAN-trunk
mode. Only by doing so can the designated AP can receive all the multicast
Bonjour protocol packets from other VLANs.
Dynamic VLANs are not supported.
Some AP models are incompatible with this feature due to memory requirements.
To configure rules for AP site bridging Bonjour services across VLANs:
1Go to Configure > Bonjour Gateway.
2Click Create New in the AP Site table to create a new Bonjour service policy.
3Typ e a Name for the policy, then click Create New to create a new rule.
4In the Create New form, configure the following options:
Name: Enter a name for the proxy.
Description: Optionally, enter a description for the rule.
Order: Choose the order in which to apply rules.
Bridge Service: Select the Bonjour service from the list.
From VLAN: Select the VLAN from which the Bonjour service will be
advertised.
To VL A N: Select the VLAN to which the service should be made available.
Notes: Add optional notes for this rule.
5Click OK to save your changes.
6Repeat for any additional rules.
7Select the check box next to Enable Bonjour gateway on AP and click the
Apply button.
Enabling Bonjour Gateway
Applying a Bonjour Policy to an AP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 109
Figure 57. Create an AP site Bonjour policy
Applying a Bonjour Policy to an AP
Once you have created an AP site Bonjour policy, you will need to designate the
AP that will be responsible for implementing this policy.
To enable Bonjour policy on an AP:
1Go to Configure > Access Points.
2Click Edit next to the AP you want to configure.
3in Bonjour Gateway, enable the check box and select a Bonjour policy that you
created on the Configure > Bonjour Gateway page from the list.
4Click OK to save your changes.
Enabling Bonjour Gateway
Example Network Setup
110 Ruckus Wireless, Inc.
Figure 58. Designate an AP as a Bonjour Gateway
Example Network Setup
The following example illustrates how ZoneDirector’s Bonjour Gateway can be used
to allow users to access Bonjour resources on different VLANs in a school setting,
where access to certain resources must generally be separated between teachers
and students, but where sharing may sometimes be necessary.
Assume a network with three VLANs mapped to separate SSIDs, all on separate
subnets or multicast domains. The three segments host different devices for
different users:
Classroom SSID (VLAN 100): WEP authentication, includes an iMac desktop for
file sharing and iOS Sync for backup, and an Apple TV attached to a projector.
Teachers SSID (VLAN 200): 802.1X authentication for a MacBook and iPad,
needs to have access to all classroom resources.
Students SSID (VLAN 300): Students have a separate SSID with no authentica-
tion, they must be able to backup their iPads to the classroom iMac but should
not have access to the Apple TV or File Sharing services.
Configuring SPoT Location Services
Example Network Setup
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 111
Figure 59. Sample Bonjour Gateway configuration for a classroom scenario
In this example, the teacher gains access to AirPlay, AirPrint, iCloud Sync and File
Sharing, while students are given access to iCloud Sync and AirPrint only.
Configuring SPoT Location Services
To take advantage of Ruckus Wireless SmartPositioning Technology (SPoT) location
services, ZoneDirector must be configured with the Venue information that is
displayed in the SPoT Administration Portal. After completing purchase of the SPoT
location service, you will be given account login information that you can use to log
into the SPoT Administration Portal. The Admin Portal provides tools for configuring
and managing all of your “Venues” (the physical locations in which SPoT service is
deployed). After a Venue is successfully set up, you will need to enter the same
Venue information in ZoneDirector.
The following section lists the steps required for configuring ZoneDirector to
communicate with the SPoT Location Server.
Configuring SPoT Location Services
Example Network Setup
112 Ruckus Wireless, Inc.
To configure ZoneDirector for SPoT communication:
1Log in to the SPoT Administration Portal.
2On the Venues page, click Config next to the venue for which you want to
configure ZoneDirector Location Services.
3Take note of the four values in Controller Settings.
4In the ZoneDirector web interface, go to Configure > Location Services.
5In Location Services, click Create New.
6Enter the information from the SPot Admin Portal into the four fields provided.
7Click OK to save your changes.
8Go to Configure > Access Points, and in Access Point Groups, click Create
New or Edit to configure one or more AP groups for SPoT location services.
9Configure the AP group for SPoT communications.
NOTE: You will need to select 1 channel per radio for calibration, then after
calibration is complete, select 3 channels per radio for normal operation (see SPoT
User Guide for details).
10 In Location Services, click Enable, then select the Venue you created on the
Configure > Location Services page.
11 Click OK to save the AP group. ZoneDirector will begin trying to communicate
with the SPoT Location Server.
12 Once the APs have successfully connected to the SPoT server, you can view
the status of your SPoT-enabled APs on the Monitor > Location Services page.
For more information on configuration and management of your SPoT service, see
the SPoT User Guide, available from support.ruckuswireless.com.
Configuring SPoT Location Services
Example Network Setup
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 113
Figure 60. SPoT Administration Portal Venue Config page
Figure 61. Enter the venue information in ZoneDirector’s Configure > Location Services page
Configuring SPoT Location Services
Example Network Setup
114 Ruckus Wireless, Inc.
Figure 62. Configure an AP Group for SPoT location services
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 115
3
Configuring Security and Other
Services
In this chapter:
Configuring Self Healing Options
Configuring Wireless Intrusion Prevention
Controlling Network Access Permissions
Using an External AAA Server
Configuring Self Healing Options
Automatically Adjust AP Power
116 Ruckus Wireless, Inc.
Configuring Self Healing Options
ZoneDirector has the capability to perform automatic network adjustments to
enhance performance and improve coverage by dynamically modifying power
output and channel selection settings for each AP, depending on the actual RF
environment. These features are called “Self Healing.”
Automatically Adjust AP Power
ZoneDirector provides a feature to automatically adjust AP radio power to optimize
coverage when interference is present. This feature is designed to turn down the
power of an access point if the following conditions are met:
1The power is set to Auto in the AP configuration.
2The AP can hear another AP that is on the same channel and same ZoneDirector.
3The AP can hear the other AP at a minimum of 50dB which means the Access
Points are very close to each other.
Note that the 2.4G and 5G radio bands are considered independently. If all
conditions are met, the AP will reduce its power by half. The other AP may or may
not necessarily reduce its power simultaneously.
NOTE: In general, Ruckus does NOT recommend enabling this feature as it can
lead to non-optimal AP power levels. With BeamFlex access points, Ruckus' general
guidelines are to run access points at full power to maximize the throughput and
SINR levels, thus maximizing data rates and performance.
Automatic Channel Selection
ZoneDirector offers two methods of automatic channel selection for spectrum
utilization and performance optimization:
ChannelFly
Background Scanning
While Background Scanning must be enabled for rogue AP detection, AP location
detection and radio power adjustment, either can be used for automatic channel
optimization.
Configuring Self Healing Options
Automatic Channel Selection
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 117
ChannelFly
The main difference between ChannelFly and Background Scanning is that Chan-
nelFly determines the optimal channel based on real-time statistical analysis of actual
throughput measurements, while Background Scanning uses channel measure-
ment and other techniques to estimate the impact of interference on Wi-Fi capacity
based on progressive scans of all available channels.
NOTE: If you enable ChannelFly, Background Scanning can still be used for
adjusting radio power and rogue detection while ChannelFly manages the channel
assignment. Both cannot be used at the same time for channel management.
Benefits of ChannelFly
With ChannelFly, the AP intelligently samples different channels while using them for
service. ChannelFly assesses channel capacity every 15 seconds and changes
channel when, based on historical data, a different channel is likely to offer higher
capacity than the current channel. Each AP makes channel decisions based on this
historical data and maintains an internal log of channel performance individually.
When ChannelFly changes channels, it utilizes 802.11h channel change announce-
ments to seamlessly change channels with no packet loss and minimal impact to
performance. The 802.11h channel change announcements affect both wireless
clients and Ruckus mesh nodes in the 2.4 GHz and/or 5 GHz bands.
Initially (in the first 30-60 minutes) there will be more frequent channel changes as
ChannelFly learns the environment. However, once an AP has learned about the
environment and which channels are most likely to offer the best throughput
potential, channel changes will occur less frequently unless a large measured drop
in throughput occurs.
ChannelFly can react to large measured drops in throughput capacity in as little as
15 seconds, while smaller drops in capacity may take longer to react to.
Disadvantages of ChannelFly
Compared to Background Scanning, ChannelFly takes considerably longer for the
network to settle down. If you will be adding and removing APs to your network
frequently, Background Scanning may be preferable. Additionally, if you have clients
that do not support the 802.11h standard, ChannelFly may cause significant
connectivity issues during the initial capacity assessment stage.
Configuring Self Healing Options
Automatic Channel Selection
118 Ruckus Wireless, Inc.
You can enable/disable ChannelFly per band. If you have 2.4 GHz clients that do
not support 802.11h, Ruckus recommends disabling ChannelFly for 2.4 GHz but
leaving it enabled for the 5 GHz band.
To configure the self healing options:
1Go to Configure > Services.
2Review and change the following self-healing options:
Automatically adjust AP radio power to optimize coverage where
interference is present: Enable automatic radio power adjustment based
on Background Scanning.
Automatically adjust 2.4 GHz channels using
- Background Scanning
- ChannelFly
Automatically adjust 5 GHz channels using
- Background Scanning
- ChannelFly
3Click the Apply button in the same section to save your changes.
Figure 63. Self Healing options
Configuring Self Healing Options
Automatic Channel Selection
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 119
NOTE: ChannelFly channel selection data is persistent across reboots for the
following APs only: 7982, 7782, 7782-x, 7781-CM, SC-8800-S. It is not persistent
across power cycles for any AP.
Background Scanning
Using Background Scanning, ZoneDirector regularly samples the activity in all
Access Points to assess RF usage, to detect rogue APs and to determine which
APs are near each other for mesh optimization.
These scans sample one channel at a time in each AP so as not to interfere with
network use. This information is then applied in AP Monitoring and other ZoneDi-
rector monitoring features. You can, if you prefer, customize the automatic scanning
of RF activity, deactivate it if you feel it's not helpful, or adjust the frequency, if you
want scans at greater or fewer intervals. Note that Background Scanning must be
enabled for ZoneDirector to detect rogue APs on the network.
To configure Background Scanning:
1Go to Configure > Services.
2In the Background Scanning section, configure the following options:
Run a background scan on the 2.4 GHz radio every [ ]: Select this check
box enter the time interval (1~65535 seconds, default is 20) that you want to
set between each scan.
Run a background scan on the 5 GHz radio every [ ]: Select this check
box enter the time interval (1~65535 seconds, default is 20) that you want to
set between each scan.
NOTE: If you want to disable Background Scanning, clear the check box; this
should result in a minor increase in AP performance, but removes the detection of
rogue APs from ZoneDirector monitoring. You can also decrease the scan frequency,
as less frequent scanning improves overall AP performance.
3Click the Apply button in the same section to save your settings.
Configuring Self Healing Options
Automatic Channel Selection
120 Ruckus Wireless, Inc.
Figure 64. Background scanning options
NOTE: You can also disable Background Scanning on a per-WLAN basis from the
Configure > WLANS page. To disable scanning for a particular WLAN, click the
Edit link next to the WLAN for which you want to disable scanning, open Advanced
Options, and click the check box next to Disable Background Scanning.
To see whether Background Scanning is enabled or disabled for a particular AP, go
to Monitor > Access Points, and click on the AP’s MAC address. The access point
detail screen displays the Background Scanning status for each radio.
Configuring Self Healing Options
Load Balancing
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 121
Figure 65. Viewing whether Background Scanning is enabled for an AP
Load Balancing
Enabling load balancing can improve WLAN performance by helping to spread the
client load between nearby access points, so that one AP does not get overloaded
while another sits idle. The load balancing feature can be controlled from within
ZoneDirector’s web interface to balance the number of clients per radio on adjacent
APs. “Adjacent APs” are determined by ZoneDirector at startup by measuring the
RSSI during channel scans. After startup, ZoneDirector uses subsequent scans to
update the list of adjacent radios periodically and when a new AP sends its first scan
report. When an AP leaves, ZoneDirector immediately updates the list of adjacent
radios and refreshes the client limits at each affected AP.
Once ZoneDirector is aware of which APs are adjacent to each other, it begins
managing the client load by sending desired client limits to the APs. These limits are
“soft values” that can be exceeded in several scenarios, including: (1) when a client’s
signal is so weak that it may not be able to support a link with another AP, and (2)
when a client’s signal is so strong that it really belongs on this AP.
The APs maintain these desired client limits and enforce them once they reach the
limits by withholding probe responses and authentication responses on any radio
that has reached its limit.
Configuring Self Healing Options
Load Balancing
122 Ruckus Wireless, Inc.
Key points on load balancing:
These rules apply only to client devices; the AP always responds to another AP
that is attempting to set up or maintain a mesh network.
Load balancing does not disassociate clients already connected.
Load balancing takes action before a client association request, reducing the
chance of client misbehavior.
The process does not require any time-critical interaction between APs and
ZoneDirector.
Provides control of adjacent AP distance with safeguards against abandoning
clients.
Can be disabled on a per-WLAN basis; for instance, in a voice WLAN, load
balancing may not be desired due to voice roaming considerations.
Background scanning must be enabled on the WLAN for load balancing to work.
To enable Load Balancing globally:
1Go to Configure > Services.
2In Load Balancing, choose to perform load balancing on either the 2.4 or 5 GHz
radio.
3Enter Adjacent Radio Threshold (in dB), and click Apply.
Configuring Self Healing Options
Load Balancing
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 123
Figure 66. Enable Load Balancing across adjacent APs by radio type
To disable Load Balancing on a per-WLAN basis:
1Go to Configure > WLANs.
2Click the Edit link beside the WLAN for which you want to disable load balancing.
3Click the Advanced Options link to expand the options.
4Select Do not perform load balancing for this WLAN service next to Load
Balancing.
Configuring Self Healing Options
Band Balancing
124 Ruckus Wireless, Inc.
Figure 67. Disable load balancing on a specific WLAN
Band Balancing
Band balancing balances the client load on radios by distributing clients between
the 2.4 GHz and 5 GHz radios. This feature is enabled by default and set to a target
of 25% of clients connecting to the 2.4 GHz band. To balance the load on a radio,
the AP encourages dual-band clients to connect to the 5 GHz band when the
configured percentage threshold is reached.
Configuring Self Healing Options
Radar Avoidance Pre-Scanning
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 125
Figure 68. Distributing clients between the 2.4 and 5 GHz radios
Radar Avoidance Pre-Scanning
The Radar Avoidance Pre-Scanning (RAPS) setting allows pre-scanning of DFS
channels in the 5 GHz band to ensure the channel is clear of radar signals prior to
transmitting on the channel. If a channel is blocked by this feature, it will be listed
as “DFS Block Radar” in the AP monitoring page. This setting affects select outdoor
dual band 802.11n AP models only and has no impact on APs that do not support
the feature. The option will also only be available if the Country Code settings are
configured to allow use of DFS channels (see Setting the Country Code).
Configuring Self Healing Options
AeroScout RFID Tag Detection
126 Ruckus Wireless, Inc.
Figure 69. Enabling Radar Avoidance Pre-Scanning
AeroScout RFID Tag Detection
AeroScout Tags are lightweight, battery-powered wireless devices that accurately
locate and track people and assets. AeroScout Tags, which can be mounted on
valuable equipment or carried by personnel, send periodic data to the AeroScout
Engine, the software component of the AeroScout visibility system that produces
accurate location and presence data.
If you are using AeroScout Tags in your organization, you can use the APs that are
being managed by ZoneDirector to relay data from the AeroScout Tags to the
AeroScout Engine. You only need to enable AeroScout tag detection on ZoneDi-
rector to enable APs to relay data to the AeroScout engine.
To enable AeroScout RFID tag detection on ZoneDirector:
1Go to Configure > Services.
2Scroll down to the AeroScout RFID section (near the bottom of the page).
3Select the Enable AeroScout RFID tag detection check box.
4Click the Apply button in the same section to save your changes.
ZoneDirector enables AeroScout RFID tag detection on all its managed APs that
support this feature.
Configuring Self Healing Options
Ekahau Tag Detection
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 127
Figure 70. Enabling AeroScout Tag detection
NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup
is not optimal (according to AeroScout documents). For more information on
AeroScout Tags and the AeroScout Engine, refer to your AeroScout documentation.
Ekahau Tag Detection
Utilizing Wi-Fi wireless network as an infrastructure, the Ekahau Real Time Location
System locates and tracks assets with attached Ekahau Tags. Ekahau Tags are
small, battery-powered devices that can be mounted on equipment or carried by
personnel, and send out periodic Ekahau Blink frames. Wi-Fi Access Points receive
and forward the Ekahau Blink frames to the Ekahau RTLS Controller, which
calculates accurate locations for the tags.
To enable Ekahau tag detection on ZoneDirector:
1Go to Configure > Services.
2Scroll down to the Ekahau Settings section (near the bottom of the page).
3Select the Enable Ekahau tag detection check box.
4Enter the Ekahau Controller IP address and Ekahau Controller Port.
Configuring Self Healing Options
Active Client Detection
128 Ruckus Wireless, Inc.
5Click the Apply button in the same section to save your changes.
ZoneDirector enables Ekahau tag detection on all its managed APs that support
this feature.
Figure 71. Enabling Ekahau tag detection
Active Client Detection
Enabling active client detection allows ZoneDirector to trigger an event when a client
with a low signal strength joins the network.
To enable active client detection:
1Go to Configure > Services, and scroll down to the Active Client Detection
section.
2Click the check box next to Enable client detection ... and enter an RSSI
threshold, below which an event will be triggered.
3Click Apply to save your changes.
Configuring Self Healing Options
Tunnel Configuration
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 129
Figure 72. Enabling active client detection
A low severity event is now triggered each time a client connects with an RSSI lower
than the threshold value entered. Go to Monitor > All Events/Activities to monitor
these events.
Tunnel Configuration
Only WLANs with Tunnel Mode enabled are affected. See Advanced Options in the
WLAN configuration section for information on enabling Tunnel Mode.
To configure data encryption and filtering for tunneled WLANs:
1Go to Configure > Services.
2Scroll down to the bottom of the page and locate the Tunnel Configuration
section.
3Enable the check boxes next to the features you want to enable:
Enable tunnel encryption for tunneled traffic: By default, when WLAN
traffic is tunneled to ZoneDirector, only the control traffic is encrypted while
data traffic is unencrypted. When this option is enabled, the Access Point will
decrypt 802.11 packets and then use an AES-encrypted tunnel to send them
to ZoneDirector.
Block multicast traffic from network to tunnel: Prevents [all/non-well-
known] multicast traffic from propagating on the tunnel.
Configuring Self Healing Options
Tunnel Configuration
130 Ruckus Wireless, Inc.
Block broadcast traffic from network to tunnel except ARP and DHCP:
Prevents all broadcast traffic other than Address Resolution Protocol and
DHCP packets.
Enable Proxy ARP of tunnel WLAN with rate limit threshold __.:
Reduces broadcast neighbor discovery packets (ARP and ICMPv6 Neighbor
Solicit) over tunnels. When ZoneDirector receives a broadcast ARP request
for a known host, it acts on behalf of the known host to send out unicast
ARP replies at the rate limit specified. If ZoneDirector receives a broadcast
ARP request for an unknown host, it will forward it to the tunnel to all APs
according to the rate limit threshold set in the Packet Inspection Filter (see
Packet Inspection Filter).
4Click Apply in the same section to save your changes.
Figure 73. Set tunnel configuration parameters for all WLANs with tunnel mode enabled.
Configuring Self Healing Options
Packet Inspection Filter
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 131
Packet Inspection Filter
The Packet Inspection Filter (PIF) allows configuration of rate limits for broadcast
neighbor discovery (IPv4 Address Resolution Protocol and IPv6 Neighbor Solicit)
packets. The PIF rate limiting threshold affects the following services:
ARP Broadcast Filter for Mesh links (see Optional Mesh Configuration Features).
Proxy ARP for WLAN interfaces (see Advanced Options under Creating a WLAN).
Proxy ARP for Tunneled WLANs (see Tunnel Configuration).
When Proxy ARP or ARP Broadcast Filter services are enabled, the AP attempts to
reduce neighbor discovery traffic over the air by replacing broadcast messages with
unicast messages for known hosts. When these packets are received for an
unknown host, the Packet Inspection Filter supplements this functionality by limiting
the rate at which these packets are delivered.
Figure 74. Packet Inspection Filter
Configuring Wireless Intrusion Prevention
DoS Protection
132 Ruckus Wireless, Inc.
Configuring Wireless Intrusion Prevention
ZoneDirector provides several built-in intrusion prevention features designed to
protect the wireless network from security threats such as Denial of Service (DoS)
attacks and intrusion attempts. These features, called Wireless Intrusion Prevention
System (WIPS), allow you to customize the actions to take and the notifications you
would like to receive when each of the different threat types is detected.
DoS Protection
Two options are provided to protect the wireless network from Denial of Service
attacks.
To configure the DoS protection options:
1Go to Configure > WIPS.
2In the Denial of Service (DoS) section, configure the following settings:
Protect my wireless network against excessive wireless requests: If this
capability is activated, excessive 802.11 probe request frames and manage-
ment frames launched by malicious attackers will be discarded.
Temporarily block wireless clients with repeated authentication fail-
ures for [ ] seconds: If this capability is activated, any clients that repeatedly
fail in attempting authentication will be temporarily blocked for a period of
time (10~1200 seconds, default is 30). Clients temporarily blocked by the
Intrusion Prevention feature are not added to the Blocked Clients list on the
Configure > Access Control page, Blocked Clients section.
3Click Apply to save your changes.
Configuring Wireless Intrusion Prevention
Intrusion Detection and Prevention
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 133
Figure 75. Denial of Service (DoS) prevention options
Intrusion Detection and Prevention
ZoneDirector’s intrusion detection and prevention features rely on background
scanning results to detect rogue access points connected to the network and
optionally, prevent clients from connecting to malicious rogue APs.
Rogue Access Points
A “Rogue Access Point” is any access point detected by a ZoneDirector-managed
access point that is not part of the ZoneFlex network managed by ZoneDirector.
Rogue devices are detected during off channel scans (background scanning) and
are simply other access points that are not being managed by ZoneDirector (e.g.,
an access point at a nearby coffee shop, a neighbor’s apartment or shopping mall).
Typically, rogue access points are not a threat, however there are certain types that
do pose a threat that will be automatically identified by ZoneDirector as “malicious
rogue APs”. The three automatically identified malicious access point categories are
as follows:
Configuring Wireless Intrusion Prevention
Rogue Access Points
134 Ruckus Wireless, Inc.
SSID-Spoofing: These are rogue access points that are beaconing the same
SSID name as a ZoneDirector-managed access point. They pose a threat as
someone may be attempting to use them as a honey pot to attract your clients
into their network to attempt hacking or man-in-the-middle attacks to exploit
passwords and other sensitive data.
Same-Network: These are rogue access points that are detected by other
access points as transmitting traffic on your internal network. They are detected
by ZoneDirector-managed access points seeing packets coming from a 'similar'
MAC address to one of those detected from an over the air rogue AP. Similar
MAC addresses are +-5 MAC addresses lower or higher than the detected over
the air MAC address.
MAC-spoofing: These are rogue access points that are beaconing the same
MAC address as a ZoneDirector-managed access point. They pose a threat as
someone may be attempting to use them as a honey pot to attract your clients
into their network to attempt hacking or man-in-the-middle attacks to exploit
passwords and other sensitive data.
The last type of malicious rogue device is “User Marked.” These are devices that
are manually marked as malicious rogues by a ZoneDirector administrator using the
Mark as Malicious button on the Monitor > Rogue Devices page.
To configure intrusion detection and prevention options:
1In the Intrusion Detection and Prevention section, configure the following
settings:
Enable report rogue devices: Enabling this check box allows ZoneDirector
to include rogue device detection in logs and email alarm event notifications.
-Report all rogue devices: Send alerts for all rogue AP events.
-Report only malicious rogue devices of type: Select which event types to
report.
Protect the network from malicious rogue access points: Enable this
feature to automatically protect your network from network connected rogue
APs, SSID-spoofing APs and MAC-spoofing APs. When one of these rogue
APs is detected (and this check box is enabled), the Ruckus AP automatically
begins sending broadcast de-authentication messages spoofing the rogue’s
BSSID (MAC) to prevent wireless clients from connecting to the malicious
rogue AP. This option is disabled by default.
2Click the Apply button that is in the same section to save your changes.
Configuring Wireless Intrusion Prevention
Rogue DHCP Server Detection
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 135
Figure 76. Intrusion Prevention options
See Detecting Rogue Access Points for more information on monitoring and
handling rogue devices.
Rogue DHCP Server Detection
A rogue DHCP server is a DHCP server that is not under the control of network
administrators and is therefore unauthorized. When a rogue DHCP server is intro-
duced to the network, it could start assigning invalid IP addresses, disrupting
network connections or preventing client devices from accessing network services.
It could also be used by hackers to compromise network security. Typically, rogue
DHCP servers are network devices (such as routers) with built-in DHCP server
capability that has been enabled (often, unknowingly) by users.
ZoneDirector has a rogue DHCP server detection feature that can help you prevent
connectivity and security issues that rogue DHCP servers may cause. When this
feature is enabled, ZoneDirector scans the network every five seconds for unautho-
rized DHCP servers and generates an event every time it detects a rogue DHCP
server.
The conditions for detecting rogue DHCP servers depend on whether ZoneDi-
rector's own DHCP server is enabled:
Configuring Wireless Intrusion Prevention
Rogue DHCP Server Detection
136 Ruckus Wireless, Inc.
If the built-in DHCP server is enabled, ZoneDirector will generate an event when
it detects any other DHCP server on the network.
If the built-in DHCP server is disabled, ZoneDirector will generate events when
it detects two or more DHCP servers on the network. You will need to find these
DHCP servers on the network, determine which ones are rogue, and then
disconnect them or shut down the DHCP service on them.
The Rogue DHCP Server Detection feature is enabled by default. If it is disabled,
use the following procedure to re-enable:
To enable rogue DHCP server detection on ZoneDirector (enabled by default)
1Go to Configure > WIPS.
2In the Rogue DHCP Server Detection section, select the Enable rogue DHCP
server detection check box.
3Click the Apply button that is in the same section.
You have completed enabling rogue DHCP server detection. Ruckus Wireless
recommends checking the Monitor > All Events/Activities page periodically to
determine if ZoneDirector has detected any rogue DHCP servers. When a rogue
DHCP server is detected, the following event appears on the All Events/Activities
page:
Rogue DHCP server on [IP_address] has been detected
If the check box is cleared, ZoneDirector will not generate these events.
NOTE: Rogue DHCP server detection only works on the ZoneDirector’s
management IP subnet.
Configuring Wireless Intrusion Prevention
Rogue DHCP Server Detection
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 137
Figure 77. Enabling Rogue DHCP server detection
Controlling Network Access Permissions
Creating Layer 2/MAC Address Access Control Lists
138 Ruckus Wireless, Inc.
Controlling Network Access Permissions
ZoneDirector provides several options for controlling client access to your wireless
networks and to other wired/wireless network resources. This section is divided into
the following subsections according to the features on the Configure > Access
Control page:
Creating Layer 2/MAC Address Access Control Lists
Creating Layer 3/Layer 4/IP Address Access Control Lists
Configuring Device Access Policies
Configuring Precedence Policies
Blocking Client Devices
Configuring Client Isolation White Lists
Application Recognition and Filtering
Creating Layer 2/MAC Address Access Control Lists
Using the Access Controls configuration options, you can define Layer 2/MAC
address ACLs, which can then be applied to one or more WLANs (upon WLAN
creation or edit). ACLs are either allow-only or deny-only; that is, an ACL can be set
up to allow only specified clients or to deny only specified clients. MAC addresses
that are in the deny list are blocked at the AP, not at ZoneDirector.
To configure an L2/MAC ACL:
1Go to Configure > Access Control.
2Expand the L2-L7 Access Control section.
3In L2/MAC Access Control, click Create New.
4Typ e a Name for the ACL.
5Typ e a Description of the ACL.
6Select the Restriction mode as either allow or deny.
7Type a MAC address in the MAC Address text box, and then click Create New
to save the address. The new MAC address that you added appears next to the
Stations field. You can enter up to 128 MAC addresses per ACL.
8Click OK to save the L2/MAC based ACL.
You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128
MAC addresses. Each WLAN can be configured with one L2 ACL.
Controlling Network Access Permissions
Creating Layer 3/Layer 4/IP Address Access Control Lists
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 139
Figure 78. Configuring an L2/MAC access control list
Creating Layer 3/Layer 4/IP Address Access Control
Lists
In addition to L2/MAC based ACLs, ZoneDirector also provides access control
options at Layer 3 and Layer 4. This means that you can configure the access control
options based on a set of criteria, including:
Destination Address
• Application
•Protocol
Destination Port
To create an L3/L4/IP address based ACL:
1Go to Configure > Access Control.
2Expand the L2-L7 Access Control section.
3In L3/4/IP address Access Control, click Create New.
4Typ e a Name for the ACL.
5Typ e a Description for the ACL.
6In Default Mode, set the default access privilege (allow all or deny all) that you
want to grant all users by default.
Controlling Network Access Permissions
Creating Layer 3/Layer 4/IP Address Access Control Lists
140 Ruckus Wireless, Inc.
7In Rules, click Create New or click Edit to edit an existing rule.
8Define each access policy by configuring a combination of the following:
Type: The access privilege (allow or deny) that this policy grants.
Destination Address: Enter an IP subnet and netmask of the network target
to which you want to allow or deny access. (IP address must be in the format
A.B.C.D/M, where M is the subnet mask.) Otherwise, select Any. For
example, if you enter 192.168.0.1/24, the rule would allow or deny the entire
Class C subnet. To allow/deny a single host, use /32 as the netmask.
Application: If you select a specific application from the menu, the Protocol
and Destination Port options are automatically filled with the relevant values
and are not configurable.
Protocol: Enter a network protocol number (0-254), as defined by the IANA
(http://www.iana.org/assignments/protocol-numbers/protocol-
numbers.xhtml) to allow or deny. Otherwise, select Any.
Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80-
443).
9Click OK to save the ACL.
10 Repeat these steps to create up to 32 L3/L4/IP address-based access control
rules.
Controlling Network Access Permissions
Configuring Device Access Policies
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 141
Figure 79. Configuring an L3/L4 access control list
Configuring Device Access Policies
In response to the growing numbers of personally owned mobile devices such as
smart phones and tablets being brought into the network, IT departments are
requiring more sophisticated control over how devices connect, what types of
devices can connect, and what they are allowed to do once connected.
Using the Device Access Policy settings, ZoneDirector can identify the type of client
attempting to connect, and perform control actions such as permit/deny, rate limiting
and VLAN tagging based on the device type.
Once a Device Access Policy has been created, you can apply the policy to any
WLANs for which you want to control access by device type. You could, for example,
allow only Apple OS devices on one WLAN and only Linux devices on another.
To create a Device Access Policy:
1Go to Configure > Access Control.
2Expand the Device Access Policy section, and click Create New.
3Enter a Name and optionally a description for the access policy.
4In Default Mode, select Deny all by default or Allow all by default.
Controlling Network Access Permissions
Configuring Device Access Policies
142 Ruckus Wireless, Inc.
5In Rules, you can create multiple OS-specific rules for each access policy.
Description: Description of the rule.
OS/Type: Select from any of the supported client types.
Typ e : Select rule type (allow or deny).
Uplink/Downlink: Set rate limiting for this client type.
VLAN: Segment this client type into a specified VLAN (1~4094; if no value
entered, this policy does not impact device VLAN assignment).
6Click Save to save the rule you created. You can create up to nine rules per
access policy (one for each OS/Type).
7To change the order in which rules are implemented, click the up or down arrows
in the Action column. You can also Edit or Clone rules from the Action column.
To delete a rule, select the box next to the rule and click Delete.
8Click OK to save the access policy. You can create up to 32 access policies (one
access policy per WLAN).
Figure 80. Creating a Device Access Policy
To apply a Device Access Policy to a WLAN:
1Go to Configure > WLANs.
Controlling Network Access Permissions
Configuring Precedence Policies
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 143
2To edit an existing WLAN, click Edit next to the WLAN you want to edit.
3Expand the Advanced Options, and locate the Access Control section.
4In Device Policy, select the policy you created from the list.
5Click OK to save your changes.
Figure 81. Applying a device access policy for a WLAN
Configuring Precedence Policies
Use the Precedence Policy settings to define the priority order in which rate limiting
and VLAN policies are applied to a WLAN.
To configure Precedence Policies:
1Go to Configure > Access Control.
2In the Precedence Policy section, click Edit to modify the default policy or click
Create New to create a new policy to be selectable from the WLAN
configuration dialog.
3Under Rules, click Create New to create a new rule for this policy.
4Select an Attribute (VLAN or Rate Limiting) to apply a precedence policy.
Controlling Network Access Permissions
Blocking Client Devices
144 Ruckus Wireless, Inc.
5Select a Precedence Policy (AAA Server, Device Policy or WLAN Configuration)
and click up and down arrows to set the order in which policies will take
precedence.
6Click Save to save the rule. You can create up to two rules per policy. The rules
will be applied in the order shown in the Order column.
7Click OK to save the precedence policy. This policy is now available for selection
in WLAN configuration.
Figure 82. Precedence Policy settings
Blocking Client Devices
When users log into a ZoneDirector network, their client devices are recorded and
tracked. If, for any reason, you need to block a client device from network use, you
can do so from the web interface. The following subtopics describe various tasks
that you can perform to monitor, block and unblock client devices manually from
the ZoneDirector web interface.
Note the following considerations when managing the Blocked Clients list:
Controlling Network Access Permissions
Blocking Client Devices
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 145
The block list is system-wide and is applied to all WLANs in addition to any per-
WLAN ACLs. If a MAC address is listed in the system-wide block list, it will be
blocked even if it is an allowed entry in an ACL. Thus, the block list takes
precedence over an ACL.
MAC addresses that are in the deny list are blocked at the AP, not at ZoneDirector.
Monitoring Client Devices
1Go to the Dashboard, if it's not already in view.
2Under Devices Overview, look at # of Total Client Devices.
Figure 83. The Device Overview widget
3Click the current number, which is also a link. The Wireless Clients page (on the
Monitor tab) appears, showing the first 15 clients that are currently connected
to ZoneDirector. If there are more than 15 currently active clients, the Show More
button at the bottom of the page will be active. To display more clients in the list,
click Show More. When all active clients are displayed on the page, the Show
More button disappears.
4To block any listed client devices, follow the next set of steps.
Temporarily Disconnecting Specific Client Devices
Follow these steps to temporarily disconnect a client device from your WLAN. (The
user can simply reconnect manually, if they prefer.) This is helpful as a trouble-
shooting tip for problematic network connections.
1Look at the Status column to identify any “Unauthorized” users.
2Click the Delete button in the Action column in a specific user row. The entry is
deleted from the Active/Current Client list, and the listed device is disconnected
from your Ruckus Wireless WLAN.
Controlling Network Access Permissions
Blocking Client Devices
146 Ruckus Wireless, Inc.
Figure 84. Click the Delete button to temporarily delete a client. The client will be able to
reconnect.
NOTE: The user can reconnect at any time, which, if this proves to be a problem,
may prompt you to consider Permanently Blocking Specific Client Devices.
Permanently Blocking Specific Client Devices
Follow these steps to permanently block a client device from WLAN connections.
1Look at the Status column to identify any unauthorized users.
2Click the Block button in the Action column in a specific user row.
The status is changed to Blocked. This will prevent the listed device from using your
Ruckus Wireless WLANs.
Controlling Network Access Permissions
Blocking Client Devices
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 147
Figure 85. Click the Block button to permanently delete a client
Reviewing a List of Previously Blocked Clients
1Go to Configure > Access Control.
2Review the Blocked Clients table.
3You can unblock any listed MAC address by clicking the Unblock button for that
address.
Controlling Network Access Permissions
Configuring Client Isolation White Lists
148 Ruckus Wireless, Inc.
Figure 86. Unblocking a previously blocked client
Configuring Client Isolation White Lists
When Wireless Client Isolation is enabled on a WLAN, all communication between
clients and other local devices is blocked at the Access Point. To prevent clients
from communicating with other nodes, the Access Point drops all ARP packets from
stations on the WLAN where client isolation is enabled and which are destined to
IP addresses that are not part of a per-WLAN white list.
You can create exceptions to client isolation (such as allowing access to a local
printer, for example) by creating Client Isolation White Lists.
To create a Client Isolation White List:
1Go to Configure > Access Control.
2Expand the Client Isolation White List section, and click Create New.
3Enter a Name and optionally a description for the access policy.
4In Rules, you can create multiple device-specific rules for each device to be white
listed.
Description: Description of the device.
MAC Address: Enter the MAC address of the device.
IPv4 Address: Enter the IP address of the device.
5Click Save to save the rule you created.
Controlling Network Access Permissions
Configuring Client Isolation White Lists
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 149
6To change the order in which rules are implemented, select the order from the
drop-down menu in the Order column. You can also Edit or Clone rules from
the Action column. To delete a rule, select the box next to the rule and click
Delete.
7Click OK to save the white list.
Figure 87. Creating a Client Isolation White List
To apply a Client Isolation White List to a WLAN:
1Go to Configure > WLANs.
2Click Edit next to the WLAN you want to edit.
3In Wireless Client Isolation (under Options), select the level of client isolation you
want to enforce:
Isolate wireless client traffic from other clients on the same AP: Enable
client isolation on the same Access Point (clients on the same subnet but
connected to other APs will still be able to communicate).
Controlling Network Access Permissions
Application Recognition and Filtering
150 Ruckus Wireless, Inc.
Isolate wireless client traffic from all hosts on the same VLAN/subnet:
Prevent clients from communicating with any other hosts on the same subnet
or VLAN other than those listed on the Client Isolation Whitelist. If this option
is chosen, you must select a Whitelist from the drop-down list of those you
created on the Configure > Access Control page.
4Click OK to save your changes.
Figure 88. Selecting a Client Isolation White List
Application Recognition and Filtering
The Application Recognition and Filtering features allow administrators to enhance
ZoneDirector’s built-in application identification capabilities and apply filtering poli-
cies to prevent users from accessing certain applications. These features allow
administrators to perform the following tasks:
Configure User Defined Applications
Configure Application Port Mapping
Configure Application Denial Policies
Controlling Network Access Permissions
Application Recognition and Filtering
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 151
Configure User Defined Applications
When an application is unrecognized and generically (or incorrectly) categorized,
you can configure an explicit application identification policy by IP Address/Mask,
Port and Protocol. Wireless traffic that matches a configured policy will be displayed
using the policy’s name on the Top 10 Applications widget on the Dashboard and
the Applications pie charts/tables on the Wireless Clients monitoring page.
In case of a conflict, application identification policies are implemented according
to the following priority order:
1User Defined Applications
2ZoneDirector embedded applications
3Port Mapping application policies
Figure 89 shows how to configure a policy to identify a corporate accounting
application. ZoneDirector identifies wireless traffic matching this policy as “Well Paid
Accounting” and displays this name in the application recognition pie charts and
tables.
Figure 89. Defining custom applications for ZoneDirector identification
Controlling Network Access Permissions
Application Recognition and Filtering
152 Ruckus Wireless, Inc.
Configure Application Port Mapping
When an application is unrecognized and generically (or incorrectly) categorized you
can configure an application identification policy by IP Port and Protocol. Wireless
traffic that matches a configured policy will be displayed using the policy’s Descrip-
tion text in the Applications widget on the Dashboard and Applications pie charts/
tables on the Wireless Clients monitoring page. You can create new port-to-
application name mappings individually, or you can batch upload a list in .csv format.
Click the click here link to download a sample of the .csv file format.
This type of policy is the least granular in configuration and hence it has the lowest
priority as a means of application identification. If for example you configure an
Application Port Mapping Policy for port 80/TCP, any such matching wireless traffic
not identified by either a User Defined Applications policy or ZoneDirector’s
embedded policies will be identified as belonging to this policy.
Figure 90 shows how an Application Port Mapping policy could be used to identify
all port 8081 wireless traffic as “HTTP Proxy” traffic and display this name in
application recognition pie charts and tables.
Figure 90. Application Port Mapping
Controlling Network Access Permissions
Application Recognition and Filtering
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 153
Well-Known Service and Destination Port Mappings Defined in Application
Visibility
ZoneDirector automatically identifies several hundred applications for use in appli-
cation recognition and denial policies. The following links provide lists of many the
most common applications and ports that are included:
IANA list of Service Names and Port Numbers
• SpeedGuide.net
Well known TCP and UDP ports used by Apple software products
• Bitcoin
Google Cloud Messaging
• PlayStation
•TiVo
•Wii
•Xbox
Configure Application Denial Policies
This option allows the administrator to deny application access by blocking any
HTTP host name or L4 port. Using application denial policies, administrators can
block specific applications if they are seen to be consuming excessive network
resources, or enforce network usage policies such as blocking social media sites.
The following usage guidelines need to be taken into consideration when defining
Application Denial Policies:
“www.corporate.com” – This will block access to the host web server at the
organization “corporate.com” i.e. the FQDN. It will not block access to any other
hosts such as ftp, ntp, smtp, etc. at the organization “corporate.com”.
“corporate.com” – this will block access to all hosts at the domain “corpo-
rate.com” i.e. it will block access to www.corporate.com, ftp.corporate.com,
smtp.corporate.com, etc.
“corporate” – This will block access to any FQDN containing the text “corporate”
in any part of the FQDN. Care should be taken to use as long as possible string
for matching to prevent inadvertently blocking sites that may contain a shorter
string match i.e. if the rule is “net” then this will block access to any sites that
have the text “net” in any part of the FQDN or “.net” as the FQDN suffix.
*.corporate.com – This is an invalid rule. Wildcard “*” and other regular expres-
sions cannot be used in any part of the FQDN.
Controlling Network Access Permissions
Application Recognition and Filtering
154 Ruckus Wireless, Inc.
“www.corporate.com/games” - This is an invalid rule. The filter cannot parse and
block access on text after the FQDN, i.e., in this example it cannot filter the micro-
site “/games”.
Notes:
Many global organizations have both a “.com” suffix and country specific suffix
such as “.co.uk”, “.fr”, “.au”.etc. To block access to, for example, the host web
server in all regional specific web sites for an organization, a rule like “www.corpo-
rate” could be used.
Many global organizations use distributed content delivery networks such as
Akamai. In such cases creating a rule such as “www.corporate.com” may not
prevent access to the entire site. Further investigation of the content network
behavior may need to be undertaken to fully prevent access.
When using Port based rules:
There is no distinction between the TCP and UDP protocols, so care should be
taken if wishing to block a specific application port as that will apply to both IP
protocols and may inadvertently block another application using the other protocol.
To create an Application Denial Policy:
1Go to Configure > Access Control.
2Expand the Application Recognition and Filtering section.
3In Application Denial Policy, click Create New to create a new policy.
4Enter a Name and optionally a Description for the policy.
5In Rules, click Create New to create a new rule for this policy.
6In Application, Select HTTP Domain Name or Port.
7In Description, enter the domain name or port number for the application you
want to block.
8Click Save to save the rule, and click OK to save the policy.
Controlling Network Access Permissions
Application Recognition and Filtering
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 155
Figure 91. Blocking an application by HTTP host name
Applying an Application Denial Policy to a WLAN
Once an Application Denial Policy is created, use the following procedure to apply
it to one or more WLANs:
1Go to Configure > WLANs, and click Edit next to the WLAN you want to
configure.
2Expand the Advanced Options section, and locate the Application Visibility
section.
3Ensure that the Enable check box is enabled.
4Select the policy you created from the Apply Policy Group list.
5Click OK to save your changes.
Controlling Network Access Permissions
Application Recognition and Filtering
156 Ruckus Wireless, Inc.
Figure 92. Apply an Application Denial Policy to a WLAN
Using an External AAA Server
Active Directory
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 157
Using an External AAA Server
If you want to authenticate users against an external Authentication, Authorization
and Accounting (AAA) server, you will need to first configure your AAA server, then
point ZoneDirector to the AAA server so that requests will be passed through
ZoneDirector before access is granted. This section describes the tasks that you
need to perform on ZoneDirector to ensure ZoneDirector can communicate with
your AAA server.
NOTE: For specific instructions on AAA server configuration, refer to the
documentation that is supplied with your server.
ZoneDirector supports four types of AAA server:
Active Directory
LDAP
RADIUS / RADIUS Accounting
TACACS+
A maximum of 32 AAA server entries can be created, regardless of server type.
Active Directory
In Active Directory, objects are organized in a number of levels such as domains,
trees and forests. At the top of the structure is the forest. A forest is a collection of
multiple trees that share a common global catalog, directory schema, logical
structure, and directory configuration. In a multi-domain forest, each domain
contains only those items that belong in that domain. Global Catalog servers provide
a global list of all objects in a forest.
ZoneDirector support for Active Directory authentication includes the ability to query
multiple Domain Controllers using Global Catalog searches. To enable this feature,
you will need to enable Global Catalog support and enter an Admin DN (distin-
guished name) and password.
Depending on your network structure, you can configure ZoneDirector to authenti-
cate users against an Active Directory server in one of two ways:
Single Domain Active Directory Authentication
Multi-Domain Active Directory Authentication
Single Domain Active Directory Authentication
To enable Active Directory authentication for a single domain:
Using an External AAA Server
Active Directory
158 Ruckus Wireless, Inc.
1Go to Configure > AAA Servers, and click Create New under Authentication/
Accounting Servers. The Create New form appears.
2In Type, Select Active Directory.
•In Encryption, select Enable TLS encryption if you want to encrypt all
authentication traffic between the client and the Active Directory server. The
AD server must support TLS1.0/TLS1.1/TLS1.2.
3Do not enable Global Catalog support.
4Enter the IP address and Port of the AD server. The default Port number (389,
or 636 if you have enabled TLS encryption) should not be changed unless you
have configured your AD server to use a different port.
5Enter the Windows Domain Name (e.g., domain.ruckuswireless.com).
6Click OK.
Figure 93. Enable Active Directory for a single domain
For single domain authentication, admin name and password are not required.
Multi-Domain Active Directory Authentication
For multi-domain AD authentication, an Admin account name and password must
be entered so that ZoneDirector can query the Global Catalog.
To enable Active Directory authentication for multiple domains:
Using an External AAA Server
Active Directory
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 159
1Go to Configure > AAA Servers, and click Create New under Authentication/
Accounting Servers. The Create New form appears.
2In Type, Select Active Directory.
•In Encryption, select Enable TLS encryption if you want to encrypt all
authentication traffic between the client and the Active Directory server. The
AD server must support TLS1.0/TLS1.1/TLS1.2.
NOTE: Note that Secure Active Directory requires the import of a root CA for TLS
encryption. The import option is provided on the Configure > Certificate > Advanced
Options page.
