technical note Ruckus + Bradford Interop Introduction

Similar documents
Virtual SmartCell. Virtual. SmartZone ) High Scale SERVICE PROVIDER CLASS WLAN CONTROLLER DESIGNED TO RUN IN THE CLOUD. data sheet

RUCKUS CLOUD WI-FI Cloud Managed Wi-Fi

Virtual SmartCell. Virtual. SmartZone ) High Scale SERVICE PROVIDER CLASS WLAN CONTROLLER DESIGNED TO RUN IN THE CLOUD. data sheet

competitive Ruckus vs. Ubiquiti PRODUCT COMPARISON Ruckus Core Values Ubiquiti Core Values

SUB-TITLE WLAN Management-as-a-Service

BYOD with Ruckus. Introduction. Strong Security with Dynamic Pre-Shared Key

PRODUCT GUIDE ZoneFlex Indoor AP

ZoneFlex 7761-CM DUAL-BAND N SMART WI-FI OUTDOOR AP WITH INTEGRATED DOCSIS 3.0 MODEM

ZoneDirector ENTERPRISE-CLASS SMART WIRELESS LAN CONTROLLER

ZoneDirector ENTERPRISE-CLASS SMART WIRELESS LAN CONTROLLER

Wireless Integration Overview

PRODUCT GUIDE Ruckus Indoor AP

ZoneDirector 5000 Scalable Enterprise Class Smart WLAN Controller

What s New in ZoneFlex Software Release 9.4

ZoneFlex 7762 Series DUAL-BAND N SMART WI-FI OUTDOOR AP

ZoneDirector 3000 Enterprise-Class Smart

PRODUCT GUIDE Indoor Access Points

HOSPITALITY. The Home Away From Home

SmartCell Gateway 200

Accessory Guide ZoneFlex Indoor AP Accessories

ZONEDIRECTOR 1200 Enterprise-Class Smart Wireless LAN Controller

Ruckus ZoneDirector 1106 WLAN Controller (up to 6 ZoneFlex Access Points)

Ruckus ZoneDirector 3450 WLAN Controller (up to 500 ZoneFlex Access Points)

ZoneFlex Smart n 5GHz Outdoor Wireless Bridge. The First Centrally Managed n 5GHz Outdoor Wireless Bridge BENEFITS

ZoneFlex 7300 Series SINGLE/DUAL-BAND N SMART WI-FI ACCESS POINTS

ZoneFlex N SMART WI-FI ACCESS POINTS

ZoneDirector 1100 Enterprise-Class Smart Wireless LAN Controller

Raising a Ruckus in the Google Classroom DELIVERING UNRIVALED PERFORMANCE FOR CHROMEBOOK AND GOOGLE APP ENVIRONMENTS

Tunneling Configuration Guide for Enterprise

TITLE GOES HERE RUCKUS CLOUDPATH ENROLLMENT SYSTEM. The only integrated security and policy management platform that delivers: COMPRISED OF:

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E

FortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Getting Started Guide for SmartZone 3.4

Accessory Guide Indoor AP Accessories

Ruckus SmartZone 100 and Virtual SmartZone (Essentials)

Virtual SmartZone - Essentials Scalable Virtual Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Smart Wi-Fi for HOSPITALITY

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

ZoneFlex 2741 Smart Wi-Fi g Outdoor Access Point

SmartZone 100 Scalable Wireless LAN Controller

Accessory Guide Indoor AP Accessories

Ruckus Wireless TM Indoor Access Point. Release User Guide

ISE Version 1.3 Hotspot Configuration Example

Ruckus SmartZone 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide

H320 Wall-Mounted ac Wave 2 Wi-Fi Access Point and Switch

Virtual SmartZone - Essentials Scalable Virtual Wireless LAN Controller

HOSPITALITY. Give your guests a better network experience

ZoneFlex R700 DUAL-BAND 3X3: AC SMART WI-FI AP

ZoneFlex 7762 Series. Dual-Band n Smart Wi-Fi Outdoor AP

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

SmartZone 100 and Virtual SmartZone Essentials. Administrator Guide for Release 3.5.1

