Step-by-step instructions to set up a Radius-based captive portal with Ruckus SmartZone controller v6.x and Cloudi-Fi for user authentication.
You will require Commscope Ruckus vSZ Controller v6.x to continue.
There is separate documentation for v5.x.
Integration tested on vSZ controller versions 6.0.0.0.1331 and 6.1.1.0.959.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- CommScope Ruckus Access points connected to Ruckus Virtual SmartZone controller.
- Access to the Ruckus Virtual SmartZone controller.
- Access to Cloudi-Fi’s admin console
- Cloudi-Fi Radius IPs and Secret
- Knowledge of your network’s IP addressing scheme.
- Firewall ports allowed:
  - For WISPr: TCP 8090, 8099, 8100, 8111, 9997, 9998
  - For Northbound API (NBI): TCP 9080, 9443
  - RADIUS: UDP 1812, 1813
1. Get the Cloudi-Fi required URL
To create a new location in the Cloudi-Fi Admin interface if it doesn't already exist, follow these instructions:
Go to the "Location" section in the Cloudi-Fi Admin interface.
Create New Location and enter the required details for the new location:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL by replacing the last path segment (after /sp/) with spruckusnbi.com, as follows:
Cloudi-Fi (as copied):
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
Ruckus virtual SmartZone (transformed):
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spruckusnbi.com
2. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to set up.
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information.
What shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly.)
Then go to Settings > Company Account:
- Copy your Cloudi-Fi public key
3. Create Hotspot WISPr service
- Navigate to Services, then Hotspots & Portals and Hotspot (WISPr).
- Create a new object.
- Configure as follows:
- Portal Name: Cloudi-Fi Captive Portal
- Smart Client Support: None
- Login URL: External
- Redirect unauthenticated user, Primary:
- Start Page, Redirect to the following URL: https://login.cloudi-fi.net/success.php
- HTTPS Redirect: ON
- Session Timeout: Same value as Cloudi-Fi Session lifetime
- Grace Period: Same value as Cloudi-Fi Session Lifetime
- Walled Garden: Add the URLs below (additional URLs may be needed if your captive portal uses a Social Media connector)
*.cloudi-fi.net
*.cloudi-fi.com
4. Create authentication services
- Navigate to Security, then Authentication and Proxy (SZ Authenticator)
- Create a new object.
- Configure as follows:
- Name: Cloudi-Fi Radius
- Service Protocol: Radius
- IP Address, Port, and Secret will be provided by the Cloudi-Fi Support team
5. Create the Guest WLAN
- Navigate to Network, then Wireless and Wireless LANs.
- Select the Zone/WirelessGroup
- Create a new object
- Configure as follows:
- Name: Your Guest SSID’s Name
- SSID: Your Guest SSID’s Name
- Authentication Type: Hotspot (WISPr)
- Method: Open
- Encryption options: None
- Hotspot (WISPr) portal: Cloudi-Fi Captive Portal
- Bypass CNA: OFF
- Authentication service: Use the controller as a proxy and select Cloudi-Fi Radius
- NAS ID: User-defined
- Called Station ID: AP MAC
- NAS IP: SZ Control IP
6. Disable MAC address encryption
By default, the Ruckus vSZ controller encrypts the device's MAC address.
Cloudi-Fi needs to see the actual MAC address of the client’s device.
To disable this feature, connect to the CLI of your vSZ controller and run the following command in config mode:
no encrypt-mac-ip
7. Configure the Northbound interface (NBI) credentials
To allow Cloudi-Fi to communicate with your vSZ controller, we use the NBI.
Navigate to Administration, External Services, WISPr Northbound Interface
- Enable Northbound Portal Interface Support: ON
- Then configure your username and password.
8. Provide NBI credentials to Cloudi-Fi
In the Cloudi-Fi Administration interface, navigate to Configuration > Integrations > Commscope Ruckus SmartZone.
Fill out the username and password fields.
Troubleshooting
- Firewall problem
  - Before beginning, please check that the firewall rules mentioned in the Solution prerequisites section are active.
  - If you still encounter problems after following all the configuration steps, follow the steps below and provide the results to the Cloudi-Fi support team:
    - Make a web capture of your browser
    - Share with the Cloudi-Fi support team:
      - The URL of the captive portal configured on Ruckus
      - User ID facing the error page
- Captive portal display issue before or after authentication
  - The problem may be related to DHCP or DNS.
    - Check that your private IP address is valid.
    - Check that login.cloudi-fi.net is resolved.
  - If DNS and the IP address function correctly and you still have a captive portal problem:
    - Type http://neverssl.com in your browser to trigger the redirection to the portal.
    - If the captive portal still does not appear, check the authorizations in "Access".
    - Follow the path below and check if Cloudi-Fi's domains or IPs are authorized before authentication.
    - Click on "Your_Group" > Device > Config > WLANs > Access > Rule
- Error after authentication on the page
  - Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal:
    - Check the configuration of the Radius server:
      - The IP address of RADIUS
      - RADIUS port (default port 1812)
      - The shared password
    - Check the availability of the RADIUS server:
      - Go to Services & Profiles > Authentication.
      - Select the Proxy (SZ Authenticator) tab, then select the zone for which to test the AAA server.
      - Click Test AAA.
      - The Test AAA Server page appears.
These results can be used to troubleshoot the reasons for failure to authenticate administrators with an AAA server through the controller.
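Why the shared password matters when checking the RADIUS server, shown as an added example (not Cloudi-Fi or Ruckus code): per RFC 2865 the shared secret both hides the User-Password in the Access-Request and authenticates the reply, so a mistyped secret produces a reply whose authenticator does not verify. The secret, user name, NAS ID and the `simulated_reply` server stand-in are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def attr(attr_type, value):  # one attribute as Type, Length, Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, nas_id, secret):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)
    hidden = hide_password(password.encode(), secret, request_auth)
    attrs = (attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hidden)
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def response_is_authentic(response, ident, request_auth, secret):
    """Check ID and Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(response) < 20 or response[1] != ident:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def simulated_reply(code, ident, request_auth, secret, attrs=b""):
    """Constructed stand-in for the RADIUS server so the example runs offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    secret = b"constructed-secret"  # placeholder, not a real shared secret
    pkt, ra = build_access_request(7, "guest", "guest-pass", "guest-ssid", secret)
    reply = simulated_reply(ACCESS_ACCEPT, 7, ra, secret)
    print(response_is_authentic(reply, 7, ra, secret), response_is_authentic(reply, 7, ra, b"typo"))
```

To query a real server, send the packet over UDP to port 1812 and pass the reply to `response_is_authentic` together with the request's ID and authenticator.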