3Select the Global Catalog check box next to Enable Global Catalog support.
4The default port changes to 3268, and the fields for Admin DN and password
appear. The default port number (3268, or 636 if you have enabled TLS
encryption) should not be changed unless you have configured your AD server
to use a different port.
5Leave the Windows Domain Name field empty to search all domains in the
forest.
NOTE: Do NOT enter anything in the Windows Domain Name field. If you enter a
Windows Domain Name, the search will be limited to that domain, rather than the
whole forest.
6Enter an Admin DN (distinguished name) in Active Directory format
(name@xxx.yyy).
7Enter the admin Password, and re-enter the same password for confirmation.
NOTE: The Admin account need not have write privileges, but must able to read
and search all users in the database.
8Click OK to save changes.
9To test your authentication settings, see Testing Authentication Settings.
Using an External AAA Server
LDAP
160 Ruckus Wireless, Inc.
Figure 94. Active Directory with Global Catalog enabled
LDAP
In addition to Microsoft Active Directory, ZoneDirector supports several of the most
commonly used LDAP servers, including:
•OpenLDAP
Apple Open Directory
Novell eDirectory
Sun JES (limited support)
To configure an LDAP server for user authentication:
1Go to Configure > AAA Servers, and click Create New under Authentication/
Accounting Servers. The Create New form appears.
2In Type, Select LDAP.
•In Encryption, select Enable TLS encryption if you want to encrypt all LDAP
authentication traffic between the LDAP client and the LDAP server. The
LDAP server must support TLS1.0/TLS1.1/TLS1.2.
Using an External AAA Server
LDAP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 161
NOTE: Note that Secure LDAP requires the import of a root CA for TLS encryption.
The import option is provided on the Configure > Certificate > Advanced Options
page.
3Enter the IP address and Port of your LDAP server. The default port (389 for
unencrypted, 636 for encrypted) should not be changed unless you have
configured your LDAP server to use a different port.
4Enter a Base DN in LDAP format for all user accounts.
5Format: cn=Users;dc=<Your Domain>,dc=com
6Enter an Admin DN in LDAP format.
•Format: cn=Admin;dc=<Your Domain>,dc=com
7Enter the Admin Password, and reenter to confirm.
8Enter a Key Attribute to denote users (default: uid).
9Click OK to save your changes.
10 If you want to filter more specific settings, see Advanced LDAP Filtering.
NOTE: The Admin account need not have write privileges, but must able to read
and search all users in the database.
Using an External AAA Server
LDAP
162 Ruckus Wireless, Inc.
Figure 95. Creating a new LDAP server object in ZoneDirector
Advanced LDAP Filtering
A search string in LDAP format conforming to RFC 4515 can be used to limit search
results. For example, objectClass=Person limits the search to those whose
“objectClass” attribute is equal to “Person”.
More complicated examples are shown when you mouse over the “show more”
section, as shown in Figure 96 below.
Using an External AAA Server
LDAP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 163
Figure 96. LDAP search filter syntax examples
Group Extraction
By using the Search Filter, you can extract the groups to which a user belongs, as
categorized in your LDAP server. Using these groups, you can attribute Roles within
ZoneDirector to members of specific groups.
For example, in a school setting, if you want to assign members of the group
“students” to a Student role, you can enter a known student’s name in the Test
Authentication Settings section, click Test, and return the groups that the user
belongs to. If everything is configured correctly, the result will display the groups
associated with the student, which should include a group called “student” (or
whatever was configured on your LDAP server).
Next, go to the Configure > Roles page, create a Role named “Student,” and enter
“student” in the Group Attributes field. Then you can select which WLANs you want
this Role to have access to, and decide whether this Role should have Guest Pass
generation privileges and ZoneDirector administration privileges. From here on, any
user associated to the Group “student” will be given the same privileges when he/
she is authenticated against your LDAP server.
To configure user roles based on LDAP group:
1Point ZoneDirector to your LDAP server:
•Go to Configure > AAA Servers
Click Edit next to LDAP
Mouse over
“show more”
Using an External AAA Server
RADIUS / RADIUS Accounting
164 Ruckus Wireless, Inc.
•Enter IP address, Port number, Admin DN and Password
2Enter the Key Attribute (default: uid).
3Click OK to save this LDAP server.
4In Test Authentication Settings, enter the User Name and Password for a known
member of the relevant group.
5Click Tes t .
6Note the Groups associated with this user.
Figure 97. Test authentication settings
7Go to Configure > Roles, and create a Role based on this User Group (see
Creating New User Roles).
Click the Create New link in the Roles section.
In the Group Attributes field, enter Group attributes exactly as they were
returned from the Test Authentication Settings dialog.
Specify WLAN access, Guest Pass generation and ZoneDirector administra-
tion privileges as desired for this Role.
At this point, any user who logs in and is authenticated against your LDAP server
with the same Group credentials will automatically be assigned to this Role.
RADIUS / RADIUS Accounting
Remote Authentication Dial In User Service (RADIUS) user authentication requires
that ZoneDirector know the IP address, port number and Shared Secret of the
RADIUS/RADIUS Accounting server. When an external RADIUS/RADIUS
Accounting server is used for authentication or accounting, user credentials can be
entered as a standard username / password combination, or client devices can be
limited by MAC address. If using MAC address as the authentication method, you
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 165
must enter the MAC addresses of each client on the AAA server, and any clients
attempting to access your WLAN with a MAC address not listed will be denied
access.
A RADIUS/RADIUS Accounting server can be used with 802.1X, MAC authentica-
tion, Web authentication (captive portal) and Hotspot WLAN types.
To configure a RADIUS / RADIUS Accounting server entry in ZoneDirector:
1Go to Configure > AAA Servers.
2Click the Create New link under Authentication/Accounting Servers.
3Select Radius or Radius Accounting for the AAA server type.
If you want to enable encryption of RADIUS packets using Transport Layer
Security (TLS), select the TLS check box next to Encryption. This allows
RADIUS authentication and accounting data to be passed safely across
insecure networks such as the Internet.
NOTE: Note that Secure RADIUS requires the import of a root CA for TLS
encryption. The RADIUS or RADIUS Accounting server must support TLS1.1/
TLS1.2. The import option is provided on the Configure > Certificate > Advanced
Options page.
4Choose PAP or CHAP according to the authentication protocol used by your
RADIUS server.
5Enter the IP Address, Port number and Shared Secret.
6Click OK to save changes.
Configuring a Backup RADIUS / RADIUS Accounting
Server
If a backup RADIUS or RADIUS Accounting server is available, enable the check
box next to Backup RADIUS and additional fields appear. Enter the relevant
information for the backup server and click OK. When you have configured both a
primary and backup RADIUS server, an additional option will be available in the Test
Authentication Settings section to choose to test against the primary or the backup
RADIUS server.
To configure a backup RADIUS / RADIUS Accounting server:
1Click the check box next to Enable Backup RADIUS support.
Using an External AAA Server
RADIUS / RADIUS Accounting
166 Ruckus Wireless, Inc.
2Enter the IP Address, Port number and Shared Secret for the backup server
(these fields can neither be left empty nor be the same values as those of the
primary server).
3In Request Timeout, enter the timeout period (in seconds) after which an
expected RADIUS response message is considered to have failed.
4In Max Number of Retries, enter the number of failed connection attempts
after which ZoneDirector will failover to the backup RADIUS server.
5In Max Number of Consecutive Drop Packets, enter a value from 1-10
consecutive dropped packets, after which ZoneDirector will failover to the
backup RADIUS server.
6In Reconnect Primary, enter the number of minutes after which ZoneDirector
will attempt to reconnect to the primary RADIUS server after failover to the
backup server.
Figure 98. Enable backup RADIUS server
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 167
Figure 99. Test authentication settings against backup RADIUS server
MAC Authentication with an External RADIUS Server
To begin using MAC authentication:
1Ensure that a RADIUS server is configured in ZoneDirector (Configure > AAA
Servers > RADIUS Server). See Using an External AAA Server.
2Create a user on the RADIUS server using the MAC address of the client as both
the user name and password. The MAC address format can be configured in
one of the following formats:
A single string of characters without punctuation: aabbccddeeff
Colon separated: aa:bb:cc:dd:ee:ff
Hyphen separated: aa-bb-cc-dd-ee-ff
All caps: AABBCCDDEEFF
All caps hyphenated: AA-BB-CC-DD-EE-FF
All caps colon separated: AA:BB:CC:DD:EE:FF
3Log in to the ZoneDirector web interface, and go to Configure > WLANs.
4Click the Edit link next to the WLAN you would like to configure.
5Under Authentication Options: Method, select MAC Address.
6Under Authentication Server, select your RADIUS Server.
Using an External AAA Server
RADIUS / RADIUS Accounting
168 Ruckus Wireless, Inc.
7Select the MAC Address Format according to your RADIUS server’s
requirements.
8Click OK to save your changes.
Figure 100. RADIUS authentication using MAC address
You have completed configuring the WLAN to authenticate users by MAC address
from a RADIUS server.
Using 802.1X EAP + MAC Address Authentication
With the 802.1X EAP + MAC Address authentication method, clients configured
with either “open” or EAP-MD5 authentication methods are both supported on the
same WLAN. The encryption method is limited to “none,” and an external RADIUS
server is required.
NOTE: This option will only work if you have a supplicant that supports this behavior,
and currently no known public domain supplicants support this behavior.
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 169
When ZoneDirector authenticates a client, MAC authentication is checked first,
followed by the EAP process. When the client tries to associate, if MAC authenti-
cation succeeds, the client is authorized directly and allowed to pass traffic without
any further EAP authentication required.
If MAC authentication fails, the EAP authentication process begins and the client
must provide a valid EAP account before access is granted.
You can view the actual authentication method used (MAC address or EAP) from
the Monitor > Wireless Clients page.
Figure 101. The Monitor > Wireless Clients page shows the actual authentication method
used for clients in an 802.1X EAP + MAC Address authentication WLAN
Using 802.1X with EAP-MD5
EAP-MD5 differs from other EAP methods in that it only provides authentication of
the EAP peer to the EAP server but not mutual authentication. ZoneDirector
supports 802.1X authentication with EAP-MD5 using either ZoneDirector’s internal
database or an external RADIUS server.
To configure a WLAN for EAP-MD5 authentication:
1Go to Configure > WLANs and click the Edit link next to the WLAN you would
like to configure.
2Under Authentication Options: Method, select 802.1X EAP.
3Under Encryption Options: Method, select None.
4Under Authentication Server, select either Local Database or a previously
configured RADIUS server from the list.
5Click OK to save your changes.
Using an External AAA Server
RADIUS / RADIUS Accounting
170 Ruckus Wireless, Inc.
RADIUS Attributes
Ruckus products communicate with an external RADIUS server as a RADIUS client.
Packets from Ruckus products are called “access-request” or “accounting-request”
messages. The RADIUS server, in turn, sends an “access-challenge“, “access-
accept” or “access-reject” message in response to an access-request, and an
“accounting-response” message in response to an accounting-request.
RADIUS Attribute Value Pairs (AVP) carry data in both the request and the response
messages. The RADIUS protocol also allows vendor specific attributes (VSA) to
extend the functionality of the protocol. The following tables list the RADIUS
attributes used in these messages between ZoneDirector and the RADIUS/RADIUS
Accounting server based on which type of authentication is used for the WLAN.
Tab l e 102 lists the attributes used in authentication, and Ta b l e 1 8 lists those used
in accounting.
ZoneDirector will terminate a user session if it receives a Change of Authorization-
Disconnect Message (COA-DM) from the RADIUS server. The COA-DM message
may be used when a client changes service levels. For instance, a new user may
initially connect to a free, low-rate service on one WLAN. When they purchase
access on a higher-rate service, RADIUS will send a COA-DM message to ZoneDi-
rector, causing the user to re-connect to an alternative WLAN. COA-DM may also
be used to remove a client if a user exceeds their total bandwidth allowance or time
on the network.
Notation “==>” below indicates this value is generated external to AP/ZoneDirector.
In the case of EAP payload, this is generated by a wireless client and encapsu-
lated in the RADIUS access-request packet.
In the case of a “state” attribute, it indicates that an access-request packet is a
response to the last received access-challenge packet by copying the “state”
AVP unmodified.
As for the “class” attribute, it is parsed and stored from an access-accept packet
and then subsequently used in accounting-request packets.
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 171
RADIUS Authentication attributes
Figure 102. RADIUS attributes used in authentication
WLAN Type Attributes
802.1X / MAC
Auth
Sent from ZoneDirector in Access Request messages:
(1) User name
(4) NAS IP Address (optional; prefer sending NAS ID)
(5) NAS Port
(6) Service Type: hard-coded to be Framed-User(2)
(12) Framed MTU: hard-coded to be 1400
(30) Called Station ID: user configurable
(31) Calling Station ID: format is sta's mac
(32) NAS Identifier: user configurable
(61) NAS Port Type: hard-coded to be 802.11 port (19)
(77) Connection Info: indicates client radio type
==> (79) EAP payload
==> (24) State: if radius access-challenge in last received radius msg
from AAA
(80) Message Authenticator
(95) NAS IPv6 address (if using/talking to an IPv6 RADIUS server)
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)
Using an External AAA Server
RADIUS / RADIUS Accounting
172 Ruckus Wireless, Inc.
802.1X / MAC
Auth
Sent from RADIUS server in Access Accept messages:
(1) User name
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
(25) Class
(27) Session-timeout & (29) Termination-action: Session-timeout event
becomes a disconnect event or re-authentication event if termination-
action indicates "(1) radius-request"
(85) Acct-interim-interval
For Dynamic VLAN application:
(64) Tunnel-Type: value only relevant if it is (13) VLAN
(65) Tunnel-Medium-Type: value only relevant if it is (6) 802 (as in all 802
media plus ethernet)
(81) Tunnel-Private-Group-ID: this is the VLAN ID assignment (per RFC,
this is between 1 and 4094)
Administrator Authentication:
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 1 (Ruckus-User-Groups)
Value Format: group_attr1, group_attr2, group_attr3, ...
Cisco private attribute:
Vendor ID: 9
Vendor Type/ Attribute Number: 1 (Cisco-AVPair)
Value Format: shell:roles="group_attr1 group_attr2 group_attr3 ..."
Figure 102. RADIUS attributes used in authentication
WLAN Type Attributes
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 173
RADIUS Accounting attributes
The following table lists attributes used in RADIUS accounting messages.
WISPr / Web
Auth / Guest
Access
Additional attributes supported in WISPr WLANs (**generic attributes
NOT the same as non-WISPr/802.1X)
(1) User name
(2) Password or (3) CHAP-Password
(4) NAS IP Address
(6) Service Type: hardcoded to be Framed-User(2)
(8) Framed IP address
(30) Called Station ID: user configurable
(31) Calling Station ID: format is sta's mac
(32) NAS Identifier: user configurable
(44) Account session ID
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)
WISPr vendor specific attribute (vendor id = 14122)
(1) WISPr location id
(2) WISPr location name
(4) WISPr redirection URL
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
(80) Message Authenticator
Figure 102. RADIUS attributes used in authentication
WLAN Type Attributes
Using an External AAA Server
RADIUS / RADIUS Accounting
174 Ruckus Wireless, Inc.
Table 18. RADIUS attributes used in Accounting
WLAN Type Attribute
802.1X / MAC
Auth
Common to Start, Interim Update, and Stop messages
(1) User Name
(4) NAS IP Address
(5) NAS Port
(8) Framed IP
(30) Called Station ID: user configurable
(31) Calling Station ID: format is sta's mac
(32) NAS Identifier: user configurable
(40) Status Type: start, stop, interim-update
(45) Authentic: radius-auth (1)
(50) Acct-Multi-Session-ID
(61) NAS Port Type: hard-coded to be 802.11 port (19)
(77) Connection Info: indicates client radio type
==> (25) Class: if received in radius-accept message from AAA
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)
802.1X / MAC
Auth
Specific to Interim Update and Stop messages:
(8) Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 2 (Ruckus-Sta-RSSI)
(42) Input Octets
(43) Output Octets
(44) Session ID
(46) Session Time
(47) Input Packets
(48) Output Packets
(52) Input Gigawords (only appears when received bytes > 4 GB)
(53) Output Gigawords (only appears when transmitted bytes > 4 GB)
(55) Event Timestamp
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 175
802.1X / MAC
Auth
Specific to Stop messages:
(49) Terminate Cause: user-request, lost-carrier, lost-service, session-
timeout, admin-reset, admin-reboot, supplicant-restart, idle timeout
802.1X / MAC
Auth
Sent from RADIUS server in Accept messages:
(1) User name
(25) Class
(85) Acct-interim-interval
(27) Session-timeout & (29) Termination-action: Session-timeout event
becomes a disconnect event or re-authentication event if termination-
action indicates "(1) radius-request"
For Dynamic VLAN application:
(64) Tunnel-Type: value only relevant if it is (13) VLAN
(65) Tunnel-Medium-Type: value only relevant if it is (6) 802 (as in all 802
media plus Ethernet)
(81) Tunnel-Private-Group-ID: this is the VLAN ID assignment (per RFC,
this is between 1 and 4094)
Table 18. RADIUS attributes used in Accounting
WLAN Type Attribute
Using an External AAA Server
RADIUS / RADIUS Accounting
176 Ruckus Wireless, Inc.
WISPr / Web
Auth / Guest
Access
Common to Start, Interim Update, and Stop messages:
(1) User name
(2) Password
(4) NAS IP address
(5) NAS port
(8) Framed-IP
(30) Called station ID: user configurable
(31) Calling station ID
(32) NAS Identifier: user configurable
(45) Acct authentic
(50) Acct-Multi-Session-Id
(61) NAS port type
(77) Connection Info: indicates client radio type
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 3 (Ruckus-SSID)
Additional attributes supported in WISPr WLANs:
WISPr vendor specific attributes (vendor id = 14122)
(1) WISPr location id
(2) WISPr location name
(4) WISPr redirection URL
(7) WISPr Bandwidth-Max-Up: Maximum transmit rate (bits/second)
(8) WISPr Bandwidth-Max-Down: Maximum receive rate (bits/second)
Table 18. RADIUS attributes used in Accounting
WLAN Type Attribute
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 177
Configuring Microsoft IAS for PAP Authentication
If you are using Microsoft Internet Authentication Service (IAS) as your RADIUS
server and PAP authentication, you will need to configure your user/group profiles
to use only PAP authentication rather than the default (MS-CHAP). If you selected
CHAP under “RADIUS / RADIUS Accounting”, you do not need to configure IAS for
PAP authentication.
To configure user/group profiles for PAP authentication:
1From the Internet Authentication Service main page, select the user or group for
which you want to configure PAP authentication.
2Right-click the user or group and select Properties to open the [user/group
name] Properties dialog box.
3On the Properties dialog box, click Edit Profile.... The Edit Dial-in Profile dialog
box opens.
4Click the Authentication tab at the top of the screen.
5Select Unencrypted authentication (PAP, SPAP).
WISPr / Web
Auth / Guest
Access
Specific to Interim Update and Stop messages:
(42) Acct input octets
(43) Acct output octets
(44) Acct session ID
(46) Acct session time
(47) Acct input packets
(48) Acct output packets
(52) Acct input giga words
(53) Acct output giga words
(55) Event timestamp
Ruckus private attribute:
Vendor ID: 25053
Vendor Type / Attribute Number: 2 (Ruckus-Sta-RSSI)
Additional attributes supported in WISPr WLANs:
WISPr vendor specific attributes (vendor id = 14122)
(1) WISPr location id
(2) WISPr location name
Table 18. RADIUS attributes used in Accounting
WLAN Type Attribute
Using an External AAA Server
RADIUS / RADIUS Accounting
178 Ruckus Wireless, Inc.
6Click OK.
7Repeat this procedure for additional users or groups.
Figure 103. On the Microsoft IAS page, right-click the user/group and select Properties.
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 179
Figure 104. On the Properties page, click Edit Profile...
Figure 105. On the Authentication tab of the Edit Dial-in Profile dialog, select Unencrypted
authentication (PAP, SPAP)
Using an External AAA Server
RADIUS / RADIUS Accounting
180 Ruckus Wireless, Inc.
You have completed configuring Microsoft IAS for PAP authentication.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is an Authen-
tication, Authorization and Accounting protocol used to authenticate ZoneDirector
administrators. ZoneDirector admins can be assigned any of the same three
administration privilege levels that can be set manually on the Configure > Roles
page:
Super Admin (Perform all configuration and management tasks)
Operator Admin (Change settings affecting single AP's only)
Monitoring Admin (Monitoring and viewing operation status only)
TACACS+ is an extensible AAA protocol that provides customization and future
development features, and uses TCP to ensure reliable delivery. The daemon should
listen at port 49 which is the "login" port assigned for the TACACS protocol.
To authenticate ZoneDirector admins using a TACACS+ AAA server:
1Go to Configure > AAA Servers.
2In Authentication/Accounting Servers, click Create New.
3Enter a Name for the TACACS+ server, and select TACACS+ for Type.
4Enter the server’s IP address and do not change the Port setting from the default
port 49 (in general).
5In TACACS+ Service, enter a string of up to 64 characters. This name must
match the name of the service configuration table on the TACACS+ server. Click
OK to save your changes.
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 181
Figure 106. Configuring a TACACS+ AAA server
Once your TACACS+ server is configured on the AAA Servers page, you can select
it from the list of servers used to authenticate ZoneDirector administrators on the
Administer > Preferences page.
Using an External AAA Server
RADIUS / RADIUS Accounting
182 Ruckus Wireless, Inc.
Figure 107. Select TACACS+ for ZoneDirector administrator authentication
Testing Authentication Settings
The Test Authentication Settings feature allows you to query an AAA server for a
known authorized user, and return Groups associated with the user that can be
used for configuring Roles within ZoneDirector.
After you have configured one or more authentication servers in ZoneDirector,
perform this task to ensure that ZoneDirector can connect to the authentication
server and retrieve the groups/attributes that you have configured for each user
account.
NOTE: If testing against a RADIUS server, this feature uses PAP or CHAP depending
on the RADIUS server configuration and the choice you made in “RADIUS / RADIUS
Accounting” above. Make sure that either PAP or CHAP is enabled on the Remote
Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing
with testing authentication settings.
Using an External AAA Server
RADIUS / RADIUS Accounting
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 183
1On the Configure > AAA Servers page, locate the Test Authentication Settings
section.
2Select the authentication server that you want to use from the Test Aga i n st
drop-down menu.
3In User Name and Password, enter an Active Directory, LDAP or RADIUS user
name and password.
4Click Tes t .
If ZoneDirector was able to connect to the authentication server and retrieve the
configured groups/attributes, the information appears at the bottom of the page.
The following is an example of the message that will appear when ZoneDirector
authenticates successfully with the server:
Success! Groups associated with this user are
“{group_name}”. This user will be assigned a role of
{role}.
If the test was unsuccessful, there are three possible results (other than success)
that will be displayed to inform you if you have entered information incorrectly:
Admin invalid
User name or password invalid
Search filter syntax invalid (LDAP only)
These results can be used to troubleshoot the reasons for failure to authenticate
users from an AAA server through ZoneDirector.
Using an External AAA Server
RADIUS / RADIUS Accounting
184 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 185
4
Managing a Wireless Local Area
Network
In this chapter:
Overview of Wireless Networks
About Ruckus Wireless WLAN Security
Creating a WLAN
Creating a Copy of an Existing WLAN for Workgroup Use
Customizing WLAN Security
Working with WLAN Groups
Deploying ZoneDirector WLANs in a VLAN Environment
Working with Hotspot Services
Creating a Hotspot 2.0 Service
Working with Dynamic Pre-Shared Keys
Bypass Apple CNA
Overview of Wireless Networks
186 Ruckus Wireless, Inc.
Overview of Wireless Networks
Once you have completed the ZoneDirector Setup Wizard, you have a fully functional
wireless network, based on two secure WLANs (if you enabled the optional guest
WLAN) with access for authorized users and guests. The default WLAN provides
Zero-IT connectivity to allow users to automatically provision their client devices with
WLAN settings the first time they connect. The guest WLAN provides visitors to your
organization with a connection to the Internet, but not to your internal corporate
network.
There are several scenarios in which you will want to create additional WLANs, in
addition to the default internal and guest WLANs:
To limit certain WLANs to groups of qualified users, to enhance security and
efficiency (for example, an “Engineering” WLAN with a closed roster of users).
To configure a specific WLAN with different security settings. For example, you
may need a WLAN that utilizes WEP encryption for wireless devices that only
support WEP-key encryption.
To create special WLANs with different settings for specific purposes. For
example, a VoIP WLAN for voice traffic with Background Scanning and load
balancing disabled, or a student WLAN that is only available during school hours.
In the first scenario, specific WLANs (esp. regarding authentication and encryption
algorithm) can be set up that support specific groups of users. This requires a two-
step process: (1) create the custom WLAN and link it to qualified user accounts by
“roles,” and (2) assist all qualified users to prepare their client devices for custom
WLAN connection.
As a result, you will have the default WLAN for authorized internal users, a guest
WLAN for visitors and any needed WLANs that fulfill different wireless security or
user segmentation requirements.
The maximum number of WLANs configurable per ZoneDirector controller are as
follows:
Figure 108. Max WLANs by ZoneDirector model
Model Max WLANs
ZoneDirector 1200 256
ZoneDirector 3000 1024
ZoneDirector 5000 2048
About Ruckus Wireless WLAN Security
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 187
On single and dual-band 802.11n APs, the maximum number of service WLANs
deployable per AP radio is 27. These APs support maximum 32 SSIDs per radio,
but five are reserved (two mesh SSIDs and one each for monitor, recovery and scan).
802.11ac APs support up to 27 service WLANs on the 2.4 GHz radio and 13 service
WLANs on the 5 GHz radio.
CAUTION! Deploying a large number of WLANs per AP will have a performance
impact. Ruckus Wireless recommends deploying no more than eight WLANs per
AP radio.
About Ruckus Wireless WLAN Security
One of the first things you should decide for each WLAN you create is which methods
of authentication and encryption to use for both internal users and guests.
Authentication options include:
•Open
802.1X EAP
MAC Address
802.1X EAP + MAC Address
Encryption options depend on which type of authentication is chosen. Open
authentication allows the use of WPA2, WEP or no encryption. Open authentication/
WPA2 encryption WLANs (also known as WPA-Personal) are the most common
type of WLAN and should be the default configuration if there are no special
requirements for authentication or encryption.
The 802.1X EAP (WPA-Enterprise) authentication method provides effective authen-
tication regardless of whether you deploy WEP, WPA2 or no encryption, and requires
a back-end authentication server.
You can also choose to authenticate clients by MAC address. MAC address
authentication requires a RADIUS server and uses the MAC address as the user
login name and password.
The 802.1X EAP + MAC Address authentication option allows clients to authenticate
to the same WLAN using either MAC address or 802.1X authentication. (However,
this requires that the supplicant support this feature, which no public domain
supplicants currently do.)
Creating a WLAN
188 Ruckus Wireless, Inc.
All client authentication options (Open, 802.1X, MAC, and 802.1X+MAC) are
detailed in Creating a WLAN, and you can learn how to apply them to your WLANs
in the same section.
Creating a WLAN
To create a new WLAN:
1Go to Configure > WLANs. The first table displays all WLANs that have already
been created in ZoneDirector.
2In the top section (WLANs), click Create New. The Create New workspace
displays the following:
Figure 109. Creating a new WLAN
The WLAN Create New workspace includes the following configuration options
used to customize your new WLAN. The individual options are explained in detail in
the next section, beginning with General Options.
Table 19. Create new WLAN options
Option Description
General Options Enter WLAN name and description.
Creating a WLAN
General Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 189
3When you finish, click OK to save the entries. This WLAN is ready for use.
4You can now select from these WLANs when assigning roles to users, as detailed
in Creating New User Roles.
General Options
Name/ESSID: Type a short name for this WLAN. The SSID must contain between
1 and 32 characters. Allowable characters include printable ASCII characters
from space (char 32) to ~ (char 126). A space can be used in the name, but the
name cannot begin or end with a space character. If a space is included at the
beginning or end of the ESSID, it will be automatically removed. If a disallowed
ASCII character (not within the range 32-126) is included, an error message will
appear.
WLAN Usages Select usage type (standard, guest access,
hotspot, autonomous).
Authentication Options Select an authentication method for this WLAN
(open, 802.1X EAP, MAC address, 802.1X EAP +
MAC Address).
Encryption Options Select encryption method (WPA2, WPA-Mixed,
WEP, or None), encryption algorithm (AES or Auto
AES+TKIP) and enter a WPA passphrase/WEP key.
Options Select whether web-based authentication (captive
portal) will be used, and which type of
authentication server will be used to host
credentials (local database, Active Directory,
RADIUS, LDAP).
Also, enable or disable Wireless Client Isolation,
Zero-IT Activation, Dynamic PSK and Priority for
this WLAN.
Advanced Options Select accounting server, ACLs, rate limiting,
VLAN/dynamic VLAN settings, tunneling,
Background Scanning, maximum client threshold,
and service schedule.
Table 19. Create new WLAN options
Option Description
Creating a WLAN
WLAN Usage Types
190 Ruckus Wireless, Inc.
In general, the WLAN name is the same as the advertised SSID (the name of
the wireless network as displayed in the client’s wireless configuration
program). However, you can also separate the ESSID from the WLAN name
by entering a name for the WLAN in the first field, and a broadcast SSID in
the second field. In this way, you can advertise the same SSID in multiple
locations (controlled by the same ZoneDirector) while still being able to
manage the different WLANs independently. Each WLAN “name” must be
unique within ZoneDirector, while the broadcast SSID can be the same for
multiple WLANs.
Description: Enter a brief description of the qualifications/purpose for this WLAN,
e.g., “Engineering” or “Voice.”
WLAN Usage Types
Each WLAN must be configured as one of the following five usage types:
Standard Usage: To create a WLAN with specific options, choose “Standard
Usage.”
Guest Access: Select a default “Guest Access” WLAN with open access and
customizable encryption (see Configuring Guest Access). Guest WLANs are
subject to guest access policies, such as redirection and subnet access restric-
tions.
CAUTION! When Guest Access or Wireless Client Isolation (below) is enabled, the
SpeedFlex Wireless Performance tool may not function properly. For example,
SpeedFlex may be inaccessible to users at http://{zonedirector-ip-
address}/perf or SpeedFlex may prompt you to install the SpeedFlex
application on the target client, even when it is already installed. Before using
SpeedFlex, verify that both Guest Usage and Wireless Client Isolation options are
disabled. For more information on SpeedFlex, refer to Measuring Wireless Network
Throughput with SpeedFlex.
Hotspot Service (WISPr): Create a Hotspot WLAN. A Hotspot service must
first have been created (Configure > Hotspot Services) before it will be available
for selection. See Creating a Hotspot Service.
Hotspot 2.0: Create a Hotspot 2.0 WLAN. A Hotspot 2.0 Operator must first
have been created (Configure > Hotspot 2.0 Services) before it will be available
for selection. See Creating a Hotspot 2.0 Service.
Creating a WLAN
Authentication Method
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 191
Autonomous: Autonomous WLANs are special WLANs designed to continue
providing service to clients when APs are disconnected from ZoneDirector. See
Autonomous WLANs.
Autonomous WLANs
The Autonomous WLAN usage type supports Open authentication and WPA2
(WPA2/WPA-Mixed), WEP or no encryption only. In this configuration, client authen-
tication/association requests are processed at the access point and are not
forwarded to ZoneDirector. The AP maintains connections to authorized clients and
continues providing wireless service after disconnection from ZoneDirector.
NOTE: If AP Auto Recovery is enabled (Configure > Access Points > Access Point
Policies), the APs will reboot after the specified time. Therefore Auto Recovery
should be disabled if at least one Autonomous WLAN is configured.
There are several limitations of autonomous WLANs, including:
ZoneDirector displayed client statistics may be incorrect.
Stations may be disconnected when an unreachable ZoneDirector becomes
reachable again, as ZoneDirector will re-deploy all WLAN services to AP radios.
Client capacity limits defined on ZoneDirector will not be applied on Autonomous
WLAN APs, and clients may be disconnected upon reconnecting to ZoneDi-
rector if those limits are reached.
The following features are not supported with Autonomous WLANs:
Zero-IT, Dynamic PSK, Dynamic VLAN, Web Auth, Accounting server, Tunnel
Mode, Grace Period, Force DHCP, Client Fingerprinting, Auto Proxy, Service
Schedules.
ZoneDirector’s Blocked Clients list will not be enforced on Autonomous
WLANs when a Layer 2 ACL is assigned. To force blocking of these clients,
copy individual clients to the assigned L2 ACL.
Authentication Method
Authentication Method defines the method by which users are authenticated prior
to gaining access to the WLAN. The authentication method is only configurable for
“Standard Usage” type WLANs. For other WLAN types, the authentication method
is dictated by the WLAN type.
ZoneDirector provides the following authentication method options:
Creating a WLAN
Fast BSS Transition
192 Ruckus Wireless, Inc.
Open [Default]: No authentication mechanism is applied to connections. Any
encryption method can be used.
802.1X/EAP: Uses 802.1X authentication against a user database.
MAC Address: Uses the device’s MAC address for both the user name and
password.
802.1X EAP + MAC Address: Allows the use of both authentication methods on
the same WLAN. See Using 802.1X EAP + MAC Address Authentication.
Fast BSS Transition
The Fast BSS Transition feature uses messages and procedures defined in 802.11r
to allow continuous connectivity for wireless devices in motion, with fast and secure
handoffs from one AP to another. A fast BSS transition is a BSS transition in the
same mobility domain that establishes the state necessary for data connectivity
before the re-association rather than after the re-association. In this way, clients that
support the 11r standard (including iOS devices) can achieve significantly faster
roaming between APs.
Encryption Options
Encryption choices include WPA2, WPA-Mixed, WEP-64, WEP-128 and None.
WPA2 is the only encryption method certified by the Wi-Fi Alliance and is the
recommended method.
WEP has been proven to be easily circumvented, and Ruckus Wireless recommends
against using WEP if possible.
Method
WPA2: Enhanced WPA encryption that complies with the 802.11i security
standard.
WPA-Mixed: Allows mixed networks of WPA and WPA2 compliant devices. Use
this setting if your network has a mixture of older clients that only support WPA
and TKIP, and newer client devices that support WPA2 and AES. **Note that
selection of WPA-Mixed disables the ability to use Zero-IT for this WLAN.
WEP-64: Provides a lower level of encryption, and is less secure, using shared
key 40-bit WEP encryption.
WEP-128: Provides a higher level of encryption than WEP-64, using a shared
104-bit key for WEP encryption. However, WEP is inherently less secure than
WPA2.
Creating a WLAN
Encryption Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 193
None: No encryption; communications are sent in clear text.
CAUTION! If you set the encryption method to WEP-64 (40 bit) or WEP-128 (104
bit) and you are using an 802.11n or 802.11ac AP for the WLAN, the WLAN will
operate in 802.11g mode.
Algorithm (Only for WPA2 or WPA-Mixed encryption methods)
AES: This algorithm provides enhanced security over TKIP, and is the only
encryption algorithm supported by the 802.11i standard. Choose AES encryp-
tion if you are confident that all of your clients will be using 802.11i-compliant
NICs.
Auto: Automatically selects TKIP or AES encryption based on the client’s
capabilities. Note that since it is possible to have clients using both TKIP and
AES on the same WLAN, only unicast traffic is affected (broadcast traffic must
fall back to TKIP; therefore, transmit rates of broadcast packets from 11n APs
will be at lower 11g rates).
CAUTION! If you set the encryption algorithm to TKIP and you are using an 802.11n
or 802.11ac AP for the WLAN, the WLAN will operate in 802.11g mode.
CAUTION! If you set the encryption algorithm to TKIP, the AP will only be able to
support up to 26 clients. When this limit is reached, additional clients will be unable
to associate with the AP.
WEP Key/Passphrase
WEP Key: WEP methods only. Click in the Hex field and type the required key
text. If the key is for WEP-64 encryption, the key text must consist of 10
hexadecimal characters. If it is for WEP-128 encryption, enter a key 26 charac-
ters in length. Alternatively, click Generate to have ZoneDirector automatically
generate a WEP key.
Passphrase: WPA-PSK methods only. Click in this field and type the text of the
passphrase used for authentication.
Creating a WLAN
Encryption Options
194 Ruckus Wireless, Inc.
Options
Web Authentication: [Available only with “Open” authentication.] Click the check
box to require all WLAN users to complete a web-based login to this network
each time they attempt to connect (see Activating Web Authentication).
Authentication Server: When “Web Authentication” is active, use this option to
designate the server used to authenticate web-based user login. When “802.1X”
or “MAC Address” authentication is active, use this option to designate the server
used to authenticate users (without web authentication). Options include Local
Database, RADIUS server, Active Directory and LDAP. When one of these
authentication server types is selected (other than “Local Database”), you will
need to point ZoneDirector to the proper authentication server configured on the
Configure > AAA Servers page (see Using an External Server for User
Authentication).
Wireless Client Isolation: Enable Wireless Client Isolation to prevent communi-
cation between WLAN clients and other local network resources.
Isolate wireless client traffic from other clients on the same AP: Prevents
clients connected to the same AP from communicating with each other, but
does not prevent clients from communicating with other hosts connected to
different APs on the same subnet.
Isolate wireless client traffic from all hosts on the same VLAN/subnet:
Enable this option to prevent clients from communicating with any other host
on the network, unless they are specifically allowed in a white list. A Client
Isolation White List must first be created on the Configure > Access Control
page before appearing here (see Configuring Client Isolation White Lists).
Zero-IT Activation: Enable this option to activate ZoneDirector's share in the
automatic “new user” process, in which the new user's PC is easily and quickly
configured for WLAN use. For more information, see Enabling Automatic User
Activation with Zero-IT.
Dynamic PSK: Dynamic PSK is available when you have enabled Zero-IT
Activation. When a client is activated, ZoneDirector provisions the user with a
pre-shared key. This per-user key does not expire by default. If you want to set
an expiration for Dynamic PSKs, you can do so from the drop-down menu further
down the page. For more information, see Working with Dynamic Pre-Shared
Keys.
Creating a WLAN
Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 195
Priority: Set the priority of this WLAN to Low if you would prefer that other WLAN
traffic takes priority. For example, if you want to prioritize internal traffic over guest
WLAN traffic, you can set the priority in the guest WLAN configuration settings
to “Low.” By default all WLANs are set to high priority.
Advanced Options
The advanced options can be used to configure special WLANs; for example, you
might want to create a special WLAN for VoIP phone use only, or create a student
WLAN that should be time-controlled to provide access only during school hours.
Accounting Server: If you added a RADIUS Accounting server on the AAA servers
page, select the RADIUS Accounting server from the drop-down list, and then
set the accounting update interval in Send Interim-Update every x minutes.
Valid Interim-Update values are 0-1440. Setting the value to 0 disables periodic
interim updates to the accounting server, but client IP changes are still sent to
the RADIUS Accounting server.
Access Controls: Toggle this drop-down list to select Access Control Lists (L2
or L3/L4), Device Policy and Precedence Policy to apply to this WLAN. An access
control entry must be created before being available here. For more information,
see Controlling Network Access Permissions.
Enable Role based Access Control Policy: This feature allows different user
groups to have different access policies based on their user roles using the same
WLAN. See Role Based Access Control Policy.
Call Admission Control (Disabled by default): Enable Wi-Fi Multimedia Admission
Control (WMM-AC) to support Polycom/Spectralink VIEW certification. When
enabled, the AP announces in beacons if admission control is mandatory or not
for various access categories and admits only the traffic streams it can support
based on available network resources. When network resources are not suffi-
cient to provide this level of performance, the new traffic stream is not admitted.
Call Admission Control is effective only when both AP and the client support
WMM-AC. Ruckus APs are capable of handling hundreds of simultaneous
clients, but when it comes to VoIP traffic, the number of VoIP calls needs to be
policed to ensure adequate voice/video quality. Ruckus recommends limiting
bandwidth allocation to six calls (four active calls and two reserved for roaming)
on the 2.4 GHz radio and 10 calls on the 5 GHz radio (seven active and three
reserved for roaming). Enable this feature if you want this WLAN to serve as a
Creating a WLAN
Advanced Options
196 Ruckus Wireless, Inc.
VoIP WLAN to support Spectralink phones. (You will also need to enable Call
Admission Control on any APs supporting this WLAN from the Configure >
Access Points page.)
Rate Limiting: Rate limiting controls fair access to the network. When enabled,
the network traffic throughput of each network device (i.e., client) is limited to
the rate specified in the traffic policy, and that policy can be applied on either the
uplink or downlink. Toggle the Uplink and/or Downlink drop-down lists to limit
the rate at which WLAN clients upload/download data. The “Disabled” state
means rate limiting is disabled; thus, traffic flows without prescribed limits.
Multicast Filter: When enabled for a WLAN, all client multicast traffic will be
dropped at the AP. Broadcast and unicast frames remain unchanged.
Access VLAN: By default, all wireless clients associated with APs that ZoneDi-
rector is managing are segmented into a single VLAN (with VLAN ID 1). If you
want to tag this WLAN traffic with a different VLAN ID, enter a valid VLAN ID (2-
4094) in the box. Select the Enable Dynamic VLAN check box to allow
ZoneDirector to assign VLAN IDs on a per-user basis. Before enabling dynamic
VLAN, you need to define on the RADIUS server the VLAN IDs that you want to
assign to users. See How Dynamic VLAN Works for more information.
Hide SSID: Activate this option if you do not want the ID of this WLAN advertised
at any time. This will not affect performance or force the WLAN user to perform
any unnecessary tasks.
Tunnel Mode: Select this check box if you want to tunnel the WLAN traffic back
to ZoneDirector. Tunnel mode enables wireless clients to roam across different
APs on different subnets. If the WLAN has clients that require uninterrupted
wireless connection (for example, VoIP devices), Ruckus Wireless recommends
enabling tunnel mode.
NOTE: Note that Wireless Distribution System (WDS) clients, for example,
MediaFlex 7211/2111 adapters, do not work when the ZoneDirector WLAN is in
Tunnel Mode.
NOTE: When tunnel mode is enabled on a WLAN, multicast video packets are
blocked on that WLAN. Multicast voice packets, however, are allowed.
Proxy ARP: When enabled on a WLAN, the AP provides proxy service for stations
when receiving neighbor discovery packets (e.g., ARP request and ICMPv6
Neighbor Solicit messages), and acts on behalf of the station in delivering ARP
Creating a WLAN
Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 197
replies. When the AP receives a broadcast ARP/Neighbor Solicit request for a
known host, the AP replies on behalf of the host. If the AP receives a request for
an unknown host, it forwards the request at the rate limit specified in the Packet
Inspection Filter.
DHCP Relay: Enable DHCP Relay agent to convert broadcast DHCP messages
to unicast in Tunnel Mode WLANs. For more information, see Configuring DHCP
Relay.
Background Scanning: Background scanning enables the Ruckus Wireless
access points to continually scan for the best (least interference) channels and
adjust to compensate. However, disabling Background Scanning may provide
better quality (lower latency) for time-sensitive applications like voice conversa-
tions. If this WLAN will be used primarily as a voice network, select this check
box to disable Background Scanning for this WLAN. You can also disable
Background Scanning per radio (see Background Scanning).
Load Balancing: Client load balancing between APs is disabled by default on all
WLANs. To disable load balancing for this WLAN only (when enabled globally),
check this box. Ruckus Wireless recommends disabling load balancing on VoIP
WLANs. For more information, see Load Balancing.
Band Balancing: Client band balancing between the 2.4 GHz and 5 GHz radio
bands is disabled by default on all WLANs. To disable band balancing for this
WLAN only (when enabled globally), check this box. For more information see
Band Balancing.
Max Clients: Limit the number of clients that can associate with this WLAN per
AP radio (default is 100). You can also limit the total number of clients per AP
using the AP Groups settings. See Modifying Model Specific Controls for more
information.
802.11d: The 802.11d standard provides specifications for compliance with
additional regulatory domains (countries or regions) that were not defined in the
original 802.11 standard. Enable this option if you are operating in one of these
additional regulatory domains. For optimal performance of Apple iOS devices, it
is recommended that you enable this option. Please be aware that some legacy
embedded devices such as wireless barcode scanners may not operate properly
if this option is enabled. This option is enabled by default for any WLANs created
on ZoneDirector version 9.6 or later, and disabled by default for any WLANs
created running earlier versions. If upgrading from a previous version to 9.6 or
later, existing WLANs will retain their original settings.
Creating a WLAN
Advanced Options
198 Ruckus Wireless, Inc.
DHCP Option 82: When this option is enabled and an AP receives a DHCP
request from a wireless client, the AP will encapsulate additional information
(such as VLAN ID, AP name, SSID and MAC address) into the DHCP request
packets before forwarding them to the DHCP server. The DHCP server can then
use this information to allocate an IP address to the client from a particular DHCP
pool based on these parameters. See also DHCP Option 82 for information on
enabling this option for Ethernet ports.
Force DHCP: Enable this option to force clients to obtain a valid IP address from
DHCP within the specified number of seconds. This prevents clients configured
with a static IP address from connecting to the WLAN. Additionally, if a client
performs Layer 3 roaming between different subnets, in some cases the client
sticks to the former IP address. This mechanism optimizes the roaming experi-
ence by forcing clients to request a new IP address.
Client Tx/Rx Statistics: Enable this option to ignore unauthorized client statistics
and report only statistics from authorized clients in device view and other reports.
This can be useful for service providers who are more interested in accounting
statistics (after authorization) than in all wireless client statistics. For example, a
Hotspot WLAN can be configured to allow unauthorized clients to connect and
traverse any walled garden web pages without adding to transmission statistics
(until after authorization).
Application Visibility: Enable this option to allow APs to collect client application
data, which can then be consolidated for use by the Applications and Top 10
Applications by Usage widgets on the Dashboard.
NOTE: Supported APs: H500, R500, R700, T300, 7982, 7372/52, 7055, 7782/81,
SC-8800 series.
When Application Visibility is enabled, the Apply Policy group option becomes
available. Use this option to apply an Application Denial Policy to this WLAN
(see Configure Application Denial Policies).
Client Fingerprinting: When this option is enabled ZoneDirector will attempt to
identify client devices by their Operating System, device type and Host Name,
if available. This makes identifying client devices easier in the Dashboard, Client
Monitor and Client Details screens.
Service Schedule: Use the Service Schedule tool to control which hours of the
day, or days of the week to enable/disable WLAN service. For example, a WLAN
for student use at a school can be configured to provide wireless access only
Creating a WLAN
Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 199
during school hours. Click on a day of the week to enable/disable this WLAN for
the entire day. Colored cells indicate WLAN enabled. Click and drag to select
specific times of day. You can also disable a WLAN temporarily for testing
purposes, for example.