PRODUCT GUIDE Indoor Access Points

DELL EMC NETWORKING RUCKUS ZONEDIRECTOR 1200

Creating Wireless Networks

ForeScout CounterACT. Configuration Guide. Version 1.8

FortiNAC Motorola Wireless Controllers Integration

The Impact of AP Capacity on Wireless LAN Total Cost of Ownership

ZoneFlex TM Indoor Access Point. Release 9.8 User Guide

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

Multicast VLAN, page 1 Passive Clients, page 2 Dynamic Anchoring for Clients with Static IP Addresses, page 5

SmartZone 100 Scalable Wireless LAN Controller

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Configuring NAC Out-of-Band Integration

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Installation & Setup of your Access Networks Ruckus Wireless System

Ruckus SmartCell Gateway. Setup Guide. Published April Version 1.0

R310 Indoor ac 2x2:2 Wi-Fi Access Point

MediaFlex 2800 Series g Multimedia Smart Wi-Fi Router and Adapter Ruckus MediaFlex 2825 Multimedia Wireless Router

LAB: Configuring LEAP. Learning Objectives

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Service Discovery Gateway Deployment Guide, Cisco IOS-XE Release 3.3

R310 Indoor ac 2x2:2 Wi-Fi Access Point

ZoneFlex 7762-S. World s First Concurrent 2.4/5GHz n Sector Access Point with Dynamic Beamforming

FortiNAC ADTRAN vwlan Wireless Controllers Integration

VIEW Certified Configuration Guide. Extreme Networks. Summit WM 100, 1000 Wireless Controllers with Altitude AP

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Securing Cisco Wireless Enterprise Networks ( )

Adaptive antenna technology is ideal for making handheld devices, which move consistently with hand and body motion, completely reliable.

Ruckus Wireless Outdoor Access Point. Release User Guide

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. Access Point WIRELESS WAP54G (EU/LA/UK) Model No.

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Ruckus Wireless ZoneFlex (ZoneDirector and ZoneFlex Access Points) Release Notes. October 26, 2012

CCIE Wireless v3 Workbook Volume 1

CounterACT Wireless Plugin

MediaFlex 2800 Series g Multimedia Smart Wi-Fi Router and Adapter Ruckus MediaFlex 2825 Multimedia Wireless Router

Configuring Client Profiling

AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS AN ARUBA AIRGROUP SOLUTION GUIDE

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Ruckus Wireless ZoneFlex Indoor Access Point. Release 9.3 User Guide

Wireless LAN Overview

VIRTUAL SMARTZONE - HIGH SCALE Scalable Virtual Wireless LAN Controller

Cloudpath and Aruba Instant Integration

SmartCell Gateway 200 CARRIER CLASS WLAN CONTROLLER WITH WLAN GATEWAY SUPPORT

Contents. Cisco WAP121 and WAP321 Wireless Access Points, Firmware Version Release Notes. This document includes the following topics:

VIEW Certified Configuration Guide. BelAir Networks. BelAir50, BelAir100, BelAir200. January 2008 Edition Version D

R310 Indoor ac 2x2:2 Wi-Fi Access Point

Verify Radius Server Connectivity with Test AAA Radius Command

Transcription:

technical note Ruckus + Bradford Interop Introduction Bradford Network Sentry is a purpose-built Network Access Control (NAC) physical/ virtual appliance. It dynamically leverages the continuously growing library of security commands and controls built into today s switches, routers, wireless controllers and wireless access points to perform pre-connect risk assessments on every device attempting to connect to the network. This note provides step by step instructions on setting up a Ruckus-Bradford solutions environment. It assumes that the reader is reasonably familiar with both Ruckus and Bradford products. Versions: Ruckus ZoneDirector: 9.8.2 Ruckus SmartZone (SZ100, vsz-e, vsz-h, SCG200): 3.2 Bradford: 7.1 (for ZoneDirector); 7.3.2 for SmartZone Setup Overview 1. Two VLANs: Production and Isolation. Unauthenticated users are placed into the Isolation VLAN and authenticated users are placed into the Production VLAN. 2. Two SSIDs/WLANs are setup corresponding to the Production and Isolation VLANs. The Production SSID is broadcast over the air whereas the Isolation SSID is a dummy. 3. The Production SSID/WLAN is set up with Dynamic VLAN (DVLAN) capabilities and MAC Authentication. The Bradford Network Sentry appliance acts as the Radius Server.

