Step-by-step instructions to set up a Radius-based captive portal with Ruckus Virtual SmartZone controller and Cloudi-Fi for user authentication.

You will require Commscope Ruckus vSZ Controller v5.x to continue.

There is separate documentation for v6.x

Integration tested on a vSZ controller 5.2.1.0.515

Prerequisites

Before starting, ensure that you have the following prerequisites:

• CommScope Ruckus Access points connected to Ruckus Virtual SmartZone controller.
• Access to the Ruckus Virtual SmartZone controller.
• Access to Cloudi-Fi’s admin console
• Cloudi-Fi Radius IPs and Secret  
• Knowledge of your network’s IP addressing scheme.
• Firewall ports allowed: 
  • For WISPr: TCP 8090, 8099, 8100, 8111, 9997, 9998
  • For Northbound API (NBI): TCP 9080, 9443
  • RADIUS: UDP 1812, 1813

1. Get the Cloudi-Fi required URL

Go to the "Location" section in the Cloudi-fi Admin interface.
Create a New Location and enter the required details for the new location:

• Location Name
• Type (Redirect URL)
• Portal template
• Country 

Location URL: this URL will be used to configure an External Captive Portal

• Access the Cloudi-Fi administration console
• Select the location
• Click on the menu button for the location
• Select "Copy Splash page URL"

Transform the URL as follows:

Cloudi-Fi

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com

Ruckus Virtual SmartZone

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spruckusnbi.com

2. Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to set up.

1. IPs address of the Radius servers
2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)
3. The Secret (provided by Cloudi-Fi Support)

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

What shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly).

3. Create hotspot WISPr service

1. Navigate to Services & Profiles, then Hotspots & Portals Hotspot (WISPr)
2. Create a new one
3. Configure as follows 
   1. Portal Name: Cloudi-FI Captive Portal
   2. Logon URL: External
   3. Redirect unauthenticated user, Primary
   4. Start Page: Redirect to the following URL: https://login.cloudi-fi.net/success.php
   5. HTTPS Redirect: ON
   6. Session Timeout: Same value as Cloudi-Fi Session lifetime
   7. Grace Period: Same value as Cloudi-Fi Session Lifetime

• • Walled Garden: Add only the below URL (Additional URLs may be added in case of Social Media connector on your captive portal)

*.cloudi-fi.net
*.cloudi-fi.com

4. Create an authentication service

1. Navigate to Services & Profiles, then Authentication & Proxy (SZ Authenticator)
2. Create a new object
3. Configure as follows
   1. Name: Cloudi-FI Radius
   2. Service Protocol: Radius
   3. IP Address, Port, and Secret provided by the Cloudi-FI Support team

5. Create the guest WLAN

1. Navigate to Wireless LANs.
2. Select the correct Zone/Wireless Group
3. Create a new WLAN
   1. Name: Your Guest SSID Name
   2. SSID: Your Guest SSID Name
   3. Authentication Type: Hotspot (WISPr)
   4. Method: Open
   5. Encryption Options: None

• • Hotspot WISPr Portal: Cloudi-Fi Captive Portal
  • Bypass CNA: OFF
  • Authentication Service: Use the controller as a proxy and Select Cloudi-FI Radius
  • Radius Option NAS-ID: Select Custom and set your Cloudi-FI Company key
  • Called Station ID: AP MAC

6. Disable MAC-address encryption

By default, the Ruckus vSZ controller will encrypt the device's Mac address.

Cloudi-Fi needs to see the actual mac address on the client’s device.

To disable this feature, connect in CLI to your vSZ controller and run the following command in config mode :

no encrypt-mac-ip

7. Configure the Northbound Interface (NBI) credentials

We use the NBI to allow Cloudi-Fi to communicate with your vSZ controller.

It prevents redirection issues (Security Warning due to HTTP Redirection or Certificate warning with HTTPS redirection).

Go to System, then General Settings and WISPr Northbound Interface

• Enable Northbound Portal Interface Support: ON

• Then configure your Username and password

8. Provide NBI credentials to Cloudi-Fi

Go to Cloudi-Fi Admin interface Settings, then Integrations Commscope Ruckus SmartZone.

Fill out the username and password fields.

9. Install an SSL certificate

Before starting, why should you use a certificate? TLS/SSL certificates secure internet connections by encrypting your data. They ensure data is transmitted privately, without modification, loss, or theft. By adding a certificate, you will provide a safer internet experience for your users.

Moreover, some browsers might block authentication on HTTP pages. Using a certificate will permit access to HTTPS pages, and your users can authenticate, improving the user's experience.

You can go to System, then Certificates SZ as a Server Certificate, and then import a new Certificate.

Give it a name and import the following :

• Server Certificate
• All the Intermediate CA Certificate
• Private Key

Click on Validate. You should have PASS on every line, and click OK to save

Go to System > Certificates > Certificate as Service Mapping

Replace the Default Certificate to the imported certificate within Hotspot (WISPr), then click OK to save

Necessary: This will reboot the controller, so make the changes during non-working hours.

Troubleshooting

Firewall problem

1. Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.
2. If you still encounter problems after following all the configuration steps, follow the steps below and provide it to the Cloudi-Fi support team:
3. Make a web capture of your browser
4. Share with the Cloudi-Fi support team
5. The URL of the captive portal configured on Ruckus 
6. User ID facing the error page Ruckus troubleshooting command lists

Captive portal display issue before or after authentication

1. The problem may be related to DHCP or DNS.
   1. Check that your IP private address is valid.
   2. Check that login.cloudi-fi.net is resolved.
2. Assuming the DNS and IP address function correctly, you still have a captive portal problem.
3. Type http://neverssl.com on your browser to apply the redirection on the portal.
4. If the captive portal still does not appear, check the authorizations in "Access".
5. Click on "Your_Group" > Device > Config > WLANs > Access > Rule
6. Follow the path below and check if Cloudi-Fi's domains or IPs are authorized before authentication.

Error after authentication on the page

Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal

1. Check the configuration of the Radius server:
   1. The IP address of RADIUS 
   2. RADIUS port (default port 1812)
   3. The shared password
2. Check the availability of the RADIUS server:
   1. Go to Services & Profiles > Authentication.
   2. Select the Proxy (SZ Authenticator) tab
   3. Select the zone to test the AAA server.
   4. Click Test AAA.
   5. The Test AAA Server page appears.

• These results can be used to troubleshoot the reasons for failure to authenticate administrators with an AAA server through the controller.