NOTE: This feature will not work properly if ZoneDirector does not have the correct
time. To ensure ZoneDirector always maintains the correct time, configure an NTP
server and point ZoneDirector to the NTP server’s IP address, as described in Setting
the System Time.
NOTE: WLAN service schedule times should be configured based on your
browser’s current timezone. If your browser and the target AP/WLAN are in different
timezones, configure the on/off times according to the desired schedule according
to your local browser. For example if you wanted a WLAN in Los Angeles to turn on
at 9 AM and your browser was set to New York time, please configure the WLAN
service schedule to enable the WLAN at noon. When configuring the service
schedule, all times are based on your browser's timezone setting.
Auto-Proxy: The Auto-Proxy feature automatically configures client browsers
with web proxy settings when the user joins the wireless network. Clients locate
the proxy script according to the Web Proxy Autodiscovery Protocol (WPAD).
WPAD uses discovery methods such as DNS and DHCP Option 252 to locate
the configuration file. To use this feature, you must designate where the wpad.dat
file is to be stored. Click Choose File to upload a wpad.dat file conforming to the
WPAD protocol to ZoneDirector, or select External Server and enter the IP
address of the external DHCP/DNS server where the file is stored.
Internet Explorer supports DNS and DHCP Option 252, while Firefox, Chrome
and Safari support the DNS method only.
If the wpad.dat file is stored on ZoneDirector, only one file can be uploaded
and this file applies to all WLANs that use the ZD-stored file.
Up to 8 wpad.dat files can be saved on external servers in addition to the
single wpad.dat file that can be stored on ZoneDirector.
Creating a WLAN
Advanced Options
200 Ruckus Wireless, Inc.
NOTE: If Wireless Client Isolation, ACLs or Web/Guest Captive Portal are enabled
on the WLAN, an additional ACL may be required to allow wireless clients to access
the web proxy server and ZD Captive Portal redirection page. For more information,
refer to the Auto-Proxy Application Note available from support.ruckuswireless.com.
Inactivity Timeout: Enter a value in minutes after which idle stations will be
disconnected (1 to 10 minutes).
Radio Resource Management: Radio Resource Management utilizes 802.11k
Neighbor Reports, which are sent by the AP to inform clients of the preferred
roaming target AP. The client sends neighbor report request to an AP, and the
AP returns a neighbor report containing information about known neighbor APs
that are candidates for a service set transition.
NOTE: Background Scanning (Configure > Services) and Report Rogue Devices
(Configure > WIPS) must be enabled for 802.11k radio resource management to
work properly. If these options are not enabled, the AP will send neighbor reports
consisting of only APs found on the same channel as the operating channel of the AP.
NOTE: If 802.11k is disabled, fast roaming between APs is achieved using
Opportunistic Key Caching (OKC) and Pairwise Master Key caching (PMK caching).
These methods also require Background Scanning to be enabled. Both methods
allow clients to roam without having to repeat the entire 802.1X authentication
process.
PMK Caching: PMK caching allows the client to skip 802.1X authentication to any
AP to which it has previously authenticated (only the 4-way handshake is required).
PMK caching is useful when a client reconnects to an AP that it previously roamed
away from. PMK Caching is the method defined in the 802.11i specification, which
also defined WPA2.
Opportunistic Key Caching: With this method, a client can skip the 802.1X
authentication to an AP as long as the client has authenticated successfully to at
least one of the APs in the same zone as the an AP that handled the previous
successful authentication. In this case, the PMK is cached at a central location
(ZoneDirector).
Creating a WLAN
Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 201
Figure 110. Advanced options for creating a new WLAN
Creating a Copy of an Existing WLAN for Workgroup Use
Advanced Options
202 Ruckus Wireless, Inc.
Figure 111. Configuring WLAN service schedule
Creating a Copy of an Existing WLAN for
Workgroup Use
If you want to create an additional WLAN based on your existing default WLAN and
limit its use to a select group of users (e.g, Marketing, Engineering), you can do so
by following these steps:
1Make a list of the group of users.
2Go to Configure > WLANs.
3When the WLANs page appears, the default internal and guest networks are
listed in the table (once you have created a WLAN, it will appear in this table).
4If you have no need for custom authentication or encryption methodologies in
this new WLAN, locate the default WLAN record and click Clone.
5A workspace appears, displaying the default settings of a new WLAN, using the
same configuration settings as the default WLAN.
6Type a descriptive name for this WLAN, and then click OK. This new WLAN is
ready for use by selected users.
Customizing WLAN Security
Reviewing the Initial Security Configuration
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 203
7You can now assign access to this new WLAN to a limited set of internal users,
as detailed in Creating New User Roles.
Customizing WLAN Security
When you worked through the installation wizard, you were instructed to create your
first WLAN. Most users will likely have created an “Open/WPA2” (open authentica-
tion, WPA2 encryption) WLAN as their first wireless network. To review the security
configuration and the available options (customize the existing WLAN setup or
replace it with a totally different configuration), review the following procedures.
Reviewing the Initial Security Configuration
1Go to Monitor > WLANs.
2The Currently Active WLANs table lists the WLANs created during the setup
process. You can review the details of a WLAN’s configuration by clicking the
WLAN name. See Figure 112.
3You have three options for the internal WLAN: [1] continue using the current
configuration, [2] fine-tune the existing security mode, or [3] replace this mode
entirely with a different authentication and encryption method. The two WLAN-
editing processes are described separately, below.
Figure 112. Viewing WLAN security configurations from the Monitor > WLANs page
Customizing WLAN Security
Fine-Tuning the Current Security Mode
204 Ruckus Wireless, Inc.
Fine-Tuning the Current Security Mode
To keep the original security mode and fine-tune its settings:
1Go to Configure > WLANs.
2In the Internal WLAN row, click Edit.
3Choose from the following options to keep the default WPA2 encryption with no
authentication (Open Auth).
WPA-Mixed: Allows both WPA and WPA2 compliant devices to access the
network.
Passphrase: Replace the current passphrase with a new one, to help lower
the risk of unauthorized access.
4Click OK to apply any changes.
Switching to a Different Security Mode
You also have the option of replacing the default internal WLAN's Open authenti-
cation/WPA encryption mode with one of several other modes:
Open Auth/WEP encryption: Least security, only use if necessary to support
older WEP-only client devices.
Open Auth/WPA2 encryption: The recommended configuration for modern
wireless clients.
Open Auth/WPA-Mixed encryption: Allows both WPA and WPA2 devices on
the same WLAN. Use this option only if older WPA devices cannot be upgraded
to WPA2.
802.1X EAP Auth/Any encryption: Authentication to an AAA server (RADIUS
or Local Database) using IEEE 802.1X authentication protocol.
MAC Auth/Any encryption: Authentication by MAC address. Provides limited
security due to ease of MAC address spoofing.
802.1X EAP + MAC Auth/Any encryption: Allows clients to connect using
either MAC address or 802.1X authentication.
To change the security mode for an existing WLAN:
1Go to Configure > WLANs.
2When the WLANs workspace appears, you will want to review and then change
the security options for the internal network. To start, click Edit in the Internal
WLAN row.
Customizing WLAN Security
Using the Built-in EAP Server
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 205
3When the Editing (Internal) options appear, look at the two main categories --
Authentication Options and Encryption Options.
4If you click an Authentication Option Method such as Open, or 802.1X, different
sets of encryption options are displayed:
Open allows you to configure a WPA- or WEP-based encryption, or "none"
if you're so inclined. After selecting a WPA or WEP level, you can then enter
a passphrase or key text of your choosing.
802.1X EAP allows you to choose from all available encryption methods,
but you do not need to create a key or passphrase. Instead, users will be
authenticated against ZoneDirector’s internal database or an external
RADIUS server.
MAC Address allows you to use an external RADIUS server to authenticate
wireless clients based on their MAC addresses. Before you can use this
option, you need to add your external RADIUS server to ZoneDirector’s
Configure > AAA Servers page. You also need to define the MAC addresses
that you want to allow on the RADIUS server.
802.1X EAP + MAC Address allows the use of both authentication methods
on the same WLAN.
5Depending on your Authentication Option Method selection, review and
reconfigure the related Encryption Options.
6Review the Advanced Options to change any settings as needed.
7When you are finished, click OK to apply your changes.
NOTE: Replacing your WPA configuration with 802.1X requires the users to make
changes to their Ruckus wireless connection configuration—which may include the
importation of certificates.
Using the Built-in EAP Server
(Requires the selection of “Local Database” as the authentication server.) If you are
re-configuring your internal WLAN to use 802.1X/EAP authentication, you normally
have to generate and install certificates for your wireless users. With the built-in EAP
server and Zero-IT Wireless Activation, certificates are automatically generated and
installed on the end user's computer. Users simply follow the instructions provided
during the Zero-IT Wireless Activation process to complete this task (see Self-
Provisioning Clients with Zero-IT). Once this is done, users can connect to the
internal WLAN using 802.1X/EAP authentication.
Customizing WLAN Security
Authenticating with an External RADIUS Server
206 Ruckus Wireless, Inc.
Authenticating with an External RADIUS Server
You can also use an external RADIUS server for your wireless client 802.1X/EAP
authentication. An EAP-aware RADIUS server is required for this application. Also,
you might need to deploy your own certificates for wireless client devices and for
the RADIUS server you are using. In this case, ZoneDirector works as a bridge
between your wireless clients and the RADIUS server during the wireless authenti-
cation process.
ZoneDirector allows wireless clients to access the networks only after successful
authentication of the wireless clients by the RADIUS server. For information on
configuring a RADIUS server for client authentication, see RADIUS / RADIUS
Accounting.
CAUTION! If your wireless network is using EAP/external RADIUS server for client
authentication and you have Windows Vista clients, make sure that they are
upgraded to Vista Service Pack 1 (SP1). SP1 includes fixes for client authentication
issues when using EAP/external RADIUS server.
If You Change the Internal WLAN to WEP or 802.1X
If you replace the default configuration of the internal WLAN, your users must
reconfigure the wireless LAN connection settings on their devices. This process is
described in detail below and can be performed when logging into the WLAN as a
new user.
If Switching to WEP-based Security
1Each user should be able to repeat the Zero-IT Wireless Activation process and
install the WEP key by executing the activation script.
2Alternatively, they can manually enter the WEP key text into their wireless device
connection settings.
If Switching to 802.1X-based Security
1(Applies only to the use of the built-in EAP server.) Each user should be able to
repeat the Zero-IT Wireless Activation process and download the certificates and
an activation script generated by ZoneDirector.
2Each user must first install certificates to his/her computer.
3Each user must then execute the activation script, in order to configure the
correct wireless setting on his/her computer.
Working with WLAN Groups
If You Change the Internal WLAN to WEP or 802.1X
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 207
4To manually configure 802.1X/EAP settings for non-EAP capable client use, use
the wireless settings generated by ZoneDirector.
Working with WLAN Groups
WLAN groups are used to specify which APs provide which WLAN services. If your
wireless network covers a large physical environment (for example, multi-floor or
multi-building office) and you want to provide different WLAN services to different
areas of your environment, you can use WLAN groups to do this.
For example, if your wireless network covers three building floors (1st Floor to 3rd
Floor) and you need to provide wireless access to visitors on the 1st Floor, you can
do the following:
1Create a WLAN service (for example, “Guest Only Service”) that provides guest-
level access only.
2Create a WLAN group (for example, “Guest Only Group”), and then assign “Guest
Only Service” (WLAN service) to “Guest Only Group” (WLAN group).
3Assign APs on the 1st Floor (where visitors need wireless access) to your “Guest
Only Group”.
Any wireless client that associates with APs assigned to the “Guest Only Group” will
get the guest-level access privileges defined in your “Guest Only Service.” APs on
the 2nd and 3rd Floors can remain assigned to the Default WLAN Group and provide
normal-level access.
NOTE: Creating WLAN groups is optional. If you do not need to provide different
WLAN services to different areas in your environment, you do not need to create a
WLAN group.
NOTE: A default WLAN group called Default exists. The first 27 WLANs that you
create are automatically assigned to this Default WLAN group.
NOTE: A WLAN Group can include a maximum of 27 member WLANs. For dual
radio APs, each radio can be assigned to only one WLAN Group (single radio APs
can be assigned to only one WLAN Group).
The maximum number of WLAN groups that you can create depends on the
ZoneDirector model.
Working with WLAN Groups
Creating a WLAN Group
208 Ruckus Wireless, Inc.
Table 20. Maximum number of WLAN groups by ZoneDirector model
Creating a WLAN Group
1Go to Configure > WLANs.
2In the WLAN Groups section, click Create New. The Create New form appears.
3In Name, type a descriptive name that you want to assign to this WLAN group.
For example, if this WLAN will contain WLANs that are designated for guest
users, you can name this as Guest WLAN Group.
4In Description (optional), type some notes or comments about this group.
5Under Group Settings, select the check boxes for the WLANs that you want
to be part of this WLAN group.
6In the VLAN override settings, choose whether to override the VLAN configured
for each member WLAN. Available options include:
No Change: Click this option if you want the WLAN to keep the same VLAN
tag (default: 1).
Tag: Click this option to override the VLAN configured for the WLAN service.
7Click OK. The Create New form disappears and the WLAN group that you
created appears in the table under WLAN Groups.
You may now assign this WLAN group to an AP.
ZoneDirector Model Max WLAN Groups
ZoneDirector 1200 256
ZoneDirector 3000 1024
ZoneDirector 5000 2048
Working with WLAN Groups
Assigning a WLAN Group to an AP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 209
Figure 113. WLAN group
Assigning a WLAN Group to an AP
1Go to Configure > Access Points.
2In the list of access points, find the MAC address of the AP that you want to
assign to a WLAN group, and then click Edit.
3In WLAN Group, click Override Group Config and select the WLAN group to
which you want to assign the AP. Each AP (or radio, on dual radio APs) can only
be a member of a single WLAN group.
4Click OK to save your changes.
Working with WLAN Groups
Viewing a List of APs That Belong to a WLAN Group
210 Ruckus Wireless, Inc.
Figure 114. Assign a WLAN group to an AP
Viewing a List of APs That Belong to a WLAN Group
1Go to Monitor > WLANs.
2Under Currently Active WLAN Groups, click the WLAN group name for which
you want to view the member AP list.
3On the page that loads, look for the Member APs section. All APs that belong
to this WLAN group are listed.
Deploying ZoneDirector WLANs in a VLAN Environment
Viewing a List of APs That Belong to a WLAN Group
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 211
Deploying ZoneDirector WLANs in
a VLAN Environment
NOTE: Configuring VLANs for ZoneDirector, Access Points and wireless clients is
not required for normal operation, and should not be undertaken without a thorough
understanding of your networks VLAN environment and switch port configuration.
You can set up a ZoneDirector wireless LAN as an extension of a VLAN network
environment by tagging wireless client traffic to specific VLANs. Qualifications
include the following:
Verifying that the VLAN switch supports native VLANs. A native VLAN is a
VLAN that allows the user to designate untagged frames going in/out of a
port to a specific VLAN.
For example, if an 802.1Q port has VLANs 1, 20, and 30 enabled with VLAN
1 being the native VLAN, frames on VLAN 1 that egress (exit) the port are not
given an 802.1Q header (i.e., they are plain Ethernet frames). Frames which
ingress (enter) this port and have no 802.1Q header are assigned to VLAN
1. Traffic from WLANs configured with access VLANs 20 and 30 is tagged
with an 802.1Q header containing the respective VLAN assignment before
being forwarded to its destination on the Ethernet network.
Connecting ZoneDirector and any Access Points (APs) to trunk ports on the
switch.
Verifying that those trunk ports are on the same native VLAN.
Example configuration (Figure 115): VLAN 20 is used for internal clients, VLAN 30
is used for guest clients, and Management VLAN configuration is optional.
Deploying ZoneDirector WLANs in a VLAN Environment
Viewing a List of APs That Belong to a WLAN Group
212 Ruckus Wireless, Inc.
Figure 115. Sample VLAN configuration
You must ensure that switch ports are configured properly to pass the VLAN traffic
necessary for ZoneDirector, AP and client communications. In the sample VLAN
scenario above, the switch ports would need to be configured as follows:
Corp VLAN: 20
•Guest VLAN: 30
Management VLAN: (optional)
Some common VLAN scenarios include:
WLANs assigned to specific VLANs; ZD and APs with no management VLAN
WLANs assigned to specific VLANs; ZD and APs within their own single
management VLAN
WLANs assigned to specific VLANs; ZD and APs are configured for management
VLAN, but are different VLANs and there is an L3 connection between (typical
branch/remote office deployments)
WLANs assigned to specific VLANs; ZD or APs only (not both) configured with
management VLAN (again typically with a L3 connection between ZD and APs)
The following factors need to be taken into consideration:
Default/Native VLAN configuration
Where the DHCP/DNS servers sit in the architecture
If tunneling is used for WLANs
Deploying ZoneDirector WLANs in a VLAN Environment
Tagging Management Traffic to a VLAN
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 213
Trunking between switch ports
NOTE: All DNS, DHCP, ARP, and HTTP traffic from an unauthenticated wireless
client will be forwarded by the AP onto the ZoneDirector via the management LWAPP
tunnel. If the client belongs to a particular VLAN, the ZoneDirector will add the
respective VLAN tag before forwarding the traffic to the wired network. After client
authentication is complete, the AP adds the respective VLAN tag and forwards the
client traffic directly to the wired network. This explains why it is necessary to
configure the tagged VLANs on all switch ports connected to the ZoneDirector and
APs.
Tagging Management Traffic to a VLAN
Assigning management traffic to a specific management VLAN can provide benefits
to the overall performance and security of a network. If your network is designed to
segment management traffic to a specific VLAN and you want to include ZoneDi-
rector’s AP management traffic in this VLAN, you can set the parameters in the
ZoneDirector system configuration.
NOTE: Assigning management traffic to a VLAN makes automatic AP provisioning
more complicated, and should not be undertaken without a thorough understanding
of your own network configuration as well as the ZoneFlex wireless deployment.
Configuring a management VLAN is not required. Access ports in a native VLAN
can be used as the management VLAN rather than actually configuring a
management VLAN.
To assign ZD - AP management traffic to a management VLAN:
1Go to Configure > Access Points.
2In Access Point Policies, click VLAN ID next to Management VLAN, and enter
the VLAN ID in the field provided.
3Click Apply to save your settings.
4Go to Configure > System.
5In Device IP Settings, enter the VLAN ID in the Access VLAN field.
6If you are using an additional management interface for ZoneDirector, enter the
same ID in the Access VLAN field for the additional management interface.
7Click Apply to save your settings.
Deploying ZoneDirector WLANs in a VLAN Environment
Tagging Management Traffic to a VLAN
214 Ruckus Wireless, Inc.
NOTE: ZoneDirector will need to be rebooted after changing management VLAN
settings.
8Go to Administer > Restart, and click Restart to reboot ZoneDirector.
CAUTION! When configuring or updating the management VLAN settings, make
sure that the same VLAN settings are applied on the Configure > Access Points >
Access Point Policies > Management VLAN page, if APs exist on the same VLAN
as ZoneDirector.
Figure 116. Configuring management VLAN for ZoneDirector
Deploying ZoneDirector WLANs in a VLAN Environment
How Dynamic VLAN Works
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 215
Figure 117. Configuring management VLAN for APs
How Dynamic VLAN Works
Dynamic VLAN can be used to automatically and dynamically assign wireless clients
to different VLANs based on RADIUS attributes.
Dynamic VLAN Requirements:
A RADIUS server must have already been added to ZoneDirector
WLAN authentication method must be set to 802.1X, MAC address or 802.1X
+ MAC address
To enable Dynamic VLAN for a WLAN:
1Go to Configure > WLANs. Click Edit next to the WLAN you want to configure.
2In Authentication Server, select the RADIUS server that you configured on the
AAA Servers page.
3Expand the Advanced Settings section and click the Enable Dynamic VLAN
box next to Access VLAN.
4Click OK to save your changes.
Deploying ZoneDirector WLANs in a VLAN Environment
How Dynamic VLAN Works
216 Ruckus Wireless, Inc.
Figure 118. Enabling Dynamic VLAN
Priority of VLAN, Dynamic VLAN and Tunnel Mode
If the VLAN, Dynamic VLAN and Tunnel Mode features are all enabled and they have
conflicting rules, ZoneDirector prioritizes and applies these three features in the
following order:
1Dynamic VLAN (top priority)
2VLAN
3Tunnel Mode
How It Works
1User associates with a WLAN on which Dynamic VLAN has been enabled.
2The AP requires the user to authenticate with the RADIUS server via
ZoneDirector.
3When the user completes the authentication process, ZoneDirector sends the
join approval for the user to the AP, along with the VLAN ID that has been
assigned to the user on the RADIUS server.
Deploying ZoneDirector WLANs in a VLAN Environment
How Dynamic VLAN Works
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 217
4User joins the AP and is segmented to the VLAN ID that has been assigned to
him.
Required RADIUS Attributes
For dynamic VLAN to work, you must configure the following RADIUS attributes for
each user:
Tunnel-Type: Set this attribute to VLAN.
Tunnel-Medium-Type: Set this attribute to IEEE-802.
Tunnel-Private-Group-ID: Set this attribute to the VLAN ID to which you want to
segment this user.
Depending on your RADIUS setup, you may also need to include the user name or
the MAC address of the wireless device that the user will be using to associate with
the AP. Tab le 2 1 lists the RADIUS user attributes related to dynamic VLAN.
Here is an example of the required attributes for three users as defined on Free
RADIUS:
0018ded90ef3
User-Name = user1,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 0014
00242b752ec4
User-Name = user2,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 0012
Table 21. RADIUS user attributes related to dynamic VLAN
Attribute Type ID Expected Value
(Numerical)
Tunnel-Type 64 VLAN (13)
Tunnel-Medium-Type 65 802 (6)
Tunnel-Private-Group-Id 81 VLAN ID
Deploying ZoneDirector WLANs in a VLAN Environment
Working with VLAN Pools
218 Ruckus Wireless, Inc.
013469acee5
User-Name = user3,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 0012
NOTE: The values in bold are the users' MAC addresses.
Working with VLAN Pools
When Wi-Fi is deployed in a high density environment such as a stadium or a
university campus, the number of IP addresses required for client devices can easily
run into the thousands. Placing thousands of clients into a single large subnet or
VLAN can result in degraded performance due to factors like broadcast and
multicast traffic.
To address this problem, VLAN pooling allows administrators to a deploy pool of
multiple VLANs to which clients are assigned, thereby automatically segmenting
large groups of clients into multiple smaller subgroups, even when connected to
the same SSID. As the client device joins the WLAN, the VLAN is assigned to one
of the VLANs in the pool based on a hash of the client’s MAC address.
While you can also achieve the same results using Dynamic VLAN, with VLANs
assigned by a RADIUS server (see How Dynamic VLAN Works), the VLAN pooling
feature allows distribution of clients into multiple VLANs without the need for a
RADIUS server.
To create a VLAN pool:
1Go to Configure > WLANs, and locate the VLAN Pooling section.
2Click Create New to create a new VLAN pool.
3Enter a Name, and optionally a Description for this VLAN pool.
4In VLANs, enter the VLAN IDs to be assigned to this pool. VLAN IDs can be
separated by hyphens, commas, or a combination (e.g., 7-10, 13, 17, 20-28).
5Click OK to save the VLAN pool.
Each VLAN pool can contain up to 16 VLANs, and a maximum of 64 VLAN pools
can be created. Each WLAN can be configured with a single VLAN pool.
Deploying ZoneDirector WLANs in a VLAN Environment
Working with VLAN Pools
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 219
Figure 119. Creating a VLAN pool
To assign a pool of VLANs to an SSID:
1Go to Configure > WLANs.
2Click Create New or Edit to create or edit a WLAN.
3Expand the Advanced Options section, and locate the VLAN Pooling entry.
4Select the VLAN Pool you created from the VLAN Pools List. Alternatively, you
can create a new VLAN pool by clicking Create New VLAN Pool.
5Click OK to save your changes.
Clients connecting to this WLAN will now be automatically assigned to a VLAN from
the specified VLAN pool.
Deploying ZoneDirector WLANs in a VLAN Environment
Working with VLAN Pools
220 Ruckus Wireless, Inc.
Figure 120. Assign a VLAN Pool to a WLAN
NOTE: A VLAN pool cannot be applied to a WLAN with a Device Policy enabled,
and vice-versa. If a Device Policy is selected, the VLAN Pooling option will
automatically be disabled. If a VLAN pool is selected, the Access VLAN option will
be disabled.
NOTE: VLAN Pooling has the lowest priority when used in conjunction with other
VLAN assignment features. In case of conflict, the priority is as follows: 1) Role-
Based Access Control (RBAC), 2) AAA Server, 3) Device Policy 4) VLAN Pooling.
For additional information on configuring VLANs for Access Point Ethernet ports,
refer to Configuring AP Ethernet Ports.
Working with Hotspot Services
Creating a Hotspot Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 221
Working with Hotspot Services
A hotspot is a venue or area that provides Internet access to devices with wireless
networking capability such as notebooks and smartphones. Hotspots are
commonly available in public venues such as hotels, airports, coffee shops and
shopping malls.
ZoneDirector provides two types of Hotspot services based on the WISPr (Wireless
Internet Service Provider roaming) 1.0 and 2.0 specifications, as described in the
following sections:
Creating a Hotspot Service
Creating a Hotspot 2.0 Service
Creating a Hotspot Service
ZoneDirector’s Configure > Hotspot Services page can be used to configure a
traditional (WISPr 1.0) hotspot service to provide public access to users via its
WLANs. In addition to ZoneDirector and its managed APs, you will need the following
to deploy a hotspot:
Captive Portal: A special web page, typically a login page, to which users that
have associated with your hotspot will be redirected for authentication purposes.
Users will need to enter a valid user name and password before they are allowed
access to the Internet through the hotspot. Open source captive portal pack-
ages, such as Chillispot, are available on the Internet. For a list of open source
and commercial captive portal software, visit http://en.wikipedia.org/wiki/
Captive_portal#Software_Captive_Portals, and
RADIUS Server: A Remote Authentication Dial-In User Service (RADIUS) server
through which users can authenticate.
For installation and configuration instructions for the captive portal and RADIUS
server software, refer to the documentation that was provided with them. After
completing the steps below, you will need to edit the WLAN(s) for which you want
to enable Hotspot service.
ZoneDirector supports up to 32 WISPr Hotspot service entries, each of which can
be assigned to multiple WLANs.
To create a Hotspot service:
1Go to Configure > Hotspot Services.
2Click Create New. The Create New form appears.
Working with Hotspot Services
Creating a Hotspot Service
222 Ruckus Wireless, Inc.
3In Name, enter a name for this hotspot service. (You will need to choose this
name from a list when creating a WLAN to serve this hotspot service.)
4In WISPr Smart Client Support, select whether to allow WISPr Smart Client
support:
None: (default).
Enabled: Enable Smart Client support.
NOTE: The WISPr Smart Client is not provided by Ruckus - you will need to provide
Smart Client software/hardware to your users if you select this option.
Only WISPr Smart Client allowed: Choose this option to allow only clients
that support WISPr Smart Client login to access this hotspot. If this option is
selected, a field appears in which you can enter instructions for clients
attempting to log in using the Smart Client application.
Smart Client HTTP Secure: If Smart Client is enabled, choose whether to
authenticate users over HTTP or HTTPS.
5In Login Page (under Redirection), type the URL of the captive portal (the page
where hotspot users can log in to access the service).
6Configure optional settings as preferred:
•In Start Page, configure where users will be redirected after successful login.
You could redirect them to the page that they want to visit, or you could set
a different page where users will be redirected (for example, your company
website).
•In User Session, configure session timeout and grace period, both disabled
by default.
- Session Timeout: Specify a time limit after which users will be discon-
nected and required to log in again.
- Grace Period: Allow disconnected users a grace period after disconnec-
tion, during which clients will not need to re-authenticate. Enter a number
in minutes, between 1 and 144,000.
7In Authentication Server, select the AAA server that you want to use to
authenticate users.
Options include Local Database and any AAA servers that you configured on
the Configure > AAA Servers page. If a RADIUS server is selected, an
additional option appears: Enable MAC authentication bypass (no redi-
rection). Enabling this option allows users with registered MAC addresses
Working with Hotspot Services
Creating a Hotspot Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 223
to be transparently authorized without having to log in. A user entry on the
RADIUS server needs to be created using the client MAC address as both
the user name and password. The MAC address format can be configured
in one of the formats listed in MAC Authentication with an External RADIUS
Server.
8In Accounting Server (if you have an accounting server set up), select the server
from the list and configure the frequency (in minutes) at which accounting data
will be retrieved.
9In Wireless Client Isolation, choose whether clients connected to this Hotspot
WLAN should be allowed to communicate with one another locally. See
Advanced Options in the Creating a WLAN section for a description of the same
feature for non-Hotspot WLANs.
10 Configure optional settings as preferred:
•In Location Information, enter Location ID and Location Name WISPr
attributes, as specified by the Wi-Fi Alliance.
•In Walled Garden, enter network destinations (URL or IP address) that users
can access without going through authentication. A Walled Garden is a
limited environment to which an unauthenticated user is given access for the
purpose of setting up an account. After the account is established, the user
is allowed out of the Walled Garden.
•In Restricted Subnet, define L3/4 IP address access control rules for the
hotspot service to allow or deny wireless devices based on their IP addresses.
Under Advanced Options, enable Intrusion Prevention to temporarily
block hotspot clients that fail repeated authentication attempts. When this
option is enabled, if the same station attempts to authenticate 10 times
unsuccessfully within 600 seconds, the station will be blocked for 600
seconds. If the same user unsuccessfully attempts to authenticate 30 times
within the same time period, the user will be blocked for 600 seconds.
11 Click OK to save the hotspot settings.
The page refreshes and the hotspot service you created appears in the list. You may
now assign this hotspot service to the WLANs that you want to provide hotspot
Internet access, as described in Assigning a WLAN to Provide Hotspot Service.
Working with Hotspot Services
Assigning a WLAN to Provide Hotspot Service
224 Ruckus Wireless, Inc.
Figure 121. Creating a Hotspot service
NOTE: If ZoneDirector is located behind a NAT device and signed certificates are
used with portal authentication, a static entry must be added to the DNS server to
resolve ZoneDirector’s private IP address to its FQDN. Otherwise, client browsers
may enter an infinite redirect loop and be unable to reach the login page. Before the
signed certificate gets added the client gets redirected to the IP address of the ZD
instead of the FQDN.
Assigning a WLAN to Provide Hotspot Service
After you create a hotspot service, you need to specify the WLANs to which you
want to deploy the hotspot configuration. To configure an existing WLAN to provide
hotspot service, do the following:
1Go to Configure > WLANs.
2In the WLANs section, look for the WLAN that you want to assign as a hotspot
WLAN, and then click the Edit link that is on the same row. The Editing (WLAN
name) form appears.
3In Type , click Hotspot Service (WISPr).
Working with Hotspot Services
Common WISPr Attribute Abbreviations
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 225
4In Hotspot Services, select the name of the hotspot service that you created
previously.
5Click OK to save your changes.
Figure 122. Assigning a Hotspot service to a Hotspot WLAN
Common WISPr Attribute Abbreviations
Tab l e 22 lists common WISPr attributes and their definitions.These attributes are
added automatically to the redirect URL sent to the captive portal server. See the
following URL for an example:
http://portal.free.com/?sip=192.168.120.15&mac=74911a20-
dac0&client_mac=00216a95b0de&uip=192.168.120.13&lid=101&
dn=free.com&url=&ssid=Free-WiFi&loc=London&vlan=101
For a more complete guide on enabling WISPr Hotspot services with ZoneDirector,
refer to the Ruckus Enabling WISPr Application Note.
Table 22. Common WISPr Attributes
Abbreviation Description
sip The IP address of ZoneDirector.
Creating a Hotspot 2.0 Service
Common WISPr Attribute Abbreviations
226 Ruckus Wireless, Inc.
NOTE: For more information on Captive Portal redirection for Hotspot, Web Auth
and Guest Access WLANs, see Captive Portal Redirect on Initial Browser HTTPS
Request.
Creating a Hotspot 2.0 Service
“Hotspot 2.0” is a newer Wi-Fi Alliance specification that allows for automated
roaming between service provider access points when both the client and access
gateway support the newer protocol.
Hotspot 2.0 (also known as “PasspointTM”, the trademark name of the Wi-Fi Alliance
certification) aims to improve the experience of mobile users when selecting and
joining a Wi-Fi hotspot by providing information to the station prior to association.
This information can then be used by the client to automatically select an appropriate
mac The MAC address of the Access Point (Ethernet).
lid The Location ID of the Hotspot service.
uip The client’s real IP address. In a Layer 3 NAT environment, the
client’s IP address will be translated to the gateway’s IP address
when logging to the Hotspot service. In this case, the login request
has to include the client’s real IP address to be handled properly.
dn The domain name of the ZoneDirector. The domain name is
obtained from the SSL certificate when importing a certificate to
ZoneDirector.
uid The user’s login ID (passed in the UAM login form’s user name
parameter).
client_mac The client’s MAC address.
SSID The SSID to which the client is associated.
Loc The location name defined in the AP settings.
vlan The client’s VLAN ID.
reason The reason for redirection; can be empty for first redirect, failed for
auth failure, or logout when client logs off.
Table 22. Common WISPr Attributes
Abbreviation Description
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 227
network based on the services provided and the conditions under which the user
can access them. In this way, rather than being presented with a list of largely
meaningless SSIDs to choose from, the Hotspot 2.0 client can automatically select
and authenticate to an SSID based on the client’s configuration and services offered,
or allow the user to manually select an SSID for which the user has login credentials.
ZoneDirector’s Hotspot 2.0 implementation complies with the IEEE 802.11u stan-
dard and the Wi-Fi Alliance Hotspot 2.0 Technical Specification.
Enabling Hotspot 2.0 service on ZoneDirector requires the following three steps:
Create a Service Provider Profile
Create an Operator Profile
Create a Hotspot 2.0 WLAN
Create a Service Provider Profile
To create a Service Provider Profile:
1Go to Configure > Hotspot 2.0 Services.
2Click Create New under Service Provider Profiles.
3Configure the settings in Tab l e 23 to create a Service Provider profile.
Table 23. Hotspot 2.0 Service Provider profile configuration
Option Description
Name Enter a name for this Service Provider profile.
Description (Optional) Enter a description.
NAI Realm List List of network access identifier (NAI) realms
corresponding to SSPs or other entities whose
networks or services are accessible via this AP.
Up to five NAI realm entries can be created.
Each NAI realm entry can contain up to four EAP
methods. Each EAP method can contain up to
four authentication types.
Domain Name List List of domain names of the entity operating the
access network. Up to five entries can be
created.
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
228 Ruckus Wireless, Inc.
4Click OK to save your changes.
5Continue to Create an Operator Profile.
Figure 123. Creating a Service Provider Profile
Roaming Consortium List List of Organization Identifiers included in the
Roaming Consortium list, as defined in
IEEE802.11u, dot11RoamingConsortiumTable.
Up to two Roaming Consortium entries can be
created.
3GPP Cellular Network Information Contains cellular information such as network
advertisement information to assist a 3GPP
station in selecting an AP for 3GPP network
access, as defined in Annex A of 3GPP TS
24.234 v8.1.0. Up to eight entries can be
created.
Table 23. Hotspot 2.0 Service Provider profile configuration
Option Description
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 229
Create an Operator Profile
To create an Operator Profile:
1Go to Configure > Hotspot 2.0 Services.
2Click Create New under Operator Profiles.
3Configure the settings in Tab l e 12 4 to create a Hotspot 2.0 Operator profile.
Figure 124. Hotspot 2.0 Operator profile configuration options
Option Description
Name Enter a name for this Operator profile. This
name identifies the service operator when
assigning an HS2.0 service to a HS2.0 WLAN.
Description (Optional) Enter a description for the service.
Venue Information Select venue group and venue type as defined
in IEEE802.11u, Table 7.25m/n.
ASRA Option Additional steps required for access. Select to
indicate that the network requires a further step
for access.
Internet Option Specify if this HS2.0 network provides
connectivity to the Internet.
Access Network Type Access network type (private, free public,
chargeable public, etc.), as defined in
IEEE802.11u, Table 7-43b.
IP Address Type Select IP address type availability information,
as defined in IEEE802.11u, 7.3.4.8.
Operator Friendly Name Network operator names in multiple languages.
Service Provider Profiles Information for each service provider, including
NAI realm, domain name, roaming consortium,
3GPP cellular network info. (A Service Provider
profile must first be created before it appears
here.) Up to six Service Provider Profiles can be
indicated for each Operator Profile.
HESSID Homogenous extended service set identifier.
The HESSID is a 6-octet MAC address that
identifies the homogeneous ESS. The HESSID
value must be identical to one of the BSSIDs in
the homogeneous ESS.
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
230 Ruckus Wireless, Inc.
4Click OK to save this Operator Profile.
5Continue to Create a Hotspot 2.0 WLAN.
Figure 125. Creating a Hotspot 2.0 Operator Profile
WAN Metrics Provides information about the WAN link
connecting an IEEE 802.11 access network
and the Internet; includes link status and
backhaul uplink/downlink speed estimates.
Connection Capability Provides information on the connection status
within the hotspot of the most commonly used
communications protocols and ports. 11 static
rules are available, as defined in WFA Hotspot
2.0 Technical Specification, section 4.5.
Additional Connection Capability Allows addition of custom connection capability
rules. Up to 21 custom rules can be created.
Figure 124. Hotspot 2.0 Operator profile configuration options
Option Description
Creating a Hotspot 2.0 Service
Create a Service Provider Profile
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 231
Create a Hotspot 2.0 WLAN
After you create a HS2.0 service, you need to specify the WLANs to which you want
to deploy the hotspot configuration. To configure an existing WLAN to provide
hotspot service, do the following:
1Go to Configure > WLANs.
2In the WLANs section, look for the WLAN that you want to assign as a HS2.0
WLAN, and then click the Edit link that is on the same row. The Editing (WLAN
name) form appears.
3In Type , click Hotspot 2.0.
NOTE: 802.1X EAP is the only authentication method and WPA2/AES is the only
encryption method available when you select Hotspot 2.0 for WLAN type.
4In Hotspot 2.0 Operator, select the name of the Operator profile that you
created previously.
5In Authentication Server, select the RADIUS server used to authenticate users.
6Optionally, enable Proxy ARP for this Hotspot 2.0 WLAN (see Advanced Options
under Creating a WLAN.)
If Proxy ARP is enabled, you also have the option to disable downstream
group-addressed frame forwarding by selecting the DGAF option. This
option prevents stations from forwarding group-addressed (multicast/broad-
cast) frames and converts group-addressed DHCP and ICMPv6 router
advertisement packets from layer 2 multicast to unicast.
7Click OK to save your changes.
Working with Dynamic Pre-Shared Keys
Create a Service Provider Profile
232 Ruckus Wireless, Inc.
Figure 126. Creating a Hotspot 2.0 WLAN
Setting the Venue Name for a Hotspot 2.0 AP
See Configuring Hotspot 2.0 Venue Settings for an AP for instructions on setting
AP venue names for individual APs.
Working with Dynamic Pre-Shared Keys
Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of
normal Pre-shared Key (PSK) wireless networks. Unlike typical PSK networks, which
share a single key amongst all devices, a Dynamic PSK network assigns a unique
key to every authenticated user. Therefore, when a person leaves the organization,
network administrators do not need to change the key on every device. Dynamic
PSK offers the following benefits over standard PSK security:
Every device on the WLAN has its own unique Dynamic PSK (DPSK) that is valid
for that device only.
Working with Dynamic Pre-Shared Keys
Enabling Dynamic Pre-Shared Keys on a WLAN
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 233
Each DPSK is bound to the MAC address of an authorized device - even if that
PSK is shared with another user, it will not work for any other machine.
Since each device has its own DPSK, you can also associate a user (or device)
name with each key for easy reference.
Each DPSK may also have an expiration date - after that date, the key is no
longer valid and will not work.
DPSKs can be created and removed without impacting any other device on the
WLAN.
If a hacker manages to crack the DPSK for one client, it does not expose the
other devices which are encrypting their traffic with their own unique DPSK.
DPSKs can be created in bulk and manually distributed to users and devices, or
ZoneDirector can auto-configure devices with a DPSK when they connect to the
network for the first time using Zero-IT Activation (see Enabling Automatic User
Activation with Zero-IT).
Enabling Dynamic Pre-Shared Keys on a WLAN
To use DPSK for client authentication, you must enable it for a particular WLAN (if
you did not enable it during the initial ZoneDirector Setup Wizard process).
To enable DPSK for a WLAN:
1Go to Configure > WLANs.
2Either Edit an existing WLAN or Create New to open the WLAN configuration
form.
3Under Type, select Standard Usage.
4Under Authentication Options: Method, select MAC Address or Open.
5Under Encryption Options: Method, select WPA2 (not WPA-Mixed, as selecting
WPA-Mixed will disable the Zero-IT activation option).
6Under Encryption Options: Algorithm, select AES (not Auto, as selecting Auto
will disable the Zero-IT activation option).
7If using MAC Address authentication, choose an Authentication Server to
authenticate clients against--either Local Database or RADIUS Server.
8Ensure that the Zero-IT Activation check box is enabled.
9Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK.
Select a DPSK passphrase length (between 8 and 62 characters).
10 Choose whether to use Secure DPSK or Mobile Friendly DPSK.
Working with Dynamic Pre-Shared Keys
Enabling Dynamic Pre-Shared Keys on a WLAN
234 Ruckus Wireless, Inc.
Secure DPSK: Includes almost all printable ASCII characters, including
periods, hyphens, dashes, etc. This option is more secure, however it is
difficult to input for mobile clients whose keyboards may not contain the entire
set of printable ASCII characters.
Mobile Friendly DPSK: Choose this option if this WLAN will be used for
mobile clients. This option limits the range of characters to lower case and
upper case letters and numbers, which makes it easier for users to input the
DPSK when activating a mobile client to a Zero-IT WLAN. (You may also want
to limit the DPSK length to 8 characters for the convenience of your mobile
client users.)
11 Expire DPSK: Set when the DPSK should expire. In Validity period, choose
whether the DPSK expiration period will start from first use or creation time.
12 Limit DPSK: By default each authenticated user can generate multiple DPSKs.
Select this option to limit the number of DPSKs each user can generate (1-4).
13 Click OK to save your settings.
This WLAN is now ready to authenticate users using Dynamic Pre-Shared Keys
once their credentials are verified against either the internal database or an external
AAA server.
Working with Dynamic Pre-Shared Keys
Setting Dynamic Pre-Shared Key Expiration
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 235
Figure 127. Enabling Dynamic PSK for a WLAN
Setting Dynamic Pre-Shared Key Expiration
By default, dynamic pre-shared keys do not expire and are effective from first use.
You can control when the PSK expires, at which time the users will be prompted
to reactivate their wireless access.
To set the dynamic PSK expiration:
1Go to Configure > WLANs, and click Edit to modify your DPSK WLAN.
2Expand the Advanced Options and locate the Dynamic PSK section.
3In the Expire DPSK section, select the PSK expiration time. Range includes one
day to unlimited (never expires).
4In Validity Period, select Effective from first use or Effective from creation
time.
5Click the Apply button that is in the same section. The new setting goes into
effect immediately.
Working with Dynamic Pre-Shared Keys
Generating Multiple Dynamic PSKs
236 Ruckus Wireless, Inc.
Figure 128. Dynamic PSK expiration options
NOTE: If you change the dynamic PSK expiration period, the new expiration period
will only be applied to new PSKs. Existing PSKs will retain the expiration period that
was in effect when the PSKs were generated. To force expiration, go to Monitor >
Generated PSK/Certs.
Generating Multiple Dynamic PSKs
If you will be generating DPSKs frequently (for example, to configure school-owned
laptops in batch), you may want to generate multiple DPSKs at once and distribute
them to your users in one batch. Before performing this procedure, check your
WLAN settings and make sure that the Dynamic PSK check box is selected.
To generate multiple dynamic PSKs:
1Go to Configure > WLANs.
2Scroll down to the Dynamic PSK Batch Generation section.
3In Target WLAN, select one of the existing WLANs with which the users will be
allowed to associate. (Only WLANs with DPSK enabled will be listed.)
Working with Dynamic Pre-Shared Keys
Generating Multiple Dynamic PSKs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 237
4In Number to Create, select the number of dynamic PSKs that you want to
generate. ZoneDirector will automatically populate the names of each user
(BatchDPSK_User_1, BatchDPSK_User_2, and so on) to generate the dynamic
PSKs.
5In Role, select the Role you want to apply to this batch of DPSK users.
6In Dynamic VLAN ID, enter Dynamic VLAN ID (if Dynamic VLAN is enabled for
this WLAN).
7If you want to be able to identify the dynamic PSK users by their names, click
Choose File, and upload a batch dynamic PSK profile instead. See Creating a
Batch Dynamic PSK Profile below for more information.
8Click Generate. ZoneDirector generates the dynamic PSKs, and then the
following message appears:
9To download the new DPSK record, click here
10 Click the click here link in the message to download a CSV file that contains the
generated dynamic PSKs.
You have completed generating the dynamic PSKs for your users. Using a spread-
sheet application (for example, Microsoft Excel), open the CSV file and view the
generated dynamic PSKs. The CSV file contains the following columns:
•User Name
• Passphrase
•Role
•WLAN Name
MAC Address
•VLAN ID
• Expiration
NOTE: The MAC address column shows 00:00:00:00:00:00 for all users. When a user
accesses the WLAN using the dynamic PSK that has been assigned to him, the
MAC address of the device that he used will be permanently associated with the
dynamic PSK that he used.
To enable wireless users to access the wireless network, you need to send them
the following information:
•User Name: The user name generated via batch DPSK generation (by default,
“Batch_DPSK_User_[#]”.
Working with Dynamic Pre-Shared Keys
Creating a Batch Dynamic PSK Profile
238 Ruckus Wireless, Inc.
WLAN Name: This is the WLAN with which they are authorized to access and
use the dynamic PSK passphrase that you generated.
Passphrase: This is the network key that the user needs to enter on his WLAN
configuration client to access the WLAN.
Expiration: (Optional) This is the date when the DPSK passphrase will expire.
After this date, the user will no longer be able to access the WLAN using the
same DPSK.
Alternatively, you can allow users to automatically self-provision their clients using
Zero-IT, as described in Enabling Automatic User Activation with Zero-IT.
Creating a Batch Dynamic PSK Profile
Creating a DPSK batch generation profile is useful if you want to customize the user
names that will be used for accessing the DPSK WLAN, as opposed to user names
such as “BatchDPSK_User_1,” etc.
1In the Dynamic PSK Batch Generation section, look for the following message:
To download an example of profile, click here.
2Click the click here link to download a sample profile.
3Save the sample batch DPSK profile (in CSV format) to your computer.
4Using a spreadsheet application, open the CSV file and edit the batch dynamic
PSK profile by filling out the following columns:
User Name: (Required) Type the name of the user (one name per row).
MAC Address: (Optional) If you know the MAC address of the device that
the user will be using, type it here.
Figure 129. Editing the batch_dpsk_sample.csv file to create a custom batch DPSK profile
5Go back to the Dynamic PSK Batch Generation section, and click the Choose
File button to upload the CSV file you edited.
Bypass Apple CNA
Creating a Batch Dynamic PSK Profile
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 239
6Click Generate to generate the custom DPSKs that you modified.
Figure 130. DPSK batch generation
After the DPSKs have been generated, you can download the same file (with the
passphrases filled in) by clicking the Click Here link at the end of the “To download
the generated DPSK record, click here” sentence.
Figure 131. Downloading a generated batch DPSK profile
Bypass Apple CNA
Some Apple iOS and OS X clients include a feature called Captive Network Assistant
(Apple CNA), which allows clients to connect to an open captive portal WLAN
without displaying the login page. When a client connects to a wireless network,
the CNA feature launches a pre-browser login utility and it sends a request to a
success page on the Apple website. If the success page is returned, the device
Bypass Apple CNA
Creating a Batch Dynamic PSK Profile
240 Ruckus Wireless, Inc.
assumes it has network connectivity and no action is taken. However, this login
utility is not a fully functional browser, and does not support HTML, HTML5, PHP
or other embedded video. In some situations, the ability to skip the login page for
open WLANs is a benefit. However, for other guest or public access designs, the
lack of ability to control the entire web authentication process is not desirable.
ZoneDirector provides an option to work around the Apple CNA feature if it is not
desirable for your specific deployment. With CNA bypass enabled, captive portal
(web-based authentication) login must be performed by opening a browser to any
unauthenticated page (http) to get redirected to the login page.
To enable Apple CNA bypass, use the following procedure:
1Go to Configure > WLANs.
2Locate the Bypass Apple CNA Feature section at the bottom of the page.
3Select any or all of the following WLAN types for which you want to bypass the
Apple CNA feature:
Web Authentication
Guest Access
Hotspot service
4Click Apply to save your changes.
Figure 132. Enabling the Bypass Apple CNA Feature
Bypass Apple CNA
Creating a Batch Dynamic PSK Profile
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 241
Bypass Apple CNA
Creating a Batch Dynamic PSK Profile
242 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 243
5
Managing Access Points
In this chapter:
Adding New Access Points to the Network
Working with Access Point Groups
Configuring AP Ethernet Ports
Reviewing Current Access Point Policies
Importing a USB Software Package
Managing Access Points Individually
Optimizing Access Point Performance
Adding New Access Points to the Network
Connecting the APs to the Network
244 Ruckus Wireless, Inc.
Adding New Access Points to the Network
If your staffing or wireless coverage needs increase, you can add APs to your
network easily and efficiently. Depending on your network security preferences, the
new APs can be automatically detected and activated, or new APs may require per-
device manual approval before becoming active.
The Automatic AP Approval process is enabled by default, automatically approving
AP join requests. If you prefer, you can disable Automatic Approval. If this is your
preference, ZoneDirector will detect new APs, alert you to their presence, and then
wait for you to manually “approve” their activation—as detailed in this guide.
Figure 133. Automatic AP approval is enabled by default. Deselect this option to manually
approve each AP join request.
Connecting the APs to the Network
1Place the new APs in the appropriate locations.
2Write down the MAC address (on the bottom of each device) and note the
specific location of each AP as you distribute them.
3Connect the APs to the LAN with Ethernet cables.
Adding New Access Points to the Network
Verifying/Approving New APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 245
NOTE: If using Gigabit Ethernet, ensure that you use Cat5e or better Ethernet
cables.
NOTE: By default, Ruckus Wireless APs will attempt to obtain an IP address via
DHCP as soon as they are connected to the network. If you do not want the AP to
automatically request an IP address, you must first configure a static IP address
using the AP web interface or CLI before connecting them to your network.
4Connect each AP to a power source.
NOTE: If the Ruckus Wireless APs that you are using are PoE-capable and power
sources are not convenient, they will draw power through the Ethernet cabling if
connected to a PoE-ready hub or switch.
Verifying/Approving New APs
1Go to Monitor > Access Points. The Access Points page appears, showing
the first 15 access points that have been approved or are awaiting approval. If
ZoneDirector is managing more than 15 access points, the Show More button
at the bottom of the list will be active. To display more access points in the list,
click Show More. When all access points are displayed on the page, the Show
More button disappears.
2Review the Currently Managed APs table. See Figure 134.
If the Configure > Access Points > Access Points Policies > Approval
check box is checked, all new APs should be listed in the table, and their
Status should be “Connected.”
If the Automatic AP Approval option is disabled, all new APs will be listed,
but their status will be “Approval Pending.”
3Under the Action column, click Allow . After the status is changed from
“Disconnected” to “Connected,” the new AP is activated and ready for use.
NOTE: Use “Map View” (on the Monitoring tab) to place the marker icons of any
newly approved APs. See Evaluating and Optimizing Network Coverage for more
information.
Adding New Access Points to the Network
Verifying/Approving New APs
246 Ruckus Wireless, Inc.
Figure 134. The Monitor > Access Points page
Working with Access Point Groups
Verifying/Approving New APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 247
Working with Access Point Groups
Access Point groups can be used to define configuration options and apply them
to groups of APs at once, without having to modify each AP’s settings individually.
For each group, administrators can create a configuration profile that defines the
channels, radio settings, Ethernet ports and other configurable fields for all members
of the group or for all APs of a specific model in the group.
Access Point groups are similar to WLAN groups (see Working with WLAN Groups
for more information). While WLAN groups can be used to specify which WLAN
services are served by which APs, AP groups are used for more specific fine-tuning
of how the APs themselves behave.
The following sections describe the three main steps involved in working with AP
groups:
Modifying the System Default AP Group: The first step in working with AP groups
is defining the default behavior of all APs controlled by ZoneDirector.
Creating a New Access Point Group: After you have defined how you want your
default APs to behave, you can create a subset of access points with different
settings from the default settings.
Modifying Access Point Group Membership: Lastly, you can easily move access
points between groups as described in this section.
AP group configuration settings can be overridden by individual AP settings. For
example, if you want to set the transmit power to a lower setting for only a few
specific APs, leave the Tx Power Adjustment at Auto in the System Default AP
Group, then go to the individual AP configuration page (Configure > Access Points
> Edit [AP MAC address]) and set the Tx Power setting to a lower setting.
Table 24. Maximum number of AP groups by ZoneDirector model
ZoneDirector Model Max AP Groups
ZoneDirector 1200 64
ZoneDirector 3000 256
ZoneDirector 5000 512
Working with Access Point Groups
Modifying the System Default AP Group
248 Ruckus Wireless, Inc.
Modifying the System Default AP Group
If you want to apply global settings to all access points that are controlled by
ZoneDirector, you can modify the settings of the System Default AP group and apply
them to all ZoneDirector-controlled APs at once.
To modify the System Default Access Point group and apply global configuration
settings:
1Go to Configure > Access Points.
2In the Access Point Groups section, locate the System Default access point
group, and click the Edit button on the same line. The Editing (System Default)
form appears.
3Modify any of the settings in Table 2 5 that you want to apply to the System
Default AP group, and click OK to save your changes.
Table 25. Access Point group settings
Setting Description
Name The System Default group name cannot be changed (you can
edit this field when creating/editing any other AP group).
Description The System Default description cannot be changed (you can
edit this field when creating/editing any other AP group).
Channel Range
Settings
To limit the available channels for 2.4 GHz, 5 GHz Indoor and
5 GHz Outdoor channel selection, deselect any channels that
you do not want the APs to use.
Channelization Select Auto, 20MHz or 40MHz channel width for either the 2.4
GHz or 5 GHz radio.
Channel Select Auto or manually assign a channel for the 2.4 GHz or 5
GHz radio.
Tx Power Allows you to manually set the transmit power on all 2.4 GHz
or 5 GHz radios (default is Auto).
11n/ac Only Mode Force all 802.11n and 11ac APs to accept only 802.11n/ac
compliant devices on the 2.4 GHz or 5 GHz radio. If 11n/ac
Only Mode is enabled, all older 802.11b/g devices will be
denied access to the radio.
WLAN Group Specify which WLAN group this AP group belongs to.
Working with Access Point Groups
Modifying the System Default AP Group
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 249
Call Admission Control (Disabled by default). Enable Wi-Fi Multimedia Admission
Control (WMM-AC) to support Polycom/Spectralink VIEW
certification. See Advanced Options under Creating a WLAN
for more information.
Spectralink
Compatibility
(Disabled by default). Enable this option if this AP radio will be
used as a voice WLAN for Polycom/Spectralink phones. This
option changes several AP radio settings such as DTIM, BSS
minrate and RTS-CTS to improve voice quality with Spectralink
phones.
For optimal VoWLAN voice quality, also disable Self-Healing
and Background Scanning from the Configure > Services
page).
IP Mode Set IPv4, IPv6 or dual-stack IPv4/IPv6 IP addressing mode.
ChannelFly Enable this check box to allow ZoneDirector to disable
ChannelFly on an AP if the AP’s uptime is greater than the value
entered for the AP group. This feature can be useful if
ChannelFly causes client connection instability due to APs
restarting and re-running the ChannelFly scanning process. The
option is supported on specific 11n and 11ac APs only.
Location Service Enable this option to enable ZoneDirector’s share in the Ruckus
SmartPositioning Technology (SPoT) location based service
solution. Select the Venue Name that you created on the
Configure > Location Services page. See Configuring SPoT
Location Services.
For information on configuration and administration of Ruckus
SmartPositioning Technology (SPoT) service, please refer to the
SPoT User Guide, available from the Ruckus support site:
https://support.ruckuswireless.com.
Model Specific Control Use this section to configure max clients, LEDs and port
settings for all APs of each specific model that are members of
the group. See Modifying Model Specific Controls.
Group Settings The Group Settings section is used to move access points
between groups. See Modifying Access Point Group
Membership.
Setting Description
Working with Access Point Groups
Creating a New Access Point Group
250 Ruckus Wireless, Inc.
Figure 135. Editing the System Default access point group settings
Creating a New Access Point Group
To create a new AP group with custom settings:
1Go to Configure > Access Points.
2In the Access Point Groups section, click the Create New button. The Create
New form appears.
3Enter a Name and optionally a Description for the new AP group.
4Modify any of the settings in Table 2 5 that you want to apply to the new AP
group, and click OK to save your changes.
Modifying Access Point Group Membership
When more than one AP group exists, you can move APs between groups using
the Group Settings section of the Editing [AP Group] form. The Group Settings
section is divided into two subsections:
Members: Lists the current member APs of this AP group.
Access Points: Lists the APs that are members of other AP groups.
Working with Access Point Groups
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 251
To move an AP from the current AP group to another group:
1In Members, select the AP (or APs) that you want to move to another AP group,
select the target AP group from the menu, and click the Move to button. (To
select all APs in the group, click the check box at the top of the column)
2Click OK to save your changes.
To move an AP from another AP group into the AP group you are currently editing:
1In Access Points, click the check box next to any AP you want to move, and
click Add to this group. The AP disappears from the Access Points list and
appears immediately in the Members list.
2Click OK to save your changes.
Figure 136. Modify AP group membership
Modifying Model Specific Controls
The following settings can be applied to all APs of a particular model that are
members of the AP group:
Max Clients: Set the maximum number of clients that can associate per AP. Note
that different AP models have different maximum client limitations.
Working with Access Point Groups
Modifying Model Specific Controls
252 Ruckus Wireless, Inc.
Internal Heater: Enable internal heaters (specific AP models only).
NOTE: For the internal heater to be operational, ZoneFlex 7762 APs must be
powered by the supplied PoE injector and its associated power adapter or a
standard 802.3at PSE. For the PoE Out port to be operational, ZoneFlex 7762 APs
must be powered by the supplied PoE injector and its associated power adapter.
PoE Out Ports: Enable PoE out ports (specific AP models only).
NOTE: If your ZoneDirector country code is set to United Kingdom, an additional
“Enable 5.8 GHz Channels” option will be available for outdoor 11n/11ac APs.
Enabling this option allows the use of restricted C-band channels. These channels
are disabled by default and should only be enabled by customers with a valid license
to operate on these restricted channels.
PoE Operating Mode: Select PoE operating mode, Auto or 802.3af PoE (specific
AP models only). Default is Auto. If 802.3af PoE is selected, the AP will operate
in 802.3af mode (not 802.3at mode), and will consume less power than in
802.3at mode. However, when this option is selected, some AP features are
disabled to reduce power consumption, such as the USB port and one of the
Ethernet ports. See the Access Point User Guide for model-specific information.
USB Port: On APs with USB ports, you can disable the USB port for all APs of
a specific model in an AP group using this setting (USB ports are enabled by
default). For more information, see Configuring AP USB Ports.
Status LEDs: When managed by ZoneDirector, you can disable the external
LEDs on certain ZoneFlex models, such as the 7300 series APs. This can be
useful if your APs are installed in a public location and you don’t want to draw
attention to them.
External Antenna: External antenna configuration is available for the 5 GHz radio
on the ZoneFlex 7762, and for the 2.4 and 5 GHz radios on the 7782-E APs.
Once enabled, enter a gain value in the range of 0 to 90dBi.
Radio Band: (ZoneFlex 7321 only) Select 2.4 GHz or 5 GHz radio band for the
7321 APs.
USB Software: On SmartPoint APs (ZoneFlex 7321-u only), you can override the
system default USB software per AP group using this setting. See Importing a
USB Software Package.
Port Settings: See Configuring AP Ethernet Ports.
Working with Access Point Groups
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 253
NOTE: The ZoneDirector web interface does not provide an option for LLDP (Link
Layer Discovery Protocol). This option is currently configurable only via CLI. Please
refer to the ZoneDirector Command Line Interface Reference Guide for more
information.
Configuring AP USB Ports
Some Ruckus Wireless APs, such as the H500, support customer-supplied, low
power (1W or less), Bluetooth Low Energy (BLE) devices, such as BLE beacons.
The BLE devices plug into a USB port on the AP, and the AP can be configured to
turn power to the USB port either on or off. Ruckus Wireless APs with USB ports
supporting BLE devices can provide power to the BLE device. The BLE devices
perform whatever tasks they are designed to do without interference from or control
(other than supplying USB power) by the Ruckus Wireless network equipment.
AP USB ports are enabled by default. To disable the USB ports for all APs of a
specific model in an AP group:
1Go to Configure > Access Points.
2In Access Point Groups, click Edit next to the group you want to configure.
3Locate the Model Specific Control section, and select the AP model that you
want to configure from the list.
4In USB Port, select Override System Default, and select Disable USB Port.
5Click OK to save your changes.
Configuring AP Ethernet Ports
Modifying Model Specific Controls
254 Ruckus Wireless, Inc.
Figure 137. Disabling AP USB ports
Configuring AP Ethernet Ports
You can use AP groups to control Ethernet ports on all APs of a certain model.
Then, if you want to override the port settings for a specific AP, you can do so as
explained in the Managing Access Points Individually section below.
To configure Ethernet ports for all APs of the same model:
1Go to Configure > Access Points.
2In Access Point Groups, click Edit next to the group you want to configure.
3Locate the Model Specific Control section, and select the AP model that you
want to configure from the list.
4In Port Setting, select Override System Default. The screen changes to display
the Ethernet ports on the AP model currently selected.
5Deselect the check box next to Enable to disable this LAN port entirely. All ports
are enabled by default.
Configuring AP Ethernet Ports
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 255
6Select the check box next to Tunnel to tunnel all Ethernet traffic on this access
port to ZoneDirector. By default, Ethernet traffic is bridged to the network at the
AP, rather than tunneled to ZoneDirector. In some specific scenarios (such as
Point of Sales and hotel room applications), tunneling Ethernet traffic to
ZoneDirector may be preferable.
NOTE: Note that enabling port tunneling may impact wireless performance.
Additionally, some features are not available for tunneled Ethernet traffic, including
fairness, rate limiting, client count limits, ACLs, prioritization of Ethernet vs. wireless
traffic, client fingerprinting, application visibility, etc. Therefore Ruckus recommends
against enabling port tunneling except in specific cases where it is needed.
7Select DHCP_Opt82 if you want to enable this option for this port (see DHCP
Option 82).
8For any enabled ports, you can choose whether the port will be used as a Trunk
Port, an Access Port or a General Port. The following restrictions apply:
All APs must be configured with at least one Trunk Port.
For single port APs (e.g., ZoneFlex R300), the single LAN port must be a
trunk port and is therefore not configurable.
For ZoneFlex 7055, the LAN5/Uplink port on the rear of the AP is defined as
a Trunk Port and is not configurable. The four front-facing LAN ports are
configurable.
For all other APs, you can configure each port individually as either a Trunk
Port, Access Port or General Port. (See Designating Ethernet Port Type for
more information.)
9(If Smart Mesh is not enabled), choose whether this port will serve as an 802.1X
Authenticator or Supplicant, or leave 802.1X settings disabled (default). (See
Using Port-Based 802.1X for more information.)
10 Click Apply to save your changes.
Configuring AP Ethernet Ports
Modifying Model Specific Controls
256 Ruckus Wireless, Inc.
Figure 138. The ZoneFlex 7982 has two Ethernet ports, LAN1 and LAN2
Figure 139. The ZoneFlex 7055 has four front-facing Ethernet ports and one rear port
Configuring AP Ethernet Ports
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 257
DHCP Option 82
The “DHCP Relay Agent Information Option” (Option 82) allows a DHCP Relay Agent
to insert specific identification information into a request that is being forwarded to
a DHCP server.
When this option is enabled for an Ethernet port or a WLAN SSID, additional
information will be encapsulated in DHCP option 82 and inserted into DHCP request
packets. This option supports the ability for a service provider to allocate IP
addresses intelligently by considering information on the origin of the IP allocation
request.
DHCP Option 82 Sub-Options
Option 82 sub-options can be used to further customize the format and content of
information provided in DHCP requests. ZoneDirector supports the following Option
82 sub-options:
Sub-option 1: Agent Circuit ID
Sub-option 2: Agent Remote ID
Sub-option 150: DHCPv4 Virtual Subnet Selection
Sub-option 151: DHCPv4 Virtual Subnet Selection Control
Sub-option 1 (Circuit ID) can be customized to send only the AP’s MAC address in
hexadecimal format or the MAC address and ESSID. The default format is: IF-
Name:VLAN-ID:ESSID:AP-Model:AP-Name:AP-MAC.
Sub-option 2 (Remote ID) sends the client’s MAC address by default. It can be
configured to send the AP’s MAC address, or the client MAC plus ESSID or AP MAC
plus ESSID.
Sub-option 150 can be enabled to encapsulate the VLAN ID.
Sub-option 151 can be enabled to encapsulate either the ESSID or a configurable
Area Name.
Configuring AP Ethernet Ports
Modifying Model Specific Controls
258 Ruckus Wireless, Inc.
Figure 140. Enabling DHCP Option 82 sub-options for a WLAN
Designating Ethernet Port Type
Ethernet ports are defined as one of the following port types:
Trunk Ports
Access Ports
General Ports
All three port types are used to define how to manage the following two aspects of
VLAN processing:
Which VLANs are processed vs. dropped
What to do with untagged packets (in other words, Native VLAN)
For most ZoneFlex APs, you can set which ports you want to be your Access, Trunk
and General Ports from the ZoneDirector web interface, as long as at least one port
on each AP is designated as a Trunk Port.
By default, all ports are enabled as Trunk Ports with Untag VLAN set as 1 (except
for ZoneFlex 7055, whose four front-bottom ports are enabled as Access Ports by
default). If configured as an Access Port, all untagged ingress traffic is sent to the
Configuring AP Ethernet Ports
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 259
configured Untag VLAN, and all egress traffic is sent untagged. If configured as a
Trunk Port, all untagged ingress traffic is the configured Untag VLAN (by default, 1),
and all VLAN-tagged traffic on VLANs 1-4094 will be seen when present on the
network.
The default Untag VLAN for each port is VLAN 1. Change the Untag VLAN to:
Segment all ingress traffic on this Access Port to a specific VLAN.
Redefine the Native VLAN on this Trunk Port to match your network configura-
tion.
Trunk Ports
Trunk links are required to pass VLAN information between switches. Trunking is a
function that must be enabled on both sides of a link. If two switches are connected
together, for example, both switch ports must be configured as trunk ports.
The Trunk port is a member of all the VLANs that exist on the AP/switch and carries
traffic for all VLANs between switches.
For a Trunk port, the VLAN Untag ID field is used to define the native VLAN - the
VLAN into which untagged ingress packets are placed upon arrival. If your network
uses a different VLAN as the native VLAN, configure the AP Trunk port’s VLAN Untag
ID with the native VLAN used throughout your network.
Access Ports
Access ports provide access to the network and can be configured as members of
a specific VLAN, thereby separating the traffic on these ports from traffic on other
VLANs.
All Access Ports are set to Untag (native) VLAN 1 by default. This means that all
Access Ports belong to the native VLAN and are all part of a single broadcast
domain. When untagged frames from a client arrive at an AP’s Access Port, they
are given an 802.1Q VLAN header with 1 as their VLAN ID before being passed
onto the wired network.
When VLAN 1 traffic arrives destined for the client, the VLAN tag is removed and it
is sent as plain (untagged) 802.11 traffic. When any tagged traffic other than VLAN
1 traffic arrives at the same Access Port, it is dropped rather than forwarded to the
client.
To remove ports from the native VLAN and assign them to specific VLANs, select
Access Port and enter any valid VLAN ID in the VLAN ID field (valid VLAN IDs are
2-4094).
Configuring AP Ethernet Ports
Modifying Model Specific Controls
260 Ruckus Wireless, Inc.
The following table describes the behavior of incoming and outgoing traffic for
Access Ports with VLANs configured.
Table 26. Access Ports with VLANs configured
General Ports
General ports are user-defined ports that can have any combination of up to 20
VLAN IDs assigned. General ports function similarly to Trunk ports, except that
where Trunk ports pass all VLAN traffic, General ports pass only the VLAN traffic
that is defined by the user.
To configure an AP Ethernet port as a General port, select General Port and enter
multiple valid VLAN IDs separated by commas or a range separated by a hyphen.
NOTE: You must also include the Untag VLAN ID in the Members field when defining
the VLANs that a General port will pass. For example, if you enter 1 as the Untag
VLAN ID and want the port to pass traffic on VLANs 200 and 300, you would enter:
1,200,300.
Using Port-Based 802.1X
802.1X authentication provides the ability to secure the network and optionally bind
service policies for an authenticated user. 802.1X provides logical port control and
leverages the EAP authentication and RADIUS protocols to allow the network policy
to be effectively applied in real time, no matter where the user connects to the
network.
VLAN Settings Incoming Traffic (from the
client)
Outgoing Traffic (to the
client)
Access Port, Untag
VLAN 1
All incoming traffic is native
VLAN (VLAN 1).
All outgoing traffic on the port
is sent untagged.
Access Port, Untag
VLAN [2-4094]
All incoming traffic is sent to the
VLANs specified.
Only traffic belonging to the
specified VLAN is forwarded.
All other VLAN traffic is
dropped.
Configuring AP Ethernet Ports
Modifying Model Specific Controls
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 261
AP Ethernet ports can be individually configured to serve as either an 802.1X
supplicant (authenticating the AP to an upstream authenticator switch port), or as
an 802.1X authenticator (receiving 802.1X authentication requests from down-
stream supplicants). A single port cannot provide both supplicant and authenticator
functionality at the same time.
NOTE: If mesh mode is enabled on ZoneDirector, the 802.1X port settings will be
unavailable for any APs that support mesh.
AP Ethernet Port as Authenticator
The Access Point is similar in many ways to a wireless switch. On APs with two or
more wired ports, the AP acts as a network edge switch and can be configured to
authenticate downstream wired stations (which could include multiple clients
connected to another edge switch). When the AP Ethernet port is configured as an
802.1X authenticator, it can be further defined as either Port-based or MAC-based.
MAC-based authenticator mode is only supported if the port is an Access Port.
Table 27. Authenticator support vs. Port Type
To configure an AP Ethernet port as an 802.1X authenticator:
1Go to Configure > Access Points and click the Edit link next to the AP whose
ports you want to configure.
2Locate the Port Setting section and select Override Group Config. The screen
changes to display the AP’s Ethernet ports.
3For Type, select Access Port.
4For 802.1X, select Authenticator (MAC-based) or Authenticator (Port-
based).
In Port-based mode, only a single MAC host must be authenticated for all
hosts to be granted access to the network.
In MAC-based mode, each MAC host is individually authenticated. Each
newly-learned MAC address triggers an EAPOL request-identify frame.
Trunk Port Access Port General Port
Port-based mode X X X
MAC-based mode X
Configuring AP Ethernet Ports
Modifying Model Specific Controls
262 Ruckus Wireless, Inc.
-Guest VLAN: (Default disabled). When a station fails to authenticate to
this port, it will be assigned to this “guest” VLAN, with access to Internet
but not to internal resources.
-Dynamic VLAN: (Default disabled). Dynamically assign VLANs based on
the policies set on the RADIUS server.
-Authenticator: Select the RADIUS server from the list. A RADIUS server
must be selected to set this port as a MAC-based authenticator.
5Enable MAC authentication bypass: Enable this option to allow AAA server
queries using the MAC address as both the user name and password. If MAC
authentication is unsuccessful, the normal 802.1X authentication exchange is
attempted.
Figure 141. Enabling Guest VLAN and Dynamic VLAN on a MAC-based 802.1X Authenticator
port
AP Ethernet Port as Supplicant
You can also configure a port to act as a supplicant and force it to authenticate itself
to an upstream authenticator port. Until the AP has successfully done so, the state
of the authenticator port is closed and packets from the AP or stations behind it will
be dropped at the authenticator port.
In this configuration, it is expected that the connected authenticator port is config-
ured with the following characteristics:
As a Trunk Port to pass all VLAN packets, and
In port-based authentication mode
Configuring AP Ethernet Ports
Viewing AP Ethernet Port Status
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 263
Each AP is allowed to configure a maximum of one Ethernet port as an 802.1X
supplicant, and the supplicant port must be a Trunk Port.
Figure 142. Configuring an AP Ethernet port as an 802.1X Supplicant
Viewing AP Ethernet Port Status
You can view the status of an AP’s port configuration by going to Monitor > Access
Points and clicking on the MAC address of the AP.
Configuring AP Ethernet Ports
Viewing AP Ethernet Port Status
264 Ruckus Wireless, Inc.
Figure 143. Viewing an AP’s Ethernet port configuration
Reviewing Current Access Point Policies
Viewing AP Ethernet Port Status
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 265
Reviewing Current Access Point Policies
The Access Point Policies options allow you to define how new APs are detected
and approved for use in WLAN coverage, as well as policies on client distribution
and communicating with ZoneDirector. These policies are enforced on all APs
managed by ZoneDirector unless a specific WLAN setting overrides them. For
example, if you want to enable Load Balancing for most APs but disable it on specific
WLANs, you would enable it in the Access Point Policies section, then disable it for
the particular WLAN from the Configure > WLANs page.
To review and revise the general AP policies, follow these steps:
1Go to Configure > Access Points.
2Review the current settings in Access Point Policies. You can change the
following settings:
Approval: This is enabled by default, which means that all join requests from
any ZoneFlex AP will be approved automatically. If you want to manually
review and approve the joining of new APs to the WLAN, clear this check box.
Limited ZD Discovery: If you have multiple ZoneDirectors on the network
and want specific APs to join specific ZoneDirectors, you can limit ZoneDi-
rector discovery. To do this, select the Limited ZD Discovery check box,
and then enter the IP addresses (or FQDN) of the primary and secondary
ZoneDirector units to which you want APs to join. When Limited ZD
Discovery is enabled, APs will first attempt to join the primary ZoneDirector.
If they cannot find or are unable to join the primary ZoneDirector, they will
attempt to join the secondary ZoneDirector. If still unsuccessful, APs will stop
attempting for a brief period of time, and then they will restart the joining
process. They will repeat this process until they successfully join either the
primary or secondary ZoneDirector.
NOTE: If you have two ZoneDirectors of the same model, Ruckus Wireless
recommends using the Smart Redundancy feature. If you have two ZoneDirectors
of different models, you can use Limited ZD Discovery to provide limited redundancy;
however, this method does not provide synchronization of the user database. For
information on Smart Redundancy configuration, see Enabling Smart Redundancy.
For information on N+1 redundancy using Limited ZD Discovery, see Using Limited
ZD Discovery for N+1 Redundancy.
Reviewing Current Access Point Policies
Viewing AP Ethernet Port Status
266 Ruckus Wireless, Inc.
-Prefer Primary ZD: Enable this option if you want APs to revert to the
primary ZoneDirector’s control after connection to the primary controller
is restored.
-Keep AP’s Primary and Secondary ZD Settings: Enable this option if
you want the AP’s existing settings to take precedence (not be overwritten
by secondary controller’s settings after failover to secondary ZD).
Management VLAN: You can enable the ZoneDirector management VLAN
if you want to separate management traffic from regular network traffic. The
following options are available:
-Keep AP's setting: Click this option if you want to preserve the Manage-
ment VLAN settings as configured on the AP. Note that Management
VLAN on the AP is disabled by default.
-VLAN ID: Enter a valid VLAN ID to segment management traffic into the
VLAN specified. Valid VLAN IDs are 1-4094.
NOTE: If you change the Management VLAN ID here, you also need to set the
Management VLAN ID that ZoneDirector needs to use on the Configure > System
Settings page. Otherwise, ZoneDirector and the APs will be unable to communicate
via the Management VLAN.
Load Balancing: Balances the number of clients across adjacent APs (see
Load Balancing).
Tunnel MTU: Use this field to set the Maximum Transmission Unit for tunnel
packets between ZoneDirector and APs. The MTU is the size of the largest
protocol data unit (in bytes) that can be passed. Supported MTU values range
from 850 to 1500 (default is 1500). Note that changing this setting to a value
less than 1280 will affect IPv6 connectivity.
Auto Recovery: Set an AP auto recovery time in minutes, after which APs
will reboot in attempt to reconnect to ZoneDirector. Default is 30 minutes.
3Click Apply to save and apply your settings.
Reviewing Current Access Point Policies
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 267
Figure 144. Setting global AP policies on the Configure > Access Points page
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector’s Smart Redundancy feature (see Enabling Smart Redundancy) can
only be used with two ZoneDirectors of the same model (e.g., two ZoneDirector
1200s). If you want to deploy one ZoneDirector as a backup controller for multiple
primary controllers (for example, using a ZD3000 as a backup for several ZD1200s
in remote locations), you can use Limited ZD Discovery to achieve limited N+1
redundancy.
NOTE: Using Limited ZD Discovery for redundancy purposes does not synchronize
the user database, guest database or DPSKs.
To deploy multiple ZoneDirectors in a limited redundancy configuration:
1On each primary ZoneDirector, go to Configure > Access Points > Access
Point Policies and locate the Limited ZD Discovery section.
2Activate the check box next to Only connect to the following ZoneDirector.
Reviewing Current Access Point Policies
Using Limited ZD Discovery for N+1 Redundancy
268 Ruckus Wireless, Inc.
3Enter the IP address of the primary ZoneDirector (the one you are currently
configuring) in Primary ZoneDirector Addr.
4Enter the IP address of the backup ZoneDirector in Secondary ZoneDirector
Addr.
5(Optional) Enable the check box next to Prefer Primary ZD. This ensures that
the AP will revert to its primary controller after connection to the primary has
been restored.
6Click Apply to save your changes.
7Once all the APs, WLANs, WLAN groups and AP groups have been deployed
on the primary ZoneDirector(s), back up the AP configurations for each primary
controller, by going to Administer > Backup and clicking the Backup button
under Back Up Configuration.
NOTE: You should also configure the same exact settings for WLANs, WLAN
groups, AP Groups, Mesh settings and AAA servers on the backup controller prior
to importing AP lists. If you do, the APs will be automatically mapped to their
respective settings on the backup controller. If you do not configure these settings
first before importing AP lists, you will need to configure them for each AP after
importing. For example, you will need to manually move APs into their respective
AP groups from the System Default group if you did not create the AP groups prior
to importing.
8Log into the secondary/backup ZoneDirector, and go to Configure > Access
Points.
9Import the AP lists that you backed up from the primary ZoneDirectors by
selecting Import this backup file and additional backup file(s) and clicking
Import.
10 Repeat until all backup files have been imported.
11 Go to Configure > Access Points > Access Point Policies, and enable the
check box next to Keep AP’s Primary and Secondary ZD Settings. This
ensures that the APs’ primary/secondary ZD settings will not be overwritten by
the secondary ZoneDirector’s configuration after failover to the secondary
controller.
12 Click Apply to save your changes.
13 Reboot the backup/secondary ZoneDirector for all changes to take effect
(Administer > Restart > Restart.)
Importing a USB Software Package
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 269
The imported APs will be placed into AP Groups according to the settings that were
backed up from the primary controller. If the original AP Group or WLAN Group name
does not exist on the destination controller, the AP will be placed in the System
Default AP Group/WLAN Group.
Additionally, you must make sure that the maximum number of APs is not exceeded.
Table 28. Max APs by ZoneDirector model
Importing a USB Software Package
Ruckus ZoneFlex Access Points with USB ports (“SmartPoint” APs) can be config-
ured to support a range of 3G, 4G/LTE, and WiMAX wireless USB devices for non-
WiFi wireless connection to a service provider’s network. The ZoneDirector web
interface allows administrators to provision SmartPoint APs with the USB device
configuration files directly through ZoneDirector, providing a simple and straightfor-
ward provisioning process with minimal human intervention required.
Provisioning requires that the SmartPoint Access Points must be connected to the
ZoneDirector acting as the provisioning server over the wired network. After an AP
is provisioned, an automatic 3G/4G/LTE/WiMAX network connection is made to
connect the AP to the Internet, then to ZoneDirector, enabling the creation of an
LWAPP tunnel and providing 802.11 wireless services.
To upload a USB provisioning file to ZoneDirector
1Go to Configure > Access Points.
2Scroll down to Access Point USB Software Packages.
3Click Choose File, and select the file to upload.
4Click OK to upload the file to ZoneDirector.
To provision a SmartPoint Access Point with USB software:
1Plug the 3G/4G/LTE/WiMAX USB modem into the SmartPoint AP’s USB port.
2Connect the SmartPoint AP to ZoneDirector via wired L2 or L3 network.
Model Max APs per controller
ZoneDirector 1200 75
ZoneDirector 3000 500
ZoneDirector 5000 1000
Importing a USB Software Package
Using Limited ZD Discovery for N+1 Redundancy
270 Ruckus Wireless, Inc.
3Once an LWAPP tunnel between the AP and ZoneDirector has been established,
ZoneDirector automatically pushes the corresponding USB drivers, network
connection scripts and configuration files to the AP.
4The AP saves the files to its persistent storage.
5Disconnect the wired network connection, then reboot the AP.
6After reboot, the AP detects the appropriate drivers on its persistent storage,
goes through the 3G/4G/LTE network connection process and establishes an
LWAPP tunnel with ZoneDirector.
7ZoneDirector pushes the 802.11 wireless configuration to the AP.
8The AP implements the 802.11 wireless configuration and is ready to provide
802.11 wireless services.
9A wireless client connects to the AP’s 802.11 wireless service, and the data traffic
is tunneled to ZoneDirector through the LWAPP tunnel.
Figure 145. Importing a USB software package
Managing Access Points Individually
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 271
Managing Access Points Individually
You can add a description, or change the channel selection, transmit power and
Ethernet port settings of a managed access point by editing the AP’s parameters.
Additionally, you can manually assign an IP address or disable WLAN service entirely
for a specific radio. Configuring any of these settings for an individual AP overrides
settings configured in AP Groups.
To edit the parameters of an access point:
1Go to Configure > Access Points.
2Find the AP to edit in the Access Points table, and then click Edit under the
Actions column.
3Edit any of the following:
Device Name: Enter a descriptive name for the AP for easy identification in
ZoneDirector tables and Dashboard widgets. Names can consist of up to 64
letters, numbers, hyphens and underscores. Note however that only the first
17 characters of the device name will be displayed in the Events/Activities
tables.
Description: Enter a description for the AP. This description is used to identify
the AP in the Map View.
Location: Enter a recognizable location for the AP.
GPS Coordinates: Enter GPS coordinates for location on Google Maps, if
using FlexMaster.
Group: Select an AP group from the list if you want to place this AP into a
group other than the system default group.
4By clicking “Override Group Config” and changing the default values, the
following parameters can be configured independently for each AP radio:
5Channel Range Settings: Deselect any channels that you do not want the AP to
use in channel selection.
6Channelization: Sets the channel width (20 or 40 MHz) of each channel in the
spectrum used during transmission.
7Channel: Manually set the channel used by the AP radio.
8Tx Power: Manually set the maximum transmit power level relative to the
calibrated power.
9WLAN Group: Specify a WLAN group for this radio.
Managing Access Points Individually
Using Limited ZD Discovery for N+1 Redundancy
272 Ruckus Wireless, Inc.
10 Call Admission Control: (Disabled by default). Enable Wi-Fi Multimedia
Admission Control (WMM-AC) to support Polycom/Spectralink VIEW
certification. See Advanced Options under Creating a WLAN for more
information.
11 Spectralink Compatibility: (Disabled by default). Enable this option if this AP
radio will be used as a voice WLAN for Polycom/Spectralink phones. This option
changes several AP radio settings such as DTIM, BSS minrate and RTS-CTS to
improve voice quality with Spectralink phones.
NOTE: For optimal VoWLAN voice quality, also disable Self-Healing and
Background Scanning from the Configure > Services page).
12 WLAN Service: Uncheck this check box to disable WLAN service entirely for
this radio. (This option can be useful if you want dual-band 802.11n APs to
provide service only on the 5 GHz radio, in order to reduce interference on the
2.4 GHz band, for example.) You can also disable service for a particular WLAN
at specific times of day or days of the week, by setting the Service Schedule.
For more information, see Advanced Options for creating a WLAN.
13 External Antenna: External antenna configuration is available for the 5 GHz
radio on the ZoneFlex 7762, and for the 2.4 and 5 GHz radios in the 7782-E
APs. Once enabled, enter a gain value in the range of 0 to 90dBi.
14 Radio Band: (ZoneFlex 7321 only) Select 2.4 GHz or 5 GHz radio band for the
7321 APs.
15 The Network Setting options allow you to configure the IP address settings of
the AP.
IP Mode: Select IPv4 only, IPv6 only or dual IPv4/IPv6 addressing mode.
If you want the AP to keep its current IP address, click Keep AP's Setting.
If the AP’s IP address has not been set, it will automatically attempt to obtain
an IP address via DHCP.
If you want the AP to automatically obtain its IP address settings from a DHCP
server on the network, click the DHCP option in Management IP. You do
not need to configure the other settings (netmask, gateway, and DNS
servers).
If you want to assign a static IP address to the AP, click the Manual option
next to Device IP Settings, and then set the values for the following options:
- IP Address
Managing Access Points Individually
Using Limited ZD Discovery for N+1 Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 273
-Netmask
- Gateway
- Primary DNS Server
- Secondary DNS Server
16 If Smart Mesh is enabled (see Deploying a Wireless Mesh via ZoneDirector), the
Advanced Options section lets you define the role this AP should play in the
mesh network--Auto, Root AP, Mesh AP, or Disable (default is Auto). In most
cases, Ruckus Wireless recommends leaving this setting on Auto to reduce the
risk of isolating a Mesh AP. Select Disable if you do not want this AP to be part
of your mesh network.
17 If this AP is a Mesh AP and you want to manually set which APs can serve as
its uplinks, select the Manual radio button under Advanced Options > Uplink
Selection (default is Smart). The other APs in the mesh appear below the
selection.
18 Select the check box next to each AP that you want to allow the current AP to
use as an uplink.
NOTE: If you set Uplink Selection for an AP to Manual and the uplink AP that you
selected is off or unavailable, the AP status on the Monitor > Access Points page
will appear as Isolated Mesh AP. See Troubleshooting Isolated Mesh APs for more
information.
Figure 146. Manual uplink selection for APs in a mesh
19 If you select Override Group Config in the Port Setting section, a new section
opens where you can customize the Ethernet port behavior for this AP. Enabling
this will override the AP Group settings made on Configuring AP Ethernet Ports.
Managing Access Points Individually
Configuring Hotspot 2.0 Venue Settings for an AP
274 Ruckus Wireless, Inc.
20 Click OK to save your settings.
Figure 147. Ethernet port configuration - Override Group Config
Configuring Hotspot 2.0 Venue Settings for an AP
If this Access Point will be serving a Hotspot 2.0 hotspot, you can set the Venue
Name for the venue at which the AP will be operating. You can create up to two
Venue Names (two languages for the venue name).
To set the Hotspot 2.0 Venue Name for an AP
1Go to Configure > Access Points.
2Click the Edit link next to the AP you want to configure.
3Scroll down to the bottom and expand the Hotspot 2.0 Settings section.
4Click Create New to create a new venue name for this AP. Select the language
and enter the venue name in that language.
5Click Save to save the entry, and click OK to save the Venue Name settings for
the AP.
Optimizing Access Point Performance
Assessing Current Performance Using the Map View
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 275
Figure 148. Setting the Venue Name for a Hotspot 2.0 service AP
Optimizing Access Point Performance
ZoneDirector, through its web interface, allows you to remotely monitor and adjust
key hardware settings on each of your network APs. After assessing AP perfor-
mance in the context of network performance, you can reset channels and adjust
transmission power, or adjust the priority of certain WLANs over others, as needed.
Assessing Current Performance Using the Map View
REQUIREMENT: The importing of a floorplan and placement of APs are detailed in
Importing a Map View Floorplan Image and Placing the Access Point Markers.
1Go to Monitor > Map View. If Map View displays a floorplan with active device
symbols, you can assess the performance of individual APs, in terms of
coverage. (For detailed information on the Map View, see Using the Map View
Too l s .)
2In the Coverage options, select 2.4 GHz or 5 GHz to view coverage for the radio
band.
Optimizing Access Point Performance
Improving AP RF Coverage
276 Ruckus Wireless, Inc.
3When the “heat map” appears, look for the Signal (%) scale in the upper right
corner of the map.
4Note the overall color range, especially colors that indicate low coverage.
5Look at the floorplan and evaluate the current coverage. You can make
adjustments as detailed in the following procedure.
Improving AP RF Coverage
1Click and drag individual AP markers to new positions on the Map View floorplan
until your RF coverage coloration is optimized. There may be a need for additional
APs to fill in large coverage gaps.
2When your adjustments are complete, note the new locations of relocated AP
markers.
3After physically relocating the actual APs according to the Map View placements,
reconnect the APs to a power source.
4To refresh the ZoneDirector Map View, run a full-system RF Scan, as detailed in
Starting a Radio Frequency Scan.
5When the RF scan is complete and ZoneDirector has recalibrated the Map View,
you can assess your changes and make further adjustments as needed.
Assessing Current Performance Using the Access Point
Table
1Go to Monitor > Access Points.
2When the Access Points page appears, review the Currently Managed APs for
specific AP settings, especially the Channel and Clients columns.
3Click on the MAC address of any AP to view detailed information about the AP
such as associated clients, channel, signal strength, neighbor APs and warnings/
events associated with the AP.
4If you want to make changes to individual AP settings, proceed to the next task.
Adjusting AP Settings
1Go to Configure > Access Points.
2Review the Access Points table and identify an AP that you want to adjust.
3Click the Edit button in that AP row.
4Review and adjust any of the following Editing (AP) options:
Optimizing Access Point Performance
Prioritizing WLAN Traffic
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 277
NOTE: Some options are read-only depending on the approval status.
Channelization: Choose 20/40MHz or Auto channel width (11n APs only).
Tx Power: Choose the amount of power allocated to this channel. The default
setting is “Auto” and your options range from “Full” to “Min.”
Mesh Mode: Use this setting to manually configure this AP’s Mesh role (Root
AP, Mesh AP, or Disable). Default is Auto.
Uplink Selection: Use this setting to manually define which APs can serve as
an uplink for this Mesh AP.
5Click OK. The adjusted AP will be automatically restarted, and when it is active,
will be ready for network connections.
Prioritizing WLAN Traffic
If you want to prioritize internal traffic over guest WLAN traffic, for example, you can
set the WLAN priority in the WLAN configuration settings to "high" or "low." By
default all WLANs are set to high priority.
To set a specific WLAN to lower priority:
1Go to Configure > WLANs.
2Click the Edit link next to the WLAN for which a lower priority will be set.
3Select Low next to Priority, and click OK.
Optimizing Access Point Performance
Prioritizing WLAN Traffic
278 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 279
6
Monitoring Your Wireless Network
In this chapter:
Reviewing the ZoneDirector Monitoring Options
Importing a Map View Floorplan Image
Using the Map View Tools
Evaluating and Optimizing Network Coverage
Reviewing Current Alarms
Reviewing Recent Network Events
Moniting WLAN Status
Reviewing Current User Activity
Monitoring Individual Clients
Monitoring Access Point Status
Monitoring Individual APs
Monitoring Mesh Status
Detecting Rogue Access Points
Monitoring System Ethernet Port Status
Monitoring AAA Server Statistics
Monitoring Location Services
Reviewing the ZoneDirector Monitoring Options
280 Ruckus Wireless, Inc.
Reviewing the ZoneDirector Monitoring
Options
The following highlights key ZoneDirector tab options and what you can do with
them.
Dashboard: Every time you log into ZoneDirector via the web interface, this
collection of status indicators appears. Use it as your regular network-monitoring
starting point. Data are blue-colored links that you can use to further drill down
to focus on particular activities or devices.
Real Time Monitoring: To view network traffic, resource utilization and usage
statistics in real time, use the Real Time Monitoring tool accessible via the Toolbox
at the top of any page of the web interface (see Real Time Monitoring).
Monitor > Map View provides a fast scan of key network factors: APs (legitimate,
neighboring and rogue), client devices, and RF coverage. You can see what
devices are where in your floorplan, and visually evaluate network coverage.
NOTE: Map View to work, your computer must have Java version 7 installed. If it
is not installed, ZoneDirector will notify you that you need to download it. The latest
version can be downloaded from www.java.com.
Other Monitor tab options incorporated in the left column's buttons provide
numeric data on WLAN performance and individual device activity. As with the
Dashboard, some data entries are links that take you to more detailed informa-
tion. And, finally, the All Events/Activities log displays the most recent actions by
users, devices and network, in chronological order.
Configure: Use the options in this tab to assess the current state of WLAN users,
any restricted WLANs, along with the settings for guest access, user roles, etc.