4. The Isolation SSID/WLAN is a dummy and is not broadcast over the air. 5. The Network Sentry Appliance acts as the DHCP/DNS server for the Isolation VLAN. The Production VLAN uses the organization s regular DHCP/DNS servers. 6. The Network Sentry Appliance reads the WLAN/VLAN configuration from the Ruckus controllers via SNMP. User Experience 1. New user connects to the Production SSID. Ruckus sends a Radius Request to the Network Sentry appliance. On seeing that the device is unregistered, Network Sentry places this device into the Isolation VLAN via the DVLAN capability in the Radius Response. The user is assigned an IP address on the Isolation VLAN by the Network Sentry Appliance. Ruckus ZoneDirector Setup This involves the following: 5. Setting up the Network Sentry Appliance as the Radius Server 6. Setting up the Production and Isolation SSIDs/WLANs (the latter as a dummy). 7. Enabling SNMP with the appropriate accounts/ passphrases. 2. User browses to say, google.com and is re-directed to the Network Sentry Appliance portal page. User authenticates 3. Network Sentry sends Radius DM message to the Ruckus controller and the user is disconnected from the SSID. In older versions, the Network Sentry would disconnect the user via CLI commands issued to the Ruckus ZoneDirector. 4. User automatically reconnects and now the Network Sentry Appliance places this authenticated user into the Production VLAN. The IP address is obtained from the organization s regular DHCP/DNS servers. Towards the end, this note also addresses the issue of wired clients on the Access Points. Following the Radius exchange is a brief troubleshooting section.

Network Sentry As Radius Server After logging into the ZoneDirector, go to Configure->AAA Servers and set up the Network Sentry Appliance as a Radius Server (IP Address, shared secret, etc.)

Production SSID/WLAN From the Configure->WLANs tab, create a new SSID for the Production WLAN/VLAN. This should be set up for (a) Mac Authentication (b) Network Sentry Appliance as the Authentication Server and (c) Dynamic VLAN capabilities.

Enable Dynamic VLAN under Advanced options

Isolation SSID/WLAN Similarly create an Isolation SSID/WLAN of any type with the Access VLAN being set to the correct desired Isolation VLAN (Advanced Options).

Remove Isolation WLAN from Default Group Remove this isolation WLAN from the Default WLAN Group, so that the SSID is not broadcast over the air.

Enable SNMP From Configure->System->Network Management (towards the bottom of the page), enable the SNMP v3 Agent together with the appropriate users, authentication andprivacy types and passphrases. These will be used for the corresponding entries in the Network Sentry appliance. Ruckus SmartZone Setup (SZ100, vsz-e) This involves the following: 1. Setting up the Network Sentry Appliance as the Radius and Radius Accounting Server 2. Setting up the Production and Isolation SSIDs/WLANs (the latter as a dummy). 3. Enablin g SNMP with the appropriate accounts/ passphrases.

Network Sentry as Radius Server From Configuration->AAA Servers->Proxy AAA, setup the Network Sentry Appliance as the Radius as well as Radius Accounting Server as shown below.

Network Sentry as Radius Accounting Server

Production SSID/WLAN Setup the Production SSID with the following: 1. MAC Authentication and MAC Address format as aa:bb:cc:dd:ee:ff 2. Network Sentry as the Radius and Radius Accounting Server. 3. Dynamic VLAN (VLAN Override)

Enable VLAN Override in Advanced Options

Isolation SSID/WLAN Setup the Isolation SSID as any type and assign it the Isolation VLAN. This is a dummy WLAN and needs to be removed from the Default WLAN Group, so that it is not broadcast over the air.

Remove Isolation WLAN from Default Group

Enable SNMP Enable the v3 SNMP Agent as shown below. Ruckus SmartZone (vsz-h, SCG200) Setup This involves the following: 1. Setting up the Network Sentry Appliance as the Radius and Radius Accounting Server. 2. Setting up the Production and Isolation SSIDs/WLANs (the latter as a dummy). 3. Enabling SNMP with the appropriate accounts/ passphrases.

