How to configure 802.1X authentication on Ruckus access points (through VirtualSmartZone) using Cloudi-Fi as the RADIUS provider.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Cloudi-Fi Radius IPs and Secret
- Access to Virtual SmartZone dashboard. You will require Commscope Ruckus vSZ Controller v6.x to continue.
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:
| Source | Destination | Port | Protocol | Action | Comment |
|---|---|---|---|---|---|
| 802.1x subnet | Cloudi-Fi IPs | 1815 | UDP | Allow | RADIUS traffic |
| 802.1x subnet | Any | 80 | TCP | Allow | HTTP traffic |
| 802.1x subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| 802.1x subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
| Parameter | Description |
|---|---|
| RADIUS IPs | Provided by Cloudi-Fi |
| Ports | UDP 1815 (Authentication) |
| Shared Secret | Obtain via the Cloudi-Fi chatbot or Support team |
You can get the Secret by asking the Chatbot the question below. Cloudi-Fi’s Support team will provide you with the necessary information.
"What shared secret is used for the Radius server for 802.1X for Ruckus?"
Please save this confidential information securely, and do not share it publicly.
2. Get the Cloudi-Fi NAS-ID
You must create or use a Cloudi-Fi location and retrieve its NAS-ID (Hash key).
- Log in to the Cloudi-Fi admin console.
- Go to Location.
- Create a new location if needed and fill in:
  - Location name
  - Type (Redirect URL)
  - Country
- Save.
- Click the location you created.
- Go to Network parameters and copy the Hash key — this will be used as the NAS-ID.
3. Create Radius authentication server
Navigate to Security > Authentication > Proxy (SZ Authenticator).
Create a new object and configure it as follows:
- Name : name of your Radius (e.g. cfi_nac_radius)
Primary / Secondary Server
- IP Address / FQDN : see Radius Servers for 802.1X
- Port : see Radius Servers for 802.1X
- Shared secret : secret provided by the Cloudi-Fi Support team
Health Check Policy (default parameters)
- Response Window : 20 seconds
- Zombie Period : 40 seconds
- Revive Interval : 120 seconds
- No Response Fail : No
Rate Limiting (default parameters)
- Maximum Outstanding Requests (MOR) : 0 Requests per Server
- Threshold : 0 % of MOR
- Sanity Timer : 10 Seconds
User Role Mapping (default parameters)
4. Create your WLAN configuration
Navigate to Network > Wireless LANs and select the zone where you want to broadcast your SSID.
Create a new object and configure it as follows:
General options
- Name : name of your WLAN (e.g. NAC_Ruckus)
- SSID : name of your SSID (e.g. NAC_Ruckus)
Authentication options
- Authentication type : standard usage
- Method : 802.1X EAP
Encryption Options
- Method : WPA3
- Algorithm : AES
- 802.11r Fast Roaming : OFF
- 802.11w MFP : Required
- Transition Disable indication : OFF
Authentication & Accounting Server
- Authentication Server : ON (select the Cloudi-Fi Radius Server set in 3. Create Radius authentication server)
Wireless Client isolation (default parameters)
- Client Isolation : OFF
Radius Options
- NAS ID : User-defined (here please paste the NAS-ID collected in 2. Get the Cloudi-Fi NAS-ID)
- NAS Request Timeout : 3 seconds
- NAS Max Number of Retries : 2 times
- NAS Reconnect Primary : 5 minutes
- Called Station ID : WLAN BSSID
- NAS IP : Disabled
- Single Session ID Accounting : OFF
- Vendor Specific Attribute Profile : Disabled
Firewall options (default parameters)
Advanced options : At this stage, you will be able to define parameters such as the VLAN ID and the SSID display.
5. Validation
After completing the configuration:
- Connect a test client to the SSID.
- The client should be prompted for 802.1X credentials.
- Successful authentication should appear in both:
  - Ruckus > Monitor > Wireless Clients
  - Cloudi-Fi > Users > Authentications
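
Added example (not part of the original guide, and not Cloudi-Fi or Ruckus code): when validation fails, the Python code below checks a captured RADIUS Access-Request against the shared secret from step 1 and the NAS-ID from step 2, using the RFC 2865 attribute layout and the RFC 3579 Message-Authenticator. The function names are hypothetical, and the secret, hash key and BSSID are constructed sample values.

```python
import hashlib
import hmac
import struct

NAS_IDENTIFIER, CALLED_STATION_ID, MESSAGE_AUTHENTICATOR = 32, 30, 80  # RFC 2865 / RFC 3579

def parse_attributes(packet: bytes) -> list:
    """Return (type, value_offset, value) for every attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_len = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def check_request(packet: bytes, secret: bytes, expected_nas_id: str) -> dict:
    """Compare a captured Access-Request with the configured secret and NAS-ID."""
    attrs = parse_attributes(packet)
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]  # drop trailing padding
    result = {"nas_id_ok": False, "called_station_id": None, "secret_ok": False}
    for a_type, off, value in attrs:
        if a_type == NAS_IDENTIFIER:
            result["nas_id_ok"] = value.decode(errors="replace") == expected_nas_id
        elif a_type == CALLED_STATION_ID:
            result["called_station_id"] = value.decode(errors="replace")
        elif a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            # HMAC-MD5 over the packet with this attribute's value zeroed, keyed by the secret
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            digest = hmac.new(secret, zeroed, hashlib.md5).digest()
            result["secret_ok"] = hmac.compare_digest(digest, value)
    return result

def build_sample_request(secret: bytes, nas_id: str, bssid: str) -> bytes:
    """Constructed sample Access-Request for offline use (not a real capture)."""
    def tlv(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    attrs = tlv(NAS_IDENTIFIER, nas_id.encode()) + tlv(CALLED_STATION_ID, bssid.encode())
    attrs += tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16))
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

if __name__ == "__main__":
    pkt = build_sample_request(b"constructed-secret", "constructed-hash-key", "AA-BB-CC-DD-EE-FF")
    print(check_request(pkt, b"constructed-secret", "constructed-hash-key"))
```

`secret_ok` stays False both when the Message-Authenticator does not match the supplied secret and when the packet carries no Message-Authenticator at all.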