You can also combine this tab's options with those in the Administer tab to
perform system diagnostics and other preventive tasks.
Importing a Map View Floorplan Image
Requirements
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 281
Importing a Map View Floorplan Image
If your Ruckus ZoneDirector does not display a floorplan for your worksite when you
open the Monitor tab Map View, you can import a floorplan and place AP markers
in relevant locations by following the steps outlined in this section. The sample
floorplan image cannot be deleted, but it can be replaced with an actual floorplan
image file and relabeled. Then you can add additional floorplan maps for additional
locations or floors.
You can import an unlimited number of floorplan images to ZoneDirector. However,
the total file size of all imported floor maps is limited to 2MB on ZoneDirector 1200,
and 10MB on ZoneDirector 3000/5000. An error message appears when these file
size limits are reached.
Additionally, the maximum file size per floorplan image is 512kb. (200kb or smaller
is recommended).
Requirements
A floorplan image in .GIF, .JPG or .PNG format
The image should be monochrome or grayscale.
The file size should be no larger than 200kb in size.
The floorplan image should be (ideally) no larger than 10 inches (720 pixels) per
side.
Importing the Floorplan Image
1Go to Configure > Maps.
2Click Create New. The Create New form appears.
3In Name, type a name to assign to the floorplan image that you will be importing.
Type a description as well, if preferred.
4Click Browse. The Choose File dialog box appears.
5Browse to the location of the floorplan image file, select the file, and then click
Open to import it. If the import is successful, a thumbnail version of the floorplan
will appear in the Map Image area.
6Go to Monitor > Map View to see this image.
You can now use the Map View to place the Access Point markers.
Importing a Map View Floorplan Image
Placing the Access Point Markers
282 Ruckus Wireless, Inc.
Figure 149. The Create New form for importing a floorplan image
Placing the Access Point Markers
After using the Configure > Maps options to import your floorplan image, you can
use the Monitor tab's Map View to distribute markers that represent the APs to the
correct locations. This will give you a powerful monitoring tool.
NOTE: If you have imported multiple floor plans representing multiple floors in your
building(s), make sure you place the access point markers on the correct floorplan.
1Have the list of APs handy, with MAC addresses and locations.
2Go to Monitor > Map View (if it is not already in view).
3Look in the upper left corner for AP marker icons. There should be one for each
AP, with a tiny red question mark at the top.
4Look at the MAC address notation under the marker icon, to identify a marker.
5Drag each marker icon from the upper left corner into its correct location on the
floorplan.
When you finish, you can make immediate use of the Map View to optimize your
wireless coverage, as detailed in Optimizing Access Point Performance.
Using the Map View Tools
Placing the Access Point Markers
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 283
Using the Map View Tools
If your worksite floorplan has been scanned in and mapped with APs, the Map View
will display a graphical image of your physical Ruckus network AP distribution.
Figure 150. Elements on the Map View
There are a number of helpful features built into the Map View, as noted here and
marked in the above illustration:
1Map drop-down list: Select the floorplan to view from the Map drop-down list.
2Coverage and Show Rogue APs box: For Coverage, selecting 2.4 GHz enables
a signal strength view of your placed 2.4 GHz APs. Selecting 5 GHz displays the
signal coverage of 5 GHz radios. Selecting either 2.4 or 5 GHz opens the Signal
(%) legend on the right side of the Map View. See item number 8 below for the
description of the Signal%. For Show Rogue APs, selecting Yes displays the
detected rogue APs in the floorplan.
1
2
3
4
5
6
7
8
9
10
11
Using the Map View Tools
Placing the Access Point Markers
284 Ruckus Wireless, Inc.
3Unplaced APs area: As noted in Importing a Map View Floorplan Image, when
you first open the Map View, newly placed APs appear in this area. If they are
approved for use (see Adding New Access Points to the Network), you can drag
them into the correct location in the floorplan. Unplaced APs are available across
all of the floor plans you upload. Thus, you can toggle between maps (see
number 1) and place each AP on the appropriate map. For the various AP icon
types, see AP Icons.
4Access Points, Rogue APs, and Clients box: This lower left corner box displays
the number of active APs, any rogue (unapproved or illegitimate) APs, and all
associated clients.
5Search text box: Enter a string, such as part of an AP's name or MAC address,
and the map is filtered to show only the matching results. Clearing the search
value returns the map to its unfiltered view.
6Floorplan area: The floorplan displays in this main area. You can manipulate the
size and angle of the floorplan by using the tools on this screen. Note the following
icons:
7Signal (%): This colored legend displays the signal strength coverage when you
selected either 2.4 GHz or 5 GHz for Coverage (see #2 above). See Evaluating
and Optimizing Network Coverage for more information.
8Upper slider: The upper slider is a zoom slider, allowing you to zoom in and out
of the floorplan. This is helpful in exact AP marker placement, and in assessing
whether physical obstructions that affect RF coverage are in place.
9Lower slider: The bottom slider is the image contrast slider, allowing you to dim
or enhance the presence of the floorplan. If you have trouble seeing the floorplan,
move the slider until you achieve a satisfactory balance between markers and
floorplan details.
10 Scale legend: To properly assess the distances in a floorplan, a scaler has been
provided so that you can place APs in the most precise location.
Click this icon, and then click an AP from the floorplan to remove
that AP.
Click this icon to rotate the floorplan. When clicked, rotation
crosshairs appear in the center of the map; click and hold these
crosshairs and move your cursor to rotate the view.
Refresh the floorplan.
Using the Map View Tools
AP Icons
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 285
11 Open Space Office drop-down list: Open Office Space refers to the methodology
used to compute RF coverage/signal% (i.e., heat map) based on the current
environment.
AP Icons
Each AP marker has variable features that help indicate identity and status:
A normal AP marker displays the
description of the AP and the number
of users that are currently associated
with the AP.
An unplaced AP marker displays a “?”
(question mark) above the icon.
A rogue AP displays a smaller red icon
imprinted with a “bug.”
A “bug” icon with a lock on it indicates
a rogue AP with security enabled.
In a Smart Mesh network, an isolated
AP displays a red “X” above the icon.
When Smart Mesh is enabled, a
circled number appears next to the AP
icon to indicate that it is a Mesh AP.
The number indicates the number of
hops from this Mesh AP to the Root
AP.
When Smart Mesh is enabled, a blue
square with an arrow indicates that it
is a Root AP with active downlinks.
Dotted lines that connect this AP to
other APs indicate the active
downlinks.
When Smart Mesh is enabled, a gray
square (dimmed) with an arrow
indicates that it is a Root AP without
any active downlinks.
Evaluating and Optimizing Network Coverage
Moving the APs into More Efficient Positions
286 Ruckus Wireless, Inc.
Evaluating and Optimizing Network Coverage
If there are gaps or dead spots in your worksite WLAN coverage, you can use
ZoneDirector to assess network RF coverage and then reposition APs to enhance
coverage.
1Go to Monitor > Map View.
2If Map View displays a floorplan with active device symbols, you can assess the
performance of individual APs, in terms of coverage. (See Importing a Map View
Floorplan Image for information on setting up the Map View.)
3For the Coverage option, click 2.4 GHz or 5 GHz.
4When the “heat map” appears, look for a Signal% scale in the upper right corner
of the map.
5Note the color range, especially colors that indicate low coverage.
6Look at the floorplan and evaluate the current coverage.
Moving the APs into More Efficient Positions
You can now move the APs into more efficient positions.
1To do so, click and drag individual AP markers on the Map View floorplan until
your RF coverage coloration is optimized. (You may need to acquire additional
APs to fill in large coverage gaps.)
2Note the new physical locations of relocated AP markers.
3After physically relocating the actual APs in accordance with Map View
repositioning, reconnect each AP to a power source.
When ZoneDirector has recalibrated the Map View after each AP restart, you can
assess your changes and make further adjustments as needed.
An AP with a red square with an arrow
indicates this is an eMAP. An eMAP
uses its wired Ethernet interface as its
uplink, and can mesh with other Mesh
APs through its wireless interface.
Reviewing Current Alarms
Moving the APs into More Efficient Positions
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 287
Reviewing Current Alarms
If an alarm condition is detected, ZoneDirector will record it in the events log, and if
configured, will send an email warning. To review the current alarms and clear all
resolved alarm records, follow these steps:
1Go to Monitor > All Alarms.
2When the All Alarms page appears, the Alarms table lists the unresolved alarms,
the most recent at the top.
Figure 151. The All Alarms page
3Review the contents of this table. The Activities column is especially informative.
4If a listed alarm condition has been resolved, click the now-active Clear link to
the right. You also have the option of clicking Clear All to resolve all alarms at
one time.
Reviewing Recent Network Events
You have two options for reviewing events in your network: [1] open a complete list
of all events, or [2] look at specific lists of events in each Monitor tab workspace,
such as the WLANs workspace “Events/Activities” table.
1Open the ZoneDirector Dashboard and look at the Most Recent User Activities
table and Most Recent System Activities table for summaries of activity in the
network.
Moniting WLAN Status
Clearing Recent Events/Activities
288 Ruckus Wireless, Inc.
2Go to the Monitor tab.
3Click any of the specific options, such as WLANs, Access Points, or Clients.
4Look for an All Events table that specifically focuses on the selected category.
5Under the Monitor tab, click either the All Alarms button or the All Events/
Activities button to see a complete list, with all categories represented in
chronological order.
AP events display the first 17 characters of an AP name, if AP names are used. The
All Events/Activities table displays a maximum of 2,500 events. When this limit is
reached, the oldest events will be overwritten when new events occur.
Clearing Recent Events/Activities
To review the current events and, if appropriate, clear all resolved events, follow
these steps:
1Go to Monitor > All Events/Activities.
2When the All Events/Activities page appears, the Events/Activities table lists the
unresolved events, the most recent at the top.
3Review the contents of this table. You can sort the list by severity level, date/
time, user name and activity type. Click the column header to sort, and click
again to reverse the order displayed.
4You can click Clear All at the bottom of the table to resolve and clear all events
in the view.
Moniting WLAN Status
The Monitor > WLANs page lists the currently deployed WLANs, WLAN Groups,
VLAN Pools, Events/Activities and RADIUS statistics for any WLANs that use
RADIUS authentication.
Moniting WLAN Status
Clearing Recent Events/Activities
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 289
Figure 152. The Monitor > WLANs page
Reviewing Current User Activity
Viewing Application Usage Statistics
290 Ruckus Wireless, Inc.
Reviewing Current User Activity
You can monitor current wireless users by viewing a general overview and on a per-
client basis by doing the following:
1Go to Monitor > Wireless Clients.
2When the Clients page appears, review the table for a general survey.
3Click any client device MAC address link to monitor that client in more detail.
Additionally, you can perform a number of actions on individual clients from this
page, including blocking unauthorized clients, deleting clients from the table (which
will allow them to attempt to reconnect), testing throughput using SpeedFlex, and
testing connectivity using Ping and Traceroute.
Viewing Application Usage Statistics
The Applications/Ports pie chart displays user activity by application or port for the
selected time span. The Application Performance chart displays uplink and downlink
throughput over time. Select time span, AP group and SSID to change the values
displayed in the charts.
Reviewing Current User Activity
Viewing Application Usage Statistics
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 291
Figure 153. Monitoring client activity
Click the Show Details button to display detailed application or port usage
percentages.
Reviewing Current User Activity
Viewing Application Usage Statistics
292 Ruckus Wireless, Inc.
Figure 154. Click Show Details to view application usage statistics
Figure 155. Client application usage details table
Reviewing Current User Activity
Viewing Application Usage Statistics
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 293
Viewing Application Usage by Client
The Applications pie chart can also be used to discover which clients are using the
most used applications. When you mouse over a section of the pie chart, a table is
displayed to the right providing a list of the top 10 clients responsible for this traffic.
Figure 156. Viewing the top 10 clients of an application
Viewing the Top 10 Clients by Usage
Clicking the Top 10 Clients button launches a new web page with a pie chart and
table displaying the top 10 clients by traffic volume.
Reviewing Current User Activity
Active Clients
294 Ruckus Wireless, Inc.
Figure 157. Click the “Top 10 Clients” button to view details on the top clients by traffic
volume
Active Clients
The Active Clients table displays a list of active wireless clients. You can customize
the columns displayed by clicking the Edit Columns button. You can also delete,
block, run SpeedFlex and test connectivity using the action icons in this table.
Inactive Clients
The Inactive Clients table displays a list of inactive clients and can be used to view
usage statistics of recently disconnected clients.
Events/Activities
The Events/Activities table displays a client-specific subset of the events listed on
the All Events/Activities page.
Reviewing Current User Activity
Events/Activities
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 295
Figure 158. Monitoring Clients
Monitoring Individual Clients
Events/Activities
296 Ruckus Wireless, Inc.
Monitoring Individual Clients
You can monitor individual wireless clients by clicking on the MAC address of any
connected client from the Clients page, the All Events/Activities page and other
tables where client information is displayed.
To view detailed information about a specific client:
1Go to Monitor > Wireless Clients.
2Click the link for the MAC address of the client you want to monitor. The page
refreshes to display a page of client specific information and statistics.
The Monitoring > Clients > [client MAC address] page displays the following
information about the connected client.
Table 29. Client information details
Heading Description
Applications/Ports and
Application Performance
Charts
Displays client application usage and throughput in pie
chart and time graph formats. Click Show Details to view
application usage statistics for this client.
General Displays general information on the client, including
Host Name, OS, AP, WLAN, channel, and signal
strength indication.
The Last Updated column displays current AP receive
signal strength (in dB), as well as AP transmit data rate.
The Tx Data Rate value consists of the MCS value
(Modulation and Coding Scheme; for a list of MCS
codes, see http://en.wikipedia.org/wiki/IEEE_802.11n-
2009), the channel width (20S or 40S), and the data rate
in Mbps.
Contains a Client Performance icon (see Monitoring
Client Performance).
Events Displays a client-specific subset of the events in the All
Events/Activities table.
Monitoring Individual Clients
Monitoring Client Performance
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 297
Figure 159. Viewing individual client information and performance statistics
Monitoring Client Performance
The Client Performance graph can be used to track the uplink/downlink throughput
and estimated capacity of a specific client over time.
To monitor a client’s performance:
1Go to Monitor > Wireless Clients and locate the client MAC address in the
Active Clients list.
2Click the client’s MAC address link to view the client details page.
3Click the Client Performance icon to launch a new browser page displaying
client throughput and capacity over time. Select a time increment and the chart
updates immediately.
Monitoring Individual Clients
Monitoring Client Performance
298 Ruckus Wireless, Inc.
Figure 160. The Client Performance icon
Figure 161. Client Performance chart
Monitoring Access Point Status
Monitoring Wired Clients
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 299
The estimated capacity is the maximum potential throughput of a particular client.
Estimated capacity or estimated throughput is the short-time averaged MSDU
throughput the client is receiving when the AP is actually transmitting to that client.
It is measured in bits/s and takes into account the PHY rate, error rate, and all
contention due to 802.11 and non-802.11 transmitters. Because it takes into
account every source of link impairment, estimated throughput is the best possible
way of numerically characterizing client performance in a single number. This
estimate is based on measurements of downlink traffic and is updated only when
the AP transmits more than 1000 packets, each containing at least 1024 bytes of
data, within a one-minute measurement interval.
The uplink and downlink throughput curves show the actual throughput of the client
as measured by the AP. These curves are influenced by the user session, and they
vary as a function of gaps in browsing activity and internet server response times.
Monitoring Wired Clients
You can also monitor currently connected wired clients using the Monitor >Wired
Clients page. This page displays all currently connected 802.1X or tunneled wired
client devices. Only devices with an “authorized” status are permitted access to the
network. The Clients table lists the wired client’s MAC address, user name or IP
address, the AP it is connected to, the port number, VLAN and authorization status.
Click the delete button to remove the entry of the wired client. The Events / Activities
table displays recent connection and authentication events related to wired clients
only.
Monitoring Access Point Status
ZoneDirector provides several different features for monitoring the status and
performance of your APs. The following are three ways you can quickly locate
information on the APs that ZoneDirector is managing:
•Open the Dashboard for a snapshot of the most active APs. Click the MAC
address link of any AP record to see more details.
•Go to Monitor > Map View and click a radio frequency to see a heat-map
rendering of the current RF coverage.
•Go to Monitor > Access Points and review the usage and coverage of your
APs. Click the MAC address link of any listed APs to see more details.
Monitoring Access Point Status
Using the AP Status Overview Page
300 Ruckus Wireless, Inc.
Using the AP Status Overview Page
The Monitor > Access Points page provides an overview of currently managed
APs and consists of three tables: Currently Managed APs, Currently Managed AP
Groups and Events/Activities. These tables list the first 15 entries by default and can
be expanded using the Show More button. Click on the MAC address, AP name
or user name for more detailed information on the specific AP or client.
Currently Managed APs
The Currently Managed APs table includes the following information:
Table 30. Currently managed APs
Heading Description
MAC Address The AP’s MAC address. Click this link to view details
specific to this AP.
Device Name The AP’s “name.” This can be modified on the Configure
> Access Points page by clicking the Edit link next to the
AP’s MAC address.
Description The AP’s “description.” This can be modified on the
Configure > Access Points page by clicking the Edit link
next to the AP’s MAC address.
Location The AP’s “location.” This can be modified on the Configure
> Access Points page by clicking the Edit link next to the
AP’s MAC address.
Model The ZoneFlex model number.
Status Displays the current status of the AP from ZoneDirector’s
perspective:
Approval Pending
Connected
Disconnected
Root AP
Mesh AP
eMesh AP
Number of hops
Mesh Mode Displays whether the AP is manually set as a Root or Mesh
AP, or set to automatically choose Mesh mode.
IP Address The IP address of the AP.
Monitoring Access Point Status
Using the AP Status Overview Page
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 301
Export to CSV
The Currently Managed APs table can be exported as a CSV file, which can be
opened in a spreadsheet program such as Microsoft Excel. Once you have finished
editing which columns you want to display, the option to Export to CSV appears.
If the search box is empty, all APs will be saved to the CSV file. If you enter text in
the search box, only the APs currently matching the search text will be exported.
External IP: Port This column displays the public IP and port number for
APs connected via Layer 3 behind a NAT device.
VLAN The VLAN ID, if configured.
Channel Displays the channel number and channel width. On dual
band APs, details for each radio are shown.
Clients The number of clients currently connected to this AP.
Bonjour Gateway Indicates whether Bonjour Gateway service is enabled,
disabled or not supported on this AP.
Application Capability Indicates whether Application Visibility is enabled, disabled
or not supported on this AP.
Action These icons allow you to configure and troubleshoot APs
individually. See Using Action Icons to Configure and
Troubleshoot APs in a Mesh.
Monitoring Access Point Status
Using the AP Status Overview Page
302 Ruckus Wireless, Inc.
Figure 162. Saving a managed AP list as a CSV file
Currently Managed AP Groups
Click the + icon to expand the AP group to display all members of the group.
Monitoring Access Point Status
Using the AP Status Overview Page
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 303
Figure 163. Viewing AP group members
Events/Activities
This table displays an AP-related subset of the information on the Monitor > All
Events/Activities page.
Monitoring Individual APs
Using the AP Status Overview Page
304 Ruckus Wireless, Inc.
Monitoring Individual APs
When you click on the MAC address of any AP, the Monitor > Access Points page
changes to a detailed view of information related to that specific AP.
You can also click the AP name or MAC address in any of the tables or dashboard
widgets in which it appears as a link to go directly to the AP detail page.
The Monitor > Access Points > [MAC Address] page provides the following details
on the specific AP:
Table 31. AP Information details
Heading Description
General Displays general information on the AP, including software
version, IP address and model number.
Info Displays uptime, clients and mesh status.
Actions Action icons provide tools for managing the AP (see “Using
Action Icons to Configure and Troubleshoot APs in a
Mesh”). On supported APs, an additional “Spectrum
Analysis” icon launches the spectrum analysis tool.
WLANs Displays the WLANs that this AP is supporting.
Radio 802.11(a/n or b/g/n) Displays details on the 2.4 GHz (g/n) and 5 GHz (a/n)
radios. Transmission statistics are totals since last radio
restart. Airtime % statistics represent the time spent
sending and receiving 802.11 frames, plus the time spent
waiting for non-802.11 interference to avoid collision. Free
airtime is 100% - total. High numbers indicate contention
in the channel.
LAN Port Configuration Displays the current configuration of the AP’s LAN ports,
including their enabled state, type (Access Port or Trunk
Port), and Access VLAN ID.
Monitoring Individual APs
RF Pollution FAQ
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 305
RF Pollution FAQ
What is RF Pollution?
“RF Pollution” is a linear index used to describe the level of performance-
impacting RF contention and interference that an AP is experiencing. It distills
several low-level mac and phy-level error metrics into a single parameter. Values
Performance Displays a graphical view of AP performance and RF
environment statistics. Three Performance analysis graphs
plot the capacity, throughput, associated clients and RF
contention in the channel as a function of time. The
estimated capacity is the maximum potential throughput
of a particular client or the current mix of clients. This
estimate is based on measurements of downlink traffic and
is updated only when the AP transmits more than 1000
packets, each containing at least 1024 bytes of data,
within a one-minute measurement interval. The uplink and
downlink throughput curves show the actual throughput
of a particular client or the current mix of clients. These
curves are influenced by the user session, and they vary
as a function of gaps in browsing activity and internet
server response times.
The RF Pollution graph plots a proprietary metric
describing the impediment due to other RF signals
competing for use of the channel over time. (*See RF
Pollution FAQ for more information.)
Neighbor APs Displays nearby APs, their channel and signal strength.
Mesh-related Information Displays uplink/downlink information, transmission
statistics and details on mesh signal strength and stability
(if mesh is enabled).
Sensor Information Displays AP orientation and temperature details as
reported by the AP’s internal sensors (not supported on all
APs). See “Orientation” below for more information.
Clients Displays a list of the currently connected clients. Action
icons can be used to configure or troubleshoot a client from
this list.
Events Displays an AP-related subset of the All Events / Activities
table.
Monitoring Individual APs
RF Pollution FAQ
306 Ruckus Wireless, Inc.
can range from 0 to infinity, although in most normal environments the RF
Pollution index will average between 10 and 100. Higher values are indicative of
a noisier environment.
What is RF Pollution measuring?
It is measuring the level of RF contention and interference experienced by the
AP. It distills several low-level mac and phy-level error metrics into a single
parameter.
How is RF Pollution different than noise?
Noise may or may not have an impact on performance. RF Pollution is a measure
of noise or other interference that is in fact impacting performance.
How do customers use this new concept to understand and manage their WiFi
networks?
RF Pollution is an informational metric. BeamFlex and ChannelFly use a variant
of this metric and other throughput-based metrics internally to optimize the RF
so that you don’t have to.
Why is Ruckus using this new term vs. the existing measurements such as PHY
errors, CRC errors, etc.
PHY Errors and CRC errors can be very misleading metrics because there is no
standard way for the chipset to report them. Different chipsets can report these
errors in different ways and certain types of noise can even mask these errors
entirely. RF Pollution is a more stable metric that will never produce misleading
results.
Monitoring Individual APs
RF Pollution FAQ
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 307
Figure 164. Viewing an individual AP’s information
Figure 165. Monitoring an AP’s performance
Monitoring Individual APs
Spectrum Analysis
308 Ruckus Wireless, Inc.
Spectrum Analysis
Spectrum analysis provides two real time views of the RF environment using data
generated by the AP to chart power levels across the 2.4 and 5GHz frequency
bands.
Instantaneous Samples View (top view): The instantaneous samples plot
provides a real time display of signal power across the entire 2.4 or 5GHz
frequency bands. The plot is color-coded based on the signal power within each
part of the frequency band. Red represents stronger signals while weaker signals
are closer to blue.
CDF of Samples View (bottom view): This graph displays the concentration of
signal power readings within each portion of the frequency band in a cumulative
distribution format. The CDF plot is color-coded based upon the frequency with
which each point is observed during consecutive spectral sweeps of the entire
2.4/5Ghz frequency band. Frequently occurring points are marked ‘red’, moder-
ately occurring points are marked ‘yellow’, and occasionally occurring points are
marked ‘green’.
To view spectrum analysis data for an access point:
1Go to Monitor > Access Points and click the MAC address of the AP to view
the AP detailed information page.
2Click the Spectrum Analysis icon in the “Actions” table. (APs that do not support
this feature do not display this icon).
3The Spectrum Analysis display opens in a new window.
4Select 2.4G or 5G to choose the frequency band for which spectrum analysis
data will be collected and click Start Monitoring to begin.
Monitoring Individual APs
Spectrum Analysis
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 309
Figure 166. APs that support spectrum analysis display an extra icon in the Actions table
Figure 167. The Spectrum Analysis page
Monitoring Individual APs
Neighbor APs
310 Ruckus Wireless, Inc.
Neighbor APs
ZoneDirector uses several calculations to determine which APs are in proximity to
one another. This information can be useful in planning or redesigning your Smart
Mesh topology or in troubleshooting link performance issues.
Details on neighbor APs include:
Access Point: The AP’s description, if configured, or the MAC address if no name
or description is available.
Channel: The channel that the neighbor AP is currently using.
Signal (dB): Signal strength.
Path Score (status): A higher score indicates better performance over the link
between this AP and its neighbor. Note that only ZoneFlex APs of the same radio
type can mesh with one another. If the AP is of a different radio type than the
one you are currently viewing, this field will display “N/A (Unknown).”
Access Point Sensor Information
If your APs include internal sensors, ZoneDirector will display the AP’s status in this
section. Temperature and orientation sensors are available on most Ruckus Wire-
less outdoor APs.
Orientation
This sensor displays the mounting orientation of the AP. Three orientations are
possible:
Desktop/Horizontal Mount
Ceiling/Horizontal Mount
Wall/Vertical Mount
Figure 168. AP orientation sensor information
Monitoring Mesh Status
Access Point Sensor Information
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 311
Temperature
This sensor displays the temperature statistics as reported by the AP.
Figure 169. AP temperature sensor information
Monitoring Mesh Status
The Monitor > Mesh page can be used to view Smart Mesh topologies of any mesh
trees present on your network. Similar to the Mesh widget on the Dashboard, this
page also displays non-meshing APs controlled by ZoneDirector and provides a
number of action icons to troubleshoot and diagnose mesh-related problems.
Detecting Rogue Access Points
Access Point Sensor Information
312 Ruckus Wireless, Inc.
Figure 170. Reviewing Mesh status of APs using the Monitor > Mesh page
Detecting Rogue Access Points
“Rogue” (unauthorized) APs pose problems for a wireless network in terms of airtime
contention as well as security. Usually, a rogue AP appears in the following way: an
employee obtains another manufacturer's AP and connects it to the LAN, to gain
wireless access to other LAN resources. This would potentially allow even more
unauthorized users to access your corporate LAN - posing a security risk. Rogue
APs also interfere with nearby Ruckus Wireless APs, thus degrading overall wireless
network coverage and performance.
ZoneDirector’s rogue AP detection options include identifying the presence of a
rogue AP, categorizing it as either a known neighbor AP or as a malicious rogue,
and locating it on your worksite floorplan prior to its physical removal.
To detect a rogue AP:
1Go to Monitor > Rogue Devices. (You can also click the “#of Rogue Devices
link from the Devices Overview widget on the Dashboard.)
Detecting Rogue Access Points
Access Point Sensor Information
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 313
Figure 171. Rogue devices indicator
2When the Monitor > Rogue Devices page appears, three tables are listed:
Currently Active Rogue Devices: Lists all currently detected rogue APs.
Known/Recognized Rogue Devices: Lists rogue APs that have been marked
as known, typically neighbor APs.
User Blocked Rogue Devices: Lists devices that have been marked as
malicious by the user.
3Review the Currently Active Rogue Devices table. The following types of Rogue
APs generate an alarm when ZoneDirector detects them (if the alarm has been
enabled from the Configure > Alarms page):
AP: A normal rogue AP. This rogue AP has not yet been categorized as
malicious or non-malicious.
malicious AP (SSID-spoof): A malicious rogue AP that uses the same SSID
as ZoneDirector’s AP, also known as an Evil-twin AP.
malicious AP (MAC-spoof): A malicious rogue AP that has the same BSSID
(MAC) as one of the virtual APs managed by ZoneDirector.
malicious AP (Same-Network): A malicious rogue AP that is connected to the
same wired network.
malicious AP (User-Blocked): A rogue AP that has been marked as malicious
by the user.
4To mark an AP as malicious, click Mark as Malicious. This AP will now be
blocked and listed in the User Blocked Rogue Devices table. The malicious rogue
AP protection mechanism (enabled from the Configure > WIPS > Intrusion
Detection and Prevention page) is automatically applied to all rogue APs
categorized as “malicious”, whether user-blocked or another type.
5If a listed AP is part of another, known neighbor network, click Mark as Known.
This identifies the AP as posing no threat, while copying the record to the Known/
Recognized Rogue Devices table.
6To locate rogue APs that do pose a threat to your internal WLAN, click the Map
View icon for a device to open the Map View.
Detecting Rogue Access Points
Access Point Sensor Information
314 Ruckus Wireless, Inc.
7Open the Map View, and look for rogue AP icons . This provides a clue to
their location.
You can now find the rogue APs and disconnect them. Or, if a rogue AP is actually
a component of a neighboring network, you can mark it as “known”.
NOTE: If your office or worksite is on a single floor in a multistory building, your
upper- and lower-floor neighbors' wireless access points may show up on the Map
View, but seemingly in your site. As the Map View cannot locate them in vertical
space, you may need to do a bit more research to determine where the AP is located
and if it should be marked as “Known.”
NOTE: To assist in physically locating rogue devices, click the plus sign (+) icon
next to a detected rogue AP. This expands a list to display which ZoneFlex APs have
detected this rogue, sorted according to signal strength.
Figure 172. Monitoring Rogue Access Points
Monitoring System Ethernet Port Status
Access Point Sensor Information
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 315
Monitoring System Ethernet Port Status
To view the status of ZoneDirector’s Ethernet ports, go to Monitor > System Info.
The table displays the MAC address, Interface ID, physical link status, link speed,
and total packets/bytes received/transmitted on the port since last restart.
Figure 173. Monitoring system Ethernet port information
Monitoring AAA Server Statistics
To monitor AAA servers that you have configured on the Configure > AAA Servers
page, go to Monitor > AAA Servers Statistics.
Monitoring Location Services
Access Point Sensor Information
316 Ruckus Wireless, Inc.
Figure 174. Monitoring AAA servers
Monitoring Location Services
To monitor SmartPositioning location servers that you have configured on the
Configure > Access Points > AP Groups page, go to Monitor > Location Services.
NOTE: For information on configuration and administration of Ruckus
SmartPositioning Technology (SPoT) service, please refer to the SPoT User Guide,
available from the Ruckus support site: https://support.ruckuswireless.com.
Monitoring Location Services
Access Point Sensor Information
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 317
Figure 175. Monitoring Location Services
You can also view the status of location services venues by dragging the Location
Services widget onto the Dashboard.
Figure 176. SPoT dashboard widget
Monitoring Location Services
Access Point Sensor Information
318 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 319
7
Managing User Access
In this chapter:
Enabling Automatic User Activation with Zero-IT
Adding New User Accounts to ZoneDirector
Managing Current User Accounts
Creating New User Roles
Managing Automatically Generated User Certificates and Keys
Using an External Server for User Authentication
Activating Web Authentication
Enabling Automatic User Activation with Zero-IT
320 Ruckus Wireless, Inc.
Enabling Automatic User Activation with
Zero-IT
Ruckus Wireless Zero-IT Activation allows network users to self-activate their
devices for secure access to your wireless networks with no manual configuration
required by the network administrator. Once your ZoneFlex network is set up, you
need only direct users to the Activation URL, and they will be able to automatically
authenticate themselves to securely access your wireless LAN.
Before enabling Zero-IT, make sure you have at least one of each of the following
configured:
•A WLAN configured (Configure > WLANs)
A user Role with access to this WLAN (Configure > Roles)
•A User with this role assigned that exists in either the internal database or an
external RADIUS, Active Directory or LDAP server (Configure > Users)
To enable Zero-IT activation, do the following:
1Go to Configure > WLANs.
2Click Edit on the WLAN where you want to enable Zero-IT Activation.
3Enable WPA2 (not WPA-Mixed; selecting WPA-Mixed will disable the Zero-IT
option).
4Enter a passphrase. (This passphrase will only be used for administrator testing
- you will not need to provide this passphrase to end users.)
5Enable Zero-IT Activation.
6Optionally, enable Dynamic PSK if your WLAN’s authentication and encryption
methods support it (Open authentication and WPA2 encryption only; see
Working with Dynamic Pre-Shared Keys for more information.)
7If the Authentication Method is 802.1X or MAC Address, select which
Authentication Server to authenticate users against. If you are not using an
external server for authentication, you can use ZoneDirector’s internal database.
8Note the Activation URL in the Zero-IT Activation section further down the page.
9Click OK to save your settings.
Enabling Automatic User Activation with Zero-IT
Clients that Support Zero-IT
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 321
Figure 177. Enabling Zero-IT for a WLAN
You have completed enabling Zero-IT for this WLAN. At this point, any user with the
proper credentials (username and password) and running a supported operating
system can self-provision his/her wireless client to securely access your wireless
LANs.
Clients that Support Zero-IT
NOTE: For a detailed list of the operating systems that the Zero-IT configuration
supports, refer to the Release Notes.
Zero-IT Activation can be used with most modern operating systems including
Windows (7/8/Vista), Apple OS X, Apple iOS, Windows Phone and Android OS. For
Windows 7/8/Vista or Mac notebook clients with Ethernet ports, the user simply
connects to the ZoneDirector activation URL and runs the self-activation script.
For clients running Mac OS X, the user must be logged in as an administrator for
Zero-IT activation to work.
Self-Provisioning Clients with Zero-IT
To self-provision a computer to the wireless LAN, use the following procedure:
Enabling Automatic User Activation with Zero-IT
Self-Provisioning Clients with Zero-IT
322 Ruckus Wireless, Inc.
1Connect the computer to the wired LAN using an Ethernet cable.
2Open a web browser and enter the Activation URL in the navigation bar (http:/
/<zonedirector’s_IP_address>/activate). A WLAN Connection
Activation web page appears.
3Enter User Name and Password, and click OK. If the user name and password
are confirmed and the computer is running a supported operating system, an
automated script will launch.
Figure 178. Zero-IT automatic activation
4Run the prov.exe script to automatically configure this computer’s wireless
settings for access to the secure internal WLAN.
5If you are not running a supported operating system, you can manually configure
wireless settings by clicking the link at the bottom of the page (see Provisioning
Clients that Do Not Support Zero-IT).
Enabling Automatic User Activation with Zero-IT
Self-Provisioning Clients without Ethernet Ports
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 323
Figure 179. Corporate WLAN configuration
You have completed Zero-IT configuration for this user. Repeat this procedure to
automatically configure all additional users of your internal WLAN.
Self-Provisioning Clients without Ethernet Ports
Many mobile devices such as iOS, Windows Phone and Android smartphones can
also use Zero-IT Activation. This is done using the Onboarding Portal which is
described in Using the BYOD Onboarding Portal.
Provisioning Clients that Do Not Support Zero-IT
If your users are connecting with clients running earlier versions of Windows, Linux,
or other operating systems that do not support Zero-IT provisioning, users must
manually configure wireless settings. A manual configuration page displays the
settings needed for manual configuration.
Adding New User Accounts to ZoneDirector
Internal User Database
324 Ruckus Wireless, Inc.
Figure 180. Manual configuration information
Adding New User Accounts to ZoneDirector
Once your wireless network is set up, you can instruct ZoneDirector to authenticate
wireless users using an existing Active Directory, LDAP or RADIUS server, or to
authenticate users by referring to accounts that are stored in ZoneDirector's internal
user database.
This section describes the procedures for managing users using ZoneDirector’s
internal user database. For authentication using an external AAA server, see Using
an External Server for User Authentication.
Internal User Database
To use the internal user database as the default authentication source and to create
new user accounts in the database:
1Go to Configure > Users.
2In the Internal User Database table, click Create New.
Adding New User Accounts to ZoneDirector
Internal User Database
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 325
3When the Create New form appears, fill in the text fields with the appropriate
entries:
User Name: Enter a name for this user. User names must be 1-32 characters
in length, using letters, numbers, underscores (_) and periods (.). User names
are case-sensitive and may not begin with a number.
Full Name: Enter the assigned user's first and last name. The user name can
be up to 64 characters, including special characters and spaces.
Password: Enter a unique password for this user, 4-32 characters in length,
using a combination of letters, numbers and special characters including
characters from (!) (char 33) to (~) (char 126). Passwords are case-sensitive.
Confirm Password: Re-enter the same password for this user.
NOTE: ZoneDirector 1200 can support up to 2,000 DPSK users and guest passes,
and up to 2,000 concurrently connected clients. ZoneDirector 3000 can support up
to 10,000 total DPSK users and guest passes, and up to 10,000 concurrently
connected clients. ZoneDirector 5000 can support up to 20,000 guest passes and
10,000 DPSKs, and up to 20,000 concurrently connected clients. When the
maximum number of users that ZoneDirector supports has been reached, additional
clients attempting to connect will be refused.
4If you have created roles that enable non-standard client logins or that gather
staff members into workgroups, open the Role menu, and then choose the
appropriate role for this user. For more information on roles and their application,
see Creating New User Roles.
5Click OK to save your settings. Be sure to communicate the user name and
password to the appropriate end user.
Managing Current User Accounts
Changing an Existing User Account
326 Ruckus Wireless, Inc.
Figure 181. The Create New form for adding users to the internal database
Managing Current User Accounts
ZoneDirector allows you to review your current user roster on the internal user
database and to make changes to existing user accounts as needed.
Changing an Existing User Account
1Go to Configure > Users.
2When the Users features appear, locate the specific user account in the Internal
User Database panel, and then click Edit.
3When the Editing [user name] form appears, make the needed changes.
4If a role must be replaced, open that menu and choose a new role for this user.
(For more information, see Creating New User Roles.)
5Click OK to save your settings. Be sure to communicate the relevant changes
to the appropriate end user.
Creating New User Roles
Deleting a User Record
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 327
Deleting a User Record
1Go to Configure > Users.
2When the Users screen appears, review the “Internal User Database.”
3To delete one or more records, click the check boxes next to those account
records.
4Click the now-active Delete button.
5When the Deletion Confirmation dialog box appears, click OK to save your
settings. The records are removed from the internal user database.
Creating New User Roles
ZoneDirector provides a “Default” role that is automatically applied to all new user
accounts. This role links all users to the internal WLAN and permits access to all
WLANs by default. As an alternative, you can create additional roles that you can
assign to selected wireless network users, to limit their access to certain WLANs,
to allow them to log in with non-standard client devices, or to grant permission to
generate guest passes. (You can then edit the “default” role to disable the guest
pass generation option.)
To create a new user Role:
1Go to Configure > Roles. The Roles and Policies page appears, displaying a
Default role in the Roles table.
2Click Create New (below the Roles table).
3Enter a Name and a short Description for this role.
4Choose the options for this role from the following:
Group Attributes: Fill in this field only if you are creating a user role based
on Group attributes extracted from an Active Directory or LDAP server (see
Group Extraction). Enter the User Group name here. Active Directory/LDAP
users with the same group attributes are automatically mapped to this user
role.
NOTE: For information on how to authenticate administrators using an external
authentication server, refer to Using an External Server for Administrator
Authentication.
Creating New User Roles
Deleting a User Record
328 Ruckus Wireless, Inc.
Allow All WLANs: You have two options: (1) Allow Access to all WLANs,
or (2) Specify WLAN Access. If you select the second option, you must
specify the WLANs by clicking the check box next to each one. This option
requires that you create WLANs prior to setting this policy. See Creating a
WLAN.
Guest Pass: If you want users with this role to have the permission to
generate guest passes, enable this option.
NOTE: When creating a guest pass generator Role, you must ensure that this Role
is given access to the Guest WLAN. If you create a Role and allow guest pass
generation, but do not allow the Role access the relevant WLAN, members of the
“Guest Pass Generator” Role will still be unable to generate guest passes for the
Guest WLAN.
Administration: This option allows you to create a user role with ZoneDi-
rector administration privileges - either full access or limited access.
5When you finish, click OK to save your settings. This role is ready for assignment
to authorized users.
6If you want to create additional roles with different policies, repeat this procedure.
Creating New User Roles
Role Based Access Control Policy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 329
Figure 182. The Create New form for adding a role
Role Based Access Control Policy
Using the Role Based Access Control Policy (RBAC) feature, organizations can
deploy a single SSID for multiple roles and provide different access privileges based
on the user’s role in the organization. For example, a school could create a single
secure WLAN for both students and staff members. Then when either connects to
the network they would be given access rights based on their roles at the school.
Users created on an AAA server can be mapped to roles on ZoneDirector using
group attributes. When a client completes authentication successfully, ZoneDirector
gets the group attributes assigned to this user from the AAA server and uses the
group attributes to determine the user’s role, and applies the access control
restrictions defined in that role to the client’s access privileges.
When RBAC is enabled on a WLAN, Client Fingerprinting must be enabled and
Dynamic VLAN should also be enabled.
Managing Automatically Generated User Certificates and Keys
Role Based Access Control Policy
330 Ruckus Wireless, Inc.
Figure 183. Configuring RBAC policy for a role
Managing Automatically Generated User
Certificates and Keys
With Ruckus Zero-IT wireless activation, a unique key or certificate is automatically
generated for a user during the activation process. More precisely, for a WLAN
configured with WPA or WPA2 and Dynamic PSK enabled, a unique and random
key phrase is generated for each wireless user. Similarly, for a WLAN configured
with 802.1X/EAP authentication, a unique certificate for each wireless user is
created.
Using an External Server for User Authentication
Role Based Access Control Policy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 331
When using the internal user database, automatically generated user certificates
and keys are deleted whenever the associated user account is deleted from the
user database. In the case of using Windows Active Directory, LDAP or RADIUS as
an authentication server, you can delete the generated user keys and certificates by
following these steps:
1Go to Monitor > Generated PSK/Certs. The Generated PSK/Certs page
appears.
2Select the check boxes for the PSKs and Certificates that you want to delete.
3Click Delete to delete the selected items.
The selected PSKs and Certificates are deleted from the system.
A user with a deleted PSK or a deleted certificate will not be able to connect to the
wireless network without obtaining a new key or a new certificate.
Using an External Server for User
Authentication
Once your wireless network is set up, you can instruct ZoneDirector to authenticate
wireless users using your existing Authentication, Authorization and Accounting
(AAA) server. The following types of AAA servers are supported:
Active Directory
LDAP
RADIUS / RADIUS Accounting
The ZoneDirector web interface provides a sample template for each of the AAA
server types. These templates can be customized to match your specific network
setup, or you can create new AAA server objects and add them to the list.
To use an external authentication server:
1Go to Configure > AAA Servers. The Authentication/Accounting Servers page
appears.
2Click the Create New link in the Authentication/Accounting Servers table, or
click Edit next to the relevant server type in the list.
3When the Create New form (or “Editing” form) appears, make the following
entries:
•In Name, type a descriptive name for this authentication server (for example,
“Active Directory”).
•In Ty pe , verify that one of the following options is selected:
Using an External Server for User Authentication
Role Based Access Control Policy
332 Ruckus Wireless, Inc.
-Active Directory: If you select this option, you also need to enter the IP
address of the AD server, its port number (default is 389), and its Windows
Domain Name.
-LDAP: If you select this option, you also need to enter the IP address of
the LDAP server, its port number (default is 389), and its LDAP Base DN.
-RADIUS: If you select this option, you also need to enter the IP address
of the RADIUS server, its port number (default is 1812), and its shared
secret.
-RADIUS Accounting: If you select this option, you also need to enter the
IP address of the RADIUS Accounting server, its port number (default is
1813), and its shared secret.
4Additional options appear depending on which AAA server Type you have
selected. See the respective server type for more information.
5Click OK to save this server entry. The page refreshes and the AAA server that
you added appears in the list of authentication and accounting servers.
Note that input fields differ for different types of AAA server. ZoneDirector only
displays the option to enable Global Catalog support if Active Directory is chosen,
for example, and only offers backup RADIUS server options if RADIUS or RADIUS
Accounting server is chosen. Also note that attribute formats vary between AAA
servers.
NOTE: If you want to test your connection to the authentication server, enter an
existing user name and password in the Test Authentication Settings panel, and
then click Test. If testing against a RADIUS server, this feature uses PAP or CHAP
depending on the RADIUS server configuration and the choice you made in RADIUS/
RADIUS Accounting. Make sure that either PAP or CHAP is enabled on the Remote
Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing
with testing authentication settings.
Activating Web Authentication
Role Based Access Control Policy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 333
Figure 184. The Create New form for adding an authentication server
For more information on configuring an external authentication server, see Using an
External AAA Server.
Activating Web Authentication
Web authentication (also known as a “captive portal”) redirects users to a login web
page the first time they connect to this WLAN, and requires them to log in before
granting access to use the WLAN.
After you activate web authentication on your WLAN, you must then provide all users
with a URL to your login page. After they discover the WLAN on their wireless device
or laptop, they open their browser, connect to the Login page and enter the required
login information.
To activate web authentication:
1Go to Configure > WLANs. The WLAN page appears.
2Look for the WLAN that you want to edit, and then click the Edit link that is on
the same row.
3When the Editing (WLAN_Name) form appears, locate the Web Authentication
option. See Figure 185.
Activating Web Authentication
Captive Portal Redirect on Initial Browser HTTPS Request
334 Ruckus Wireless, Inc.
4Click the check box to Enable captive portal/Web authentication.
5Select the preferred authentication server from the Authentication Server drop-
down menu.
6Click OK to save this entry.
Repeat this “enabling” process for each WLAN to which you want to apply web
authentication.
Figure 185. Activating captive portal/web authentication
Captive Portal Redirect on Initial Browser HTTPS
Request
When logging in to a Web Auth/Hotspot/Guest WLAN by initially requesting an
HTTPS page in the browser, the client may encounter one or two SSL/HTTPS
security warnings as follows:
The first is generated because the SSL certificate of the HTTPS site the user is
trying to reach does not match the certificate installed on the ZoneDirector.
Depending on the browser/OS, this maybe flagged as a potential Man in the
Middle attack (MiM).
Activating Web Authentication
Captive Portal Redirect on Initial Browser HTTPS Request
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 335
The second is generated if the ZoneDirector or Hotspot server does not have an
SSL certificate signed by a recognized Certificate Authority installed when the
client is redirected to the login page.
These browser security warnings are there to encourage users to take care when
browsing secure sites and ensure their authenticity. However, there are 2 options to
help mitigate these warnings:
1Completely disable the “redirect on initial browser HTTPS request” feature (refer
to the ZoneDirector CLI Reference Guide, “no https-redirection” command).
Users will no longer be redirected to the captive portal when their browser initially
requests an HTTPS page and the browser will display a message similar to “Page
not found” or “SSL connection error”. In this case, the user will then need to
request an HTTP page (not HTTPS) to be redirected to the login page. This
approach prevents users from being “conditioned” to click-through browser
security warnings.
2Install an SSL certificate signed by a recognized Certificate Authority on the
ZoneDirector or captive portal server. This will only prevent the second security
warning - the first will still occur because the certificate will not match that of the
requested secure site. See Working with SSL Certificates for more information.
Activating Web Authentication
Captive Portal Redirect on Initial Browser HTTPS Request
336 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 337
8
Managing Guest Access
In this chapter:
Configuring Guest Access
Creating a Guest Access Service
Creating a Guest WLAN
Using the BYOD Onboarding Portal
Working with Guest Passes
Configuring Guest Access
338 Ruckus Wireless, Inc.
Configuring Guest Access
Using ZoneDirector’s Guest Access features, visitors to your organization can be
allowed limited access to a guest WLAN with configurable guest policies, or given
the option to self-activate their devices to an internal WLAN using Zero-IT activation
via the BYOD Onboarding Portal, or both. The following sections describe how to
configure guest WLANs and access policies that control guest use of your network:
Creating a Guest Access Service
Creating a Guest WLAN
Using the BYOD Onboarding Portal
Working with Guest Passes
Creating a Guest Access Service
Each guest WLAN must be associated with a Guest Access Service, which defines
the behavior of the guest WLAN interface.
To create a Guest Access Service:
1Go to Configure > Guest Access.
2Click Create New to configure a guest access service.
3In Onboarding Portal, choose which options to display in the BYOD Onboarding
Portal. See Using the BYOD Onboarding Portal.
4In Authentication, choose whether to use guest pass authentication or no
authentication:
Use guest pass authentication: Redirect the user to a page requiring the user
to enter a valid guest pass before allowing access to the guest WLAN. See
Working with Guest Passes.
No authentication: Do not require redirection and guest pass validation.
5Under Validity Period, choose whether the guest pass will be effective from
creation time or effective from first use, and enter an expiration period after
which the guest pass will expire if unused.
6Under Terms of Use, select the Show terms of use check box to require the
guest user to read and accept your terms of use prior to use. Type (or cut and
paste) your terms of use into the large text box.
7Under Redirection, select one of the following radio buttons to use/not use
redirection:
Creating a Guest Access Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 339
Redirect to the URL that the user intends to visit: Allows the guest user to
continue to their destination without redirection.
Redirect to the following URL: Redirect the user to a specified web page
(entered into the text box) prior to forwarding them to their destination. When
guest users land on this page, they are shown the expiration time for their
guest pass.
8Customize any of the following optional configuration settings:
Web Portal Logo: Upload a logo to replace the Ruckus logo.
Guest Access Customization: Enter text to display on the welcome page.
Guest Pass Self-Service: Enable this option to allow users to self-activate
guest passes. See Using Guest Pass Self-Service.
Restricted Subnet Access: See Configuring Guest Subnet Restrictions.
9Click Apply to save your settings.
Figure 186. Configuring Guest Access
Creating a Guest Access Service
Using Guest Pass Self-Service
340 Ruckus Wireless, Inc.
Using Guest Pass Self-Service
The Guest Pass Self-Service feature allows guests to connect to a guest SSID and
submit basic information (name, email address and mobile phone number) to receive
a guest pass code. The guest then enters this code to gain access to the internet,
with no IT involvement required.
Using the default settings, a guest user connects to a self-service guest WLAN and
enters his contact information to receive a guest pass code. The user then activates
the guest pass, and can now freely use the internet.
Additional configuration options allow the administrator to set the guest pass
delivery method (either displayed directly on the device screen, or sent to the user
via email, SMS, or both) to set session length and access duration, and to require
“sponsor approval” prior to providing a guest pass to the new guest user.
To enable Guest Pass Self-Service:
1On the Configure > Guest Access page, create a new Guest Access service or
edit an existing one.
2Enter a Name for the guest access service.
3In Authentication, select Use Guest Pass Authentication.
4Set the guest pass validity period by selecting one of the following options:
Effective from the creation time: This type of guest pass is valid from the
time it is first created to the specified expiration time, even if it is not being
used by any end user.
Effective from first use: This type of guest pass is valid from the time the
user uses it to authenticate with ZoneDirector until the specified expiration
time. An additional parameter (A Guest Pass will expire in X days) can be
configured to specify when a guest pass will expire when unused. The default
is 7 days.
5Enable Terms of Use and customize the content in the text box, if you want to
require guests to read and accept a Terms of Use prior to accessing the network.
6In Redirection, select Redirect to the following URL and enter a destination
URL, or select Redirect to the URL that the user intends to visit.
7Select Enable Guest Pass Self-Service (enabled by default). The following new
options appear:
Access Duration: Select the default access time provided with one guest
pass in days, hours or weeks. (Default is one day.)
Creating a Guest Access Service
Using Guest Pass Self-Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 341
Session: Optionally, enable the session limitation to require guest pass users
to re-login after the specified time period.
Max Device: Allow multiple devices to share a single guest pass. (Default is
one device.)
Sponsor Approval: Select this option to require email approval for issuing
self-service guest passes. (See Requiring Sponsor Approval for Self-Service
Guest Pass Authentication.)
Notification Method: Select whether the guest pass will be delivered via
email, SMS, or displayed directly on the device screen. When Sponsor
Approval is selected, the Device Screen option is not allowed.
Terms and Conditions: Enable this option to display a message to the user
before proceeding to registration/authentication.
8Click OK to save your changes.
9Go to Configure > WLANs, and apply this Guest Access Policy to a Guest
Access WLAN, as described in Creating a Guest WLAN.
Figure 187. Creating a Self-Service Guest Access service
Creating a Guest Access Service
Using Guest Pass Self-Service
342 Ruckus Wireless, Inc.
Accessing a Self-Service Guest WLAN
The simplest way to deploy a self-service guest WLAN is to enable the self-service
option and do not change any of the default settings. When a self-service guest
WLAN is deployed in this way, the user follows these steps to self-activate and begin
using a guest pass:
1Connect to the guest WLAN, launch a web browser and attempt to browse to
any site.
2The browser redirects to the Guest Access Login page.
3Click Register New Guest Access.
Figure 188. Guest Access login page
4The New Guest Registration page appears.
5Enter a Name, Email address and mobile phone number.
6Click Submit.
Creating a Guest Access Service
Using Guest Pass Self-Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 343
Figure 189. New Guest Registration page
7The Welcome to Guest Access page appears, displaying the information you
entered along with your new Guest Pass code.
Figure 190. Your Guest Pass code along with your registration information are displayed
8Click Go to Guest Access Portal.
Creating a Guest Access Service
Using Guest Pass Self-Service
344 Ruckus Wireless, Inc.
9The Authenticated page appears. Your guest pass is now activated and you can
begin using the wireless network. Click Continue to be redirected to the URL
you originally intended to visit.
Figure 191. Click the Continue icon to begin using the wireless network
Requiring Sponsor Approval for Self-Service Guest Pass
Authentication
If the “Sponsor Approval” option is enabled, when the user connects to the WLAN,
he or she submits registration information along with a Sponsor’s email address
and waits for sponsor approval. The Sponsor receives an email request and clicks
a link to allow this user access to the guest WLAN. Once the registration is approved,
ZoneDirector then generates a guest pass and sends it to the user via email and/
or SMS using the contact information the user provided.
NOTE: If using Sponsor Approval, ZoneDirector must be configured with your
SMTP settings for email delivery, or with a valid Twilio or Clickatell account to deliver
guest passes via SMS. See Setting Up Email Alarm Notifications and Configuring
SMS Settings for Guest Pass Delivery via SMS for more information.
Configure the following options if Sponsor Approval is enabled:
Sponsor number: Set how many sponsors the user can specify to approve
the guest pass request. Valid values are 1-5.
Creating a Guest Access Service
Using Guest Pass Self-Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 345
Sponsor Authentication Server: Select the authentication server to be used
for sponsor authentication. When a guest pass approval request is sent to
the sponsor’s email, the sponsor must click the link in the email, log in to this
authentication server, and approve or reject the request. Options include
Local Database, Active Directory, LDAP and RADIUS.
NOTE: When sponsor approval is enabled, all guest service profiles share the same
sponsor authentication server. If you select a different authentication server when
creating a new guest service, the new server will be used for all guest services.
Notification Method: Select whether the guest pass will be delivered via
email, mobile (SMS), or both. When Sponsor Approval is selected, delivering
the guest pass directly to the client Device Screen is not allowed.
Figure 192. Configuring Sponsor Approval for Self Service Guest Passes
When a user connects to a guest WLAN with Sponsor Approval enabled, the New
Guest Registration page displays an additional mandatory field, Sponsor’s email.
Creating a Guest Access Service
Using Guest Pass Self-Service
346 Ruckus Wireless, Inc.
Figure 193. New Guest Registration page - with Sponsor Approval enabled
To request, approve and activate a sponsor-approved guest pass, use following
procedure:
1On the New Guest Registration screen, enter your Name, Mobile number and
Email address.
2Enter the sponsor’s email address and click Submit. A guest pass request email
is sent to the sponsor’s address, and the Guest Access request submitted
screen is displayed.
Creating a Guest Access Service
Using Guest Pass Self-Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 347
Figure 194. Guest Access Request Submitted page
3The sponsor will then receive an email requesting approval for guest pass
activation.
4Open the email and click the link to open the Sponsor/Approver Authentication
page.
Figure 195. Sponsor approval email
5On the Sponsor/Approver Authentication page, enter a valid User Name and
Password and click Log in to continue.
NOTE: This user name and password must exist on the Authentication Server
(Local Database, AD, LDAP or RADIUS) configured for this guest access service.
Creating a Guest Access Service
Using Guest Pass Self-Service
348 Ruckus Wireless, Inc.
Figure 196. Sponsor Login
6Upon successful login, the Guest Pass Approval page appears, displaying the
name, phone and email addresses of all pending guest pass requests. Select
the check boxes next to each guest pass you wish to approve, set the Duration
for each, and click Approve to approve them.
Figure 197. Guest Pass Approval
7Approving a guest pass triggers delivery of an email (and/or SMS message)
containing the guest pass code to the guest.
8As a guest user, open this email and copy the Guest Pass code to the clipboard.
Figure 198. Guest pass activation email
Creating a Guest Access Service
Using Guest Pass Self-Service
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 349
9Launch a web browser and browse to any URL. You will be redirected to the
Welcome login page.
10 Enter the Guest Pass code received in the activation email and click Submit.
Figure 199. Enter Guest Pass code and click Submit
11 You have successfully authenticated to this guest network using the guest pass
provided. Click Continue to complete activation and continue to your original
destination URL.
Creating a Guest Access Service
Configuring Guest Subnet Restrictions
350 Ruckus Wireless, Inc.
Figure 200. Click Continue to begin using the wireless network
Configuring Guest Subnet Restrictions
By default, guest pass users are automatically blocked from the ZoneDirector
subnet (format: A.B.C.D/M) and the subnet of the AP to which the guest user is
connected. If you want to create additional rules that allow or restrict guest users
from specific subnets, use the Restricted Subnet Access section.
You can create up to 22 subnet access rules, which will be enforced both on the
ZoneDirector side (for tunneled/redirect traffic) and the AP side (for local-bridging
traffic).
To create a guest access rule for a subnet:
1Go to Configure > Guest Access.
2Edit or create a new Guest Access Service.
3Scroll down to the bottom and expand the Restricted Subnet Access section.
4Click Create New to create a new subnet restriction. Text boxes appear under
the table columns in which you can enter parameters that define the access rule.
5Under Description, type a name or description for the access rule that you are
creating.
6Under Type, select Deny if this rule will prevent guest users from accessing
certain subnets, or select Allow if this rule will allow them access.
Creating a Guest WLAN
Configuring Guest Subnet Restrictions
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 351
7Under Destination Address, type the IP address and subnet mask (format:
A.B.C.D/M) on which you want to allow or deny users access.
8If you want to allow or restrict subnet access based on the application, protocol,
or destination port used, click the Advanced Options link, and then configure
the settings.
9Click OK to save the subnet access rule.
Repeat Steps 4 to 9 to create up to 22 subnet access rules.
Figure 201. The Restricted Subnet Access options
Creating a Guest WLAN
After you have created a guest access service, create a WLAN of the type “Guest
Access.” This WLAN can be configured to allow access only to a specific set of
resources - such as ZoneDirector’s Zero-IT activation address, from which users
can then activate their devices to gain access to the secure internal WLANs.
To create a Guest WLAN:
1Go to Configure > WLANs.
2Under WLANs, click Create New. The Create New WLAN form appears.
3Enter a Name (SSID) for this WLAN that will be easy for your guests to remember
(e.g., “Guest WLAN”). The Description field is optional.
Creating a Guest WLAN
Configuring Guest Subnet Restrictions
352 Ruckus Wireless, Inc.
4Under Type, select Guest Access.
5Since this is a Guest network, the only Authentication Option available is Open.
6Choose an Encryption Method that provides the best compromise between
security and compatibility, based on the kinds of client devices that you expect
your guests will use.
7Select a Guest Access Service from the list of services created on the Configure
> Guest Access page.
8If you want your internal wireless traffic to have priority over guest traffic, set the
Priority to Low.
9Under Advanced Options, select the options to enable for this WLAN. For more
information on WLAN advanced options, see Advanced Options.
Optionally, enable a Grace Period (disabled by default) and enter a value in
minutes to allow disconnected users a grace period after disconnection,
during which users will not need to re-authenticate.
10 Click OK to save your changes.
Figure 202. Create a Guest Access WLAN
Using the BYOD Onboarding Portal
Configuring Guest Subnet Restrictions
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 353
Using the BYOD Onboarding Portal
The Onboarding Portal feature provides a series of intuitive option screens allowing
mobile users to choose whether to connect to a Guest WLAN or to self-configure
their mobile devices to authenticate to an internal WLAN using Zero-IT activation.
To enable the Onboarding Portal for mobile devices:
1Go to Configure > Guest Access.
2Click Edit or Create New to configure a guest access service.
3Enable the check box next to Onboarding Portal to enable Zero-IT device
registration from the Guest Portal.
4Select one of the following options to display when connecting to the Onboarding
Portal:
Guest Pass + Device Registration: Show both buttons.
Device Registration: Show Zero-IT Device Registration button only.
5If Guest Pass is enabled, configure Guest Pass options as described in Working
with Guest Passes.
6Click Apply.
Figure 203. Enable Onboarding Portal
Using the BYOD Onboarding Portal
Configuring Guest Subnet Restrictions
354 Ruckus Wireless, Inc.
When a client connects to the Open Guest WLAN for the first time, the Ruckus
Onboarding Portal page is displayed. The screen displays the following three
options:
Guest Access
Register Device (download Zero-IT activation file)
•Both
Figure 204. The Onboarding Portal for mobile devices
If the user clicks the Guest Access button, the process is the same as when
connecting to a Guest WLAN and all settings on the Guest Access configuration
page will be put into effect.
Using the BYOD Onboarding Portal
Configuring Guest Subnet Restrictions
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 355
Figure 205. Guest Access welcome and terms of use screens
If the user clicks the Register Device button, the web page will be redirected to the
WLAN Connection Activation page, from which the user can enter user name and
password to activate this device. A Zero-IT activation file is generated for download
once the client is registered with ZoneDirector.
Figure 206. Activate device using the WLAN Connection Activation screen, and download
activation file
After running the downloaded Zero-IT file, the device will be configured with the
settings to automatically connect to the secure internal/corporate WLAN.
NOTE: You may need to manually switch from the guest WLAN to the secure WLAN
after activation (on some mobile devices).
Using the BYOD Onboarding Portal
Configuring Guest Subnet Restrictions
356 Ruckus Wireless, Inc.
NOTE: You may need to manually delete any previously installed Zero-IT activation
files before a new one can be run. On some devices (including some Android
versions), the activation file will not run if an older an existing package of the same
name with a conflicting signature is already installed.
Working with Guest Passes
Configuring Guest Pass Generation
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 357
Working with Guest Passes
Guest passes are temporary privileges granted to guests to access your wireless
LANs. ZoneDirector provides many options for customizing guest passes,
controlling who is allowed to issue guest passes, and controlling the scope of access
to be granted.
With Guest Pass authentication enabled, guests are required to enter a guest pass
code when connecting to a guest WLAN. Temporary guest passes can be issued
for single users, multiple users, one-time login, time-limited multiple logins for a
single guest user, or can be configured so that a single guest pass can be shared
by multiple users. Additionally, they can be batch generated if many short-term guest
passes need to be created at once.
Guest passes can be delivered in any of the following ways:
•Printout
Send SMS with guest credentials
Send email with guest credentials
NOTE: To enable guest pass delivery via email or SMS, you must first configure an
email server or an SMS delivery account (Twilio or Clickatell) from the Configure >
System page.
NOTE: ZoneDirector 1200 can support up to 2,000 DPSK users and guest passes,
and up to 2,000 concurrently connected clients. ZoneDirector 3000 can support up
to 10,000 total DPSK users and guest passes, and up to 10,000 concurrently
connected clients. ZoneDirector 5000 can support up to 20,000 guest passes and
10,000 DPSKs, and up to 20,000 concurrently connected clients. When the
maximum number of users that ZoneDirector supports has been reached, additional
clients attempting to connect will be refused.
Configuring Guest Pass Generation
By default, all authenticated users in the internal database with the Default role are
allowed to generated guest passes. To authenticate guest pass generators using
an external authentication server, do the following:
1Go to Configure > Guest Access. The Guest Access page appears.
2Scroll down to the Guest Pass Generation section.
Working with Guest Passes
Configuring Guest Pass Generation
358 Ruckus Wireless, Inc.
3In Authentication Server, select the authentication server that you want to use
to authenticate users who want to generate guest passes.
If you configured an AAA server (RADIUS, Active Directory or LDAP) on the
Configure > AAA Servers page and you want to use that server to authenti-
cate users, select the server name from the drop-down menu. (See Using an
External Server for User Authentication.)
If you want to use ZoneDirector’s internal database, select Local Database.
4When you finish, click Apply to save your settings and make this new policy
active.
NOTE: Remember to inform users that they can access the Guest Pass Generation
page at https://{zonedirector-hostname-or-ipaddress}/
guestpass. In the example Figure 207, the Guest Pass Generation URL is
https://192.168.40.100/guestpass.
Figure 207. The Guest Pass Generation section on the Guest Pass page
Controlling Guest Pass Generation Privileges
To disable the guest pass generation privilege granted to all basic “default” role
users, follow these steps:
Guest Pass
Generation URL
Working with Guest Passes
Configuring Guest Pass Generation
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 359
1Go to Configure > Roles. When the Roles and Policies page appears, a table
lists all existing roles, including “Default.”
2Click Edit (in the “Default” role row).
3In the Policies options, clear the Allow Guest Pass Generation check box.
4Click OK to save your settings. Users with “default” roles no longer have guest
pass generation privileges.
Creating a Guest Pass Generation User Role
To create a guest pass generator role that can be assigned to authorized users,
follow these steps:
1Go to Configure > Roles.
2In the Roles table, click Create New.
3When the Create New features appear, make these entries:
Name: Enter a name for this role (e.g., “Guest Pass Generator”).
Description: Enter a short description of this role's application.
Group Attributes: This field is only available if you choose Active Directory
as your authentication server. Enter the Active Directory User Group names
here. Active Directory users with the same group attributes are automatically
mapped to this user role.
Allow All WLANs: You have two options: (1) allow all users with this role to
connect to all WLANs, or (2) limit this role's users to specific WLANs, and
then pick the WLANs they can connect to.
NOTE: When creating a guest pass generator Role, you must ensure that this Role
is given access to the Guest WLAN. If you create a Role and allow guest pass
generation, but do not allow the Role access the relevant WLAN, members of the
“Guest Pass Generator” Role will still be unable to generate guest passes for the
Guest WLAN.
Guest Pass: If you want users with this role to have permission to generate
guest passes, check this option.
4Click OK to save your settings. This new role is ready for application to authorized
users.
Working with Guest Passes
Configuring Guest Pass Generation
360 Ruckus Wireless, Inc.
Figure 208. Create a guest pass generator Role
Assigning a Pass Generator Role to a User Account
This procedure details the procedure for assigning a guest pass generator role to
a user account.
1Go to Configure > Users.
2At the bottom of the Internal User Database, click Create New.
3When the Create New form appears, fill in the text fields with the appropriate
entries.
4Open the Role menu and choose the assigned role for this user.
NOTE: You can edit an existing user account and reassign the guest pass generator
role, if you prefer.
5Click OK to save your settings. Be sure to communicate the role, user name and
password to the appropriate end user.
Working with Guest Passes
Generating and Delivering a Single Guest Pass
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 361
Generating and Delivering a Single Guest Pass
You can provide the following instructions to users with guest pass generation
privileges. A single guest pass can be used for one-time login, time-limited multiple
logins for a single guest user, or can be configured so that a single guest pass can
be shared by multiple users.
NOTE: The following procedure will guide you through generating and delivering a
guest pass. For instructions on how to generate multiple guest passes, see
Generating and Printing Multiple Guest Passes at Once.
NOTE: If printing the guest pass, make sure that your computer is connected to a
local or network printer before starting.
To generate a single guest pass:
1On your computer, start your web browser.
2In the address or location bar, type the URL of the ZoneDirector Guest Pass
Generation page:
https://{zonedirector-hostname-or-ipaddress}/guestpass
3In User Name, type your user name.
4In Password, type your password.
5Click Log In. The Guest Information page appears. On this page, you need to
provide information about the guest user to enable ZoneDirector to generate the
guest pass.
Working with Guest Passes
Generating and Delivering a Single Guest Pass
362 Ruckus Wireless, Inc.
Figure 209. Creating a Guest Pass
6On the Guest Information page, fill in the following options:
Creation Type: Choose Single to generate a single guest pass. To generate
multiple guest passes in batch, see Generating and Printing Multiple Guest
Passes at Once.
Full Name: Type the name of the guest user for whom you are generating
the guest pass.
Valid for: Specify the time period when the guest pass will be valid. Do this
by typing a number in the blank box, and then selecting a time unit (Hours,
Days or Weeks).
WLAN: Select the WLAN for this guest (typically, a “guest” WLAN).
Email (optional): Enter the email address for this user.
Phone Number (optional): Enter a phone number for this user.
Key: Leave as is if you want to use the random key that ZoneDirector
generated. If you want to use a key that is easy to remember, delete the
random key, and then type a custom key. For example, if ZoneDirector
Working with Guest Passes
Generating and Delivering a Single Guest Pass
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 363
generated the random key OVEGS-RZKKF, you can change it to joe-
guest-key. Customized keys must be between one and 16 ASCII charac-
ters.
NOTE: Each guest pass key must be unique and is distributed on all guest WLANs.
Therefore, you cannot create the same guest pass for use on multiple WLANs.
Remarks (optional): Type any notes or comments. For example, if the guest
user is a visitor from a partner organization, you can type the name of the
organization.
Sharable: Use this option to allow multiple users to share a single guest pass.
Session: Enable this check box and select a time increment after which
guests will be required to log in again. If this feature is disabled, connected
users will not be required to re-log in until the guest pass expires.
7Click Next. The Wireless Access Portal page appears.
8Choose whether to activate this guest pass for either yourself or a guest, and
click Next.
9The Request a Guest Pass page appears.
10 Enter the guest User Name and Password, and click Log In.
11 The Guest Pass Generated page appears. This page presents the guest pass
code and a list of options for delivering this code to your guest(s). Options include
email (if you configured an email address for the guest), SMS (if you configured
a phone number for the guest) and Print Instructions.
12 If you want to print out the guest access instructions, select the guest pass
instructions that you want to print out from the drop-down menu. If you did not
create custom guest pass printouts, select Default.
13 Click Print Instructions. A new browser page appears and displays the guest
pass instructions. At the same time, the Print dialog box appears.
14 Select the printer that you want to use, and then click OK to print the guest pass
instructions.
You have completed generating and delivering a guest pass for your guest user.
Working with Guest Passes
Generating and Delivering a Single Guest Pass
364 Ruckus Wireless, Inc.
Figure 210. The Guest Pass Generated page
Figure 211. Sample guest pass printout
Working with Guest Passes
Generating and Printing Multiple Guest Passes at Once
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 365
Generating and Printing Multiple Guest Passes at Once
You can provide the following instructions to users with guest pass generation
privileges.
NOTE: The following procedure will guide you through generating and printing
multiple guest passes. For instructions on how to generate a single guest pass, see
Generating and Delivering a Single Guest Pass.
NOTE: Before starting, make sure that your computer is connected to a local or
network printer.
To generate and print multiple guest passes at the same time:
1On your computer, start your web browser.
2In the address or location bar, type the URL of the ZoneDirector Guest Pass
Generation page:
https://{zonedirector-hostname-or-ipaddress}/guestpass
3In User Name, type your user name.
4In Password, type your password.
5Click Log In. The Guest Information page appears. On this page, you need to
provide information about the guest users to enable ZoneDirector to generate
the guest passes.
6On the Guest Information page, fill in the following options:
Creation Type: Click Multiple.
Valid for: Specify the time period during which the guest passes will be valid.
Do this by typing a number in the blank box, and then selecting a time unit
(Days, Hours, or Weeks).
WLAN: Select one of the existing WLANs with which the guest users will be
allowed to associate.
Number: Select the number of guest passes that you want to generate.
ZoneDirector will automatically populate the names of each user (Batch-
Guest-1, Batch-Guest-2, and so on) to generate the guest passes.
NOTE: Each guest pass key must be unique and is distributed on all guest WLANs.
Therefore, you cannot create the same guest pass for use on multiple WLANs.
Working with Guest Passes
Generating and Printing Multiple Guest Passes at Once
366 Ruckus Wireless, Inc.
Profile (*.csv): If you have created a Guest Pass Profile (see Creating a Guest
Pass Profile), use this option to import the file.
Sharable: Configure this option if you want to allow multiple users to share
a single guest pass (default: 1; not shared).
Session: Enable this check box and select a time increment after which
guests will be required to log in again. If this feature is disabled, connected
users will not be required to re-log in until the guest pass expires.
Figure 212. Generating multiple guest passes at once
NOTE: If you want to be able to identify the guest pass users by their names (for
monitoring or auditing purposes in a hotel setting, for example), click Choose File,
and upload a guest pass profile instead. See “Creating a Guest Pass Profile” below
for more information.
7Click Next. The Guest Pass Generated page appears, displaying the guest pass
user names and expiration dates.
8In Select a template for Guest Pass instructions, select the guest pass
instructions that you want to print out. If you did not create custom guest pass
printouts, select Default.
9Print the instructions for a single guest pass or print all of them.
To print instructions for all guest passes, click Print All Instructions.
Working with Guest Passes
Monitoring Generated Guest Passes
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 367
To print instructions for a single guest pass, click the Print link that is in the
same row as the guest pass for which you want to print instructions.
A new browser page appears and displays the guest pass instructions. At the
same time, the Print dialog box appears.
10 Select the printer that you want to use, and then click OK to print the guest pass
instructions.
You have completed generating and printing guest passes for your guest users. If
you want to save a record of the batch guest passes that you have generated, click
the here link in “Click here to download the generated Guest Passes record,” and
then download and save the CSV file to your computer.
Creating a Guest Pass Profile
1Log in to the guest pass generation page. Refer to steps 2 to 5 in “Generating
and Printing Multiple Guest Passes at Once above for instructions.
2In Creation Type, click Multiple.
3Click the click here link in To download a profile sample, click here.
4Save the sample guest pass profile (in CSV format) to your computer.
5Using a spreadsheet application, open the CSV file and edit the guest pass profile
by filling out the following columns:
#Guest Name: Type the name of the guest user (one name per row).
Remarks: (Optional) Type any note or remarks about the guest pass.
Key: Type a guest pass key consisting of 1-16 alphanumeric characters. If
you want ZoneDirector to generate the guest pass key automatically, leave
this column blank.
6Go back to the Guest Information page, and then complete steps 6 to 10 in
“Generating and Printing Multiple Guest Passes at Once” above to upload the
guest pass profile and generate multiple guest passes.
Monitoring Generated Guest Passes
Once you have generated a pass for a guest, you can monitor and, if necessary,
remove it.
1Go to Monitor > Generated Guest Passes.
2View generated guest passes.
3To remove a guest pass, select the check box for the guest pass, and click the
Delete button. Click Delete All to delete all generated guest passes at once.
Working with Guest Passes
Customizing the Guest Login Page
368 Ruckus Wireless, Inc.
Figure 213. Viewing generated Guest Passes
Customizing the Guest Login Page
You can customize the guest user login page, to display your corporate logo and
to note helpful instructions, along with a “Welcome” title.
If you want to include a logo, you will need to prepare a web-ready graphic file, in
one of three acceptable formats (.JPG, .GIF or .PNG). Make sure that the logo file
does not exceed the following:
Length: Two inches on any side
File size: 20kB
To customize the guest login page
1Go to Configure > Guest Access. Edit or create a new Guest Access Policy.
2Scroll down to the Web Portal Logo section.
3If your logo is ready for use, click Browse to open a dialog box that you can use
to import the logo file. (ZoneDirector will notify you if the file is too large.)
4Scroll down to the Guest Access Customization section.
5(Optional) Delete the text in the Title field and type a short descriptive title or
“welcome” message.
6Click OK to save your settings.
Working with Guest Passes
Creating a Custom Guest Pass Printout
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 369
Figure 214. The Guest Access Customization options
Creating a Custom Guest Pass Printout
The guest pass printout is a printable HTML page that contains instructions for the
guest pass user on how to connect to the wireless network successfully. The
authenticated user who is generating the guest pass will need to print out this HTML
page and provide it to the guest pass user. A guest pass in English is included by
default.
As administrator, you can create custom guest pass printouts. For example, if your
organization receives visitors who speak different languages, you can create guest
pass printouts in other languages.
To create a custom guest pass printout:
1Go to Configure > Guest Access.
2Scroll down to the Guest Pass Printout Customization section.
3Click the click here link under the Guest Pass Printout Customization section
title to download the sample guest pass printout (in HTML format). Save the
HTML file to your computer.
4Using a text or HTML editor, customize the guest pass printout. Note that only
ASCII characters can be used. You can do any or all of the following:
Reword the instructions
Translate the instructions to another language
Working with Guest Passes
Creating a Custom Guest Pass Printout
370 Ruckus Wireless, Inc.
Customize the HTML formatting
The guest pass printout contains several tokens or variables that are substituted
with actual data when the guest pass is generated. When you customize the
guest pass printout, make sure that these tokens are not deleted. For more
information on these tokens, see Guest Pass Printout Tokens.
5Go back to the Guest Pass Printout Customization section, and then click Create
New. The Create New form appears.
6In Name, type a name for the guest pass printout that you are creating. For
example, if this guest pass printout is in Spanish, you can type Spanish.
7In Description (optional), add a brief description of the guest pass printout.
8Click Browse, select the HTML file that you customized earlier, and then click
Open. ZoneDirector copies the HTML file to its database.
9Click Import to save the HTML file to the ZoneDirector database.
You have completed creating a custom guest pass printout. When users generate
a guest pass, the custom printout that you created will appear as one of the options
that they can print (see Figure 210).
Guest Pass Printout Tokens
Tab l e 32 lists the tokens that are used in the guest pass printout. Make sure that
they are not accidentally deleted when you customize the guest pass printout.
Table 32. Tokens that you can use in the guest pass printout
Token Description
{GP_GUEST_NAME} Guest pass user name.
{GP_GUEST_KEY} Guest pass key.
{GP_IF_EFFECTIVE_FROM_CREATION_
TIME}
If you set the validity period of guest
passes to Effective from the
creation time (in the Guest Pass
Generation section), this token shows
when the guest pass was created and
when it will expire.
Working with Guest Passes
Delivering Guest Passes via Email
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 371
Delivering Guest Passes via Email
NOTE: Email delivery requires that the SMTP settings on the Configure > System
page are first configured to allow ZoneDirector to use the configured email server
to deliver guest passes.
To customize the content of the email message used to deliver the guest pass code,
use the following procedure:
1On the Configure > Guest Access page, locate the Customize the Email
Content section.
2Customize the message in the text box and click Apply to save your changes.
{GP_ELSEIF_EFFECTIVE_FROM_FIRST
_USE}
If you set the validity period of guest
passes to Effective from first use (in
the Guest Pass Generation section),
this token shows the number of days
during which the guest pass will be
valid after activation. It also shows the
date and time when the guest pass will
expire if not activated.
{GP_ENDIF_EFFECTIVE} This token is used in conjunction with
either the
{GP_ELSEIF_EFFECTIVE_FROM
_FIRST_USE} or
{GP_ENDIF_EFFECTIVE} token.
{GP_VALID_DAYS} Number of days for which the guest
pass is valid.
{GP_VALID_TIME} Date and time when the guest pass
expires.
{GP_GUEST_WLAN} Name of WLAN that the guest user can
access.
Token Description
Working with Guest Passes
Delivering Guest Passes via SMS
372 Ruckus Wireless, Inc.
Figure 215. Customize the email content
Delivering Guest Passes via SMS
NOTE: SMS delivery requires that the SMS settings on the Configure > System
page are first configured to allow ZoneDirector to use the configured Twilio or
Clickatell account to deliver guest passes.
To customize the content of the SMS message used to deliver the guest pass code,
use the following procedure:
1On the Configure > Guest Access page, locate the Customize the SMS
Content section.
2Customize the message in the text box and click Apply to save your changes.
Working with Guest Passes
Delivering Guest Passes via SMS
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 373
Figure 216. Customize the SMS content
NOTE: For more information on Captive Portal redirection for Hotspot, Web Auth
and Guest Access WLANs, see “Captive Portal Redirect on Initial Browser HTTPS
Request”.
Working with Guest Passes
Delivering Guest Passes via SMS
374 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 375
9
Deploying a Smart Mesh Network
In this chapter:
Overview of Smart Mesh Networking
Smart Mesh Networking Terms
Supported Mesh Topologies
Deploying a Wireless Mesh via ZoneDirector
Understanding Mesh-related AP Statuses
Using the ZoneFlex LEDs to Determine the Mesh Status
Using Action Icons to Configure and Troubleshoot APs in a Mesh
Setting Mesh Uplinks Manually
Troubleshooting Isolated Mesh APs
Best Practices and Recommendations
Overview of Smart Mesh Networking
376 Ruckus Wireless, Inc.
Overview of Smart Mesh Networking
A Smart Mesh network is a peer-to-peer, multi-hop wireless network wherein
participant nodes cooperate to route packets. In a Ruckus wireless mesh network,
the routing nodes (that is, the Ruckus Wireless APs forming the network), or “mesh
nodes,” form the network's backbone. Clients (for example, laptops and other
mobile devices) connect to the mesh nodes and use the backbone to communicate
with one another, and, if permitted, with nodes on the Internet. The mesh network
enables clients to reach other systems by creating a path that 'hops' between
nodes.
Smart Mesh networking offers many advantages:
Smart Mesh networks are self-healing: If any one of the nodes fails, the nodes
note the blockage and re-route data.
Smart Mesh networks are self-organizing: When a new node appears, it
becomes assimilated into the mesh network.
In the Ruckus Wireless Smart Mesh network, all traffic going through the mesh links
is encrypted. A passphrase is shared between mesh nodes to securely pass traffic.
When deployed as a mesh network, Ruckus Wireless APs communicate with
ZoneDirector through a wired LAN connection or through wireless LAN connection
with other Ruckus Wireless access points.
NOTE: For best practices and recommendations on planning and deploying a
Ruckus Wireless Smart Mesh network, refer to Choosing the Right AP Model for
Your Mesh Network.
Smart Mesh Networking Terms
Before you begin deploying your Smart Mesh network, Ruckus Wireless recom-
mends getting familiar with the following terms that are used in this document to
describe wireless mesh networks.
Table 33. Mesh networking terms
Te r m D e f i n it i o n
Mesh Node A Ruckus Wireless ZoneFlex AP with mesh capability enabled.
Root AP (RAP) A mesh node that communicates with ZoneDirector through its
Ethernet (that is, wired) interface.
Supported Mesh Topologies
Standard Topology
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 377
Supported Mesh Topologies
Smart Mesh networks can be deployed in three types of topologies:
Standard Topology
Wireless Bridge Topology
Hybrid Mesh Topology
Standard Topology
The standard Smart Mesh topology consists of ZoneDirector and a number of Root
APs and Mesh APs. In this topology, ZoneDirector and the upstream router are
connected to the same wired LAN segment. You can extend the reach of your
wireless network by forming and connecting multiple mesh trees (see Figure 217)
to the wired LAN segment. In this topology, all APs connected to the wired LAN are
considered “Root APs,” and any AP not connected to the wired LAN is considered
a “Mesh AP.”
Mesh AP (MAP) A mesh node that communicates with ZoneDirector through its
wireless interface.
Ethernet-Linked
Mesh AP (eMAP)
An eMAP is a mesh node that is connected to its uplink AP through
a wired Ethernet cable, rather than wirelessly. eMAP nodes are used
to bridge wireless LAN segments together.
Mesh Tree Each Mesh AP can have exactly one uplink to a Root AP or another
Mesh AP, and each Root AP or Mesh AP can have multiple Mesh
APs connected to it, resulting in a tree-like topology.
A single ZoneDirector can manage more than one mesh tree. There
is no limit on the number of mesh trees per ZoneDirector. For
example, a ZoneDirector 1106 can manage 1mesh tree of 6 APs, 2
mesh trees of 3 APs each, or 3 mesh trees of 2 APs each.
Hop The number of wireless mesh links a data packet takes from one
Mesh AP to the Root AP. For example, if the Root AP is the uplink of
Mesh AP 1, then Mesh AP 1 is one hop away from the Root AP. In
the same scenario, if Mesh AP 1 is the uplink of Mesh AP 2, then
Mesh AP 2 is two hops away from the Root AP. A maximum of 8
hops is supported.
Te r m D e f i n it i o n
Supported Mesh Topologies
Wireless Bridge Topology
378 Ruckus Wireless, Inc.
Figure 217. Mesh - standard topology
Wireless Bridge Topology
If you need to bridge isolated wired LAN segments, you can set up a mesh network
using the wireless bridge topology. In this topology, ZoneDirector and the upstream
router are on the primary wired LAN segment, and another isolated wired segment
exists that needs to be bridged to the primary LAN segment. You can bridge these
two wired LAN segments by forming a wireless mesh link between the two wired
segments, as shown in Figure 218 below.
Supported Mesh Topologies
Hybrid Mesh Topology
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 379
Figure 218. Mesh - wireless bridge topology
Hybrid Mesh Topology
A third type of network topology can be configured using the Hybrid Mesh concept.
Ethernet-connected Mesh APs (eMAP) enable the extension of wireless mesh
functionality to a wired LAN segment. An eMAP is a special kind of Mesh AP that
uses a wired Ethernet link as its uplink rather than wireless. An eMAP is not
considered a Root AP, despite the fact that it discovers ZoneDirector through its
Ethernet port.
Multiple eMAPs can be connected to a single Mesh AP to, for example, bridge a
wired LAN segment inside a building to a wireless mesh outdoors.
In designing a mesh network, connecting an eMAP to a Mesh AP extends the Smart
Mesh network without expending a wireless hop, and can be set on a different
channel to take advantage of spectrum reuse.
Deploying a Wireless Mesh via ZoneDirector
Hybrid Mesh Topology
380 Ruckus Wireless, Inc.
Figure 219. eMAP - Hybrid Mesh topology
Use the Monitor > Mesh page to see a tree diagram of your Smart Mesh network.
You can also view the role of any AP in your mesh network from the Monitor >
Access Points page or from the Mesh Topology widget on the Dashboard.
Deploying a Wireless Mesh via ZoneDirector
Deploying a wireless mesh via ZoneDirector involves the following steps:
Step 1: Prepare for Wireless Mesh Deployment
Step 2: Enable Mesh Capability on ZoneDirector
Step 3: Provision and Deploy Mesh Nodes
Step 4: Verify That the Wireless Mesh Network Is Up
Icon Meaning
Root AP (RAP)
Mesh AP (MAP)
eMesh AP (eMAP)
Deploying a Wireless Mesh via ZoneDirector
Step 1: Prepare for Wireless Mesh Deployment
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 381
Step 1: Prepare for Wireless Mesh Deployment
Before starting with your wireless mesh deployment, Ruckus Wireless recommends
performing a number of tasks that can help ensure a smooth deployment.
Ensure that the APs that will form the mesh are of the same radio type.
Single band APs can only mesh with other single band APs.
Dual band APs can only mesh with other dual band 11n/11ac APs.
Plan Your Wireless Mesh Network - Survey your deployment site, decide on the
number of APs that you will deploy (including the number of Root APs and Mesh
APs), and then create a simple sketch of where you will deploy each Root AP
and Mesh AP. Remember that Root APs need to be connected to ZoneDirector
via their Ethernet ports. Make sure that the Root AP locations can be wired easily,
if cabling is not yet available.
Make Sure That Your Access Points Support Mesh Networking - Verify that the
access points that you are planning to include in your wireless mesh network all
provide mesh capability.
Enable Auto Approval - If you do not want to have to manually approve the join
requests from each mesh AP when they start forming the wireless mesh, you
can enable Auto Approval. For instructions on how to enable Auto Approval, see
Adding New Access Points to the Network.
Step 2: Enable Mesh Capability on ZoneDirector
If you did not enable mesh capability on ZoneDirector when you completed the
Setup Wizard, you can enable it on the Configure > Mesh screen.
Deploying a Wireless Mesh via ZoneDirector
Step 2: Enable Mesh Capability on ZoneDirector
382 Ruckus Wireless, Inc.
Figure 220. Enable Mesh in Configure > Mesh
To enable mesh capability:
1Log into the ZoneDirector web interface.
2Click the Configure tab.
3On the menu, click Mesh.
4Under Mesh Settings, select the Enable Mesh check box.
NOTE: You cannot disable Smart Mesh once you enable it. This is by design, to
prevent isolating nodes. If you want to disable Smart Mesh once it has been enabled,
you will have to factory reset ZoneDirector, or disable mesh for each AP, as described
in Managing Access Points Individually.
5In Mesh Name (ESSID), type a name for the mesh network. Alternatively, do
nothing to accept the default mesh name that ZoneDirector has generated.
6In Mesh Passphrase, type a passphrase that contains at least 12 characters.
This passphrase will be used by ZoneDirector to secure the traffic between Mesh
APs. Alternatively, click Generate to generate a random passphrase with 32
characters or more.
7In the Mesh Settings section, click Apply to save your settings and enable Smart
Mesh.
Deploying a Wireless Mesh via ZoneDirector
Step 3: Provision and Deploy Mesh Nodes
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 383
You have completed enabling mesh capability on ZoneDirector. You can now start
provisioning and deploying the APs that you want to be part of your wireless mesh
network.
Optional Mesh Configuration Features
The following settings are disabled by default and are not necessary for standard
mesh configuration. These settings can be used to fine-tune your mesh network to
prevent issues such as excessive broadcast ARP (Address Resolution Protocol)
requests, traffic looping and excessive number of mesh hops.
ARP Broadcast Filter: The ARP Broadcast filter is designed to reduce IPv4
Address Resolution Protocol (ARP) and IPv6 Neighbor Discovery Protocol (NDP)
broadcasts over the air. Once enabled, access points will sniff ARP/NDP
responses and maintain a table of IP addresses to MAC address entries. When
the AP receives an ARP/NDP broadcast request from a known host, the AP
converts the broadcast request packet into a unicast request by replacing the
broadcast address with the MAC address. If the AP receives a request from an
unknown host, it forwards the request at the rate limit specified in the Packet
Inspection Filter.
Mesh Topology Detection: Set the number of mesh hops and mesh downlinks
after which ZoneDirector should trigger warning messages.
Step 3: Provision and Deploy Mesh Nodes
In this step, you will connect each AP to the same wired network as ZoneDirector
to provision it with mesh-related settings. After you complete provisioning an AP,
you must reboot it for the mesh-related settings to take effect.
To provision and deploy a mesh node:
1Using one of the AP's Ethernet ports, connect it to the same wired network to
which ZoneDirector is connected, and then power it on. The AP detects
ZoneDirector and sends a join request.
2If Auto Approval is enabled, continue to Step 3. If Auto Approval is disabled, log
into ZoneDirector, check the list of currently active access points for the AP that
you are attempting to provision, and then click the corresponding Allow link to
approve the join request. For detailed procedures on approving join requests,
see Verifying/Approving New APs.
3After the AP has been provisioned, disconnect it from the wired network, unplug
the power cable, and then move the device to its deployment location.
Deploying a Wireless Mesh via ZoneDirector
Step 4: Verify That the Wireless Mesh Network Is Up
384 Ruckus Wireless, Inc.
If you want the AP to be a Root AP, reconnect it to the wired network using
one of its Ethernet ports, and then power it on. When the AP detects
ZoneDirector again through its Ethernet port, it will set itself as a Root AP,
and then it will start accepting mesh association requests from Mesh APs.
If you want the AP to be a Mesh AP, power it on but do not reconnect it to
the wired network. When it does not detect ZoneDirector through its Ethernet
port within 90 seconds, it will search for other Root APs or Mesh APs and,
once mesh neighbor relationships are established, form a mesh tree.
NOTE: After an AP in its factory default state has been provisioned, you need to
reboot it to enable mesh capability.
NOTE: If you are located in the United States and have a DFS-capable AP that is
expected to serve as a Root AP (or eMAP), with a non-DFS-capable Mesh AP as
its downlink, you will need to set the channel for the Root AP to one of the non-DFS
channels. Specifically, choose one of the following channels: 36, 40, 44, 48, 149,
153, 157, 161, 165. This is due to the DFS-capable AP’s ability to use more channels
than the non-DFS-capable AP, which could result in the RAP choosing a channel
that is not available to the MAP. Alternatively, go to Configure > System > Country
Code, and set the Channel Optimization setting to “Optimize for Compatibility.”
Repeat Steps 1 to 3 for each AP that you want to be part of your wireless mesh
network. After you complete provisioning and deploying all mesh nodes, verify that
the wireless mesh has been set up successfully.
Step 4: Verify That the Wireless Mesh Network Is Up
After you complete deploying all mesh nodes to their locations on the network, you
can check the Map View on the ZoneDirector web interface to verify that mesh
associations have been established and mesh trees formed.
1On the ZoneDirector web interface, click the Monitor tab, and then click Map
View on the menu. The Map View appears and shows the mesh nodes that are
currently active. (See Importing a Map View Floorplan Image for instructions on
importing a map.)
2Check if all the mesh nodes that you have provisioned and deployed appear on
the Map View.