Network Sentry as Radius Server As shown below, (a) Under Services, setup Network Sentry as the Radius Server and (b) Enable the Authentication Profile under Service Profiles.

Authentication Service Profile

Network Sentry as Radius Accounting Server Under Services, setup Network Sentry as a Radius Accounting Server and under Service Profiles, enable the Accounting Profile.

Accounting Service Profile

Production SSID/WLAN Under the desired Zone, setup the Production SSID/WLAN with: 1. MAC Authentication and MAC Address format as aa:bb:cc:dd:ee:ff 2. Network Sentry as the Radius and Radius Accounting Server. 3. Dynamic VLAN (VLAN Override)

Enable VLAN Override in Advanced Options

Isolation SSID/WLAN Setup a dummy SSID/WLAN for Isolation of any type and assign it the appropriate VLAN under Advanced Options.

Remove Isolation WLAN from Default WLAN Group

Enable SNMP Network Sentry Setup It is assumed that the Network Sentry Appliance has been setup and needs to be only configured for interoperability with the Ruckus controllers/access points. The overall steps are: 1. Create new domain for Ruckus 2. Add Ruckus controller (ZoneDirector or SmartZone) to this domain and model its configuration 3. Read VLANs from ZoneDirector 4. Set up Test User Accounts

Create Ruckus Domain From Network Devices->Network Devices create a new domain called Ruckus.

Add Ruckus controller From Network Devices -> Topology, add the Ruckus controller to the Ruckus Domain created above. The SNMP settings are those specified in the Ruckus controllers.

Validate Credentials and Ignore CLI Error Message

Read controller Information Once the Ruckus controller has been created, read its information by right clicking and using Resync Interfaces.

Model Ruckus controller Now Model the Ruckus controller (right click, Model Configuration) and enter all the appropriate information created earlier for the Radius shared secret and the VLAN assignments.

Add Test User Accounts Add some test user accounts as shown below.

Test Clients You can now test by connecting a client to the SSID. It will first be placed in the Isolation VLAN and the user will be asked for credentials (per the test accounts setup in the prior step). Upon authentication, the device will disconnect and be placed in the desired Production VLAN. As shown below, the client device can be seen in the Host View.

AP Wired Clients In order to enable the solution on AP wired clients, the Port Configuration of the AP needs to be changed as shown below (Configure->Access Points->Edit AP). Note that as of this writing, switching from one VLAN to another in this case, may require a physical disconnect/reconnect of the client.

TroubleShooting The best way to troubleshoot is to observe the Radius exchange between the Ruckus controller and the Network Sentry appliance. 1. New User Connects to Production SSID and Ruckus controller sends Radius Request to Network Sentry 2. Network Sentry responds with Access Accept and assigns user to Isolation VLAN via the DVLAN fields in the Radius response. User connects to the SSID and is assigned a DHCP/DNS Server address by Network Sentry. User browses to say, google.com, and is redirected by Network Sentry to itself. User then authenticates with Network Sentry. 3. Network Sentry sends Radius DM Request message to Ruckus controller. 4. Ruckus controller acknowledges the DM request and disconnects the user. User now automatically reconnects to the Production SSID. 5. Ruckus controller sends Radius Request to Network Sentry 6. Network Sentry responds with Radius Accept requesting assignment to the regular VLAN via the DVLAN field in the Accept Response 7. User connects and this time is assigned a DHCP/DNS server by the regular, production infrastructure. Copyright 2016, Ruckus Wireless, Inc. All rights reserved. Ruckus Wireless and Ruckus Wireless design are registered in the U.S. Patent and Trademark Office. Ruckus Wireless, the Ruckus Wireless logo, BeamFlex, ZoneFlex, MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, SmartCell, ChannelFly and Dynamic PSK are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other trademarks mentioned in this document or website are the property of their respective owners. March 2016. Ruckus Wireless, Inc. 350 West Java Drive Sunnyvale, CA 94089 USA (650) 265-4200 Ph \ (408) 738-2065 Fx www.ruckuswireless.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback