Skip to main content

Search

How can we help ?

How to enable Cloudi-Fi with Ruckus vSZ Controller v5.x

Alexandre de THOMASSON
  • Updated

Step-by-step instructions to set up a Radius-based captive portal with Ruckus Virtual SmartZone controller and Cloudi-Fi for user authentication.

                                                            

You will require Commscope Ruckus vSZ Controller v5.x to continue.

There is separate documentation for v6.x

Integration tested on a vSZ controller 5.2.1.0.515

 

Table of contents

Prerequisites

Step 1: Get the Cloudi-Fi required URL

Step 2: Get Radius information

Step 3: Create Hotspot WISPr Service

Step 4: Create an Authentication Service

Step 5: Create the Guest WLAN

Step 6: Disable MAC-Address Encryption

Step 7: Configure the Northbound Interface (NBI) credentials

Step 8: Provide NBI credentials to Cloudi-Fi

Step 9: (Recommended) - Install an SSL certificate

Troubleshooting

Prerequisites:

Before starting, ensure that you have the following prerequisites:

  • CommScope Ruckus Access points connected to Ruckus Virtual SmartZone controller.
  • Access to the Ruckus Virtual SmartZone controller.
  • Access to Cloudi-Fi’s admin console
  • Cloudi-Fi Radius IPs and Secret  
  • Knowledge of your network’s IP addressing scheme.
  • Firewall ports allowed: 
    • For WISPr: TCP 8090, 8099, 8100, 8111, 9997, 9998
    • For Northbound API (NBI): TCP 9080, 9443
    • RADIUS: UDP 1812, 1813

Step 1: Get the Cloudi-Fi required URL

Location URL: this URL will be used to configure an External Captive Portal

  • Access the Cloudi-Fi administration console
  • Select the location
  • Click on the menu button for the location
  • Select "Copy Splash page URL"

Cloudi-Fi Get captive portal url.png

 

Transform the URL as follows:

 

Cloudi-Fi

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com

Ruckus Virtual SmartZone

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spruckusnbi.com

 

Step 2: Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.

  1. IPs address of the Radius servers
  2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)
  3. The Secret (provided by Cloudi-Fi Support)

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

Cloudi-Fi - Get radius information for Aruba Central

What is shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly.)

Step 3: Create Hotspot WISPr Service

  1. Navigate to Services & Profiles, then Hotspots & Portals Hotspot (WISPr)
  2. Create a new one
  3. Configure as follows 
    1. Portal Name: Cloudi-FI Captive Portal

    2. Logon URL: External

    3. Redirect unauthenticated user, Primary:

    4. Start Page: Redirect to the following URL: https://login.cloudi-fi.net/success.php

    5. HTTPS Redirect: ON

    6. Session Timeout: Same value as Cloudi-Fi Session lifetime

    7. Grace Period: Same value as Cloudi-Fi Session Lifetime

    8. Walled Garden: Add only the below URL (Additional URLs may be added in case of Social Media connector on your captive portal)

*.cloudi-fi.net
*.cloudi-fi.com

Step 4: Create an Authentication Service

  1. Navigate to Services & Profiles, then Authentication Proxy (SZ Authenticator)
  2. Create a new object
  3. Configure as follows
    • Name: Cloudi-FI Radius
    • Service Protocol: Radius
    • IP Address, Port, and Secret provided by the Cloudi-FI Support team

Step 5: Create the Guest WLAN

  1. Navigate to Wireless LANs.
  2. Select the correct Zone/Wireless Group
  3. Create a new WLAN

    • Name: Your Guest SSID Name

    • SSID: Your Guest SSID Name

    • Authentication Type: Hotspot (WISPr)

    • Method: Open

    • Encryption Options: None

    • Hotspot WISPr Portal: Cloudi-Fi Captive Portal

    • Bypass CNA: OFF

    • Authentication Service: Use the controller as a proxy and Select Cloudi-FI Radius

    • Radius Option NAS-ID: Select Custom:

    • Called Station ID: AP MAC

Step 6: Disable MAC-Address Encryption

By default, the Ruckus vSZ controller will encrypt the device's mac-address.

Cloudi-Fi needs to see the actual mac-address of the client’s device.

To disable this feature, connect in CLI to your vSZ controller and run the following command in config mode :

no encrypt-mac-ip

 

Step 7: Configure the Northbound Interface (NBI) credentials

To allow Cloudi-Fi to communicate with your vSZ controller, we use the NBI.

It prevents redirection issues (Security Warning due to HTTP Redirection or Certificate warning with HTTPS redirection).

Go to System General Settings WISPr Northbound Interface

  • Enable Northbound Portal Interface Support: ON

  • Then configure your Username and password

Step 8: Provide NBI credentials to Cloudi-Fi

Go to Cloudi-Fi Admin interface Settings Integrations Commscope Ruckus SmartZone.

Fill out the username and password fields.

 

 

Step 9: (Recommended) - Install an SSL certificate

Before starting, why should you use a certificate? TLS/SSL certificates secure internet connections by encrypting your data. They ensure data is transmitted privately, without modification, loss, or theft. By adding a certificate, you will provide a safer internet experience for your users.

Moreover, some browsers might block authentication on HTTP pages. Using a certificate will permit access to HTTPS pages, and your users can authenticate, improving the user's experience.

 

You can go to System Certificates SZ as a Server Certificate and then import a new Certificate.

Give it a name and import the following :

  • Server Certificate

  • All the Intermediate CA Certificate

  • Private Key

Click on Validate. You should have PASS on every line, and click OK to save

Go to System Certificates Certificate as Service Mapping

 

Apply the imported certificate to Hotspot (WISPr), then click OK to save

Necessary: This will reboot the controller, so make the changes during non-working hours.

 

Troubleshooting

  1. Firewall problem
    1. Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.
    2. If you still encounter problems after following all the configuration steps, follow the steps below and provide it to the Cloudi-Fi support team:
    3. Make a web capture of your browser
    4. Share with the Cloudi-Fi support team
    5. The URL of the captive portal configured on Aruba 
    6. Capture HTTP
    7. User ID facing the error page Aruba troubleshooting command lists
  2. Captive portal display issue before or after authentication
    1. The problem may be related to DHCP or DNS.
      • Check that your IP private address is valid.
      • Check that login.cloudi-fi.net is resolved.

      Assuming the DNS and IP address function correctly, you still have a captive portal problem.

    2. Type http://neverssl.com on your browser to apply the redirection on the portal.
    3. If the captive portal still does not appear, check the authorisations in "Access".
    4. Click on "Your_Group" > Device > Config > WLANs > Access > Rule
    5. Follow the path below and check if Cloudi-Fi's domains or IPs are authorized before authentication.
  3. Error after authentication on the page
    1. Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal

      1. Check the configuration of the Radius server:

        • The IP address of RADIUS RADIUS port (default port 1812)
        • The shared password

      2. Check the availability of the RADIUS server:

        • Go to Services & Profiles > Authentication.
        • Select the Proxy (SZ Authenticator) tab, then select the zone for which to test the AAA server.
        • Click Test AAA.
        • The Test AAA Server page appears

Ruckus UI - Test AAA Radius servers.png

        • These results can be used to troubleshoot the reasons for failure to authenticate administrators with an AAA server through the controller.