Deploying a Wireless Mesh via ZoneDirector
Step 4: Verify That the Wireless Mesh Network Is Up
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 385
3Verify that a mesh network has been formed by checking if dotted lines appear
between the mesh nodes. These dotted lines identify the neighbor relationships
that have been established in the current mesh network.
NOTE: If your mesh spans multiple ZoneDirectors, it is possible for a node to be
associated to a different ZoneDirector than its parent or children.
Figure 221. Dotted lines indicate that these APs are part of the wireless mesh network
The symbols next to the AP icons indicate whether the AP is a Root AP, Mesh AP
or eMAP. Refer to the following table:
An AP with the upward pointing arrow is a Root AP.
An AP with a number in a circle is a Mesh AP. The number indicates
the number of hops from the mesh AP to the Root AP.
An AP with a dimmed blue square indicates that it is a Root AP without
any active downlinks.
An AP with a red square is an Ethernet-Linked Mesh AP (eMAP).
Understanding Mesh-related AP Statuses
Step 4: Verify That the Wireless Mesh Network Is Up
386 Ruckus Wireless, Inc.
Understanding Mesh-related AP Statuses
In addition to using the Map View to monitor the status of the mesh network, you
can also check the Access Points page on the Monitor tab for mesh-related AP
statuses. The table below lists all possible AP statuses that are related to mesh
networking, including any actions that you may need to perform to resolve mesh-
related issues.
An AP with an X icon is disconnected.
Status Description Recommended Action
Connected AP is connected to
ZoneDirector, but mesh is
disabled
If mesh is enabled on the AP,
you may need to reboot it to
activate the mesh.
Connected (Root AP) AP is connected to
ZoneDirector via its Ethernet
port
Connected (Mesh AP, n
hops)
AP is connected to
ZoneDirector via its wireless
interface and is n hops away
from the Root AP.
Connected (eMesh AP, n
hops)
AP is connected to
ZoneDirector via its Ethernet
port, but acts as a Mesh AP
using another Mesh AP as its
uplink.
Isolated Mesh AP AP is disconnected from the
ZoneDirector mesh
The AP may be configured
incorrectly. Verify that the
mesh SSID and
passphrase configured on
the AP are correct.
If Uplink Selection is set to
Manual, the uplink AP
specified for this AP may
be off or unavailable.
Using the ZoneFlex LEDs to Determine the Mesh Status
On Single-band ZoneFlex APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 387
Using the ZoneFlex LEDs to Determine the
Mesh Status
In addition to checking the mesh status of ZoneFlex APs from the ZoneDirector web
interface, you can also check the LEDs on the APs. The LED behaviors that indicate
the AP's mesh status vary depending whether the AP is a single-band or a dual-
band model.
On Single-band ZoneFlex APs
On single-band ZoneFlex APs (for example, ZoneFlex 7321, 7341, 7343, 7352), the
two LEDs that indicate the mesh status are:
WLAN (Wireless Device Association) LED - Indicates downlink status and client
association status
AIR (Signal/Air Quality) LED - Indicates uplink status and the quality of the wireless
signal to the uplink AP
WLAN LED
When Smart Mesh is enabled, the behavior of the WLAN LED indicates downlink
status. Refer to the table below for a complete list of possible LED colors and
behaviors for Root APs and Mesh APs, and the mesh status that they indicate.
LED Color/Behavior Root AP / Mesh AP / eMAP
Solid green No mesh downlink, and;
At least one client is associated with the AP
Solid amber (not available
on some models)
No mesh downlink, and;
No client is associated with the AP
Fast blinking green At least one mesh downlink exists, and;
At least one client is associated with the AP
Slow blinking green At least one mesh downlink exists, and;
No client is associated with the AP
Using the ZoneFlex LEDs to Determine the Mesh Status
On Dual-band ZoneFlex APs
388 Ruckus Wireless, Inc.
Signal/Air Quality LED
On Dual-band ZoneFlex APs
NOTE: On dual-band ZoneFlex APs, mesh networking is enabled only on the 5 GHz
radio.
Refer to the following sections for information on how to check these dual-band
APs for their mesh status.
Outdoor ZoneFlex APs
On outdoor ZoneFlex 7762 and 7782 series APs, the STATUS LED indicates the
AP's mesh status. See the table below for more information.
LED Color/Behavior Root AP / eMAP Mesh AP
Solid green N/A Connected to a Root AP or
another Mesh AP
Signal quality is good
Fast blinking green N/A Connected to a Root AP or
another Mesh AP
Signal quality is fair or poor
Slow blinking green N/A The AP is searching for an uplink
Off This is a Root AP or eMAP N/A
LED Color/Behavior Description
Solid green This is a Root AP or eMAP, or;
This is a Mesh AP and is connected to a Root AP with
good signal
Fast blinking green This is a Mesh AP, and;
The Root AP signal is fair
Slow blinking green This is a Mesh AP that is currently searching for a Root
AP, or;
This AP is currently searching for ZoneDirector
Using Action Icons to Configure and Troubleshoot APs in a Mesh
On Dual-band ZoneFlex APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 389
Indoor Dual Band APs
On dual band ZoneFlex indoor APs, the 5G LED indicates the AP's mesh status.
See the table below for more information.
Using Action Icons to Configure and
Troubleshoot APs in a Mesh
The following action icons are used to perform configuration and troubleshooting
tasks on the respective AP. The icons are displayed next to APs in the Currently
Managed APs table on the Dashboard. Some of the same action icons are also
available on other pages including Monitor > Access Points and Monitor > Mesh.
Table 34. Action icons
LED Color/Behavior Root AP / eMAP Mesh AP
Fast blinking green No Mesh AP is connected Disconnected from the Root
AP
Solid green At least one Mesh AP is
connected
Signal quality is good
Connected to a Root AP
Signal quality is good
Solid amber At least one Mesh AP is
connected
Signal quality is fair
Connected to a Root AP
Signal quality is fair
Icon Icon Name Action
System Info Generate a log file (support.txt) containing system
information on this AP.
Configure Go to the Configure > Access Points page and
edit the configuration settings for this AP.
Mesh View Open a “Mesh View” screen with this AP
highlighted in a Mesh tree that also shows the
uplink and downlink APs connected to this AP.
SpeedFlex Launch the SpeedFlex performance test tool to
measure uplink/downlink speeds to/from this AP.
Troubleshoot Troubleshoot connectivity issues using Ping and
Traceroute.
Restart Initiate a reboot of this AP.
Setting Mesh Uplinks Manually
On Dual-band ZoneFlex APs
390 Ruckus Wireless, Inc.
Setting Mesh Uplinks Manually
In a wireless mesh network, the default behavior of Mesh APs is to connect
automatically to a mesh node (either Mesh AP or Root AP) that provides the highest
throughput. This automatic connection is called Smart Uplink Selection.
If you want to shape your mesh network or force a certain topology, you will need
to disable Smart Uplink Selection and manually set the mesh nodes to which an AP
can connect. Note that in most situations, Ruckus Wireless recommends against
manually changing the roles of APs in a mesh, because it can result in isolated Mesh
APs.
Recover Recover an isolated Mesh AP.
Allow Allow this AP to be managed by ZoneDirector.
This icon will only appear if you have disabled
automatic approval under “Access Point Policies”
on the Configure > Access Points page.
RF Info Generates a log file called info.txt, containing
radio frequency data that can be used for
troubleshooting the RF environment.
Icon Icon Name Action
Setting Mesh Uplinks Manually
On Dual-band ZoneFlex APs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 391
Figure 222. Setting Uplink Selection to Manual
CAUTION! Do not manually set a Mesh AP as a Root AP. Only APs that are
connected to ZoneDirector via Ethernet (and on the same LAN segment) should be
configured as Root APs. Mis-configuring a Mesh AP or an eMAP as a Root AP can
cause the AP to become isolated, or, in the case of eMAP, can result in a network
loop.
To set the mesh uplink for an AP manually:
1On the ZoneDirector web interface, click the Configure tab.
2On the menu, click Access Points.
3In the Access Points table, find the AP you want to restrict, and click Edit under
the Actions column. The editing form appears below your selection.
4Under Advanced Options > Uplink Selection, select the Manual radio button.
The other APs in the mesh appear below the selection.
5Select the check box for each AP that the current AP can use as uplink.
NOTE: If you set Uplink Selection for an AP to Manual and the uplink AP that you
selected is off or unavailable, the AP status on the Monitor > Access Points page
will appear as Isolated Mesh AP.
6Click OK to save your settings.
Troubleshooting Isolated Mesh APs
Understanding Isolated Mesh AP Statuses
392 Ruckus Wireless, Inc.
Troubleshooting Isolated Mesh APs
Isolated Mesh APs are those that were once managed by ZoneDirector but are now
unreachable. They are up and running and constantly searching for mesh uplinks,
but are unable to connect to any root AP. You can check if you have any isolated
mesh APs on the network by checking the Monitor > Access Points page.
NOTE: A mesh network is dynamic in nature. Before attempting to resolve any
mesh-related issue, please wait 15 minutes to allow the mesh network to stabilize.
Some mesh-related issues are automatically resolved once the mesh network
stabilizes.
Understanding Isolated Mesh AP Statuses
There are five possible reasons for a mesh AP to become isolated. The table below
lists all possible Isolated Mesh AP statuses that may appear on the Monitor > Access
Points page, and provides possible reasons for the isolation and the recommended
steps for resolving the issue.
Status Possible Reason
No APs in manual uplink selection You have set uplink selection to Manual, but none
of the uplink APs you specified is available or
reachable.
To resolve this, go to the Configure > Access
Points page on the ZoneDirector web interface,
and then click SmartSelection.
No APs within hop-limit The AP cannot find other APs within the internally
defined limit to the number of hops. The hop limit
mechanism helps ensure that mesh APs maintain
reasonable network performance.
To resolve this, add additional Root APs near this
isolated Mesh AP.
Searching for uplinks The AP is still searching for uplinks. This is usually
a temporary state and is typically resolved
automatically within 15 minutes as the mesh
network stabilizes. If there is a significant number
of APs on the network, it might take longer for the
AP to resolve this.
Troubleshooting Isolated Mesh APs
Recovering an Isolated Mesh AP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 393
Recovering an Isolated Mesh AP
When a Mesh AP becomes isolated, it begins broadcasting a recovery SSID (named
island-<last 6 digits of AP’s MAC address>”), which you can use to connect directly
to the AP and make configuration changes. Note that this SSID is not bridged to
the local network for security reasons.
To perform these procedures, you will need:
A notebook computer with wireless capability.
The current ZoneDirector mesh configuration (steps for obtaining this information
are provided below).
An SSH client, such as PuTTY or OpenSSH.
A text editor such as Notepad.
Step 1: Obtain the Mesh SSID and Passphrase
1On the ZoneDirector web interface, click the Configure tab, and then click Mesh
on the menu.
Config error The AP attempted to establish the mesh uplink
but was unsuccessful. If you recently updated the
mesh SSID and passphrase, it is likely that your
changes have not propagated correctly to this AP
(for example, the AP was offline when you
updated the mesh SSID and passphrase).
To resolve this, follow the instructions in
Recovering an Isolated Mesh AP.
No APs with matching radio type The AP is unable to find an uplink AP with the
same radio type. Ruckus Wireless Smart Mesh
APs must use the same radio type to be able
connect to each other via the mesh network. For
example, an 802.11n Mesh AP will only connect
to another 802.11n AP, and an 802.11b/g Mesh
AP will only connect to another 802.11b/g AP.
To resolve this, place additional wired APs or
Mesh APs that use the same radio type near this
AP.
Status Possible Reason
Troubleshooting Isolated Mesh APs
Recovering an Isolated Mesh AP
394 Ruckus Wireless, Inc.
2Under Mesh Settings, copy the contents of the Mesh Name and Mesh
Passphrase fields into a text editor.
Figure 223. The Mesh Name and Mesh Passphrase you will use to configure the AP
Step 2: Ensure that the AP’s Mesh Mode is set to Auto
1Go to Configure > Access Points and click the Edit link next to the AP you
want to recover.
2Under Advanced Options > Mesh Mode, select Auto and click OK.
Step 3: Locate the AP’s Mesh Recovery SSID
1In your notebook’s wireless connection list, locate the Mesh recovery SSID. The
SSID will be named “island-xxxxxx” (where xxxxxx is the last 6 digits of the
AP’s MAC address).
2Connect to this WLAN using WPA and the passphrase ruckus-<admin
password>. (The admin password is the same as that used to log into
ZoneDirector.)
3You can now access the AP’s web interface by entering the AP’s recovery IP
address 169.254.1.1 in the browser.
Note that because the AP is still in ZoneDirector-managed state, you cannot make
configuration changes via the web interface. Therefore you will need to proceed to
the next step and connect to the AP’s CLI to make changes.
Step 4: Connect to the AP and update its Mesh settings
1Launch your SSH client and enter the IP address 169.254.1.1.
Best Practices and Recommendations
Recovering an Isolated Mesh AP
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 395
2Log into the AP via SSH using the same user name and password that you use
to log into the ZoneDirector web interface.
3Enter the command set meshcfg ssid <current_ssid>, where
current_ssid is the SSID that the mesh network is currently using.
4Enter the command set meshcfg passphrase
<current_passphrase>, where current_passphrase is the passphrase that
the mesh network is currently using.
NOTE: To paste text into PuTTY, press ctrl+v to paste, then click the right mouse
button.
5Enter the command set mesh auto.
6If there are multiple ZoneDirectors on the network, you may need to specify which
ZoneDirector the AP should connect to, using the command set director
ip <ZoneDirector’s IP address>.
7If a management VLAN is used for ZoneDirector-AP management traffic, enter
the following command: set ipaddr wan vlan <vlan ID>.
8Enter the command reboot to restart the AP with the new configuration
changes.
9Close the SSH client.
You have completed recovering the isolated mesh AP. You should be able to manage
this AP again shortly. Please wait at least 15 minutes (to allow the mesh network to
stabilize), and then try managing this AP again via ZoneDirector.
Best Practices and Recommendations
For recommendations and best practices in planning and deploying a Ruckus
Wireless Smart Mesh network, refer to Smart Mesh Networking Best Practices.
Best Practices and Recommendations
Recovering an Isolated Mesh AP
396 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 397
10
Setting Administrator Preferences
In this chapter:
Changing the ZoneDirector Administrator User Name and Password
Changing the Web Interface Display Language
Upgrading ZoneDirector and ZoneFlex APs
Working with Backup Files
Restoring ZoneDirector to Default Factory Settings
Working with SSL Certificates
Using an External Server for Administrator Authentication
Upgrading the License
Changing the ZoneDirector Administrator User Name and Password
398 Ruckus Wireless, Inc.
Changing the ZoneDirector Administrator
User Name and Password
You should change your ZoneDirector administrator login password on a monthly
basis, but the administrator user name should be changed only if necessary.
NOTE: If authentication with an external server is enabled and the Fallback to admin
name/password if failed check box is disabled, you will be unable to edit the user
name and password. To edit the user name and password:
1. Select the Fallback to admin name/password if failed check box to enable the
user name and password boxes.
2. Change the user name and password.
3. Clear the Fallback to admin name/password if failed check box.
4. Click Apply to save your changes.
To edit or replace the current name or password:
1Go to Administer > Preferences.
2When the Preferences page appears, you have the following options under
Administrator Name/Password:
Authenticate using the admin name and password: The default option,
should be enabled if you are not using an external server for administrator
authentication.
Authenticate with Auth server: Select an authentication server from the list,
if you have configured one on the Configure > AAA Servers page.
-Fallback to admin name/password if failed: Enable this check box to
ensure you will be able to log in when the AAA server is unreachable.
Admin Name: Delete the text in this field and type the new administrator
account name (used solely to log into ZoneDirector via the web interface).
Password/Confirm Password: Delete the text in both fields and type the
same text for a new password.
3Click Apply to save your settings. The changes go into effect immediately.
Changing the Web Interface Display Language
Setting Administrator Login Session Timeout
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 399
Figure 224. The Preferences page
Setting Administrator Login Session Timeout
By default, administrators logged into the web interface are automatically logged
out after 30 minutes of inactivity. This timeout can be configured with a value
between 1 and 1440 minutes (24 hours). To change the admin idle timeout period,
enter a new value in Administer > Preferences > Timeout interval and click Apply.
Changing the Web Interface Display
Language
Depending on your preferences, you can change the language in which the web
interface is displayed in your web browser. The default is English.
This change only affects how the web interface appears, and does not modify either
OS/system or browser settings (which are managed through other processes).
1Go to Administer > Preferences.
2When the Preferences page appears, choose your preferred language from the
Language drop-down menu.
Upgrading ZoneDirector and ZoneFlex APs
Setting Administrator Login Session Timeout
400 Ruckus Wireless, Inc.
NOTE: This only affects how the ZoneDirector web interface appears, and does
not modify either the operating system or web browser settings.
3Click Apply to save your settings. The changes go into effect immediately.
Upgrading ZoneDirector and ZoneFlex APs
Check the Ruckus Wireless Support web site on a regular basis for updates that
can be applied to your Ruckus Wireless network devices — to ZoneDirector and all
your ZoneFlex APs. After downloading any update package to a convenient folder
on your administrative PC, you can complete the network upgrade (of both
ZoneDirector and APs) by following the steps detailed below.
NOTE: Upgrading ZoneDirector and the APs will temporarily disconnect them (and
any associated clients) from the network. To minimize network disruption, Ruckus
Wireless recommends performing the upgrade procedure at an off-peak time.
NOTE: If ZoneDirector is running a software version earlier than version 9.9 and you
want to upgrade to version 9.12, you will need to upgrade to version 9.9 first, and
then upgrade to version 9.12. If you try to upgrade directly to 9.12 from a version
earlier than 9.10, the upgrade will fail (see ZoneDirector Release 9.12 Release Notes
for more information).
1Go to Administer > Upgrade.
2Under the Software Upgrade section, click Browse. The Browse dialog box
appears.
3Browse to the location where you saved the upgrade package, and then click
Open.
4When the upgrade file name appears in the text field, the Browse button
becomes the Upgrade button.
5Click Upgrade.
ZoneDirector will automatically log you out of the web interface, run the upgrade,
and then restart itself. When the upgrade process is complete, the Status LED on
ZoneDirector is steadily lit. You may now log back into the web interface as
Administrator.
Upgrading ZoneDirector and ZoneFlex APs
Performing an Upgrade with Smart Redundancy
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 401
NOTE: The full network upgrade is successive in sequence. After ZoneDirector is
upgraded, it will contact each active AP, upgrade it, and then restore it to service.
NOTE: The AP uses FTP to download firmware updates from ZoneDirector. If you
have an access control list (ACL) or firewall between ZoneDirector and the AP, make
sure that FTP traffic is allowed to ensure that the AP can successfully download the
firmware update.
Figure 225. The Upgrade page
Performing an Upgrade with Smart Redundancy
If you have two ZoneDirectors in a Smart Redundancy configuration, the procedure
is similar. Note however, that the active and standby ZoneDirectors will reverse roles
during an upgrade.
To upgrade both ZoneDirectors in a Smart Redundancy configuration:
1Log in to the active ZoneDirector or the shared Management Interface.
NOTE: Do not attempt to manually upgrade the standby ZoneDirector first, followed
by the active unit. If you do this, some configuration options may get lost during the
upgrade process. Be sure to begin the upgrade process from either the active
ZoneDirector’s web interface or the shared Management interface.
2Go to Administer > Upgrade.
3Under the Software Upgrade section, click Browse. The Browse dialog box
appears.
Working with Backup Files
Backing Up a Network Configuration
402 Ruckus Wireless, Inc.
4Browse to the location where you saved the upgrade package, and then click
Open.
5When the upgrade file name appears in the text field, the Browse button
becomes the Upgrade button.
6Click Upgrade. The backup ZoneDirector is upgraded first.
7When the backup ZoneDirector upgrade is complete, the backup ZoneDirector
reboots and becomes active (begins accepting AP requests), while the original
active ZoneDirector enters backup state and begins its own upgrade process.
8All APs are now associated to the original backup ZoneDirector (which is now
the active ZoneDirector), and begin upgrading AP firmware to the new version.
9Each AP reboots after upgrading.
Working with Backup Files
After you have set up and configured your Ruckus wireless network, you may want
to back up the full configuration. The resulting archive can be used to restore your
ZoneDirector and network. And, whenever you make additions or changes to the
setup, you can create new backup files at that time, too.
Backing Up a Network Configuration
1Go to Administer > Backup.
2Under the Backup Configuration sections, click Back Up. The File Download
dialog box appears.
3Click Save.
4When the Save As dialog box appears, enter a name for this archive file, pick a
destination folder, then click Save.
NOTE: Ruckus Wireless recommends adding the firmware version number to the
backup file name so that you can easily identify which backup files were created on
which firmware version. By default only the backup date is included in the file name.
5Make sure the filename ends in a “.bak” extension.
6When the Download Complete dialog box appears, click Close.
Working with Backup Files
Restoring Archived Settings to ZoneDirector
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 403
Figure 226. The Back Up Configuration option
Restoring Archived Settings to ZoneDirector
NOTE: Restoring a backup file will automatically reboot ZoneDirector and all APs
that are currently associated with it. Users associated with these APs will be
temporarily disconnected; wireless access will be restored automatically after
ZoneDirector and the APs have completed booting up.
1Go to Administer > Backup.
2Under Restore Configuration, click Browse.
3Locate a previously saved backup file, select the file, and then click Open.
4Three restore options appear:
Restore everything: Select this option if you want the device to use all the
settings configured in the backup file (including the IP address, wireless
settings, access control lists, AP and WLAN group configurations, etc.).
NOTE: If you use the Restore everything option to restore settings from one
ZoneDirector unit to another, note that wireless clients reporting to the AP managed
by the first ZoneDirector unit will need to go through Zero-IT activation again to
obtain new client certificates. Zero-IT activation is enabled by default, therefore no
manual configuration is required from you.
Working with Backup Files
Restoring Archived Settings to ZoneDirector
404 Ruckus Wireless, Inc.
Restore everything, except system name and IP address settings (for failover
deployment at the same site): Select this option to import settings saved from
a primary to a backup ZoneDirector for Smart Redundancy deployment.
NOTE: In addition to system name and IP address, this option restores everything
except for the following configuration settings: 1.) VLAN settings. 2.) Management
IP address and VLAN settings. 3.) Smart Redundancy settings. 4.) DHCP server
settings. 5.) Session timeout. 6.) Limited ZD Discovery and Management VLAN
settings in Access Point Policies.
Restore only WLAN settings, access control list, roles, and users (use this as
a template for different sites): Select this option if you want to use the backup
file as a configuration template.
5Click the Restore button.
ZoneDirector restores the backup file. During this process, ZoneDirector automati-
cally logs you out of the web interface. When the restore process is complete,
ZoneDirector automatically restarts and your wireless network will be ready for use
again.
Figure 227. Select the restore level for restoring from a backup file
Working with Backup Files
Restoring Archived Settings to ZoneDirector
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 405
Restoring AP Configuration Settings Only
You can also restore previously saved access point configurations from a backup
file without restoring any other ZoneDirector configuration settings. This feature can
be useful in deploying N+1 redundancy. For example, if three ZoneDirector 1200
controllers are deployed in different locations and with one ZoneDirector 3000
serving as a backup, you can use this feature to export AP lists from the three
ZD1200s and import them one by one into the ZD3000. For more information on
N+1 redundancy deployment, see Using Limited ZD Discovery for N+1 Redun-
dancy.
To restore an AP list from a backup file without altering ZoneDirector settings:
1Go to Configure > Access Points.
2Under the Access Points table, click the Browse button near the line that begins
If you need to import the APs configuration...”.
3Browse to a previously saved backup file, select the file and click Open. The
page refreshes and the name of the backup file you selected is displayed, along
with the option to either import this file and reboot, or import this file and continue
importing additional files before reboot.
To import this file only, select Import this backup file and then reboot.
ZoneDirector will reboot after loading your AP list.
To import this file and continue importing AP lists from other backup files,
select Import this backup file and additional backup file(s). Then click Import.
When the import is complete, you will be prompted to import AP configura-
tions from additional backup files.
4When finished, click Import. ZoneDirector will import all AP configurations from
any backup files selected and reboot automatically. You must wait for the reboot
process to complete before being able to log back into ZoneDirector.
5When the reboot process is complete, the restored APs appear in the Access
Points table at the top of the page.
Restoring ZoneDirector to Default Factory Settings
Restoring Archived Settings to ZoneDirector
406 Ruckus Wireless, Inc.
Figure 228. Importing AP lists only from a backup file
Restoring ZoneDirector to Default Factory
Settings
In certain extreme conditions, you may want to re-initialize ZoneDirector and reset
it to factory default state. In this state, the network is almost ready for use, but all
your user/guest/log and other records, accounts and preference configurations
would need to be manually reconfigured.
CAUTION! Resetting ZoneDirector to factory default settings will erase all
configuration changes that you made, except for AP licenses and SSL certificates.
NOTE: When this procedure is complete, you will need to redo a complete setup.
If ZoneDirector is on a live network, a new IP address may be assigned to the system.
In this case, the system can be discovered by a UPnP client application, such as
Windows “My Network Places.” If there is no DHCP server on the connected
network, the system's default IP address is 192.168.0.2 with subnet mask
255.255.255.0.
Restoring ZoneDirector to Default Factory Settings
Alternate Factory Default Reset Method
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 407
NOTE: A complete set of instructions is available in the ZoneDirector Quick Start
Guide (QSG). Before restoring ZoneDirector to factory default settings, you should
open and print out the QSG pages. You can follow those instructions to set up
ZoneDirector after restoring factory defaults.
To reset your ZoneDirector to factory default settings:
1Go to Administer > Backup.
2When the Backup/Restore page appears, look for Restore Factory Settings,
and click the button.
3Owing to the drastic effect of this operation, one or more confirmation dialog
boxes will appear. Click OK to confirm this operation.
4When this process begins, you will be logged out of the web interface.
5When the reset is complete, the Status LED is blinking green, indicating that the
system is in the “factory default” state. After you complete the Setup Wizard, the
Status LED will be steady green.
Figure 229. The Restore to Factory Settings section
Alternate Factory Default Reset Method
If you are unable to complete a software-based resetting of ZoneDirector, you can
do the following “hard” restore:
Working with SSL Certificates
Basic Certificate Installation
408 Ruckus Wireless, Inc.
NOTE: Do not disconnect ZoneDirector from its power source until this procedure
is complete.
1Locate the Reset pin hole on the front panel of ZoneDirector.
2Insert a straightened paper clip in the hole and press for at least 5 seconds.
After the reset is complete, the Status LED blinks red, then blinks green, indicating
that the system is in factory default state.
After you complete the Setup Wizard, the Status LED will be steady green.
Working with SSL Certificates
SSL certificates enable device or user identification, as well as secure communica-
tions. ZoneDirector captive portal services and the web UI use an SSL certificate
when establishing HTTPS connections.
The default SSL certificate that is installed on the ZoneDirector is self-signed and
therefore not trusted by any web browser. This is the reason why the SSL security
warnings appear when establishing an HTTPS connection to the ZoneDirector.
To eliminate the security warnings, administrators may purchase a trusted SSL
certificate from a public Certificate Authority (CA) such as VeriSign and install it on
the ZoneDirector.
Basic Certificate Installation
The certificate installation process is as follows:
Generate a Certificate Signing Request (CSR) with the required requester
information.
Submit the CSR to a public CA for signing.
Receive a signed certificate from the CA.
Import the signed certificate into ZoneDirector.
Generating a Certificate Signing Request
If you do not have an existing SSL certificate, you will need to create a certificate
signing request (CSR) file and send it to a certificate authority (CA) to purchase an
SSL certificate. The ZoneDirector web interface provides a form that you can use
to create the CSR file. Fields with an asterisk (*) are required entries. Those without
an asterisk are optional.
Working with SSL Certificates
Generating a Certificate Signing Request
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 409
The Configure > Certificate form allows you to perform the following actions:
Generate a certificate signing request.
Import a signed certificate.
View the currently installed certificate.
Advanced Options link displays additional options
Restore the default private key and certificate.
Backup private key and certificate.
Generate a new private key.
To create a certificate request file (CSR):
1Go to Configure > Certificate.
2In the Generate a Request section, complete the following options:
Common Name*: Enter ZoneDirector’s Fully Qualified Domain Name (FQDN).
Typically, this will be “zonedirector.[your company].com”. You can
also enter ZoneDirector’s IP address (e.g., “192.168.0.2”), or a familiar
name by which the ZoneDirector will be accessed in your browser (e.g., by
device name such as “ZoneDirector”).
NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if
possible. If your network does not have a DNS server, you may use ZoneDirector’s
IP address instead. However, note that some CAs may not allow this.
- If you wish to access ZoneDirector from a public network via the internet
you must use a Fully Qualified Domain Name (FQDN).
- In all cases when using a familiar name there must be an appropriate
private or public DNS entry to resolve the familiar name to ZoneDirector’s
IP address.
- If you use a familiar name, this name will be shown in the browser’s URL
whenever accessing ZoneDirector (i.e., administrator interface, standard
captive portal and guest access captive portal).
Subject Alternative Name: (Optional) Select either IP or DNS from the menu
and enter either alternative IP addresses or alternate DNS names.
Organization*: Type the complete legal name of your organization (for
example, Ruckus Wireless, Inc.). Do not abbreviate your organization
name.
Working with SSL Certificates
Generating a Certificate Signing Request
410 Ruckus Wireless, Inc.
Organization Unit: (Optional) Type the name of the division, department, or
section in your organization that manages network security (for example,
Network Management).
Locality/City*: Type the city where your organization is legally located (for
example, Sunnyvale).
State/Province*: Type the state or province where your organization is legally
located (for example, California). Do not abbreviate the state or province
name.
Country*: Select your country or region from the pull-down menu.
3Click Apply. A dialog box appears and prompts you to save the CSR file
(myreq.csr) that you have just created.
4Save the file to your computer.
Figure 230. Generating a CSR file
5Go to a certificate authority's web site and follow the instructions for purchasing
an SSL certificate.
6When you are prompted for the certificate signing request, copy and paste the
content of the text file that you saved to your local computer, and then complete
the certificate purchase.
After the certificate authority approves your CSR, you will receive the SSL certificate
via email. The following is an example of a signed certificate that you will receive
from a certificate authority:
-----BEGIN CERTIFICATE-----
Working with SSL Certificates
Importing an SSL Certificate
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 411
MIIFVjCCBD6gAwIBAgIQLfaGuqKukMumWhbVf5v4vDANBgkqhkiG9w0B
AQUFADCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJ
bmMuMR8wHQYDVQQLBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6
Ly9vY3NwLnZlcmlzaWduLmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL1NW
UlNlY3VyZS1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUtYWlh
LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYw
ITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRw
Oi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcN
AQEFBQADggEBAI/S2dmm/kgPeVAlsIHmx-
751o4oq8+fwehRDBmQDaKiBvVXGZ5ZMnoc3DMyDjx0SrI9lkPsn223CV
3UVBZo385g1T4iKwXgcQ7WF6QcUYOE6HK+4ZGcHermFf3fv3C1-
FoCjq+zEu8ZboUf3fWbGprGRA+MR/dDI1dTPtSUG7/zWjXO5jC//
0pykSldW/q8hgO8kq30S8JzCwkqrXJfQ050N4TJtgb/
YC4gwH3BuB9wqpRjUahTiK1V1-
ju9bHB+bFkMWIIMIXc1Js62JClWzwFgaGUS2DLE8xICQ3wU1ez8RUPGn
wSxAYtZ2N7zDxYDP2tEiO5j2cXY7O8mR3ni0C30=
-----END CERTIFICATE-----
7Copy the content of the signed certificate, and then paste it into a text file. Save
the file.
You may now import the signed certificate into ZoneDirector. Refer to the following
section for instructions.
Importing an SSL Certificate
After you receive the signed certificate from the Certificate Authority, you must
import it into ZoneDirector.
To import a signed certificate:
1Click on the Browse button and select the file that contains the certificate (in
PEM format) to upload it.
2If there are no intermediate CA certificates, then click on the Import button to
install the uploaded certificate.
NOTE: if the certificate does not match the currently installed private key you will
be prompted to upload the correct private key.
Working with SSL Certificates
Importing an SSL Certificate
412 Ruckus Wireless, Inc.
Figure 231. Importing a signed SSL Certificate
3If your ZoneDirector certificate was issued by an intermediate CA, then you must
also import the intermediate CAs certificate (as well as all other intermediate CA
certificates in the path to the root CA). In that event, you would receive
intermediate CA certificate download instructions from the certificate vendor. To
import an intermediate certificate:
After selecting the end certificate, click on the intermediate certificate import
option.
Click on the Import button to reveal the Import Intermediate Certificates form.
Click on Browse button and select the file containing the intermediate
certificate (PEM format) to upload it.
If there are no additional intermediate certificates, click the Import button to
install the uploaded certificate.
4Alternatively, you can simplify this process by appending the intermediate CA
certificate(s) to the ZoneDirector certificate file. Then, you just need to import a
single file. The intermediate certificate(s) will be imported automatically. In this
case, you will see multiple ---BEGIN CERTIFICATE--- and ---END CERTIFICATE-
-- pairs in the file.
Working with SSL Certificates
SSL Certificate Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 413
Figure 232. Importing a signed certificate (continued)
SSL Certificate Advanced Options
The Advanced Options section allows you to perform additional certificate manage-
ment functions. These include the following:
Restore to Default Certificate/Private Key: This deletes any certificate and
private key that has been imported, and restores the factory default certificate/
private key after restore and reboot.
NOTE: Restoring ZoneDirector to factory defaults does not remove imported SSL
certificates. Use this option to remove any imported certificates and revert to the
factory default state.
Back Up Private Key: Back up the current private key by downloading it for
disaster recovery or for use on another ZoneDirector. If your ZoneDirector is
replaced due to an RMA, you will need to restore the private key if you have
installed a public certificate. Ensure that the private key is kept secure because
the security of your SSL communications depends on it.
Back up certificates for Smart Redundancy: If you have two ZoneDirectors
in a Smart Redundancy configuration, you can install the same SSL certificate/
private key pair on both devices. In this way, you can access the shared virtual
Working with SSL Certificates
SSL Certificate Advanced Options
414 Ruckus Wireless, Inc.
management interface advertised in DNS for the same FQDN without seeing the
security warning. If you wish to also use certificates in a Smart Redundancy
configuration with captive portals such as Guest Access, Web Portal and
Hotspot, see Wildcard Certificate Installation.
Back Up Trusted CA Information: Use this option to apply the same trusted
CA from this ZoneDirector to peer ZoneDirectors. The file is output as a .tar.gz
file containing all trusted Certificate Authoritiy information currently installed on
this ZoneDirector. This compressed file must be decompressed and the files
imported into the peer ZoneDirector using the Add a Trusted CA feature
described below.
Re-Generate Private Key of a Specific Key Length: Use this option if your
previous private key has been compromised or you need to use a stronger key
(either 1024 or 2048 bits). Note that a new certificate must be generated and
installed afterwards.
Add a Trusted CA: Use this option to import CA information. Click the Click
Here link to display all of the current trusted CA information, with each trusted
CA separated by a string of number symbols (“#######”). Options include:
Add a new trusted CA: Import a single CA file.
Cover all trusted CA: Use the new trusted CA file to cover all existing trusted
CA files.
Working with SSL Certificates
SSL Certificate Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 415
Figure 233. SSL Certificate Advanced Options
Wildcard Certificate Installation
A wildcard certificate is a generic certificate that can be used for devices in a specific
domain. This is useful for Smart Redundancy installations where you have two
ZoneDirectors. You can purchase and install two certificates, or use a wildcard
certificate.
When you try to import a wildcard certificate, the ZoneDirector will notify you that it
does not have the matching private key. At this point, click on the “click here” link
to import the private key. Once the private key is imported, try to import the certificate
again. The ZoneDirector will prompt you for the host name. Enter the hostname and
ensure that your DNS server is configured to resolve that name to the IP address of
ZoneDirector.
Wildcard Certificates In Smart Redundancy With Captive Portals
In order to prevent redirect loops when deploying SSL certificates in a Smart
Redundant configuration with Guest Access, Web Portal and Hotspot captive
portals, use the following wildcard certificate procedure:
Using an External Server for Administrator Authentication
SSL Certificate Advanced Options
416 Ruckus Wireless, Inc.
1Purchase or generate a self-signed wildcard certificate such as *.acompany.com
and install it on both ZoneDirectors in the Smart Redundant pair.
2In DNS, add 3 host/IP entries similar to the following
management.acompany.com; 192.168.0.100: This is the FQDN you wish to
use for reaching the shared virtual management interface and is mapped to
its configured IP address.
primary-zd.acompany.com; 192.168.0.98: This is the FQDN for the primary
ZD controller and its physical IP address.
backup-zd.acompany.com; 192.168.0.99: This is the FQDN for the backup
ZD controller and its physical IP address
3When you import the wildcard certificate into the ZoneDirectors you will be
prompted to enter the host name – make sure you use the same host name as
you will advertise in DNS for that ZoneDirector (the default is the same configured
ZoneDirector name).
NOTE: Currently it is not possible to support this configuration with the Hotspot
captive portal when it is being used for Zero-IT activation through the ZoneDirector
because the FQDN for the “/activate” URL is identical on both ZoneDirectors. To
achieve this use the Onboarding Portal feature for Zero-IT activation.
Using an External Server for Administrator
Authentication
ZoneDirector supports additional administrator accounts that can be authenticated
using an external authentication server such as RADIUS, LDAP, Active Directory or
TACACS+. Three types of administrative privileges can be assigned to these
administrator accounts:
Super Admin - Allows all types of configuration and management tasks
Operator Admin - Allows AP configuration only
Monitoring Admin – Allows monitoring operations only
This section provides basic instructions for setting up ZoneDirector to authenticate
additional administrator accounts with an external authentication server. For more
information on AAA server configuration, see Using an External AAA Server.
To authenticate ZoneDirector administrators using an AAA server:
Using an External Server for Administrator Authentication
SSL Certificate Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 417
1Set up Group Attributes on the AAA server.
RADIUS:
Ruckus Wireless private attribute
- Vendor ID: 25053
- Vendor Type/Attribute Number: 1 (Ruckus-User-Groups)
- Value Format: group_attr1,group_attr2,group_attr3,...
Cisco private attribute (if your network is using a Cisco access control server)
- Vendor ID: 9
- Vendor Type / Attribute Number: 1 (Cisco-AVPair)
- Value Format: shell:roles=”group_attr1 group_attr2 group_attr3 ...”
Active Directory or LDAP:
Set up administrator groups.
Populate these groups with users to whom you want to grant administrator
access. One way to do this is to edit each users Member of profile and add
the group to which you want the user to belong. Remember the group names
that you set; you will enter this information when you create administrator
roles in ZoneDirector (see Step 3).
TACACS+: See TACACS+ for more information.
2Set up ZoneDirector to use an AAA server (Configure > AAA Servers).
3Create an Administrator Role in ZoneDirector (Configure > Roles).
Allow access to all/specific WLANs.
Allow/deny Guest Pass Generation.
Ensure that Allow ZoneDirector Administration is enabled, and choose the
level of administration privileges you want to allow for this role.
CAUTION! If you do not select the Allow ZoneDirector Administration check box,
administrators that are assigned this role will be unable to log into ZoneDirector even
if all other settings are configured correctly.
4Test your authentication settings (Configure > AAA Servers > Test
Authentication Settings).
5Specify AAA server to use (Administer > Preferences > Authenticate with
Auth Server).
Upgrading the License
SSL Certificate Advanced Options
418 Ruckus Wireless, Inc.
Verify that the Fallback to admin name/password if failed check box is
selected. Keeping this check box selected ensures that administrators will still
be able to log into the ZoneDirector web interface even when the authentication
server is unavailable.
Congratulations! You have completed setting up ZoneDirector to use external
servers for administrator authentication. Whenever a user with administrator privi-
leges logs into the ZoneDirector web interface, an event will be recorded. The
following is an example of the event details that you will see:
Admin [user_name] login (authenticated by {Authentication
Server} with {Role}).
Upgrading the License
Depending on the number of Ruckus Wireless APs you need to manage with your
ZoneDirector, you may need to upgrade your license as your network expands.
Contact your authorized Ruckus Wireless reseller to purchase an upgrade license.
Once you load the license via the web interface, it takes effect immediately.
Current license information (description, PO number, status, etc.) is displayed on
the web interface.
NOTE: The system does not reboot or reset after a license is imported.
To import a new license file
1Go to Administer > License.
2Click Choose File and select your license file.
3Once you select your license file and close the Browse window, ZoneDirector
immediately attempts to validate and install the license.
Figure 234. The License page
Support Entitlement
SSL Certificate Advanced Options
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 419
Support Entitlement
The Support Entitlement license allows you to extend the period for which you are
allowed to continue upgrading your ZoneDirector when newer versions are released.
If your support contract has expired, you can contact your Ruckus customer service
representative or Ruckus reseller to purchase a new support entitlement. After you
have purchased a support package and registered your purchase on the Support
website, you can click Check Entitlement to download the entitlement file and
automatically import into your ZoneDirector or manually upload it to ZoneDirector.
To import a new Support entitlement file:
1Go to Administer > Support.
2In the Support Service section, click Browse... to import a new support
entitlement file.
Figure 235. Uploading a Support entitlement file
Support Entitlement
SSL Certificate Advanced Options
420 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 421
11
Troubleshooting
In this chapter:
Troubleshooting Failed User Logins
Fixing User Connections
Measuring Wireless Network Throughput with SpeedFlex
Diagnosing Poor Network Performance
Starting a Radio Frequency Scan
Using the Ping and Traceroute Tools
Viewing Current System and AP Logs
Packet Capture and Analysis
Importing a Script
Enabling Remote Troubleshooting
Restarting an Access Point
Restarting ZoneDirector
Troubleshooting Failed User Logins
422 Ruckus Wireless, Inc.
Troubleshooting Failed User Logins
SUMMARY: This troubleshooting topic addresses the problems that network users
might have with configuring their client devices and logging into your ZoneFlex
WLAN.
Upon the completion of the Setup Wizard, ZoneDirector automatically activates a
default internal WLAN for authorized users. A key benefit of the internal WLAN is
the Zero-IT configuration, which enables new users to self-activate their wireless
client devices with little or no assistance from the IT department. Zero-IT client device
configuration requires that the client be running a compatible operating system and
using a wireless network adapter that implements WPA encryption.
If you and your WLAN users run into initial connection failures when using the Zero-
IT configuration and login, almost all of the problems have two key causes:
Your users' client devices are running another OS, such as Linux, ChromeOS,
etc.
Your users' client devices are using wireless network adapters without a WPA
implementation.
The following list of options may be applicable based on your client system’s
qualifications:
Option 1: If the client is running a supported operating system, check the wireless
network adapter to verify the implementation of WPA.
Option 2: Upgrade to Windows 7, and if needed, acquire a wireless network
adapter with WPA support. Once these changes are made, your users can
attempt Zero-IT activation again.
Option 3: If an older version of Windows is in use, or if another OS is being used,
the user must manually enter the WPA passphrase in their network configuration
(see Provisioning Clients that Do Not Support Zero-IT).
Option 4: If the client’s OS cannot be upgraded and the wireless adapter is limited
to WEP, you will need to do the following:
Create an additional WLAN for non-standard client connections, then create
a Role that refers to this WLAN, and assign that role to the relevant user
accounts.
Enter the WEP key in the network configuration on the client device.
Fixing User Connections
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 423
Fixing User Connections
If any of your users report problematic connections to the WLAN, the following
debugging technique may prove helpful. Basically, you will be deleting that user's
client from the Active Clients table in the Ruckus ZoneDirector, and when their client
connection automatically renews itself, any previous problems will hopefully be
resolved.
To fix the connection of an active client:
1Go to Monitor > Wireless Clients.
2In the Clients table, locate the problematic client., and click the Delete button
on the same row.
3The client will be immediately disconnected from the WLAN. (Be sure not to block
the client. If you do accidentally block a client, go to Configure > Access Control
to unblock.)
4From the client computer, refresh the list of wireless networks and attempt to log
in again.
5After one to two minutes, the Clients table will refresh and display the client again.
Figure 236. Click the X icon to delete a client record from the Wireless Clients page
Measuring Wireless Network Throughput with SpeedFlex
If WLAN Connection Problems Persist
424 Ruckus Wireless, Inc.
If WLAN Connection Problems Persist
If the previous technique fails to resolve the connection issues, you may need to
guide the user through a reset of their WLAN configuration. This requires deleting
the user record, then creating a new user record, after which the user must repeat
the Zero-IT Activation process to reactivate their device with ZoneDirector.
1Have the user log out of the WLAN.
2Go to Configure > Users. The Internal User Database table appears, displaying
a list of current user accounts.
3Locate the problematic user account in the table, and click the check box to the
left of the user’s name.
4Click Delete.
5Click the Create New button to create a new user account for this user. Enter
a user name and password, and choose a role from the drop-down menu.
6Send a notification to the user with instructions on how to re-configure their client
and log into the WLAN again.
At the end of this process, the user should be reconnected. If problems persist, they
may originate in Windows or in the wireless network adapter.
Measuring Wireless Network Throughput with
SpeedFlex
SpeedFlex is a wireless performance tool included in ZoneDirector that you can use
to measure the downlink throughput between ZoneDirector and a wireless client,
ZoneDirector and an AP, and a wireless client and an AP. When performing a site
survey, you can use SpeedFlex to help find the optimum location for APs on the
network with respect to user locations.
NOTE: Before running SpeedFlex, verify that the Guest Usage and Wireless Client
Isolation options (on the Configure > WLANs > Editing {WLAN Name} page) are
disabled. The SpeedFlex Wireless Performance tool may not function properly when
either or both of these options are enabled. For example, SpeedFlex may be
inaccessible to users at http://{zonedirector-ip-address}/perf or
SpeedFlex may prompt you to install the SpeedFlex application on the target client,
even when it is already installed.
Measuring Wireless Network Throughput with SpeedFlex
If WLAN Connection Problems Persist
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 425
NOTE: The following procedure describes how to run SpeedFlex from the
ZoneDirector web interface to measure a wireless client’s throughput. For
instructions on how to run SpeedFlex from a wireless client (for users), refer to
Allowing Users to Measure Their Own Wireless Throughput.
NOTE: SpeedFlex is unable to measure the throughput between two devices if
those two devices are not on the same VLAN or the same subnet.
To measure the throughput of an AP or a client from the web interface
1Find out the MAC address of the AP or wireless client that you want to use for
this test procedure.
2If you are testing client throughput, verify that the wireless client is associated
with the AP that you want to test.
3Log in to the ZoneDirector web interface. You can use the wireless client that
you are testing or another computer to log in to the web interface.
4If you want to test AP throughput, click Monitor > Access Points. If you want
to test client throughput, click Monitor > Wireless Clients.
5In the list of APs or clients, look for the MAC address of the AP or wireless client
that you want to test, and then click the SpeedFlex link on the same row. The
SpeedFlex Wireless Performance Test interface loads, showing a speedometer
and the IP address of the AP or client that you want to test.
NOTE: If ZoneDirector is unable to determine the IP address of the wireless client
that you want to test (for example, if the wireless client is using a static IP address),
the SpeedFlex link for that client does not appear on the Clients page.
6Choose UDP or TCP from the Protocol drop-down list. Only one type of traffic
can be tested at a time.
7If you are testing AP throughput, you have the option to test both Downlink and
Uplink throughput. Both options are selected by default. If you only want to test
one of them, clear the check box for the option that you do not want to test.
8Click the Start button.
If the target client does not have SpeedFlex installed, a message appears in
the ZoneDirector administrator’s browser, informing you that the SpeedFlex
tool has to be installed and running on the client before the wireless perfor-
Measuring Wireless Network Throughput with SpeedFlex
If WLAN Connection Problems Persist
426 Ruckus Wireless, Inc.
mance test can continue. Click the OK button on the message, download
the appropriate SpeedFlex version (Windows, Mac or Android) from http:/
/<ZoneDirector-IP-Address>/perf, and email it to the user, or
instruct the user to go to http://<ZoneDirector-IP-Address>/
perf to download and install it. (See Allowing Users to Measure Their Own
Wireless Throughput.) After SpeedFlex is installed and running on the client,
click Start again to continue with the wireless performance test.
A progress bar appears below the speedometer as SpeedFlex generates traffic to
measure the downlink or uplink throughput. One throughput test typically runs for
10-30 seconds. If you are testing both Downlink and Uplink options, the two tests
take about one minute to complete.
When the tests are complete, the results appear below the Start button. Downlink
and uplink throughput results are displayed along with packet loss percentages.
Figure 237. The SpeedFlex interface
Measuring Wireless Network Throughput with SpeedFlex
If WLAN Connection Problems Persist
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 427
Figure 238. Click the download link for the target client’s operating system
Figure 239. A progress bar appears as SpeedFlex measures the wireless throughput
Measuring Wireless Network Throughput with SpeedFlex
Using SpeedFlex in a Multi-Hop Smart Mesh Network
428 Ruckus Wireless, Inc.
Figure 240. When the test is complete, the tool shows the uplink and downlink throughput and
packet loss percentage
Using SpeedFlex in a Multi-Hop Smart Mesh Network
SpeedFlex can also be used to measure multi-hop throughput between APs and
ZoneDirector in a mesh tree. For example, if you have a mesh tree that is three hops
deep (i.e., ZoneDirector... Root AP... Mesh AP 1... Mesh AP 2), SpeedFlex can
measure the total throughput between ZoneDirector and Mesh AP 2. Running the
Multi-Hop SpeedFlex tool returns throughput results for each hop as well as the
aggregate throughput from ZoneDirector to the final AP in the tree.
To measure throughput across multiple hops in a Smart Mesh tree:
1Go to Monitor > Mesh, or open the Mesh Topology widget on the Dashboard.
2Locate the AP whose throughput you want to measure, and click the SpeedFlex
icon on the same row as that AP. The SpeedFlex icon changes to an icon with
a green check mark, and the Multi-Hops SpeedFlex button appears.
3Click Multi-Hops SpeedFlex. The SpeedFlex utility launches in a new browser
window.
4Select Uplink, Downlink or both (default is both), and click Start to begin. Note
that multi-hop SpeedFlex takes considerably longer to complete than a single
hop. If you want to complete the test faster, deselect either Uplink or Downlink
and test one direction at a time.
Measuring Wireless Network Throughput with SpeedFlex
Using SpeedFlex in a Multi-Hop Smart Mesh Network
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 429
Figure 241. Running Multi-Hop SpeedFlex in a mesh tree
Figure 242. Multi-Hop SpeedFlex test results
Measuring Wireless Network Throughput with SpeedFlex
Allowing Users to Measure Their Own Wireless Throughput
430 Ruckus Wireless, Inc.
Allowing Users to Measure Their Own Wireless
Throughput
ZoneDirector provides another version of the SpeedFlex Wireless Performance Test
application that does not require authentication. This version can be accessed at:
http://{zonedirector-ip-address}/perf
If you want wireless users to be able to measure their own wireless throughput, you
can provide this link to them, along with the instructions below. Before sending out
these instructions, remember to replace the {zonedirector-ip-address}
variable with the actual ZoneDirector IP address.
How to Measure the Speed of Your Wireless Connection
The following instructions describe how you can use SpeedFlex, a wireless perfor-
mance test tool from Ruckus Wireless, to measure the speed of your wireless
connection to your access point.
1Make sure that your wireless device is connected only to the wireless network.
If your wireless device is also connected to the wired network, unplug the
network cable.
2Start your web browser, and then enter the following in the address or location
bar:
http://{zonedirector-ip-address}/perf
The SpeedFlex Wireless Performance Tool interface loads in your browser.
3Click the Start button. The following message appears:
Your computer does not have SpeedFlex running. Click the
OK button, download the SpeedFlex application for your
operating system, and then double-click SpeedFlex.exe to
start the application.
When SpeedFlex is running on your computer, click Start
again to continue with the wireless performance test.
4Click OK. Windows and Mac (Intel) download links for SpeedFlex appear on the
SpeedFlex Wireless Performance Test interface.
5Click the SpeedFlex version that is appropriate for your operating system,
download the SpeedFlex file, and then save it to your computer’s hard drive.
6After downloading the SpeedFlex file, locate the file, and then double-click the
file to start the application. A command prompt window appears and shows the
following message:
Entering infinite loop. Enjoy the ride.
Diagnosing Poor Network Performance
Allowing Users to Measure Their Own Wireless Throughput
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 431
This indicates that SpeedFlex was successfully started. Keep the command
prompt window open.
7On the SpeedFlex Wireless Performance Test interface, click the Start button
again. A progress bar appears below the speedometer as the tool generates
traffic to measure the downlink throughput from the AP to the client. The test
typically runs from 10 to 30 seconds.
When the test is complete, the results appear below the Start button. Information
that is shown includes the downlink throughput (in Mbps) between your wireless
device and the AP, as well as the packet loss percentage during the test.
If the packet loss percentage is high (which indicates poor wireless connection), try
moving your wireless device to another location, and then run the tool again.
Alternatively, contact your network administrator for assistance.
Diagnosing Poor Network Performance
You can try the following diagnostic and troubleshooting techniques to resolve poor
network performance.
1Go to Monitor > Map View.
2Look on the map for rogue APs. If there is a large number, and they belong to
neighboring networks, proceed to the next task.
3Go to Configure > Access Points.
4Edit each AP record to assign each device a channel that will not interfere with
other nearby APs.
For example, if you have three APs operating in the 2.4 GHz band, you can manually
set each one to a different non-overlapping channel by selecting channel “1”, “6”
and “11” from the Channel drop-down list.
Starting a Radio Frequency Scan
This task complements the automatic RF scanning feature that is built into the
Ruckus ZoneDirector. That automatic scan assesses one radio frequency at a time,
every 20 seconds or so. To manually start a complete radio frequency scan that
assesses all possible frequencies in all devices at one time, follow these steps:
1Go to Administer > Diagnostics.
2When the Diagnostics page appears, look for the Manual Scan options, and then
click Scan.
Using the Ping and Traceroute Tools
Allowing Users to Measure Their Own Wireless Throughput
432 Ruckus Wireless, Inc.
CAUTION! This operation will interrupt active network connections for all current
users.
3Open the Dashboard or go to Monitor > Map View to review the scan results.
This will include rogue device detection, and an updated coverage evaluation.
Figure 243. The Diagnostics page
Using the Ping and Traceroute Tools
The ZoneDirector web interface provides two commonly used tools that allow you
to diagnose connectivity issues while managing ZoneDirector without having to exit
the UI. The Ping and Traceroute tools can be accessed from anywhere in the UI
that you see the icon.
For example, from the Dashboard, if the “Currently Managed APs” widget is open,
click the icon next to an AP to launch the troubleshooting window.
Using the Ping and Traceroute Tools
Allowing Users to Measure Their Own Wireless Throughput
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 433
Figure 244. Launching the Ping/Traceroute Troubleshooting window from the Dashboard
The Network Connectivity window opens. Click Ping to ping the IP address or Trace
Route to diagnose the number of hops to the IP address.
Figure 245. Network Connectivity dialog
You can also access the Ping and Traceroute tools by clicking the troubleshooting
icon for an AP or client on the Monitor > Access Points and Monitor > Wireless
Clients pages, or via the Toolbox drop-down menu available from any page in the
web interface.
Generating a Debug File
Allowing Users to Measure Their Own Wireless Throughput
434 Ruckus Wireless, Inc.
Generating a Debug File
CAUTION! Do not start this procedure unless asked to do so by technical support
staff.
If requested to generate and save a debug file, follow these steps:
1Go to Administer > Diagnostics.
2Select the items under Debug Components as directed by Ruckus technical
support, or check the box next to Debug Components to select all. (If they are
already selected, skip this step.)
3If you are instructed to save only log information for a specific AP or client, you
can select the check box next to Debug log per AP’s or client’s mac address,
then enter the MAC address in the adjacent field.
4Click Apply to save your settings.
5In the Save Debug Info section, click Save Debug Info.
6When the File Download dialog box appears, select Save File, and click OK.
7When the Save As dialog box appears, pick a convenient destination folder, type
a name for the file, and click Save.
8When the Download Complete dialog box appears, click Close.
After the file is saved, you can email it to the technical support representative.
NOTE: The debug (or diagnostics) file is encrypted and only Ruckus Wireless
support representatives have the proper tools to decrypt this file.
Viewing Current System and AP Logs
You can display a list of recent ZoneDirector or AP activity logs from the ZoneDirector
web interface.
To view ZoneDirector system logs:
1Go to Administer > Diagnostics, and locate the System Logs section.
2Click the “Click Here” link next to “To show current System logs...”. The log data
is displayed in the text box beneath the link.
3Click the Save System Log button to save the log as a compressed .tar file.
To view AP logs:
Viewing Current System and AP Logs
Allowing Users to Measure Their Own Wireless Throughput
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 435
1Go to Administer > Diagnostics, and locate the AP Logs section.
2Click the “Click Here” link next toTo show current AP logs...”. The log data is
displayed in the text box beneath the link.
Figure 246. Viewing System and AP logs
Packet Capture and Analysis
Allowing Users to Measure Their Own Wireless Throughput
436 Ruckus Wireless, Inc.
Figure 247. UI display of current system and AP logs
Packet Capture and Analysis
The Packet Capture feature puts one or more APs into packet sniffer mode, allowing
them to capture packets and either save them to a local file or stream them to a
packet inspection program such as Wireshark for later analysis.
Local Capture
Streaming Mode
NOTE: Performing packet capture on the 5 GHz radio of a Mesh AP (MAP) can
result in connectivity issues due to the AP’s use of the 5 GHz radio for Mesh
communications. Therefore, Ruckus recommends performing packet capture only
on the 2.4 GHz radio of a Mesh AP. Root APs (and eMAPs) do not have this limitation
and packet capture can be performed on either radio.
The local capture mode stores packet data from a single capture session in two files
using a “ping-pong” method. Due to memory limitations, the capture files are cleared
after they are retrieved by the Save command and before each new capture session,
and they are not retained on the AP between reboots.
Packet Capture and Analysis
Local Capture
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 437
In streaming capture mode, packet data from the 2.4 GHz and 5 GHz radios are
available simultaneously on AP interfaces wifi0 and wifi1, respectively. The streams
can be accessed using Wireshark’s remote interface capture option. The Windows
version of Wireshark (e.g., v1.2.10) supports this option. Linux versions may not.
Both output modes support packet filtering. In local capture mode, the AP accepts
a packet filter expression and applies it before storing the file. In streaming mode,
Wireshark accepts a capture filter expression and sends it to a daemon running on
the AP, which applies it before streaming. Both modes allow compound filter
expressions conforming to the pcap-filter syntax, which is described at http://
www.manpagez.com/man/7/pcap-filter/.
Local Capture
To capture packets to a local file for external analysis:
1Choose 2.4 GHz or 5 GHz radio (you can only capture packets on one radio at
a time).
2Select one or more APs from the list and click Add to Capture APs. The APs
you selected are moved from the Currently Managed APs table on the left side
to the new Capture APs table on the right.
3Select Local Mode to save the packet capture to a local file.
4Click Start to begin capturing packets. Click Stop to end the capture, and click
Save to save the packet capture to a local file.
5Extract the pcap file(s) from the pcap.zip file and open in Wireshark or other
packet analyzer.
Streaming Mode
To view streaming packets in real time using Wireshark’s remote capture:
1Choose 2.4 GHz or 5 GHz radio.
2Select the AP you want to view and click Add to Capture APs.
3Select Streaming Mode and click Start.
4Launch Wireshark.
5Go to Capture Options.
6Under Capture: Interface, select Remote. A Remote Interface dialog appears.
7In Host, enter the IP address of the AP you want to view. Leave the Port field
empty and click OK.
Packet Capture and Analysis
Streaming Mode
438 Ruckus Wireless, Inc.
8The remote host interface list on the right updates. Select wifi0 from the list if
you are streaming on the 2.4 GHz radio, or select wifi1 if streaming on the 5
GHz radio.
9Click Start. Wireshark displays the packet stream in a new window.
Figure 248. Add APs from Currently Managed APs list to Capture APs list
Figure 249. Click Start to begin packet capture; click Remove to remove APs from the list
Using Ruckus Custom Indicators
Packets captured on Ruckus APs include some information that is not available
when capturing from other Wi-Fi devices. This additional information is stored in the
Per-Packet Information (PPI) header that precedes the over-the-air content.
1The PPI:802.11-Common Header antenna signal and antenna noise fields of
packets transmitted by the AP contain the next-to-lowest byte and the lowest
byte, respectively, of the antenna pattern used to transmit the packet. On some
Packet Capture and Analysis
Streaming Mode
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 439
APs, the pattern value may contain more significant bits, which are not stored
in this header. If the packet is 802.11n, it will also contain the full antenna pattern
value in the header described below.
2The PPI:802.11n-MAC+PHY Header EVM-3 field of packets transmitted by the
AP contains the full antenna pattern used to transmit the packet (similar to above,
except this 32-bit field can accommodate the complete value).
3The PPI:802.11n-MAC+PHY Header MAC Flags field’s upper bits convey
additional TX and RX descriptor indicators described in the table below.
Table 35. Ruckus-defined indicators conveyed in MAC Flags
Limitation: The AP can report RX EVM values or the RX LDPC indicator, but not
both. When packet capture is invoked from the ZD UI, the software selects RX EVM
values. Therefore, the RX LDPC indicator is not reported, and the LDPC indicator
valid bit will be zero. The RX LDPC indicator is available when invoking packet
capture from the AP command line interface.
TX Indicator Bit RX Indicator
Sounding (0=not; 1=yes) 31 Sounding (0=not; 1=yes)
TxBF (0=not applied; 1=yes) 30 unassigned
Ness (#ext spatial streams) 28-29 Ness (#ext spatial streams)
STBC (0=not applied; 1=yes) 27 STBC (0=not applied; 1=yes)
LDPC (0=not applied; 1=yes) 26 LDPC (0=not applied; 1=yes)
LDPC indicator valid 25 LDPC indicator valid
unassigned 24 unassigned
RTS HTC TRQ 23 HW Upload Data
RTS HTC MRQ 22 HW Upload Data Valid
RTS HTC MSI 20-21 HW Upload Data Type
RTS enabled 19 unassigned
Calibrating 18 unassigned
Importing a Script
Streaming Mode
440 Ruckus Wireless, Inc.
Importing a Script
The Import Scripts feature can be used to help Ruckus Support in diagnosing
customer network issues remotely by allowing the administrator to upload a Ruckus-
created script to ZoneDirector themselves. If instructed to do so by Ruckus Support,
go to Administer > Diagnostics > Import Scripts and click Choose File to upload
a script to ZoneDirector.
Enabling Remote Troubleshooting
The Remote Troubleshooting feature allows Ruckus support personnel to connect
directly to a ZoneDirector deployed at a customer’s site for troubleshooting
purposes. Do not enable this feature unless instructed to do so by Ruckus support.
Figure 250. The Upload Scripts and Remote Troubleshooting features are used by Ruckus
Support in diagnosing customer network issues remotely
Restarting an Access Point
One helpful fix for network coverage issues is to restart individual APs. To do so,
follow these steps:
1Go to Monitor > Access Points.
2When the Access Points page appears, look in the Currently Managed APs table
for the particular Access Point record.
The Status column should display “Connected.”
3Click the Restart icon. The Status column now displays “Disconnected”
along with the date and time when ZoneDirector last communicated with the AP.
After restart is complete and the Ruckus ZoneDirector detects the active AP, the
status will be returned to “Connected.”
Restarting ZoneDirector
Streaming Mode
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 441
Restarting ZoneDirector
There are three “restart” options: [1] to disconnect and then reconnect the Ruckus
ZoneDirector from the power source, [2] to follow this procedure which simultane-
ously shuts down ZoneDirector and all APs, then restarts all devices, and [3] a restart
of individual APs (detailed in “Restarting an Access Point”.)
NOTE: If you have made any configuration changes, Ruckus Wireless recommends
shutting down ZoneDirector to ensure that all configuration changes are saved and
remain after reboot. Performing a Restart may cause ZoneDirector to lose
configuration changes if you forgot to click Apply after making changes and navigate
away from a configuration page, for example.
To restart ZoneDirector (and all currently active APs):
1Go to Administer > Restart.
2When the Restart / Shutdown features appear, click Restart.
You will be automatically logged out of ZoneDirector. After a minute, when the
Status LED is steadily lit, you can log back into ZoneDirector.
Figure 251. The Restart/Shutdown page
Restarting ZoneDirector
Streaming Mode
442 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 443
12
Smart Mesh Networking Best
Practices
In this chapter:
Choosing the Right AP Model for Your Mesh Network
Calculating the Number of APs Required
Placement and Layout Considerations
Signal Quality Verification
Mounting and Orientation of APs
Best Practice Checklist
Choosing the Right AP Model for Your Mesh Network
444 Ruckus Wireless, Inc.
Choosing the Right AP Model for Your Mesh
Network
Ruckus Smart Mesh networks support both 802.11n and the newer, faster
802.11ac APs with which to form a mesh network. 802.11ac APs will mesh with
802.11n APs, and vice versa.
The most important point to note, however, is that dual band APs can only mesh
with other dual band APs, while single band APs can only mesh with other single
band APs.
In summary, build your mesh network as follows:
Ensure that all APs are dual band (H500, R500, R600, R700, R710, H500, T300,
SC-8800-S, 7055, 7363, 7372, 7762, 7782, 7982, etc.)
Ensure that all APs are single band (ZoneFlex 7321, 7341, 7343, 7352, etc.)
Calculating the Number of APs Required
This is an important step in planning your mesh network. You will need calculate
the number of total APs (Root APs and Mesh APs) that are needed to provide
adequate coverage and performance for a given property.
Performing a site survey to determine the coverage for your particular installation
environment is essential. Once the coverage area is sufficiently covered with Root
APs to meet your bandwidth and throughput requirements, you will need to adjust
the number and placement to compensate for APs that will serve as Mesh APs.
If you plan to support Internet grade connections for casual web browsing, plan for
a design that delivers 1Mbps of throughput in the entire coverage area. For
enterprise-grade connections, plan for 10Mbps of throughput.
WiFi is a shared medium, of course, so this aggregate bandwidth will be shared
amongst the concurrent users at any given time. In other words, if the network is
designed to support 10Mbps, it would support 1 user at 10Mbps, or 10 users at
1Mbps each. In reality, due to statistical multiplexing (just like the phone system -
the fact that not all users are using the network concurrently), if you use an
oversubscription ratio of 4:1, such a network could actually support 40 users at
1Mbps.
In a Smart Mesh network, the Root AP (RAP) has all its wireless bandwidth available
for downlink, because the uplink is wired. For Mesh APs (MAPs), the available
wireless bandwidth has to be shared between the uplink and the downlink. This
Placement and Layout Considerations
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 445
degrades performance of a Mesh AP as compared to a Root. This problem is
mitigated somewhat by dual radio APs when the uplink and downlink traffic can be
sent/received on two separate radios.
Placement and Layout Considerations
Utilize two or more RAPs: To prevent having a single point-of-failure, it is always
best to have 2 or more RAPs so that there are alternate paths back to the wired
network.
More roots are better: The more Root APs in the design, the higher the
performance. Therefore, as far as possible, try to wire as many APs as is
convenient.
Design for max 3 hops: Avoid an excessive number of hops in your mesh
topology. In general, the goal should be to have the lowest number of hops,
provided other considerations (like Signal >= 25%) are met. Limiting the number
of hops to 3 or less is best practice.
Place a Root towards the middle of a coverage area to minimize the # hops
required to reach some MAPs.
If there are multiple Roots, ensure that the Roots are distributed evenly
throughout the coverage area (not clumped up close together in one area).
Shown in Figure 252 is an ideal scenario, along with a not-so-ideal scenario. Of
course, the whole purpose of mesh is to provide coverage in areas that are hard
to wire, therefore the ideal may not be possible. But as far as possible, evenly
spaced Root APs are preferable.
Signal Quality Verification
446 Ruckus Wireless, Inc.
Figure 252. Root Placement
If the customer's network utilizes a wireless backhaul technology for broadband
access, it is recommended to not mount the broadband wireless modem right
next to a Ruckus Wireless AP. A distance of 10 feet or more would be desirable.
Signal Quality Verification
The above guidelines for planning will result in a well-designed mesh. However, it
is advisable to place the APs in the planned locations temporarily using a tripod
stand or other means, and actually checking the Signal Quality throughout the mesh
network. In addition, once the mesh is deployed, the Signal Quality should be
periodically monitored to make sure the mesh is operating optimally. Signal Quality
is a measurement of the link quality of the MAP's uplink, and is available on the
ZoneDirector web interface.
To view the Signal parameter in the ZoneDirector web interface, go to Monitor >
Access Points, and click on the Mesh AP being tested (click the MAC address) to
see the Access Point detail screen, as shown in Figure 253 below.
There are two best practice observations that should be met:
Signal Quality Verification
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 447
Ensure Signal >= 25%: The Signal value under Neighbor APs that shows
“Connected” should be 25% or better. If it is lower, you need to bring the AP
closer, or move it to avoid an obstruction, such that the Signal value becomes
25% or better. For a more conservative design, you may use 35% as your Signal
benchmark.
Ensure Minimum 2 Uplink options for every MAP: In addition, under Neighbor
APs, it is best practice that there exists an alternate path for this mesh uplink.
This alternate path should also have a Signal of 25% or better. Stated differently,
there should be at least 2 possible links that the MAP can use for uplink, and
both should have a Signal value of 25% or better. For a more conservative design,
you may use 35% as your Signal benchmark.
Figure 253. Check the signal quality from the ZoneDirector web interface
Mounting and Orientation of APs
Indoor APs - Typical Case: Horizontal Orientation
448 Ruckus Wireless, Inc.
Mounting and Orientation of APs
ZoneFlex APs are very tolerant to a variety of mounting and orientation options due
to Ruckus Wireless' use of its unique BeamFlex technology, in which the RF signal
is dynamically concentrated and focused towards the other end of the RF link.
The bottom line regarding orientation and placement is that during the planning
phase, it is advisable to use the Signal Quality as your benchmark, as explained in
the Signal Quality Verification section. Ensure that the Signal is better than 25% for
trouble-free operation.
For additional mounting details, please also consult the Quick Setup Guide and the
Wall and Ceiling Mounting Instructions that came in the AP box.
Indoor APs - Typical Case: Horizontal Orientation
ZoneFlex indoor APs are typically oriented such that the top of the AP is pointing
either straight up or straight down.
Figure 254. ZoneFlex indoor AP horizontal orientation
Mounting and Orientation of APs
Indoor APs - Vertical Orientation
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 449
Indoor APs - Vertical Orientation
A less typical vertical orientation may be used in certain cases where it is not possible
for mechanical or aesthetic reasons to use the typical horizontal orientation. In such
cases, indoor APs may also be wall mounted vertically. Examples of vertical
mounting are shown in Figure 255.
Figure 255. ZoneFlex indoor AP vertical orientation
Mounting and Orientation of APs
Outdoor APs - Typical Horizontal Orientation
450 Ruckus Wireless, Inc.
Outdoor APs - Typical Horizontal Orientation
Outdoor APs are typically mounted in a horizontal orientation, as shown in Figure
256. A less typical orientation would be vertically mounted.
Figure 256. Outdoor AP typical horizontal orientation
Elevation of RAPs and MAPs
In addition to orientation, it is important to also pay attention to the elevation of an
AP for reliable mesh operation. More specifically, large differences in elevation
should be avoided. So whether you are deploying an indoor mesh, an outdoor mesh,
or a mixed indoor-outdoor mesh, you should ensure that as far as convenient and
possible, MAPs and RAPs should all be at a similar elevation from the ground. For
example, for an indoor-outdoor mesh, if all your indoor RAPs and MAPs are at ceiling
height (standard 15-foot ceiling), then you would not want to mount the outdoor
MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the
same elevation from the ground.
Best Practice Checklist
Elevation of RAPs and MAPs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 451
Best Practice Checklist
Following the mesh best practices will ensure that your mesh is well-designed, and
have the capacity and reliability required for your enterprise applications. The best
practices are summarized below as a checklist for quick review.
1Do not mix single band with dual band APs in your mesh. They will NOT mesh.
To ensure your APs will mesh with each other, ensure they are all of the same
radio type: either all single band or all dual band APs.
2Avoid an excessive number of hops. Ideally keep hop count to 3 or less.
3Having more RAPs is better for performance.
4Ensure that there are RAPs near the middle of a coverage area so as to minimize
the number of hops to reach a given MAP.
5Where possible, ensure that the RAPs are distributed evenly throughout the
coverage area rather than clumped together.
6Once the APs are mounted on a test-basis or permanently, use the Signal quality
measurement to ensure that the uplink signal quality from MAP to RAP is 25%
or better.
7Ideally there should be at least one alternate uplink path for each MAP for
reliability, and the signal quality of that alternate path should also be 25% or
better.
Best Practice Checklist
Elevation of RAPs and MAPs
452 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 453
Appendix: Zone 2 APs
Some Ruckus Wireless access points can be purchased with the country code
factory configured and locked to a regulatory region referred to as “Zone 2”. AP
ordering numbers with a “Z2” in the suffix, for example 901-R700-Z200, have been
factory locked to the Zone 2 country code setting. End users of these access points
are not able to change the country code setting, operate the AP on non-Z2 channels,
or use non-Z2 transmit power limits.
APs discover and join Ruckus Wireless controllers with matching “Zone 2” or “Z2”
country code settings.
APs with locked Z2 country code settings comply with the Zone 2 regulatory limits
outlined in Table 3 6 .
Table 36. Zone 2 Regulatory Information
SKU suffix Locked Country Country
Code
2.4 GHz CH
(1-13) and RF
Power Limit
5.150 GHz-
5.250 GHz
(W52) RF
Power Limit
5.250 GHz-
5.350 GHz CH
(W53) and RF
Power Limit
-WWxx Unlocked Algeria DZ 1-13/100mW
(outdoor
limited to
28mW)
200mW Indoor:
200mW
Outdoor:
1000mW
-WWxx Unlocked Morocco MA 1-13/100mW 200mW 200mW
-WWxx Unlocked Tunisia TN 1-13/100mW 200mW 200mW
-WWxx Unlocked Vietnam VN 1-13/100mW 200mW 200mW
-WWxx Unlocked Israel IL 1-13/100mW 200mW 200mW
-ILxx (Note) Locked Israel IL 1-13/100mW 200mW 200mW
-Z2xx Locked Zone 2 Z2 1-13/100mW 200mW 200mW
Note: -ILxx is not used for new designs
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 454
Index
Numerics
11n/ac Only Mode 248
802.11d 197
802.11k 200
802.11r 192
802.11u 226
802.1X
authenticator 261
supplicant 262
user requirements 206
WLAN security 206
802.1X EAP
option values 192
Windows OS requirements 207
802.1X EAP + MAC Address Authentica-
tion 192
A
AAA servers 331
Access Controls 195
Access Permissions 138
Access Point Policy approval 245
Access Point Policy options 265
Access Points
managing individually 271
monitoring 299
monitoring individually 304
sensor information 310
working with AP Groups 247
Accounting Server 195
ACL 195
ACLs
Layer 2/MAC 138
Layer 3/Layer 4/IP Address 139
Management ACL 74
Action Icons 294, 301
Actions
individual APs 304
Active Client Detection 128
Active Clients 294
Active Directory 157, 331
Active Directory over TLS 159
Adding a Widget 49
Adjusting AP Settings
Map View 276
Administrator Login Session Timeout 399
Advanced LDAP Filtering 162
AeroScout 126
AES
option values 193
airtime % 304
Alarms
activating email notification 86
Algorithm
New WLAN creation 193
All Events/Activities (Logs) 80
AP
Zone 2/Z2 453
AP Activities 48
AP Groups 247
AP License Pools 69
AP markers
overview 285
AP Power 116
AP Site Bonjour Policy 109
Application Capability 301
Application Denial Policies 153, 198
Application Performance 290
Application Port Mapping 152
Application Recognition 290
Application Recognition and Filtering 150
Application Usage 290
Application Usage by Client 293
Application Usage Statistics 296
Application Visibility 153, 198, 290
Client Usage 293
Applications 49
Applying an Application Denial Policy to a
WLAN 155
APs
detecting rogue devices 312
placing markers on a floorplan map 282
restarting 440
verifying new APs 245
Archived ZoneDirector settings
restoring 402
ARP Broadcast Filter 383
Assigning a Pass Generator role to a user
360
Authentication Method 191
Authentication Server 194
Authentication Servers
455 Ruckus Wireless, Inc.
external 331
internal user database 324
Authentication settings
testing 182
Authentication, Authorization and Ac-
counting (AAA) 157
Authenticator 261, 262
Authenticator (MAC-based) 261
Authenticator (Port-based) 261
Auto encryption algorithm 193
Auto Recovery 266
Auto Refresh 53
Automatic AP Approval 244, 245, 265,
390
Automatic Channel Selection 116
Automatically Adjust AP Power 116
Automatically Generated User Certificates
and Keys
managing 330
Autonomous WLAN 191
Auto-Proxy 199
Auto-Refresh
stopping and starting 53
AVP 153, 170, 198, 290, 293
B
Background Scanning 116, 119, 197
Backup RADIUS / RADIUS Accounting
165
Backup/Restore ZoneDirector 402
Band Balancing 124, 197
Band Selection (ZoneFlex 7321) 252,
272
Blocked Clients 132, 144
Blocked clients
reviewing a list 147
Blocking Client Devices 146
Temporary 145
Blocking client devices 144
Blocking specific client devices 146
Bonjour
Example 110
Bonjour Gateway 105, 301
Buttons (Web interface)
explained 46
Bypass Apple CNA Feature
Apple CNA Bypass 239
C
Call Admission Control 195, 249, 272
Captive Portal 221, 334
Changing an Existing User Account 326
Changing the event log level 81
Changing the System Name 58
Channel 248, 271
Channel Mode 79
Channel optimization 78
Channel Range Settings 248, 271
Channel Selection 116
ChannelFly 117, 249
Channelization 248, 271, 277
Client Application Usage Statistics 296
Client Device Type 49
Client devices
monitoring 145
permanently blocking WLAN access
146
reviewing a list of blocked clients 147
temporarily disconnecting 145
Client Events 296
Client Events/Activities 294
Client Fingerprinting 198
Client Isolation 194
Client Isolation White Lists 148
Client Tx Data Rate 296
Client Tx/Rx Statistics 198
Clients
monitoring 296
Cloning a WLAN 202
Common WISPr Attribute Abbreviations
225
Configuring Access Controls 138
Controlling Guest Pass Generation Privi-
leges 358
Controlling Network Access Permissions
138
Copying a WLAN 202
Country Code 77
Create New options
Authentication Servers 331
Create New User
internal database 325
create user 324
Creating a Guest Pass Generation User
role 359
Creating a new WLAN
Access VLAN 196
Algorithm 193
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 456
Description 190
Hide SSID 196
Method 192
Name/ESSID 189
Passphrase 193
WEP key 193
Zero IT Activation 194
Creating a WLAN 188
Creating Additional WLANs 202
Current Alarms
reviewing 287
Current User accounts
managing 326
Current User Activity
Reviewing 290
Currently Active WLAN Groups 48
Currently Active WLANs 48
Currently Managed AP Groups 48
Currently Managed APs 48
Customizing Guest Login page 368
Customizing network security 186
D
Dashboard 47
overview 280
Dashboard (Web interface)
explained 46
Dashboard Widgets 47
Data Rate 296
Deleting a User Record 327
Delivering Guest Passes via Email 371
Delivering Guest Passes via SMS 372
Denial of Service (DoS) Protection 132
Description
New WLAN creation 190
option values 190
Detecting rogue Access Points 312
Device Access Policies 141
Device Name 271
Device Policy 220
Devices Overview 48
DGAF 231
DHCP 71
network address option 60
server customization 35
DHCP clients
viewing 73
DHCP Option 82 198, 257
DHCP Relay 102, 197
DHCP server
configuring 71
Diagnostics
tools 432
disabling status LEDs 252
Disconnecting specific client devices 145
Disconnecting users from the WLAN 422
DNS Server
Registering ZoneDirector 37
DoS (Denial of Service) Protection 132
Downlink Throughput 299, 305
Downlink Traffic 299
downstream group-addressed frame for-
warding 231
DPSK 232, 233
Dynamic Pre-Shared Keys 232, 233
Dynamic PSK 194, 320
expiration 235
Dynamic VLAN 196, 262
E
EAP
using the built-in server 205
EAP-MD5 169
Ekahau 127
Email
Guest Passes 371
Email alarm notification
activation 86
Email Guest Passes 371
Encryption Options 192
Estimated Capacity 299, 305
Ethernet port status 263
Event Log Level 81
Events 296
monitoring 305
Events and alarms 80
Events/Activities
Clients 294
Example Bonjour Gateway Network Setup
110
External Antenna 272
external antenna 252
External IP 301
F
Factory default state
restoring ZoneDirector 406
457 Ruckus Wireless, Inc.
Fail Over 65
Failed user connections 422
Failover
force 69
Fast BSS Transition 192
Firewall
open ports 41
Firewall Integration 82
Firmware upgrade 400
FlexMaster
enabling 102
Performance Monitoring 93
Floorplan
adding to Map View 275
Force DHCP 198
G
Graphic file formats
guest user login page 368
Graphic file specifications
guest user login page 368
Group Extraction 163
Group Settings 249
Guest Access Customization 368
Guest Access WLAN 190
Guest Pass 372
custom 369
SMS Delivery 89
Sponsor Approval 344
Guest Pass Access
managing 338
Guest Pass Self-Service 340
Guest Passes
Email Delivery 371
Guest user login page
adding a graphic 368
editing the welcome text 368
Guest users
login page customization 368
Guest VLAN 262
H
Help and Log Out 46
Hide SSID
New WLAN creation 196
Hotspot 221
configuration 221
WISPr Smart Client 222
Hotspot 2.0 226
AP Venue Settings 274
Operator Profile 229
Service Provider Profile 227
WLAN 231
Hotspot 2.0 WLAN 190
Hotspot Service (WISPr) WLAN 190
Hotspot2.0 226
I
Import Scripts 440
Importing the floorplan image 281
Improving AP RF coverage 276
Inactive Clients 294
Inactivity timeout 200
Indicator Widgets 47
installation 43
Internal Heater
enabling 252
internal heater 252
Internal user database
using for authentication 324
Intrusion Detection and Prevention 133
Intrusion Prevention 132
IP Address 300
IP Mode 249
L
L2/MAC Access Control 138
L3/L4 Access Control 139
LAN Port Configuration
monitoring 304
Language
changing the Web interface language
399
Layer 2/MAC Address Access Control
Lists 138
Layer 3/Layer 4/IP Address Access Con-
trol Lists 139
LBS 111, 249
LBS Venue Info Widget 317
LDAP 160, 170, 331
LDAP Filtering 162
LDAP Group Extraction 163
LDAP over TLS 160
LEDs 22, 25
License Pools 69
License Upgrade 418
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 458
Limited ZD Discovery 265
Link Layer Discovery Protocol 253
LLDP 253
Load Balancing 121, 197, 266
Location Service 249
Location Services
Monitoring 316
Location Services Widget 317
Log
All Events/Activities 80
Log settings
changing 80
overview 80
Login failures 422
Login page
guest use 368
Logout Button 46
Logs
sorting contents 80
viewing 434
M
MAC Authentication 167, 192
RADIUS 167
MAC authentication bypass 222, 262
MAC-spoofing Rogue AP 134
malicious AP 313
Malicious Rogue AP 134
Management ACL 74
Management VLAN 266
management VLAN 213
Managing current user accounts 326
Map View
adding a floorplan 275
adjusting AP positions and settings 276
importing a floorplan 281
placing AP markers on a floorplan 282
requirements (graphics) 281
tools 283
Maps
importing a floorplan image 281
Mark as Malicious 134
Max Clients 197, 251, 266
max clients per AP 251
MCS 296
Mesh Mode 277, 300
Mesh recovery SSID 393
Mesh Topology 48
Mesh Topology Detection 383
Mesh-related Information 305
Microsoft IAS 177
Microsoft Windows
EAP requirements 207
Mobile Friendly DPSK 234
Model Specific Control 249
Modulation and Coding Scheme 296
Monitor
overview 280
Monitoring
individual clients 296
Real Time 51
Monitoring Active Clients 294
Monitoring AP status 299
Monitoring Client Devices 145
Monitoring Client Events 296
Monitoring individual APs 304
Monitoring Location Services 316
Monitoring wired clients 299
Monitoring Wireless Clients 290
Monitoring ZoneDirector
overview 280
Most Active Client Devices 48
Most Frequently Used Access Points 48
Most Recent System Activities 48
Most Recent User Activities 48
Multicast Filter 196
Multi-Domain Active Directory Authentica-
tion 158
Multi-Hop SpeedFlex 428
N
Name/ESSID
New WLAN creation 189
option values 189
Navigating the Dashboard 47
Neighbor APs 305, 310
Network addressing
changing 59
Network Connectivity 433
Network Diagnostics 432
New User Accounts
adding new accounts 324
New User Roles
creating 327
O
OKC 200
459 Ruckus Wireless, Inc.
Online Help 46
Opportunistic Key Caching 200
Optimizing network coverage 286
Option 82 257
orientation 310
Overview
Map view 280
P
Packet capture and analysis 436
Packet Inspection Filter 131
Passphrase
New WLAN creation 193
Passpoint 226
Performance Analysis
monitoring APs 305
Performance test 424
Permanently Blocking Client Devices 146
Ping 432
PKC 200
Placing the Access Point markers 282
PMK Caching 200
PoE Operating Mode 252
PoE Out Ports
enabling 252
PoE Out ports 252
Policies
Access Point-specific 265
Poor network performance
diagnosis 431
Port Settings 252
Port-based 802.1X
Authenticator 262
authenticator 261
Dynamic VLAN 262
guest VLAN 262
MAC-based Authenticator 261
Port-based Authenticator 261
supplicant 262
Potential Throughput 299
Precedence Policies 143
Prefer Primary ZD 266
Preference tab
use 398
Priority 195, 277
Product Registration 54
Proxy ARP 130, 196, 231
PSK
Setting key expiration 235
PSK lifetime settings 235
R
Radar Avoidance Pre-Scanning 125
Radio Band (ZoneFlex 7321) 252, 272
Radio frequency scans
starting a scan 431
Radio Resource Management 200
radio statistics 304
RADIUS 163, 164, 331
using an external server 206
using for authentication 331
RADIUS / RADIUS Accounting 164
RADIUS Accounting Attributes 173
RADIUS Attribute Value Pairs 170
RADIUS attributes 170
RADIUS Authentication 171
RADIUS over TLS 165
RAPS 125
Rate Limiting 195, 196
RBAC 195
Real Time Monitoring 51, 280
Recent events
overview 287
Recently Disconnected Clients 294
Recovery SSID 393
Redundancy 65
Registration 54
remote syslog advanced settings 85
Remote Troubleshooting 440
Removing a Widget 51
Report Rogue Devices 134
restarting a ZoneDirector 440
Restarting an Access Point 440
Restoring AP configuration settings only
405
Restoring archived settings 402
Reviewing AP policies 265
Reviewing current alarms 287
RF
see also 'Radio frequencies'
RF Pollution 305
RFID tags 126
Rogue Access Points 133
Rogue APs
detecting 312
Rogue DHCP Server Detection 135
Role Based Access Control Policy 195,
329
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 460
Roles
creating 327
Roles options
Allow all WLANs 327
Description 327
Group attributes 327
Guest Pass 327
Name 327
S
Same-Network Rogue AP 134
Scanning radio frequencies 431
Search Filter 163
Secure Active Directory 159
Secure DPSK 234
Secure LDAP 160
Secure RADIUS 165
Security 187
overview 186, 187
Security configuration
reviewing 203
Self Healing 116
Self-Service Guest Pass 340
Sensor information 305, 310
Service Schedule 198
Session Timeout
admin 399
Setting Dynamic Pre-Shared Key expira-
tion 235
Single Domain Active Directory Authenti-
cation 157
Smart Redundancy 48, 65
Configuration 66
Smart Redundancy AP License Pools 69
SmartPoint 252
SMS 372
Guest Passes 89
SMS Guest Passes 372
SNMP
enabling SNMP agent 94
enabling SNMP trap notifications 97
trap notifications 99
SNMPv2 95
SNMPv3 96
Spectralink Compatibility 249, 272
Spectralink VIEW certification 249
Spectrum Analysis 308
SpeedFlex 424
SpeedFlex in a Multi-Hop Smart Mesh
Network 428
Sponsor Approval 344
SPoT 249, 316
Location Services 111
Monitoring 316
SPoT Dashboard Widget 317
SSID-Spoofing Rogue AP 134
SSL Certificate
importing 411
Standard Usage WLAN 190
Status LEDs
disabling 252
status LEDs 252
Stopping and Starting Auto Refresh 53
Supplicant 262
Support 48
Support Entitlement 419
Syslog Firewall Integration 82
System log 80
System Logs 80
System Name 58
System Overview 48
T
Tabs (Web interface)
explained 46
TACACS+ 180
Telnet 102
Temperature 311
Temporarily Block Wireless Clients 132
Temporarily Disconnecting Client Devices
145
Testing authentication settings 182
Throughput Capacity 299
Timeout interval 399
TKIP
option values 193
TLS encryption 159, 160
Toolbox 46, 51, 433
Tools
Map View 283
Top 10 Applications by Usage 49
Top 10 APs by Usage 49
Top 10 Clients by Usage 49, 293
Top 10 SSIDs by Usage 49
Traceroute 432
transmission statistics 304
Troubleshooting
diagnosing poor network performance
461 Ruckus Wireless, Inc.
431
manually Scanning radio frequencies
431
problems with user connections 422
restarting the ZoneDirector 440
Reviewing Current Activity 290
reviewing current alarms 287
reviewing recent events 287
users cannot connect to WLAN 422
Tunnel configuration 129
Tunnel Mode 196
configuration 129
Tunnel MTU 266
Tx Power 248, 271, 277
U
Upgrading
with Smart Redundancy 401
ZoneDirector software 400
ZoneFlex APs 400
Upgrading the license 418
Uplink Selection 277
Uplink Throughput 299, 305
Usage Summary 48
USB Port 252
USB Software 252
User authentication options
Active Directory 331
RADIUS 331
User Defined Applications 151
User Marked Rogue AP 134
Users
adding new accounts 324
creating new roles 327
disconnecting a user from the WLAN
422
failed WLAN logins 422
managing accounts 326
Reviewing Current User Activity 290
switching to 802.1X-based security 206
switching to WEP-based security 206
troubleshooting connection problems
422
Using Active Directory 331
Using an external RADIUS server 206
Using Indicator Widgets 47
Using Map View to assess network perfor-
mance 275
Using the built-in EAP server 205
Using the Map View 283
V
Verifying/Approving New APs 245
Viewing Application Usage by Client 293
VLAN
New WLAN creation 196
VLAN Pools 218
VLANs 211
W
Walled Garden 223
Web Authentication 194
activating 333
Web interface
changing the language 399
Generated PSK/Certs page 331
Roles and Policies 327
Web interface buttons
explained 46
Web interface Dashboard
explained 46
Web interface tabs
explained 46
Web interface workspaces
explained 46
Web Portal
customizing 368
Well-Known Service and Destination Port
Mappings 153
WEP
WLAN Security 206
WEP Key
New WLAN creation 193
WEP-128
option values 192
WEP-64
option values 192
WEP-based security
user requirements 206
Whitelist 148
Widgets 46, 47
WIPS 132
Wireless Client Isolation 194, 223
Wireless Clients
Monitoring 290
Wireless Intrusion Prevention 132
Wireless networks
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 462
overview 32, 186
Wireless performance test tool 424
WISPr Attributes 225
WLAN
Autonomous 191
creation 188
optimizing coverage 286
recent events (reviewing) 287
WLAN Group 207, 248, 271
WLAN network security
customizing 186
WLAN performance
using Map View 275
WLAN priority 195, 277
WLAN security
overview 187
WLAN Service
disabling 272
WLAN Usages 190
WLANs
blocking client devices 146
Creating Additional Wireless Networks
202
failed user logins 422
WMM-AC 195, 249, 272
Workspaces (Web interface)
explained 46
WPA2 192
WPA-Mixed 192
Z
Z2 APs 453
Zero IT 32, 186, 205, 330, 403
enabling 320
Zero IT Activation
New WLAN creation 194
Zero-IT
for clients without Ethernet ports 323
Zone 2 APs 453
ZoneDirector
changing network addressing 59
Installation 43
Monitoring options overview 280
overview 20
Physical features 21
restarting the device 440
restoring backup file contents 402
restoring to a factory default state 406
upgrading software 400
WLAN security explained 187
ZoneDirector 1200 21
ZoneDirector 3000 24
ZoneDirector 5000 27
ZoneDirector management access 74
ZoneDirector VLAN Deployment
Deploying in a VLAN Environment 211
ZoneFlex 7321
band selection 252, 272
ZoneFlex APs
upgrading software 400
463 Ruckus Wireless, Inc.
ZoneDirector 9.12 User Guide, 800-70898-001 Rev C 464
Copyright © 2006-2015. Ruckus Wireless, Inc.
350 West Java Dr. Sunnyvale, CA 94089. USA
www.ruckuswireless.com

Navigation menu