Access Point Instructions for Ruckus SZ / vSZ with NBI
Note: Please make sure you are running SmartZone v3.0 or above in order for this to work.
IronWiFi Console Configuration
- Log into the IronWiFi console or register for free
- Create a new network
- After that, create a new captive portal, with vendor Ruckus NBI
Radius Servers Configuration
Log into your SmartZone web interface.
If you want to configure RadSec (RADIUS over TLS), please follow this link to enable RadSec on your account and download the required certificate bundle zip for your network, and then skip to the RadSec config section here.
- Click Services & Profiles > Authentication on the left. Click the Proxy (SZ Authenticator) tab then Create and configure with:
- Name - Guest WiFi
- Service Protocol - RADIUS
- Primary Server IP Address - get this value from the IronWiFi console
- Port - get this value from the IronWiFi console
- Shared Secret - get this value from the IronWiFi console
- Confirm Secret - get this value from the IronWiFi console
- Backup RADIUS - Enable Secondary Server
- Secondary Server IP Address - get this value from the IronWiFi console
- Port - get this value from the IronWiFi console
- Shared Secret - get this value from the IronWiFi console
- Confirm Secret - get this value from the IronWiFi console
Click OK to save.
- Next, click Accounting on the left. Click the Proxy tab then Create and configure with:
- Name - Guest WiFi Acct
- Primary Server IP Address - get this value from the IronWiFi console
- Port - get this value from the IronWiFi console
- Shared Secret - get this value from the IronWiFi console
- Confirm Secret - get this value from the IronWiFi console
- Backup RADIUS - Enable Secondary Server
- Secondary Server IP Address - get this value from the IronWiFi console
- Port - get this value from the IronWiFi console
- Shared Secret - get this value from the IronWiFi console
- Confirm Secret - get this value from the IronWiFi console
Click OK to save.
Follow this section only if you have enabled RadSec for your network. If you are using RADIUS servers without RadSec, skip to the Hotspot section.
RadSec Servers Configuration
- Click Administration > Certificates > SZ Trusted CA Certificates/Chain (external), select + Import
- Input a Name, e.g. IW Trusted PKI Chain, then add iw-rsa-root-ca.cert.pem as Root CA Certificate and iw-rsa-radsec-signing-ca.cert.pem as the first item in Intermediate Root CA Certificates. Click Validate and then OK.
- Click Administration > Certificates > SZ as Client Certificate, select + Import
- Input a Name, e.g. My RadSec Certificate, then add xxxx.xxxxx.xxxxx.ironwifi.net.crt.pem from your downloaded bundle as Client Certificate and xxxx.xxxxx.xxxxx.ironwifi.net.key.pem as Private Key. Click Validate and then OK.
- Click Security > Authentication > Proxy (SZ Authenticator) tab then Create and configure with:
- Name - Guest WiFi
- Encryption - On - TLS
- CN/SAN Identity - radsec.ironwifi.com
- Client Certificate - select the client certificate added in step 4 from the dropdown (click Reload ... at the top if it is not visible on the list)
- IP address / FQDN - input IP address visible in the Network page in IronWiFi console
- Port - enter standard RadSec port 2083.
Click OK to save.
- Click Security > Accounting > Proxy tab then Create and configure with:
- Name - Guest WiFi Acct
- Encryption - On - TLS
- CN/SAN Identity - radsec.ironwifi.com
- Client Certificate - select the client certificate added in step 4 from the dropdown (click Reload ... at the top if it is not visible on the list)
- IP address / FQDN - input IP address visible in the Network page in IronWiFi console
- Port - enter standard RadSec port 2083.
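Before importing the bundle in the certificate steps above, it helps to confirm that the signing CA chains to the root, the client certificate chains through both, and the private key belongs to the certificate. The script below is an added example, not part of the original instructions or of any IronWiFi or Ruckus tooling; it assumes the `openssl` CLI is installed, and `check_radsec_bundle` and `make_demo_bundle` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a RadSec bundle before importing it into SmartZone.
# Assumes the openssl CLI. Returns 0 if OK, 1 file missing, 2 signing CA not under
# root, 3 client certificate not under the chain, 4 private key mismatch.
check_radsec_bundle() {
    local root="$1" inter="$2" cert="$3" key="$4" f cert_pub key_pub
    for f in "$root" "$inter" "$cert" "$key"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty file: $f"; return 1; }
    done
    openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 ||
        { echo "FAIL: signing CA does not chain to the root CA"; return 2; }
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: client certificate does not chain to the root CA"; return 3; }
    # The key matches only if it yields the same public key the certificate carries.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match the client certificate"; return 4; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed test data: throwaway root -> signing CA -> client chain in dir $1,
# plus an unrelated key (other.key). Names are placeholders, not the real bundle.
make_demo_bundle() {
    local d="$1" n
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter client other; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=demo-$n" >/dev/null 2>&1 || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/client.pem" >/dev/null 2>&1
}

# Run as: script root-ca.pem signing-ca.pem client.crt.pem client.key.pem
if [ "$#" -eq 4 ]; then check_radsec_bundle "$@"; fi
```

For the real bundle, pass iw-rsa-root-ca.cert.pem, iw-rsa-radsec-signing-ca.cert.pem, and the xxxx.xxxxx.xxxxx.ironwifi.net.crt.pem and .key.pem files, in that order.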
Hotspot
- Click Hotspots & Portals on the left. Click the Hotspot (WISPr) tab then Create and configure with:
- Portal Name - Guest Wi-Fi
- Smart Client Support - None
- Login URL - External
- Redirect unauthenticated users to (Primary) - get this value from the IronWiFi console
- Redirected MAC Format - AA-BB-CC-DD-EE-FF
- HTTPS Redirect - OFF
- Start Page - Redirect to the following URL - get this value from the IronWiFi console
- Walled Garden List - 107.178.250.42
You will also need to include the following domains in the walled garden list if you want to make use of social login.
Facebook | Twitter | LinkedIn | Instagram |
---|---|---|---|
*.facebook.com | *.twitter.com | *.linkedin.com | *.instagram.com |
*.fbcdn.net | *.twimg.com | *.licdn.net | |
*.akamaihd.net | | *.licdn.com | |
connect.facebook.net | | | |
Click OK to save.
Wireless LAN
- Click Wireless LANs on the left, then click Create. Configure with:
Under General Options:
- Name - Guest Wi-Fi
- SSID - Guest Wi-Fi (or whatever you wish)
- Zone - Select a zone
- WLAN Group - Select a group (or default)
Under Authentication Options:
- Authentication Type - Hotspot (WISPr)
- Method - Open
Under Encryption Options:
- Method - None
Under Hotspot Portal:
- Hotspot (WISPr) Portal - Guest Wi-Fi
- Bypass CNA - Off
- Authentication Service - ON - Use Controller as proxy - Guest WiFi
- Accounting Service - ON - Use Controller as Proxy - Guest WiFi Acct
- Send interim update - every 10 Minutes
Under RADIUS Options:
- NAS ID - AP MAC
- Delimiter - Dash
- Single Session ID Accounting - ON
- Called Station ID - AP MAC
Click OK to save.
Northbound API
- Click System > General Settings on the left and then the WISPr Northbound Interface tab. Configure as follows:
- Enable Northbound Portal Interface Support - ON
- User Name - api
- Password - enter any password you choose
Click OK to save.
To complete the setup you will need to log in to the IronWiFi console, and under Networks > Captive Portals > Your Captive Portal you will need to enter your SmartZone Public IP and the Northbound Password you chose above. This allows our system to talk to the SmartZone for authenticating users and is a mandatory step.
Please create a new port forward from your Public IP with the following:
- Local/Internal IP - Your SmartZone internal LAN IP (e.g. 192.168.0.1)
- Protocol - TCP
- Destination Port - 9080, 9443
The configuration is now complete.
! You must also install a valid SSL certificate on your controller/AP, in order to avoid authentication issues !