Ruckus Wireless™ ZoneDirector™ Release 9.7 User Guide
Contents
1. Telnet Server
   Trap Notifications That ZoneDirector Sends
   There are several events for which ZoneDirector will send trap notifications to the SNMP server that you specified. Table 16 lists the trap notifications that ZoneDirector sends and when they are sent.
   Table 16. Trap notifications
   Trap Name: Description
   - ruckusZDEventAPJoinTrap: An AP has joined ZoneDirector. The AP's MAC address is included in the trap notification.
   - ruckusZDEventSSIDSpoofTrap: An SSID-spoofing rogue AP has been detected on the network. The rogue AP's MAC address and SSID are included in the trap notification.
   - ruckusZDEventMACSpoofTrap: A MAC-spoofing rogue AP has been detected on the network. The rogue AP's MAC address and SSID are included in the trap notification.
   - ruckusZDEventRogueAPTrap: A rogue AP has been detected on the network. The rogue AP's MAC address and SSID are included in the trap notification.
   - ruckusZDEventAPLostTrap: An AP has lost contact with ZoneDirector. The AP's MAC address is included in the trap notification.
   - ruckusZDEventAPLostHeartbeatTrap: An AP's heartbeat has been lost. The AP's MAC address is included in the trap notification.
   - ruckusZDEventClientAuthFailBlockTrap: A wireless client repeatedly failed to authenticate with an
2. Background Scanning; Radar Avoidance Pre-Scanning; Aeroscout RFID Tag Detection; Ekahau Tag Detection; Active Client Detection; Tunnel Configuration; Packet Inspection Filter; Configuring Wireless Intrusion Prevention; Controlling Network Access Permissions; Using an External AAA Server; Testing Authentication Settings
   Configuring Self Healing Options
   ZoneDirector has the capability to perform automatic network adjustments to enhance performance and improve coverage by dynamically modifying power output and channel selection settings for each AP, depending on the actual RF environment. These features are called "Self Healing".
   Automatically Adjust AP Power
   ZoneDirector provides a feature to automatically adjust AP radio power to optimize coverage when interference is present. This feature is designed to turn down the power of an access point if the following conditions are met:
   1. The power is set to Auto in the AP configuration.
   2. The AP can hear another AP that is on the same channel and same Zone Dir
3. Attribute: Type ID: Expected Value (Numerical)
   - Tunnel-Type: 64: VLAN (13)
   - Tunnel-Media-Type: 65: 802 (6)
   - Tunnel-Private-Group-Id: 81: VLAN ID
   Here is an example of the required attributes for three users as defined on Free RADIUS:
      0018ded90ef3
         User-Name = user1,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-ID = 0014
      00242b752ec4
         User-Name = user2,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-ID = 0012
      013469acee5
         User-Name = user3,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-ID = 0012
   NOTE: The values in bold are the users' MAC addresses.
   Working with Hotspot Services
   A hotspot is a venue or area that provides Internet access to devices with wireless networking capability, such as notebooks and smartphones. Hotspots are commonly available in public venues such as hotels, airports, coffee shops and shopping malls. ZoneDirector provides two types of Hotspot services based on the WISPr (Wireless Internet Service Provider roaming) 1.0 and 2.0 specifications, as described in the following sections:
   - Creating a Hotspot Service
   - Creating a Hotspot 2.0 Service
   Creating a Hotspot Service
   ZoneDirector's Configure > Hotspot Services page can be used to configure a trad
4. [Screenshot: WLAN Advanced Options form. Fields shown: Accounting Server, Access Control (L2/MAC, L3/4/IP address, Device Policy, Precedence Policy), Call Admission Control, Rate Limiting (Uplink, Downlink), Multicast Filter, Access VLAN (VLAN ID, Enable Dynamic VLAN), Hide SSID, Tunnel Mode, Proxy ARP, Background Scanning, Load Balancing, Max Clients, 802.11d, DHCP Option 82, Force DHCP, Client Tx/Rx Statistics, Client Fingerprinting, Service Schedule]
5. [Screenshot: AP group settings. Fields shown: channel selection for Radio A/N 5G Indoor and Outdoor, Radio B/G/N (2.4 GHz) and Radio A/N (5.0 GHz) settings, TX Power, 11N only Mode, WLAN Group, Call Admission Control, SpectraLink Compatibility, Network Setting, ChannelFly, Max Clients, External Antenna, Port Setting]
   Creating a New Access Point Group
   To create a new AP group with custom settings:
   1. Go to Configure > Access Points.
   2. In the Access Point Groups section, click the Create New button. The Create New form appears.
   3. Enter a Name and, optionally, a Description for the new AP group.
   4. Modify any of the settings in Table 24 that you want to apply to the new AP group, and click OK to save your changes.
   Modifying Access Point Group Membership
   When more than one AP group exists, you can move APs between groups using the Group Settings section of the Editing AP Group form.
   To add more access points to this group:
   1. In Group Settings
6. [Screenshot: WLAN options, including Enable Client Fingerprinting, Enable Auto-Proxy configuration, and "Terminate idle user session after 5 minutes of inactivity"]
   Creating a New WLAN for Workgroup Use
   If you want to create an additional WLAN based on your existing default WLAN and limit its use to a select group of users (e.g., Marketing, Engineering), you can do so by following these steps:
   1. Make a list of the group of users.
   2. Go to Configure > WLANs. When the WLANs page appears, the default internal and guest networks are listed in the table. Once you have created a WLAN, it will appear in this table.
   3. If you have no need for custom authentication or encryption methodologies in this new WLAN, locate the default WLAN record and click Clone. A workspace appears, displaying the default settings of a new WLAN using the same configuration settings as the default WLAN.
   4. Type a descriptive name for this WLAN, and then click OK. This new WLAN is ready for use by selected users.
   5. You can now assign access to this new WLAN to a limited set of internal users, as detailed in Creating New User Roles on page 240.
   Customizing WLAN Security
   The default security method for your i
7. [Screenshot: Monitor page showing the Currently Active WLANs, Currently Active WLAN Groups, and Events/Activities tables]
   Fine Tuning the Current Security Mode
   To keep the original WPA security mode and fine-tune its settings:
   1. Go to Configure > WLANs.
   2. In the Internal WLAN row, click Edit.
   3. Choose from the following options to keep the default WPA encryption with no authentication (Open Auth):
   - WPA2: Switch to this encryption method if you prefer the IEEE 802.11i standard, which provides the highest level of security but is limited to devices with newer wireless NICs.
   - WPA Mixed: Allows both WPA and WPA2 compliant devices to access the network
8. NOTE: The user can reconnect at any time, which, if this proves to be a problem, may prompt you to consider Permanently Blocking Specific Client Devices.
   Permanently Blocking Specific Client Devices
   Follow these steps to permanently block a client device from WLAN connections:
   1. Look at the Status column to identify any unauthorized users.
   2. Click the Block button in the Action column in a specific user row. The status is changed to Blocked. This will prevent the listed device from using your Ruckus Wireless WLANs.
   Figure 71. Click the Block button to permanently delete a client
9. Table 20. Create new WLAN options
   Option: Description
   - General Options: Enter WLAN name and description.
   - WLAN Usages: Select usage type: standard, guest access, hotspot, autonomous.
   - Authentication Options: Select an authentication method for this WLAN: open, 802.1X EAP, MAC address, 802.1X EAP MAC Address.
   - Encryption Options: Select encryption method (WPA, WPA2, WPA Mixed, WEP, or none), encryption algorithm (AES or TKIP), and enter a WPA passphrase/WEP key.
   - Options: Select whether Web-based authentication (captive portal) will be used, and which type of authentication server will be used to host credentials (local database, Active Directory, RADIUS, LDAP). Also enable or disable Wireless Client Isolation, Zero-IT Activation, Dynamic PSK and Priority for this WLAN.
   - Advanced Options: Select accounting server, ACLs, rate limiting, VLAN/dynamic VLAN settings, tunneling, Background Scanning, maximum client threshold, and service schedule.
   3. When you finish, click OK to save the entries. This WLAN is ready for use.
   4. You can now select from these WLANs when assigning roles to users, as detailed in Creating New User Roles on page 240.
   General Options
   - Name/ESSID: Type a short name for this WLAN. The SSID can contain between 2 and 32 characters, including
10. [Screenshot: Device IP Settings and Management Interface form, showing the Manual/DHCP selection, IP Address, Netmask, Gateway, Primary and Secondary DNS Server, Access VLAN, and the Static Route section]
   If ZoneDirector was assigned static network addressing, click Manual and make the correct entries. If you click DHCP, no Manual entries are needed.
   NOTE: If a management interface is used for Web UI management, the actual IP address must still be used when configuring ZoneDirector as a client for a backend RADIUS server, FlexMaster server, or in any SNMP systems. If two ZoneDirectors are deployed in a Smart Redundancy configuration, both of the actual IP addresses must be used rather than the management IP address.
   Creating Static Route Entries
   Static routes can be created to allow ZoneDirector to reach remote networks which can only be reached via a gateway other than the default gateway. The gateway you use must be in the same subnet as either the ZoneDirector primary IP address or the Management IP address.
   To create a static route to an additional gateway:
   1. Go to Configure > System and locate the Static Route section.
   2. Click Create New to create a new static route.
   3. En
11. [Screenshot: debug log options, including 802.11, Dynamic VLAN, and "Debug log per AP's or client's MAC address (e.g. aa:bb:cc:dd:ee:ff)"]
   Using the Ping and Traceroute Tools
   The ZoneDirector Web interface provides two commonly used tools that allow you to diagnose connectivity issues while managing ZoneDirector without having to exit the UI. The Ping and Traceroute tools can be accessed from anywhere in the UI that you see the icon. For example, from the Dashboard, if the Currently Managed APs widget is open, click the icon next to an AP to launch the troubleshooting window.
   Figure 193. Launching the Ping/Traceroute Troubleshooting window from the Dashboard
12. NOTE: By default, Ruckus Wireless APs will attempt to obtain an IP address via DHCP as soon as they are connected to the network. If you do not want the AP to automatically request an IP address, you must first configure a static IP address using the AP Web interface or CLI before connecting them to your network.
   4. Connect each AP to a power source.
   NOTE: If the Ruckus Wireless APs that you are using are PoE-capable and power sources are not convenient, they will draw power through the Ethernet cabling if connected to a PoE-ready hub or switch.
   Verifying/Approving New APs
   1. Go to Monitor > Access Points. The Access Points page appears, showing the first 15 access points that have been approved or are awaiting approval. If ZoneDirector is managing more than 15 access points, the Show More button at the bottom of the list will be active. To display more access points in the list, click Show More. When all access points are displayed on the page, the Show More button disappears.
   2. Review the Currently Managed APs table. See Figure 108.
   - If the Configure > Access Points > Access Points Policies > Approval check box is checked, all new APs should be listed in the table and their Status should be Connected.
   - If the Automatic AP Approval option is disabled, all new APs will be listed but their status will be Approval Pending.
   3. Under the Action column, click Allow. After the status is changed from Disconnected to
13. - Corp VLAN 20
   - Guest VLAN 30
   - Management VLAN (optional)
   Some common VLAN scenarios include:
   - WLANs assigned to specific VLANs; ZD and APs with no management VLAN
   - WLANs assigned to specific VLANs; ZD and APs within their own single management VLAN
   - WLANs assigned to specific VLANs; ZD and APs are configured for management VLAN, but are different VLANs and there is an L3 connection between (typical branch/remote office deployments)
   - WLANs assigned to specific VLANs; ZD or APs only (not both) configured with management VLAN (again typically with a L3 connection between ZD and APs)
   Deploying ZoneDirector WLANs in a VLAN Environment
   The following factors need to be taken into consideration:
   - Default/Native VLAN configuration
   - Where the DHCP/DNS servers sit in the architecture
   - If tunneling is used for WLANs
   - Trunking between switch ports
   NOTE: All DNS, DHCP, ARP, and HTTP traffic from an unauthenticated wireless client will be forwarded by the AP onto the ZoneDirector via the management LWAPP tunnel. If the client belongs to a particular VLAN, the ZoneDirector will add the respective VLAN tag before forwarding the traffic to the wired network. After client authentication is complete, the AP adds the respective VLAN tag and forwards the client traffic directly to the wired network. This explains why it is necessary to configure the tagged VLANs on all switch ports connect
14. [Screenshot: terminal client serial port settings: Data bits, Parity, Stop bits, Flow control]
   4. Click OK or Open to connect (depending on your terminal client).
   5. At the Please Login prompt, enter the admin login name (default: admin) and password (default: admin). You are now logged into ZoneDirector with limited privileges. As a user with limited privileges, you can view a history of previously executed commands and ping a device. If you want to run more commands, you can switch to privileged mode by entering enable at the root prompt. To view a list of commands that are available at the root level, enter help or ?.
   For more information on using the CLI, see the Ruckus Wireless ZoneDirector Command Line Interface Reference Guide, available from http://support.ruckuswireless.com.
   Using the ZoneDirector Web Interface
   The ZoneDirector Web interface consists of several interactive components that you can use to manage and monitor your Ruckus Wireless WLANs (including ZoneDirector and all APs).
   Table 12. Components of the ZoneDirector Web interface
   - Dashboard: When you first log into your ZoneDirector using the Web interface, the Dashboard appears, displaying a number of widgets containing indicators and tables that summarize the network and its current status. Each indicator, gauge or table provides links
15. [Screenshot: WLAN configuration form. Fields shown: usage type (Hotspot Service (WISPr), Hotspot 2.0, Autonomous), Authentication Options, Encryption Options, Web Authentication (captive portal), Authentication Server, Wireless Client Isolation, Zero-IT Activation, Priority, Advanced Options]
   Managing Guest Access
   In This Chapter: Configuring Guest Access; Configuring System-Wide Guest Access Policies; Working with Guest Passes; Generating and Printing a Single Guest Pass; Generating and Printing Multiple Guest Passes at Once; Monitoring Generated Guest Passes; Configuring Guest Subnet Access; Customizing
16. When the tests are complete, the results appear below the Start button. Downlink and uplink throughput results are displayed, along with packet loss percentages.
   Figure 186. The SpeedFlex interface
   Figure 187. Click the download link for the target client's operating system
   Figure 188. A progress bar appears as SpeedFlex measures the wireless throughput
   Figure 189. When the test is complete, the tool shows the uplink and downlink throughput and packet loss percentage
   Using SpeedFlex in a Multi-Hop Smart Mesh Network
   SpeedFlex can also be used to measure multi-hop throughput between APs and ZoneDirector in a mesh tree. For example, if you have a mesh tree that is three hops deep (i.e., ZoneDirector -> Root AP -> Mesh AP 1 -> Mesh AP 2), SpeedFlex can measure the total throughput between ZoneDirector and Mesh AP 2. Running the Multi-Hop SpeedFlex tool return
17. [Chart: Estimated capacity, Downlink Throughput and Uplink Throughput, with selectable intervals of 10 mins, 1 hour and 1 day]
   Monitoring Wired Clients
   You can also monitor currently connected wired clients using the Monitor > Active Wired Clients page. Note that connected devices will only be displayed when 802.1X is enabled on the Ethernet port to which they are connected. The Clients table lists the wired client's MAC address, user name or IP address, the AP it is connected to, the port number, VLAN and authorization status. Click the delete button to remove the entry of the wired client. The Events/Activities table displays recent connection and authentication events related to wired clients only.
   Monitoring Access Point Status
   ZoneDirector provides several different features for monitoring the status and performance of your APs. The following are three ways you can quickly locate information on the APs that ZoneDirector is managing:
   - Open the Dashboard for a snapshot of the most active APs. Click the MAC address link of any AP record to see more details.
   - Go to Monitor > Map View and click a radio frequency to see a "heat map" rendering of the current RF coverage.
   - Go to Monitor > Access Points and review the usage and coverage of your APs. Click the MAC address link of any listed APs to see more details.
   Using the AP Status Overview Page
   The Monitor
18. Enabling Smart Redundancy
   ZoneDirector's Smart Redundancy feature allows two ZoneDirectors to be configured as a redundant pair, with one unit actively managing your ZoneFlex network while the other serves as a backup in standby mode, ready to take over if the first unit fails or loses power.
   Each ZoneDirector will either be in active or standby state. If the active ZoneDirector fails, the standby device becomes active. When the original active device recovers, it automatically assumes the standby state as it discovers an already active ZoneDirector on the network.
   The ZoneDirector in active state manages all APs and client connections. The ZoneDirector in standby state is responsible for monitoring the health of the active unit and periodically synchronizing its settings to match those of the active device. The ZoneDirector in standby state will not respond to Discovery requests from APs, and changing from active to standby state will release all associated APs.
   When failover occurs, all associated APs will continue to provide wireless service to clients during the transition, and will associate to the newly active ZoneDirector within approximately one minute.
   NOTE: This feature is only available using two ZoneDirectors of the same model and number of licensed APs. You cannot enable Smart Redundancy using a ZoneDirector 3000 as the primary and a ZoneDirector 1100 as the backup un
19. Setting the Venue Name for a Hotspot 2.0 AP
   See Configuring Hotspot 2.0 Venue Settings for an AP on page 203 for instructions on setting AP venue names for individual APs.
   Working with Dynamic Pre-Shared Keys
   Dynamic PSK is a unique Ruckus Wireless feature that enhances the security of normal Pre-shared Key (PSK) wireless networks. Unlike typical PSK networks, which share a single key amongst all devices, a Dynamic PSK network assigns a unique key to every authenticated user. Therefore, when a person leaves the organization, network administrators do not need to change the key on every device.
   Dynamic PSK offers the following benefits over standard PSK security:
   - Every device on the WLAN has its own unique Dynamic PSK (DPSK) that is valid for that device only.
   - Each DPSK is bound to the MAC address of an authorized device; even if that PSK is shared with another user, it will not work for any other machine.
   - Since each device has its own DPSK, you can also associate a user (or device) name with each key for easy reference.
   - Each DPSK may also have an expiration date; after that date, the key is no longer valid and will not work.
   - DPSKs can be created and removed without impacting any other device on the WLAN.
   - If a hacker manages to crack the DPSK for one client, it does not expose the other devices which a
20. Setting Up Email Alarm Notifications
   If an alarm condition is detected, ZoneDirector will record it in the event log. If you prefer, an email notification can be sent to a configured email address of your choosing. To activate this option, follow these steps:
   1. Go to Configure > Alarm Settings. The Email Notification form appears.
   2. To enable email notification, select the Send an email message when an alarm is triggered check box.
   3. Configure the settings listed in Table 15.
   Table 15. SMTP settings for email notification
   SMTP Setting: Description
   - Email address: Type the email address to which ZoneDirector will send alarm messages. You can send alarm messages to a single email address.
   - From email address: Type the email address from which ZoneDirector will send alarm messages.
   - SMTP Server Name: Type the full name of the server provided by your ISP or mail administrator. Often, the SMTP server name is in the format smtp.company.com. For Hotmail addresses, the SMTP server name is smtp.live.com.
   - SMTP Server Port: Type the SMTP port number provided by your ISP or mail administrator. Often, the SMTP port number is 25 or 587. The default SMTP port value is 587.
   - SMTP Authentication Username: Type the user name provided by your ISP or mail administrator. This migh
21. - Passphrase: Replace the current passphrase with a new one to help lower the risk of unauthorized access.
   4. Click OK to apply any changes.
   Switching to a Different Security Mode
   You also have the option of replacing the default internal WLAN's Open authentication / WPA encryption mode with one of several other modes:
   - Open Auth / WEP encryption: Least security; only use if necessary to support older WEP-only client devices.
   - Open Auth / WPA encryption: Less security than WPA2, but better than WEP.
   - Open Auth / WPA2 encryption: The recommended configuration for modern wireless clients.
   - Open Auth / WPA Mixed encryption: Allows both WPA and WPA2 devices on the same WLAN. Use this option only if older WPA devices cannot be upgraded to WPA2.
   - 802.1X EAP Auth / Any encryption: Authentication to an AAA server (RADIUS or Local Database) using the IEEE 802.1X authentication protocol.
   - MAC Auth / Any encryption: Authentication by MAC address. Provides limited security due to ease of MAC address spoofing.
   - 802.1X EAP MAC Auth / Any encryption: Allows clients to connect using either MAC address or 802.1X authentication.
   To change the security mode for an existing WLAN:
   1. Go to Configure > WLANs.
   2. When the WLANs workspace appears, you will want to review and then change the security options for the internal network. To start, click Edit in the Internal WLAN r
22. suspended or terminated at any time for any reason.
   If the user clicks the Register Device button, the web page will be redirected to the WLAN Connection Activation page, from which the user can enter user name and password to activate this device. A Zero-IT activation file is generated for download once the client is registered with ZoneDirector.
   Figure 152. Activate device using the WLAN Connection Activation screen and download activation file
   After running the downloaded Zero-IT file, the device will be configured with the settings to automatically connect to the secure internal/corporate WLAN.
   NOTE: You may need to manually switch from the guest WLAN to the secure WLAN after activation on some mobile devices.
   NOTE: You may need to manually delete any previously installed Zero-IT activation files before a new one can be run. On some devices, including some Android versions, the activation file will not run if an older existing package of the same name with a conflicting signature is already installed.
   Guest Pass Activation
   This type of access requires users to enter a guest pass code when connecting. By default, all of your internal corporate users are allowed to issue temporary day-use guest passes for visitors and contractors. Temporary guest passes can be issued for single users, multipl
23. - Zero-IT Activation: Enable this option to activate ZoneDirector's share in the automatic "new user" process, in which the new user's PC is easily and quickly configured for WLAN use. For more information, see Enabling Automatic User Activation with Zero-IT on page 234.
   - Dynamic PSK: Dynamic PSK is available when you have enabled Zero-IT Activation. When a client is activated, ZoneDirector provisions the user with a pre-shared key. This per-user key does not expire by default. If you want to set an expiration for Dynamic PSKs, you can do so from the drop-down menu further down the page. For more information, see Working with Dynamic Pre-Shared Keys on page 172.
   - Priority: Set the priority of this WLAN to Low if you would prefer that other WLAN traffic takes priority. For example, if you want to prioritize internal traffic over guest WLAN traffic, you can set the priority in the guest WLAN configuration settings to Low. By default, all WLANs are set to high priority.
   Advanced Options
   The advanced options can be used to configure special WLANs; for example, you might want to create a special WLAN for VoIP phone use only, or create a student WLAN that should be time-controlled to provide access only during school hours.
   - Accounting Server: If you added a RADIUS Accounting server on the AAA servers page, select the RADIUS Accounting server from the drop-down list, and then set th
25. Introducing Ruckus Wireless ZoneDirector: Ensuring That APs Can Communicate with ZoneDirector
How to Ensure that APs Can Discover ZoneDirector on the Network
If you are deploying the APs and ZoneDirector on different subnets, you have three options for ensuring successful communication between these two devices:
• Option 1: Perform Auto Discovery on Same Subnet, then Transfer the AP to Intended Subnet
• Option 2: Customize Your DHCP Server
• Option 3: Register ZoneDirector with a DNS Server
If the AP and ZoneDirector Are on the Same Subnet
If you are deploying the AP and ZoneDirector on the same subnet, you do not need to perform additional configuration. Simply connect the AP to the same network as ZoneDirector. When the AP starts up, it will discover and attempt to register with ZoneDirector. Approve the registration request if auto approval is disabled.
Option 1: Perform Auto Discovery on Same Subnet, then Transfer the AP to Intended Subnet
If you are deploying the AP and ZoneDirector on different subnets, let the AP perform auto discovery on the same subnet as ZoneDirector before moving the AP to another subnet. To do this, connect the AP to the same network as ZoneDirector. When the AP starts up, it will discover and attempt to register with ZoneDirector. Approve the registration request if auto approval is disabled. After the AP registers with ZoneDirector successfully, transfer it to its intended
26. Default addresses (AP default IP address / ZoneDirector default IP address):
• IPv4: 192.168.0.1 / 192.168.0.2
• IPv6: fc00::1 / fc00::2
DNS Address can be configured manually or obtained automatically by the DHCPv6 client.
NOTE: If you switch from IPv4 to IPv6, you will need to manually change a number of settings that may have previously been configured, such as Access Control Lists (ACLs), AAA server addresses, Syslog server, SNMP trap receiver, etc.
When IPv6 is enabled, the other fields where IP addresses are entered (such as Additional Management Interface) automatically change to allow entry of IPv6 format addresses, as shown in Figure 24.
Note that some features are not supported when in IPv6 mode. Specifically, internal DHCP server, LAN rogue AP detection, DHCPv6 vendor-specific options, Aeroscout RFID tag detection, SSL certificate generation, UPnP, remote access to ZD, and L2TP and WISPr in standalone APs are not supported when in IPv6 mode.
Figure 24. Enabling IPv6 automatically changes other fields to allow IPv6 addresses [screenshot of the Device IP Settings section]
27. Connected, the new AP is activated and ready for use.
NOTE: Use Map View (on the Monitoring tab) to place the marker icons of any newly approved APs. See "Evaluating and Optimizing Network Coverage" on page 230 for more information.
Figure 108. The Monitor > Access Points page [screenshot of the Currently Managed APs table, showing each AP's MAC address, device name, status and IP address]
28. If you want to allow or restrict subnet access based on the application, protocol, or destination port used, click the Advanced Options link, and then configure the settings.
7. Click OK to save the subnet access rule. Repeat Steps 2 to 7 to create up to 22 subnet access rules.
Figure 161. The Restricted Subnet Access options [screenshot]. The on-screen text reads:
Restricted Subnet Access: Guest users are automatically blocked from the subnets to which ZoneDirector and its managed APs are connected. If there are other subnets on which you want to block or allow guest users, you can create and configure up to 22 guest access rules below. Note that guest access rules are prioritized in the order that they are listed (1 has highest priority). Hint: Layer 3 APs are typically on subnets different from the ZoneDirector subnet.
Order | Type | Destination Address | Application | Protocol | Destination Port
1 | Deny | 192.168.0.101/24 | Any | Any | Any
2 | Deny | 10.0.0.0/8 | Any | Any | Any
3 | Deny | 172.16.0.0/12 | Any | Any | Any
4 | Deny | 192.168.0.0/16 | Any | Any | Any
5 | Allow | 192.168.0.1/16 | HTTP | TCP (6) | 80
Web Portal Logo: Upload your logo to show it on the Web portal pages. The recommended image size
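Because guest access rules are evaluated in listed order, a broad rule placed early can make a later, narrower rule unreachable. The following added example (not from the Ruckus guide) models an ordered rule list and reports such shadowed rules; the rule set is constructed, modelled on the rows in Figure 161, and "first matching rule decides" is an assumption drawn from the "1 has highest priority" wording. The Application column is left out of the model.

```python
"""Model an ordered guest subnet access rule list and flag shadowed rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    order: int            # position in the list; 1 has highest priority
    action: str           # "Deny" or "Allow"
    destination: str      # CIDR notation; host bits are tolerated
    protocol: str = ANY   # e.g. "TCP", or ANY
    port: object = ANY    # destination port number, or ANY

    @property
    def network(self):
        # strict=False accepts entries such as 192.168.0.101/24
        return ip_network(self.destination, strict=False)


# Constructed rule set, modelled on the rows shown in Figure 161.
RULES = [
    Rule(1, "Deny", "192.168.0.101/24"),
    Rule(2, "Deny", "10.0.0.0/8"),
    Rule(3, "Deny", "172.16.0.0/12"),
    Rule(4, "Deny", "192.168.0.0/16"),
    Rule(5, "Allow", "192.168.0.1/16", "TCP", 80),
]


def _covers(general, specific):
    """True when the field value `general` matches everything `specific` does."""
    return general == ANY or general == specific


def first_match(rules, dst_ip, protocol, port):
    """Return the first rule (by order) matching the flow, or None."""
    addr = ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.order):
        if (addr in rule.network
                and _covers(rule.protocol, protocol)
                and _covers(rule.port, port)):
            return rule
    return None  # assumption: behaviour for unmatched traffic is not modelled


def shadowed_rules(rules):
    """Return (later_order, earlier_order) pairs where the later rule can never match."""
    ordered = sorted(rules, key=lambda r: r.order)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (later.network.subnet_of(earlier.network)
                    and _covers(earlier.protocol, later.protocol)
                    and _covers(earlier.port, later.port)):
                findings.append((later.order, earlier.order))
                break
    return findings


if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"rule {later} is shadowed by rule {earlier}")
```

In this constructed set the Allow rule at position 5 is never reached, so an exception like it has to be listed above the broader Deny rules to take effect.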
29. • Service Type: hardcoded to be Framed User (2)
• 8 Framed IP address
• 30 Called Station ID: user configurable
• 31 Calling Station ID: format is sta's mac
• 32 NAS Identifier: user configurable
• 44 Account session ID
• Ruckus private attribute: Vendor ID 25053; Vendor Type / Attribute Number 3: Ruckus SSID
• WISPr vendor specific attribute (vendor id 14122):
  • 1 WISPr location id
  • 2 WISPr location name
  • 4 WISPr redirection URL
  • 7 WISPr Bandwidth Max Up: Maximum transmit rate (bits/second)
  • 8 WISPr Bandwidth Max Down: Maximum receive rate (bits/second)
• 80 Message Authenticator
RADIUS Accounting attributes
The following table lists attributes used in RADIUS accounting messages.
Table 18. RADIUS attributes used in Accounting
WLAN Type: 802.1X / MAC Auth
Common to Start, Interim Update, and Stop messages:
• 1 User Name
• 4 NAS IP Address
• 5 NAS Port
• 8 Framed IP
• 30 Called Station ID: user configurable
• 31 Calling Station ID: format is sta's mac
• 32 NAS Identifier: user configurable
• 40 Status Type: start, stop, interim update
• 45 Authentic: radius auth (1)
• 50 Acct Multi Session ID
• 61 NAS Port Type: hard-coded to be 802.11 port (19)
• 77 Connection Info: indicates client radio type
• 25 Class: if received in radius accept message from AAA
• Rucku
30. [Screenshots of the WLAN advanced options. The on-screen options read:]
• Tunnel Mode: Tunnel WLAN traffic to ZoneDirector (recommended for VoIP clients and PDA devices)
• Proxy ARP: Enable Proxy ARP
• Background Scanning: Do not perform background scanning for this WLAN service. (Any radio that supports this WLAN will not perform background scanning.)
• Load Balancing: Do not perform client load balancing for this WLAN service. (Applies to this WLAN only. Load balancing may be active on other WLANs.)
• Max Clients: Allow only up to 100 clients per AP radio to associate with this WLAN
• 802.11d: Support for 802.11d (only applies to radios configured to operate in 2.4 GHz band)
• DHCP Option 82: Enable DHCP Option 82
• Force DHCP: Enable Force DHCP, disconnect client if client does not obtain valid IP in 10 seconds
• Client Tx/Rx Statistics: Ignore unauthorized client statistics
• Client Fingerprinting: Enable Client Fingerprinting
• Service Schedule: Always on / Always off / Specific
• Auto-Proxy
• Inactivity Timeout
Figure 89. Configuring WLAN service schedule
31. Upgrade, click that button to start the upgrade process. The network will be restored automatically when the upgrade process is complete.
Performing an Upgrade with Smart Redundancy
If you have two ZoneDirectors in a Smart Redundancy configuration, the procedure is similar. Note, however, that the active and standby ZoneDirectors will reverse roles during an upgrade.
To upgrade both ZoneDirectors in a Smart Redundancy configuration:
1. Log in to the active ZoneDirector or the shared Management Interface.
CAUTION: Do not attempt to manually upgrade the standby ZoneDirector first, followed by the active unit. If you do this, some configuration options may get lost during the upgrade process. Be sure to begin the upgrade process from either the active ZoneDirector's Web interface or the shared Management interface.
2. Go to Administer > Upgrade.
3. Under the Software Upgrade section, click Browse. The Browse dialog box appears.
4. Browse to the location where you saved the upgrade package, and then click Open.
5. When the upgrade file name appears in the text field, the Browse button becomes the Upgrade button.
6. Click Upgrade. The backup ZoneDirector is upgraded first.
7. When the backup ZoneDirector upgrade is complete, the backup ZoneDirector reboots and becomes active (begins accepting AP requests), while the original active ZoneDirector enters backup state and begins its own upgrade process.
8. All APs are
32. "Using an External AAA Server" on page 115.
Activating Web Authentication
Web authentication (also known as a "captive portal") redirects users to a login Web page the first time they connect to this WLAN, and requires them to log in before granting access to use the WLAN. After you activate Web authentication on your WLAN, you must then provide all users with a URL to your login page. After they discover the WLAN on their wireless device or laptop, they open their browser, connect to the Login page, and enter the required login information.
To activate Web authentication:
1. Go to Configure > WLANs. The WLAN page appears.
2. Look for the WLAN that you want to edit, and then click the Edit link that is on the same row.
3. When the Editing (WLAN Name) form appears, locate the Web Authentication option. See Figure 146.
4. Click the check box to Enable captive portal/Web authentication.
5. Select the preferred authentication server from the Authentication Server drop-down menu.
6. Click OK to save this entry.
Repeat this "enabling" process for each WLAN to which you want to apply Web authentication.
Figure 146. Activating captive portal/Web authentication [screenshot of the WLAN editing form]
33. per RFC, this is between 1 and 4094
WLAN Type: WISPr / Web Auth / Guest Access
Common to Start, Interim Update, and Stop messages:
• 1 User name
• 2 Password
• 4 NAS IP address
• 5 NAS port
• 8 Framed IP
• 30 Called station ID: user configurable
• 31 Calling station ID
• 32 NAS Identifier: user configurable
• 45 Acct authentic
• 50 Acct Multi Session Id
• 61 NAS port type
• 77 Connection Info: indicates client radio type
• Ruckus private attribute: Vendor ID 25053; Vendor Type / Attribute Number 3: Ruckus SSID
Additional attributes supported in WISPr WLANs:
• WISPr vendor specific attributes (vendor id 14122):
  • 1 WISPr location id
  • 4
Table 18. RADIUS attributes used in Accounting (continued)
WLAN Type: WISPr / Web Auth / Guest Access
Specific to Interim Update and Stop messages:
• 42 Acct input octets
• 43 Acct output octets
• 44 Acct session ID
• 46 Acct session time
• 48 Acct output packets
• 47 Acct input packets
• 52 Acct input giga words
• 53 Acct output giga words
• 55 Event timestamp
• Ruckus private attribute: Vendor ID 25053; Vendor Type / Attribute Number 2: Ruckus Sta RSSI
Additional attributes supported in WISPr WLANs:
• WISPr vendor specific attributes (vendor id 14122):
  • 1 WISPr location id
  • 2 WISPr locatio
34. [Screenshot of the All Events/Activities table: low-severity entries dated 2013/06/11 recording users joining, leaving, disconnecting from and roaming between APs in WLAN Rhastah1, and an admin login]
35. 3. Select one of the following:
• Enable IPv6 Support: By default, ZoneDirector operates in IPv4 mode. If your network uses IPv6, select Enable IPv6 Support and enter configuration settings for either IPv6 only or dual IPv4/IPv6 support. See "IPv6 Configuration" below for more information.
• Manual: If you select Manual, enter the correct information in the now-active fields (IP Address, Netmask, and Gateway are required).
• DHCP: If you select DHCP, no further information is required.
4. Click Apply to save your settings. You will lose connection to ZoneDirector.
5. To log back into the Web interface, use the newly assigned IP address in your Web browser, or use the UPnP application to rediscover ZoneDirector.
IPv6 Configuration
ZoneDirector supports IPv6 and dual IPv4/IPv6 operation modes. If both IPv4 and IPv6 are used, ZoneDirector will keep both IP addresses. Ruckus ZoneFlex APs operate in dual IPv4/v6 mode by default, so you do not need to manually set the mode for each AP. If you enable IPv6, you have the option to manually configure an IP address in IPv6 format (128 bits, separated by colons instead of decimals) or to choose Auto Configuration. If you choose Manual, you will need to enter IP Address, Prefix Length, and Gateway.
Table 13. Default static IPv4 and IPv6 addresses
36. 3. Select Local Mode to save the packet capture to a local file.
4. Click Start to begin capturing packets. Click Stop to end the capture, and click Save to save the packet capture to a local file.
5. Extract the pcap file(s) from the pcap zip file and open in Wireshark or other packet analyzer.
Streaming Mode
To view streaming packets in real time using Wireshark's remote capture:
1. Choose 2.4 GHz or 5 GHz radio.
2. Select the AP you want to view and click Add to Capture APs.
3. Select Streaming Mode and click Start.
4. Launch Wireshark.
5. Go to Capture Options.
6. Under Capture Interface, select Remote. A Remote Interface dialog appears.
7. In Host, enter the IP address of the AP you want to view. Leave the Port field empty and click OK.
8. The remote host interface list on the right updates. Select wlan100 from the list if you are streaming on the 2.4 GHz radio, or select wlan101 if streaming on the 5 GHz radio.
9. Click Start. Wireshark displays the packet stream in a new window.
Figure 197. Add APs from Currently Managed APs list to Capture APs list [screenshot of the Packet Capture section]
37. 33 (hex value 0x21). You will need this information when you configure DHCP Option 43 for both FlexMaster and ZoneDirector. To calculate the length field conversion from decimal to hexadecimal, you can use an online conversion Web site, such as http://www.easycalculation.com/decimal-converter.php, to perform the conversion.
The table below lists the sub-option code, FlexMaster URL, and ZoneDirector IP address that are used as examples in this procedure, along with their lengths in decimal and hexadecimal values.
Table 10. URL, IP address, and Sub-option values that are used as examples in this procedure
Item | URL/IP Address | Decimal Length | Hexadecimal Length | Sub-option Code
FlexMaster server URL | http://192.168.10.1/intune/server | 33 | 21 | 01
ZoneDirector IP Address | 192.168.10.2 | 12 | 0C | 03
Most commonly used DHCP servers, such as Microsoft DHCP and ISC DHCP servers, support vendor class DHCP option spaces and mapping of those option spaces to option 60. While you can achieve encapsulating TLVs in option 43 by hard-coding the DHCP option 43 value, Ruckus Wireless recommends using vendor class option spaces, especially when you have more than one vendor type on the network and need option 43 to be supported for different vendor type DHCP clients. The following example describes how you can encapsulate option 43 using DHCP vendor class optio
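The sub-option code, length and value in Table 10 form one TLV each inside option 43. The following added example (not from the Ruckus guide) encodes the two table entries, decodes a payload defensively, and reports any advertised ZoneDirector address that is not on an expected list; treating each value as an ASCII string is an assumption consistent with the lengths 33 and 12 given in the table, and `unexpected_controllers` is a hypothetical helper name.

```python
"""Encode, decode and check the DHCP Option 43 sub-options from Table 10."""

# Sub-option codes as listed in Table 10 of the guide.
SUBOPT_FLEXMASTER_URL = 0x01
SUBOPT_ZONEDIRECTOR_IP = 0x03

# Example values from Table 10.
FLEXMASTER_URL = "http://192.168.10.1/intune/server"
ZONEDIRECTOR_IP = "192.168.10.2"


def encode_suboption(code, value):
    """Return one TLV: 1-byte code, 1-byte length, ASCII value (assumed encoding)."""
    data = value.encode("ascii")
    if not 0 <= code <= 0xFF:
        raise ValueError("sub-option code must fit in one byte")
    if len(data) > 0xFF:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([code, len(data)]) + data


def encode_option43(suboptions):
    """Concatenate (code, value) pairs into a single option 43 payload."""
    payload = b"".join(encode_suboption(code, value) for code, value in suboptions)
    if len(payload) > 0xFF:
        raise ValueError("option 43 payload longer than 255 bytes")
    return payload


def decode_option43(payload):
    """Parse a payload into (code, value) pairs, rejecting truncated TLVs."""
    pairs = []
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[offset], payload[offset + 1]
        value = payload[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option value shorter than its length field")
        pairs.append((code, value.decode("ascii")))
        offset += 2 + length
    return pairs


def unexpected_controllers(payload, allowed_ips):
    """Return ZoneDirector addresses in the payload that are not in allowed_ips."""
    return [value for code, value in decode_option43(payload)
            if code == SUBOPT_ZONEDIRECTOR_IP and value not in allowed_ips]


if __name__ == "__main__":
    option43 = encode_option43([
        (SUBOPT_FLEXMASTER_URL, FLEXMASTER_URL),
        (SUBOPT_ZONEDIRECTOR_IP, ZONEDIRECTOR_IP),
    ])
    print(option43.hex())
    print(decode_option43(option43))
    print(unexpected_controllers(option43, {"192.168.10.2"}))
```

Running the decoder over option 43 values seen in DHCP captures and comparing the result with the intended controller address is a quick way to spot a misconfigured or unauthorized DHCP scope.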
38. 802.1X on ZoneFlex 7025 ports when mesh is enabled, you must configure each AP individually.
AP Ethernet Port as Authenticator
The Access Point acts in many ways similar to a wireless switch. On APs with two or more wired ports, the AP acts as a network edge switch and can be configured to authenticate downstream wired stations (which can even be another edge switch). When the AP Ethernet port is configured as an 802.1X authenticator, it can be further defined as either Port-based or MAC-based. MAC-based authenticator mode is only supported if the port is an Access Port.
Figure 114. Authenticator support vs. Port Type
Mode | Trunk Port | Access Port | General Port
Port-based mode | X | X | X
MAC-based mode | | X |
To configure an AP Ethernet port as an 802.1X authenticator:
1. Go to Configure > Access Points, and click the Edit link next to the AP whose ports you want to configure.
2. Locate the Port Setting section and select Override Group Config. The screen changes to display the AP's Ethernet ports.
3. For Type, select Access Port.
4. For 802.1X, select Authenticator (MAC-based) or Authenticator (Port-based).
• In Port-based mode, only a single MAC host must be authenticated for all hosts to be granted access to the network.
• In MAC-based mode, each MAC host is individually authenticated. Each newly learned MAC address triggers an EAPOL request-identify frame.
Gues
39. [Screenshot of an AP syslog excerpt dated Oct 31: a Root AP accepting a Mesh AP connection, and the Mesh AP joining, cold booting and connecting to the Root AP]
Packet Capture and Analysis
The Packet Capture feature puts one or more APs into packet sniffer mode, allowing them to capture packets and either save them to a local file or stream them to a packet inspection program such as Wireshark for later analysis.
• Local Capture
• Streaming Mode
NOTE: Performing packet capture on the 5 GHz radio of a Mesh AP (MAP) can result in connectivity issues due to the AP's use of the 5 GHz radio for all Mesh communications. Therefore, Ruckus recommends performing packet capture only on the 2.4 GHz radio of a Mesh AP. Root APs and eMAPs do not have this limitation, and packet capture can be performed on either radio.
The local capture mode stores packet data from a single capture session in two files using a "ping-pong" method. On 11n APs, each f
40. APs
• Sensor Information: Displays AP orientation and temperature details as reported by the AP's internal sensors (not supported on all APs). See "Orientation" below for more information.
• Clients: Displays a list of the currently connected clients. Action icons can be used to configure or troubleshoot a client from this list.
• Events: Displays an AP-related subset of the All Events/Activities table.
Figure 129. Viewing an individual AP's information [screenshot of the Access Point Information page: General Info, WLANs, radio and LAN port details for one AP]
41. Access Control: This table lists the specific IP addresses which are allowed access to the ZoneDirector. Click Create New to add another IP address, or click Edit to make changes to an existing entry.
Viewing DHCP Clients
To view a list of current DHCP clients, click the "click here" link at the end of the "To view all currently assigned IP addresses that have been assigned by the DHCP server" sentence. A table appears and lists all current DHCP clients with their MAC address, assigned IP address, and the remaining lease time. You can clear DHCP leases on ZoneDirector by disabling and re-enabling the DHCP service.
Figure 32. To view current DHCP clients, click the "click here" link [screenshot of the DHCP Server and Management Access Control sections]
42. Access Points.
2. When the Access Points page appears, review the Currently Managed APs for specific AP settings, especially the Channel and Clients columns.
3. Click on the MAC address of any AP to view detailed information about the AP, such as associated clients, channel, signal strength, neighbor APs, and warnings/events associated with the AP.
4. If you want to make changes to individual AP settings, proceed to the next task.
Adjusting AP Settings
1. Go to Configure > Access Points.
2. Review the Access Points table and identify an AP that you want to adjust.
3. Click the Edit button in that AP row.
4. Review and adjust any of the following Editing (AP) options:
NOTE: Some options are read-only depending on the approval status.
• Channelization: Choose 20/40 MHz or Auto channel width (11n APs only).
• Tx Power: Choose the amount of power allocated to this channel. The default setting is Auto, and your options range from Full to Min.
• Mesh Mode: Use this setting to manually configure this AP's Mesh role (Root AP, Mesh AP, or Disable). Default is Auto.
• Uplink Selection: Use this setting to manually define which APs can serve as an uplink for this Mesh AP.
5. Click OK. The adjusted AP will be automatically restarted, and when it is active, will be ready for network connections.
Prioritizing WLAN Traffic
If you want to prioritize internal
43. Access Points page provides an overview of currently managed APs and consists of two tables: Currently Managed APs and Events/Activities. Both sections list the first 15 entries by default, and can be expanded using the Show More button. Click on the MAC address, device name, or user name for more detailed information on the specific AP or client.
Currently Managed APs
The Currently Managed APs table includes the following information:
Table 29. Currently managed APs (Heading: Description)
• MAC Address: The AP's MAC address. Click this link to view details specific to this AP.
• Device Name: The AP's name. This can be modified on the Configure > Access Points page by clicking the Edit link next to the AP's MAC address.
• Description: The AP's description. This can be modified on the Configure > Access Points page by clicking the Edit link next to the AP's MAC address.
• Location: The AP's location. This can be modified on the Configure > Access Points page by clicking the Edit link next to the AP's MAC address.
• Model: The ZoneFlex model number.
• Status: Displays the current status of the AP from ZoneDirector's perspective: Approval Pending; Connected; Disconnected; Root AP; Mesh AP; eMesh AP; Number of hops.
• Mesh Mode: Displays whether the AP is manually set as a Root or Mesh AP, or set to automatically choose Mesh mode.
• IP Address: The IP address of the AP.
• External IP:Port
44. 1. The PPI 802.11-Common Header antenna signal and antenna noise fields of packets transmitted by the AP contain the next-to-lowest byte and the lowest byte, respectively, of the antenna pattern used to transmit the packet. On some APs, the pattern value may contain more significant bits, which are not stored in this header. If the packet is 802.11n, it will also contain the full antenna pattern value in the header described below.
2. The PPI 802.11n MAC+PHY Header EVM 3 field of packets transmitted by the AP contains the full antenna pattern used to transmit the packet, similar to above, except this 32-bit field can accommodate the complete value.
3. The PPI 802.11n MAC+PHY Header MAC Flags field's upper bits convey additional TX and RX descriptor indicators, described in the table below.
Table 37. Ruckus-defined indicators conveyed in MAC Flags
TX Indicator | Bit | RX Indicator
Sounding (0=not, 1=yes) | 31 | Sounding (0=not, 1=yes)
TxBF (0=not applied, 1=yes) | 30 | unassigned
Ness (ext spatial streams) | 28-29 | Ness (ext spatial streams)
STBC (0=not applied, 1=yes) | 27 | STBC (0=not applied, 1=yes)
LDPC (0=not applied, 1=yes) | 26 | LDPC (0=not applied, 1=yes)
LDPC indicator valid | 25 | LDPC indicator valid
unassigned | 24 | unassigned
RTS HTC TRQ | 23 | HW Upload Data
RTS HTC MRQ | 22 | HW Upload Data Valid
RTS HTC MSI | 20-21 | HW Upload Data Type
RTS enabled | 19 | unassigned
Calibrating | 18 | unassigned
Limit
45. [Screenshot residue: prompts to choose an intermediate certificate to import, install it and reboot, or import the next intermediate certificate]
SSL Certificate Advanced Options
The Advanced Options section allows you to perform additional certificate management functions. These include the following:
• Restore the factory default certificate and private key: This deletes any certificate and private key that was imported.
• Back up the current private key and certificate by downloading them for disaster recovery or for use on another ZoneDirector. If your ZoneDirector is replaced due to an RMA, you will need to restore the private key if you have installed a public certificate. Ensure that the private key is kept secure, because the security of your SSL communications depends on it.
• Back up certificates for Smart Redundancy: If you have two ZoneDirectors in a Smart Redundancy configuration, you can install the same SSL certificate/private key pair on both devices. In this way, you can access the shared virtual management interface advertised in DNS for the same FQDN without seeing the security warning. If you wish to also use certificates in a Smart Redundancy configuration with captive portals such as Guest Access, Web Portal, and Hotspot, see "Wildcard Certificate Installation" on page 304.
• Generate a new private key, with a specified key length (either 1024 or 2048 bits). Use this option if your previous private key has been
46. Click the Create New link under Authentication/Accounting Servers.
Select Radius or Radius Accounting for the AAA server type.
Choose PAP or CHAP according to the authentication protocol used by your RADIUS server.
Enter the IP Address, Port number, and Shared Secret.
Click OK to save changes.
Configuring a Backup RADIUS / RADIUS Accounting Server
If a backup RADIUS or RADIUS Accounting server is available, enable the check box next to Backup RADIUS, and additional fields appear. Enter the relevant information for the backup server and click OK. When you have configured both a primary and backup RADIUS server, an additional option will be available in the Test Authentication Settings section to choose to test against the primary or the backup RADIUS server.
To configure a backup RADIUS / RADIUS Accounting server:
1. Click the check box next to Enable Backup RADIUS support.
2. Enter the IP Address, Port number, and Shared Secret for the backup server (these fields can neither be left empty nor be the same values as those of the primary server).
In Request Timeout, enter the timeout period (in seconds) after which an expected RADIUS response message is considered to have failed.
In Max Number of Retries, enter the number of failed connection attempts after which ZoneDirector will fail over to the backup RADIUS server.
In Reconnect Primary, enter
47. Configure > Access Points > Access Point Policies, the APs will reboot after the specified time. Therefore, Auto Recovery should be disabled if at least one Autonomous WLAN is configured.
There are several limitations of autonomous WLANs, including:
• ZoneDirector-displayed client statistics may be incorrect.
• Stations may be disconnected when an unreachable ZoneDirector becomes reachable again, as ZoneDirector will re-deploy all WLAN services to AP radios.
• Client capacity limits defined on ZoneDirector will not be applied on Autonomous WLAN APs, and clients may be disconnected upon reconnecting to ZoneDirector if those limits are reached.
• Zero-IT, Dynamic PSK, and Dynamic VLAN features are disabled, among others.
Authentication Method
Authentication Method defines the method by which users are authenticated prior to gaining access to the WLAN. The level of security should be determined by the purpose of the WLAN you are creating.
• Open (Default): No authentication mechanism is applied to connections. Any encryption method can be used.
• 802.1X/EAP: Uses 802.1X authentication against a user database.
• MAC Address: Uses the device's MAC address for both the user name and password.
• 802.1X EAP + MAC Address: Allows the use of both authentication methods on the same WLAN. See "Using 802.1X EAP + MAC Address Authentication" on page 124.
Encryption Opti
48. [Screenshot of the Configure > AAA Servers page: the Authentication/Accounting Servers table with an Active Directory entry and Global Catalog support enabled]
LDAP
ZoneDirector supports several of the most commonly used LDAP servers, including:
• OpenLDAP
• Apple Open Directory
• Novell eDirectory
• Sun JES (limited support)
To enable LDAP user authentication for all users:
1. Click the Edit link next to LDAP on the Configure > AAA Servers page. The Editing (LDAP) form appears.
2. Enter the IP address and Port of your LDAP server. The default port (389) should not be changed unless you have configured your LDAP server to use a different port.
3. Enter a Base DN in LDAP format for all user accounts.
• Format: cn=Users,dc=<Your Domain>,dc=com
4. Enter an Admin DN in LDAP format.
• Format: cn=Admin,dc=<Your Domain>,dc=com
5. Enter the Admin Password, and reenter to confirm.
6. Enter a Key Attribute to denote users (default: uid).
7. Click OK to
49. Default Reset Method
    If you are unable to complete a software-based resetting of ZoneDirector, you can do the following "hard" restore:
    NOTE: Do not disconnect ZoneDirector from its power source until this procedure is complete.
    1. Locate the Reset pin hole on the front panel of ZoneDirector.
    2. Insert a straightened paper clip in the hole and press for at least 5 seconds.
    After the reset is complete, the Status LED blinks red, then blinks green, indicating that the system is in factory default state. After you complete the Setup Wizard, the Status LED will be steady green.
    Working with SSL Certificates
    SSL certificates enable device or user identification, as well as secure communications. ZoneDirector captive portal services and the WebUI use an SSL certificate when establishing HTTPS connections. The default SSL certificate that is installed on the ZoneDirector is self-signed and therefore not trusted by any Web browser. This is the reason why the SSL security warnings appear when establishing an HTTPS connection to the ZoneDirector. To eliminate the security warnings, administrators may purchase a trusted SSL certificate from a public Certificate Authority (CA) such as VeriSign and install it on the ZoneDirector.
    Basic Certificate Installation
    The certificate installation process is as follows:
    • Generate a Certificate Signing Request (CSR
50. External AAA Server
    MAC Authentication with an External RADIUS Server
    To begin using MAC authentication:
    1. Ensure that a RADIUS server is configured in ZoneDirector (Configure > AAA Servers > RADIUS Server). See "Using an External AAA Server" on page 115.
    2. Create a user on the RADIUS server using the MAC address of the client as both the username and password. The MAC address format is a single string of characters without punctuation.
       Format: XXXXXXXXXXXX (not XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX)
    3. Log in to the ZoneDirector Web interface and go to Configure > WLANs.
    4. Click the Edit link next to the WLAN you would like to configure (e.g., "internal," "corporate," etc.).
    5. Under Authentication Options: Method, select MAC Address.
    6. Under Authentication Server, select your RADIUS Server.
    7. Click OK to save your changes.
    Figure 80. RADIUS authentication using MAC address [screenshot of the WLAN editing form]
51. Fallback to admin name/password if failed check box.
    4. Click Apply to save your changes.
    NOTE: If authentication with an external server is enabled and the Fallback to admin name
    To edit or replace the current name or password:
    1. Go to Administer > Preferences.
    2. When the Preferences page appears, you have the following options under Administrator Name/Password:
       • Authenticate using the admin name and password: This default option should be enabled if you are not using an external server for administrator authentication.
       • Authenticate with Auth server: Select an authentication server from the list, if you have configured one on the Configure > AAA Servers page.
         - Fallback to admin name/password if failed: Enable this check box to ensure you will be able to log in when the AAA server is unreachable.
       • Admin Name: Delete the text in this field and type the new administrator account name (used solely to log into ZoneDirector via the Web interface).
       • Password/Confirm Password: Delete the text in both fields and type the same text for a new password.
    3. Click Apply to save your settings. The changes go into effect immediately.
    Figure 175. The Preferences page [screenshot]
52. Figure 43. Enabling the SNMPv2 agent [screenshot of the SNMPv2 Agent and SNMPv3 Agent forms]
    If your network uses SNMPv3
    To enable SNMPv3 management:
    1. Go to Configure > System. Scroll down to the bottom of the page and click the Network Management link to open the Network Management section.
    2. Under the SNMPv3 Agent section, select the Enable SNMP Agent check box.
    3. Enter the following information for both the Read Only and Read-Write privileges:
       • User: Enter a user name between 1 and 31 characters.
       • Authentication: Choose MD5 or SHA authentication method (default is MD5).
         - MD5: Message-Digest algorithm 5, message hash function with 128-bit output.
         - SHA: Secure Hash Algorithm, message hash function with 160-bit output.
       • Auth Pass Phrase: Enter a passphrase between 8 and 32 characters in length.
       • Privacy: Choose DES, AES or None.
         - DES: Data Encryption Standard, data block cipher.
         - AES: Advanced Encryption Standard, data block cipher.
         - None: No Privacy passphrase is required.
       • Privacy Phrase: If either DES or AES is selecte
53. Sub-option | Type (WLAN or Ethernet) | Name | ID | ESSID | AP Model | AP Friendly Name | AP Base MAC Address
    WLAN example: CIRCUIT ID | WLAN | wlan0 | 123 | Wi-Fi Services | ZF7762-S | Coffee Shop AP | 04:4F:AA:34:96:50
    Ethernet example: CIRCUIT ID | ETH | eth0 | 123 | N/A | ZF7762-S | Coffee Shop AP | 04:4F:AA:34:96:50
    Designating Ethernet Port Type
    Ethernet ports are defined as one of the following port types:
    • Trunk Ports
    • Access Ports
    • General Ports
    Trunk links are required to pass VLAN information between switches. Access ports provide access to the network and can be configured as members of specific VLANs, thereby separating the traffic on these ports from traffic on other VLANs. General Ports are user-defined ports that can have any combination of up to 20 VLAN IDs assigned.
    For most ZoneFlex APs, you can set which ports you want to be your Access, Trunk and General Ports from the ZoneDirector Web interface, as long as at least one port on each AP is designated as a Trunk Port.
    By default, all ports are enabled as Trunk Ports with Untag VLAN set as 1 (except for ZoneFlex 7025, whose front ports are enabled as Access Ports by default). If configured as an Access Port, all untagged ingress traffic is the configured Untag VLAN, and all egress traffic is untagged. If configured as a Trunk Port, all untagged ingress traffic is the configured Untag V
54. Reviewing Current Alarms
    Reviewing Recent Network Events
    Clearing Recent Events/Activities
    Reviewing Current User Activity
    Monitoring Individual Clients
    Monitoring Wired Clients
    Monitoring Access Point Status
    Using the AP Status Overview Page
    Monitoring Individual APs
    Spectrum Analysis
    Neighbor APs
    Access Point Sensor Information
    Monitoring Mesh Status
    Detecting Rogue Access Points
    Evaluating and Optimizing Network Coverage
    Moving the APs into More Efficient Positions
    Monitoring System Ethernet Port Status
    7 Managing User Access
    Enabling Automatic User Activation with Zero-IT
    Clients that Support Zero-IT
    Self-Provisioning Clients with Zero-IT
    Self-Provisioning Clients without Ethernet Ports
    Provisioning Clients that Do Not Support Zero-IT
    Adding New User Accounts to ZoneDirector
    Int
55. If you enable ChannelFly, Background Scanning can still be used for adjusting radio power and rogue detection while ChannelFly manages the channel assignment. Both cannot be used at the same time for channel management.
    Benefits of ChannelFly
    With ChannelFly, the AP intelligently samples different channels while using them for service. ChannelFly assesses channel capacity every 15 seconds and changes channel when, based on historical data, a different channel is likely to offer higher capacity than the current channel. Each AP makes channel decisions based on this historical data and maintains an internal log of channel performance individually.
    When ChannelFly changes channels, it utilizes 802.11h channel change announcements to seamlessly change channels with no packet loss and minimal impact to performance. The 802.11h channel change announcements affect both wireless clients and Ruckus mesh nodes in the 2.4 GHz and/or 5 GHz bands.
    Initially (in the first 30-60 minutes), there will be more frequent channel changes as ChannelFly learns the environment. However, once an AP has learned about the environment and which channels are most likely to offer the best throughput potential, channel changes will occur less frequently unless a large measured drop in throughput occurs. ChannelFly can react to large measured drops in throughput capacity in as little as 15 seconds, while smaller drops in capacity may take longer to react to.
    Disadvantages o
56. Intermediate Certificates form. Click the Browse button and select the file containing the intermediate certificate (PEM format) to upload it.
       • If there are no additional intermediate certificates, click the Import button to install the uploaded certificate.
    4. Alternatively, you can simplify this process by appending the intermediate CA certificate(s) to the ZoneDirector certificate file. Then you just need to import a single file. The intermediate certificate(s) will be imported automatically. In this case, you will see multiple -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pairs in the file.
    Figure 182. Importing a signed certificate (continued) [screenshot of the Import Signed Certificate and Import Intermediate Certificates forms]
57. LED Color/Behavior and Description:
    • Solid green: This is a Root AP or eMAP, or this is a Mesh AP and is connected to a Root AP with good signal.
    • Fast blinking green: This is a Mesh AP and the Root AP signal is fair.
    • Slow blinking green: This is a Mesh AP that is currently searching for a Root AP, or this AP is currently searching for ZoneDirector.
    ZoneFlex 7363/7372/7962/7982 APs
    On ZoneFlex 7363, 7372, 7962 and 7982 APs, the 5G LED indicates the AP's mesh status. See the table below for more information.
    Figure 172. Behavior of the 5G LED
    • Fast blinking green. Root AP / eMAP: No Mesh AP is connected. Mesh AP: Disconnected from the Root AP.
    • Solid green. Root AP / eMAP: At least one Mesh AP is connected; signal quality is good. Mesh AP: Connected to a Root AP; signal quality is good.
    • Solid amber. Root AP / eMAP: At least one Mesh AP is connected; signal quality is fair. Mesh AP: Connected to a Root AP; signal quality is fair.
    Using Action Icons to Configure and Troubleshoot APs in a Mesh
    The following action icons are used to perform configuration and troubleshooting tasks on the respective AP. The icons are displayed next to APs in the Currently Managed APs table on the Dashboard. Some of the same action icons are also available on other pages, including Monitor > Access Points and Monitor > Mesh.
    Table 35 Actio
58. Restore
    Back Up Configuration: Click Back Up to save an archive file of your current ZoneDirector configuration. This archive will simplify system recovery if needed.
    Restore Configuration: If you need to restore the system configuration, click Browse, and then select the backup file that contains the settings that you want to restore.
    Restore to Factory Settings: If needed, you can restore ZoneDirector to its factory settings, which will delete all settings that you have configured. You will need to manually set up ZoneDirector again. For more information, see the online help.
    Restoring Archived Settings to ZoneDirector
    CAUTION: Restoring a backup file will automatically reboot ZoneDirector and all APs that are currently associated with it. Users associated with these APs will be temporarily disconnected; wireless access will be restored automatically after ZoneDirector and the APs have completed booting up.
    1. Go to Administer > Backup.
    2. Under Restore Configuration, click Browse.
    3. Locate a previously saved backup file, select the file, and then click Open.
    4. Three restore options appear:
       • Restore everything: Select this option if you want the device to use all the settings configured in the backup file (including the IP address, wireless settings, access control lists, AP and WLAN group configurations, etc.).
       NOTE: If you use the Restore everything option to rest
59. Setup Wizard.
    12. Go to Configure > System, enable Smart Redundancy and enter the primary ZoneDirector's IP address in Peer Device IP address.
    13. Click Apply. If an active ZoneDirector is discovered, the second ZoneDirector will assume the standby state. If an active device is not discovered, you will be prompted to retry discovery or to continue configuring the current device.
    Once Smart Redundancy has been enabled, a status link is displayed at the top of the Web interface.
    Figure 29. Smart Redundancy status link [screenshot]
60. Specific
    Priority of VLAN, Dynamic VLAN and Tunnel Mode
    If the VLAN, Dynamic VLAN and Tunnel Mode features are all enabled and they have conflicting rules, ZoneDirector prioritizes and applies these three features in the following order:
    1. Dynamic VLAN (top priority)
    2. VLAN
    3. Tunnel Mode
    How It Works
    1. User associates with a WLAN on which Dynamic VLAN has been enabled.
    2. The AP requires the user to authenticate with the RADIUS server via ZoneDirector.
    3. When the user completes the authentication process, ZoneDirector sends the join approval for the user to the AP, along with the VLAN ID that has been assigned to the user on the RADIUS server.
    4. User joins the AP and is segmented to the VLAN ID that has been assigned to him.
    Required RADIUS Attributes
    For dynamic VLAN to work, you must configure the following RADIUS attributes for each user:
    • Tunnel-Type: Set this attribute to VLAN.
    • Tunnel-Medium-Type: Set this attribute to IEEE-802.
    • Tunnel-Private-Group-ID: Set this attribute to the VLAN ID to which you want to segment this user.
    Depending on your RADIUS setup, you may also need to include the user name or the MAC address of the wireless device that the user will be using to associate with the AP. Table 21 lists the RADIUS user attributes related to dynamic VLAN.
    Table 21. RADIUS user attributes related to dynamic VLAN
61. Tag: Click this option to override the VLAN configured for the WLAN service.
    7. Click OK. The Create New form disappears and the WLAN group that you created appears in the table under WLAN Groups. You may now assign this WLAN group to an AP.
    Figure 92. WLAN group [screenshot of the WLAN Groups table]
    Assigning a WLAN Group to an AP
    1. Go to Configure > Access Points.
    2. In the list of access points, find the MAC address of the AP that you want to assign to a WLAN group, and then click Edit.
    3. In WLAN Group, click Override Group Config and select the WLAN group to which you want to assign the AP. Each AP (or radio, on dual radio APs) can only be a member of a single WLAN group.
    4. Click OK to save your changes.
    Fig
62. This table lists all currently active access points and highlights basic details, such as number of clients per AP. Below is a table of currently managed AP groups and an AP-specific table of events and activities.
    Working with Access Point Groups
    Access Point groups can be used to define configuration options and apply them to groups of APs at once, without having to modify each AP's settings individually. For each group, administrators can create a configuration profile that defines the channels, radio settings, Ethernet ports and other configurable fields for all members of the group or for all APs of a specific model in the group.
    Access Point groups are similar to WLAN groups (see "Working with WLAN Groups" for more information). While WLAN groups can be used to specify which WLAN services are served by which APs, AP groups are used for more specific fine-tuning of how the APs themselves behave.
    The following sections describe the three main steps involved in working with AP groups:
    • Modifying the System Default AP Group: The first step in working with AP groups is defining the default behavior of all APs controlled by ZoneDirector.
    • Creating a New Access Point Group: After you have defined how you want your default APs to behave, you ca
63. Type a MAC address in the MAC Address text box, and then click Create New to save the address. The new MAC address that you added appears next to the Stations field. You can enter up to 128 MAC addresses per ACL.
    7. Click OK to save the L2/MAC based ACL.
    You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128 MAC addresses.
    Figure 62. Configuring an L2/MAC access control list [screenshot of the Configure > Access Control page]
    Creating Layer 3/Layer 4/IP Address Acces
64. Figure 142. Manual configuration information [screenshot of the Corporate WLAN Configuration page listing Network Name (SSID), Network Authentication, Data Encryption and Network key]
    Adding New User Accounts to ZoneDirector
    Once your wireless network is set up, you can instruct ZoneDirector to authenticate wireless users using an existing Active Directory, LDAP or RADIUS server, or to authenticate users by referring to accounts that are stored in ZoneDirector's internal user database.
    This section describes the procedures for managing users using ZoneDirector's internal user database. For authentication using an external AAA server, see "Using an External Server for User Authentication" on page 243.
    Internal User Database
    To use the internal user database as the default authentication source and to create new user accounts in the database:
    1. Go to Configure > Users.
    2. In the Internal User Database table, click Create New.
    3. When the Create New form appears, fill in the text fields with the appropriate entries:
       • User Name: Enter a name for this user. User names must be 1-32 characters in length, using letters, numbers, underscores and periods. User names are case-sensitive and
65. • WLANs: Displays the WLANs that this AP is supporting.
    • Radio 802.11 (a/n or g/n): Displays details on the 2.4 GHz (g/n) and 5 GHz (a/n) radios. Transmission statistics are totals since last radio restart. Airtime statistics represent the time spent sending and receiving 802.11 frames plus the time spent waiting for non-802.11 interference to avoid collision. Free airtime is 100 - total. High numbers indicate contention in the channel.
    • LAN Port Configuration: Displays the current configuration of the AP's LAN ports, including their enabled state, type (Access Port or Trunk Port) and Access VLAN ID.
    • Performance: Displays a graphical view of AP performance and RF environment statistics. Three Performance analysis graphs plot the capacity, throughput, associated clients and RF contention in the channel as a function of time.
      Limitations:
      1) The capacity curve is updated only when the AP transmits more than 1000 packets, each containing at least 1024 bytes of data, within a one-minute measurement interval.
      2) The "Other APs" curve counts managed APs plus unmanaged BSSIDs, many of which may emanate from the same unmanaged AP.
    • Neighbor APs: Displays nearby APs, their channel and signal strength.
    • Mesh-related Information: Displays uplink/downlink information, transmission statistics and details on mesh signal strength and stability, if mesh is enabled.
66. Configuring Guest Subnet Access
    By default, guest pass users are automatically blocked from the ZoneDirector subnet (format: A.B.C.D/M) and the subnet of the AP to which the guest user is connected. If you want to create additional rules that allow or restrict guest users from specific subnets, use the Guest Access > Restricted Subnet Access section. You can create up to 22 subnet access rules, which will be enforced both on the ZoneDirector side (for tunneled/redirect traffic) and the AP side (for local bridging traffic).
    NOTE: All guests share this same subnet access policy.
    To create a guest access rule for a subnet:
    1. Go to Configure > Guest Access.
    2. In the Restricted Subnet Access section, click Create New. Text boxes appear under the table columns in which you can enter parameters that define the access rule.
    3. Under Description, type a name or description for the access rule that you are creating.
    4. Under Type, select Deny if this rule will prevent guest users from accessing certain subnets, or select Allow if this rule will allow them access.
    5. Under Destination Address, type the IP address and subnet mask (format: A.B.C.D/M) on which you want to allow or deny users access.
    6
67. ZoneDirector Setup Wizard [screenshot of the General step: System Name, Country Code and Enable Mesh settings]
    Accessing ZoneDirector's Command Line Interface
    In general, this User Guide provides instructions for managing ZoneDirector and your ZoneFlex network using the ZoneDirector Web interface. You can also perform many management and configuration tasks using the ZoneDirector Command Line Interface (CLI) by connecting directly to the Console port or an Ethernet port.
    To access the ZoneDirector CLI:
    1. Connect an admin PC to the ZoneDirector Console port or any of the LAN ports (using either a DB-9 serial cable for the console port or an Ethernet cable for LAN ports).
    2. Launch a terminal program, such as Hyperterminal, PuTTY, etc.
    3. Enter the following connection settings:
       • Bits per second: 115200
       • Data bits: 8
       • Parity: None
       • Stop bits: 1
       • Flow control: None
    Figure 11. Configure a terminal client [screenshot of the Port Settings dialog]
68. above illustration:
    1. Map drop-down list: Select the floorplan to view from the Map drop-down list.
    2. Coverage and Show Rogue APs box: For Coverage, selecting 2.4 GHz enables a signal strength view of your placed 2.4 GHz APs. Selecting 5 GHz displays the signal coverage of 5 GHz radios. Selecting either 2.4 or 5 GHz opens the Signal legend on the right side of the Map View. See item number 8 below for the description of the Signal. For Show Rogue APs, selecting Yes displays the detected rogue APs in the floorplan.
    3. Unplaced APs area: As noted in "Importing a Map View Floorplan Image," when you first open the Map View, newly placed APs appear in this area. If they are approved for use (see "Adding New Access Points to the Network" on page 180), you can drag them into the correct location in the floorplan. Unplaced APs are available across all of the floor plans you upload. Thus, you can toggle between maps (see number 1) and place each AP on the appropriate map. For the various AP icon types, see "AP Icons" on page 214.
    4. Access Points, Rogue APs and Clients box: This lower left corner box displays the number of active APs, any rogue (unapproved or illegitimate) APs, and all associated clients.
    5. Search text box: Enter a string, such as part of an AP's name or MAC address, and the map is filtered to show only the matching results. Clearing the search value
69. address with the MAC address. If the AP receives a request from an unknown host, it forwards the request at the rate limit specified in the Packet Inspection Filter.
    • Mesh Topology Detection: Set the number of mesh hops and mesh downlinks after which ZoneDirector should trigger warning messages.
    Step 3: Provision and Deploy Mesh Nodes
    In this step, you will connect each AP to the same wired network as ZoneDirector to provision it with mesh-related settings. After you complete provisioning an AP, you must reboot it for the mesh-related settings to take effect.
    To provision and deploy a mesh node:
    1. Using one of the AP's Ethernet ports, connect it to the same wired network to which ZoneDirector is connected, and then power it on.
    The AP detects ZoneDirector and sends a join request. If Auto Approval is enabled, continue to Step 3. If Auto Approval is disabled, log into ZoneDirector, check the list of currently active access points for the AP that you are attempting to provision, and then click the corresponding Allow link to approve the join request. For detailed procedures on approving join requests, see "Verifying/Approving New APs" on page 181.
    After the AP has been provisioned, disconnect it from the wired network, unplug the power cable, and then move the device to its deployment location.
    • If you want the AP to be a Root AP, reconnect it to the wired network using one of its Ethernet ports, and then power it on. When
70. Controlling ZoneDirector Management Access
    The Management Access Control option can be used to control access to ZoneDirector's management interface. The Management Access Control interface is located on the Configure > System screen. Options include limiting access by subnet, single IP address and IP address range.
    NOTE: When you create a management access control rule, all IP addresses and subnets other than those specifically listed will be blocked from accessing ZoneDirector's Web interface.
    To restrict access to ZoneDirector's Web interface:
    1. Go to Configure > System.
    2. Locate the Management Access Control section and click the Create New link.
    3. In the Create New menu that appears, enter a name for the user(s) that you want to allow access to ZoneDirector's Web interface.
    4. Enter an IP address, address range or subnet.
       • The administrator's current IP address is shown for convenience; be sure not to create an ACL that prevents the admin's own IP address from accessing the Web interface.
    5. Click OK to confirm. You can create up to 16 entries to the Management ACL.
    Figure 33. Management Access Control [screenshot]
71. and you want to use that server to authenticate users, select the server name from the drop-down menu. See "Using an External Server for User Authentication" on page 243.
       • If you want to use ZoneDirector's internal database, select Local Database.
    4. Set the guest pass validity period by selecting one of the following options:
       • Effective from the creation time: This type of guest pass is valid from the time it is first created to the specified expiration time, even if it is not being used by any end user.
       • Effective from first use: This type of guest pass is valid from the time the user uses it to authenticate with ZoneDirector until the specified expiration time. An additional parameter (A Guest Pass will expire in X days) can be configured to specify when an unused guest pass will expire regardless of use. The default is 7 days.
    5. When you finish, click Apply to save your settings and make this new policy active.
    NOTE: Remember to inform users that they can access the Guest Pass Generation page at https://{zonedirector-hostname-or-ipaddress}/guestpass. In the example (Figure 154), the Guest Pass Generation URL is https://172.17.17.150/guestpass.
    Figure 154. The Guest Pass Generation section on the Guest Pass page [screenshot]
72. [Screenshot: Events/Activities table with columns Date/Time, Severity, User and Activities]
    Reviewing a List of Previously Blocked Clients
    1. Go to Configure > Access Control.
    2. Review the Blocked Clients table.
    3. You can unblock any listed MAC address by clicking the Unblock button for that address.
    Figure 72 Unbl
73. appears
    About This Guide
    Table 2. Notice Conventions (Icon, Notice Type, Description)
    • Information: Information that describes important features or instructions.
    • Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
    • Warning: Information that alerts you to potential personal injury.
    Related Documentation
    In addition to this User Guide, each ZoneDirector documentation set includes the following:
    • Online Help: Provides instructions for performing tasks using the Web interface. The online help is accessible from the Web interface and is searchable.
    • Release Notes: Provide information about the current software release, including new features, enhancements, and known issues.
    Documentation Feedback
    Ruckus Wireless is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Ruckus Wireless at docs@ruckuswireless.com. When contacting us, please include the following information:
    • Document title
    • Document part number (on the cover page)
    • Page number (if appropriate)
    For example:
    • Ruckus Wireless ZoneDirector Release 9.7 User Guide
    • Part number: 800-70505-001 Rev A
    • Page 88
    Contents: About This Guide; Introducing Ruckus Wireless ZoneDirector; Overview of ZoneDirector; ZoneDirector Physical Features; ZoneDirector 1
74. arrow is a Root AP.
    • An AP with a number in a circle is a Mesh AP. The number indicates the number of hops from the mesh AP to the Root AP.
    • An AP with a dimmed blue square indicates that it is a Root AP without any active downlinks.
    • An AP with a red square is an Ethernet Linked Mesh AP (eMAP).
    • An AP with an X icon is disconnected.
    Understanding Mesh-related AP Statuses
    In addition to using the Map View to monitor the status of the mesh network, you can also check the Access Points page on the Monitor tab for mesh-related AP statuses. The table below lists all possible AP statuses that are related to mesh networking, including any actions that you may need to perform to resolve mesh-related issues.
    Figure 168. Mesh-related AP statuses (Status, Description, Recommended Action)
    • Connected: AP is connected to ZoneDirector, but mesh is disabled. If mesh is enabled on the AP, you may need to reboot it to activate the mesh.
    • Connected (Root AP): AP is connected to ZoneDirector via its Ethernet port.
    • Connected (Mesh AP, n hops): AP is connected to ZoneDirector via its wireless interface and is n hops away from the Root AP.
    • Connected (eMesh AP, n hops): AP is connected to ZoneDirector via its Ethernet port, but acts as a Mesh AP using another Mesh AP as its uplink.
    • Isolated Mesh AP: AP is
75. click "Add more Access Points to this group" or "Add more Access Points from System Default group to this group".
    2. Select the APs you want to add, and click "Add to this group". The AP is added to the Members list above.
    3. Click OK to save your changes.
    To move an AP from the current AP group to another group:
    1. Click the check box next to any AP you want to move (to select all APs in the group, click the check box at the top of the column).
    2. Select the target AP group from the drop-down list, and click Move To. The AP disappears from the current group list.
    3. Click OK to save your changes.
    Figure 111. Modify AP group membership
    Modifying Model Specific Controls
    The following settings can be applied to all APs of a particular model that are members of the AP group.
76. create a new WLAN:
    1. Go to Configure > WLANs. The first table displays all WLANs that have already been created in ZoneDirector.
    2. In the top section (WLANs), click Create New. The Create New workspace displays the following:
    Figure 87. Creating a new WLAN [screenshot of the Create New form: Name/ESSID, Type, Authentication Options, Encryption Options, and Options (Web Authentication, Authentication Server, Wireless Client Isolation, Zero-IT Activation, Priority)]
    The WLAN Create New workspace includes the following configuration options used to customize your new WLAN. The individual options are explained in detail in the next section, beginning with "General Options" on page 141.
77. dates.
    In "Select a template for Guest Pass instructions", select the guest pass instructions that you want to print out. If you did not create custom guest pass printouts, select Default.
    Print the instructions for a single guest pass or print all of them.
    • To print instructions for all guest passes, click Print All Instructions.
    • To print instructions for a single guest pass, click the Print link that is in the same row as the guest pass for which you want to print instructions.
    A new browser page appears and displays the guest pass instructions. At the same time, the Print dialog box appears.
    10. Select the printer that you want to use, and then click OK to print the guest pass instructions.
    You have completed generating and printing guest passes for your guest users. If you want to save a record of the batch guest passes that you have generated, click the "here" link in "Click here to download the generated Guest Passes record", and then download and save the CSV file to your computer.
    Creating a Guest Pass Profile
    1. Log in to the guest pass generation page. Refer to steps 2 to 5 in "Generating and Printing Multiple Guest Passes at Once" above for instructions.
    2. In Creation Type, click Multiple.
    3. Click the "click here" link in "To download a profile sample, click here".
    4. Save the sample guest pass profile (in CSV format) to your computer.
    5. Using a spreadsheet applic
78. defined in IEEE 802.11u, 7.3.4.8.
    • Operator Friendly Name: Network operator names in multiple languages.
    • Service Provider Profiles: Information for each service provider, including NAI realm, domain name, roaming consortium, 3GPP cellular network info. A Service Provider profile must first be created before it appears here. Up to six Service Provider Profiles can be indicated for each Operator Profile.
    • HESSID: Homogenous extended service set identifier. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS. The HESSID value must be identical to one of the BSSIDs in the homogeneous ESS.
    • WAN Metrics: Provides information about the WAN link connecting an IEEE 802.11 access network and the Internet; includes link status and backhaul uplink/downlink speed estimates.
    • Connection Capability: Provides information on the connection status within the hotspot of the most commonly used communications protocols and ports. 11 static rules are available, as defined in WFA Hotspot 2.0 Technical Specification, section 4.5.
    • Additional Connection Capability: Allows addition of custom connection capability rules. Up to 21 custom rules can be created.
    4. Click OK to save this Operator Profile.
    5. Continue to "Create a Hotspot 2.0 WLAN".
    Figure 101. Hotspot 2.0 Services: Creating a Hotspot 2.0 Operator Profile Hotsp
79. device is also connected to the wired network, unplug the network cable.
    2. Start your Web browser, and then enter the following in the address or location bar: http://{zonedirector-ip-address}/perf
       The SpeedFlex Wireless Performance Tool interface loads in your browser.
    3. Click the Start button. The following message appears:
       "Your computer does not have SpeedFlex running. Click the OK button, download the SpeedFlex application for your operating system, and then double-click SpeedFlex.exe to start the application. When SpeedFlex is running on your computer, click Start again to continue with the wireless performance test."
    4. Click OK. Windows and Mac (Intel) download links for SpeedFlex appear on the SpeedFlex Wireless Performance Test interface.
    5. Click the SpeedFlex version that is appropriate for your operating system, download the SpeedFlex file, and then save it to your computer's hard drive.
    6. After downloading the SpeedFlex file, locate the file, and then double-click the file to start the application. A command prompt window appears and shows the following message:
       Entering infinite loop. Enjoy the ride.
       This indicates that SpeedFlex was successfully started. Keep the command prompt window open.
    7. On the SpeedFlex Wireless Performance Test interface, click the Start button again. A progress bar appears below the speedometer as the tool generates
80. disconnected from the ZoneDirector mesh. The AP may be configured incorrectly. Verify that the mesh SSID and passphrase configured on the AP are correct.
    • If Uplink Selection is set to Manual, the uplink AP specified for this AP may be off or unavailable.
    Using the ZoneFlex LEDs to Determine the Mesh Status
    In addition to checking the mesh status of ZoneFlex APs from the ZoneDirector Web interface, you can also check the LEDs on the APs. The LED behaviors that indicate the AP's mesh status vary depending on whether the AP is a single band or a dual band model.
    On Single-band ZoneFlex APs
    On single band ZoneFlex APs (for example, ZoneFlex 2741, 2942, 7321, 7341, 7343, 7351, 7352), the two LEDs that indicate the mesh status are:
    • WLAN (Wireless Device Association) LED: Indicates downlink status and client association status.
    • AIR (Signal/Air Quality) LED: Indicates uplink status and the quality of the wireless signal to the uplink AP.
    WLAN LED
    When Smart Mesh is enabled, the behavior of the WLAN LED indicates downlink status. Refer to the table below for a complete list of possible LED colors and behaviors for Root APs and Mesh APs, and the mesh status that they indicate.
    Figure 169. Behavior of the WLAN LED (LED Color/Behavior, Root AP, Mesh AP/eMAP)
    Solid green: No mesh downlink and At least one client is associated with t
81. Assigning a WLAN Group to an AP; Viewing a List of APs That Belong to a WLAN Group; Deploying ZoneDirector WLANs in a VLAN Environment; Tagging Management Traffic to a VLAN; How Dynamic VLAN Works; Working with Hotspot Services; Creating a Hotspot Service; Creating a Hotspot 2.0 Service; Setting the Venue Name for a Hotspot 2.0 AP; Working with Dynamic Pre-Shared Keys; Enabling Dynamic Pre-Shared Keys on a WLAN; Setting Dynamic Pre-Shared Key Expiration; Generating Multiple Dynamic PSKs; Creating a Batch Dynamic PSK Profile; Enabling Bypass Apple CNA Feature; Managing Access Points; Adding New Access Points to the Network; Working with Access Point Groups; Modifying the System Default AP Group; Creating a New Access Point Group; Modifying Access Point Group Membership; Modifying Model Specific Controls; Configuring AP Ethernet Ports; DHCP Option 82
82. Creating a Bonjour Gateway Rule; Example Network Setup; Configuring Security and Other Services; Configuring Self Healing Options; Automatically Adjust AP Power; Automatic Channel Selection; Background Scanning; Radar Avoidance Pre-Scanning; AeroScout RFID Tag Detection; Ekahau Tag Detection; Active Client Detection; Tunnel Configuration; Packet Inspection Filter; Configuring Wireless Intrusion Prevention; DoS Protection; Intrusion Detection and Prevention; Rogue DHCP Server Detection; Controlling Network Access Permissions; Creating Layer 2/MAC Address Access Control Lists; Creating Layer 3/Layer 4/IP Address Access Control Lists; Configuring Device Access Policies; Configuring Client Isolation White Lists; Configuring Precedence Policies; Blocking Cl
83. [screenshot residue: the Access Point Policies form (Approval, Limited ZD Discovery, Management VLAN, Load Balancing, Tunnel MTU, Auto Recovery) and the Access Point USB Software Packages table]
    To disable Load Balancing on a per-WLAN basis:
    1. Go to Configure > WLANs.
    2. Click the Edit link beside the WLAN for which you want to disable load balancing.
    3. Click the Advanced Options link to expand the options.
    4. Select "Do not perform load balancing for this WLAN service" next to Load Balancing.
    Figure 124. Disable load balancing on a
84. example.
    To restart ZoneDirector (and all currently active APs):
    1. Go to Administer > Restart.
    2. When the Restart/Shutdown features appear, click Restart. You will be automatically logged out of ZoneDirector. After a minute, when the Status LED is steadily lit, you can log back into ZoneDirector.
    Figure 200. The Restart/Shutdown page
    • Restart: Click this button to restart ZoneDirector. Network connections will be broken temporarily, and then renewed when startup is complete.
    • Shutdown: Click this button to shut down ZoneDirector. To restart ZoneDirector, disconnect it from the power source and then reconnect it.
    Smart Mesh Networking Best Practices
    In This Appendix: Choosing the Right AP Model for Your Mesh Network; Calculating the Number of APs Required; Placement and Layout Considerations; Signal Quality Verification; Mounting and Orientation of APs; Best Practice Checklist
    Choosing the Right AP Model for Your Mesh Network
    Ruckus Wireless
85. feature that can help you prevent connectivity and security issues that rogue DHCP servers may cause. When this feature is enabled, ZoneDirector scans the network every five seconds for unauthorized DHCP servers and generates an event every time it detects a rogue DHCP server.
    The conditions for detecting rogue DHCP servers depend on whether ZoneDirector's own DHCP server is enabled:
    • If the built-in DHCP server is enabled, ZoneDirector will generate an event when it detects any other DHCP server on the network.
    • If the built-in DHCP server is disabled, ZoneDirector will generate events when it detects two or more DHCP servers on the network. You will need to find these DHCP servers on the network, determine which ones are rogue, and then disconnect them or shut down the DHCP service on them.
    The Rogue DHCP Server Detection feature is enabled by default. If it is disabled, use the following procedure to re-enable it.
    To enable rogue DHCP server detection on ZoneDirector (enabled by default):
    1. Go to Configure > WIPS.
    2. In the Rogue DHCP Server Detection section, select the "Enable rogue DHCP server detection" check box.
    3. Click the Apply button that is in the same section.
    You have completed enabling rogue DHCP server detection. Ruckus Wireless recommends checking the Monitor > All Events/Activities page periodically to determine if ZoneDirect
86. for a MacBook and iPad, needs to have access to all classroom resources.
    • Students SSID, VLAN 300: Students have a separate SSID with no authentication; they must be able to back up their iPads to the classroom iMac, but should not have access to the Apple TV or File Sharing services.
    Figure 50. Sample Bonjour Gateway configuration for a classroom scenario [screenshot of the Bonjour Gateway rule table: Bridge Service, From VLAN, To VLAN, Notes]
    In this example, the teacher gains access to AirPlay, AirPrint, iCloud Sync and File Sharing, while students are given access to iCloud Sync and AirPrint only.
    Configuring Security and Other Services
    In This Chapter: Configuring Self Healing Options
87. have two options for reviewing events in your network: (1) open a complete list of all events, or (2) look at specific lists of events in each Monitor tab workspace, such as the WLANs workspace Events/Activities table.
    1. Open the ZoneDirector Dashboard and look at the Most Recent User Activities table and Most Recent System Activities table for summaries of activity in the network.
    2. Go to the Monitor tab.
    3. Click any of the specific options, such as WLANs, Access Points or Currently Active Clients.
    4. Look for an All Events table that specifically focuses on the selected category.
    5. Under the Monitor tab, click either the All Alarms button or the All Events/Activities button to see a complete list, with all categories represented in chronological order.
    AP events display the first 17 characters of an AP name, if AP names are used.
    Clearing Recent Events/Activities
    To review the current events and, if appropriate, clear all resolved events, follow these steps:
    1. Go to Monitor > All Events/Activities.
    2. When the All Events/Activities page appears, the Events/Activities table lists the unresolved events, the most recent at the top.
    3. Review the contents of this table. You can sort the list by severity level, date/time, username and activity type. Click the column header to sort, and click again to reverse the order displayed.
    4. You can click Clear All at the bottom of the table to resolve and clear all events in the view. Re
88. how devices connect, what types of devices can connect, and what they are allowed to do once connected.
    Using the Device Access Policy settings, ZoneDirector can identify the type of client attempting to connect, and perform control actions such as permit/deny, rate limiting, and VLAN tagging based on the device type.
    Once a Device Access Policy has been created, you can apply the policy to any WLANs for which you want to control access by device type. You could, for example, allow only Apple OS devices on one WLAN and only Linux devices on another.
    To create a Device Access Policy:
    1. Go to Configure > Access Control.
    2. In the Device Access Policy section, click Create New.
    3. Enter a Name and, optionally, a description for the access policy.
    4. In Default Mode, select "Deny all by default" or "Allow all by default".
    5. In Rules, you can create multiple OS-specific rules for each access policy:
       • Description: Description of the rule.
       • OS/Type: Select from any of the supported client types.
       • Type: Select rule type (allow or deny).
       • Uplink/Downlink: Set rate limiting for this client type.
       • VLAN: Segment this client type into a specified VLAN (1-4094; if no value is entered, this policy does not impact device VLAN assignment).
    6. Click Save to save the rule you created. You can create up to nine rules per access policy (one for each OS/Type).
    To chang
89. https://172.17.17.150/guestpass [remainder of the Guest Pass page screenshot: Authentication Server (Local Database); Validity Period (Effective from the creation time / Effective from first use; Expire new guest passes if not used within 3 days)]
    Restricted Subnet Access: Guest users are automatically blocked from the subnets to which ZoneDirector and its managed APs are connected. If there are other subnets on which you want to block or allow guest users, you can create and configure up to 22 guest access rules below. Note that guest access rules are prioritized in the order that they are listed (1 has highest priority). Hint: Layer 3 APs are typically on subnets different from the ZoneDirector subnet.
    Rules shown in the screenshot (Order, Type, Destination Address):
       1  Deny  172.17.17.150/23
       2  Deny  10.0.0.0/8
       3  Deny  172.16.0.0/12
       4  Deny  192.168.0.0/16
    Advanced Options, Web Portal Logo: Upload your logo to show it on the Web portal pages. The recommended image size is 138 x 40 pixels and the maximum file size is 20KB.
    Controlling Guest Pass Generation Privileges
    To disable the guest pass generation privilege granted to all basic "Default" role users, follow these steps:
    1. Go to Configure > Roles. When the Roles and Policies page appears, a table lists all existing roles, including "Default".
    2. Click E
90. in the Test Authentication Settings panel, and then click Test.
    If testing against a RADIUS server, this feature uses PAP or CHAP depending on the RADIUS server configuration and the choice you made in RADIUS/RADIUS Accounting. Make sure that either PAP or CHAP is enabled on the Remote Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing with testing authentication settings.
    Figure 145. The Create New form for adding an authentication server [screenshot: the Authentication/Accounting Servers table, the Create New form (Active Directory, LDAP, RADIUS, RADIUS Accounting), and the Test Authentication Settings panel: "You may test your authentication server settings by providing a user name and password here. Groups to which the user belongs will be returned and you can use them to configure the role."]
    For more information on configuring an external authentication server, see
91. information.
    To register your ZoneDirector:
    1. Click the Product Registration link in the Support widget on the Dashboard, or
    2. Go to Administer > Registration.
    3. Enter your contact information on the Registration page, and click Apply.
    4. The information is sent to a CSV file that opens in a spreadsheet program (if you have one installed). This file includes the serial numbers and MAC addresses of your ZoneDirector and all known APs, and your contact information.
    5. Save the CSV file to a convenient location on your local computer.
    6. Click the link on the Registration page to upload the CSV file (https://support.ruckuswireless.com/register). If you do not already have a Support account login, first click the https://support.ruckuswireless.com/get_access_now link to create a support account, and then click the register link to upload the CSV file to Ruckus Support.
    Figure 20. Support Widget on the Dashboard
    Figure 21. The Product Registration page [screenshot: "To start the registration process, fill out the required information and then click Apply to gen
92. Enabling Smart Redundancy; Configuring ZoneDirector for Smart Redundancy; Forcing Failover to the Backup ZoneDirector; Configuring the Built-in DHCP Server; Enabling the Built-in DHCP Server; Viewing DHCP Clients; Controlling ZoneDirector Management Access; Setting the System Time; Setting the Country Code; Channel Optimization; Channel Mode; Changing the System Log Settings; Reviewing the Current Log Contents; Customizing the Current Log Settings; Setting Up Email Alarm Notifications; Customizing Email Alarms that ZoneDirector Sends; Enabling Network Management Systems; Enabling Management via FlexMaster; Enabling Northbound Portal Interface Support; Configuring SNMP Support; Enabling SNMP Trap Notifications; Configuring DHCP Relay; Enabling Bonjour Gateway
93. largest protocol data unit (in bytes) that can be passed. Supported MTU values range from 850 to 1500 (default is 1500). Note that changing this setting to a value less than 1280 will affect IPv6 connectivity.
    • Auto Recovery: Set an AP auto recovery time, in minutes, after which APs will reboot in an attempt to reconnect to ZoneDirector. Default is 30 minutes.
    3. Click Apply to save and apply your settings.
    Figure 118. Setting global AP policies on the Configure > Access Points page [screenshot of the Access Point Policies form: Approval, Limited ZD Discovery, Management VLAN, Load Balancing, Tunnel MTU, Auto Recovery]
94. now associated to the original backup ZoneDirector (which is now the active ZoneDirector) and begin upgrading AP firmware to the new version.
    9. Each AP reboots after upgrading.
    Working with Backup Files
    After you have set up and configured your Ruckus wireless network, you may want to back up the full configuration. The resulting archive can be used to restore your ZoneDirector and network. And, whenever you make additions or changes to the setup, you can create new backup files at that time, too.
    Backing Up a Network Configuration
    1. Go to Administer > Backup.
    2. Under the Backup Configuration sections, click Back Up. The File Download dialog box appears.
    3. Click Save.
    4. When the Save As dialog box appears, enter a name for this archive file, pick a destination folder, then click Save.
       NOTE: Ruckus Wireless recommends adding the firmware version number to the backup file name so that you can easily identify which backup files were created on which firmware version. By default, only the backup date is included in the file name.
    5. Make sure the filename ends in a .bak extension.
    6. When the Download Complete dialog box appears, click Close.
    Figure 177. The Back Up Configuration option
95. on page 197.
    • Prefer Primary ZD: Enable this option if you want APs to revert to the primary ZoneDirector control after connection to the primary controller is restored.
    • Keep AP's Primary and Secondary ZD Settings: Enable this option if you want the AP's existing settings to take precedence (not be overwritten by the secondary controller's settings after failover to the secondary ZD).
    • Management VLAN: You can enable the ZoneDirector management VLAN if you want to separate management traffic from regular network traffic. The following options are available:
       • Keep AP's setting: Click this option if you want to preserve the Management VLAN settings as configured on the AP. Note that Management VLAN on the AP is disabled by default.
       • VLAN ID: Enter a valid VLAN ID to segment management traffic into the VLAN specified. Valid VLAN IDs are 1-4094.
       NOTE: If you change the Management VLAN ID here, you also need to set the Management VLAN ID that ZoneDirector needs to use on the Configure > System Settings page. Otherwise, ZoneDirector and the APs will be unable to communicate via the Management VLAN.
    • Load Balancing: Balances the number of clients across adjacent APs (see "Load Balancing" on page 206).
    • Tunnel MTU: Use this field to set the Maximum Transmission Unit for tunnel packets between ZoneDirector and APs. The MTU is the size of the
96. [chart residue from the Real Time Monitoring screenshot]
    Select a time increment to monitor statistics by (5 minutes, 1 hour or 1 day) and click Start Monitoring to begin. Note that because the Real Time Monitoring process itself consumes a small amount of system resources, it should be used as a general overview tool rather than a precise measurement. Actual resources used (CPU and memory utilization) will be lower when Real Time Monitoring is not running.
    Real Time Monitoring Widgets
    • CPU Util: Displays the utilization of ZoneDirector's CPU.
    • Memory Util: Displays the utilization of ZoneDirector's memory.
    • # of APs: Displays the number of APs being managed by ZoneDirector.
    • # of Client Devices: Displays the number of client devices associated to APs being managed by ZoneDirector.
    • Bytes Received: Total bytes received by all APs being managed by ZoneDirector.
    • Bytes Transmitted: Total bytes received by all APs being managed by ZoneDirector.
    • Packets Received: Total packets received by all APs being managed by ZoneDirector.
    • Packets Transmitted: Total packets transmitted by all APs being managed by ZoneDirector.
    NOTE: Real Time Monitoring should be closed when not in use, as it can impact ZoneDirector performance.
    Stopping and Starting Auto Refresh
    By default, ZoneDirect
97. returns the map to its unfiltered view. 6. Floorplan area: The floorplan displays in this main area. You can manipulate the size and angle of the floorplan by using the tools on this screen. 7. Note the following icons: Click this icon and then click an AP from the floorplan to remove that AP. Click this icon to rotate the floorplan; when clicked, rotation crosshairs appear in the center of the map. Click and hold these crosshairs and move your cursor to rotate the view. Refresh the floorplan. 8. Signal: This colored legend displays the signal strength coverage when you selected either 2.4 GHz or 5 GHz for Coverage (see 2 above). See Evaluating and Optimizing Network Coverage on page 230 for more information. 9. Upper slider: The upper slider is a zoom slider, allowing you to zoom in and out of the floorplan. This is helpful in exact AP marker placement and in assessing whether physical obstructions that affect RF coverage are in place. 10. Lower slider: The bottom slider is the image contrast slider, allowing you to dim or enhance the presence of the floorplan. If you have trouble seeing the floorplan, move the slider until you achieve a satisfactory balance between markers and floorplan details. 11. Scale legend: To properly assess the distances in a floorplan, a scaler has been provided so that you can place APs in the most precise location. 12. Open Space Office drop-down list: Open Office Space re
98. show more section as shown in Figure 76 below. Figure 76. LDAP search filter syntax examples. Group Extraction: By using the Search Filter, you can extract the groups to which a user belongs, as categorized in your LDAP server. Using these groups, you can attribute Roles within ZoneDirector to members of specific groups. For example, in a school setting, if you want to assign members of the group "students" to a "Student" role, you can enter a known student's name in the Test Authentication Settings section, click Test, and return the groups that the user belongs to. If everything is configured correctly, the result will display the groups associated with the student, which should include a group called "student" (or whatever was configured on your LDAP server). Next go to th
99. specific WLAN. [Screenshot: WLAN Advanced Options, with settings for Accounting Server, Access Control, Call Admission Control, Rate Limiting, Multicast Filter, Access VLAN, Hide SSID, Tunnel Mode, Proxy ARP, Background Scanning, Load Balancing, Max Clients, 802.11d, DHCP Option 82, Force DHCP and Client Tx/Rx Statistics]
100. supports both 802.11g and the newer, faster 802.11n APs with which to form a mesh network. Because mesh throughput degrades with the number of hops, the best performance can be achieved using the newer, faster 802.11n APs (ZoneFlex 7321, 7343, 7363, 7351, 7352, 7372, 7962, 7762, 7782, 7982, etc.). However, the 802.11g APs (ZoneFlex 2942 and ZoneFlex 2741) will also form a suitable mesh network if your client devices do not support the newer 11n standard. The most important point to note, however, is that the two technologies cannot be mixed in a mesh topology. All nodes in a mesh must be 802.11n or 802.11g. You cannot mix 802.11n with 802.11g APs in a mesh. You can mix ZoneFlex 2942 with ZoneFlex 2741 in the same mesh because they are both 802.11g. Additionally, dual-band 11n APs can only mesh with other dual-band 11n APs, and single-band 11n APs can only mesh with other single-band 11n APs. In summary, build your mesh network as follows: Ensure that all APs are dual-band 802.11n (ZoneFlex 7762, 7962, 7372, 7363, 7782, 7982). Ensure that all APs are single-band 802.11n (ZoneFlex 7341, 7343, 7321, 7352). Ensure that all APs are 802.11g (ZoneFlex 2942 and ZoneFlex 2741). NOTE: The above restrictions apply only to AP-to-AP communication as part of a mesh, not to AP-to-client communication. For example, 802.11g clients can connect to an 802.11n mesh and vice versa. Calculating the Number of APs Required: This is an important step in
101. the AP. Figure 134. AP temperature sensor information. Monitoring Mesh Status: The Monitor Mesh page can be used to view Smart Mesh topologies of any mesh trees present on your network. Similar to the Mesh widget on the Dashboard, this page also displays non-meshing APs controlled by ZoneDirector and provides a number of action icons to troubleshoot and diagnose mesh-related problems. Figure 135. Reviewing Mesh status of APs using the Monitor Mesh page
102. the AP detects ZoneDirector again through its Ethernet port, it will set itself as a Root AP, and then it will start accepting mesh association requests from Mesh APs. If you want the AP to be a Mesh AP, power it on but do not reconnect it to the wired network. When it does not detect ZoneDirector through its Ethernet port within 90 seconds, it will search for other Root APs or Mesh APs and, once mesh neighbor relationships are established, form a mesh tree. NOTE: After an AP in its factory default state has been provisioned, you need to reboot it to enable mesh capability. NOTE: If you are located in the United States and have a DFS-capable AP that is expected to serve as a Root AP (or eMAP) with a non-DFS-capable Mesh AP as its downlink, you will need to set the channel for the Root AP to one of the non-DFS channels. Specifically, choose one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 165. This is due to the DFS-capable AP's ability to use more channels than the non-DFS-capable AP, which could result in the RAP choosing a channel that is not available to the MAP. Alternatively, go to Configure > System > Country Code and set the Channel Optimization setting to Optimize for Compatibility. Repeat Steps 1 to 3 for each AP that you want to be part of your wireless mesh network. After you complete p
103. the Guest Login Page; Creating a Custom Guest Pass Printout. Configuring Guest Access: Using ZoneDirector's Guest Access features, visitors to your organization can be allowed limited access to your wireless network using either an open and unsecured WLAN, the secure Guest Pass authentication method, or an Onboarding Portal for mobile devices. The Onboarding Portal gives users the option to choose whether to connect to the open Guest WLAN or to self-provision their devices to access the secure network using Zero-IT activation. This section describes how to configure a Guest WLAN and configure the settings and policies that control guest use of your network. It is divided into the following three subsections to describe the different guest access methods: Creating a Guest WLAN; Onboarding Portal; Guest Pass Activation. Figure 147. Configuring Guest Access
104. the alarm email is first enabled, the alarm recipient may receive a flood of alarm notifications. This may cause the mail server to treat the email notifications as spam and to temporarily block the account. NOTE: After ZoneDirector is upgraded to software version 9.2 or later, the alarm email notification settings must be reconfigured to include the mail server name and port number. This will help ensure that ZoneDirector alarm recipients will continue to receive email notifications. NOTE: ZoneDirector sends email notifications for a particular alert only once, unless (1) it is a new alert of the same type but for a different device, or (2) existing alert logs are cleared. Customizing Email Alarms that ZoneDirector Sends: Using the Alarm Event section of the Configure Alarm Settings page, you can choose which types of events will trigger ZoneDirector to send an email notification. 1. Click Alarm Event to select/deselect all alarm types. 2. Select or deselect those for which you want (or don't want) to receive emails. 3. Click Apply to save your changes. When any of the selected events occur, ZoneDirector sends an email notification to the email address that you specified in the Email Notification section. NOTE: With the exception of the Lost contact with AP event, ZoneDirector only sends one email alarm notification for each event. I
105. the login page of guest users. Refer to the picture shown below for the places where the changes will take effect. Creating a Custom Guest Pass Printout: The guest pass printout is a printable HTML page that contains instructions for the guest pass user on how to connect to the wireless network successfully. The authenticated user who is generating the guest pass will need to print out this HTML page and provide it to the guest pass user. A guest pass in English is included by default. As administrator, you can create custom guest pass printouts. For example, if your organization receives visitors who speak different languages, you can create guest pass printouts in other languages. To create a custom guest pass printout: 1. Go to Configure Guest Access. 2. Scroll down to the Guest Pass Printout Customization section (bottom of the page). 3. Click the click here link under the Guest Pass Printout Customization section title to download the sample guest pass printout (in HTML format). Save the HTML file to your compu
106. this AP radio will be used as a voice WLAN for Polycom Spectralink phones. This option changes several AP radio settings, such as DTIM, BSS minrate and RTS/CTS, to improve voice quality with Spectralink phones. For optimal VoWLAN voice quality, also disable Self Healing and Background Scanning from the Configure Services page. IP Mode: Set IPv4, IPv6 or dual-stack IPv4/IPv6 IP addressing mode. ChannelFly: Enable this check box to allow ZoneDirector to disable ChannelFly on an AP if the AP's uptime is greater than the value entered for the AP group. This feature can be useful if ChannelFly causes client connection instability due to APs restarting and re-running the ChannelFly scanning process. The option is supported on specific 11n APs only. Model Specific Control: Use this section to configure max clients, LEDs and port settings for all APs of each specific model that are members of the group. See Modifying Model Specific Controls. Group Settings: The Group Settings section is used to move access points between groups. See Modifying Access Point Group Membership. Figure 110. Editing the System Default access point group settings
107. time a client connects with an RSSI lower than the threshold value entered. Go to Monitor > All Events/Activities to monitor these events. Tunnel Configuration: Only WLANs with Tunnel Mode enabled are affected. See Advanced Options in the Managing a Wireless Local Area Network chapter for information on enabling Tunnel Mode for a WLAN. To configure data encryption and filtering for tunneled WLANs: 1. Go to Configure Services. 2. Scroll down to the bottom of the page and locate the Tunnel Configuration section. 3. Enable the check boxes next to the features you want to enable: Enable tunnel encryption for tunneled traffic: By default, when WLAN traffic is tunneled to ZoneDirector, only the control traffic is encrypted while data traffic is unencrypted. When this option is enabled, the Access Point will decrypt 802.11 packets and then use an AES-encrypted tunnel to send them to ZoneDirector. Block multicast traffic from network to tunnel: Prevents all non-well-known multicast traffic from propagating on the tunnel. Block broadcast traffic from network to tunnel except ARP and DHCP: Prevents all broadcast traffic other than Address Resolution Protocol and DHCP packets. Enable Proxy ARP of tunnel WLAN with rate limit threshold: Reduces broadcast neighbor discovery packets (ARP and ICMPv6 Neighbor Solicit) over tunnels. When ZoneDirector receives a broadcast ARP request for a known host, it acts on behalf of the k
108. to four SNMP trap receivers on your network. If you select SNMPv3, enter up to four trap receiver IP addresses along with authentication method, passphrase and privacy (encryption) settings. 4. Click Apply to save your changes. Figure 45. Enabling SNMPv2 trap notifications. Figure 46. Enabling SNMP trap notifications with SNMPv3
109. to more focused, detailed views on elements of the network. TIP: You can minimize (hide) any of the tables or indicators on the Dashboard, then reopen them by means of the Add Widget options in the lower left corner. Widgets: Widgets are Dashboard components, each containing a separate indicator or table as part of the active dashboard. Each widget can be added or removed to enhance your ZoneDirector Dashboard summary needs. Tabs: Click any of the four tabs (Dashboard, Configure, Monitor and Administer) to take advantage of related sets of features and options. When you click a tab, ZoneDirector displays a collection of tab-specific buttons. Each tab's buttons are a starting point for Ruckus Wireless network setup, management and monitoring. Buttons: The left-side column of buttons varies according to which tab has been clicked. The buttons provide features that assist you in managing and monitoring your network. Click a button to see related options in the workspace to the right. Workspace: The large area to the right of the buttons will display specific sets of features and options, depending on which tab is open and which button was clicked. Toolbox: The drop-down menu at the top right corner provides access to the Real Time Monitoring, Auto Refresh and Network Connectivity tools used for diagnosing and monitoring your ZoneFlex network. It also provides a tool to stop and start automatically refreshing the W
110. traffic to measure the downlink throughput from the AP to the client. The test typically runs from 10 to 30 seconds. When the test is complete, the results appear below the Start button. Information that is shown includes the downlink throughput (in Mbps) between your wireless device and the AP, as well as the packet loss percentage during the test. If the packet loss percentage is high (which indicates poor wireless connection), try moving your wireless device to another location, and then run the tool again. Alternatively, contact your network administrator for assistance. Diagnosing Poor Network Performance: You can try the following diagnostic and troubleshooting techniques to resolve poor network performance. 1. Go to Monitor Map View. 2. Look on the map for rogue APs. If there is a large number and they belong to neighboring networks, proceed to the next task. 3. Go to Configure Access Points. Edit each AP record to assign each device a channel that will not interfere with other nearby APs. For example, if you have three APs operating in the 2.4 GHz band, you can manually set each one to a different non-overlapping channel by selecting channel 1, 6 and 11 from the Channel drop-down list. Starting a Radio Frequency Scan: This task complements the automatic RF scanning feature that is built into the Ruckus ZoneDirector. That automatic scan assesses one ra
111. user activity reviewing 217 Customizing Guest Login page 266 Customizing network security 138 D Dashboard overview 210 Dashboard Web interface explained 37 Deleting a User Record 240 Denial of Service DoS Protection 98 Description New WLAN creation 141 option values 141 Detecting rogue Access Points 228 Device Access Policies 105 Device Name 200 DGAF 172 DHCP 58 network address option 49 server customization 26 340 DHCP clients viewing 60 DHCP Option 82 147 189 DHCP Relay 81 146 DHCP server configuring 58 Diagnostics tools 319 disable ChannelFly 185 disabling status LEDs 187 Disconnecting specific client devices 112 Disconnecting users from the WLAN 310 DNS Server Registering ZoneDirector 29 downstream group addressed frame for warding 172 Dynamic PSK 145 234 expiration 174 Dynamic VLAN 146 192 E EAP using the built in server 153 EAP MD5 124 Ekahau 93 Email alarm notification activation 69 Ethernet port status 194 Event Log Level 68 Events monitoring 223 Events and alarms 67 External Antenna 201 external antenna 187 F Factory default state restoring ZoneDirector 297 Fail Over 55 Failed user connections 310 Failover force 58 Firewall open ports 32 Firmware upgrade 292 FlexMaster enabling 81 Performance Monitoring 73 Floorplan adding to Map View 204 Force DHCP 147 G Graphic file formats guest user login page 26
112. white list. Figure 66. Creating a Client Isolation White List. To apply a Client Isolation White List to a WLAN: 1. Go to Configure > WLANs. 2. Click Edit next to the WLAN you want to edit. 3. In Wireless Client Isolation under Options, select the level of client isolation you want to enforce: Isolate wireless client traffic from other clients on the same AP: Enable client isolation on the same Access Point (clients on the same subnet but connected to other APs wil
113. Configuring Precedence Policies: Use the Precedence Policy settings to define the priority order in which rate limiting and VLAN policies are applied to a WLAN. To configure Precedence Policies: 1. Go to Configure > Access Control. 2. In the Precedence Policy section, click Edit to modify the default policy, or click Create New to create a new policy to be selectable from the WLAN configuration dialog. 3. Under Rules, click Create New to create a new rule for this policy. 4. Select an Attribute (VLAN or Rate Limiting) to apply a precedence policy. 5. Select a Precedence Policy (AAA Server, Device Policy or WLAN Configuration), and click up and down arrows to set the order in which policies will take precedence. 6. Click Save to save the rule. You can create up to two rules per policy. The rules will be applied in the order shown in the Order column. 7. Click OK to save the precedence policy. This policy is now available for selection in WLAN configuration. Figure 68. Precedence Policy settings
114. with the required requester information. Submit the CSR to a public CA for signing. Receive a signed certificate from the CA. Import the signed certificate into ZoneDirector. Generating a Certificate Signing Request: If you do not have an existing SSL certificate, you will need to create a certificate signing request (CSR) file and send it to a certificate authority (CA) to purchase an SSL certificate. The ZoneDirector Web interface provides a form that you can use to create the CSR file. Fields with an asterisk are required entries. Those without an asterisk are optional. The Configure Certificate form allows you to perform the following actions: Generate a certificate signing request; Import a signed certificate; View the currently installed certificate; Advanced Options (link displays additional options): Restore the default private key and certificate; Backup private key and certificate; Generate a new private key. To create a certificate request file (CSR): 1. Go to Configure > Certificate. 2. In the Generate a Request section, complete the following options: Common Name: Enter ZoneDirector's Fully Qualified Domain Name (FQDN). Typically, this will be zonedirector.[your company].com. You can also enter ZoneDirector's IP address (e.g., 192.168.0.2) or a familiar name by which the ZoneDirector will be accessed in your browser (e.g., by device name such as ZoneDirector).
115. you want to bypass Apple Captive Network Assistance (CNA) on iDevices and OS X machines. [Screenshot options: Web Authentication, Guest Access, Hotspot service] Managing Access Points. In This Chapter: Adding New Access Points to the Network; Working with Access Point Groups; Reviewing Current Access Point Policies; Managing Access Points Individually; Optimizing Access Point Performance. Adding New Access Points to the Network: If your staffing or wireless coverage needs increase, you can add APs to your network easily and efficiently. Depending on your network security preferences, the new APs can be automatically detected and activated, or new APs may require per-device manual approval before becoming active. The Automatic AP Approval process is enabled by default, automatically approving AP join requests. If you prefer, you can disable Automatic Approval. If this is your preference, ZoneDirector will detect new APs, alert you to their presence, and then wait for you to manually approve their activation, as detailed in this guide. Figure 107. Automatic AP approval is enabled by default. Deselect this option to manually approve each AP join request
116. you want to import. Restoring ZoneDirector to Default Factory Settings: In certain extreme conditions, you may want to re-initialize ZoneDirector and reset it to factory default state. In this state, the network is almost ready for use, but all your user, guest, log and other records, accounts and preference configurations would need to be manually reconfigured. CAUTION: When this procedure is complete, you will need to redo a complete setup. If ZoneDirector is on a live network, a new IP address may be assigned to the system. In this case, the system can be discovered by a UPnP client application, such as Windows My Network Places. If there is no DHCP server on the connected network, the system's default IP address is 192.168.0.2 with subnet mask 255.255.255.0. NOTE: A complete set of instructions is available in the ZoneDirector Quick Start Guide (QSG). Before restoring ZoneDirector to factory default settings, you should open and print out the QSG pages. You can follow those instructions to set up ZoneDirector after restoring factory defaults. To reset your ZoneDirector to factory d
118. 100; ZoneDirector 3000; ZoneDirector 5000; Introduction to the Ruckus Wireless Network; Ensuring That APs Can Communicate with ZoneDirector; How APs Discover ZoneDirector on the Network; How to Ensure that APs Can Discover ZoneDirector on the Network; Firewall Ports that Must be Open for ZoneDirector Communications; NAT Considerations; Installing ZoneDirector; Accessing ZoneDirector's Command Line Interface; Using the ZoneDirector Web Interface; Navigating the Dashboard; Using Indicator Widgets; Real Time Monitoring; Stopping and Starting Auto Refresh; Registering Your Product. Configuring System Settings: System Configuration Overview; Changing the System Name; Changing the Network Addressing; IPv6 Configuration; Enabling an Additional Management Interface; Creating Static Route Entries; Static Route Example
119. Reviewing Current Access Point Policies: The Access Point Policies options allow you to define how new APs are detected and approved for use in WLAN coverage, as well as policies on client distribution and communicating with ZoneDirector. These policies are enforced on all APs managed by ZoneDirector unless a specific WLAN setting overrides them. For example, if you want to enable Load Balancing for most APs but disable it on specific WLANs, you would enable it in the Access Point Policies section, then disable it for the particular WLAN from the Configure > WLANs page. To review and revise the general AP policies, follow these steps: 1. Go to Configure Access Points. 2. Review the current settings in Access Point Policies. You can change the following settings: Approval: This is enabled by default, which means that all join requests from any ZoneFlex AP will be approved automati
120. NOTE: If you want to use the same SSL certificate for both devices in a Smart Redundancy pair, you can back up the certificate/private key from one device and import it into the other. See Working with SSL Certificates on page 299 for more information. NOTE: If you have two ZoneDirectors of the same model and license level, Ruckus Wireless recommends using the Smart Redundancy feature. If you have two ZoneDirectors of different models or different license levels, you can use Limited ZD Discovery to provide limited redundancy; however, this method does not provide synchronization of the user database. NOTE: If you disable Smart Redundancy after it has been enabled, both ZoneDirectors will revert to active state, which could result in unpredictable network topologies. Therefore, Ruckus Wireless recommends first factory resetting the standby ZoneDirector before disabling Smart Redundancy. NOTE: If the active and standby ZoneDirector are on different IP subnets, APs need to know the IP addresses of both ZoneDirectors to quickly find the active ZoneDirector after a Smart Redundancy failover. You can do this by configuring the IP addresses of both devices on the Conf
121. [Screenshot: access point detail page with Radio 802.11a/n, Radio 802.11g/n, LAN Port Configuration and Neighbor APs panels]
122. Smart Mesh Networking Best Practices: Mounting and Orientation of APs. ZoneFlex APs are very tolerant to a variety of mounting and orientation options due to Ruckus Wireless' use of its unique BeamFlex technology, in which the RF signal is dynamically concentrated and focused towards the other end of the RF link. The bottom line regarding orientation and placement is that, during the planning phase, it is advisable to use the Signal Quality as your benchmark, as explained in the Signal Quality Verification section. Ensure that the Signal is better than 25 for trouble-free operation. For additional mounting details, please also consult the Quick Setup Guide and the Wall and Ceiling Mounting Instructions that came in the AP box. Indoor APs, Typical Case: Horizontal Orientation. ZoneFlex indoor APs are typically oriented such that the top of the AP is pointing either straight up or straight down. Figure 203. ZoneFlex indoor AP horizontal orientation (typical horizontal orientation: ceiling mount, dome pointing straight down; wall mount, dome pointing straight down; desktop, pointing straight up). Indoor APs: Vertical Orientation. A less typical vertical orientation may be used in certain cases where it is not possible, for mechanical or aesthetic reasons, to use the typical horizontal orientation. In such cases i
123. [Screenshot: event log showing client join, leave and disconnect events] If WLAN Connection Problems Persist. If the previous technique fails to resolve the connection issues, you may need to guide the user through a reset of their WLAN configuration. This requires deleting the user record, then creating a new user record, after which the user must repeat the Zero-IT Activation process to reactivate their device with ZoneDirector. 1. Have the user log out of the WLAN. 2. Go to Configure > Users. The Internal User Database table appears, displaying a list of current user accounts. 3. Locate the problematic user account in the table and click the check box to the left of the user's name. 4. Click Delete. 5. Click the Create New button to create a new user account for this user. 6. Enter a user name and password and choose a rol
124. Customizing the Guest Login Page; Creating a Custom Guest Pass Printout; Deploying a Smart Mesh Network; Overview of Smart Mesh Networking; Smart Mesh Networking Terms; Supported Mesh Topologies; Standard Topology; Wireless Bridge Topology; Hybrid Mesh Topology; Deploying a Wireless Mesh via ZoneDirector; Step 1: Prepare for Wireless Mesh Deployment; Step 2: Enable Mesh Capability on ZoneDirector; Step 3: Provision and Deploy Mesh Nodes; Step 4: Verify That the Wireless Mesh Network Is Up; Understanding Mesh-related AP Statuses; Using the ZoneFlex LEDs to Determine the Mesh Status; On Single-band ZoneFlex APs; On Dual-band ZoneFlex APs; Using Action Icons to Configure and Troubleshoot APs in a Mesh; Setting Mesh Uplinks Manually; Troubleshooting Isolated Mesh APs; Understanding Isolated Mesh AP Statuses; Recovering an Isolated Mesh
125. 5. Click OK to save your settings. Be sure to communicate the role, user name and password to the appropriate end user. Managing Guest Access: Working with Guest Passes: Generating and Printing a Single Guest Pass. You can provide the following instructions to users with guest pass generation privileges. A single guest pass can be used for one-time login, time-limited multiple logins for a single guest user, or can be configured so that a single guest pass can be shared by multiple users. NOTE: The following procedure will guide you through generating and printing a guest pass. For instructions on how to generate multiple guest passes, see Generating and Printing Multiple Guest Passes at Once on page 262. NOTE: Before starting, make sure that your computer is connected to a local or network printer. To generate a single guest pass: 1. On your computer, start your Web browser. 2. In the address or location bar, type the URL of the ZoneDirector Guest Pass Generation page: https://{zonedirector-hostname-or-ipaddress}/guestpass 3. In User Name, type your user name. 4. In Password, type your password. 5. Click Log In. The Guest Information page appears. On this page, you need to provide information about the guest user to enable ZoneDirector to generate the guest pass. Figure 156. Creating a Guest Pass
126. 6 Graphic file specifications guest user login page 266 Group Extraction 119 Group Settings 185 Guest Access Customization 266 Guest Access WLAN 141 Guest Pass custom 267 Guest Pass Access managing 248 Guest Pass Generation 255 Guest user login page adding a graphic 266 editing the welcome text 266 Guest users login page customization 266 Guest VLAN 192 H Hide SSID New WLAN creation 146 Hotspot 164 configuration 164 WISPr Smart Client 164 Hotspot 2 0 167 AP Venue Settings 203 Operator Profile 169 Service Provider Profile 168 WLAN 171 Hotspot 2 0 WLAN 142 Hotspot Service WISPr WLAN 142 Import Scripts 326 Importing the floorplan image 211 341 Improving AP RF coverage 205 Inactivity timeout 148 installation 33 Internal Heater enabling 187 internal heater 187 Internal user database using for authentication 238 IP Mode 184 L L2 MAC Access Control 103 L3 L4 Access Control 104 LAN Port Configuration monitoring 222 Language changing the Web interface language 291 LDAP 117 125 243 LEDs 16 18 License Upgrade 307 Limited ZD Discovery 196 Load Balancing 147 197 Load balancing 206 Log All Events Activities 67 Log settings changing 67 overview 67 Login failures 310 Login page guest use 266 Logs sorting contents 67 viewing 321 M MAC Authentication 123 143 RADIUS 123 MAC authentication bypass 165 192 malicious AP 229 Management A
127. 7055 has four front-facing Ethernet ports and one rear port. [Screenshot: Model Specific Control port settings for LAN1 through LAN5. Note in the figure: the LAN5 port is located on the back panel.] DHCP Option 82. The DHCP Relay Agent Information Option (Option 82) allows a DHCP Relay Agent to insert specific identification information into a request that is being forwarded to a DHCP server. When this option is enabled for an Ethernet port or a WLAN SSID, additional information will be encapsulated in DHCP option 82 and inserted into DHCP request packets. This option supports the ability for a service provider to allocate IP addresses intelligently by considering information on the origin of the IP allocation request. Table 25. DHCP Circuit ID sub-option format. Circuit ID Indicator Interface VLAN
128. AP; Best Practices and Recommendations; Setting Administrator Preferences; Changing the ZoneDirector Administrator User Name and Password; Setting Administrator Login Session Timeout; Changing the Web Interface Display Language; Upgrading ZoneDirector and ZoneFlex APs; Performing an Upgrade with Smart Redundancy; Working with Backup Files; Backing Up a Network Configuration; Restoring Archived Settings to ZoneDirector; Restoring ZoneDirector to Default Factory Settings; Alternate Factory Default Reset Method; Working with SSL Certificates; Basic Certificate Installation; Generating a Certificate Signing Request; Importing an SSL Certificate; SSL Certificate Advanced Options; Using an External Server for Administrator Authentication; Upgrading the License; Upgrading the License with Smart Redundancy; Troubleshooting; Troubleshooting Failed User Logins; Fixing User Connec
129. AP. The client's MAC address, AP's MAC address and SSID are included in the trap notification.
Table 16. Trap notifications (Trap Name: Description)
ruckusZDEventClientJoin: A client has successfully joined an AP. The client's MAC address, the AP's MAC address and SSID are included in the trap notification.
ruckusZDEventClientJoinFailed: A client has attempted and failed to join an AP. The client's MAC address, the AP's MAC address and SSID are included in the trap notification.
ruckusZDEventClientJoinFailedAPBusy: A client attempt to join an AP failed because the AP was busy. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientDisconnect: A client has disconnected from the AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamOut: A client has roamed away from an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientRoamIn: A client has roamed in to an AP. The client's MAC address, AP's MAC address and SSID are included.
ruckusZDEventClientAuthFailed: A client authentication attempt has failed. The client's MAC address, AP's MAC address, SSID and failure reason are included.
ruckusZDEventClientAuthorizationFailed: A client authorization attempt to join an AP ha
130. Create an Operator Profile. To create an Operator Profile: 1. Go to Configure > Hotspot 2.0 Services. 2. Click Create New under Operator Profiles. 3. Configure the settings in Table 23 to create a Hotspot 2.0 Operator profile.
Table 23. Hotspot 2.0 Operator profile configuration options (Option: Description)
Name: Enter a name for this Operator profile. This name identifies the service operator when assigning an HS2.0 service to a HS2.0 WLAN.
Description: (Optional) Enter a description for the service.
Venue Information: Select venue group and venue type as defined in IEEE802.11u, Table 7-25m/n.
ASRA Option: (Additional steps required for access) Select to indicate that the network requires a further step for access.
Internet Option: Specify if this HS2.0 network provides connectivity to the Internet.
Access Network Type: Access network type (private, free public, chargeable public, etc.), as defined in IEEE802.11u, Table 7-43b.
IP Address Type: Select IP address type availability information as
131. AP's description (if configured), or the MAC address if no name or description is available. Channel: The channel that the neighbor AP is currently using. Signal (dB): Signal strength. Path Score (status): A higher score indicates better performance over the link between this AP and its neighbor. Note that only ZoneFlex APs of the same radio type can mesh with one another. If the AP is of a different radio type than the one you are currently viewing, this field will display N/A (Unknown). Access Point Sensor Information. If your APs include internal sensors, ZoneDirector will display the AP's status in this section. Temperature and orientation sensors are available on most Ruckus Wireless outdoor APs, and orientation sensors are available on the ZoneFlex 7962 indoor AP. Orientation: This sensor displays the mounting orientation of the AP. Three orientations are possible: • Desktop Horizontal Mount • Ceiling Horizontal Mount • Wall Vertical Mount. Figure 133. AP orientation sensor information. Temperature: This sensor displays the temperature statistics as reported by
132. AX network connection is made to connect the AP to the Internet, then to ZoneDirector, enabling the creation of an LWAPP tunnel and providing 802.11 wireless services. To upload a USB provisioning file to ZoneDirector: 1. Go to Configure > Access Points. 2. Scroll down to Access Point USB Software Packages. 3. Click Choose File and select the file to upload. 4. Click OK to upload the file to ZoneDirector. To provision a SmartPoint Access Point with USB software: 1. Plug the 3G/4G/LTE/WiMAX USB modem into the SmartPoint AP's USB port. 2. Connect the SmartPoint AP to ZoneDirector via wired L2 or L3 network. 3. Once an LWAPP tunnel between the AP and ZoneDirector has been established, ZoneDirector automatically pushes the corresponding USB drivers, network connection scripts and configuration files to the AP. 4. The AP saves the files to its persistent storage. 5. Disconnect the wired network connection, then reboot the AP. 6. After reboot, the AP detects the appropriate drivers on its persistent storage, goes through the 3G/4G/LTE network connection process and establishes an LWAPP tunnel with ZoneDirector. 7. ZoneDirector pushes the 802.11 wireless configuration to the AP. 8. The AP implements the 802.11 wireless configuration and is ready to provide 802.11 wireless services. 9. A wireless client connects to the AP's 802.11 wireless service and the data traff
133. C Address Authentica tion 143 A AAA servers 243 Access Controls 145 Access Point Policy approval 181 Access Point Policy options 196 Access Points adding new APs to the WLAN 180 managing individually 200 monitoring 219 monitoring individually 222 sensor information 227 working with AP Groups 183 Accounting Server 145 ACL 145 ACLs Management ACL 61 Actions individual APs 222 Activating Guest Pass Access 255 Active Client Detection 94 Active Directory 115 243 Adjusting AP Settings Map View 205 Administrator Login Session Timeout 291 AeroScout 92 AES option values 144 airtime 96 222 Alarms activating email notification 69 Algorithm New WLAN creation 143 All Events Activities Logs 67 AP Groups 183 AP markers overview 214 APs detecting rogue devices 228 placing markers on a floorplan map 212 restarting 326 verifying new APs 181 Archived ZoneDirector settings restoring 294 ARP Broadcast Filter 277 Assigning a Pass Generator role to a user 258 Authentication Server 144 Authentication Servers external 243 internal user database 238 Authentication settings testing 135 Authenticator 192 Authenticator MAC based 192 Authenticator Port based 192 Auto encryption algorithm 144 Auto Recovery 197 Automatic AP Approval 180 181 196 284 Automatically Generated User Certificates and Keys managing 242 Autonomous WLAN 142 Auto Proxy 148 339 Auto Refresh stopping
134. CL 61 Management VLAN 196 Managing current user accounts 240 Map View adding a floorplan 204 adjusting AP positions and settings 205 importing a floorplan 210 placing AP markers on a floorplan 212 requirements graphics 211 tools 213 Maps importing a floorplan image 211 Max Clients 147 187 197 max clients per AP 187 Mesh Mode 205 Mesh recovery SSID 287 Mesh Topology Detection 277 Mesh related Information 222 Microsoft Windows EAP requirements 154 Model Specific Control 185 Monitor overview 210 Monitoring individual clients 218 Real Time 42 Monitoring AP status 219 Monitoring Client Devices 111 Monitoring individual APs 222 Monitoring wired clients 219 Monitoring ZoneDirector overview 210 Multicast Filter 146 N Name ESSID New WLAN creation 141 option values 141 Neighbor APs 222 226 Network addressing changing 49 Network Connectivity 320 Network Diagnostics 319 New User Accounts adding new accounts 238 New User Roles creating 240 342 O Optimizing network coverage 230 orientation 227 Overview Map view 210 P Packet capture and analysis 323 Packet Inspection Filter 96 Passphrase New WLAN creation 144 Performance Analysis 218 monitoring APs 222 Performance test 312 Ping 319 Placing the Access Point markers 212 PoE Out Ports enabling 187 PoE Out ports 187 Policies Access Point specific 196 Poor network perfo
135. [Screenshot: ZoneDirector Dashboard with the Currently Active WLANs, Overview, Most Active Client Devices and Support widgets] The Widgets pane opens at the upper left corner of the Dashboard. 3. Select any widget icon, and drag and drop it onto the Dashboard to add the widget. If you have closed a widget, it appears in this pane. Figure 14. The widget icons appear at the top left corner of the Dashboard.
136. DN and password appear. The default port number (3268) should not be changed unless you have configured your AD server to use a different port. • Global Catalog queries are directed to port 3268, while ordinary searches are received through port 389. If the port binds to 389, even with Global Catalog server, the search includes only a single domain directory partition. If the port binds to port 3268, the search includes all directory partitions in the forest. If the server attempting to bind over port 3268 is not a Global Catalog server, the server refuses the bind. 3. Leave the Windows Domain Name field empty to search all domains in the forest. NOTE: Do NOT enter anything in the Windows Domain Name field. If you enter a Windows Domain Name, the search will be limited to that domain, rather than the whole forest. 4. Enter an Admin DN (distinguished name) in Active Directory format (name@xxx.yyy). 5. Enter the admin Password, and re-enter the same password for confirmation. NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database. 6. Click OK to save changes. 7. To test your authentication settings, see Testing Authentication Settings on page 135. Figure 74. Active Directory with Global Catalog enabled
137. DPSKs: Select this option to limit the number of DPSKs each user can generate (1-4). 10. Click OK to save your settings. This WLAN is now ready to authenticate users using Dynamic Pre-Shared Keys once their credentials are verified against either the internal database or an external RADIUS server. Figure 103. Enabling Dynamic PSK for a WLAN. Dynamic Pre-Shared Key Expiration. By default dy
138. Directory 243 RADIUS 243 Users Activating guest pass access 255 adding new accounts 238 creating new roles 240 disconnecting a user from the WLAN 310 failed WLAN logins 310 managing accounts 240 reviewing current activity 217 switching to 802 1X based security 153 switching to WEP based security 153 troubleshooting connection problems 310 Using Active Directory 243 Using an external RADIUS server 153 Using Map View to assess network perfor mance 204 Using the built in EAP server 153 Using the Map View 213 344 V Verifying Approving New APs 181 VLAN New WLAN creation 146 VLANs deploying a ZoneDirector WLAN 157 W Walled Garden 165 Web Authentication 144 activating 244 Web interface changing the language 291 Generated PSK Certs page 242 Roles and Policies 240 Web interface buttons explained 37 Web interface Dashboard explained 37 Web interface tabs explained 37 Web interface workspaces explained 37 Web Portal customizing 266 WEP WLAN Security 153 WEP Key New WLAN creation 144 WEP 128 option values 143 WEP 64 option values 143 WEP based security user requirements 153 Widgets 37 39 Wireless Client Isolation 144 165 Wireless networks overview 24 138 Wireless performance test tool 312 WLAN creation 140 optimizing coverage 230 recent events reviewing 217 WLAN Group 154 184 201 LAN network security customizing 138 LAN performance using M
139. E as the Vendor Class Identifier in option 60 and expect ZoneDirector IP information to be provided in DHCP option 43 (Vendor Specific Info), encapsulated with sub-option code 03 (the sub-option code for ZoneDirector). The RFC describes how vendors can encapsulate vendor-specific sub-option codes ranging from 0 to 255. Sub-options are embedded in option 43 as TLV (type, length, value) blocks. Ruckus Wireless access points support non-TLV format option 43 values with comma-separated IP address strings for discovering ZoneDirectors, and also TLV-based option 43 encapsulation as specified in RFC 2132. For ZoneDirector information (sub-option code 03): • Type: 0x03 • Length: Count of the characters in the ASCII string. Length must include the commas if there is more than one ZoneDirector specified. • Value: A non-null-terminated ASCII string that is a comma-separated list of ZoneDirector IP addresses. For example, if there are two ZoneDirectors with IP addresses 192.168.0.10 and 192.168.0.20, then the value will be "192.168.0.10,192.168.0.20" and the length is 25 (hex value 0x19). For FlexMaster information (sub-option code 01): • Type: 0x01 • Length: Count the number of characters in the ASCII string. Length must include "http://" plus all colons, slashes and decimals in the complete URL. • Value: A non-null-terminated ASCII string that is a URL. For example, if the FlexMaster URL is http://192.168.10.1/intune/server, the length is
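The option 43 layout described in excerpt 139 can be checked in code before the bytes go into a DHCP server's configuration, so that APs are pointed only at the intended controllers. The following Python block is an added example, not taken from the Ruckus guide: it builds and parses option 43 payloads in both the TLV form and the plain comma-separated form, using the sub-option codes 0x01 and 0x03 given above. The function names and the sample FlexMaster URL are assumptions made for illustration.

```python
"""Build and validate DHCP option 43 payloads for ZoneDirector discovery.

Added example. Sub-option codes 0x01 and 0x03 come from the guide text;
all function names and the sample URL below are hypothetical.
"""
import ipaddress

SUBOPT_FLEXMASTER = 0x01    # value: URL as an ASCII string
SUBOPT_ZONEDIRECTOR = 0x03  # value: comma-separated IPv4 list, ASCII

# Constructed sample value, not a real server.
SAMPLE_FLEXMASTER_URL = "http://flexmaster.example/intune/server"


def encode_suboption(code: int, value: str) -> bytes:
    """Return one TLV block: type byte, length byte, ASCII value (no NUL)."""
    data = value.encode("ascii")
    if not 0 <= code <= 255:
        raise ValueError("sub-option code must fit in one byte")
    if len(data) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([code, len(data)]) + data


def encode_zonedirector_list(addresses) -> bytes:
    """Encode ZoneDirector IPs as sub-option 03; the length counts the commas."""
    for addr in addresses:
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    return encode_suboption(SUBOPT_ZONEDIRECTOR, ",".join(addresses))


def _parse_ip_list(text: str):
    # Every element must be a well-formed IPv4 address. A trailing NUL or
    # stray whitespace makes the address invalid and is rejected here.
    return [str(ipaddress.IPv4Address(part)) for part in text.split(",")]


def parse_option43(payload: bytes) -> dict:
    """Parse an option 43 payload in either format the guide describes."""
    if not payload:
        raise ValueError("empty option 43 payload")
    result = {"format": "plain", "zonedirectors": [],
              "flexmaster": None, "other": {}}
    # Non-TLV form: the whole payload is a comma-separated ASCII IP list.
    try:
        result["zonedirectors"] = _parse_ip_list(payload.decode("ascii"))
        return result
    except ValueError:
        pass  # not a plain IP list, so walk it as TLV blocks
    result["format"] = "tlv"
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[offset], payload[offset + 1]
        value = payload[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option 0x{code:02x} declares {length} bytes, "
                f"only {len(value)} present")
        if code == SUBOPT_ZONEDIRECTOR:
            result["zonedirectors"] += _parse_ip_list(value.decode("ascii"))
        elif code == SUBOPT_FLEXMASTER:
            result["flexmaster"] = value.decode("ascii")
        else:
            result["other"][code] = value  # keep unknown sub-options for review
        offset += 2 + length
    return result


if __name__ == "__main__":
    blob = encode_zonedirector_list(["192.168.0.10", "192.168.0.20"])
    print(blob.hex())            # starts with 03 19, as in the guide's example
    print(parse_option43(blob))
```

Comparing the parsed controller list against an allowlist of known ZoneDirector addresses turns this into a pre-deployment check for DHCP scope changes.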
140. [Screenshot: Wireless access policy Properties dialog] Figure 84. On the Authentication tab of the Edit Dial-in Profile dialog, select Unencrypted authentication (PAP, SPAP). You have completed configuring Microsoft IAS for PAP authentication. TACACS+: Terminal Access Controller Access-Control System Plus (TACACS+) is an Auth
141. Enabling this will override the AP Group settings made on Configuring AP Ethernet Ports on page 187. 10. Click OK to save your settings. Figure 121. Ethernet port configuration. Configuring Hotspot 2.0 Venue Settings for an AP. If this Access Point will be serving a Hotspot 2.0 hotspot, you can set the Venue Name for the venue at which the AP will be operating. You can create up to two Venue Names (two languages) for the venue name. To set the Hotspot 2.0 Venue Name for an AP: 1. Go to Configure > Access Points. 2. Click the Edit link next to the AP you want to configure. 3. Scroll down to the bottom and expand the Hotspot 2.0 Settings section. 4. Click Create New to create a new venue name for this AP. Select the language and enter the venue name in that language. 5. Click
142. HCP Relay. Figure 47. Creating a DHCP Relay server. To enable DHCP Relay for a WLAN: 1. Go to Configure > WLANs. 2. If creating a new WLAN, click Create New. Otherwise, click Edit for the WLAN you want to configure. 3. Under Advanced Options, when Tunnel Mode is enabled, the DHCP Relay option becomes available. 4. Under DHCP Relay, select Enable DHCP relay agent with __ DHCP server and select the server you created earlier from the list. 5. Click OK to save your changes. Figure 48. Enabling DHCP Relay agent for a Tunnel Mode WLAN
143. LAN (by default, 1), and all VLAN-tagged traffic on VLANs 1-4094 will be seen when present on the network. The default Untag VLAN for each port is VLAN 1. Change the Untag VLAN to: • Segment all ingress traffic on this Access Port to a specific VLAN. • Redefine the Native VLAN on this Trunk Port to match your network configuration. Trunk Ports: Trunking is a function that must be enabled on both sides of a link. If two switches are connected together, for example, both switch ports must be configured as trunk ports. The Trunk Port is a member of all the VLANs that exist on the AP switch and carries traffic for all those VLANs between switches. Access Ports: All Access Ports are set to Untag VLAN 1 by default. This means that all Access Ports belong to the native VLAN and are all part of a single broadcast domain. To remove ports from the native VLAN and assign them to specific VLANs, select Access Port and enter any valid VLAN ID in the VLAN ID field (valid VLAN IDs are 2-4094). The following table describes the behavior of incoming and outgoing traffic for Access Ports with VLANs configured.
Table 26. Access Ports with VLANs configured (VLAN Settings: Incoming Traffic from the client; Outgoing Traffic to the client)
Access Port, Untag VLAN 1: All incoming traffic is native VLAN (VLAN 1); All outgoing traffic on the port is sent untagged.
Access Port Untag All i
144. Introducing Ruckus Wireless ZoneDirector: ZoneDirector Physical Features.
LED states (LED Label, State: Meaning)
Status, Solid Green: Normal state.
Status, Flashing Green: ZoneDirector has not yet been configured. Log in to the Web interface and then configure ZoneDirector using the setup wizard.
Status, Solid Red: ZoneDirector has shut down but is still connected to a power source.
Status, Flashing Red: ZoneDirector is starting up or shutting down.
Ethernet Link, Solid Green or Amber: The port is connected to a device.
Ethernet Link, Flashing Green or Amber: The port is transmitting or receiving traffic.
Ethernet Link, Off: The port has no network cable connected or is not receiving a link signal.
Ethernet Rate, Amber: The port is connected to a 1000Mbps device.
Ethernet Rate, Green: The port is connected to a 10Mbps or 100Mbps device.
ZoneDirector 5000. This section describes the following physical features of ZoneDirector 5000: Front Panel Features; Front Panel (Bezel Removed); Control Panel; Rear Panel Features. Figure 3. ZoneDirector 5000 Front Panel. Front Panel Features.
Table 5. ZoneDirector 5000 front panel features (Feature: Description)
Control Panel: See Control Panel description below.
RJ45 Serial Port: COM 2 Serial B port for accessing the ZoneDirector command line interface.
USB Port: Not used.
Front Bezel Lock: Remove this b
145. MHz of each channel in the spectrum used during transmission. Channel: Manually set the channel used by the AP radio. Tx Power: Manually set the maximum transmit power level relative to the calibrated power. WLAN Group: Specify a WLAN group for this radio. Call Admission Control: (Disabled by default.) Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information. Spectralink Compatibility: (Disabled by default.) Enable this option if this AP radio will be used as a voice WLAN for Polycom Spectralink phones. This option changes several AP radio settings, such as DTIM, BSS minrate and RTS-CTS, to improve voice quality with Spectralink phones. NOTE: For optimal VoWLAN voice quality, also disable Self Healing and Background Scanning from the Configure > Services page. WLAN Service: Uncheck this check box to disable WLAN service entirely for this radio. This option can be useful if you want dual-band 802.11n APs to provide service only on the 5 GHz radio, in order to reduce interference on the 2.4 GHz band, for example. You can also disable service for a particular WLAN at specific times of day or days of the week by setting the Service Schedule. For more information, see Advanced Options for creating a WLAN. External Antenna: External antenna configuration is available for the 2.4 GHz radio on the ZoneFlex 2942 and 2741 A
146. Monitoring Your Wireless Network. In This Chapter: Reviewing the ZoneDirector Monitoring Options; Importing a Map View Floorplan Image; Using the Map View Tool; Reviewing Current Alarms; Reviewing Recent Network Events; Clearing Recent Events/Activities; Reviewing Current User Activity; Monitoring Access Point Status; Monitoring Individual APs; Monitoring Mesh Status; Detecting Rogue Access Points; Evaluating and Optimizing Network Coverage; Monitoring System Ethernet Port Status. Reviewing the ZoneDirector Monitoring Options: The following highlights key ZoneDirector tab options and what you can do with them: D
147. Ps, for the 5 GHz radio on the ZoneFlex 7762, and for the 2.4 and 5 GHz radios in the 7782-E APs. Once enabled, enter a gain value in the range of 0 to 90dBi. Radio Band (ZoneFlex 7321 only): Select 2.4 GHz or 5 GHz radio band for the 7321 APs. 5. The Network Setting options allow you to configure the IP address settings of the AP. IP Mode: Select IPv4 only, IPv6 only or dual IPv4/IPv6 addressing mode. If you want the AP to keep its current IP address, click Keep AP's Setting. If the AP's IP address has not been set, it will automatically attempt to obtain an IP address via DHCP. If you want the AP to automatically obtain its IP address settings from a DHCP server on the network, click the DHCP option in Management IP. You do not need to configure the other settings (netmask, gateway and DNS servers). If you want to assign a static IP address to the AP, click the Manual option next to Device IP Settings, and then set the values for the following options: IP Address, Netmask, Gateway, Primary DNS Server, Secondary DNS Server. 6. If Smart Mesh is enabled (see Deploying a Smart Mesh Network on page 269), the Advanced Options section lets you define the role this AP should play in the mesh network: Auto, Root AP, Mesh AP or Disable (default is Auto). In most cases, Ruckus Wireless recommends leaving this setting on Auto to reduce the ris
148. Reason. No APs in manual uplink selection: You have set uplink selection to Manual, but none of the uplink APs you specified is available or reachable. To resolve this, go to the Configure > Access Points page on the ZoneDirector Web interface, and then click SmartSelection. Table 36. Isolated Mesh AP statuses. Columns: Status; Possible Reason. No APs within hop limit: The AP cannot find other APs within the internally defined limit to the number of hops. The hop limit mechanism helps ensure that mesh APs maintain reasonable network performance. To resolve this, add additional Root APs near this isolated Mesh AP. Searching for uplinks: The AP is still searching for uplinks. This is usually a temporary state and is typically resolved automatically within 15 minutes as the mesh network stabilizes. If there is a significant number of APs on the network, it might take longer for the AP to resolve this. Config error: The AP attempted to establish the mesh uplink but was unsuccessful. If you recently updated the mesh SSID and passphrase, it is likely that your changes have not propagated correctly to this AP (for example, the AP was offline when you updated the mesh SSID and passphrase). To resolve this, follow the instructions in Recovering an Isolated Mesh AP on page 287. No APs with matching radio type: The AP is unable to find an uplin
149. Reviewing Current Alarms: If an alarm condition is detected, ZoneDirector will record it in the events log and, if configured, will send an email warning. To review the current alarms and clear all resolved alarm records, follow these steps: 1. Go to Monitor > All Alarms. 2. When the All Alarms page appears, the Alarms table lists the unresolved alarms, the most recent at the top. Figure 127. The All Alarms page (screenshot of the Alarms table; columns: Date/Time, Name, Severity, Activities, Action).
150. Ruckus Wireless ZoneDirector Release 9.7 User Guide. Part Number 800-70505-001 Rev A. Published December 2013. www.ruckuswireless.com. About This Guide: This guide describes how to install, configure and manage the Ruckus Wireless ZoneDirector version 9.7. This guide is written for those responsible for installing and managing network equipment. Consequently, it assumes that the reader has basic working knowledge of local area networking, wireless networking and wireless devices. NOTE: If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes. Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the Ruckus Wireless Support Web site at http://support.ruckuswireless.com. Document Conventions: Table 1 and Table 2 list the text and notice conventions that are used throughout this guide. Table 1. Text Conventions. Columns: Convention; Description; Example. monospace: Represents information as it appears on screen. Example: Device name>. monospace bold: Represents information that you enter. Example: Device name> set ipaddr 10.0.0.12. default font bold: Keyboard keys, software buttons and field names. Example: On the Start menu, click All Programs. italics: Screen or page names. Example: Click Advanced Settings. The Advanced Settings page
151. Save to save the entry, and click OK to save the Venue Name settings for the AP. Figure 122. Setting the Venue Name for a Hotspot 2.0 service. Optimizing Access Point Performance: ZoneDirector, through its Web interface, allows you to remotely monitor and adjust key hardware settings on each of your network APs. After assessing AP performance in the context of network performance, you can reset channels and adjust transmission power, or adjust the priority of certain WLANs over others, as needed. Assessing Current Performance Using the Map View. REQUIREMENT: The importing of a floorplan and placement of APs are detailed in Importing a Map View Floorplan Image on page 210 and Placing the Access Point Markers on page 212. 1. Go to Monitor > Map View. If Map View displays a floor
152. Smart Mesh Networking Terms; Supported Mesh Topologies; Deploying a Wireless Mesh via ZoneDirector; Understanding Mesh-related AP Statuses; Using the ZoneFlex LEDs to Determine the Mesh Status; Using Action Icons to Configure and Troubleshoot APs in a Mesh; Setting Mesh Uplinks Manually; Troubleshooting Isolated Mesh APs; Best Practices and Recommendations. Overview of Smart Mesh Networking: A Smart Mesh network is a peer-to-peer, multi-hop wireless network wherein participant nodes cooperate to route packets. In a Ruckus wireless mesh network, the routing nodes (that is, the Ruckus Wireless APs forming the network), or mesh nodes, form the network's backbone. Clients (for example, laptops and other mobile devices) connect to the mesh nodes and use the backbone to communicate with one another and, if permitted, with nodes on the Internet. The mesh network enables clients to reach other systems by creating a path that hops between nodes. Smart Mesh networking offers many advantages: Smart Mesh networks are self-healing. If any one of the nodes fails, the nodes note the block
153. TION: If you do not select the Allow ZoneDirector Administration check box, administrators that are assigned this role will be unable to log into ZoneDirector, even if all other settings are configured correctly. 4. Test your authentication settings (Configure > AAA Servers > Test Authentication Settings). Specify AAA server to use (Administer > Preferences > Authenticate with Auth Server). Verify that the Fallback to admin name/password if failed check box is selected. Keeping this check box selected ensures that administrators will still be able to log into the ZoneDirector Web interface even when the authentication server is unavailable. Congratulations! You have completed setting up ZoneDirector to use external servers for administrator authentication. Whenever a user with administrator privileges logs into the ZoneDirector Web interface, an event will be recorded. The following is an example of the event details that you will see: Admin user name login authenticated by Authentication Server with Role. Upgrading the License: Depending on the number of Ruckus Wireless APs you need to manage with your ZoneDirector, you may need to upgrade your license as your network expands. Contact your authorized Ruckus Wireless reseller to purchase an upgrade license. Once you load the license via the Web interface, it takes effect immediately. Current license infor
154. 6. On the Guest Information page, fill in the following options. Creation Type: Choose Single to generate a single guest pass. Full Name: Type the name of the guest user for whom you are generating the guest pass. Valid for: Specify the time period when the guest pass will be valid. Do this by typing a number in the blank box and then selecting a time unit (Minutes, Hours, Days or Weeks). WLAN: Select the WLAN for this guest (typically, a guest WLAN). Key: Leave as is if you want to use the random key that ZoneDirector generated. If you want to use a key that is easy to remember, delete the random key and then type a custom key. For example, if ZoneDirector generated the random key OVEGS RZKKF, you can change it to joe guest key. Customized keys must be between one and 16 ASCII characters. NOTE: Each guest pass key must be unique and is distributed on all guest WLANs. Therefore, you cannot create the same guest pass for use on multiple WLANs. Remarks (optional): Type any notes or comments. For example, if the guest user is a visitor from a partner organization, you can type the name of the organization. Sharable: Check this box
155. 3. Review the contents of this table. The Activities column is especially informative. 4. If a listed alarm condition has been resolved, click the now-active Clear link to the right. You also have the option of clicking Clear All to resolve all alarms at one time. Reviewing Recent Network Events: You
156. ZoneDirector can scan the network periodically for rogue DHCP servers. Enable rogue DHCP server detection. Controlling Network Access Permissions: ZoneDirector provides several options for controlling client access to your wireless networks and to other wired/wireless network resources. This section is divided into the following subsections, according to the features on the Configure > Access Control page: Creating Layer 2/MAC Address Access Control Lists; Creating Layer 3/Layer 4/IP Address Access Control Lists; Configuring Device Access Policies; Configuring Client Isolation White Lists; Configuring Precedence Policies; Blocking Client Devices. Creating Layer 2/MAC Address Access Control Lists: Using the Access Controls configuration options, you can define Layer 2/MAC address ACLs, which can then be applied to one or more WLANs (upon WLAN creation or edit). ACLs are either allow-only or deny-only; that is, an ACL can be set up to allow only specified clients or to deny only specified clients. MAC addresses that are in the deny list are blocked at the AP, not at ZoneDirector. To configure an L2/MAC ACL: 1. Go to Configure > Access Control. In L2/MAC Access Control, click Create New. Type a Name for the ACL. Type a Description of the ACL. Select the Restriction mode as either allow or deny
157. a wireless mesh topology to route client traffic between any member of the mesh and the wired network. Meshing significantly reduces the cost and time requirements of deploying an enterprise-class WLAN, in addition to providing much greater flexibility in AP placement. ZoneDirector also integrates network monitoring, sophisticated user access controls, integrated Wi-Fi client performance tools, highly configurable guest access features and advanced security features within a single system. User authentication can be accomplished using an internal user database, or forwarded to an external Authentication, Authorization and Accounting (AAA) server such as RADIUS or Active Directory. Once users are authenticated, client traffic is not required to pass through ZoneDirector, thereby eliminating bottlenecks when higher speed Wi-Fi technologies are used. This user guide provides complete instructions for using the Ruckus Wireless Web interface, the wireless network management interface for ZoneDirector. With the Web interface, you can customize and manage all aspects of ZoneDirector and your ZoneFlex network. ZoneDirector Physical Features: Three models of ZoneDirector are currently available: ZoneDirector 1100, ZoneDirector 3000 and ZoneDirector 5000. This section describes the physical features of these ZoneDirector models. ZoneDirector 1100: This section describ
158. adcast IPv6 multicast packet to each candidate address received from DHCP and DNS at the same time, and waits for a response from any ZoneDirector that can respond. The AP may receive multiple responses from DHCP and DNS if multiple ZoneDirector IP addresses have been configured on the DHCP server or DNS server. 5. If the AP receives a response from a single ZoneDirector device, it will attempt to register with that ZoneDirector device. 6. If the AP receives responses from multiple ZoneDirector devices, it will attempt to register with the ZoneDirector that it previously registered with (if any). This ZoneDirector can be on the same local IP subnet or a different subnet. The AP will have a preference for a ZoneDirector device that it previously registered with over a locally connected ZoneDirector. 7. If this is the first time that the AP is registering with ZoneDirector, it will attempt to register with the ZoneDirector device that has the lowest AP load. The AP computes the load by subtracting the current number of APs registered with ZoneDirector from the maximum number of APs that ZoneDirector is licensed to support. If the AP does not receive a response from any ZoneDirector device on the network, it goes into idle mode. After a short period of time, the AP will attempt to discover ZoneDirector again by repeating the same discovery cycle. The AP will continue to repeat this cycle until it successfully registers with a ZoneDirector
159. age and re-route data. Smart Mesh networks are self-organizing. When a new node appears, it becomes assimilated into the mesh network. In the Ruckus Wireless Smart Mesh network, all traffic going through the mesh links is encrypted. A passphrase is shared between mesh nodes to securely pass traffic. When deployed as a mesh network, Ruckus Wireless APs communicate with ZoneDirector through a wired LAN connection or through wireless LAN connection with other Ruckus Wireless access points. NOTE: For best practices and recommendations on planning and deploying a Ruckus Wireless Smart Mesh network, refer to Smart Mesh Networking Best Practices on page 329. Smart Mesh Networking Terms: Before you begin deploying your Smart Mesh network, Ruckus Wireless recommends getting familiar with the following terms that are used in this document to describe wireless mesh networks. Table 32. Mesh networking terms. Columns: Term; Definition. Mesh Node: A Ruckus Wireless ZoneFlex AP with mesh capability enabled. Root AP (Root Access Point): A mesh node that communicates with ZoneDirector through its Ethernet (that is, wired) interface. Mesh AP (Mesh Access Point): A mesh node that communicates with ZoneDirector through its wireless interface. eMAP (Ethernet Mesh AP): An eMAP is a mesh node that is connected to its uplink AP through a wired Ethernet cable, rather than wirelessly. eMAP nodes are used to bridge wireless LAN segments toget
160. Figure 132. The Spectrum Analysis page (panels: Instantaneous Samples View, CDF of Samples View; axes: Frequency (MHz), Power (dBm)). Neighbor APs: ZoneDirector uses several calculations to determine which APs are in proximity to one another. This information can be useful in planning or redesigning your Smart Mesh topology or in troubleshooting link performance issues. Details on neighbor APs include: Access Point: The
161. allocate up to 512 IP addresses, including the one assigned to ZoneDirector. The default value is 200. In Lease Time, select a time period for which IP addresses will be allocated to DHCP clients. Options range from six hours to two weeks (default is one week). If your APs are on different subnets from ZoneDirector, click the check box next to DHCP Option 43 to enable Layer 3 discovery of ZoneDirector by the APs. Click Apply. NOTE: If you typed an invalid value in any of the text boxes, an error message appears and prompts you to let ZoneDirector automatically correct the value. Click OK to change it to a correct value. Figure 31. The DHCP Server options.
162. an be connected to a single Mesh AP to, for example, bridge a wired LAN segment inside a building to a wireless mesh outdoors. In designing a mesh network, connecting an eMAP to a Mesh AP extends the Smart Mesh network without expending a wireless hop, and can be set on a different channel to take advantage of spectrum reuse. Figure 165. eMAP Hybrid Mesh topology. Use the Monitor > Mesh page to see a tree diagram of your Smart Mesh network. Table 33. Mesh View icons. Columns: Icon; Meaning. Root AP (RAP); Mesh AP (MAP); eMesh AP (eMAP). You can also view the role of any AP in your mesh network from the Monitor > Access Points page or from the Mesh Topology widget on the Dashboard. Deploying a Wireless Mesh via ZoneDirector: Deploying a wireless mesh via ZoneDirector involves the following steps: Step 1: Prepare for Wireless Mesh Deployment. Step 2: Enable Mesh Capability on ZoneDirector. Step 3: Provision and Deploy Mesh Nodes. Step 4: Verify That the Wireless Mesh Network Is Up. Step 1: Prepare for Wireless Mesh Deployment: Before starting with your wireless mesh deployment, Ruckus Wireless recommends performing a number of tasks that can help ens
163. ance Pre-Scanning (RAPS) setting allows pre-scanning of DFS channels in the 5 GHz band to ensure the channel is clear of radar signals prior to transmitting on the channel. If a channel is blocked by this feature, it will be listed as DFS Block Radar in the AP monitoring page. This setting affects select outdoor dual-band 802.11n AP models only and has no impact on APs that do not support the feature. The option will also only be available if the Country Code settings are configured to allow use of DFS channels (see Setting the Country Code on page 64). AeroScout RFID Tag Detection: AeroScout Tags are lightweight, battery-powered wireless devices that accurately locate and track people and assets. AeroScout Tags, which can be mounted on valuable equipment or carried by personnel, send periodic data to the AeroScout Engine, the software component of the AeroScout visibility system that produces accurate location and presence data. If you are using AeroScout Tags in your organization, you can use the APs that are being managed by ZoneDirector to relay data from the AeroScout Tags to the AeroScout Engine. You only need to enable AeroScout tag detection on ZoneDirector to enable APs to relay data to the AeroScout engine. To enable AeroScout RFID tag detection on ZoneDirector: 1. Go to Configure > Services. 2. Scroll down to the AeroScout RFID section near the
165. ant to monitor ZoneDirector's performance statistics from FlexMaster, select Enable Performance Monitoring, enter an update interval and click Apply. This option is disabled by default. Enabling Northbound Portal Interface Support: The Northbound Portal interface allows the use of DPSKs on open authentication WLANs meant for public access. By enabling the Northbound Portal Interface, a wireless service provider can provide simple but secure Wi-Fi access without pre-registration, account setup or authentication. ZoneDirector redirects authentication requests to an outside portal. If access is granted, ZoneDirector provides a unique dynamic PSK. The DPSK can be delivered in a prov.exe file, which automatically configures the user's device with the relevant wireless settings, or displayed on the portal screen for manual entry. To enable Northbound Portal interface support: 1. Go to Configure > System > Network Management. 2. Click Enable northbound portal interface support. 3. Enter a Password for API to portal communication. 4. Click Apply in the same section to save changes. 5. Configure the portal to display the key to the user or to push the prov.exe file to the client. Figure 42. Enabling Northbound Portal interface.
166. any page in the Web interface. Generating a Debug File. CAUTION: Do not start this procedure unless asked to do so by technical support staff. If requested to generate and save a debug file, follow these steps: 1. Go to Administer > Diagnostics. 2. Select the items under Debug Components as directed by Ruckus technical support, or check the box next to Debug Components to select all. If they are already selected, skip this step. 3. If you are instructed to save only log information for a specific AP or client, you can select the check box next to Debug log per AP's or client's mac address, then enter the MAC address in the adjacent field. 4. Click Apply to save your settings. 5. In the Save Debug Info section, click Save Debug Info. 6. When the File Download dialog box appears, select Save File and click OK. 7. When the Save As dialog box appears, pick a convenient destination folder, type a name for the file and click Save. 8. When the Download Complete dialog box appears, click Close. After the file is saved, you can email it to the technical support representative. NOTE: The debug (or diagnostics) file is encrypted, and only Ruckus Wireless support representatives have the proper tools to decrypt this file. Viewing Current System and AP Logs: You can display a list of recent ZoneDirector or AP activity logs from the ZoneDirector Web interface. To view ZoneDi
168. ashboard: Every time you log into ZoneDirector via the Web interface, this collection of status indicators appears. Use it as your regular network monitoring starting point. Data are blue-colored links that you can use to further drill down to focus on particular activities or devices. Real Time Monitoring: To view network traffic, resource utilization and usage statistics in real time, use the Real Time Monitoring tool, accessible via the Toolbox at the top of any page of the Web interface (see Real Time Monitoring on page 42). Monitor > Map View provides a fast scan of key network factors: APs (legitimate, neighboring and rogue), client devices and RF coverage. You can see what devices are where in your floorplan, and visually evaluate network coverage. NOTE: For Map View to work, your computer must have Java version 7 installed. If it is not installed, ZoneDirector will notify you that you need to download it. The latest version can be downloaded from www.java.com. Other Monitor tab options (incorporated in the left column's buttons) provide numeric data on WLAN performance and individual device activity. As with the Dashboard, some data entries are links that take you to more detailed information. And finally, the All Events/Activities log displays the most recent actions by users, devices and network, in chronological order. Configure: Use the options in this tab to assess the current state of WLAN users, any restricte
169. ation The AP can report RX EVM values or the RX LDPC indicator, but not both. When packet capture is invoked from the ZD UI, the software selects RX EVM values. Therefore, the RX LDPC indicator is not reported and the LDPC indicator valid bit will be zero. The RX LDPC indicator is available when invoking packet capture from the AP command line interface.
   Importing a Script
   The Upload Scripts feature can be used to help Ruckus Support in diagnosing customer network issues remotely by allowing the administrator to upload a Ruckus-created script to ZoneDirector themselves. If instructed to do so by Ruckus Support, go to Administer > Diagnostics > Import Scripts and click Choose File to upload a script to ZoneDirector.
   Enabling Remote Troubleshooting
   The Remote Troubleshooting feature allows Ruckus support personnel to connect directly to a ZoneDirector deployed at a customer's site for troubleshooting purposes. Do not enable this feature unless instructed to do so by Ruckus support.
   Figure 199: The Upload Scripts and Remote Troubleshooting features are used by Ruckus Support in diagnosing customer network issues remotely.
170. ation, open the CSV file and edit the guest pass profile by filling out the following columns:
   - Guest Name: Type the name of the guest user (one name per row).
   - Remarks: (Optional) Type any note or remarks about the guest pass.
   - Key: Type a guest pass key consisting of 1-16 alphanumeric characters. If you want ZoneDirector to generate the guest pass key automatically, leave this column blank.
   6. Go back to the Guest Information page, and then complete steps 6 to 10 in Generating and Printing Multiple Guest Passes at Once above to upload the guest pass profile and generate multiple guest passes.
   Monitoring Generated Guest Passes
   Once you have generated a pass for a guest, you can monitor and, if necessary, remove it.
   1. Go to Monitor > Generated Guest Passes.
   2. View generated guest passes.
   3. To remove a guest pass, select the check box for the guest pass.
   4. Click the Delete button.
   Figure 160: Viewing generated Guest Passes
171. ator Preferences Working with SSL Certificates
   NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if possible. If your network does not have a DNS server, you may use ZoneDirector's IP address instead. However, note that some CAs may not allow this.
   - If you wish to access ZoneDirector from a public network via the internet, you must use a Fully Qualified Domain Name (FQDN).
   - In all cases when using a familiar name, there must be an appropriate private or public DNS entry to resolve the familiar name to ZoneDirector's IP address.
   - If you use a familiar name, this name will be shown in the browser's URL whenever accessing ZoneDirector (i.e., administrator interface, standard captive portal and guest access captive portal).
   - Subject Alternative Name: (Optional) Select either IP or DNS from the menu and enter either alternative IP addresses or alternate DNS names.
   - Organization: Type the complete legal name of your organization (for example, Ruckus Wireless, Inc.). Do not abbreviate your organization name.
   - Organization Unit: (Optional) Type the name of the division, department or section in your organization that manages network security (for example, Network Management).
   - Locality/City: Type the city where your organization is legally located (for example, Sunnyvale).
   - State/Province: Type the state or province where your organization is legally located (for example, California). Do not abbreviate the state or prov
172. Viewing AP Ethernet Port Status
   You can view the status of an AP's port configuration by going to Monitor > Access Points and clicking on the MAC address of the AP.
   Figure 117: Viewing an AP's Ethernet port configuration
173. bottom of the page.
   3. Select the Enable AeroScout RFID tag detection check box.
   4. Click the Apply button in the same section to save your changes. ZoneDirector enables AeroScout RFID tag detection on all its managed APs that support this feature.
   Figure 54: AeroScout Tag detection option
   NOTE: Tag locations are not accurate if the 2.4 GHz band is noisy or if the AP setup is not optimal according to AeroScout documents. For more information on AeroScout Tags and the AeroScout Engine, refer to your AeroScout documentation.
   Ekahau Tag Detection
   Utilizing Wi-Fi wireless network as an infrastructure, the Ekahau Real Time Location System locates and tracks assets with attached Ekahau Tags. Ekahau Tags are sma
174. cally. If you want to manually review and approve the joining of new APs to the WLAN, clear this check box.
   - Limited ZD Discovery: If you have multiple ZoneDirectors on the network and want specific APs to join specific ZoneDirectors, you can limit ZoneDirector discovery. To do this, select the Limited ZD Discovery check box, and then enter the IP addresses or FQDN of the primary and secondary ZoneDirector units to which you want APs to join. When Limited ZD Discovery is enabled, APs will first attempt to join the primary ZoneDirector. If they cannot find or are unable to join the primary ZoneDirector, they will attempt to join the secondary ZoneDirector. If still unsuccessful, APs will stop attempting for a brief period of time, and then they will restart the joining process. They will repeat this process until they successfully join either the primary or secondary ZoneDirector.
   NOTE: If you have two ZoneDirectors of the same model and license level, Ruckus Wireless recommends using the Smart Redundancy feature. If you have two ZoneDirectors of different models or different license levels, you can use Limited ZD Discovery to provide limited redundancy; however, this method does not provide synchronization of the user database. For information on Smart Redundancy configuration, see Enabling Smart Redundancy on page 55. For information on N+1 redundancy using Limited ZD Discovery, see Using Limited ZD Discovery for N+1 Redundancy
175. can, if you prefer, customize the automatic scanning of RF activity, deactivate it if you feel it's not helpful, or adjust the frequency if you want scans at greater or fewer intervals. Note that Background Scanning must be enabled for ZoneDirector to detect rogue APs on the network.
   To configure Background Scanning:
   1. Go to Configure > Services.
   2. In the Background Scanning section, configure the following options:
      - Run a background scan on the 2.4 GHz radio every: Select this check box and enter the time interval (1-65535 seconds, default is 20) that you want to set between each scan.
      - Run a background scan on the 5 GHz radio every: Select this check box and enter the time interval (1-65535 seconds, default is 20) that you want to set between each scan.
   NOTE: If you want to disable Background Scanning, clear the check box; this should result in a minor increase in AP performance, but removes the detection of rogue APs from ZoneDirector monitoring. You can also decrease the scan frequency, as less frequent scanning improves overall AP performance.
   3. Click the Apply button in the same section to save your settings.
   Figure 52: Background scanning options. Two modes are available to automatically adjust AP channels for self healing and performance optimization. Background Scanning will change AP channel when interference is present. ChannelFly constantly monitors
176. canning
   Figure 53: Viewing whether Background Scanning is enabled for an AP
   Radar Avoidance Pre-Scanning
   The Radar Avoid
177. certificate that you will receive from a certificate authority.
   7. Copy the content of the signed certificate, and then paste it into a text file. Save the file. You may now import the signed certificate into ZoneDirector. Refer to the following section for instructions.
   Importing an SSL Certificate
   After you receive the signed certificate from the Certificate Authority, you must import it into ZoneDirector. To import a signed certificate:
   1. Click on the Browse button and select the file that contains the certificat
178. ces Signal Quality Verification
   Figure 201: Root Placement. Panels: roots are evenly spaced (preferred scenario); roots are clumped together.
   - If the customer's network utilizes a wireless backhaul technology for broadband access, it is recommended to not mount the broadband wireless modem right next to a Ruckus Wireless AP. A distance of 10 feet or more would be desirable.
   Signal Quality Verification
   The above guidelines for planning will result in a well designed mesh. However, it is advisable to place the APs in the planned locations temporarily, using a tripod stand or other means, and actually checking the Signal Quality throughout the mesh network. In addition, once the mesh is deployed, the Signal Quality should be periodically monitored to make sure the mesh is operating optimally. Signal Quality is a measurement of the link quality of the MAP's uplink, and is available on the ZoneDirector Web interface. To view the Signal parameter in the ZoneDirector Web interface, go to Monitor > Access Points and click on the Mesh AP being tested (click the MAC address) to see the Access Point detail screen, as shown in Figure 202 below. There are two best practice observations that should be met:
   - Ensure Signal >= 25%: The Signal value under Neighbor APs that shows Connected should be 25% or better. If it is lower, you need to bring the AP closer or move it to avoid an obstru
179. Creating a Guest WLAN
   If you want to allow guests temporary access to a controlled WLAN separate from your internal users, the first step is to create a WLAN of the type Guest Access. This WLAN can be configured to allow access only to a specific set of resources, such as ZoneDirector's Zero-IT activation address, from which users can then activate their devices to gain access to the secure internal WLANs.
   To create a Guest WLAN:
   1. Go to Configure > WLANs.
   2. Under WLANs, click Create New. The Create New WLAN form appears.
   3. Enter a Name/SSID for this WLAN that will be easy for your guests to remember (e.g., Guest WLAN). The Description field is opti
180. characters from char 33 to char 126.
   - In general, the WLAN name is the same as the advertised SSID (the name of the wireless network as displayed in the client's wireless configuration program). However, you can also separate the ESSID from the WLAN name by entering a name for the WLAN in the first field and a broadcast SSID in the second field. In this way, you can advertise the same SSID in multiple locations (controlled by the same ZoneDirector) while still being able to manage the different WLANs independently. Each WLAN name must be unique within ZoneDirector, while the broadcast SSID can be the same for multiple WLANs.
   - Description: Enter a brief description of the qualifications/purpose for this WLAN (e.g., Engineering or Voice).
   WLAN Usage Types
   Each WLAN must be configured as one of the following five usage types:
   - Standard Usage: To create a WLAN with specific options, choose Standard Usage.
   - Guest Access: Select a default Guest Access WLAN with open access and customizable encryption (see Configuring Guest Access on page 248). Guest WLANs are subject to guest access policies, such as redirection and subnet access restrictions.
   CAUTION: When Guest Access or Wireless Client Isolation (below) is enabled, the SpeedFlex Wireless Performance tool may not function properly. For example, SpeedFlex may be inaccessible to user
181. cit packets. The PIF rate limiting threshold affects the following services:
   - ARP Broadcast Filter for Mesh links (see Optional Mesh Configuration Features)
   - Proxy ARP for WLAN interfaces (see Advanced Options under Creating a WLAN)
   - Proxy ARP for Tunneled WLANs (see Tunnel Configuration)
   When Proxy ARP or ARP Broadcast Filter services are enabled, the AP attempts to reduce neighbor discovery traffic over the air by replacing broadcast messages with unicast messages for known hosts. When these packets are received for an unknown host, the Packet Inspection Filter supplements this functionality by limiting the rate at which these packets are delivered.
   Figure 58: Packet Inspection Filter
182. compromised or you need to use a stronger key. Note that a new certificate must be generated and installed afterwards.
   Figure 183: SSL Certificate Advanced Options. The options shown are:
   - Restore to Default Certificate/Private Key: If needed, you can discard the imported certificate and private key. ZoneDirector will use the factory default certificate/key after restore and reboot.
   - Back Up Private Key: If you want to apply the same certificate from this ZoneDirector to other ZoneDirectors, please back up the private key from this ZoneDirector and then apply it to other ZoneDirectors for certificate/key pairing.
   - Back Up Certificates for Smart Redundancy: If you want to apply the same certificate and private key from this ZoneDirector to peer ZoneDirectors, please back up the certificate from this ZoneDirector and then apply it to peer ZoneDirectors.
   - Re-generate private key of a specific key length: Re-generate a new private key of a specific key length. This function is only needed when your certificate vendor only accepts 2048 key length instead of 1024 key length. Warning: The ZoneDirector will be rebooted after re-generating a new private key. Private key length: 1024 or 2048.
   Wildcard Certificate Installation
   A wildcard certificate is a generic certificate that can be used for devices in a speci
183. configurable.
   - Protocol: Enter a network protocol number (0-254), as defined by the IANA (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml), to allow or deny. Otherwise, select Any.
   - Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80-443).
   8. Click OK to save the ACL.
   9. Repeat these steps to create up to 32 L3/L4/IP address based access control rules.
   Figure 63: Configuring an L3/L4 access control list
   Configuring Device Access Policies
   In response to the growing numbers of personally owned mobile devices, such as smart phones and tablets, being brought into the network, IT departments are requiring more sophisticated control over
184. ction such that the Signal value becomes 25% or better. For a more conservative design, you may use 35% as your Signal benchmark.
   - Ensure Minimum 2 Uplink options for every MAP: In addition, under Neighbor APs, it is best practice that there exists an alternate path for this mesh uplink. This alternate path should also have a Signal of 25% or better. Stated differently, there should be at least 2 possible links that the MAP can use for uplink, and both should have a Signal value of 25% or better. For a more conservative design, you may use 35% as your Signal benchmark.
   Figure 202: Check the signal quality from the ZoneDirector Web interface
185. ction configuration, which may include the importation of certificates.
   Using the Built-in EAP Server
   (Requires the selection of Local Database as the authentication server.) If you are re-configuring your internal WLAN to use 802.1X/EAP authentication, you normally have to generate and install certificates for your wireless users. With the built-in EAP server and Zero-IT Wireless Activation, certificates are automatically generated and installed on the end user's computer. Users simply follow the instructions provided during the Zero-IT Wireless Activation process to complete this task (see Self Provisioning Clients with Zero IT on page 236). Once this is done, users can connect to the internal WLAN using 802.1X/EAP authentication.
   Authenticating with an External RADIUS Server
   You can also use an external RADIUS server for your wireless client 802.1X/EAP authentication. An EAP-aware RADIUS server is required for this application. Also, you might need to deploy your own certificates for wireless client devices and for the RADIUS server you are using. In this case, ZoneDirector works as a bridge between your wireless clients and the RADIUS server during the wireless authentication process. ZoneDirector allows wireless clients to access the networks only after successful authentication of the wireless clients by the RADIUS server. For information on configuri
186. d enter a Privacy phrase between 8 and 32 characters in length.
   4. Click Apply to save your changes.
   Figure 44: Enabling the SNMPv3 agent
   Enabling SNMP Trap Notifications
   If you have an SNMP trap receiver on the network, you can configure ZoneDirector to send SNMP trap notifications to the server. Enable this feature if you want to automatically receive notifications for AP and client events that indicate possible network issues (see Trap Notifications That ZoneDirector Sends on page 78).
   To enable SNMP trap notifications:
   1. In the Network Management section of the System page, scroll down to the bottom of the page. Under SNMP Trap, select the Enable SNMP Trap check box. In SNMP Trap format, select either SNMPv2 or SNMPv3. You can select only one type of trap receiver.
      - If you select SNMPv2, you only need to enter the IP addresses of up
187. d WLANs, along with the settings for guest access, user roles, etc. You can also combine this tab's options with those in the Administer tab to perform system diagnostics and other preventive tasks.
   Importing a Map View Floorplan Image
   If your Ruckus ZoneDirector does not display a floorplan for your worksite when you open the Monitor tab Map View, you can import a floorplan and place AP markers in relevant locations by following the steps outlined in this section. The sample floorplan image cannot be deleted, but it can be replaced with an actual floorplan image file and relabeled. Then you can add additional floorplan maps for additional locations or floors. You can import an unlimited number of floorplan images to ZoneDirector. However, the total file size of all imported floor maps is limited to 2MB on ZoneDirector 1100 and 10MB on ZoneDirector 3000/5000. An error message appears when these file size limits are reached. Additionally, the maximum file size per floorplan image is 512kb (200kb or smaller is recommended).
   Requirements
   - A floorplan image in GIF, JPG or PNG format
   - The image should be monochrome or grayscale.
   - The file size should be no larger than 200kb in size.
   - The floorplan image should be ideally no larger than 10 inches (720 pixels) per side.
   Importing the Floorplan Image
   1. Go to Configure > Maps.
   2. Click Create New. Th
188. d have the capacity and reliability required for your enterprise applications. The best practices are summarized below as a checklist for quick review:
   1. Do not mix 802.11n with 802.11g APs in your mesh. They will NOT mesh. Additionally, dual-band 11n APs will not mesh with single-band 11n APs. To ensure your APs will mesh with each other, ensure they are all of the same radio type: either all 802.11g, all 802.11n single-band, or all 802.11n dual-band APs.
   2. Avoid an excessive number of hops. Ideally, keep hop count to 3 or less.
   3. Having more RAPs is better for performance. Ensure that there are RAPs near the middle of a coverage area so as to minimize the number of hops to reach a given MAP. Where possible, ensure that the RAPs are distributed evenly throughout the coverage area, rather than clumped together. Once the APs are mounted (on a test basis or permanently), use the Signal quality measurement to ensure that the uplink signal quality from MAP to RAP is 25% or better. Ideally, there should be at least one alternate uplink path for each MAP for reliability, and the signal quality of that alternate path should also be 25% or better.
189. d on all guest WLANs Therefore
   - Profile (csv): If you have created a Guest Pass Profile (see Creating a Guest Pass Profile on page 263), use this option to import the file.
   - Sharable: Select this option if you want to allow multiple users to share a single guest pass. This option will only be available if you allowed multiple users to share a single guest pass on the Configure > Guest Access page.
   - Session: Enable this check box and select a time increment after which guests will be required to log in again. If this feature is disabled, connected users will not be required to re-log in until the guest pass expires.
   Figure 159: Generating multiple guest passes at once
   If you want to be able to identify the guest pass users by their names (for monitoring or auditing purposes in a hotel setting, for example), click Choose File and upload a guest pass profile instead. See Creating a Guest Pass Profile below for more information. Click Next. The Guest Pass Generated page appears, displaying the guest pass user names and expiration
190. d to create a WLAN group.
   NOTE: A default WLAN group called Default exists. The first 27 WLANs that you create are automatically assigned to this Default WLAN group.
   NOTE: A WLAN Group can include a maximum of 27 member WLANs. For dual radio APs, each radio can be assigned to only one WLAN Group (single radio APs can be assigned to only one WLAN Group).
   The maximum number of WLAN groups that you can create depends on the ZoneDirector model.
   Figure 91: Maximum number of WLAN groups by ZoneDirector model
      ZoneDirector Model     Max WLAN Groups
      ZoneDirector 1100      128
      ZoneDirector 3000      1024
      ZoneDirector 5000      2048
   Creating a WLAN Group
   1. Go to Configure > WLANs.
   2. In the WLAN Groups section, click Create New. The Create New form appears.
   3. In Name, type a descriptive name that you want to assign to this WLAN group. For example, if this WLAN will contain WLANs that are designated for guest users, you can name this as Guest WLAN Group.
   4. In Description (optional), type some notes or comments about this group.
   5. Under Group Settings, select the check boxes for the WLANs that you want to be part of this WLAN group.
   6. In the VLAN override settings, choose whether to override the VLAN configured for each member WLAN. Available options include:
      - No Change: Click this option if you want the WLAN to keep the same VLAN tag (default: 1).
191. dary controller.
   12. Click Apply to save your changes.
   13. Reboot the backup/secondary ZoneDirector for all changes to take effect (Administer > Restart > Restart).
   The imported APs will be placed into AP Groups according to the settings that were backed up from the primary controller. If the original AP Group or WLAN Group name does not exist on the destination controller, the AP will be placed in the System Default AP Group/WLAN Group. Additionally, you must make sure that the maximum number of APs is not exceeded.
   Table 27: Max APs by ZoneDirector model
      Model                  Max APs per controller
      ZoneDirector 1100      150
      ZoneDirector 3000      500
      ZoneDirector 5000      1000
   Importing a USB Software Package
   Ruckus ZoneFlex Access Points with USB ports (SmartPoint APs) can be configured to support a range of 3G/4G/LTE and WiMAX wireless USB devices for non-WiFi wireless connection to a service provider's network. The ZoneDirector Web interface allows administrators to provision SmartPoint APs with the USB device configuration files directly through ZoneDirector, providing a simple and straightforward provisioning process with minimal human intervention required. Provisioning requires that the SmartPoint Access Points must be connected to the ZoneDirector (acting as the provisioning server) over the wired network. After an AP is provisioned, an automatic 3G 4G LTE WiM
192. dentally deleted when you customize the guest pass printout.
   Table 31: Tokens that you can use in the guest pass printout
      Token: GP_GUEST_NAME. Description: Guest pass user name.
      Token: GP_GUEST_KEY. Description: Guest pass key.
      Token: GP_IF_EFFECTIVE_FROM_CREATION_TIME. Description: If you set the validity period of guest passes to Effective from the creation time (in the Guest Pass Generation section), this token shows when the guest pass was created and when it will expire.
      Token: GP_ELSEIF_EFFECTIVE_FROM_FIRST_USE. Description: If you set the validity period of guest passes to Effective from first use (in the Guest Pass Generation section), this token shows the number of days during which the guest pass will be valid after activation. It also shows the date and time when the guest pass will expire if not activated.
      Token: GP_ENDIF_EFFECTIVE. Description: This token is used in conjunction with either the GP_ELSEIF_EFFECTIVE_FROM_FIRST_USE or GP_ENDIF_EFFECTIVE token.
      Token: GP_VALID_DAYS. Description: Number of days for which the guest pass is valid.
      Token: GP_VALID_TIME. Description: Date and time when the guest pass expires.
      Token: GP_GUEST_WLAN. Description: Name of WLAN that the guest user can access.
   Deploying a Smart Mesh Network
   In This Chapter: Overview of Smart Mesh Networking
193. Figure 191. Multi-Hop SpeedFlex test results
Allowing Users to Measure Their Own Wireless Throughput
ZoneDirector provides another version of the SpeedFlex Wireless Performance Test application that does not require authentication. This version can be accessed at http://{zonedirector-ip-address}/perf. If you want wireless users to be able to measure their own wireless throughput, you can provide this link to them along with the instructions below. Before sending out these instructions, remember to replace the {zonedirector-ip-address} variable with the actual ZoneDirector IP address.
How to Measure the Speed of Your Wireless Connection
The following instructions describe how you can use SpeedFlex, a wireless performance test tool from Ruckus Wireless, to measure the speed of your wireless connection to your access point.
   1. Make sure that your wireless device is connected only to the wireless network. If your wireless
194. ding its IP address, MAC address, model number, maximum number of licensed APs, serial number, software version number, and others.
   • Devices Overview: Shows the number of APs being managed by ZoneDirector, the number of authorized clients, and the total number of clients connected to the managed APs (authorized and unauthorized). It also shows the number of rogue devices that have been detected by ZoneDirector.
   • Usage Summary: Shows usage statistics for the last hour and the last 24 hours.
   • Mesh Topology: Shows the mesh status and topology of all APs connected via mesh uplinks or downlinks.
   • Most Active Client Devices: Identifies the most active clients by MAC address, IP address and user name. Bandwidth usage is calculated in megabytes (MB) and is based on the total number of bytes sent (Tx) and received (Rx) by each client from the time it associated with the managed AP.
   • Most Recent User Activities: Shows activities performed by users on client machines.
   • Most Recent System Activities: Shows system activities related to ZoneDirector operation.
   • Most Frequently Used Access Points: Lists the access points that are serving the most client requests.
   • Currently Active WLANs: Shows details of currently active ZoneDirector WLANs.
   • Currently Active WLAN Groups: Shows details of available WLAN groups. If you have not created any WLAN groups, only the Default WLAN group appears.
   • Currently Managed APs: Shows details of access points that Zon
195. ding red X icon
[Screenshot: the ZoneDirector Dashboard, showing the System Overview, Currently Managed APs, Currently Active WLANs, Most Active Client Devices, Usage Summary and Support widgets]
196. dio frequency at a time, every 20 seconds or so. To manually start a complete radio frequency scan that assesses all possible frequencies in all devices at one time, follow these steps:
   1. Go to Administer > Diagnostics.
   2. When the Diagnostics page appears, look for the Manual Scan options, and then click Scan.
      CAUTION: This operation will interrupt active network connections for all current users.
   3. Open the Dashboard or go to Monitor > Map View to review the scan results. This will include rogue device detection and an updated coverage evaluation.
Figure 192. The Diagnostics page
197. dit in the Default role row.
   3. In the Policies options, clear the Allow Guest Pass Generation check box.
   4. Click OK to save your settings. Users with default roles no longer have guest pass generation privileges.
Creating a Guest Pass Generation User Role
To create a guest pass generator role that can be assigned to authorized users, follow these steps:
   1. Go to Configure > Roles.
   2. In the Roles table, click Create New.
   3. When the Create New features appear, make these entries:
      • Name: Enter a name for this role (e.g., Guest Pass Generator).
      • Description: Enter a short description of this role's application.
      • Group Attributes: This field is only available if you choose Active Directory as your authentication server. Enter the Active Directory User Group names here. Active Directory users with the same group attributes are automatically mapped to this user role.
      • Allow All WLANs: You have two options: (1) allow all users with this role to connect to all WLANs, or (2) limit this role's users to specific WLANs, and then pick the WLANs they can connect to.
        NOTE: When creating a guest pass generator Role, you must ensure that this Role is given access to the Guest WLAN. If you create a Role and allow guest pass generation, but do not allow the Role access to the relevant WLAN, members of the Guest Pass Generator Role will still be unable to generate guest passes for the Guest WLAN.
      • Guest Pass: If you want users wi
198. e click the Network Management link to expand the section.
   4. Under FlexMaster Management, select the Enable management by FlexMaster check box.
   5. In URL, type the FlexMaster DNS host name or IP address of the FlexMaster server.
   6. In Interval, type the time interval in minutes at which ZoneDirector will send status updates to the FlexMaster server. The default interval is 15 minutes.
   7. Click Apply. The message Setting Applied appears.
You have completed enabling FlexMaster management on ZoneDirector. For more information on how to configure ZoneDirector from the FlexMaster Web interface, refer to the FlexMaster documentation.
Figure 41. The FlexMaster Management options
Monitoring ZoneDirector Performance from FlexMaster
If you w
199. e in PEM format to upload it.
   2. If there are no intermediate CA certificates, then click on the Import button to install the uploaded certificate.
      NOTE: If the certificate does not match the currently installed private key, you will be prompted to upload the correct private key.
Figure 181. Importing a signed SSL Certificate
   3. If your ZoneDirector certificate was issued by an intermediate CA, then you must also import the intermediate CA's certificate, as well as all other intermediate CA certificates in the path to the root CA. In that event, you would receive intermediate CA certificate download instructions from the certificate vendor. To import an intermediate certificate:
      • After selecting the end certificate, click on the intermediate certificate import option.
      • Click on the Import button to reveal the Import
200. e on ZoneDirector. This table lists all current user accounts, along with basic details. You can add, edit or delete user accounts. You can also click the Print button to print out the First time Wireless Network Connection Guide for the user.
Managing Current User Accounts
ZoneDirector allows you to review your current user roster on the internal user database and to make changes to existing user accounts as needed.
Changing an Existing User Account
   1. Go to Configure > Users.
   2. When the Users features appear, locate the specific user account in the Internal User Database panel, and then click Edit.
   3. When the Editing [user name] form appears, make the needed changes.
   4. If a role must be replaced, open that menu and choose a new role for this user. (For more information, see Creating New User Roles on page 240.)
   5. Click OK to save your settings. Be sure to communicate the relevant changes to the appropriate end user.
Deleting a User Record
   1. Go to Configure > Users.
   2. When the Users screen appears, review the Internal User Database.
   3. To delete one or more records, click the check boxes next to those account records.
   4. Click the now active Delete button mo
201. e to have ZoneDirector automatically generate a WEP key.
   • Passphrase (WPA-PSK methods only): Click in this field and type the text of the passphrase used for authentication.
Options
   • Web Authentication (available only with Open authentication): Click the check box to require all WLAN users to complete a Web-based login to this network each time they attempt to connect (see Activating Web Authentication on page 244).
   • Authentication Server: When Web Authentication is active, use this option to designate the server used to authenticate Web-based user login. When 802.1X or MAC Address authentication is active, use this option to designate the server used to authenticate users (without Web authentication). Options include Local Database, RADIUS server, Active Directory and LDAP. When one of these authentication server types is selected (other than Local Database), you will need to point ZoneDirector to the proper authentication server configured on the Configure > AAA Servers page (see Using an External Server for User Authentication on page 243).
   • Wireless Client Isolation: Enable Wireless Client Isolation to prevent all communication between WLAN clients and other local resources, unless they are specifically allowed in a white list. A Client Isolation White List must first be created on the Configure > Access Control page before appearing here (see Configuring Client Isolation White Lists on page 108).
202. e 305
NOTE: For information on how to authenticate administrators using an external authentication
   • Allow All WLANs: You have two options: (1) Allow Access to all WLANs, or (2) Specify WLAN Access. If you select the second option, you must specify the WLANs by clicking the check box next to each one. This option requires that you create WLANs prior to setting this policy. See Creating a WLAN on page 140.
   • Guest Pass: If you want users with this role to have the permission to generate guest passes, enable this option.
     NOTE: When creating a guest pass generator Role, you must ensure that this Role is given access to the Guest WLAN. If you create a Role and allow guest pass generation, but do not allow the Role access to the relevant WLAN, members of the Guest Pass Generator Role will still be unable to generate guest passes for the Guest WLAN.
   • Administration: This option allows you to create a user role with ZoneDirector administration privileges, either full access or limited access.
   5. When you finish, click OK to save your settings. This role is ready for assignment to authorized users.
   6. If you want to create additional roles with different policies, repeat this procedure.
Figure 144. The Create New form for adding a role
203. e Configure > Roles page, create a Role named Student and enter student in the Group Attributes field. Then you can select which WLANs you want this Role to have access to, and decide whether this Role should have Guest Pass generation privileges and ZoneDirector administration privileges. From here on, any user associated to the Group student will be given the same privileges when he/she is authenticated against your LDAP server.
To configure user roles based on LDAP group:
   1. Point ZoneDirector to your LDAP server:
      • Go to Configure > AAA Servers.
      • Click Edit next to LDAP.
      • Enter IP address, Port number, Admin DN and Password.
   2. Enter the Key Attribute (default: uid).
   3. Click OK to save this LDAP server.
   4. In Test Authentication Settings, enter the User Name and Password for a known member of the relevant group.
   5. Click Test.
   6. Note the Groups associated with this user.
Figure 77. Test authentication settings
   7. Go to Config
204. e Create New form appears.
   3. In Name, type a name to assign to the floorplan image that you will be importing. Type a description as well, if preferred.
   4. Click Browse. The Choose File dialog box appears.
   6. Browse to the location of the floorplan image file, select the file, and then click Open to import it. If the import is successful, a thumbnail version of the floorplan will appear in the Map Image area.
Go to Monitor > Map View to see this image. You can now use the Map View to place the Access Point markers.
Figure 125. The Create New form for importing a floorplan image (the form states that floorplan images should be no larger than 720x720 pixels and must be in PNG, GIF or JPG format, and that the maximum allowable total size is 2 MB)
Placing the Access Point Markers
After using the Configure > Maps options to import your floorplan image, you can use the Monitor tab's Map View to distribute markers that represent the APs to the correct locations. This will give you a pow
205. e Options dialog box appears. Under Available Options, look for the 15 DNS Domain Name check box, and then select it. In the String value text box under Data Entry, type your company's domain name. Click Apply to save your changes. Click OK to close the Scope Options dialog box.
Figure 7. Select the 015 DNS Domain Name check box, and then type your company domain name in String value
Step 2: Set the DNS Server IP Address on the DHCP Server
   1. From Windows Administrative Tools, open DHCP, and then select the DHCP server you want to configure.
   2. If the Scope folder is collapsed, click the plus sign to expand it.
   3. Right-click Scope Options, and then click Configure Options. The General tab of the Scope Options dialog box appears.
   4. Under Available Options, look for the 6 DNS Servers check box, and then select it. In the IP address box under Data Entry, type your DNS server's IP address, and then click Add. If you have multiple DNS servers on the network, repeat the same procedure to add the oth
206. [Screenshot: the Currently Active Clients page and its Events/Activities list]
Currently Active Clients: This table lists all currently connected client devices. Only those devices with a status of authorized are permitted access to the network. To prevent an unauthorized client from attempting to connect to your network, click Block. To troubleshoot a problematic connection, click Delete. That client can then reconnect to the WLAN.
207. e accounting update interval in Send Interim Update every x minutes. Valid Interim Update values are 0-1440. Setting the value to 0 disables periodic interim updates to the accounting server, but client IP changes are still sent to the RADIUS Accounting server.
   • Access Controls: Toggle this drop-down list to select Access Control Lists (L2 or L3/L4), Device Policy and Precedence Policy to apply to this WLAN. An access control entry must be created before being available here. For more information, see Controlling Network Access Permissions on page 103.
   • Call Admission Control: (Disabled by default.) Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. When enabled, the AP announces in beacons if admission control is mandatory or not for various access categories and admits only the traffic streams it can support based on available network resources. When network resources are not sufficient to provide this level of performance, the new traffic stream is not admitted. Call Admission Control is effective only when both AP and the client support WMM-AC. Ruckus APs are capable of handling hundreds of simultaneous clients, but when it comes to VoIP traffic, the number of VoIP calls needs to be policed to ensure adequate voice/video quality. Ruckus recommends limiting bandwidth allocation to six calls (four active calls and two reserved for roaming) on the 2.4 GHz radio and 10 calls on the 5 GHz radio seve
208. e are no APs selected to capture packets. Please select APs from the left table.
Figure 198. Click Start to begin packet capture; click Remove to remove APs from the list
Using Ruckus Custom Indicators
Packets captured on Ruckus APs include some information that is not available when capturing from other Wi-Fi devices. This additional information is stored in the Per-Packet Information (PPI) header that precedes the over-the-air content. Troubleshooting Packet
209. e correct wireless setting on his/her computer.
   4. To manually configure 802.1X EAP settings for non-EAP capable client use, use the wireless settings generated by ZoneDirector.
Working with WLAN Groups
WLAN groups are used to specify which APs provide which WLAN services. If your wireless network covers a large physical environment (for example, multi-floor or multi-building office) and you want to provide different WLAN services to different areas of your environment, you can use WLAN groups to do this. For example, if your wireless network covers three building floors (1st Floor to 3rd Floor) and you need to provide wireless access to visitors on the 1st Floor, you can do the following:
   1. Create a WLAN service (for example, Guest Only Service) that provides guest-level access only.
   2. Create a WLAN group (for example, Guest Only Group), and then assign Guest Only Service (WLAN service) to Guest Only Group (WLAN group).
   3. Assign APs on the 1st Floor (where visitors need wireless access) to your Guest Only Group.
Any wireless client that associates with APs assigned to the Guest Only Group will get the guest-level access privileges defined in your Guest Only Service. APs on the 2nd and 3rd Floors can remain assigned to the Default WLAN Group and provide normal-level access.
NOTE: Creating WLAN groups is optional. If you do not need to provide different WLAN services to different areas in your environment, you do not nee
210. e following procedure:
   1. Go to Configure > WLANs.
   2. Locate the Bypass Apple CNA Feature section at the bottom of the page.
   3. Select any or all of the following WLAN types for which you want to bypass the Apple CNA feature:
      • Web Authentication
      • Guest Access
      • Hotspot service
   4. Click Apply to save your changes.
Figure 106. Enabling the Bypass Apple CNA Feature
211. e from the drop-down menu.
   6. Send a notification to the user with instructions on how to re-configure their client and log into the WLAN again. At the end of this process, the user should be reconnected. If problems persist, they may originate in Windows or in the wireless network adapter.
Measuring Wireless Network Throughput with SpeedFlex
SpeedFlex is a wireless performance tool included in ZoneDirector that you can use to measure the downlink throughput between ZoneDirector and a wireless client, ZoneDirector and an AP, and a wireless client and an AP. When performing a site survey, you can use SpeedFlex to help find the optimum location for APs on the network with respect to user locations.
CAUTION: Before running SpeedFlex, verify that the Guest Usage and Wireless Client Isolation options (on the Configure > WLANs > Editing [WLAN Name] page) are disabled. The SpeedFlex Wireless Performance tool may not function properly when either or both of these options are enabled. For example, SpeedFlex may be inaccessible to users at http://{zonedirector-ip-address}/perf, or SpeedFlex may prompt you to install the SpeedFlex application on the target client even when it is already installed.
NOTE: The following procedure describes how to run SpeedFlex from the ZoneDirector Web interface to measure a wireless client's throughput. For instructions on
212. e the order in which rules are implemented, click the up or down arrows in the Action column. You can also Edit or Clone rules from the Action column. To delete a rule, select the box next to the rule and click Delete. Click OK to save the access policy. You can create up to 32 access policies (one access policy per WLAN).
Figure 64. Creating a Device Access Policy
213. e users, one-time login, time-limited multiple logins for a single guest user, or can be configured so that a single guest pass can be shared by multiple users. Additionally, they can be batch generated if many short-term guest passes need to be created frequently. For more information on Guest Pass configuration, see Working with Guest Passes on page 255.
NOTE: ZoneDirector 1100 can support up to 1,250 combined total users and guest passes in the internal database. ZoneDirector 3000 (licensed up to 250 APs) can support up to 5,000 total users and guest passes, while ZoneDirector 3000 (licensed from 300 to 500 APs) can support up to 10,000. ZoneDirector 5000 can support up to 1,000 APs and 20,000 users. When the maximum number of PSKs that ZoneDirector supports has been reached, the Web interface may be slower in responding to requests.
Configuring System-Wide Guest Access Policies
The Enable Guest Access options allow the administrator to define the system-wide guest access policies. You can require guests to validate their guest pass, accept terms of use, and be redirected to a URL you specify.
   1. Go to Configure > Guest Access. The Guest Access page appears.
   2. Under Enable Guest Access, select the Authentication type to use:
      • Use guest pass authentication: Redirect the user to a page requiring a valid guest pass before allowing the user to use the g
214. eDirector is currently managing.
   • Currently Managed AP Groups: Shows details of the System Default and user-defined AP groups. Click the button next to an AP group to expand the group to display all members of the AP group.
   • Support: Shows contact information for Ruckus Wireless support.
   • Most Active Client Devices: Shows the top five clients in terms of usage, their IP addresses and MAC addresses, and the user name.
   • Smart Redundancy: Displays the status of primary and backup ZoneDirector devices, if configured.
   • AP Activities: Shows a list of recent log events from APs.
   • Client Device Type: Displays a pie chart of currently connected client devices by OS type, as a percentage of the total.
Adding a Widget
To add a widget:
   1. Go to the Dashboard.
   2. Click the Add Widgets link, located at the bottom left corner of the Dashboard page.
Figure 13. The Add Widgets link is at the bottom left corner of the Dashboard
215. eb interface pages.
   • Help and Log Out: Clicking Help launches the online Help, which is an HTML-based subset of the information contained in this User Guide. Click Log Out to exit the Web interface.
Navigating the Dashboard
The Dashboard offers a number of self-contained indicators and tables that summarize the network and its current status. Some indicators have fields that link to more focused, detailed views on elements of the network.
Figure 12. The Dashboard
216. ection and manually set the mesh nodes to which an AP can connect. Note that in most situations, Ruckus Wireless recommends against manually changing the roles of APs in a mesh, because it can result in isolated Mesh APs.
Figure 173. Setting Uplink Selection to Manual
CAUTION: Do not manually set a Mesh AP as a Root AP. Only APs that are connected to ZoneDirector via Ethernet and on the same LAN segment should be configured as Root APs. Misconfiguring a Mesh AP or an eMAP as a Root AP can cause the AP to become isolated, or in the case of eMAP, can result in a network loop.
To set the mesh uplink for an AP manually:
   1. On the ZoneDirector Web interface, click the Configure tab.
   2. On the menu, click Access Points.
   3. In the Access Points table, find the AP you want to restrict and click Edit under the Actions column. The editing for
217. ector. 3. The AP can hear the other AP at a minimum of 50dB, which means the Access Points are very close to each other. Note that the 2.4G and 5G radio bands are considered independently. If all conditions are met, the AP will reduce its power by half. The other AP may or may not necessarily reduce its power simultaneously. In general, Ruckus does NOT recommend enabling this feature, as it can lead to non-optimal AP power levels. With BeamFlex access points, Ruckus general guidelines are to run access points at full power to maximize the throughput and SINR levels, thus maximizing data rates and performance. Automatic Channel Selection. ZoneDirector offers two methods of automatic channel selection for spectrum utilization and performance optimization: ChannelFly and Background Scanning. While Background Scanning must be enabled for rogue AP detection, AP location detection and radio power adjustment, either can be used for automatic channel optimization. ChannelFly. The main difference between ChannelFly and Background Scanning is that ChannelFly determines the optimal channel based on real-time statistical analysis of actual throughput measurements, while Background Scanning uses channel measurement and other techniques to estimate the impact of interference on Wi-Fi capacity based on progressive scans of all available channels. NOTE
218. ed a manual static IP address. If you configured ZoneDirector to obtain its IP address from another DHCP server on the network, the options for the built-in DHCP server will not be visible on the System Configuration page. Configuring System Settings: Configuring the Built-in DHCP Server. Enabling the Built-in DHCP Server. NOTE: Ruckus Wireless recommends that you only enable the built-in DHCP server if there are no other DHCP servers on the network. ZoneDirector's internal DHCP server can service only a single subnet (the one it's in) and not other VLANs that may be associated with client WLANs. If you enable the built-in DHCP server, Ruckus Wireless also recommends enabling the rogue DHCP server detector. For more information, refer to Rogue DHCP Server Detection on page 101. 1. Click the Configure tab. The System page appears. 2. Under the DHCP Server section, select the Enable DHCP check box. 3. In Starting IP Address, type the first IP address that the built-in DHCP server will allocate to DHCP clients. The starting IP address must be on the same subnet as the IP address assigned to ZoneDirector. If the value that you typed is invalid, an error message appears and prompts you to let ZoneDirector automatically correct the value. Click OK to automatically correct the entry. In Number of IPs, type the maximum number of IP addresses that you want to allocate to requesting clients. The built-in DHCP server can
219. ed to the ZoneDirector and APs. Tagging Management Traffic to a VLAN. Assigning management traffic to a specific management VLAN can provide benefits to the overall performance and security of a network. If your network is designed to segment management traffic to a specific VLAN and you want to include ZoneDirector's AP management traffic in this VLAN, you can set the parameters in the ZoneDirector system configuration. NOTE: Assigning management traffic to a VLAN makes automatic AP provisioning more complicated and should not be undertaken without a thorough understanding of your own network configuration as well as the ZoneFlex wireless deployment. Configuring a management VLAN is not required. Access ports in a native VLAN can be used as the management VLAN rather than actually configuring a management VLAN. To assign ZD AP management traffic to a management VLAN: 1. Go to Configure > Access Points. 2. In Access Point Policies, click VLAN ID next to Management VLAN and enter the VLAN ID in the field provided. 3. Click Apply to save your settings. 4. Go to Configure > System. 5. In Device IP Settings, enter the VLAN ID in the Access VLAN field. 6. If you are using an additional management interface for ZoneDirector, enter the same ID in the Access VLAN field for the additional management interface. 7. Click Apply to save your settings. NOTE: ZoneDirector will need to be rebooted after changing management VLAN setti
220. een upgraded and the license levels match, the Smart Redundancy indicator displays Active Connected or Standby Connected. Troubleshooting. Troubleshooting Failed User Logins. SUMMARY: This troubleshooting topic addresses the problems that network users might have with configuring their client devices and logging into your ZoneFlex WLAN. Upon the completion of the Setup Wizard, ZoneDirector automatically activates a default internal WLAN for authorized users. A key benefit of the internal WLAN is the Zero IT configuration, which enables new users to self-activate their wireless client devices with lit
221. efault settings: 1. Go to Administer > Backup. 2. When the Backup Restore page appears, look for Restore Factory Settings and click the button. 3. Owing to the drastic effect of this operation, one or more confirmation dialog boxes will appear. Click OK to confirm this operation. 4. When this process begins, you will be logged out of the Web interface. 5. When the reset is complete, the Status LED is blinking green, indicating that the system is in the factory default state. After you complete the Setup Wizard, the Status LED will be steady green. Figure 179. The Restore to Factory Settings section [screenshot: the Back up / Restore page with the Back Up Configuration, Restore Configuration and Restore to Factory Settings sections]. Alternate Factory
222. el Mode is enabled. DHCP Relay only applies to Tunnel Mode WLANs. Typically, when mobile stations acquire IP addresses through DHCP, the DHCP request and acknowledgement traffic is broadcast to any devices in the same Layer 2 environment. With Tunnel Mode WLANs, this traffic flood is wasteful in terms of bandwidth and computing power. When DHCP Relay is enabled on a WLAN, the ZoneDirector relay agent converts DHCP Discover/Request traffic to unicast UDP packets and sends them to the DHCP servers, then delivers DHCP Offer/Ack messages from the DHCP server back to the client. The traffic flow is as follows: 1. Client sends DHCP discover broadcast. 2. AP tunnels this DHCP discover frame to ZoneDirector. 3. DHCP Relay Agent sends unicast DHCP discover packet to DHCP server. 4. DHCP server sends DHCP offer to Relay Agent on ZoneDirector. 5. ZoneDirector sends DHCP Offer back to the AP. 6. AP sends this Offer to client. By reducing broadcast flooding, this option allows for higher client capacity in tunneled WLANs designed for VoIP phones, for example. It also allows for DHCP discovery across multiple subnets and limits DHCP broadcasts to client's AP tunnel and radio. To configure DHCP Relay for tunneled WLANs: 1. Go to Configure > DHCP Relay. 2. Click Create New. 3. Enter a Name and IP address for the server. 4. Click OK to save your changes. The new server appears in the list.
223. eless bandwidth has to be shared between the uplink and the downlink. This degrades performance of a Mesh AP as compared to a Root. This problem is mitigated somewhat by dual radio APs, when the uplink and downlink traffic can be sent/received on two separate radios. Placement and Layout Considerations. Utilize two or more RAPs: To prevent having a single point of failure, it is always best to have 2 or more RAPs so that there are alternate paths back to the wired network. More roots are better: The more Root APs in the design, the higher the performance. Therefore, as far as possible, try to wire as many APs as is convenient. Design for max 3 hops: Avoid an excessive number of hops in your mesh topology. In general, the goal should be to have the lowest number of hops, provided other considerations like Signal > 25 are met. Limiting the number of hops to 3 or less is best practice. Place a Root towards the middle of a coverage area to minimize the hops required to reach some MAPs. If there are multiple Roots, ensure that the Roots are distributed evenly throughout the coverage area, not clumped up close together in one area. Shown in Figure 201 is an ideal scenario along with a not-so-ideal scenario. Of course, the whole purpose of mesh is to provide coverage in areas that are hard to wire; therefore the ideal may not be possible. But as far as possible, evenly spaced Root APs are preferable.
224. ement applications, so that existing management applications can still be used to manage ZoneDirector with SNMPv3 enabled. NOTE: For a list of the MIB variables that you can get and set using SNMP, check the related SNMP documentation on the Ruckus Wireless Support Web site at http://support.ruckuswireless.com/documents. If your network uses SNMPv2. To enable SNMPv2 management: 1. Go to Configure > System. Scroll down to the bottom of the page and click the Network Management link to open the Network Management section. 2. Under the SNMPv2 Agent section, select the Enable SNMP Agent check box. 3. Enter the following information. SNMP RO community (required): set the read-only community string. Applications that send SNMP Get Requests to ZoneDirector to retrieve information will need to send this string along with the request before they will be allowed access. The default value is public. SNMP RW community (required): set the read-write community string. Applications that send SNMP Set Requests to ZoneDirector to set certain SNMP MIB variables will need to send this string along with the request before they will be allowed access. The default value is private. System Contact: type your email address (optional). System Location: type the location of the ZoneDirector device (optional). 4. Click Apply to save your changes.
225. entication, Authorization and Accounting protocol used to authenticate ZoneDirector administrators. ZoneDirector admins can be assigned any of the same three administration privilege levels that can be set manually on the Configure > Roles page. Super Admin: Perform all configuration and management tasks. Operator Admin: Change settings affecting single APs only. Monitoring Admin: Monitoring and viewing operation status only. TACACS+ is an extensible AAA protocol that provides customization and future development features, and uses TCP to ensure reliable delivery. The daemon should listen at port 49, which is the login port assigned for the TACACS protocol. To authenticate ZoneDirector admins using a TACACS+ AAA server: 1. Go to Configure > AAA Servers. 2. In Authentication/Accounting Servers, click Create New. 3. Enter a Name for the TACACS+ server and select TACACS+ for Type. 4. Enter the server's IP address, and do not change the Port setting from the default port 49 (in general). 5. In TACACS+ Service, enter a string of up to 64 characters. This name must match the name of the service configuration table on the TACACS+ server. Click OK to save your changes. Figure 85. Configuring a TACACS+ AAA server [screenshot: the Authentication/Accounting Servers table]
226. epeated authentication failures for 30 seconds. Intrusion Detection and Prevention: ZoneDirector uses background scan results to detect rogue 802.11 access points. If the rogue access point is spoofing a managed AP's SSID or MAC address, or is found on the wired network, it will be flagged as malicious. Rogue detection requires background scanning to be enabled. Enable report rogue devices: Report all rogue devices, or Report only malicious rogue devices of type SSID Spoofing, Same Network, MAC Spoofing, User Blocked. Protect the network from malicious rogue access points. Rogue DHCP Server Detection: ZoneDirector can scan the network periodically for rogue DHCP servers. Enable rogue DHCP server detection. See Detecting Rogue Access Points on page 228 for more information on monitoring and handling rogue devices. Rogue DHCP Server Detection. A rogue DHCP server is a DHCP server that is not under the control of network administrators and is therefore unauthorized. When a rogue DHCP server is introduced to the network, it could start assigning invalid IP addresses, disrupting network connections or preventing client devices from accessing network services. It could also be used by hackers to compromise network security. Typically, rogue DHCP servers are network devices (such as routers) with built-in DHCP server capability that has been enabled, often unknowingly, by users. ZoneDirector has a rogue DHCP server detection
227. eploying a Ruckus Wireless Smart Mesh network, refer to Smart Mesh Networking Best Practices on page 329. Setting Administrator Preferences. In This Chapter: Changing the ZoneDirector Administrator User Name and Password; Changing the Web Interface Display Language; Upgrading ZoneDirector and ZoneFlex APs; Working with Backup Files; Restoring ZoneDirector to Default Factory Settings; Working with SSL Certificates; Using an External Server for Administrator Authentication; Upgrading the License. Changing the ZoneDirector Administrator User Name and Password. You should change your ZoneDirector administrator login password on a monthly basis, but the administrator user name should be changed only if necessary. password if failed check box is disabled, you will be unable to edit the user name and password. To edit the user name and password: 1. Select the Fallback to admin name password if failed check box to enable the user name and password boxes. 2. Change the user name and password. 3. Clear the
228. er DNS servers. Click Apply to save your changes. Click OK to close the Scope Options dialog box. Introducing Ruckus Wireless ZoneDirector: Ensuring That APs Can Communicate with ZoneDirector. Figure 8. Select the 006 DNS Servers check box, and then type your DNS server's IP address in the Data entry section [screenshot: the Scope Options dialog box with the 006 DNS Servers option selected]. Step 3: Register the ZoneDirector IP Addresses with a DNS Server. After you complete configuring the DHCP server with DNS related information, you need to register the IP addresses of ZoneDirector devices on the network with your DNS server. The procedure for this task depends on the DNS server software that you are using. Information on configuring the built-in DNS server on Windows is available at http://support.microsoft.com/kb/814591. NOTE: When your DNS server prompts you for the corresponding host name for each ZoneDirector IP address, you MUST enter zonedirector. This is critical to ensuring that the APs can resolve the ZoneDirector IP address. After you register the ZoneDirector IP addresses with your DNS server, you have completed this procedure. APs on the network should now be ab
229. erate the registration request file (csv). Save the file, and then go to https://support.ruckuswireless.com/register to upload the device registration file. If you need to create an account first, go to https://support.ruckuswireless.com/get_access_now. Your ZoneDirector is now registered with Ruckus Wireless. Introducing Ruckus Wireless ZoneDirector: Registering Your Product. Configuring System Settings. In This Chapter: System Configuration Overview; Changing the System Name; Changing the Network Addressing; Enabling an Additional Management Interface; Creating Static Route Entries; Enabling Smart Redundancy; Configuring the Built-in DHCP Server; Controlling ZoneDirector Management Access; Setting the System Time; Setting the Country Code; Changing the System Log Settings; Setting Up Email Alarm Notifications; Enabling Network Management Systems; Configuring DHCP Relay; Enabling Bonjour Gateway.
230. [screenshot residue: the Access Point Policies section with the Limited ZD Discovery, Management VLAN, Load Balancing, LWAPP message MTU and Auto Recovery settings] How Dynamic VLAN Works. Dynamic VLAN can be used to automatically and dynamically assign wireless clients to different VLANs based on RADIUS attributes. Dynamic VLAN Requirements: A RADIUS server must have already been added to ZoneDirector. WLAN authentication method must be set to 802.1X, MAC address or 802.1X + MAC address. To enable Dynamic VLAN for a WLAN: 1. Go to Configure > WLANs. Click Edit next to the WLAN you want to configure. 2. In Authentication Server, select the RADIUS server that you configured on the AAA Servers page. 3. Expand the Advanced Settings section and click the Enable Dynamic VLAN box next to Access VLAN. 4. Click OK to save your changes. Managing a Wireless Local Area Network: Deploying ZoneDirector WLANs in a VLAN Environment. Figure 97. Enabling Dynamic VLAN
231. erful monitoring tool. NOTE: If you have imported multiple floor plans representing multiple floors in your building(s), make sure you place the access point markers on the correct floorplan. 1. Have the list of APs handy, with MAC addresses and locations. 2. Go to Monitor > Map View, if it is not already in view. 3. Look in the upper left corner for AP marker icons. There should be one for each AP, with a tiny red question mark at the top. 4. Look at the MAC address notation under the marker icon to identify a marker. 5. Drag each marker icon from the upper left corner into its correct location on the floorplan. When you finish, you can make immediate use of the Map View to optimize your wireless coverage, as detailed in Optimizing Access Point Performance on page 204. Monitoring Your Wireless Network: Using the Map View Tools. Using the Map View Tools. If your worksite floorplan has been scanned in and mapped with APs, the Map View will display a graphical image of your physical Ruckus network AP distribution. Figure 126. Elements on the Map View [screenshot: the Monitor > Map View page]. There are a number of helpful features built into the Map View, as noted here and marked in the
232. ernal User Database; Managing Current User Accounts; Changing an Existing User Account; Deleting a User Record; Creating New User Roles; Managing Automatically Generated User Certificates and Keys; Using an External Server for User Authentication; Activating Web Authentication. Managing Guest Access: Configuring Guest Access; Creating a Guest WLAN; Onboarding Portal; Guest Pass Activation; Configuring System-Wide Guest Access Policies; Working with Guest Passes; Activating Guest Pass Generation; Controlling Guest Pass Generation Privileges; Creating a Guest Pass Generation User Role; Assigning a Pass Generator Role to a User Account; Generating and Printing a Single Guest Pass; Generating and Printing Multiple Guest Passes at Once; Monitoring Generated Guest Passes; Configuring Guest Subnet Access
233. [screenshot residue: the administrator authentication options (Authenticate using the admin name and password; Authenticate with Auth Server; Fallback to admin name password if failed) and the Administrator Session Timeout setting] Testing Authentication Settings. The Test Authentication Settings feature allows you to query an AAA server for a known authorized user, and return Groups associated with the user that can be used for configuring Roles within ZoneDirector. After you have configured one or more authentication servers in ZoneDirector, perform this task to ensure that ZoneDirector can connect to the authentication server and retrieve the groups/attributes that you have configured for each user account. NOTE: If testing against a RADIUS server, this feature uses PAP or CHAP, depending on the RADIUS server configuration and the choice you made in RADIUS/RADIUS Accounting above. Make sure that either PAP or CHAP is enabled on the Remote Access Policy (assuming Microsoft IAS as the RADIUS server) before continuing with testing authentication settings. 1. On the Configure > AAA Servers page, locate the Test Authentication Settings section. 2. Select the authentication server that you want to use from the Test Against drop-down menu. 3. In User Name and Password, enter an Active Directory, LDAP or RADIUS user name and passw
234. es the following physical features of ZoneDirector 1100: Buttons, Ports, and Connectors; Front Panel LEDs. Figure 1. ZoneDirector 1100. Buttons, Ports, and Connectors. Table 1 describes the buttons, ports and connectors on ZoneDirector 1100. Table 1. Buttons, ports and connectors on ZoneDirector 1100 (Label: Description). Power: Press this button to power on ZoneDirector. 10/100/1000 Ethernet: Two auto-negotiating 10/100/1000Mbps Ethernet ports. For information on what the two Ethernet LEDs indicate, refer to Table 2. Console: DB-9 port for accessing the ZoneDirector command line interface. Reset: Use the Reset button to restart ZoneDirector or to reset it to factory default settings. To restart ZoneDirector, press the Reset button once for less than two seconds. To reset ZoneDirector to factory default settings, press and hold the Reset button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method on page 298. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you made. Introducing Ruckus Wireless ZoneDirector: ZoneDirector Physical Features. Front Panel LEDs. Table 2 describes the LEDs on the front panel of ZoneDirector 1100. Table 2. ZoneDirector 1100 front panel LEDs (LED Label, State, Meaning): Po
235. es whose networks or services are accessible via this AP. Up to five NAI realm entries can be created. Each NAI realm entry can contain up to four EAP methods. Each EAP method can contain up to four authentication types. Domain Name List: List of domain names of the entity operating the access network. Up to five entries can be created. Roaming Consortium List: List of Organization Identifiers included in the Roaming Consortium list, as defined in IEEE802.11u, dot11RoamingConsortiumTable. Up to two Roaming Consortium entries can be created. 3GPP Cellular Network Information: Contains cellular information such as network advertisement information to assist a 3GPP station in selecting an AP for 3GPP network access, as defined in Annex A of 3GPP TS 24.234 v8.1.0. Up to eight entries can be created. 4. Click OK to save your changes. 5. Continue to Create an Operator Profile. Managing a Wireless Local Area Network: Working with Hotspot Services. Figure 100. Creating a Service Provider Profile [screenshot: the Service Provider Profiles table and the NAI Realm list with Name, Encoding, EAP Method and Action columns]
236. ess Control. This table lists the specific IP addresses which are allowed access to the ZoneDirector. Click Create New to add another IP address, or click Edit to make changes to an existing entry [table columns: Name, IP address, Actions]. 5. Enable the check box next to Enable Smart Redundancy. 6. Enter the IP address of the backup unit under Peer Device IP Address, if known. If you have configured Limited ZD Discovery under Configure > Access Points > Access Point Policies, you must identify the IP address of both ZoneDirectors that the APs should connect to when Smart Redundancy is active. If the Limited ZD Discovery and Smart Redundancy information you enter is inconsistent, a warning message will be displayed asking you to confirm. Note that Ruckus recommends using the Smart Redundancy feature instead of the Limited ZD Discovery feature whenever possible. 7. Enter a Shared Secret for two-way communication between the two ZoneDirectors (up to 15 alphanumeric characters). 8. Click Apply to save your changes and prompt ZoneDirector to immediately attempt to discover its peer on the network. 9. If discovery is successful, the details of the peer device will be displayed to the right. 10. If discovery is unsuccessful, you will be prompted to retry discovery or continue configuring the current ZoneDirector. 11. Install the second ZoneDirector and complete the
237. ete, you will be prompted to import AP configurations from additional backup files. 4. When finished, click Import. ZoneDirector will import all AP configurations from any backup files selected and reboot automatically. You must wait for the reboot process to complete before being able to log back into ZoneDirector. 5. When the reboot process is complete, the restored APs appear in the Access Points table at the top of the page. Setting Administrator Preferences: Restoring ZoneDirector to Default Factory Settings. Figure 178. Importing AP lists only from a backup file [screenshot: the Configure > Access Points page with the Access Points table]. If you need to import the APs configuration, click Browse and then select the backup file that contains the settings that
238. ezel lock to remove the front bezel and gain access to the hard drive bays. Front Panel (Bezel Removed). Figure 4. ZoneDirector 5000 front panel (bezel removed). Table 6. ZoneDirector 5000 front panel, bezel removed (Number: Feature). 1: ESD ground strap attachment. 2: Hard drive bays (not used). 3: Control panel. 4: RJ45 serial port for accessing the ZoneDirector command line interface. 5: USB port (not used). Control Panel. Figure 5. Control panel buttons and indicators. Table 7. ZoneDirector 5000 control panel (Number: Feature). 1: Power button. 2: System reset button. 3: System status LED. 4: Fan status LED. 5: Critical alarm (not used). 6: MJR alarm (not used). 7: NMI pin hole button (factory reset button). 8: Chassis ID button. 9: NIC 1 / NIC 2 activity LED. 10: HDD activity LED (not used). 11: PWR alarm LED (not used). 12: Minor alarm (Amber: system unavailable; OFF: system available). Rear Panel Features. Figure 6. ZoneDirector 5000 rear panel features. Table 8. Rear panel features (Number: Feature). 1: Alarms cable connector (not used). 2: Two low-profile PCIe add-in cards (not used).
239. f ChannelFly. Compared to Background Scanning, ChannelFly takes considerably longer for the network to settle down. If you will be adding and removing APs to your network frequently, Background Scanning may be preferable. Additionally, if you have clients that do not support the 802.11h standard, ChannelFly may cause significant connectivity issues during the initial capacity assessment stage. You can enable/disable ChannelFly per band. If you have 2.4 GHz clients that do not support 802.11h, Ruckus recommends disabling ChannelFly for 2.4 GHz but leaving it enabled for the 5 GHz band. To configure the self-healing options: 1. Go to Configure > Services. 2. Review and change the following self-healing options. Automatically adjust AP radio power to optimize coverage where interference is present: Enable automatic radio power adjustment based on Background Scanning. Automatically adjust 2.4 GHz channels using: Background Scanning, ChannelFly. Automatically adjust 5 GHz channels using: Background Scanning, ChannelFly. 3. Click the Apply button in the same section to save your changes. Figure 51. Self Healing options [screenshot: the Self Healing section of the Configure > Services page]
240. f the same event happens again, no alarm will be sent until you clear the alarm on the Monitor > All Alarms page. On the other hand, ZoneDirector sends a new alarm notification each time the Lost contact with AP event occurs. Enabling Network Management Systems. ZoneDirector supports several external network management systems, including Ruckus Wireless FlexMaster server, SNMPv2, SNMPv3 and Telnet server. These options are configured from the Configure > System page by expanding the Network Management link. The following section describes how to enable these network management systems. Enabling Management via FlexMaster. If you have a Ruckus Wireless FlexMaster server installed on the network, you can enable FlexMaster management to centralize monitoring and administration of ZoneDirector and other supported Ruckus Wireless devices. This version of ZoneDirector supports the following FlexMaster deployed tasks: Firmware upgrade for both ZoneDirector and the APs that report to them; Reboot; Backup of ZoneDirector settings; Performance monitoring. When the FlexMaster management option is enabled, you will still be able to access the ZoneDirector Web interface to perform other management tasks. By default, FlexMaster management is disabled. To enable FlexMaster management: 1. Click Configure > System. 2. Scroll down to the bottom of the page. 3. If you see Network Management section is collapsed at the bottom of the pag
241. fers to the methodology used to compute RF coverage signal (i.e., heat map) based on the current environment.
AP Icons
Each AP marker has variable features that help indicate identity and status:
• A normal AP marker displays the description of the AP and the number of users that are currently associated with the AP.
• An unplaced AP marker displays a question mark above the icon.
• A rogue AP displays a smaller red icon imprinted with a bug.
• A bug icon with a lock on it indicates a rogue AP with security enabled.
• In a Smart Mesh network, an isolated AP displays a red X above the icon.
• When Smart Mesh is enabled, a circled number appears next to the AP icon to indicate that it is a Mesh AP. The number indicates the number of hops from this Mesh AP to the Root AP.
• When Smart Mesh is enabled, a blue square with an arrow indicates that it is a Root AP with active downlinks. Dotted lines that connect this AP to other APs indicate the active downlinks.
• When Smart Mesh is enabled, a gray square (dimmed) with an arrow indicates that it is a Root AP without any active downlinks.
• An AP with a red square with an arrow indicates this is an eMAP. An eMAP uses its wired Ethernet interface as its uplink and can mesh with other Mesh APs through its wireless interface.
242. fic domain. This is useful for Smart Redundancy installations where you have two ZoneDirectors. You can purchase and install two certificates or use a wildcard certificate. When you try to import a wildcard certificate, the ZoneDirector will notify you that it does not have the matching private key. At this point, click on the "click here" link to import the private key. Once the private key is imported, try to import the certificate again. The ZoneDirector will prompt you for the host name. Enter the hostname and ensure that your DNS server is configured to resolve that name to the IP address of ZoneDirector.
Wildcard Certificates In Smart Redundancy With Captive Portals
In order to prevent redirect loops when deploying SSL certificates in a Smart Redundant configuration with Guest Access, Web Portal and Hotspot captive portals, use the following wildcard certificate procedure:
1. Purchase or generate a self-signed wildcard certificate, such as *.acompany.com, and install it on both ZoneDirectors in the Smart Redundant pair.
2. In DNS, add 3 host IP entries similar to the following:
• management.acompany.com = 192.168.0.100: This is the FQDN you wish to use for reaching the shared virtual management interface, and is mapped to its configured IP address.
• primary-zd.acompany.com = 192.168.0.98: This is the FQDN for the primary ZD controller and its physical IP address.
• backup-zd.acompany.com = 192.168.0.99: This is the FQDN for the backup ZD con
243. following procedure will guide you through generating and printing multiple guest a Single Guest Pass on page 259
NOTE: Before starting, make sure that your computer is connected to a local or network printer.
To generate and print multiple guest passes at the same time:
1. On your computer, start your Web browser.
2. In the address or location bar, type the URL of the ZoneDirector Guest Pass Generation page: https://zonedirector-hostname-or-ipaddress/guestpass
3. In User Name, type your user name.
4. In Password, type your password.
5. Click Log In. The Guest Information page appears. On this page, you need to provide information about the guest users to enable ZoneDirector to generate the guest passes.
6. On the Guest Information page, fill in the following options:
• Creation Type: Click Multiple.
• Valid for: Specify the time period during which the guest passes will be valid. Do this by typing a number in the blank box, and then selecting a time unit (Days, Hours or Weeks).
• WLAN: Select one of the existing WLANs with which the guest users will be allowed to associate.
• Number: Select the number of guest passes that you want to generate. ZoneDirector will automatically populate the names of each user (Batch Guest 1, Batch Guest 2, and so on) to generate the guest passes. you cannot create the same guest pass for use on multiple WLANs
NOTE: Each guest pass key must be unique and is distribute
244. function is enabled in real time
Restarting an Access Point
One helpful fix for network coverage issues is to restart individual APs. To do so, follow these steps:
1. Go to Monitor > Access Points.
2. When the Access Points page appears, look in the Currently Managed APs table for the particular Access Point record. The Status column should display Connected.
3. Click the Restart icon. The Status column now displays Disconnected, along with the date and time when ZoneDirector last communicated with the AP.
After restart is complete and the Ruckus ZoneDirector detects the active AP, the status will be returned to Connected.
Restarting ZoneDirector
There are three restart options: (1) to disconnect and then reconnect the Ruckus ZoneDirector from the power source, (2) to follow this procedure, which simultaneously shuts down ZoneDirector and all APs, then restarts all devices, and (3) a restart of individual APs (detailed in Restarting an Access Point).
NOTE: If you have made any configuration changes, Ruckus Wireless recommends shutting down ZoneDirector to ensure that all configuration changes are saved and remain after reboot. Performing a Restart may cause ZoneDirector to lose configuration changes if you forgot to click Apply after making changes and navigate away from a configuration page for
245. [Screenshot: list of APs and the Recent User Activities table]
The Network Connectivity window opens. Click Ping to ping the IP address, or Trace Route to diagnose the number of hops to the IP address.
Figure 194: Network Connectivity dialog
You can also access the Ping and Traceroute tools by clicking the troubleshooting icon for an AP or client on the Monitor > Access Points and Monitor > Currently Active Clients pages, or via the Toolbox drop-down menu available from
246. grace period after disconnection, during which clients will not need to re-authenticate. Enter a number in minutes, between 1 and 144,000.
• In Authentication Server, select the AAA server that you want to use to authenticate users. Options include Local Database and any AAA servers that you configured on the Configure > AAA Servers page. If a RADIUS server is selected, an additional option appears: Enable MAC authentication bypass (no redirection). Enabling this option allows users with registered MAC addresses to be transparently authorized without having to log in. A user entry on the RADIUS server needs to be created using the client MAC address as both the username and password. The MAC address format is a single string of characters without punctuation.
• In Accounting Server, if you have an accounting server set up, select the server from the list and configure the frequency (in minutes) at which accounting data will be retrieved.
• In Wireless Client Isolation, choose whether clients connected to this Hotspot WLAN should be allowed to communicate with one another locally. See Advanced Options in the Creating a WLAN section for a description of the same feature for non-Hotspot WLANs.
Configure optional settings as preferred:
• In Location Information, enter Location ID and Location Name WISPr attributes, as specified by the Wi-Fi Alliance.
• In Walled Garden, enter network destinations (URL or IP address) that users can access wit
247. gs System Configuration Overview
The majority of ZoneDirector's general system settings can be accessed from the Configure > System page in the Web interface. A basic set of parameters is configured during the Setup Wizard process. These parameters and others can be customized on this page.
NOTE: When making any changes in the Web interface, you must click Apply before you navigate away from the page or your changes will not be saved.
Changing the System Name
When you first worked through the Setup Wizard, you were prompted for a network-recognizable system name for ZoneDirector. If needed, you can change that name by following these steps:
1. Go to Configure > System.
2. In System Name (under Identity), delete the text, and then type a new name. The name should be between 6 and 32 characters in length, using letters, numbers, underscores and hyphens. Do not use spaces or other special characters. The first character must be a letter. System names are case sensitive.
3. Click Apply to save your settings. The change goes into effect immediately.
Figure 22: The Identity section on the Configure > System page
248. h screen
Figure 166: Enable Mesh in Configure > Mesh
To enable mesh capability:
1. Log into the ZoneDirector Web interface.
2. Click the Configure tab.
3. On the menu, click Mesh.
4. Under Mesh Settings, select the Enable Mesh check box.
CAUTION: You cannot disable Smart Mesh once you enable it. This is by design, to prevent isolating nodes. If you want to disable Smart Mesh once it has been enabled, you will have to factory reset ZoneDirector or disable mesh for each AP, as described in Managing Access Points Individually on page 200.
5. In Mesh Name (ESSID), type a name for the mesh network. Alternatively d
249. [Screenshot: event log entries]
Customizing the Current Log Settings
You can review and customize the log settings by following these steps:
1. Go to Configure > System.
2. Scroll down to Log Settings.
3. Make your selections from these syslog server options:
• Event Log Level: Select one of the three logging levels: Show More, Warning and Critical Events, or Critical Events Only.
• Remote Syslog: To enable syslog logging, select the Enable reporting to remote syslog server at check box, and then type the IP address in the box provided.
4. Click Apply to save your settings. The changes go into effect immediately.
Figure 38: The Log Settings options
250. he AP
Solid amber (not available on some models): No mesh downlink, and no client is associated with the AP.
Fast blinking green: At least one mesh downlink exists, and at least one client is associated with the AP.
Slow blinking green: At least one mesh downlink exists, and no client is associated with the AP.
Signal/Air Quality LED
Figure 170: Behavior of the Signal/Air Quality LED
LED Color/Behavior | Root AP / eMAP | Mesh AP
Solid green | N/A | Connected to a Root AP or another Mesh AP. Signal quality is good.
Fast blinking green | N/A | Connected to a Root AP or another Mesh AP. Signal quality is fair or poor.
Slow blinking green | N/A | The AP is searching for an uplink.
Off | This is a Root AP or eMAP. | N/A
On Dual-band ZoneFlex APs
NOTE: On dual-band ZoneFlex APs, mesh networking is enabled only on the 5 GHz radio.
The following dual-band ZoneFlex AP models currently support mesh networking: ZoneFlex 7363, 7372, 7762 (-S, -T), 7761-CM, 7782, 7962 and 7982. Refer to the following sections for information on how to check these dual-band APs for their mesh status.
ZoneFlex 7762 and 7782
On ZoneFlex 7762 APs (including 7762-S and 7762-T) and 7782 (including 7782-O, 7782-S and 7782-E), the STATUS LED indicates the AP's mesh status. See the table below for more information.
Figure 171: Behavior of the Status
251. [Screenshot: Preferences page with the Language, Administrator Name/Password and Administrator Session Timeout sections]
Setting Administrator Login Session Timeout
By default, administrators logged into the Web interface are automatically logged out after 30 minutes of inactivity. This timeout can be configured with a value between 1 and 1440 minutes (24 hours). To change the admin idle timeout period, enter a new value in Administer > Preferences > Timeout interval, and click Apply.
Changing the Web Interface Display Language
Depending on your preferences, you can change the language in which the Web interface is displayed in your Web browser. The default is English. This change only affects how the Web interface appears, and does not modify either OS/system or browser settings (which are managed through other processes).
1. Go to Administer > Preferences.
2. When the Preferences page appears, choose your preferred language from the Language drop-down menu.
NOTE: This only affects how the ZoneDirector Web interface appears, and does not modify either the operati
252. Designating Ethernet Port Type
Using Port-Based 802.1X
Viewing AP Ethernet Port Status
Reviewing Current Access Point Policies
Using Limited ZD Discovery for N+1 Redundancy
Importing a USB Software Package
Managing Access Points Individually
Configuring Hotspot 2.0 Venue Settings for an AP
Optimizing Access Point Performance
Assessing Current Performance Using the Map View
Improving AP RF Coverage
Assessing Current Performance Using the Access Point Table
Adjusting AP Settings
Prioritizing WLAN Traffic
Load Balancing
6 Monitoring Your Wireless Network
Reviewing the ZoneDirector Monitoring Options
Importing a Map View Floorplan Image
Requirements
Importing the Floorplan Image
Placing the Access Point Markers
Using the Map View Tools
AP Icons
253. her
Table 32: Mesh networking terms
Term | Definition
Mesh Tree | Each Mesh AP has exactly one uplink to another Mesh AP or Root AP. Each Mesh AP or Root AP could have multiple Mesh APs connecting to it. Thus, the resulting topology is a tree-like topology. A single ZoneDirector device can manage more than one mesh tree. There is no limit to the number of trees in a mesh. The only limitation on how many mesh trees the ZoneDirector can manage is dependent on the number of APs a ZoneDirector can manage. For example, a ZoneDirector 1106 can manage one mesh tree of 6 APs, two mesh trees of 3 APs each, or three mesh trees of 2 APs each.
Hop | The number of wireless mesh links a data packet takes from one Mesh AP to the Root AP. For example, if the Root AP is the uplink of Mesh AP 1, then Mesh AP 1 is one hop away from the Root AP. In the same scenario, if Mesh AP 1 is the uplink of Mesh AP 2, then Mesh AP 2 is two hops away from the Root AP. A maximum of 8 hops is supported.
Supported Mesh Topologies
Smart Mesh networks can be deployed in three types of topologies:
• Standard Topology
• Wireless Bridge Topology
• Hybrid Mesh Topology
Standard Topology
The standard Smart Mesh topology consists of ZoneDirector and a number of Root APs and Mesh APs. In this topology, ZoneDirector and the upstream router are connected to the same wired LAN segment. You can extend
254. hout going through authentication. A Walled Garden is a limited environment to which an unauthenticated user is given access for the purpose of setting up an account. After the account is established, the user is allowed out of the Walled Garden. URLs will be resolved to an IP address (up to 35). Users will not be able to click through to other URLs that may be presented on a page if that page is hosted on a server with a different IP address. Avoid using common URLs that are translated into many IP addresses (such as www.yahoo.com), as users may be redirected to re-authenticate when they navigate through the page.
• In Restricted Subnet, define L3/4 IP address access control rules for the hotspot service to allow or deny wireless devices based on their IP addresses.
• Under Advanced Options, enable Intrusion Prevention to temporarily block hotspot clients that fail repeated authentication attempts.
9. Click OK to save the hotspot settings. The page refreshes, and the hotspot service you created appears in the list.
You may now assign this hotspot service to the WLANs that you want to provide hotspot Internet access, as described in Assigning a WLAN to Provide Hotspot Service.
Figure 98: Creating a Hotspot service
255. how to run SpeedFlex from a wireless client (for users), refer to Allowing Users to Measure Their Own Wireless Throughput on page 317.
NOTE: SpeedFlex is unable to measure the throughput between two devices if those two devices are not on the same VLAN or the same subnet.
To measure the throughput of an AP or a client from the Web interface:
1. Find out the MAC address of the AP or wireless client that you want to use for this test procedure.
2. If you are testing client throughput, verify that the wireless client is associated with the AP that you want to test.
3. Log in to the ZoneDirector Web interface. You can use the wireless client that you are testing or another computer to log in to the Web interface.
4. If you want to test AP throughput, click Monitor > Access Points. If you want to test client throughput, click Monitor > Currently Active Clients.
5. In the list of APs or clients, look for the MAC address of the AP or wireless client that you want to test, and then click the SpeedFlex link on the same row. The SpeedFlex Wireless Performance Test interface loads, showing a speedometer and the IP address of the AP or client that you want to test.
want to test (for example, if the wireless client is using a static IP address), the SpeedFlex link
NOTE: If ZoneDirector is unable to determine the IP address of the wireless client that y
256. ic is tunneled to ZoneDirector through the LWAPP tunnel.
Figure 119: Importing a USB software package
Managing Access Points Individually
You can add a description, or change the channel selection, transmit power and Ethernet port settings of a managed access point by editing the AP's parameters. Additio
257. ick Delete to delete the selected items. The selected PSKs and Certificates are deleted from the system. A user with a deleted PSK or a deleted certificate will not be able to connect to the wireless network without obtaining a new key or a new certificate.
Using an External Server for User Authentication
Once your wireless network is set up, you can instruct ZoneDirector to authenticate wireless users using your existing Authentication, Authorization and Accounting (AAA) server. The following types of AAA servers are supported:
• Active Directory
• LDAP
• RADIUS / RADIUS Accounting
The ZoneDirector Web interface provides a sample template for each of the AAA server types. These templates can be customized to match your specific network setup, or you can create new AAA server objects and add them to the list.
To use an external authentication server:
1. Go to Configure > AAA Servers. The Authentication/Accounting Servers page appears.
2. Click the Create New link in the Authentication/Accounting Servers table, or click Edit next to the relevant server type in the list.
3. When the Create New form (or Editing form) appears, make the following entries:
• In Name, type a descriptive name for this authentication server (for example, Active Directory).
• In Type, verify that one of the following options is selected: Active Directory: If you select
258. ient Devices
Using an External AAA Server
Active Directory
LDAP
RADIUS / RADIUS Accounting
TACACS+
Testing Authentication Settings
Managing a Wireless Local Area Network
Overview of Wireless Networks
About Ruckus Wireless WLAN Security
Creating a WLAN
General Options
WLAN Usage Types
Authentication Method
Encryption Options
Advanced Options
Creating a New WLAN for Workgroup Use
Customizing WLAN Security
Reviewing the Initial Security Configuration
Fine Tuning the Current Security Mode
Switching to a Different Security Mode
Using the Built-in EAP Server
Authenticating with an External RADIUS Server
If You Change the Internal WLAN to WEP or 802.1X
Working with WLAN Groups
Creating a WLAN Group
259. [Screenshot: Channel Optimization, Channel Mode and Log Settings options]
Configuring Remote Syslog Advanced Settings
Advanced Syslog settings allow you to override the default Facility Name and Priority Level of messages sent to the syslog server. In this way, users can separate different kinds of syslogs according to the facility name on the syslog server side.
To configure remote syslog advanced settings:
1. Go to Configure > System.
2. Scroll down to Log Settings, and expand the Remote Syslog Advanced Settings section.
3. In ZoneDirector Settings, set the facility name as follows:
• Keep Original: Retain the original facility name.
• local0 - local7: Specify facility name.
4. Set the priority level as follows:
• All: Include all syslog messages.
• 0 (emerg), 1 (alert), 2 (crit), 3 (err), 4 (warning), 5 (notice), 6 (info), 7 (debug): Lower numbers indicate higher priority. The syslog server will only receive logs
260. igure > Access Points > Limited ZD Discovery page. Specify one ZoneDirector as Primary, the other as Secondary. Alternatively, you can specify the IP addresses of both ZoneDirectors through DHCP Option 43 (see "Option 2: Customize Your DHCP Server" on page 26).
Forcing Failover to the Backup ZoneDirector
After Smart Redundancy has been enabled, you can view the status of both the primary and backup units from the Dashboard by dragging the Smart Redundancy widget onto the workspace.
Figure 30: The Smart Redundancy widget
The Failover button can be used to force a role reversal, making the standby ZoneDirector the active unit. This widget also displays the state (active, standby or disconnected) of both devices, as well as their IP addresses and the Management IP address, if configured.
Configuring the Built-in DHCP Server
ZoneDirector comes with a built-in DHCP server that you can enable to assign IP addresses to devices that are connected to it. ZoneDirector's DHCP server will only assign addresses to devices that are on its own subnet and part of the same VLAN (if VLANs are assigned). Note that before you can enable the built-in DHCP server, ZoneDirector must be assign
261. ile holds 2 MB of packet data. On 11g APs, each file holds 1 MB. Whenever one file reaches its limit, the other file is cleared and begins filling. Due to memory limitations, the capture files are cleared after they are retrieved by the Save command and before each new capture session, and they are not retained on the AP between reboots.
In streaming capture mode, packet data from the 2.4 GHz and 5 GHz radios are available simultaneously on AP interfaces wlan100 and wlan101, respectively. The streams can be accessed using Wireshark's remote interface capture option. The Windows version of Wireshark (e.g., v1.2.10) supports this option. Linux versions may not.
Both output modes support packet filtering. In local capture mode, the AP accepts a packet filter expression and applies it before storing the file. In streaming mode, Wireshark accepts a capture filter expression and sends it to a daemon running on the AP, which applies it before streaming. Both modes allow compound filter expressions conforming to the pcap filter syntax, which is described at http://www.manpagez.com/man/7/pcap-filter
Local Capture
To capture packets to a local file for external analysis:
1. Choose 2.4 GHz or 5 GHz radio (you can only capture packets on one radio at a time).
2. Select one or more APs from the list and click Add to Capture APs. The APs you selected are moved from the Currently Managed APs table on the left side to the new Capture APs table on the right
262. ince name.
• Country: Select your country or region from the pull-down menu.
3. Click Apply. A dialog box appears and prompts you to save the CSR file (myreq.csr) that you have just created.
4. Save the file to your computer.
Figure 180: Generating a CSR file
5. Go to a certificate authority's Web site and follow the instructions for purchasing an SSL certificate.
6. When you are prompted for the certificate signing request, copy and paste the content of the text file that you saved to your local computer, and then complete the certificate purchase.
After the certificate authority approves your CSR, you will receive the SSL certificate via email. The following is an example of a signed
263. ing AP Configuration Settings Only
You can also restore previously saved access point configurations from a backup file without restoring any other ZoneDirector configuration settings. This feature can be useful in deploying N+1 redundancy. For example, if three ZoneDirector 1100 controllers are deployed in different locations, with one ZoneDirector 3000 serving as a backup, you can use this feature to export AP lists from the three ZD1100s and import them one by one into the ZD3000. For more information on N+1 redundancy deployment, see Using Limited ZD Discovery for N+1 Redundancy on page 197.
To restore an AP list from a backup file without altering ZoneDirector settings:
1. Go to Configure > Access Points.
2. Under the Access Points table, click the Browse button near the line that begins "If you need to import the APs configuration".
3. Browse to a previously saved backup file, select the file and click Open. The page refreshes and the name of the backup file you selected is displayed, along with the option to either import this file and reboot, or import this file and continue importing additional files before reboot.
• To import this file only, select Import this backup file and then reboot. ZoneDirector will reboot after loading your AP list.
• To import this file and continue importing AP lists from other backup files, select Import this backup file and additional backup file(s). Then click Import. When the import is compl
264. ingle LAN port must be a trunk port and is therefore not configurable. For ZoneFlex 7025/7055, the LAN5/Uplink port on the rear of the AP is defined as a Trunk Port and is not configurable. The four front-facing LAN ports are configurable. For all other APs, you can configure each port individually as either a Trunk Port, Access Port or General Port. See Designating Ethernet Port Type on page 190 for more information.
8. If Smart Mesh is not enabled, choose whether this port will serve as an 802.1X Authenticator or Supplicant, or leave 802.1X settings disabled (default). See Using Port-Based 802.1X on page 191 for more information.
9. Click Apply to save your changes.
Figure 112: The ZoneFlex 7982 has two Ethernet ports, LAN1 and LAN2
Figure 113: The ZoneFlex 7025
265. iously. In Authentication Server, select the RADIUS server used to authenticate users. Optionally, enable Proxy ARP for this Hotspot 2.0 WLAN (see Advanced Options under "Creating a WLAN"). • If Proxy ARP is enabled, you also have the option to disable downstream group-addressed frame forwarding by selecting the DGAF option. This option prevents stations from forwarding group-addressed (multicast/broadcast) frames, and converts group-addressed DHCP and ICMPv6 router advertisement packets from layer 2 multicast to unicast. 7. Click OK to save your changes. Figure 102. Creating a Hotspot 2.0 WLAN.
266. Working with Guest Passes. Guest passes are temporary privileges granted to guests to access your wireless LANs. ZoneDirector provides many options for customizing guest passes, controlling who is allowed to issue guest passes, and controlling the scope of access to be granted. Activating Guest Pass Generation. You can grant authenticated users the privilege to generate guest passes. Do the following: 1. Go to Configure > Guest Access. The Guest Access page appears. 2. Scroll down to the Guest Pass Generation section. 3. In Authentication Server, select the authentication server that you want to use to authenticate users who want to generate guest passes. • If you configured an AAA server (RADIUS, Active Directory or LDAP) on the Configure > AAA Servers page
267. You have completed enabling Zero-IT for this WLAN. At this point, any user with the proper credentials (username and password) and running a supported operating system can self-provision his/her computer to securely access your wireless LANs. Clients that Support Zero-IT. Zero-IT Activation can be used with most modern operating systems, including Windows 7, Vista, XP, Apple OS X, Apple iOS, Windows Phone and Android OS. For Windows 7, Vista or Mac notebook clients with Ethernet ports, the user simply connects to the ZoneDirector activation URL and runs the self-activation script. On Windows XP, the user must generally be logged in as an Administrator with registry edit privileges. It is possible to allow WinXP clients to run prov.exe (the Zero-IT application) without being logged in as Administrator. To do this, an admin
268. ireless Local Area Network. Overview of Wireless Networks. Once you have completed the ZoneDirector Setup Wizard, you have a fully functional wireless network based on two secure WLANs (if you enabled the optional guest WLAN), with access for authorized users and guests. The default WLAN provides Zero-IT connectivity to allow users to automatically provision their client devices with WLAN settings the first time they connect. The guest WLAN provides visitors to your organization with a connection to the Internet, but not to your internal corporate network. There are several scenarios in which you will want to create additional WLANs in addition to the default internal and guest WLANs: • To limit certain WLANs to groups of qualified users, to enhance security and efficiency (for example, an Engineering WLAN with a closed roster of users). • To configure a specific WLAN with different security settings. For example, you may need a WLAN that utilizes WEP encryption for wireless devices that only support WEP key encryption. • To create special WLANs with different settings for specific purposes. For example, a VoIP WLAN for voice traffic with Background Scanning and load balancing disabled, or a student WLAN that is only available during school hours. In the first scenario, specific WLANs (esp. regarding authentication and encryption algorithm) can be set up that support specific groups of users. This requires a two s
269. is 138 x 40 pixels and the maximum file size is 20KB. Customizing the Guest Login Page. You can customize the guest user login page to display your corporate logo and to note helpful instructions, along with a "Welcome" title. If you want to include a logo, you will need to prepare a Web-ready graphic file in one of three acceptable formats: JPG, GIF or PNG. Make sure that the logo file does not exceed the following: • Length: Two inches on any side • File size: 20kB. To customize the guest login page: 1. Go to Configure > Guest Access. 2. Scroll down to the Web Portal Logo section. 3. If your logo is ready for use, click Browse to open a dialog box that you can use to import the logo file. ZoneDirector will notify you if the file is too large. 4. Scroll down to the Guest Access Customization section. 5. (Optional) Delete the text in the Title field and type a short descriptive title or welcome message. 6. Click Apply to save your settings. A "Settings applied" confirmation message appears. Figure 162. The Guest Access Customization options.
270. is which methods of authentication and encryption to use for both internal users and guests. Authentication options include: • Open • 802.1X EAP • MAC Address • 802.1X EAP + MAC Address. Encryption options depend on which type of authentication is chosen. Open authentication allows the use of WPA, WEP or no encryption. Open authentication/WPA2 encryption WLANs (also known as WPA-Personal) are the most common type of WLAN and should be the default configuration if there are no special requirements for authentication or encryption. The 802.1X EAP (WPA-Enterprise) authentication method provides effective authentication regardless of whether you deploy WEP, WPA, WPA2 or no encryption, and requires a back-end authentication server. You can also choose to authenticate clients by MAC address. MAC address authentication requires a RADIUS server and uses the MAC address as the user login name and password. The 802.1X EAP + MAC Address authentication option allows clients to authenticate to the same WLAN using either MAC address or 802.1X authentication. However, this requires that the supplicant support this feature, which no public domain supplicants currently do. All client authentication options (Open, 802.1X, MAC and 802.1X + MAC) are detailed in "Creating a WLAN" on page 140, and you can learn how to apply them to your WLANs in the same section. Creating a WLAN. To
271. Evaluating and Optimizing Network Coverage. If there are gaps or dead spots in your worksite WLAN coverage, you can use ZoneDirector to assess network RF coverage and then reposition APs to enhance coverage. 1. Go to Monitor > Map View. 2. If Map View displays a floorplan with active device symbols, you can assess the performance of individual APs in terms of coverage. See "Importing a Map View Floorplan Image" on page 210 for information on setting up the Map View. 3. For the Coverage option, click 2.4 GHz or 5 GHz. 4. When the heat map appears, look for a Signal scale in the upper right corner of the map. Note the color range, especially colors that indicate low coverage. 5. Look at the floorplan and evaluate the current coverage. Moving the APs into More Efficient Positions. You can now move the APs into more efficient positions. 1. To do so, click and drag individual AP markers on the Map View floorplan until your RF coverage coloration is optimized. You may need to acquire additional APs to fill i
272. istrator must change the following two registry settings for the non-admin users/groups on each WinXP machine: • HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} > Allow user to define value and create subkey • HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces > Add total rights permission. Additionally, you must enable permission to modify WZC (Windows Zero Configuration) for the users/groups by creating a new security template and applying the template to the account using MMC (Microsoft Management Console). For clients running Mac OS X, the user must be logged in as an administrator for Zero-IT activation to work. Self-Provisioning Clients with Zero-IT. To self-provision a computer to the wireless LAN, use the following procedure: 1. Connect the computer to the wired LAN using an Ethernet cable. 2. Open a Web browser and enter the Activation URL in the navigation bar: http://<zonedirector's IP address>/activate. A WLAN Connection Activation Web page appears. 3. Enter User Name and Password, and click OK. 4. If the user name and password are confirmed and the computer is running a supported operating system, an automated script will launch. Figure 140. Zero-IT automatic activation. 5. Run the prov.exe scri
273. it for example When two ZoneDirectors are connected in a Smart Redundancy configuration, the Standby ZD will send heartbeats and the Active will send discovers at 6-second intervals. If no reply is seen after 15s, the ZDs will decide whether they are disconnected from their peer, and the Standby ZD will change to Active. When the two ZoneDirectors are communicating again, one Active ZD will change to the Standby role and an auto-synchronization process will be started. A timestamp is used to judge which ZD to sync from, so that the latest configuration is synced to the peer. The timestamp is updated by configuration behavior. They will continue trying to communicate, sending discover messages every 6 seconds to peers, until the ZDs are communicating again, when they will determine Active/Standby roles based on 1) most managed APs and/or 2) lower MAC address. Configuring ZoneDirector for Smart Redundancy. For management convenience, both ZoneDirectors in a Smart Redundancy deployment can be managed via a single shared IP address. In this situation, three IP addresses would need to be configured: • Primary ZoneDirector real address • Backup ZoneDirector real address • Management address. All configuration changes are made to the active ZoneDirector and synchronized to the standby unit. The user can access the Web interface from any of the three IP addresses; however, not all configuration
274. ith ZoneDirector. How APs Discover ZoneDirector on the Network. 1. When an AP starts up, it sends out a DHCP discovery packet to obtain an IP address. 2. The DHCP server responds to the AP with the allocated IP address. If you configured DHCP Option 43 (see "Option 2: Customize Your DHCP Server" on page 26), the DHCP offer response will also include (among others) the IP addresses of ZoneDirector devices on the network, along with the address of the DNS server that can help resolve the ZoneDirector IP addresses. 3. After the AP obtains an IP address, it first attempts to contact a ZoneDirector whose IP address has been pre-configured on the AP. If an AP has a pre-configured ZoneDirector IP address, it will always use an L3 LWAPP (lightweight access point protocol) discovery message to attempt to discover the pre-configured primary/secondary ZoneDirector. • An AP with a pre-configured ZoneDirector IP address will only attempt to discover the pre-configured ZoneDirector(s), and will skip the DHCP/DNS/last joined ZoneDirector steps. If it is unable to contact its pre-configured ZoneDirector, it will enter "sulk" state and will remain in an idle/discover/sulk loop until it receives a response from a pre-configured primary or secondary ZoneDirector. 4. If a primary/secondary ZoneDirector IP address has not been configured on the AP, the AP next attempts to build a list of candidate ZoneDirectors by sending an L3 discovery request IPv4 subnet bro
275. itional WISPr 1.0 hotspot service to provide public access to users via its WLANs. In addition to ZoneDirector and its managed APs, you will need the following to deploy a hotspot: • Captive Portal: A special Web page (typically a login page) to which users that have associated with your hotspot will be redirected for authentication purposes. Users will need to enter a valid user name and password before they are allowed access to the Internet through the hotspot. Open source captive portal packages, such as Chillispot, are available on the Internet. For a list of open source and commercial captive portal software, visit http://en.wikipedia.org/wiki/Captive_portal#Software_Captive_Portals, and • RADIUS Server: A Remote Authentication Dial-In User Service (RADIUS) server through which users can authenticate. For installation and configuration instructions for the captive portal and RADIUS server software, refer to the documentation that was provided with them. After completing the steps below, you will need to edit the WLAN(s) for which you want to enable Hotspot service. ZoneDirector supports up to 32 WISPr Hotspot service entries, each of which can be assigned to multiple WLANs. To create a Hotspot service: 1. Go to Configure > Hotspot Services. 2. Click Create New. The Create New form appears. 3. In Name, enter a name for this hotspot service. You will need to choose this name from a list when creating a WLAN to serve this hotspot
276. itional regulatory domains. For optimal performance of Apple iOS devices, it is recommended that you enable this option. Please be aware that some legacy embedded devices, such as wireless barcode scanners, may not operate properly if this option is enabled. This option is enabled by default for any WLANs created on ZoneDirector version 9.6 or later, and disabled by default for any WLANs created running earlier versions. If upgrading from a previous version to 9.6 or later, existing WLANs will retain their original settings. DHCP Option 82: When this option is enabled and an AP receives a DHCP request from a wireless client, the AP will encapsulate additional information (such as VLAN ID, AP name, SSID and MAC address) into the DHCP request packets before forwarding them to the DHCP server. The DHCP server can then use this information to allocate an IP address to the client from a particular DHCP pool based on these parameters. See also "DHCP Option 82" on page 189 for information on enabling this option for Ethernet ports. Force DHCP: Enable this option to force clients to obtain a valid IP address from DHCP within the specified number of seconds. This prevents clients configured with a static IP address from connecting to the WLAN. Additionally, if a client performs Layer 3 roaming between different subnets, in some cases the client sticks to the former IP address. This mechanism optimizes the roaming experience by forcing clients to request a new IP add
277. ive VLANs. A native VLAN is a VLAN that allows the user to designate untagged frames going in/out of a port to a specific VLAN. For example, if an 802.1Q port has VLANs 1, 20 and 30 enabled with VLAN 1 being the native VLAN, frames on VLAN 1 that egress (exit) the port are not given an 802.1Q header (i.e., they are plain Ethernet frames). Frames which ingress (enter) this port and have no 802.1Q header are assigned to VLAN 1. Traffic from WLANs configured with access VLANs 20 and 30 is tagged with an 802.1Q header containing the respective VLAN assignment before being forwarded to its destination on the Ethernet network. • Connecting ZoneDirector and any Access Points (APs) to trunk ports on the switch • Verifying that those trunk ports are on the same native VLAN. Example configuration (Figure 94): VLAN 20 is used for internal clients, VLAN 30 is used for guest clients, and Management VLAN configuration is optional. Figure 4. Sample VLAN configuration. You must ensure that switch ports are configured properly to pass the VLAN traffic necessary for ZoneDirector, AP and client communications. In the sample VLAN scenario above, the switch ports would need to be configured as follows
278. ive spectral sweeps of the entire 2.4/5 GHz frequency band. Frequently occurring points are marked red, moderately occurring points are marked yellow, and occasionally occurring points are marked green. To view spectrum analysis data for an access point: 1. Go to Monitor > Access Points and click the MAC address of the AP to view the AP detailed information page. 2. Click the Spectrum Analysis icon in the Actions table. APs that do not support this feature do not display this icon. 3. The Spectrum Analysis display opens in a new window. 4. Select 2.4G or 5G to choose the frequency band for which spectrum analysis data will be collected, and click Start Monitoring to begin. Figure 131. APs that support spectrum analysis display an extra icon in the Actions table.
279. k AP with the same radio type. Ruckus Wireless Smart Mesh APs must use the same radio type to be able to connect to each other via the mesh network. For example, an 802.11n Mesh AP will only connect to another 802.11n AP, and an 802.11b/g Mesh AP will only connect to another 802.11b/g AP. To resolve this, place additional wired APs or Mesh APs that use the same radio type near this AP. Recovering an Isolated Mesh AP. When a Mesh AP becomes isolated, it begins broadcasting a recovery SSID named "island-<last 6 digits of AP's MAC address>", which you can use to connect directly to the AP and make configuration changes. Note that this SSID is not bridged to the local network for security reasons. To perform these procedures, you will need: • A notebook computer with wireless capability. If you are running Windows XP on the computer, make sure that either the WPA2 patch or Service Pack 3 is installed. • The current ZoneDirector mesh configuration (steps for obtaining this information are provided below). • An SSH client, such as PuTTY or OpenSSH. • A text editor, such as Notepad. Step 1: Obtain the Mesh SSID and Passphrase. 1. On the ZoneDirector Web interface, click the Configure tab, and then click Mesh on the menu. 2. Under Mesh Settings, copy the contents of the Mesh Name and Mesh Passphrase fields into a text editor. Figure 174. The Mesh Name and Mesh Pa
280. k behind a NAT (Network Address Translation) device. When ZoneDirector is deployed on an isolated private network where NAT is used, administrators can manually configure a port mapping table on the NAT device to allow remote access into ZoneDirector. This allows APs to establish an LWAPP connection with ZoneDirector, as well as allowing remote HTTPS and SSH management access to ZoneDirector. Table 11 lists the ports that must be open for trans-NAT communications. Specifically, the following ports must be mapped to ZoneDirector private IP address on the NAT device's port mapping table: ports 21, 22, 80, 443, 12222, 12223. Note that there are some limitations with this configuration, including: • SpeedFlex performance test tool will not work. ZoneDirector needs to know the IP addresses of the APs. Deploying two ZoneDirectors behind the same NAT in a Smart Redundancy configuration requires creation of two port forwarding rules (one for each ZoneDirector physical IP address), and that the APs are configured with both ZoneDirectors' public IP addresses as primary and secondary ZD IPs. An active ZoneDirector behind NAT will be unable to perform upgrades to the standby ZoneDirector on the other side of the NAT device. Installing ZoneDirector. Basic installation instructions are included in the Quick Start Guide that shipped with your ZoneDirector. The steps are summarized be
281. k of isolating a Mesh AP. Select Disable if you do not want this AP to be part of your mesh network. 7. If this AP is a Mesh AP and you want to manually set which APs can serve as its uplinks, select the Manual radio button under Advanced Options > Uplink Selection (default is Smart). The other APs in the mesh appear below the selection. 8. Select the check box next to each AP that you want to allow the current AP to use as an uplink. NOTE: If you set Uplink Selection for an AP to Manual and the uplink AP that you selected is off or unavailable, the AP status on the Monitor > Access Points page will appear as Isolated Mesh AP. See "Troubleshooting Isolated Mesh APs" on page 285 for more information. Figure 120. Manual uplink selection for APs in a mesh. 9. If you select Override Group Config in the Port Setting section, a new section opens where you can customize the Ethernet port behavior for this AP
282. khaul link is using a restricted indoor-only channel. Changing the System Log Settings. ZoneDirector maintains an internal log of current events and alarms. This file has a fixed capacity; at a certain level, ZoneDirector will start deleting the oldest entries to make room for the newest. This log is volatile, and the contents will be deleted if ZoneDirector is powered down. If you want a permanent record of all logging activities, you can set up your syslog server to receive log contents from ZoneDirector, and then use the Web interface to direct all logging to the syslog server, as detailed in this topic. Reviewing the Current Log Contents. 1. Go to Monitor > All Events/Activities. 2. Review the events and alarms listed below. NOTE: Log entries are listed in reverse chronological order, with the latest logs at the top of the list. 3. Click a column header to sort the contents by that category. 4. Click any column twice to switch chronological or alphanumeric sorting modes. Figure 37. The All Events/Activities page.
283. ks on page 161 for more information. • Hide SSID: Activate this option if you do not want the ID of this WLAN advertised at any time. This will not affect performance or force the WLAN user to perform any unnecessary tasks. • Tunnel Mode: Select this check box if you want to tunnel the WLAN traffic back to ZoneDirector. Tunnel mode enables wireless clients to roam across different APs on different subnets. If the WLAN has clients that require uninterrupted wireless connection (for example, VoIP devices), Ruckus Wireless recommends enabling tunnel mode. NOTE: Wireless Distribution System (WDS) clients (for example, MediaFlex 7211/2111 adapters) do not work when the ZoneDirector WLAN is in Tunnel Mode. NOTE: When tunnel mode is enabled on a WLAN, multicast video packets are blocked on that WLAN. Multicast voice packets, however, are allowed. • Proxy ARP: When enabled on a WLAN, the AP provides proxy service for stations when receiving neighbor discovery packets (e.g., ARP request and ICMPv6 Neighbor Solicit messages), and acts on behalf of the station in delivering ARP replies. When the AP receives a broadcast ARP/Neighbor Solicit request for a known host, the AP replies on behalf of the host. If the AP receives a request for an unknown host, it forwards the request at the rate limit specified in the Packet Inspection Filter. • DHCP Relay: Enable DHCP Relay agent to convert broadcast DHCP messages to unicast in T
284. l AAA Server on page 115. To authenticate ZoneDirector administrators using an AAA server: 1. Set up Group Attributes on the AAA server. • RADIUS: • Ruckus Wireless private attribute: Vendor ID: 25053; Vendor Type/Attribute Number: 1 (Ruckus-User-Groups); Value Format: group attr1 group attr2 group attr3 • Cisco private attribute (if your network is using a Cisco access control server): Vendor ID: 9; Vendor Type/Attribute Number: 1 (Cisco-AVPair); Value Format: shell roles group attr1 group attr2 group attr3 • Active Directory or LDAP: • Set up administrator groups. • Populate these groups with users to whom you want to grant administrator access. One way to do this is to edit each user's "Member of" profile and add the group to which you want the user to belong. Remember the group names that you set; you will enter this information when you create administrator roles in ZoneDirector (see Step 3). • TACACS+: See "TACACS+" on page 133 for more information. 2. Set up ZoneDirector to use an AAA server (Configure > AAA Servers). 3. Create an Administrator Role in ZoneDirector (Configure > Roles). • Allow access to all/specific WLANs. • Allow/deny Guest Pass Generation. • Ensure that Allow ZoneDirector Administration is enabled, and choose the level of administration privileges you want to allow for this role. CAU
285. l still be able to communicate. • Isolate wireless client traffic from all hosts on the same VLAN/subnet: Prevent clients from communicating with any other hosts on the same subnet or VLAN other than those listed on the Client Isolation Whitelist. If this option is chosen, you must select a Whitelist from the drop-down list of those you created on the Configure > Access Control page. 4. Click OK to save your changes. Figure 67. Selecting a Client Isolation White List.
286. le MAC authentication bypass (Use device MAC address as username and password). Note: The LAN5 port is located on the back panel. AP Ethernet Port as Supplicant. You can also configure a port to act as a supplicant and force it to authenticate itself to an upstream authenticator port. Until the AP has successfully done so, the state of the authenticator port is closed, and packets from the AP or stations behind it will be dropped at the authenticator port. In this configuration, it is expected that the connected authenticator port is configured with the following characteristics: • As a Trunk Port to pass all VLAN packets, and • In port-based authentication mode. Each AP is allowed to configure a maximum of one Ethernet port as an 802.1X supplicant, and the supplicant port must be a Trunk Port. Figure 116. Configuring an AP Ethernet port as an 802.1X Supplicant.
287. le to discover ZoneDirector on another subnet. Firewall Ports that Must be Open for ZoneDirector Communications. Depending on how your network is designed, you may need to open firewall ports on any firewalls located between ZoneDirector, FlexMaster or the access points. The following table lists the ports that need to be open for different types of communications.
Table 11. Firewall ports that must be open for ZoneDirector communications
Communication | Ports
ZoneDirector Web UI access | TCP destination ports 80 and 443 (HTTP and HTTPS)
AP > ZoneDirector LWAPP | UDP destination ports 12222 and 12223
AP > ZoneDirector SpeedFlex | UDP port 18301
AP > ZoneDirector AP firmware upgrade | TCP port 21 (the firewall must be stateful for PASV FTP transfers)
ZoneDirector > ZoneDirector Smart Redundancy | TCP destination port 443 and port 33003
ZoneDirector > FlexMaster registration/inform/firmware upgrade | TCP destination port 443
FlexMaster > ZoneDirector management interface | TCP destination port as specified in FM Inventory "Device Web Port Number Mapping"
ZoneDirector CLI access | TCP destination port 22 (SSH)
TACACS+ server <> ZoneDirector | TCP destination port 49 (TACACS+ default)
NAT Considerations. Beginning with version 9.2, ZoneDirector can be deployed in a private networ
288. Blocking Client Devices. When users log into a ZoneDirector network, their client devices are recorded and tracked. If, for any reason, you need to block a client device from network use, you can do so from the Web interface. The following subtopics describe various tasks that you can perform to monitor, block and unblock client devices manually from the ZoneDirector Web interface. Note the following considerations when managing the Blocked Clients list: • The block list is system-wide and is applied to all WLANs in addition to any per-WLAN ACLs. If a MAC address is li
289. ll battery-powered devices that can be mounted on equipment or carried by personnel and send out periodic Ekahau Blink frames. Wi-Fi Access Points receive and forward the Ekahau Blink frames to the Ekahau RTLS Controller, which calculates accurate locations for the tags.

To enable Ekahau tag detection on ZoneDirector:
1. Go to Configure > Services.
2. Scroll down to the Ekahau Settings section near the bottom of the page.
3. Select the Enable Ekahau tag detection check box.
4. Enter the Ekahau Controller IP address and Ekahau Controller Port.
5. Click the Apply button in the same section to save your changes.

ZoneDirector enables Ekahau tag detection on all its managed APs that support this feature.

Figure 55. AeroScout Tag detection option
[Screenshot: AeroScout RFID, Ekahau Settings, Active Client Detection and Tunnel Configuration sections of the Services page]
290. low
- Connect and discover ZoneDirector using UPnP (Universal Plug and Play). On Windows 7, you may need to Turn on network discovery in the Network and Sharing Center > Advanced Sharing Settings.
- Double-click the ZoneDirector icon when UPnP displays it, or point your Web browser to ZoneDirector's IP address (default: 192.168.0.2).
- Run the Setup Wizard to create an internal and (optionally) a guest WLAN.
- Distribute APs around your worksite, connect them to power and to your LAN.
- Begin using your ZoneFlex network.

Figure 9. Discover ZoneDirector using UPnP
[Screenshot: Windows My Network Places window listing ZoneDirector as a UPnP device]

Accessing ZoneDirector's Command Line Interface

Figure 10
291. lready have a device name for this AP, it will take the host name from DHCP and display this name in events, logs and other Web interface elements. See your DHCP server documentation for instructions on Option 12 configuration.

Option 3: Register ZoneDirector with a DNS Server

If you register ZoneDirector with your DNS server, supported APs that request IP addresses from your DHCP server will also obtain DNS-related information that will enable them to discover ZoneDirector devices on the network. Using the DNS information they obtained during the DHCP request, APs will attempt to resolve the ZoneDirector IP address (or IP addresses) using zonedirector.{DNS domain name}.

To register ZoneDirector devices with DNS server:
- Step 1: Set the DNS Domain Name on the DHCP Server
- Step 2: Set the DNS Server IP Address on the DHCP Server
- Step 3: Register the ZoneDirector IP Addresses with a DNS Server

NOTE: The following procedures describe how to customize a DHCP server running on Microsoft Windows Server. If your DHCP server is running on a different operating system, the procedure may be different.

Step 1: Set the DNS Domain Name on the DHCP Server
1. From Windows Administrative Tools, open DHCP, and then select the DHCP server that you want to configure.
2. If the Scope folder is collapsed, click the plus sign to expand it.
3. Right-click Scope Options, and then click Configure Options. The General tab of the Scop
292. m appears below your selection.
4. Under Advanced Options > Uplink Selection, select the Manual radio button. The other APs in the mesh appear below the selection.
5. Select the check box for each AP that the current AP can use as uplink.
NOTE: If you set Uplink Selection for an AP to Manual and the uplink AP that you selected is off or unavailable, the AP status on the Monitor > Access Points page will appear as Isolated Mesh AP.
6. Click OK to save your settings.

Troubleshooting Isolated Mesh APs

Isolated Mesh APs are those that were once managed by ZoneDirector but are now unreachable. They are up and running and constantly searching for mesh uplinks, but are unable to connect to any root AP. You can check if you have any isolated mesh APs on the network by checking the Monitor > Access Points page.

NOTE: A mesh network is dynamic in nature. Before attempting to resolve any mesh-related issue, please wait 15 minutes to allow the mesh network to stabilize. Some mesh-related issues are automatically resolved once the mesh network stabilizes.

Understanding Isolated Mesh AP Statuses

There are five possible reasons for a mesh AP to become isolated. The table below lists all possible Isolated Mesh AP statuses that may appear on the Monitor > Access Points page and provides possible reasons for the isolation and the recommended steps for resolving the issue.

Table 36. Isolated Mesh AP statuses
Status Possible
293. When the Deletion Confirmation dialog box appears, click OK to save your settings. The records are removed from the internal user database.

Creating New User Roles

ZoneDirector provides a Default role that is automatically applied to all new user accounts. This role links all users to the internal WLAN and permits access to all WLANs by default. As an alternative, you can create additional roles that you can assign to selected wireless network users, to limit their access to certain WLANs, to allow them to log in with non-standard client devices, or to grant permission to generate guest passes. (You can then edit the default role to disable the guest pass generation option.)

To create a new user Role:
1. Go to Configure > Roles. The Roles and Policies page appears, displaying a Default role in the Roles table.
2. Click Create New (below the Roles table).
3. Enter a Name and a short Description for this role.
4. Choose the options for this role from the following:
- Group Attributes: Fill in this field only if you are creating a user role based on Group attributes extracted from an Active Directory or LDAP server (see Group Extraction on page 119). Enter the User Group name here. Active Directory/LDAP users with the same group attributes are automatically mapped to this user role.
server refer to Using an External Server for Administrator Authentication on pag
294. mation (description, PO number, status, etc.) is displayed on the Web interface.

NOTE: The system does not reboot or reset after a license is imported.

To import a new license file:
1. Go to Administer > License.
2. Click Choose File and select your license file.
3. Once you select your license file and close the Browse window, ZoneDirector immediately attempts to validate and install the license.

Figure 184. The License page
[Screenshot: Administer > License page showing the current license, the installed license features table and the Import a new license control]

Upgrading the License with Smart Redundancy

When two ZoneDirectors are deployed in a Smart Redundancy configuration, upgrading the license on one will cause the Smart Redundancy indicator to display disconnected, as both devices need to have the same license number.

To upgrade the licenses on two Smart Redundancy ZoneDirectors:
1. On the active ZoneDirector, go to Administer > License and upgrade your license.
2. Repeat for the standby ZoneDirector.
3. After both have b
295. may not begin with a number.
- Full Name: Enter the assigned user's first and last name. The user name can be up to 64 characters, including special characters and spaces.
- Password: Enter a unique password for this user (4-32 characters in length, using a combination of letters, numbers and special characters, including characters from char 33 to char 126). Passwords are case-sensitive.
- Confirm Password: Re-enter the same password for this user.

NOTE: ZoneDirector 1100 can support up to 1,250 combined total users and guest passes in the internal database. ZoneDirector 3000 and ZoneDirector 5000 can support up to 10,000 total users and guest passes. When the maximum number of PSKs that ZoneDirector supports has been reached, the Web interface may be slower in responding to requests.

4. If you have created roles that enable non-standard client logins or that gather staff members into workgroups, open the Role menu, and then choose the appropriate role for this user. For more information on roles and their application, see Creating New User Roles on page 240.
5. Click OK to save your settings. Be sure to communicate the user name and password to the appropriate end user.

Figure 143. The Create New form for adding users to the internal database
[Screenshot: Configure > Users page, Internal User Database]
296. mic PSK Batch Generation section.
3. In Target WLAN, select one of the existing WLANs with which the users will be allowed to associate. (Only WLANs with DPSK enabled will be listed.)
4. In Number to Create, select the number of dynamic PSKs that you want to generate. ZoneDirector will automatically populate the names of each user (BatchDPSK User 1, BatchDPSK User 2, and so on) to generate the dynamic PSKs.
5. If you want to be able to identify the dynamic PSK users by their names (for monitoring or auditing purposes in a school setting, for example), click Browse, and upload a batch dynamic PSK profile instead. See Creating a Batch Dynamic PSK Profile below for more information.
6. Click Generate. ZoneDirector generates the dynamic PSKs, and then the following message appears: To download the new DPSK record, click here.
7. Click the click here link in the message to download a CSV file that contains the generated dynamic PSKs.

You have completed generating the dynamic PSKs for your users. Using a spreadsheet application (for example, Microsoft Excel), open the CSV file and view the generated dynamic PSKs. The CSV file contains the following columns:
- User Name
- Passphrase
- WLAN Name
- MAC Address
- Expiration

accesses the WLAN using the dynamic PSK that has been assigned to him the MAC address NOTE The MAC address column sho
297. mpany wireless network, which you can use to access both the World Wide Web and Internet, and to check your personal email.

Your guest pass key is: Joe Guest Key
This guest pass is valid until Tuesday, March 09, 2010 4:13:45 PM.
Connect your wireless-ready PC to this network: ruckus Guest, as detailed in the instructions printed below. Before you start, please review the following requirements.

Requirements
- A wireless-network-ready computer
- The corporate guest network name
- The guest pass (a text key)

Connecting
Using your guest pass to connect requires a series of two procedures: (1) connecting your PC to the company guest network, then (2) logging in as a qualified guest.

Finding the Wireless Guest Network
On your PC Windows desktop, check the system tray for a Wireless Connection icon (the tool tip reads Wireless Network Connection name). Right-click this icon and choose View Available Wireless Networks. When the Wireless Network Connection window appears, the guest WLAN will be listed. Select the WLAN guest network (various neighbor nets may also be listed) and click Connect.

Generating and Printing Multiple Guest Passes at Once

You can provide the following instructions to users with guest pass generation privileges passes For instructions on how to generate a single guest pass see Generating and Printing NOTE The
298. Detecting Rogue Access Points

Rogue (unauthorized) APs pose problems for a wireless network in terms of airtime contention as well as security. Usually, a rogue AP appears in the following way: an employee obtains another manufacturer's AP and connects it to the LAN to gain wireless access to other LAN resources. This would potentially allow even more unauthorized users to access your corporate LAN, posing a security risk. Rogue APs also interfere with nearby Ruckus Wireless APs, thus degrading overall wireless network coverage and performance.

ZoneDirector's rogue AP detection options include identifying the presence of a rogue AP, categorizing it as either a known neighbor AP or as a malicious rogue, and locating it on your worksite floorplan prior to its physical removal.

To detect a rogue AP:
1. Go to Monitor > Rogue Devices. You can also click the # of Rogue Devices link from the Devices Overview widget on the Dashboard.

Figure 136. Rogue devices indicator
[Screenshot: Devices Overview widget showing # of APs, # of Authorized Client Devices, # of Total Client Devices and # of Rogue Devices]

2. When the Monitor > Rogue Devices page appears, three tables are listed:
- Currently Active Rogue Devices: Lists all currently detected rogue APs.
- Known/Recognized Rogue Devices: Lists rogue APs that have been marked as known ty
299. The Real Time Monitoring tool provides a convenient at-a-glance overview of performance statistics such as CPU and memory utilization, number of APs and clients on the network, and number of packets transmitted.

To view the Real Time Monitoring page, locate the Toolbox link at the top of the page and select Real Time Monitoring from the pull-down menu. You can also access the Real Time Monitoring page from the Monitor > Real Time Monitoring tab.

Figure 16. Select Real Time Monitoring from the Toolbox
[Screenshot: Toolbox pull-down menu with Real Time Monitoring selected]

Like the Dashboard, you can drag and drop Widgets onto the Real Time Monitoring page to customize the information you want to see.

Figure 17. The Real Time Monitoring screen
[Screenshot: Real Time Monitoring page with display period options and CPU utilization and client device widgets]
300. n Detection and Prevention

ZoneDirector's intrusion detection and prevention features rely on background scanning results to detect rogue access points connected to the network, and optionally prevent clients from connecting to malicious rogue APs.

Rogue Access Points

A Rogue Access Point is any access point detected by a ZoneDirector-managed access point that is not part of the ZoneFlex network managed by ZoneDirector. Rogue devices are detected during off-channel scans (background scanning) and are simply other access points that are not being managed by ZoneDirector (e.g., an access point at a nearby coffee shop, a neighbor's apartment or shopping mall). Typically, rogue access points are not a threat; however, there are certain types that do pose a threat that will be automatically identified by ZoneDirector as malicious rogue APs.

The three automatically identified malicious access point categories are as follows:
- SSID-Spoofing: These are rogue access points that are beaconing the same SSID name as a ZoneDirector-managed access point. They pose a threat as someone may be attempting to use them as a honey pot to attract your clients into their network to attempt hacking or man-in-the-middle attacks to exploit passwords and other sensitive data.
- Same-Network: These are rogue access points that are detected by other access points as transmitti
301. [Screenshot: Diagnostics page showing the packet capture AP selection table, the System Logs panel with Root AP and Mesh AP connect and disconnect syslog entries, and the AP Logs panel]
302. n active and three reserved for roaming. Enable this feature if you want this WLAN to serve as a VoIP WLAN to support Spectralink phones. You will also need to enable Call Admission Control on any APs supporting this WLAN from the Configure > Access Points page.
- Rate Limiting: Rate limiting controls fair access to the network. When enabled, the network traffic throughput of each network device (i.e., client) is limited to the rate specified in the traffic policy, and that policy can be applied on either the uplink or downlink. Toggle the Uplink and/or Downlink drop-down lists to limit the rate at which WLAN clients upload/download data. The Disabled state means rate limiting is disabled; thus, traffic flows without prescribed limits.
- Multicast Filter: When enabled for a WLAN, all client multicast traffic will be dropped at the AP. Broadcast and unicast frames remain unchanged.
- Access VLAN: By default, all wireless clients associated with APs that ZoneDirector is managing are segmented into a single VLAN (with VLAN ID 1). If you want to tag this WLAN traffic with a different VLAN ID, enter a valid VLAN ID (2-4094) in the box. Select the Enable Dynamic VLAN check box to allow ZoneDirector to assign VLAN IDs on a per-user basis. Before enabling dynamic VLAN, you need to define on the RADIUS server the VLAN IDs that you want to assign to users. See How Dynamic VLAN Wor
303. n create a subset of access points with different settings from the default settings.
- Modifying Access Point Group Membership: Lastly, you can easily move access points between groups, as described in this section.

AP group configuration settings can be overridden by individual AP settings. For example, if you want to set the transmit power to a lower setting for only a few specific APs, leave the Tx Power Adjustment at Auto in the System Default AP Group, then go to the individual AP configuration page (Configure > Access Points > Edit AP MAC address) and set the Tx Power setting to a lower setting.

Figure 109. Maximum number of AP groups by ZoneDirector model

ZoneDirector Model: Max AP Groups
- ZoneDirector 1100: 32
- ZoneDirector 3000: 256
- ZoneDirector 5000: 512

Modifying the System Default AP Group

If you want to apply global settings to all access points that are controlled by ZoneDirector, you can modify the settings of the System Default AP group and apply them to all ZoneDirector-controlled APs at once.

To modify the System Default Access Point group and apply global configuration settings:
1. Go to Configure > Access Points.
2. In the Access Point Groups section, locate the System Default access point group, and click the Edit button on the same line. The Editing (System Default) form appears.
3. Modify any of the settings in Table 24 that y
304. n icons

Icon Name: Action
- System Info: Generate a log file (support.txt) containing system information on this AP.
- Configure: Go to the Configure > Access Points page and edit the configuration settings for this AP.
- Mesh View: Open a Mesh View screen with this AP highlighted in a Mesh tree that also shows the uplink and downlink APs connected to this AP.
- SpeedFlex: Launch the SpeedFlex performance test tool to measure uplink/downlink speeds to/from this AP.
- Troubleshoot: Troubleshoot connectivity issues using Ping and Traceroute.
- Restart: Initiate a reboot of this AP.
- Recover: Recover an isolated Mesh AP.
- Allow: Allow this AP to be managed by ZoneDirector. This icon will only appear if you have disabled automatic approval under Access Point Policies on the Configure > Access Points page.
- RF Info: Generates a log file called info.txt containing radio frequency data that can be used for troubleshooting the RF environment.

Setting Mesh Uplinks Manually

In a wireless mesh network, the default behavior of Mesh APs is to connect automatically to a mesh node (either Mesh AP or Root AP) that provides the highest throughput. This automatic connection is called Smart Uplink Selection. If you want to shape your mesh network, or force a certain topology, you will need to disable Smart Uplink Sel
305. n large coverage gaps.
2. Note the new physical locations of relocated AP markers.
3. After physically relocating the actual APs in accordance with Map View repositioning, reconnect each AP to a power source.

When ZoneDirector has recalibrated the Map View after each AP restart, you can assess your changes and make further adjustments as needed.

Monitoring System Ethernet Port Status

To view the status of ZoneDirector's Ethernet ports, go to Monitor > System Info. The table displays the MAC address, Interface ID, physical link status, link speed, and total packets/bytes received/transmitted on the port since last restart.

Figure 138. Monitoring system Ethernet port information
[Screenshot: System Ethernet Info table with columns Port, MAC Address, Interface, Physical Link, Speed, Input pkts, Input bytes, Output pkts, Output bytes]

Managing User Access

In This Chapter
Enabling Automatic User Activation with Zero-IT
Adding New U
306. n name

Configuring Microsoft IAS for PAP Authentication

If you are using Microsoft Internet Authentication Service (IAS) as your RADIUS server and PAP authentication, you will need to configure your user/group profiles to use only PAP authentication rather than the default MS-CHAP. If you selected CHAP under RADIUS / RADIUS Accounting, you do not need to configure IAS for PAP authentication.

To configure user/group profiles for PAP authentication:
1. From the Internet Authentication Service main page, select the user or group for which you want to configure PAP authentication.
2. Right-click the user or group and select Properties to open the (user group name) Properties dialog box.
3. On the Properties dialog box, click Edit Profile. The Edit Dial-in Profile dialog box opens.
4. Click the Authentication tab at the top of the screen.
5. Select Unencrypted authentication (PAP, SPAP).
6. Click OK.
7. Repeat this procedure for additional users or groups.

Figure 82. On the Microsoft IAS page, right-click the user/group and select Properties
[Screenshot: Internet Authentication Service console with the Remote Access Policies context menu open]

Figure 83 On the Properties page click
307. n spaces) to provide two ZoneDirector IP addresses: 192.168.0.10 and 192.168.0.20.

Configure Vendor Class Identifier and Vendor Specific Info sub-options on Microsoft DHCP server

Configure vendor class for Ruckus Wireless Access Points:
1. In the Server Manager window, right-click the IPv4 icon, and choose Define Vendor Classes from the menu.
2. In the DHCP Vendor Classes dialogue, click Add to create a new vendor class.
3. Enter the value to describe the option class space (e.g., RuckusWirelessAP). Optionally, you can also enter a description.
4. Add the VCI string in the ASCII field and click OK. The new vendor class is created and appears in the DHCP Vendor Class dialogue list. Click Close to close the dialogue.
5. Right-click the newly created vendor class and select Set Predefined Options.
6. Predefine the ZoneDirector sub-option type for the newly created vendor class. This section defines the code and format of the sub-option (code 03 for ZoneDirector and comma-separated IP addresses in ASCII text string).
7. Configure the option with a value either at the server level, scope level or at Reservation, just like any other DHCP option, using Configure Options > Advanced.

NOTE: You can also optionally configure DHCP Option 12 (Host Name) to specify host names for APs. Then, when an AP joins ZoneDirector and ZoneDirector does not a
308. nally, you can manually assign an IP address or disable WLAN service entirely for a specific radio. Configuring any of these settings for an individual AP overrides settings configured in AP Groups.

To edit the parameters of an access point:
1. Go to Configure > Access Points.
2. Find the AP to edit in the Access Points table, and then click Edit under the Actions column.
3. Edit any of the following:
- Device Name: Enter a descriptive name for the AP for easy identification in ZoneDirector tables and Dashboard widgets. Names can consist of up to 64 letters, numbers, hyphens and underscores. Note, however, that only the first 17 characters of the device name will be displayed in the Events/Activities tables.
- Description: Enter a description for the AP. This description is used to identify the AP in the Map View.
- Location: Enter a recognizable location for the AP.
- GPS Coordinates: Enter GPS coordinates for location on Google Maps (if using FlexMaster).
- Group: Select an AP group from the list if you want to place this AP into a group other than the system default group.
4. By clicking Override Group Config and changing the default values, the following parameters can be configured independently for each AP radio:
- Channel Range Settings: Deselect any channels that you do not want the AP to use in channel selection.
- Channelization: Sets the channel width (20 or 40
309. namic pre-shared keys do not expire. You can control when the PSK expires, at which time the users will be prompted to reactivate their wireless access.

To set the dynamic PSK expiration:
1. Go to Configure > WLANs.
2. In the Dynamic PSK section, select the PSK expiration time. Range includes one day to unlimited (never expires). Optionally, enable the check box to Automatically remove expired D-PSK entries and delete the relevant connected station. If this option is unchecked, expired DPSKs will remain in the system (though unusable after expiration), and clients using an expired DPSK can remain connected until the user disconnects from the WLAN.
3. Click the Apply button that is in the same section.

The new setting goes into effect immediately.

Figure 104. Dynamic PSK expiration options
[Screenshot: Zero-IT activation, Dynamic PSK and Dynamic PSK Batch Generation sections of the WLANs page]
310. ncoming traffic is sent to the Only traffic belonging to the VLAN 2-4094 VLANs specified specified VLAN is forwarded All other VLAN traffic is dropped

General Ports

General ports are user-specified ports that can have any combination of up to 20 VLAN IDs assigned. Enter multiple valid VLAN IDs separated by commas or a range separated by a hyphen.

Using Port-Based 802.1X

802.1X authentication provides the ability to secure the network and optionally bind service policies for an authenticated user. 802.1X provides logical port control and leverages the EAP authentication and RADIUS protocols to allow the network policy to be effectively applied in real time, no matter where the user connects to the network.

AP Ethernet ports can be individually configured to serve as either an 802.1X supplicant (authenticating the AP to an upstream authenticator switch port), or as an 802.1X authenticator (receiving 802.1X authentication requests from downstream supplicants). A single port cannot provide both supplicant and authenticator functionality at the same time.

NOTE: If mesh mode is enabled on ZoneDirector, the 802.1X port settings will be unavailable for any APs that support mesh. The ZoneFlex 7025 does not support mesh, so 802.1X settings will remain available for those access points even when mesh is enabled. However, the 802.1X settings are only available from the Editing (Access Point) dialogue, not from AP Groups. Therefore, if you want to use
311. ndoor APs may also be wall-mounted vertically. Examples of vertical mounting are shown in Figure 204.

Figure 204. ZoneFlex indoor AP vertical orientation

Outdoor APs Typical Horizontal Orientation

Outdoor APs are typically mounted in a horizontal orientation, as shown in Figure 205. A less typical orientation would be vertically mounted.

Figure 205. Outdoor AP typical horizontal orientation

Elevation of RAPs and MAPs

In addition to orientation, it is important to also pay attention to the elevation of an AP for reliable mesh operation. More specifically, large differences in elevation should be avoided. So whether you are deploying an indoor mesh, an outdoor mesh or a mixed indoor-outdoor mesh, you should ensure that, as far as convenient and possible, MAPs and RAPs should all be at a similar elevation from the ground. For example, for an indoor-outdoor mesh, if all your indoor RAPs and MAPs are at ceiling height (standard 15-foot ceiling), then you would not want to mount the outdoor MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the same elevation from the ground.

Best Practice Checklist

Following the mesh best practices will ensure that your mesh is well designed an
312. nels will be utilized
[Screenshot: System settings page showing Channel Optimization, Channel Mode, Log Settings and Network Management sections]

Channel Optimization

If your Country Code is set to United States, an additional configuration option, Channel Optimization, is shown. This feature allows you to choose whether additional DFS (Dynamic Frequency Selection) channels in the 5 GHz band should be available for use by your APs. Note that these settings only affect Ruckus Wireless APs that support the extended DFS channel list.

Channel Optimization settings are described in the following table.

Table 14. Channel Optimization settings for US Country Code

Setting: Optimize for Compatibility
Description: DFS-capable ZoneFlex APs are limited to the same channels as all other APs (non-DFS channels only).
Use this setting when: You have a mixture of APs that support DFS channels and other Ruckus APs that do not support DFS channels in a Smart Mesh configuration.

Setting: Optimize for Interoperability
Description: ZoneFlex APs are limited to non-DFS channels plus four DFS channels
Use this setting when: You have only DFS-capable APs in your network or Smar
313. ng a RADIUS server for client authentication, see "RADIUS / RADIUS Accounting" on page 120.
CAUTION: If your wireless network is using EAP/external RADIUS server for client authentication and you have Windows Vista clients, make sure that they are upgraded to Vista Service Pack 1 (SP1). SP1 includes fixes for client authentication issues when using EAP/external RADIUS server.
If You Change the Internal WLAN to WEP or 802.1X
If you replace the default WPA configuration of the internal WLAN, your users must reconfigure the wireless LAN connection settings on their devices. This process is described in detail below and can be performed when logging into the WLAN as a new user.
If Switching to WEP-based Security
1. Each user should be able to repeat the Zero-IT Wireless Activation process and install the WEP key by executing the activation script.
2. Alternatively, they can manually enter the WEP key text into their wireless device connection settings.
If Switching to 802.1X-based Security
(Applies only to the use of the built-in EAP server.)
1. Each user should be able to repeat the Zero-IT Wireless Activation process and download the certificates and an activation script generated by ZoneDirector.
2. Each user must first install certificates to his/her computer.
3. Each user must then execute the activation script in order to configure th
314. ng system or Web browser settings.
3. Click Apply to save your settings. The changes go into effect immediately.
Upgrading ZoneDirector and ZoneFlex APs
Check the Ruckus Wireless Support Web site on a regular basis for updates that can be applied to your Ruckus Wireless network devices (to ZoneDirector and all your ZoneFlex APs). After downloading any update package to a convenient folder on your administrative PC, you can complete the network upgrade of both ZoneDirector and APs by following the steps detailed below.
NOTE: Upgrading ZoneDirector and the APs will temporarily disconnect them (and any associated clients) from the network. To minimize network disruption, Ruckus Wireless recommends performing the upgrade procedure at an off-peak time.
CAUTION: If ZoneDirector is running a software version earlier than version 9.5 and you want to upgrade to version 9.7, you will need to upgrade it to version 9.5 first, and then upgrade it to version 9.7. If you try to upgrade directly to 9.7 from a version earlier than 9.5, the upgrade will fail (see ZoneFlex 9.7 Release Notes for more information).
1. Go to Administer > Upgrade.
2. Under the Software Upgrade section, click Browse. The Browse dialog box appears.
3. Browse to the location where you saved the upgrade package, and then click Open.
4. When the upgrade file name a
315. ng traffic on your internal network. They are detected by ZoneDirector-managed access points seeing packets coming from a similar MAC address to one of those detected from an over-the-air rogue AP. Similar MAC addresses are +/-5 MAC addresses lower or higher than the detected over-the-air MAC address.
- MAC spoofing: These are rogue access points that are beaconing the same MAC address as a ZoneDirector-managed access point. They pose a threat, as someone may be attempting to use them as a honeypot to attract your clients into their network to attempt hacking or man-in-the-middle attacks to exploit passwords and other sensitive data.
The last type of malicious rogue device is "User Marked". These are devices that are manually marked as malicious rogues by a ZoneDirector administrator using the Mark as Malicious button on the Monitor > Rogue Devices page.
When the "Protect the network from malicious rogue access points" feature is enabled (which requires background scanning to be enabled), ZoneDirector will begin to instruct access points to use the next off-channel scan to begin sending broadcast de-auth packets with the MAC address cloned from the identified Malicious Rogue AP. This attempts to trick the clients into disconnecting over and over, making a connection to the malicious rogue AP very challenging for clients that acknowledge broadcast de-auth packets.
To configure intrusion detection and prevention options:
1. In the Intrusion Detection and Pre
316. ngs
8. Go to Administer > Restart, and click Restart to reboot ZoneDirector.
CAUTION: When configuring or updating the management VLAN settings, make sure that the same VLAN settings are applied on the Configure > Access Points > Access Point Policies > Management VLAN page, if APs exist on the same VLAN as ZoneDirector.
Figure 95. Configuring management VLAN for ZoneDirector
Figure 96. Configuring management VLAN for APs
317. nown host to send out unicast ARP replies at the rate limit specified. If ZoneDirector receives a broadcast ARP request for an unknown host, it will forward it to the tunnel to all APs according to the rate limit threshold set in the Packet Inspection Filter (see Packet Inspection Filter on page 96).
4. Click Apply in the same section to save your changes.
Figure 57. Set tunnel configuration parameters for all WLANs with tunnel mode enabled
Packet Inspection Filter
The Packet Inspection Filter (PIF) allows configuration of rate limits for broadcast neighbor discovery IPv4 Address Resolution Protocol and IPv6 Neighbor Soli
318. NOTE: Some indicators may not be present upon initial view. The Add Widgets feature, located at the bottom left area of the screen, enables you to show or hide indicators. See Using Indicator Widgets on page 39.
NOTE: You can sort the information that appears on the dashboard in ascending or descending order by clicking the column headers. Some widgets (such as Currently Managed APs) can also be customized to hide columns so that the tables do not run off the page. Click the Edit Columns button to customize the widget according to your preferences.
Using Indicator Widgets
Dashboard widgets represent the indicators displayed as part of the active dashboard. Indicator widgets can be added or removed to enhance your ZoneDirector summary needs. The following indicators are provided:
- System Overview: Shows ZoneDirector system information inclu
319. nt information details
Heading: General
  Description: Displays general information on the client, including AP and WLAN connected to, channel and signal strength indication.
Heading: Performance
  Description: Displays a graphical view of client performance. The Performance analysis graph plots the estimated capacity and actual throughput over time. Limitation: the capacity curve is updated only when the AP transmits packets containing at least 1024 bytes of data.
Heading: Events
  Description: Displays a client-specific subset of the events in the All Events/Activities table.
Figure 128. Viewing individual client information and performance statistics
320. nt to enable Zero-IT Activation.
3. Enable WPA or WPA2 (not WPA-Mixed; selecting WPA-Mixed will disable the Zero-IT option).
4. Enter a passphrase. This passphrase will only be used for administrator testing; you will not need to provide this passphrase to end users.
5. Enable Zero-IT Activation.
6. Optionally, enable Dynamic PSK if your WLAN's authentication and encryption methods support it (Open authentication and WPA or WPA2 encryption only; see Working with Dynamic Pre-Shared Keys on page 172 for more information).
7. If the Authentication Method is 802.1X or MAC Address, select which Authentication Server to authenticate users against. If you are not using an external server for authentication, you can use ZoneDirector's internal database.
8. Note the Activation URL in the Zero-IT Activation section further down the page.
9. Click OK to save your settings.
Figure 139. Enabling Zero-IT for a WLAN
321. nternal WLAN incorporates a WPA-based authentication passphrase and the AES encryption algorithm, and utilizes dynamic pre-shared keys. To review the default WLAN configurations and the available options, customize the existing WLAN setup, or replace it with a totally different configuration, review the following procedures.
Reviewing the Initial Security Configuration
1. Go to Monitor > WLANs.
2. The Currently Active WLANs table lists the WLANs created during the setup process when you worked through the ZoneDirector Setup Wizard. You can review the details of a WLAN's configuration by clicking the WLAN name. See Figure 90.
3. You have three options for the internal WLAN: (1) continue using the current configuration, (2) fine-tune the existing security mode, or (3) replace this mode entirely with a different authentication and encryption method. The two WLAN-editing processes are described separately below.
Figure 90. Viewing WLAN security configurations from the Monitor > WLANs page
322. ntication mechanisms that you want to bypass Apple Captive Network Assistance (CNA) on iDevices and OS X machines: Web Authentication, Guest Access, Hotspot service.
Enabling Bypass Apple CNA Feature
Some Apple iOS and OS X clients include a feature called Captive Network Assistant (Apple CNA), which allows clients to connect to an open captive portal WLAN without displaying the login page. When a client connects to a wireless network, the CNA feature launches a pre-browser login utility and it sends a request to a success page on the Apple website. If the success page is returned, the device assumes it has network connectivity and no action is taken. However, this login utility is not a fully functional browser, and does not support HTML, HTML5, PHP or other embedded video. In some situations, the ability to skip the login page for open WLANs is a benefit. However, for other guest or public access designs, the lack of ability to control the entire web authentication process is not desirable.
ZoneDirector provides an option to work around the Apple CNA feature if it is not desirable for your specific deployment. With CNA bypass enabled, captive portal (web-based authentication) login must be performed by opening a browser to any unauthenticated page (http) to get redirected to the login page.
To enable Apple CNA bypass, use th
323. o association. This information can then be used by the client to automatically select an appropriate network based on the services provided and the conditions under which the user can access them. In this way, rather than being presented with a list of largely meaningless SSIDs to choose from, the Hotspot 2.0 client can automatically select and authenticate to an SSID based on the client's configuration and services offered, or allow the user to manually select an SSID for which the user has login credentials. ZoneDirector's Hotspot 2.0 implementation complies with the IEEE 802.11u standard and the Wi-Fi Alliance Hotspot 2.0 Technical Specification.
Enabling Hotspot 2.0 service on ZoneDirector requires the following three steps:
- Create a Service Provider Profile
- Create an Operator Profile
- Create a Hotspot 2.0 WLAN
Create a Service Provider Profile
To create a Service Provider Profile:
1. Go to Configure > Hotspot 2.0 Services.
2. Click Create New under Service Provider Profiles.
3. Configure the settings in Table 22 to create a Service Provider profile.
Table 22. Hotspot 2.0 Service Provider profile configuration
Option: Name
  Description: Enter a name for this Service Provider profile.
Option: Description
  Description: (Optional) Enter a description.
Option: NAI Realm List
  Description: List of network access identifier (NAI) realms corresponding to SSPs or other entiti
324. o nothing to accept the default mesh name that ZoneDirector has generated.
6. In Mesh Passphrase, type a passphrase that contains at least 12 characters. This passphrase will be used by ZoneDirector to secure the traffic between Mesh APs. Alternatively, click Generate to generate a random passphrase with 32 characters or more.
7. In the Mesh Settings section, click Apply to save your settings and enable Smart Mesh.
You have completed enabling mesh capability on ZoneDirector. You can now start provisioning and deploying the APs that you want to be part of your wireless mesh network.
Optional Mesh Configuration Features
The following settings are disabled by default and are not necessary for standard mesh configuration. These settings can be used to fine-tune your mesh network to prevent issues such as excessive broadcast ARP (Address Resolution Protocol) requests, traffic looping, and excessive number of mesh hops.
ARP Broadcast Filter
The ARP Broadcast filter is designed to reduce IPv4 Address Resolution Protocol (ARP) and IPv6 Neighbor Discovery Protocol (NDP) broadcasts over the air. Once enabled, access points will sniff ARP/NDP responses and maintain a table of IP addresses to MAC address entries. When the AP receives an ARP/NDP broadcast request from a known host, the AP converts the broadcast request packet into a unicast request by replacing the broadcast
325. o on the ZoneFlex 2942. Once enabled, enter a gain value in the range of 0 to 90 dBi.
- Radio Band (ZoneFlex 7321 only): Select 2.4 GHz or 5 GHz radio band for the 7321 APs.
- Port Settings: See Configuring AP Ethernet Ports.
Configuring AP Ethernet Ports
You can use AP groups to control Ethernet ports on all APs of a certain model. Then, if you want to override the port settings for a specific AP, you can do so as explained in the Managing Access Points Individually section below.
To configure Ethernet ports for all APs of the same model:
1. Go to Configure > Access Points.
2. In Access Point Groups, click Edit next to the group you want to configure.
3. Locate the Model Specific Control section, and select the AP model that you want to configure from the list.
4. In Port Setting, select Override System Default. The screen changes to display the Ethernet ports on the AP model currently selected.
5. Deselect the check box next to Enable to disable this LAN port entirely. All ports are enabled by default.
6. Select DHCP_Opt82 if you want to enable this option for this port (see DHCP Option 82).
7. For any enabled ports, you can choose whether the port will be used as a Trunk Port, an Access Port or a General Port. The following restrictions apply: All APs must be configured with at least one Trunk Port. For single-port APs (e.g., ZoneFlex 2741), the s
326. o strong that it really belongs on this AP. The APs maintain these desired client limits and enforce them once they reach the limits by withholding probe responses and authentication responses on any radio that has reached its limit.
Key points on load balancing:
- These rules apply only to client devices; the AP always responds to another AP that is attempting to set up or maintain a mesh network.
- Load balancing does not disassociate clients already connected.
- Load balancing takes action before a client association request, reducing the chance of client misbehavior.
- The process does not require any time-critical interaction between APs and ZoneDirector.
- Provides control of adjacent AP distance with safeguards against abandoning clients.
- Can be disabled on a per-WLAN basis; for instance, in a voice WLAN, load balancing may not be desired due to voice roaming considerations.
- Background scanning must be enabled on the WLAN for load balancing to work.
To enable Load Balancing globally:
1. Go to Configure > Access Points.
2. In Access Point Policies, click the Enable button next to Load Balancing.
Figure 123. Enable Load Balancing globally for all APs and WLANs
327. Active Client Detection
Enabling active client detection allows ZoneDirector to trigger an event when a client with a low signal strength joins the network.
To enable active client detection:
1. Go to Configure > Services and scroll down to the Active Client Detection section.
2. Click the check box next to Enable client detection and enter an RSSI threshold, below which an event will be triggered.
3. Click Apply to save your changes.
Figure 56. Enabling active client detection
A low-severity event is now triggered each
328. ole that refers to this WLAN and assign that role to the relevant user accounts.
- Enter the WEP key in the network configuration on the client device.
Fixing User Connections
If any of your users report problematic connections to the WLAN, the following debugging technique may prove helpful. Basically, you will be deleting that user's client from the Active Clients table in the Ruckus ZoneDirector, and when their client connection automatically renews itself, any previous problems will hopefully be resolved.
To fix the connection of an active client:
1. Go to Monitor > Currently Active Clients.
2. In the Clients table, locate the problematic client and click the Delete button on the same row.
3. The client will be immediately disconnected from the WLAN. (Be sure not to block the client. If you do accidentally block a client, go to Configure > Access Control to unblock.)
4. From the client computer, refresh the list of wireless networks and attempt to log in again.
5. After one to two minutes, the Clients table will refresh and display the client again.
Figure 185. The Currently Active Clients page
329. Configuring Wireless Intrusion Prevention
ZoneDirector provides several built-in intrusion prevention features designed to protect the wireless network from security threats such as Denial of Service (DoS) attacks and intrusion attempts. These features, called Wireless Intrusion Prevention System (WIPS), allow you to customize the actions to take and the notifications you would like to receive when each of the different threat types is detected.
DoS Protection
Two options are provided to protect the wireless network from Denial of Service attacks.
To configure the DoS protection options:
1. Go to Configure > WIPS.
2. In the Denial of Service (DoS) section, configure the following settings:
- Protect my wireless network against excessive wireless requests: If this capability is activated, excessive 802.11 probe request frames and management frames launched by malicious attackers will be discarded.
- Temporarily block wireless clients with repeated authentication failures for [ ] seconds: If this capability is activated, any clients that repeatedly fail in attempting authentication will be temporarily blocked for a period of time (10-1200 seconds, default is 30). Clients temporarily blocked by the Intr
330. Figure 130. Monitoring an AP's performance
Spectrum Analysis
Spectrum analysis provides two real-time views of the RF environment using data generated by the AP to chart power levels across the 2.4 and 5 GHz frequency bands.
- Instantaneous Samples View (top view): The instantaneous samples plot provides a real-time display of signal power across the entire 2.4 or 5 GHz frequency bands. The plot is color-coded based on the signal power within each part of the frequency band. Red represents stronger signals, while weaker signals are closer to blue.
- CDF of Samples View (bottom view): This graph displays the concentration of signal power readings within each portion of the frequency band in a cumulative distribution format. The CDF plot is color-coded based upon the frequency with which each point is observed during consecut
331. onal
4. Under Type, select Guest Access.
5. Since this is a Guest network, the only Authentication Option available is Open.
6. Choose an Encryption Method that provides the best compromise between security and compatibility, based on the kinds of client devices that you expect your guests will use.
7. If you want your internal wireless traffic to have priority over guest traffic, set the Priority to Low.
8. Under Advanced Options, select the options to enable for this WLAN. For more information on WLAN advanced options, see Advanced Options on page 145.
- Optionally, enable a Grace Period (disabled by default) and enter a value in minutes to allow disconnected users a grace period after disconnection, during which clients will not need to re-authenticate.
9. Click OK to save your changes.
Figure 148. Create a Guest Access WLAN
332. ons
Encryption choices include WPA, WPA2, WPA-Mixed, WEP-64, WEP-128 and None. WPA and WPA2 are both encryption methods certified by the Wi-Fi Alliance and are the recommended encryption methods. WEP has been proven to be easily circumvented, and Ruckus Wireless recommends against using WEP if possible.
Method
- WPA: Standard Wi-Fi Protected Access with either TKIP or AES encryption.
- WPA2: Enhanced WPA encryption that complies with the 802.11i security standard.
- WPA-Mixed: Allows mixed networks of WPA and WPA2 compliant devices. Use this setting if your network has a mixture of older clients that only support WPA and TKIP, and newer client devices that support WPA2 and AES. Note that selection of WPA-Mixed disables the ability to use Zero-IT for this WLAN.
- WEP-64: Provides a lower level of encryption, and is less secure, using shared key 40-bit WEP encryption.
- WEP-128: Provides a higher level of encryption than WEP-64, using a shared 104-bit key for WEP encryption. However, WEP is inherently less secure than WPA.
- None: No encryption; communications are sent in clear text.
CAUTION: If you set the encryption method to WEP-64 (40 bit) or WEP-128 (104 bit) and you are using an 802.11n AP for the WLAN, the WLAN will operate in 802.11g mode.
Algorithm (only for WPA or WPA2 encryption methods)
- TKIP: This algorithm provides greater compatibility with older client devices, but retains many of the security weaknesses of WEP. Therefore, if yo
333. operability: non-DFS channels plus channels 52, 56, 58, 60
- Optimize for Performance: all DFS/non-DFS channels, including 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
Channel Mode
Some countries restrict certain 5 GHz channels to indoor use only. For instance, Germany restricts channels in the 5.15 GHz to 5.25 GHz band to indoor use. When ZoneFlex Outdoor APs and Bridges with 5 GHz radios (ZoneFlex 7762, 7782, 7761-CM and 7731) are set to a country code where these restrictions apply, the AP or Bridge can no longer be set to an indoor-only channel and will no longer select from amongst a channel set that includes these indoor-only channels when SmartSelect or Auto Channel selection is used, unless the administrator configures the AP to allow use of these channels.
For instance, if the AP is installed in a challenging indoor environment such as a warehouse, the administrator may want to allow the AP to use an indoor-only channel. These channels can be enabled for use through the AP CLI or ZoneDirector Web interface by configuring Configure > System > Country Code > Channel Mode and checking "Allow indoor channels (allows ZoneFlex Outdoor APs to use channels regulated as indoor use only)".
If you have a dual-band ZoneFlex Indoor AP functioning as a RAP with dual-band ZoneFlex Outdoor APs functioning as MAPs, the mesh backhaul link must initially use a non-indoor-only channel. Your ZoneFlex Outdoor MAPs may fail to join if the mesh bac
334. options are available from the standby device.
NOTE: If you will be deploying the two ZoneDirectors on different Layer 3 networks, you must ensure that Port 443 and Port 33003 are open in any routers and firewalls located between the two ZoneDirectors.
To enable Smart Redundancy:
1. Log in to the Web interface of the ZoneDirector you will initially designate as the primary unit.
2. Go to Configure > System, and set a static IP address under Device IP Settings, if not already configured.
3. Click Apply. You will need to log in again using the new IP address (if changed).
4. On the same Configure > System page, locate the Smart Redundancy section.
Figure 28. Enable Smart Redundancy
335. or
- In the case of EAP payload, this is generated by a wireless client and encapsulated in the RADIUS access request packet.
- In the case of a state attribute, it indicates that an access request packet is a response to the last received access challenge packet by copying the state AVP unmodified.
- As for the class attribute, it is parsed and stored from an access accept packet and then subsequently used in accounting request packets.
RADIUS Authentication attributes
Table 17. RADIUS attributes used in authentication
WLAN Type: 802.1X/MAC Auth
Attributes, sent from ZoneDirector in Access Request messages:
- (1) User name
- (4) NAS IP Address [optional, prefer sending NAS-ID]
- (5) NAS Port
- (6) Service Type: hard-coded to be Framed-User (2)
- (12) Framed MTU: hard-coded to be 1400
- (30) Called Station ID: user configurable
- (31) Calling Station ID: format is sta's mac
- (32) NAS Identifier: user configurable
- (61) NAS Port Type: hard-coded to be 802.11 port (19)
- (77) Connection Info: indicates client radio type
- (79) EAP payload
- (24) State: if radius access challenge in last received radius msg from AAA
- (80) Message Authenticator
- (95) NAS IPv6 address: if using/talking to an IPv6 RADIUS server
Ruckus private attribute:
- Vendor ID: 25053
- Vendor Type/Attribute Number: 3 (Ruckus SSID)
336. or has detected any rogue DHCP servers. When a rogue DHCP server is detected, the following event appears on the All Events/Activities page: "Rogue DHCP server on [IP address] has been detected". If the check box is cleared, ZoneDirector will not generate these events. Rogue DHCP server detection only works on the ZoneDirector's management IP subnet.
Figure 61. Enabling Rogue DHCP server detection
337. or Web interface pages automatically refresh themselves periodically, depending on activity. You can pause auto refresh on any page in the Web interface from the Toolbox. After clicking Stop Auto Refresh, ZoneDirector pauses automatic updating of all widgets on the current page, and the refresh icons on the widgets are disabled (greyed out). To restart auto refresh, click Start Auto Refresh from the Toolbox.

Figure 18. Stopping and starting automatic page refreshing
Figure 19. The Refresh icon on all widgets is disabled when auto refresh is stopped

Registering Your Product

NOTE: Ruckus Wireless encourages you to register your ZoneDirector product to receive updates and important notifications, and to make it easier to receive support in case you need to contact Ruckus for customer assistance.

You can register your ZoneDirector along with all of your APs in one step using ZoneDirector's Registration form.

NOTE: To ensure that all registration information for all of your APs is included, be sure to register after all APs have been installed. If you register ZoneDirector before installing the APs, the registration will not include AP
338. ord
Testing Authentication Settings

4. Click Test. If ZoneDirector was able to connect to the authentication server and retrieve the configured groups/attributes, the information appears at the bottom of the page. The following is an example of the message that will appear when ZoneDirector authenticates successfully with the server:

Success. Groups associated with this user are group name. This user will be assigned a role of role.

If the test was unsuccessful, there are three possible results (other than success) that will be displayed to inform you if you have entered information incorrectly:
- Admin invalid
- User name or password invalid
- Search filter syntax invalid (LDAP only)

These results can be used to troubleshoot the reasons for failure to authenticate users from an AAA server through ZoneDirector.

Managing a Wireless Local Area Network

In This Chapter
- Overview of Wireless Networks
- About Ruckus Wireless WLAN Security
- Creating a WLAN
- Customizing WLAN Security
- Working with WLAN Groups
- Deploying ZoneDirector WLANs in a VLAN Environment
- Working with Hotspot Services
- Working with Dynamic Pre-Shared Keys
339. ore settings from one ZoneDirector unit to another; note that wireless clients reporting to the AP managed by the first ZoneDirector unit will need to go through Zero-IT activation again to obtain new client certificates. Zero-IT activation is enabled by default; therefore, no manual configuration is required from you.

- Restore everything except system name and IP address settings (for failover deployment at the same site): Select this option to import settings saved from a primary to a backup ZoneDirector for Smart Redundancy deployment.

NOTE: In addition to system name and IP address, this option restores everything except for the following configuration settings:
1. VLAN settings
2. Management IP address and VLAN settings
3. Smart Redundancy settings
4. DHCP server settings
5. Session timeout
6. Limited ZD Discovery and Management VLAN settings in Access Point Policies

- Restore only WLAN settings, access control list, roles, and users (use this as a template for different sites): Select this option if you want to use the backup file as a configuration template.

5. Click the Restore button. ZoneDirector restores the backup file. During this process, ZoneDirector automatically logs you out of the Web interface. When the restore process is complete, ZoneDirector automatically restarts and your wireless network will be ready for use again.

Restor
340. ork Working with Hotspot Services
1. Go to Configure > WLANs.
2. In the WLANs section, look for the WLAN that you want to assign as a hotspot WLAN, and then click the Edit link that is on the same row. The Editing (WLAN name) form appears.
3. In Type, click Hotspot Service (WISPr).
4. In Hotspot Services, select the name of the hotspot service that you created previously.
5. Click OK to save your changes.

Figure 99. Assigning a Hotspot service to a Hotspot WLAN

Creating a Hotspot 2.0 Service

Hotspot 2.0 is a newer Wi-Fi Alliance specification that allows for automated roaming between service provider access points when both the client and access gateway support the newer protocol. Hotspot 2.0 aims to improve the experience of mobile users when selecting and joining a Wi-Fi hotspot by providing information to the station prior t
341. orm client load balancing for this WLAN service. Applies to this WLAN only. Load balancing may be active on other WLANs.

Configuring Client Isolation White Lists

When Wireless Client Isolation is enabled on a WLAN, all communication between clients and other local devices is blocked at the Access Point. To prevent clients from communicating with other nodes, the Access Point drops all ARP packets from stations on the WLAN where client isolation is enabled and which are destined to IP addresses that are not part of a per-WLAN white list. You can create exceptions to client isolation (such as allowing access to a local printer, for example) by creating Client Isolation White Lists.

To create a Client Isolation White List:
1. Go to Configure > Access Control.
2. In the Client Isolation White List section, click Create New.
3. Enter a Name and, optionally, a description for the access policy.
4. In Rules, you can create multiple device-specific rules for each device to be white listed:
   - Description: Description of the device.
   - MAC Address: Enter the MAC address of the device.
   - IPv4 Address: Enter the IP address of the device.

Click Save to save the rule you created. To change the order in which rules are implemented, select the order from the drop-down menu in the Order column. You can also Edit or Clone rules from the Action column. To delete a rule, select the box next to the rule and click Delete. Click OK to save the
342. ot 2.0 Services: Operator Profiles (screenshot of the operator profile form)

Create a Hotspot 2.0 WLAN

After you create a HS2.0 service, you need to specify the WLANs to which you want to deploy the hotspot configuration. To configure an existing WLAN to provide hotspot service, do the following:
1. Go to Configure > WLANs.
2. In the WLANs section, look for the WLAN that you want to assign as a HS2.0 WLAN, and then click the Edit link that is on the same row. The Editing (WLAN name) form appears.
3. In Type, click Hotspot 2.0.

NOTE: 802.1X EAP is the only authentication method and WPA2/AES is the only encryption method available when you select Hotspot 2.0 for WLAN type.

4. In Hotspot 2.0 Operator, select the name of the Operator profile that you created prev
343. ou for that client does not appear on the Currently Active Clients page.
6. Choose UDP or TCP from the Protocol drop-down list. Only one type of traffic can be tested at a time.
7. If you are testing AP throughput, you have the option to test both Downlink and Uplink throughput. Both options are selected by default. If you only want to test one of them, clear the check box for the option that you do not want to test.
8. Click the Start button.
   - If the target client does not have SpeedFlex installed, a message appears in the ZoneDirector administrator's browser, informing you that the SpeedFlex tool has to be installed and running on the client before the wireless performance test can continue. Click the OK button on the message, download the appropriate SpeedFlex version (Windows, Mac or Android) from http://<ZoneDirector IP Address>/perf, and email it to the user, or instruct the user to go to http://<ZoneDirector IP Address>/perf to download and install it. (See Allowing Users to Measure Their Own Wireless Throughput on page 317.) After SpeedFlex is installed and running on the client, click Start again to continue with the wireless performance test.

A progress bar appears below the speedometer as SpeedFlex generates traffic to measure the downlink or uplink throughput. One throughput test typically runs for 10-30 seconds. If you are testing both Downlink and Uplink options, the two tests take about one minute to complete.
344. ou can log into regardless of which ZoneDirector is the active unit. This shared management IP address must be configured identically on both ZoneDirectors (see Configuring ZoneDirector for Smart Redundancy on page 55).

To enable an additional management interface:
1. Go to Configure > System.
2. Locate the Management Interface section and click the check box next to Enable IPv4 Management Interface or Enable IPv6 Management Interface.
3. Enter the IP Address, Netmask and Access VLAN information for the additional interface. (If IPv6, enter Prefix Length instead of Netmask.)
4. (Optional) If you want to configure this management interface with a different gateway from the gateway configured under Device IP Settings, select Default gateway is connected with this interface, and enter the gateway IP address in the field provided. Enable this option if you want to change the default gateway of the ZoneDirector to be in your management subnet. Changing the default gateway to be in the management subnet will cause all traffic to be routed via this gateway.
5. Click Apply to save your settings.

If the Management Interface is to be shared by two Smart Redundancy ZoneDirectors, repeat steps 1-5 for the other ZoneDirector.

Figure 25. Enabling an additional management interface
345. ou want to apply to the System Default AP group, and click OK to save your changes.

Table 24. Access Point group settings

Setting: Description
- Name: The System Default group name cannot be changed (you can edit this field when creating/editing any other AP group).
- Description: The System Default description cannot be changed (you can edit this field when creating/editing any other AP group).
- Channel Range Settings: To limit the available channels for 2.4 GHz, 5 GHz Indoor and 5 GHz Outdoor channel selection, deselect any channels that you do not want the APs to use.
- Channelization: Select Auto, 20MHz or 40MHz channel width for either the 2.4 GHz or 5 GHz radio.
- Channel: Select Auto or manually assign a channel for the 2.4 GHz or 5 GHz radio.
- Tx Power: Allows you to manually set the transmit power on all 2.4 GHz or 5 GHz radios (default is Auto).
- 11n Only Mode: Force all 802.11n APs to accept only 802.11n compliant devices on the 2.4 GHz or 5 GHz radio. If 11n only Mode is enabled, all older 802.11b/g devices will be denied access to the radio.
- WLAN Group: Specify which WLAN group this AP group belongs to.
- Call Admission Control: (Disabled by default.) Enable Wi-Fi Multimedia Admission Control (WMM-AC) to support Polycom/Spectralink VIEW certification. See Advanced Options under Creating a WLAN for more information.
- Spectralink Compatibility: (Disabled by default.) Enable this option if
346. oups
- Max Clients: Set the maximum number of clients that can associate per AP. Note that different AP models have different maximum client limitations. The dual-band ZoneFlex 7982, for example, can support up to 512 clients on both radios, while the ZoneFlex 7025 can support only up to 100 clients.
- Internal Heater: Enable internal heaters (specific AP models only).

NOTE: For the internal heater to be operational, ZoneFlex 7762 APs must be powered by the supplied PoE injector and its associated power adapter or a standard 802.3at PSE. For the PoE Out port to be operational, ZoneFlex 7762 APs must be powered by the supplied PoE injector and its associated power adapter.

- PoE Out Ports: Enable PoE out ports (specific ZoneFlex AP models only).

NOTE: If your ZoneDirector country code is set to United Kingdom, an additional Enable 5.8 GHz Channels option will be available for outdoor 11n APs. Enabling this option allows the use of restricted C-band channels. These channels are disabled by default and should only be enabled by customers with a valid license to operate on these restricted channels.

- Disable Status LEDs: When managed by ZoneDirector, you can disable the external LEDs on certain ZoneFlex models, such as the 7300 series APs. This can be useful if your APs are installed in a public location and you don't want to draw attention to them.
- External Antenna: External antenna configuration is available for the 2.4 GHz radi
347. ow. When the Editing (Internal) options appear, look at the two main categories: Authentication Options and Encryption Options. If you click an Authentication Option Method such as Open or 802.1X, different sets of encryption options are displayed:
- Open allows you to configure a WPA- or WEP-based encryption, or none if you're so inclined. After selecting a WPA or WEP level, you can then enter a passphrase or key text of your choosing.
- 802.1X EAP allows you to choose from all available encryption methods, but you do not need to create a key or passphrase. Instead, users will be authenticated against ZoneDirector's internal database or an external RADIUS server.
- MAC Address allows you to use an external RADIUS server to authenticate wireless clients based on their MAC addresses. Before you can use this option, you need to add your external RADIUS server to ZoneDirector's Configure > AAA Servers page. You also need to define the MAC addresses that you want to allow on the RADIUS server.
- 802.1X EAP + MAC Address allows the use of both authentication methods on the same WLAN.

Depending on your Authentication Option Method selection, review and reconfigure the related Encryption Options.

6. Review the Advanced Options to change any settings as needed. When you are finished, click OK to apply your changes.

NOTE: Replacing your WPA configuration with 802.1X requires the users to make changes to their Ruckus wireless conne
348. owners and is completely at their discretion. Your access to the network may be blocked, suspended or terminated at any time for any reason. You agree not to use the wireless network for any purpose that is

When a client connects to the Open Guest WLAN for the first time, the Onboarding Portal page is displayed. The screen displays the following two options:
- Guest Access
- Register Device (download Zero-IT activation file)

Figure 150. The Onboarding Portal for mobile devices

If the user clicks the Guest Access button, the process is the same as when connecting to a Guest WLAN, and all settings on the Guest Access configuration page will be put into effect.

Figure 151. Guest Access welcome and terms of use screens
349. pically neighbor APs.
- User Blocked Rogue Devices: Lists devices that have been marked as malicious by the user.

Review the Currently Active Rogue Devices table. The following types of Rogue APs generate an alarm when ZoneDirector detects them (if the alarm has been enabled from the Configure Alarms page):
- AP: A normal rogue AP. This rogue AP has not yet been categorized as malicious or non-malicious.
- malicious AP (SSID spoof): A malicious rogue AP that uses the same SSID as ZoneDirector's AP, also known as an Evil-twin AP.
- malicious AP (MAC spoof): A malicious rogue AP that has the same BSSID (MAC) as one of the virtual APs managed by ZoneDirector.
- malicious AP (Same Network): A malicious rogue AP that is connected to the same wired network.
- malicious AP (User Blocked): A rogue AP that has been marked as malicious by the user.

To mark an AP as malicious, click Mark as Malicious. This AP will now be blocked and listed in the User Blocked Rogue Devices table. The malicious rogue AP protection mechanism (enabled from the Configure > WIPS > Intrusion Detection and Prevention page) is automatically applied to all rogue APs categorized as malicious, whether user-blocked or another type.

If a listed AP is part of another, known neighbor network, click Mark as Known. This identifies the AP as posing no threat, while copying the record to the Known/Recognized Rogue Devices table.

To locate rogue APs that do pose a threat to
350. plan with active device symbols, you can assess the performance of individual APs in terms of coverage. (For detailed information on the Map View, see Using the Map View Tools on page 213.)
2. In the Coverage options, select 2.4 GHz or 5 GHz to view coverage for the radio band.
3. When the heat map appears, look for the Signal (%) scale in the upper right corner of the map.
4. Note the overall color range, especially colors that indicate low coverage.
5. Look at the floorplan and evaluate the current coverage. You can make adjustments as detailed in the following procedure.

Improving AP RF Coverage
1. Click and drag individual AP markers to new positions on the Map View floorplan until your RF coverage coloration is optimized. There may be a need for additional APs to fill in large coverage gaps.
2. When your adjustments are complete, note the new locations of relocated AP markers.
3. After physically relocating the actual APs according to the Map View placements, reconnect the APs to a power source.
4. To refresh the ZoneDirector Map View, run a full system RF Scan, as detailed in Starting a Radio Frequency Scan on page 319.
5. When the RF scan is complete and ZoneDirector has recalibrated the Map View, you can assess your changes and make further adjustments as needed.

Assessing Current Performance Using the Access Point Table
1. Go to Monitor
351. planning your mesh network. You will need to calculate the number of total APs (Root APs and Mesh APs) that are needed to provide adequate coverage and performance for a given property. Performing a site survey to determine the coverage for your particular installation environment is essential. Once the coverage area is sufficiently covered with Root APs to meet your bandwidth and throughput requirements, you will need to adjust the number and placement to compensate for APs that will serve as Mesh APs.

If you plan to support Internet-grade connections for casual web browsing, plan for a design that delivers 1Mbps of throughput in the entire coverage area. For enterprise-grade connections, plan for 10Mbps of throughput. WiFi is a shared medium, of course, so this aggregate bandwidth will be shared amongst the concurrent users at any given time. In other words, if the network is designed to support 10Mbps, it would support 1 user at 10Mbps, or 10 users at 1Mbps each. In reality, due to statistical multiplexing (just like the phone system, the fact that not all users are using the network concurrently), if you use an oversubscription ratio of 4:1, such a network could actually support 40 users at 1Mbps.

In a Smart Mesh network, the Root AP (RAP) has all its wireless bandwidth available for downlink, because the uplink is wired. For Mesh APs (MAPs), the available wir
352. potential throughput and will change channels to learn, optimize throughput and avoid interference.
- Automatically adjust 2.4GHz channels using Background Scanning
- Automatically adjust 5GHz channels using Background Scanning

Background Scanning: Background scans are performed by APs to evaluate radio channel usage. The process is progressive; one frequency is scanned at a time. This scanning enables rogue device detection, AP locationing, and self-healing.
- Run a background scan on 2.4GHz radio every 2000 seconds
- Run a background scan on 5GHz radio every 2000 seconds
- To view all WLANs with background scanning off, click here.

Radar Avoidance Pre-Scanning: Enable Radar Avoidance Pre-Scanning
AeroScout RFID: Enable AeroScout RFID tag detection

NOTE: You can also disable Background Scanning on a per-WLAN basis from the Configure > WLANs page. To disable scanning for a particular WLAN, click the Edit link next to the WLAN for which you want to disable scanning, open Advanced Options, and click the check box next to Disable Background Scanning.

To see whether Background Scanning is enabled or disabled for a particular AP, go to Monitor > Access Points, and click on the AP's MAC address. The access point detail screen displays the Background Scanning status for each radio.
353. ppears in the text field, the Browse button becomes the Upgrade button.
5. Click Upgrade. ZoneDirector will automatically log you out of the Web interface, run the upgrade, and then restart itself. When the upgrade process is complete, the Status LED on ZoneDirector is steadily lit. You may now log back into the Web interface as Administrator.

NOTE: The full network upgrade is successive in sequence. After ZoneDirector is upgraded, it will contact each active AP, upgrade it, and then restore it to service.

CAUTION: The AP uses FTP to download firmware updates from ZoneDirector. If you have an access control list (ACL) or firewall between ZoneDirector and the AP, make sure that FTP traffic is allowed to ensure that the AP can successfully download the firmware update.

Figure 176. The Upgrade page
354. pport (screenshot text: Device IP Settings form with Enable IPv6 Support and IPv4 Configuration, Manual or DHCP)

Changing the Network Addressing

If you need to update the IP address and DNS server settings of ZoneDirector, follow the steps outlined below.

CAUTION: As soon as the IP address has been changed (applied), you will be disconnected from your Web interface connection to ZoneDirector. You can log into the Web interface again by using the new IP address in your Web browser.

1. Go to Configure > System.
2. Review the Device IP Settings options.

Figure 23. The Device IP options
355. pt to automatically configure this computer's wireless settings for access to the secure internal WLAN. If you are not running a supported operating system, you can manually configure wireless settings by clicking the link at the bottom of the page (see Provisioning Clients that Do Not Support Zero-IT on page 237).

Figure 141. Corporate WLAN configuration

You have completed Zero-IT configuration for this user. Repeat this procedure to automatically configure all additional users of your internal WLAN.

Self-Provisioning Clients without Ethernet Ports

Many mobile devices such as iOS, Windows Phone and Android smartphones can also use Zero-IT Activation. This is done using the Onboarding Portal, which is described in Onboarding Portal on page 251.

Provisioning Clients that Do Not Support Zero-IT

If your users are connecting with clients running earlier versions of Windows, Linux, or other operating systems that do not support Zero-IT provisioning, users must manually configure wireless settings. A manual configuration page displays the settings needed for manual configuration.
356. r, click here.

Management Access Control: This table lists the specific IP addresses which are allowed access to the ZoneDirector. Click Create New to add another IP address, or click Edit to make changes to an existing entry.

System Time: Click Refresh to update the time displayed on this page. Click Sync Time with Your PC to manually synchronize the internal ZoneDirector clock with your administrative PC clock. Use NTP to synchronize the ZoneDirector clock automatically.

Figure 34. Creating a new ZoneDirector management ACL
357. re encrypting their traffic with their own unique DPSK. DPSKs can be created in bulk and manually distributed to users and devices, or ZoneDirector can auto-configure devices with a DPSK when they connect to the network for the first time using Zero-IT Activation (see Enabling Automatic User Activation with Zero-IT).

Enabling Dynamic Pre-Shared Keys on a WLAN

To use DPSK for client authentication, you must enable it for a particular WLAN (if you did not enable it during the initial ZoneDirector Setup Wizard process).

To enable DPSK for a WLAN:
1. Go to Configure > WLANs.
2. Either Edit an existing WLAN or Create New to open the WLAN configuration form.
3. Under Type, select Standard Usage.
4. Under Authentication Options: Method, select MAC Address or Open.
5. Under Encryption Options: Method, select WPA or WPA2 (not WPA-Mixed, as selecting WPA-Mixed will disable the Zero-IT activation option).
6. Under Encryption Options: Algorithm, select TKIP or AES (not Auto, as selecting Auto will disable the Zero-IT activation option).
7. If using MAC Address authentication, choose an Authentication Server to authenticate clients against: either Local Database or RADIUS Server.
8. Ensure that the Zero-IT Activation check box is enabled.
9. Next to Dynamic PSK, enable the check box next to Enable Dynamic PSK. Select a DPSK passphrase length (between 8 and 62 characters).

Limit DPSK: By default, each authenticated user can generate multiple
358. reboots if disconnected from ZoneDirector for more than 55 Minutes.

Using Limited ZD Discovery for N+1 Redundancy

ZoneDirector's Smart Redundancy feature (see Enabling Smart Redundancy) can only be used with two ZoneDirectors of the same model and license number. If you want to deploy one ZoneDirector as a backup controller for multiple primary controllers (for example, using a ZD3000 as a backup for several ZD1100s in remote locations), you can use Limited ZD Discovery to achieve limited N+1 redundancy.

NOTE: Using Limited ZD Discovery for redundancy purposes does not synchronize the user database, guest database or DPSKs.

To deploy multiple ZoneDirectors in a limited redundancy configuration:
1. On each primary ZoneDirector, go to Configure > Access Points > Access Point Policies, and locate the Limited ZD Discovery section.
2. Activate the check box next to Only connect to the following ZoneDirector.
3. Enter the IP address of the primary ZoneDirector (the one you are currently configuring) in Primary ZoneDirector Addr.
4. Enter the IP address of the backup ZoneDirector in Secondary ZoneDirector Addr.
5. (Optional) Enable the check box next to Prefer Primary ZD. This ensures that the AP will revert to its primary controller after connection to the primary has been restored.
6. Click Appl
359. rector always maintains the correct time, configure an NTP server and point ZoneDirector to the NTP server's IP address, as described in Setting the System Time on page 63.

NOTE: WLAN service schedule times should be configured based on your browser's current timezone. If your browser and the target AP/WLAN are in different timezones, configure the on/off times according to the desired schedule according to your local browser. For example, if you wanted a WLAN in Los Angeles to turn on at 9 AM and your browser was set to New York time, please configure the WLAN service schedule to enable the WLAN at noon. When configuring the service schedule, all times are based on your browser's timezone setting.

- Auto-Proxy: The Auto-Proxy feature automatically configures client browsers with Web proxy settings when the user joins the wireless network. Clients locate the proxy script according to the Web Proxy Autodiscovery Protocol (WPAD). WPAD uses discovery methods such as DNS and DHCP Option 252 to locate the configuration file. To use this feature, you must designate where the wpad.dat file is to be stored. Click Choose File to upload a wpad.dat file conforming to the WPAD protocol to ZoneDirector, or select External Server and enter the IP address of the external DHCP/DNS server where the file is stored.
  - Internet Explorer supports DNS and DHCP Option 252, while Firefox, Chrome and Safari support the DNS method only.
  - If the wpad.dat file is
360. rector system logs:
1. Go to Administer > Diagnostics, and locate the System Logs section.
2. Click the Click Here link next to To show current System logs. The log data is displayed in the text box beneath the link.
3. Click the Save System Log button to save the log as a compressed .tar file.

To view AP logs:
1. Go to Administer > Diagnostics, and locate the AP Logs section.
2. Click the Click Here link next to To show current AP logs. The log data is displayed in the text box beneath the link.

Figure 195. Viewing System and AP logs
Figure 196
361. ress Client Tx/Rx Statistics: Enable this option to ignore unauthorized client statistics and report only statistics from authorized clients in device view and other reports. This can be useful for service providers who are more interested in accounting statistics after authorization than in all wireless client statistics. For example, a Hotspot WLAN can be configured to allow unauthorized clients to connect and traverse any walled garden web pages without adding to transmission statistics until after authorization. • Client Fingerprinting: When this option is enabled, ZoneDirector will attempt to identify client devices by their Operating System, device type and Host Name, if available. This makes identifying client devices easier in the Dashboard, Client Monitor and Client Details screens. [Page 147: Managing a Wireless Local Area Network / Creating a WLAN] • Service Schedule: Use the Service Schedule tool to control which hours of the day, or days of the week, to enable/disable WLAN service. For example, a WLAN for student use at a school can be configured to provide wireless access only during school hours. Click on a day of the week to enable/disable this WLAN for the entire day. Colored cells indicate WLAN enabled. Click and drag to select specific times of day. You can also disable a WLAN temporarily for testing purposes, for example. NOTE: This feature will not work properly if ZoneDirector does not have the correct time. To ensure ZoneDi
362. ress (Optional): If you know the MAC address of the device that the user will be using, type it here. 5. Go back to the Dynamic PSK Batch Generation section, and then complete steps 4 to 6 in Generating Multiple Dynamic PSKs above to upload the batch dynamic PSK profile and generate multiple dynamic PSKs. Figure 105: DPSK batch generation [screenshot of the Dynamic PSK and Dynamic PSK Batch Generation settings; the on-screen text notes that each user is assigned a unique pre-shared key (PSK) when they activate their wireless access, that DPSKs can be created by number or from an uploaded profile file (csv), and that the maximum allowable number of DPSKs is 1000]
364. rovisioning and deploying all mesh nodes, verify that the wireless mesh has been set up successfully. Step 4: Verify That the Wireless Mesh Network Is Up. After you complete deploying all mesh nodes to their locations on the network, you can check the Map View on the ZoneDirector Web interface to verify that mesh associations have been established and mesh trees formed. 1. On the ZoneDirector Web interface, click the Monitor tab, and then click Map View on the menu. The Map View appears and shows the mesh nodes that are currently active. See Importing a Map View Floorplan Image on page 210 for instructions on importing a map. 2. Check if all the mesh nodes that you have provisioned and deployed appear on the Map View. 3. Verify that a mesh network has been formed by checking if dotted lines appear between the mesh nodes. These dotted lines identify the neighbor relationships that have been established in the current mesh network. NOTE: If your mesh spans multiple ZoneDirectors, it is possible for a node to be associated to a different ZoneDirector than its parent or children. [Page 278: Deploying a Smart Mesh Network / Understanding Mesh-related AP Statuses] Figure 167: Dotted lines indicate that these APs are part of the wireless mesh network. The symbols next to the AP icons indicate whether the AP is a Root AP, Mesh AP or eMAP. Refer to the following table. Table 34: Map View AP icons. An AP with the upward pointing
365. s Using an External AAA Server 5. Enter the Windows Domain Name (e.g., domain.ruckuswireless.com). 6. Click OK. Figure 73: Enable Active Directory for a single domain [screenshot of the Configure > AAA Servers page with an Active Directory server entry]. For single domain authentication, admin name and password are not required. Multi-Domain Active Directory Authentication: For multi-domain AD authentication, an Admin account name and password must be entered so that ZoneDirector can query the Global Catalog. To enable Active Directory authentication for multiple domains: 1. On the Configure > AAA Servers page, in the Editing (Active Directory) form, select the Global Catalog check box next to Enable Global Catalog support. 2. The default port changes to 3268, and the fields for Admin
366. s which are listed in this table [screenshot of the Roles table and role editing form, with the options Allow All WLANs, Specify WLAN access, Allow guest pass generation and Allow ZoneDirector Administration]. Managing Automatically Generated User Certificates and Keys: With Ruckus Zero-IT wireless activation, a unique key or certificate is automatically generated for a user during the activation process. More precisely, for a WLAN configured with WPA or WPA2 and Dynamic PSK enabled, a unique and random key phrase is generated for each wireless user. Similarly, for a WLAN configured with 802.1X EAP authentication, a unique certificate for each wireless user is created. When using the internal user database, automatically generated user certificates and keys are deleted whenever the associated user account is deleted from the user database. In the case of using Windows Active Directory, LDAP or RADIUS as an authentication server, you can delete the generated user keys and certificates by following these steps: 1. Go to Monitor > Generated PSK/Certs. The Generated PSK/Certs page appears. 2. Select the check boxes for the PSKs and Certificates that you want to delete. 3. Cl
367. s Control Lists: In addition to L2/MAC based ACLs, ZoneDirector also provides access control options at Layer 3 and Layer 4. This means that you can configure the access control options based on a set of criteria, including: • Destination Address • Application • Protocol • Destination Port. To create an L3/L4/IP address based ACL: 1. Go to Configure > Access Control. 2. In L3/4/IP address Access Control, click Create New. 3. Type a Name for the ACL. 4. Type a Description for the ACL. 5. In Default Mode, set the default access privilege (allow all or deny all) that you want to grant all users by default. 6. In Rules, click Create New or click Edit to edit an existing rule. 7. Define each access policy by configuring a combination of the following: • Type: The access privilege (allow or deny) that this policy grants. [Page 104: Configuring Security and Other Services / Controlling Network Access Permissions] • Destination Address: Enter an IP subnet and netmask of the network target to which you want to allow or deny access. (IP address must be in the format A.B.C.D/M, where M is the subnet mask.) Otherwise, select Any. For example, if you enter 192.168.0.1/24, the rule would allow or deny the entire Class C subnet. To allow/deny a single host, use /32 as the netmask. • Application: If you select a specific application from the menu, the Protocol and Destination Port options are automatically filled with the relevant values and are not
368. s ZoneDirector ZoneDirector Physical Features
Feature: Three full-length PCIe add-in cards (not used); Power supply 2 (backup AC power); Power supply 1 (primary AC power); RJ45 serial port (COM2/serial B); Video connector (not used); USB 0 and 1 (1 on top); USB 2 and 3 (3 on top); (10) GbE NIC 1 connector; (11) GbE NIC 2 connector; (12) Two ground studs (used for DC-input system).
Table 9: NIC status LEDs (LED color: LED state = NIC state)
• Green/Amber (left): Off = 10Mbps; Green = 100Mbps; Amber = 1000Mbps
• Green (right): On = Active connection; Blinking = Transmit/Receive activity
[Page 23: Introducing Ruckus Wireless ZoneDirector / Introduction to the Ruckus Wireless Network]
Introduction to the Ruckus Wireless Network: Your new Ruckus Wireless network starts when you disperse a number of Ruckus Wireless access points (APs) to efficiently cover your worksite. After connecting the APs to ZoneDirector (through network hubs or switches), running through the Setup Wizard and completing the Zero-IT setup, you have a secure wireless network for both registered users and guest users. NOTE: Zero-IT refers to ZoneDirector's simple setup and ease-of-use features, which allow end users to automatically self-configure wireless settings on Windows and Mac OS clients as well as many mobile devices including iOS, Windows Phone and Android OS devices. After using
369. s at http://<zonedirector-ip-address>/perf, or SpeedFlex may prompt you to install the SpeedFlex application on the target client, even when it is already installed. Before using SpeedFlex, verify that both Guest Usage and Wireless Client Isolation options are disabled. For more information on SpeedFlex, refer to Measuring Wireless Network Throughput with SpeedFlex on page 312. • Hotspot Service (WISPr): Create a Hotspot WLAN. A Hotspot service must first have been created (Configure > Hotspot Services) before it will be available for selection. See Creating a Hotspot Service on page 164. • Hotspot 2.0: Create a Hotspot 2.0 WLAN. A Hotspot 2.0 Operator must first have been created (Configure > Hotspot 2.0 Services) before it will be available for selection. See Creating a Hotspot 2.0 Service on page 167. • Autonomous: Autonomous WLANs are special WLANs designed to continue providing service to clients when APs are disconnected from ZoneDirector. See Autonomous WLANs on page 142. Autonomous WLANs: The Autonomous WLAN usage type supports Open authentication and WPA, WPA2, WPA-Mixed, WEP or no encryption only. In this configuration, client authentication/association requests are processed at the access point and are not forwarded to ZoneDirector. The AP maintains connections to authorized clients and continues providing wireless service after disconnection from ZoneDirector. NOTE: If AP Auto Recovery is enabled
370. s failed. The client's MAC address, AP's MAC address and SSID are included.
• ruckusZDEventAPcoldstart: An AP has been cold started.
• ruckusZDEventAPwarmstart: An AP has been warm started.
• ruckusZDEventAPclientValve: Triggered when an AP's online client limit has been exceeded.
• ruckusZDEventAPCPUvalve: An AP's CPU utilization has exceeded the set value.
• ruckusZDEventAPMEMvalve: An AP's memory utilization has exceeded the set value.
• ruckusZDEventSmartRedundancyChangetoActive: The standby Smart Redundancy ZoneDirector has failed to detect its active peer, system changed to active state.
• ruckusZDEventSmartRedundancyActiveConnected: The active Smart Redundancy ZoneDirector has detected its peer and is in active connected state.
• ruckusZDEventSmartRedundancyActiveDisconnected: The active Smart Redundancy ZoneDirector has not detected its peer and is in active disconnected state.
• ruckusZDEventSmartRedundancyStandbyConnected: The standby ZoneDirector has detected its peer and is in standby connected state.
• ruckusZDEventSmartRedundancyStandbyDisconnected: The standby ZoneDirector has not detected its peer and is in standby disconnected state.
[Page 80: Configuring System Settings / Configuring DHCP Relay]
Configuring DHCP Relay: ZoneDirector's DHCP Relay agent improves network performance by converting DHCP broadcast traffic to unicast to prevent flooding the Layer 2 network when Layer 3 Tunn
371. s granted. You can view the actual authentication method used (MAC address or EAP) from the Monitor > Currently Active Clients page. Figure 81: The Monitor > Currently Active Clients page shows the actual authentication method used for clients in an 802.1X EAP + MAC Address authentication WLAN [screenshot of the Clients table, including the Auth Method column]. Using 802.1X with EAP-MD5: EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. ZoneDirector supports 802.1X authentication with EAP-MD5 using either ZoneDirector internal database or an external RADIUS server. To configure a WLAN for EAP-MD5 authentication: 1. Go to Configure > WLANs and click the Edit link next to the WLAN you would like to configure. 2. Under Authentication Options: Method, select 802.1X EAP. 3. Under Encryption Options: Method, select None. 4. Under Authentication Server, select either Local Database or a previously configured RADIUS server from the list. 5. Click OK to save your changes. [Page 124: Configuring Security and Other Services / Using an External AAA Server] RADIUS Attributes: Ruckus products communicate with an external RADIUS
372. s option. This means you must manually allow each newly discovered AP. [remainder of the screenshot: Limited ZD Discovery, Management VLAN, Load Balancing, Tunnel MTU and Auto Recovery settings, and the Access Point USB Software Packages table] Connecting the APs to the Network: 1. Place the new APs in the appropriate locations. 2. Write down the MAC address (on the bottom of each device) and note the specific location of each AP as you distribute them. 3. Connect the APs to the LAN with Ethernet cables. NOTE: If using Gigabit Ethernet, ensure that you use Cat5e or better Ethernet cables. [Page 180: Managing Access Points / Adding New Access Points to the Network]
373. s private attribute: Vendor ID: 25053; Vendor Type/Attribute Number: 3 (Ruckus-SSID)
WLAN type 802.1X/MAC Auth, specific to Interim-Update and Stop messages:
• 8 Ruckus private attribute: Vendor ID: 25053; Vendor Type/Attribute Number: 2 (Ruckus-Sta-RSSI)
• 42 Input Octets
• 43 Output Octets
• 44 Session ID
• 46 Session Time
• 47 Input Packets
• 48 Output Packets
• 52 Input Gigawords (only appears when received bytes > 4 GB)
• 53 Output Gigawords (only appears when transmitted bytes > 4 GB)
• 55 Event Timestamp
WLAN type 802.1X/MAC Auth, specific to Stop messages:
• 49 Terminate Cause: user request, lost carrier, lost service, session timeout, admin reset, admin reboot, supplicant restart, idle timeout
[Page 129: Configuring Security and Other Services / Using an External AAA Server]
Table 18: RADIUS attributes used in Accounting (columns: WLAN Type, Attribute)
WLAN type 802.1X/MAC Auth, sent from RADIUS server in Accept messages:
• 1 User name
• 25 Class
• 85 Acct interim interval
• 27 Session timeout & 29 Termination action: Session timeout event becomes a disconnect event or re-authentication event if termination action indicates "1" (radius request)
For Dynamic VLAN application:
• 64 Tunnel Type: value only relevant if it is 13 (VLAN)
• 65 Tunnel Medium Type: value only relevant if it is 6 (802, as in all 802 media plus Ethernet)
• 81 Tunnel Private Group ID: this is the VLAN ID assignment
374. s throughput results for each hop, as well as the aggregate throughput from ZoneDirector to the final AP in the tree. [Page 315: Troubleshooting / Measuring Wireless Network Throughput with SpeedFlex] NOTE: Note that SpeedFlex for mesh links is unsupported for 802.11g APs; this feature is available for 11n APs only. SpeedFlex to clients is supported for all ZoneFlex APs. To measure throughput across multiple hops in a Smart Mesh tree: 1. Go to Monitor > Mesh, or open the Mesh Topology widget on the Dashboard. 2. Locate the AP whose throughput you want to measure, and click the SpeedFlex icon on the same row as that AP. The SpeedFlex icon changes to an icon with a green check mark, and the Multi-Hops SpeedFlex button appears. 3. Click Multi-Hops SpeedFlex. The SpeedFlex utility launches in a new browser window. Select Uplink, Downlink or both (default is both) and click Start to begin. Note that multi-hop SpeedFlex takes considerably longer to complete than a single hop. If you want to complete the test faster, deselect either Uplink or Downlink and test one direction at a time. Figure 190: Running Multi-Hop SpeedFlex in a mesh tree [screenshot of the Monitor > Mesh page showing the Mesh Topology]
375. save your changes. If you want to filter more specific settings, see Advanced LDAP Filtering. NOTE: The Admin account need not have write privileges, but must be able to read and search all users in the database. Figure 75: Creating a new LDAP server object in ZoneDirector [screenshot of the Configure > AAA Servers page with the LDAP server form: IP Address, Base DN, Admin DN, Admin Password, Key Attribute and Search Filter]. Advanced LDAP Filtering: A search string in LDAP format conforming to RFC 4515 can be used to limit search results. For example, objectClass=Person limits the search to those whose objectClass attribute is equal to Person. More complicated examples are shown when you mouse over the
376. sed whenever authentication is needed [screenshot of the Authentication/Accounting Servers table with a TACACS+ server entry, and the Test Authentication Settings form]. Once your TACACS+ server is configured on the AAA Servers page, you can select it from the list of servers used to authenticate ZoneDirector administrators on the Administer > Preferences page. [Page 134: Configuring Security and Other Services / Testing Authentication Settings] Figure 86: Select TACACS+ for ZoneDirector administrator authentication [screenshot of the Administer > Preferences page]
377. ser Accounts to ZoneDirector 238; Managing Current User Accounts 240; Creating New User Roles 240; Managing Automatically Generated User Certificates and Keys 242; Using an External Server for User Authentication 243; Activating Web Authentication 244. [Page 233: Managing User Access / Enabling Automatic User Activation with Zero-IT] Enabling Automatic User Activation with Zero-IT: Ruckus Wireless Zero-IT Activation allows network users to self-activate their devices for secure access to your wireless networks with no manual configuration required by the network administrator. Once your ZoneFlex network is set up, you need only direct users to the Activation URL, and they will be able to automatically authenticate themselves to securely access your wireless LAN. Before enabling Zero-IT, make sure you have at least one of each of the following configured: • A WLAN configured (Configure > WLANs) • A user Role with access to this WLAN (Configure > Roles) • A User with this role assigned that exists in either the internal database or an external RADIUS, Active Directory or LDAP server (Configure > Users). To enable Zero-IT activation, do the following: 1. Go to Configure > WLANs. 2. Click Edit on the WLAN where you wa
378. sers. 2. Click the Delete button in the Action column in a specific user row. The entry is deleted from the Active/Current Client list, and the listed device is disconnected from your Ruckus Wireless WLAN. [Page 112: Configuring Security and Other Services / Controlling Network Access Permissions] Figure 70: Click the Delete button to temporarily delete a client. The client will be able to reconnect. [screenshot of the Monitor > Currently Active Clients page]
379. server as a RADIUS client. Packets from Ruckus products are called "access-request" or "accounting-request" messages. The RADIUS server, in turn, sends an "access-challenge", "access-accept" or "access-reject" message in response to an access-request, and an "accounting-response" message in response to an accounting-request. RADIUS Attribute Value Pairs (AVP) carry data in both the request and the response messages. The RADIUS protocol also allows vendor specific attributes (VSA) to extend the functionality of the protocol. The following tables list the RADIUS attributes used in these messages between ZoneDirector and the RADIUS/RADIUS Accounting server, based on which type of authentication is used for the WLAN. Table 17 lists the attributes used in authentication, and Table 18 lists those used in accounting. ZoneDirector will terminate a user session if it receives a Change of Authorization/Disconnect Message (COA/DM) from the RADIUS server. The COA/DM message may be used when a client changes service levels. For instance, a new user may initially connect to a free, low-rate service on one WLAN. When they purchase access on a higher-rate service, RADIUS will send a COA/DM message to ZoneDirector, causing the user to re-connect to an alternative WLAN. COA/DM may also be used to remove a client if a user exceeds their total bandwidth allowance or time on the network. Notation ">" below indicates this value is generated external to AP/ZoneDirect
380. service. 4. In WISPr Smart Client Support, select whether to allow WISPr Smart Client support: • None (default) • Enabled: Enable Smart Client support. NOTE: The WISPr Smart Client is not provided by Ruckus; you will need to provide Smart Client software/hardware to your users if you select this option. [Page 164: Managing a Wireless Local Area Network / Working with Hotspot Services] • Only WISPr Smart Client allowed: Choose this option to allow only clients that support WISPr Smart Client login to access this hotspot. If this option is selected, a field appears in which you can enter instructions for clients attempting to log in using the Smart Client application. • Smart Client HTTP Secure: If Smart Client is enabled, choose whether to authenticate users over HTTP or HTTPS. In Login Page (under Redirection), type the URL of the captive portal (the page where hotspot users can log in to access the service). Configure optional settings as preferred: • In Start Page, configure where users will be redirected after successful login. You could redirect them to the page that they want to visit, or you could set a different page where users will be redirected (for example, your company website). • In User Session, configure session timeout and grace period, both disabled by default. Session Timeout: Specify a time limit after which users will be disconnected and required to log in again. Grace Period: Allow disconnected users a
381. sion 9.7.0.0 build 74 [remainder of the Dashboard screenshot: Devices Overview, Currently Managed APs, Currently Active WLANs, Most Active Client Devices, Usage Summary and Support widgets] 4. Click Finish in the Widgets pane to close it. Removing a Widget: To remove a widget from the Dashboard, click the O icon for any of the widgets currently open on the Dashboard. The Dashboard refreshes, and the widget that you removed disappears from the page. [Page 41: Introducing Ruckus Wireless ZoneDirector / Using the ZoneDirector Web Interface] Figure 15: To remove a widget, click the correspon
382. small area. This is by design, to prevent flooding a large network with multicast traffic. However, in some situations, a user may want to offer Bonjour services from one VLAN to another. ZoneDirector's Bonjour Gateway feature addresses this requirement by providing an mDNS proxy service configurable from the Web interface to allow administrators to specify which types of Bonjour services can be accessed from/to which VLANs. In order for the Bonjour Gateway to function, the following network configuration requirements must be met: • The target networks must be segmented into VLANs. • VLANs must be mapped to different SSIDs. • The controller must be connected to a VLAN trunk port. [Page 83: Configuring System Settings / Enabling Bonjour Gateway] Additionally, if the VLANs to be bridged by the gateway are on separate subnets, the network has to be configured to route traffic between them. Creating a Bonjour Gateway Rule: The Bonjour Gateway is essentially a list of rules for mapping services from one VLAN to another. To configure rules for bridging Bonjour services across VLANs: 1. Go to Configure > Bonjour Gateway. 2. Click Create New in the Bridge Service table to create a new Bonjour service rule. 3. In the Create New form, configure the following options: • Bridge Service: Select the Bonjour service from the list. • From VLAN: Select the VLAN from which the Bonjour service will be advertised. • To VLAN: Select the VLAN to which
383. ssphrase you will use to configure the AP. [screenshot of the Configure > Mesh page showing Mesh Settings (Enable Mesh, Mesh Name (ESSID), Mesh Passphrase) and ARP Broadcast Filter] Step 2: Ensure that the AP's Mesh Mode is set to Auto. 1. Go to Configure > Access Points and click the Edit link next to the AP you want to recover. 2. Under Advanced Options > Mesh Mode, select Auto and click OK. Step 3: Locate the AP's Mesh Recovery SSID. 1. In your notebook's wireless connection list, locate the Mesh recovery SSID. The SSID will be named island-xxxxxx, where xxxxxx is the last 6 digits of the AP's MAC address. [Page 287: Deploying a Smart Mesh Network / Best Practices and Recommendations] 2. Connect to this WLAN using WPA and the passphrase ruckus-<admin password>. The admin password is the same as that used to log into ZoneDirector. 3. You can now access the AP's Web interface by entering the AP's recovery IP address 169.254.1.1 in the browser. Note that because the AP is still in ZoneDirector-managed state, you cannot make configuration changes via the Web interface. Therefore, you will need to proceed to the next s
384. sted in the system-wide block list, it will be blocked even if it is an allowed entry in an ACL. Thus, the block list takes precedence over an ACL. MAC addresses that are in the deny list are blocked at the AP, not at ZoneDirector. Monitoring Client Devices: 1. Go to the Dashboard, if it's not already in view. 2. Under Devices Overview, look at # of Total Client Devices. [Page 111: Configuring Security and Other Services / Controlling Network Access Permissions] Figure 69: The Device Overview widget [screenshot of the Devices Overview widget]. 3. Click the current number, which is also a link. The Currently Active Clients page (on the Monitor tab) appears, showing the first 15 clients that are currently connected to ZoneDirector. If there are more than 15 currently active clients, the Show More button at the bottom of the page will be active. To display more clients in the list, click Show More. When all active clients are displayed on the page, the Show More button disappears. 4. To block any listed client devices, follow the next set of steps. Temporarily Disconnecting Specific Client Devices: Follow these steps to temporarily disconnect a client device from your WLAN. (The user can simply reconnect manually, if they prefer.) This is helpful as a troubleshooting tip for problematic network connections. 1. Look at the Status column to identify any Unauthorized u
385. stem Settings: Setting the Country Code

Figure 35. The System Time options [screenshot: the management access IP address table, the System Time section (NTP server, time zone, Sync Time with Your PC), and the Country Code, Channel Optimization and Channel Mode settings]
386. stem Settings: Setting Up Email Alarm Notifications

Figure 40. The Alarm Settings page [screenshot: the Email Notification settings (email addresses, SMTP server name and port, SMTP authentication user name and password, SMTP Encryption Options) and the list of alarm events]

NOTE: If the Test button is clicked, ZoneDirector will attempt to connect to the mail server for 10 seconds. If it is unable to connect to the mail server, it will stop trying and quit.

NOTE: When
387. stored on ZoneDirector, only one file can be uploaded, and this file applies to all WLANs that use the ZD-stored file.
• Up to 8 wpad.dat files can be saved on external servers, in addition to the single wpad.dat file that can be stored on ZoneDirector.

NOTE: If Wireless Client Isolation, ACLs or Web/Guest Captive Portal are enabled on the WLAN, an additional ACL may be required to allow wireless clients to access the Web proxy server and ZD Captive Portal redirection page. For more information, refer to the Auto-Proxy Application Note available from support.ruckuswireless.com.

• Inactivity Timeout: Enter a value in minutes after which idle stations will be disconnected (1 to 500 minutes).

Figure 88. Advanced options for creating a new WLAN
388. subnet. It will be able to find and communicate with ZoneDirector once you reconnect it to the other subnet.

NOTE: If you use this method, make sure that you do not change the IP address of ZoneDirector after the AP discovers and registers with it. If you change the ZoneDirector IP address, the AP will no longer be able to communicate with it and will be unable to rediscover it.

Option 2: Customize Your DHCP Server

NOTE: The following procedure describes how to customize a DHCP server running on Microsoft Windows. If your DHCP server is running on a different operating system, the procedure may be different.

Configuring the DHCP Server for ZoneDirector-AP Communication
To customize your DHCP server, you need to configure DHCP Option 43 (043 Vendor Specific Info) with the IP address of the ZoneDirector device on the network. When an AP requests an IP address, the DHCP server will send a list of ZoneDirector IP addresses to the AP. If there are multiple ZoneDirector devices on the network, the AP will automatically select a ZoneDirector to register with from this list of IP addresses. RFC 2132 describes DHCP Option 60 and Option 43. DHCP Option 60 is the Vendor Class Identifier (VCI). The VCI is a text string that identifies a vendor type of a DHCP client. All Ruckus Wireless Access Points are configured to send Ruckus CP
389. [Screenshot fragment: WLAN form fields including the wired hosts white list, Zero-IT Activation, Priority and Advanced Options]

You have completed configuring the WLAN to authenticate users by MAC address from a RADIUS server.

Using 802.1X EAP + MAC Address Authentication
With the 802.1X EAP + MAC Address authentication method, clients configured with either open or EAP-MD5 authentication methods are both supported on the same WLAN. The encryption method is limited to none, and an external RADIUS server is required.

NOTE: This option will only work if you have a supplicant that supports this behavior, and currently no known public domain supplicants support this behavior.

When ZoneDirector authenticates a client, MAC authentication is checked first, followed by the EAP process. When the client tries to associate, if MAC authentication succeeds, the client is authorized directly and allowed to pass traffic without any further EAP authentication required. If MAC authentication fails, the EAP authentication process begins and the client must provide a valid EAP account before access i
390. t Mesh is not supported by Centrino systems may enabled and you are confident that all not be compatible with other wireless clients support DFS channels wireless NICs

Table 14. Channel Optimization settings for US Country Code (continued)
Setting: Optimize for Performance
Description: ZoneFlex APs can use all available DFS and non-DFS channels, without regard for compatibility or interoperability.
Use this setting when: You have only DFS-capable APs in your network, you are not concerned with DFS compatibility of client devices, and you want to make the maximum use of all possible available channels.

NOTE: If you are located in the United States and have a DFS-capable ZoneFlex AP that is expected to serve as a Root AP (or eMAP), with a non-DFS-capable Mesh AP as its downlink, you will need to set the Channel Optimization setting to Optimize for Compatibility. This is due to the DFS-capable AP's ability to use more channels than the non-DFS-capable APs, which could result in the RAP choosing a channel that is not available to the MAP. Alternatively, manually set the channel for the Root AP to one of the non-DFS channels. Specifically, choose one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 165.

The channels available for AP use are the following:
• Optimize for Compatibility: 36, 40, 44, 48, 149, 153, 157, 161, 165 (non-DFS channels)
• Optimize for Inter
391. t VLAN (Default: disabled): When a station fails to authenticate to this port, it will be assigned to this guest VLAN, with access to Internet but not to internal resources.
Dynamic VLAN (Default: disabled): Dynamically assign VLANs based on the policies set on the RADIUS server.
Authenticator: Select the RADIUS server from the list. A RADIUS server must be selected to set this port as a MAC-based authenticator.
5. Enable MAC authentication bypass: Enable this option to allow AAA server queries using the MAC address as both the user name and password. If MAC authentication is unsuccessful, the normal 802.1X authentication exchange is attempted.

Figure 115. Enabling Guest VLAN and Dynamic VLAN on a MAC-based 802.1X Authenticator port
392. t be just the part of your email address before the @ symbol, or it might be your complete email address. If you are using a free email service, such as Hotmail or Gmail, you typically have to type your complete email address.
SMTP Authentication Password: Type the password that is associated with the user name above.
Confirm SMTP Authentication Password: Retype the password you typed above to confirm.
SMTP Encryption Options: If your mail server uses TLS encryption, click the SMTP Encryption Options link, and then select the TLS check box. Additionally, select the STARTTLS check box that appears after you select the TLS check box. Check with your ISP or mail administrator for the correct encryption settings that you need to set.
• If using a Yahoo email account, STARTTLS must be disabled.
• If using a Hotmail account, both TLS and STARTTLS must be enabled.
4. To verify that ZoneDirector can send alarm messages using the SMTP settings you configured, click the Test button.
• If ZoneDirector is able to send the test message, the message Success appears at the bottom of the Email Notification page. Continue to Step 5.
• If ZoneDirector is unable to send the test message, the message Failed appears at the bottom of the Email Notification page. Go back to Step 3, and then verify that the SMTP settings are correct.
5. Click Apply. The email notification settings you configured become active immediately.
393. [Screenshot fragment: the FlexMaster management (URL and interval), Performance Monitoring, Northbound Portal Interface and SNMPv2 Agent settings]

Configuring SNMP Support
ZoneDirector provides support for Simple Network Management Protocol (SNMP v2 and v3), which allows you to query ZoneDirector information such as system status, WLAN list, AP list, and clients list, and to set a number of system settings using a Network Management System (NMS) or SNMP MIB browser. You can also enable SNMP traps to receive immediate notifications for possible AP and client issues.

Enabling the SNMP Agent
The procedure for enabling ZoneDirector's internal SNMP agent depends on whether your network is using SNMPv2 or SNMPv3. SNMPv3 mainly provides security enhancements over the earlier version, and therefore requires you to enter authorization passwords and encryption settings instead of simple clear text community strings. Both SNMPv2 and SNMPv3 can be enabled at the same time. The SNMPv3 framework provides backward compatibility for SNMPv1 and SNMPv2c manag
394. tected by radio, the 5 strongest signal detector AP will be listed as a subtree of this device and sorted by RSSI (Received Signal Strength Indication) number.

[Screenshot: the Currently Active Rogue Devices table (columns: MAC Address, Device Name, Location, Channel, Radio Type, Encryption, SSID, Last Detected, RSSI, Action) and the Known/Recognized Rogue Devices table (columns: MAC Address, Channel, Radio Type, Encryption, SSID, Last Detected)]
395. ted as indoor use only

Setting the Country Code
Different countries and regions maintain different rules that govern which channels can be used for wireless communications. Setting the Country Code to the proper regulatory region ensures that your ZoneFlex network does not violate local and national regulatory restrictions. ZoneDirector's Web interface can be used to define the country code for all APs under its control.

To set the Country Code to the proper location:
1. Go to Configure > System.
2. Locate the Country Code section, and choose your location from the pull-down menu.
3. Click Apply to save your settings.

Figure 36. The Country Code settings [screenshot: the System Time, Country Code and Channel Optimization settings]
396. tep and connect to the AP's CLI to make changes.

Step 4: Connect to the AP and update its Mesh settings
1. Launch your SSH client and enter the IP address 169.254.1.1.
2. Log into the AP via SSH using the same user name and password that you use to log into the ZoneDirector Web interface.
3. Enter the command set meshcfg ssid <current ssid>, where current ssid is the SSID that the mesh network is currently using.
4. Enter the command set meshcfg passphrase <current passphrase>, where current passphrase is the passphrase that the mesh network is currently using.
NOTE: To paste text into PuTTY, press Ctrl+V to paste, then click the right mouse button.
5. Enter the command set mesh auto.
6. If there are multiple ZoneDirectors on the network, you may need to specify which ZoneDirector the AP should connect to using the command set director ip <ZoneDirector's IP address>.
7. If a management VLAN is used for ZoneDirector-AP management traffic, enter the following command: set ipaddr wan vlan <vlan ID>
8. Enter the command reboot to restart the AP with the new configuration changes.
9. Close the SSH client.

You have completed recovering the isolated mesh AP. You should be able to manage this AP again shortly. Please wait at least 15 minutes to allow the mesh network to stabilize, and then try managing this AP again via ZoneDirector.

Best Practices and Recommendations
For recommendations and best practices in planning and d
397. tep process: (1) create the custom WLAN and link it to qualified user accounts by roles, and (2) assist all qualified users to prepare their client devices for custom WLAN connection. As a result, you will have the default WLAN for authorized internal users, a guest WLAN for visitors, and any needed WLANs that fulfill different wireless security or user segmentation requirements.

The maximum number of WLANs configurable per ZoneDirector controller are as follows:

Table 19. Max WLANs by ZoneDirector model
Model: Max WLANs
ZoneDirector 1100: 128
ZoneDirector 3000: 1024
ZoneDirector 5000: 2048

On older single-band APs (ZF 2942, 2741, 7025), the maximum number of WLANs deployable per AP radio is eight. If an AP is in mesh mode, the maximum number of WLANs deployable per radio is six, since the mesh uses two SSIDs. On newer single-band APs (ZF 7321, 7341, 7343) and all dual-band ZoneFlex APs, the maximum number of service WLANs deployable per AP radio is 27. These APs support maximum 32 SSIDs per radio, but five are reserved (two mesh SSIDs and one each for monitor, recovery and scan).

CAUTION: Deploying a large number of WLANs per AP will have a performance impact. Ruckus Wireless recommends deploying no more than eight WLANs per AP radio.

About Ruckus Wireless WLAN Security
One of the first things you should decide for each WLAN you create
398. ter
4. Using a text or HTML editor, customize the guest pass printout. Note that only ASCII characters can be used. You can do any or all of the following:
• Reword the instructions
• Translate the instructions to another language
• Customize the HTML formatting
The guest pass printout contains several tokens or variables that are substituted with actual data when the guest pass is generated. When you customize the guest pass printout, make sure that these tokens are not deleted. For more information on these tokens, see "Guest Pass Printout Tokens" on page 267.
5. Go back to the Guest Pass Printout Customization section, and then click Create New. The Create New form appears.
6. In Name, type a name for the guest pass printout that you are creating. For example, if this guest pass printout is in Spanish, you can type Spanish.
7. In Description (optional), add a brief description of the guest pass printout.
8. Click Browse, select the HTML file that you customized earlier, and then click Open. ZoneDirector copies the HTML file to its database.
9. Click Import to save the HTML file to the ZoneDirector database.

You have completed creating a custom guest pass printout. When users generate a guest pass, the custom printout that you created will appear as one of the options that they can print (see Figure 157).

Guest Pass Printout Tokens
Table 31 lists the tokens that are used in the guest pass printout. Make sure that they are not acci
399. ter a Name for this access route.
4. Enter a Subnet (in the format A.B.C.D/M, where M is the netmask).
5. Enter the Gateway address.
6. Click OK to save your changes. You can create up to 4 static route entries.

Figure 26. Creating a static route entry

Static Route Example
As an example, in a network where the APs are connected to ZoneDirector via a cable modem termination system, the APs are in a different subnet and not found via the default gateway. A static route would therefore be needed to allow ZoneDirector to AP connectivity. See Figure 27.

Figure 27. A static route is needed when APs are reachable only through a non-default gateway [diagram labels: Default Gateway, ZoneDirector, DHCP Server, Static Route 10.9.250.0/24 via 10.9.0.15]
400. th this role to have permission to generate guest passes, check this option.
4. Click OK to save your settings. This new role is ready for application to authorized users.

Figure 155. Create a guest pass generator Role

Assigning a Pass Generator Role to a User Account
This procedure details the procedure for assigning a guest pass generator role to a user account.
1. Go to Configure > Users.
2. At the bottom of the Internal User Database, click Create New.
3. When the Create New form appears, fill in the text fields with the appropriate entries.
4. Open the Role menu, and choose the assigned role for this user.

NOTE: You can edit an existing user account and reassign the guest pass generator role, if you prefer.
401. the Web interface to set up user accounts for staff and other authorized users, your WLAN can be put to full use, enabling users to share files, print, check email, and more. And as a bonus, guest workers, contractors and visitors can be granted limited controlled access to a separate Guest WLAN with minimal setup. You can now fine-tune and monitor your network through the Web interface, which enables you to customize additional WLANs for authorized users, manage your users, monitor the network's security and performance, and expand your radio coverage, if needed.

Ensuring That APs Can Communicate with ZoneDirector
Before ZoneDirector can start managing an AP, the AP must first be able to discover ZoneDirector on the network when it boots up. This requires that ZoneDirector's IP address be reachable by the AP (via UDP/IP port numbers 12222 and 12223), even when they are on different subnets. This section describes procedures you can perform to ensure that APs can discover and register with ZoneDirector.

NOTE: This guide assumes that APs on the network are configured to obtain IP addresses from a DHCP server. If APs are assigned static IP addresses, they must be using a local DNS server that you can configure to resolve the ZoneDirector IP address using zonedirector.<DNS domain name>, or zonedirector if no domain name is defined on the DNS server.
402. the number of minutes after which ZoneDirector will attempt to reconnect to the primary RADIUS server after failover to the backup server.

Figure 78. Enable backup RADIUS server

Figure 79. Test authentication settings against backup RADIUS server
403. the reach of your wireless network by forming and connecting multiple mesh trees (see Figure 163) to the wired LAN segment. In this topology, all APs connected to the wired LAN are considered Root APs, and any AP not connected to the wired LAN is considered a Mesh AP.

Figure 163. Mesh - standard topology

Wireless Bridge Topology
If you need to bridge isolated wired LAN segments, you can set up a mesh network using the wireless bridge topology. In this topology, ZoneDirector and the upstream router are on the primary wired LAN segment, and another isolated wired segment exists that needs to be bridged to the primary LAN segment. You can bridge these two wired LAN segments by forming a wireless mesh link between the two wired segments, as shown in Figure 164 below.

Figure 164. Mesh - wireless bridge topology

Hybrid Mesh Topology
A third type of network topology can be configured using the Hybrid Mesh concept. Ethernet-connected Mesh APs (eMAP) enable the extension of wireless mesh functionality to a wired LAN segment. An eMAP is a special kind of Mesh AP that uses a wired Ethernet link as its uplink rather than wireless. An eMAP is not considered a Root AP, despite the fact that it discovers ZoneDirector through its Ethernet port. Multiple eMAPs c
404. the service should be made available.
Notes: Add optional notes for this rule.
Click OK to save your changes.
Repeat for any additional rules.
Select the check box next to Enable Bonjour gateway and click the Apply button.

Figure 49. Create a new Bonjour Gateway rule

Example Network Setup
The following example illustrates how ZoneDirector's Bonjour Gateway can be used to allow users to access Bonjour resources on different VLANs in a school setting, where access to certain resources must generally be separated between teachers and students, but where sharing may sometimes be necessary.

Assume a network with three VLANs mapped to separate SSIDs, all on separate subnets or multicast domains. The three segments host different devices for different users:
• Classroom SSID, VLAN 100, WEP authentication: includes an iMac desktop for file sharing and iOS Sync for backup, and an Apple TV attached to a projector.
• Teachers SSID, VLAN 200, 802.1X authentication
405. [Screenshot fragment: WLAN Advanced Options, including the Rate Limiting, Multicast Filter, Access VLAN, Hide SSID, Tunnel Mode, DHCP Relay, Background Scanning, Load Balancing, Max Clients and 802.11d settings]

Enabling Bonjour Gateway
Bonjour is Apple's implementation of a zero-configuration networking protocol for Apple devices over IP. It allows OS X and iOS devices to locate other devices such as printers, file servers and other clients on the same broadcast domain and use the services offered without any network configuration required. Multicast applications such as Bonjour require special consideration when being deployed over wireless networks. Bonjour only works within a single broadcast domain, which is usually a
406. this option, you also need to enter the IP address of the AD server, its port number (default is 389), and its Windows Domain Name.
• LDAP: If you select this option, you also need to enter the IP address of the LDAP server, its port number (default is 389), and its LDAP Base DN.
• RADIUS: If you select this option, you also need to enter the IP address of the RADIUS server, its port number (default is 1812), and its shared secret.
• RADIUS Accounting: If you select this option, you also need to enter the IP address of the RADIUS Accounting server, its port number (default is 1813), and its shared secret.
4. Additional options appear depending on which AAA server Type you have selected. See the respective server type for more information.
5. Click OK to save this server entry. The page refreshes, and the AAA server that you added appears in the list of authentication and accounting servers.

Note that input fields differ for different types of AAA server. ZoneDirector only displays the option to enable Global Catalog support if Active Directory is chosen, for example, and only offers backup RADIUS server options if RADIUS or RADIUS Accounting server is chosen. Also note that attribute formats vary between AAA servers.

NOTE: If you want to test your connection to the authentication server, enter an existing user name and password
407. tion of the reachable wired network hosts in the local network Clients on the

To apply a Device Access Policy to a WLAN:
1. Go to Configure > WLANs.
2. To edit an existing WLAN, click Edit next to the WLAN you want to edit.
3. Expand the Advanced Options, and locate the Access Control section.
4. In Device Policy, select the policy you created from the list.
5. Click OK to save your changes.

Figure 65. Applying a device access policy for a WLAN
408. tions
If WLAN Connection Problems Persist
Measuring Wireless Network Throughput with SpeedFlex
Using SpeedFlex in a Multi-Hop Smart Mesh Network
Allowing Users to Measure Their Own Wireless Throughput
Diagnosing Poor Network Performance
Starting Radio Frequency Scan
Using the Ping and Traceroute Tools
Generating a Debug File
Viewing Current System and AP Logs
Packet Capture and Analysis
Local Capture
Streaming Mode
Importing a Script
Enabling Remote Troubleshooting
Restarting an Access Point
Restarting ZoneDirector
Smart Mesh Networking Best Practices
Choosing the Right AP Model for Your Mesh Network
Calculating the Number of APs Required
Placement and Layout Considerations
Signal Quality Verification
Mounting and Orientation of APs
Indoor APs Typical Case Hori
409. tle or no assistance from the IT department. Zero IT client device configuration requires that the client be running a compatible operating system and using a wireless network adapter that implements WPA encryption. If you and your WLAN users run into initial connection failures when using the Zero IT configuration and login, almost all of the problems have two key causes:
• Your users' client devices are running another OS or running a version of Windows pre-XP SP2. This includes XP SP1.
• Your users' client devices are using wireless network adapters without a WPA implementation.
The following list of options may be applicable based on your client system's qualifications:
• Option 1: If Windows XP SP2/Vista/7 is on the client machine, check the wireless network adapter to verify the implementation of WPA.
• Option 2: Upgrade to Windows 7 and, if needed, acquire a wireless network adapter with WPA support. Once these changes are made, your users can attempt Zero IT activation again.
• Option 3: If an older version of Windows is in use, or if another OS is being used, the user must manually enter the Ruckus WPA passphrase in their network configuration (see Provisioning Clients that Do Not Support Zero IT on page 237).
• Option 4: If the client's OS cannot be upgraded and the wireless adapter is limited to WEP, you will need to do the following:
• Create an additional WLAN for non-standard client connections, then create a R
410. to allow multiple users to share a single guest pass. This option will only be available if you allowed multiple users to share a single guest pass on the Configure > Guest Access page.
Session: Enable this check box and select a time increment after which guests will be required to log in again. If this feature is disabled, connected users will not be required to re-log in until the guest pass expires.
Click Next. The Guest Pass Generated page appears.
In the drop-down menu, select the guest pass instructions that you want to print out. If you did not create custom guest pass printouts, select Default.
9. Click Print Instructions. A new browser page appears and displays the guest pass instructions. At the same time, the Print dialog box appears.
10. Select the printer that you want to use, and then click OK to print the guest pass instructions.
You have completed generating and printing a guest pass for your guest user.
Figure 157. The Guest Pass Generated page with customized key
Figure 158. Sample guest pass printout
Connecting as a Guest to the Corporate Wireless Network Greetings Joe Guest You have been granted access to the co
411. to create multiple Dynamic PSKs at once. You can specify the number of DPSK or upload a profile file (csv) which contains information necessary to create DPSKs. Once the generation is done, a result file will be downloaded for your reference. To download an example of profile, click here. The maximum allowable number of DPSKs is 1000.
Bypass Apple CNA Feature: Select any of the following authentication mechanisms that you want to bypass Apple Captive Network Assistance (CNA) on iDevices and OS X machines: Web Authentication, Guest Access, Hotspot service.
NOTE: If you change the dynamic PSK expiration period, the new expiration period will only be applied to new PSKs. Existing PSKs will retain the expiration period that was in effect when the PSKs were generated. To force expiration, go to Monitor > Generated PSK/Certs.
Generating Multiple Dynamic PSKs
If you will be generating DPSKs frequently (for example, to configure school-owned laptops in batch), you may want to generate multiple DPSKs at once and distribute them to your users in one batch. Before performing this procedure, check your WLAN settings and make sure that the Dynamic PSK check box is selected.
To generate multiple dynamic PSKs:
1. Go to Configure > WLANs.
2. Scroll down to the Dyna
412. traffic over guest WLAN traffic, for example, you can set the WLAN priority in the WLAN configuration settings to high or low. By default, all WLANs are set to high priority.
To set a specific WLAN to lower priority:
1. Go to Configure > WLANs.
2. Click the Edit link next to the WLAN for which a lower priority will be set.
3. Select Low next to Priority and click OK.
Load Balancing
Enabling load balancing can improve WLAN performance by helping to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle. The load balancing feature can be controlled from within ZoneDirector's Web interface to balance the number of clients per radio on adjacent APs. Adjacent APs are determined by ZoneDirector at startup by measuring the RSSI during channel scans. After startup, ZoneDirector uses subsequent scans to update the list of adjacent radios periodically and when a new AP sends its first scan report. When an AP leaves, ZoneDirector immediately updates the list of adjacent radios and refreshes the client limits at each affected AP. Once ZoneDirector is aware of which APs are adjacent to each other, it begins managing the client load by sending desired client limits to the APs. These limits are soft values that can be exceeded in several scenarios, including: (1) when a client's signal is so weak that it may not be able to support a link with another AP, and (2) when a client's signal is s
413. troller and its physical IP address
3. When you import the wildcard certificate into the ZoneDirectors, you will be prompted to enter the host name. Make sure you use the same host name as you will advertise in DNS for that ZoneDirector (the default is the same configured ZoneDirector name).
NOTE: Currently it is not possible to support this configuration with the Hotspot captive portal when it is being used for Zero IT activation through the ZoneDirector, because the FQDN for the activate URL is identical on both ZoneDirectors. To achieve this, use the Onboarding Portal feature for Zero IT activation.
Using an External Server for Administrator Authentication
ZoneDirector supports additional administrator accounts that can be authenticated using an external authentication server such as RADIUS, LDAP, Active Directory, or TACACS. Three types of administrative privileges can be assigned to these administrator accounts:
• Super Admin: Allows all types of configuration and management tasks.
• Operator Admin: Allows AP configuration only.
• Monitoring Admin: Allows monitoring operations only.
This section provides basic instructions for setting up ZoneDirector to authenticate additional administrator accounts with an external authentication server. For more information on AAA server configuration, see Using an Externa
414. twork performance automatically adjust AP radio power to optimize coverage when interference is present. Two modes are available to automatically adjust AP channels for self-healing and performance optimization: Background Scanning will change AP channel when interference is present. ChannelFly constantly monitors potential throughput and will change channels to learn, optimize throughput, and avoid interference.
• Automatically adjust 2.4GHz channels using Background Scanning
• Automatically adjust 5GHz channels using Background Scanning
Background Scanning: Background scans are performed by APs to evaluate radio channel usage. The process is progressive; one frequency is scanned at a time. This scanning enables rogue device detection, AP locationing, and self-healing.
• Run a background scan on 2.4GHz radio every 2000 seconds
• Run a background scan on 5GHz radio every 2000 seconds
To view all WLANs with background scanning off, click here.
Radar Avoidance Pre-Scanning
Background Scanning
Using Background Scanning, ZoneDirector regularly samples the activity in all Access Points to assess RF usage, to detect rogue APs, and to determine which APs are near each other for mesh optimization. These scans sample one channel at a time in each AP so as not to interfere with network use. This information is then applied in AP Monitoring and other ZoneDirector monitoring features. You
415. u select TKIP encryption, 11n devices will be limited to 11g transfer rates. Furthermore, the Wi-Fi Alliance will be mandating the removal of TKIP, so it should not be used.
• AES: This algorithm provides enhanced security over TKIP, and is the only encryption algorithm supported by the 802.11i standard. Choose AES encryption if you are confident that all of your clients will be using 802.11i-compliant NICs.
• Auto: Automatically selects TKIP or AES encryption based on the client's capabilities. Note that since it is possible to have clients using both TKIP and AES on the same WLAN, only unicast traffic is affected (broadcast traffic must fall back to TKIP); therefore, transmit rates of broadcast packets from 11n APs will be at lower 11g rates.
CAUTION: If you set the encryption algorithm to TKIP and you are using an 802.11n AP for the WLAN, the WLAN will operate in 802.11g mode.
CAUTION: If you set the encryption algorithm to TKIP, the AP will only be able to support up to 26 clients. When this limit is reached, additional clients will be unable to associate with the AP.
WEP Key/Passphrase
• WEP Key (WEP methods only): Click in the Hex field and type the required key text. If the key is for WEP-64 encryption, the key text must consist of 10 hexadecimal characters. If it is for WEP-128 encryption, enter a key 26 characters in length. Alternatively, click Generat
416. Setting the System Time
The internal clock in ZoneDirector is automatically synchronized with the clock on your administration PC during the initial setup. You can use the Web interface to check the current time on the internal clock, which shows up as a static notation in the Configure tab workspace. If this notation is incorrect, you can re-synchronize the internal clock to your PC clock immediately by clicking the Sync Time with Your PC button. A preferable option is to link your ZoneDirector to an NTP server (as detailed below), which provides continual updating with the latest time.
1. Go to Configure > System.
2. In the System Time features, you have the following options:
• Refresh: Click this to update the ZoneDirector display (a static snapshot) from the internal clock.
• Synch Time with your PC Now: If needed, click this to update the internal clock with the current time settings from your administration PC.
• Use NTP (Enabled by default): Clear this check box to disable this option, or enter the DNS name or IP address of your preferred NTP server to use a different one.
• Select time zone for your location: Choose your time zone from the drop-down menu. Setting the proper time zone ensures that timestamps on log files are in the proper time zone.
3. Click Apply to save the results of any resynchronization or NTP links.
417. uest WLAN
• If you want multiple guests to be able to use the same guest pass simultaneously, select the Allow multiple users to share a single guest pass check box.
• No authentication: Do not require redirection and guest pass validation.
3. Under Terms of Use, select the Show terms of use check box to require the guest user to read and accept your terms of use prior to use. Type (or cut and paste) your terms of use into the large text box.
4. Under Redirection, select one of the following radio buttons to use/not use redirection:
• Redirect to the URL that the user intends to visit: Allows the guest user to continue to their destination without redirection.
• Redirect to the following URL: Redirect the user to a specified Web page (entered into the text box) prior to forwarding them to their destination. When guest users land on this page, they are shown the expiration time for their guest pass.
5. Click Apply to save your settings.
Figure 153. The Guest Access page
418. unnel Mode WLANs. For more information, see Configuring DHCP Relay on page 81.
• Background Scanning: Background scanning enables the Ruckus Wireless access points to continually scan for the best (least interference) channels and adjust to compensate. However, disabling Background Scanning may provide better quality (lower latency) for time-sensitive applications like voice conversations. If this WLAN will be used primarily as a voice network, select this check box to disable Background Scanning for this WLAN. You can also disable Background Scanning per radio (see Background Scanning on page 90).
• Load Balancing: Client load balancing between APs is disabled by default on all WLANs. To disable load balancing for this WLAN, check this box. Ruckus Wireless recommends disabling load balancing on WLANs used for voice. For more information, see Load Balancing on page 206.
• Max Clients: Limit the number of clients that can associate with this WLAN per AP radio (default is 100). You can also limit the total number of clients per AP using the AP Groups settings. See Modifying Model Specific Controls on page 186 for more information.
• 802.11d: The 802.11d standard provides specifications for compliance with additional regulatory domains (countries or regions) that were not defined in the original 802.11 standard. Enable this option if you are operating in one of these add
419. ur Wireless Network Monitoring Access Point Status
This column displays the public IP and port number for APs connected via Layer 3 behind a NAT device.
VLAN: The VLAN ID, if configured.
Channel: Displays the channel number and channel width. On dual-band APs, details for each radio are shown.
Clients: The number of clients currently connected to this AP.
Action: These icons allow you to configure and troubleshoot APs individually. See Using Action Icons to Configure and Troubleshoot APs in a Mesh on page 283.
Events/Activities: This table displays an AP-related subset of the information on the Monitor > All Events/Activities page.
Monitoring Individual APs
When you click on the MAC address of any AP, the Monitor > Access Points page changes to a detailed view of information related to that AP. The Monitor > Access Points > MAC Address page provides the following details on the specific AP:
Table 30. AP Information details
Heading: Description
General: Displays general information on the AP, including software version, IP address, and model number.
Info: Displays uptime, clients, and mesh status.
Actions: Action icons provide tools for managing the AP (see Using Action Icons to Configure and Troubleshoot APs in a Mesh). On supported APs, an additional Spectrum Analysis icon launches the spectrum analysis tool
420. ure > Roles and create a Role based on this User Group (see Creating New User Roles on page 240).
• Click the Create New link in the Roles section.
• In the Group Attributes field, enter Group attributes exactly as they were returned from the Test Authentication Settings dialog.
• Specify WLAN access, Guest Pass generation, and ZoneDirector administration privileges as desired for this Role.
At this point, any user who logs in and is authenticated against your LDAP server with the same Group credentials will automatically be assigned to this Role.
RADIUS / RADIUS Accounting
Remote Authentication Dial-In User Service (RADIUS) user authentication requires that ZoneDirector know the IP address, port number, and Shared Secret of the RADIUS/RADIUS Accounting server. When an external RADIUS/RADIUS Accounting server is used for authentication or accounting, user credentials can be entered as a standard username/password combination, or client devices can be limited by MAC address. If using MAC address as the authentication method, you must enter the MAC addresses of each client on the AAA server, and any clients attempting to access your WLAN with a MAC address not listed will be denied access. A RADIUS/RADIUS Accounting server can be used with 802.1X, MAC authentication, Web authentication (captive portal), and Hotspot WLAN types.
To configure a RADIUS/RADIUS Accounting server entry in ZoneDirector:
1. Go to Configure > AAA Servers.
2
421. ure 93 Assign a WLAN group to an AP
Viewing a List of APs That Belong to a WLAN Group
1. Go to Monitor > WLANs.
2. Under Currently Active WLAN Groups, click the WLAN group name for which you want to view the member AP list.
3. On the page that loads, look for the Member APs section. All APs that belong to this WLAN group are listed.
Deploying ZoneDirector WLANs in a VLAN Environment
NOTE: Configuring VLANs for ZoneDirector Access Points and wireless clients is not required for normal operation, and should not be undertaken without a thorough understanding of your network's VLAN environment and switch port configuration.
You can set up a ZoneDirector wireless LAN as an extension of a VLAN network environment by tagging wireless client traffic to specific VLANs. Qualifications include the following:
• Verifying that the VLAN switch supports nat
422. ure a smooth deployment
Ensure that the APs that will form the mesh are of the same radio type
• 802.11g APs can only mesh with other 11g APs.
• Single-band 11n APs can only mesh with other single-band 11n APs.
• Dual-band 11n APs can only mesh with other dual-band 11n APs.
Plan Your Wireless Mesh Network
Survey your deployment site, decide on the number of APs that you will deploy (including the number of Root APs and Mesh APs), and then create a simple sketch of where you will deploy each Root AP and Mesh AP. Remember that Root APs need to be connected to ZoneDirector via their Ethernet ports. Make sure that the Root AP locations can be wired easily, if cabling is not yet available.
Make Sure That Your Access Points Support Mesh Networking
Verify that the access points that you are planning to include in your wireless mesh network all provide mesh capability. Note that only firmware versions 6.0.0.0 and later (for both ZoneFlex and ZoneDirector) support mesh networking.
Enable Auto Approval
If you do not want to have to manually approve the join requests from each mesh AP when they start forming the wireless mesh, you can enable Auto Approval. For instructions on how to enable Auto Approval, see Adding New Access Points to the Network on page 180.
Step 2: Enable Mesh Capability on ZoneDirector
If you did not enable mesh capability on ZoneDirector when you completed the Setup Wizard, you can enable it on the Configure > Mes
423. usion Prevention feature are not added to the Blocked Clients list under Monitor > Access Control.
3. Click Apply to save your changes.
Figure 59. Denial of Service (DoS) prevention options
424. vention section, configure the following settings:
• Enable report rogue devices: Enabling this check box allows ZoneDirector to include rogue device detection in logs and email alarm event notifications.
• Report all rogue devices: Send alerts for all rogue AP events.
• Report only malicious rogue devices of type: Select which event types to report.
• Protect the network from malicious rogue access points: Enable this feature to automatically protect your network from network-connected rogue APs, SSID-spoofing APs, and MAC-spoofing APs. When one of these rogue APs is detected (and this check box is enabled), the Ruckus AP automatically begins sending broadcast de-authentication messages spoofing the rogue's BSSID (MAC) to prevent wireless clients from connecting to the malicious rogue AP. This option is disabled by default.
2. Click the Apply button that is in the same section to save your changes.
Figure 60. Intrusion Prevention options
425. ver type.
Active Directory
In Active Directory, objects are organized in a number of levels such as domains, trees, and forests. At the top of the structure is the forest. A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration. In a multi-domain forest, each domain contains only those items that belong in that domain. Global Catalog servers provide a global list of all objects in a forest. ZoneDirector support for Active Directory authentication includes the ability to query multiple Domain Controllers using Global Catalog searches. To enable this feature, you will need to enable Global Catalog support and enter an Admin DN (distinguished name) and password.
Depending on your network structure, you can configure ZoneDirector to authenticate users against an Active Directory server in one of two ways:
• Single Domain Active Directory Authentication
• Multi-Domain Active Directory Authentication
Single Domain Active Directory Authentication
To enable Active Directory authentication for a single domain:
1. Go to Configure > AAA Servers.
2. Click the Edit link next to Active Directory.
3. Do not enable Global Catalog support.
4. Enter the IP address and Port of the AD server. The default Port number (389) should not be changed unless you have configured your AD server to use a different port.
426. vice access policy and data source precedence
Blocked Clients: This table lists client devices that are blocked from the WLAN. To unblock a client and allow it to access the WLAN, delete it from the list. To view a list of currently active clients, click here.
Using an External AAA Server
If you want to authenticate users against an external Authentication, Authorization, and Accounting (AAA) server, you will need to first configure your AAA server, then point ZoneDirector to the AAA server so that requests will be passed through ZoneDirector before access is granted. This section describes the tasks that you need to perform on ZoneDirector to ensure ZoneDirector can communicate with your AAA server.
NOTE: For specific instructions on AAA server configuration, refer to the documentation that is supplied with your server.
ZoneDirector supports four types of AAA server:
• Active Directory
• LDAP
• RADIUS / RADIUS Accounting
• TACACS
A maximum of 32 AAA server entries can be created, regardless of ser
427. vices Using an External AAA Server
Table 17. RADIUS attributes used in authentication
WLAN Type: 802.1X / MAC Auth
Attributes: Sent from RADIUS server in Access Accept messages:
• (1) User name
• (25) Class
• (27) Session timeout & (29) Termination action: Session timeout event becomes a disconnect event or re-authentication event if termination action indicates (1) radius request
• (85) Acct interim interval
For Dynamic VLAN application:
• (64) Tunnel Type: value only relevant if it is (13) VLAN
• (65) Tunnel Medium Type: value only relevant if it is (6) 802 (as in all 802 media plus ethernet)
• (81) Tunnel Private Group ID: this is the VLAN ID assignment (per RFC, this is between 1 and 4094)
WLAN Type: Administrator Authentication
Attributes: Ruckus private attribute:
• Vendor ID: 25053
• Vendor Type / Attribute Number: 1 (Ruckus User Groups)
• Value Format: group_attr1 group_attr2 group_attr3
Cisco private attribute:
• Vendor ID: 9
• Vendor Type / Attribute Number: 1 (Cisco AVPair)
• Value Format: shell roles group_attr1 group_attr2 group_attr3
WLAN Type: WISPr / Web Auth / Guest Access
Attributes: Additional attributes supported in WISPr WLANs (generic attributes NOT the same as non-WISPr 802.1X):
• (1) User name
• (2) Password or (3) CHAP Password
• (4) NAS IP Address
• 6
428. viewing Current User Activity
You can monitor current wireless users on a per-client basis by doing the following:
1. Go to Monitor > Currently Active Clients.
2. When the Currently Active Clients page appears, review the table for a general survey.
3. Click any client device MAC address link to monitor that client in more detail.
Additionally, you can perform a number of actions on individual clients from this page, including blocking unauthorized clients, deleting clients from the table (which will allow them to attempt to reconnect), testing throughput using SpeedFlex, and testing connectivity using Ping and Traceroute. To review blocked clients, go to Configure > Access Control > Blocked Clients.
Monitoring Individual Clients
You can monitor individual wireless clients by clicking on the MAC address of any connected client from the Currently Active Clients page, the All Events/Activities page, and other tables where client information is displayed.
To view detailed information about a specific client:
1. Go to Monitor > Currently Active Clients.
2. Click the link for the MAC address of the client you want to monitor. The page refreshes to display a page of client-specific information and statistics.
The Monitoring > Currently Active Clients > client MAC address page displays the following information about the connected client:
Table 28 Clie
429. wer (embedded on the Power button)
• Solid Green: ZoneDirector is receiving power.
• Off: ZoneDirector is NOT receiving power. If the power cable or adapter is connected to a power source, verify that the power cable is connected properly to the power jack on the rear panel of ZoneDirector.
Status
• Solid Green: Normal state.
• Flashing Green: ZoneDirector has not yet been configured. Log into the Web interface, and then configure ZoneDirector using the setup wizard.
• Red: ZoneDirector has shut down, but is still connected to a power source.
• Flashing Red: ZoneDirector is starting up or shutting down.
Table 2. ZoneDirector 1100 front panel LEDs
LED Label / State / Meaning
Ethernet Link
• Solid Green or Amber: The port is connected to a device.
• Flashing Green or Amber: The port is transmitting or receiving traffic.
• Off: The port has no network cable connected or is not receiving a link signal.
Ethernet Rate
• Green: The port is connected to a 1000Mbps device.
• Amber: The port is connected to a 100Mbps or 10Mbps device.
ZoneDirector 3000
This section describes the following physical features of ZoneDirector 3000:
• Buttons, Ports, and Connectors
• Front Panel LEDs
Figure 2. ZoneDirector 3000
430. whose priority levels are the same as or lower than the configured level.
5. Repeat step 4 for Managed AP Settings. ZoneDirector and Access Points can use different facility and priority settings. All managed APs share the same facility and priority settings.
Figure 39. Remote Syslog Advanced Settings
431. ws 00:00:00:00:00:00 for all users When a user of the device that he used will be permanently associated with the dynamic PSK that he used
To enable wireless users to access the wireless network, you need to send them the following information:
• WLAN Name: This is the WLAN with which they are authorized to access and use the dynamic PSK that you generated (passphrase).
• Passphrase: This is the network key that the user needs to enter on his WLAN configuration client to access the WLAN.
• Expiration (Optional): This is the date when the passphrase/network key will expire. After this date, the user will no longer be able to access the WLAN using the same passphrase/network key.
Alternatively, you can allow users to automatically self-provision their clients using Zero IT, as described in Enabling Automatic User Activation with Zero IT on page 234.
Creating a Batch Dynamic PSK Profile
1. In the Dynamic PSK Batch Generation section, look for the following message: To download an example of profile, click here.
2. Click the click here link to download a sample profile.
3. Save the sample guest pass profile (in CSV format) to your computer.
4. Using a spreadsheet application, open the CSV file and edit the batch dynamic PSK profile by filling out the following columns:
• User Name (Required): Type the name of the user (one name per row).
• MAC Add
432. Your Guest WLAN is now ready for use. To configure guest access policies, see Configuring System Wide Guest Access Policies on page 254.
Onboarding Portal
The Onboarding Portal feature provides a series of intuitive option screens allowing mobile users to self-configure their mobile devices the first time they connect to an Open/Guest WLAN.
To enable the Onboarding Portal for mobile devices:
1. Go to Configure > Guest Access.
2. Enable the check box next to Onboarding Portal.
3. Click Apply.
Figure 149. Enable Onboarding Portal
433. y to save your changes. 7. Once all the APs, WLANs, WLAN groups and AP groups have been deployed on the primary ZoneDirector(s), back up the AP configurations for each primary controller by going to Administer > Backup and clicking the Backup button under Back Up Configuration. NOTE: You should also configure the same exact settings for WLANs, WLAN groups, AP Groups, Mesh settings and AAA servers on the backup controller prior to importing AP lists. If you do, the APs will be automatically mapped to their respective settings on the backup controller. If you do not configure these settings first before importing AP lists, you will need to configure them for each AP after importing. For example, you will need to manually move APs into their respective AP groups from the System Default group if you did not create the AP groups prior to importing. 8. Log into the secondary/backup ZoneDirector and go to Configure > Access Points. 9. Import the AP lists that you backed up from the primary ZoneDirectors by selecting Import this backup file and additional backup file(s) and clicking Import. 10. Repeat until all backup files have been imported. 11. Go to Configure > Access Points > Access Point Policies and enable the check box next to Keep AP's Primary and Secondary ZD Settings. This ensures that the APs' primary/secondary ZD settings will not be overwritten by the secondary ZoneDirector's configuration after failover to the secon
434. [Figure: Hotspot Services configuration form, with sections Start Page, User Session, Authentication/Accounting Servers, Wireless Client Isolation, Location Information, Walled Garden, Restricted Subnet Access and Advanced Options] NOTE: If ZoneDirector is located behind a NAT device and signed certificates are used with portal authentication, a static entry must be added to the DNS server to resolve ZoneDirector's private IP address to its FQDN. Otherwise, client browsers may enter an infinite redirect loop and be unable to reach the login page. Before the signed certificate gets added, the client gets redirected to the IP address of the ZD instead of the FQDN. Assigning a WLAN to Provide Hotspot Service: After you create a hotspot service, you need to specify the WLANs to which you want to deploy the hotspot configuration. To configure an existing WLAN to provide hotspot service, do the following:
435. you click DHCP Auto Configuration no Manual entri [Figure: IPv4/IPv6 device IP configuration and Management Interface settings form] Enabling an Additional Management Interface: The additional management interface is created for receiving and transmitting management traffic only. The management IP address can be configured to allow an administrator to manage ZoneDirector from its management VLAN, thereby separating management traffic from LWAPP traffic between the controller and the access points. The Management IP can be reached anywhere on the network as long as it is routable via the default Gateway configured in Device IP Settings. It can also be used for Smart Redundancy; when two redundant ZoneDirectors are deployed, you can create a separate management interface to be shared by both devices. Then you only have to remember one IP address that y
436. your internal WLAN, click the Map View icon for a device to open the Map View. Open the Map View and look for rogue AP icons. This provides a clue to their location. You can now find the rogue APs and disconnect them. Or, if a rogue AP is actually a component of a neighboring network, you can mark it as known. NOTE: If your office or worksite is on a single floor in a multistory building, your upper and lower floor neighbors' wireless access points may show up on the Map View, but seemingly in your site. As the Map View cannot locate them in vertical space, you may need to do a bit more research to determine where the AP is located and if it should be marked as Known. NOTE: To assist in physically locating rogue devices, click the plus sign icon next to a detected rogue AP. This expands a list to display which ZoneFlex APs have detected this rogue, sorted according to signal strength. [Figure 137. Monitoring Rogue Access Points] Rogue Devices: This table lists unknown access points that might pose a security threat to your network if connected to the LAN. If a rogue device neither poses a threat nor interferes with network coverage, click Mark as known, which neutralizes that AP's effect on ZoneDirector and on Web interface monitoring. if a rogue device is de
437. ysical Features. Buttons, Ports, and Connectors: Table 3 describes the buttons, ports and connectors on ZoneDirector 3000. Table 3. Buttons, ports, and connectors on ZoneDirector 3000 (Label: Meaning). Power: Located on the rear panel. Press this button to power on ZoneDirector. F/D: To reset ZoneDirector to factory default settings, press the F/D button for at least five (5) seconds. For more information, refer to Alternate Factory Default Reset Method on page 298. WARNING: Resetting ZoneDirector to factory default settings will erase all configuration changes that you have made. Reset: To restart ZoneDirector, press the Reset button once for less than two seconds. USB: For Ruckus Wireless Support use only. Console: RJ-45 port for accessing the ZoneDirector command line interface. 10/100/1000 Ethernet: Two auto-negotiating 10/100/1000Mbps Ethernet ports. For information on what the two Ethernet LEDs indicate, refer to Table 4. Front Panel LEDs: Table 4 describes the LEDs on the front panel of ZoneDirector 3000. Table 4. ZoneDirector 3000 front panel LEDs (LED Label, State: Meaning). Power, Green: ZoneDirector is receiving power. Power, Off: ZoneDirector is NOT receiving power. If the power cable or adapter is connected to a power source, verify that the power cable is connected properly to the power jack on the rear panel of ZoneDirector.
438. zontal Orientation; Indoor APs Vertical Orientation; Outdoor APs Typical Horizontal Orientation; Elevation of RAPs and MAPs; Best Practice Checklist; Index. Introducing Ruckus Wireless ZoneDirector. In This Chapter: Overview of ZoneDirector; ZoneDirector Physical Features; Introduction to the Ruckus Wireless Network; Ensuring That APs Can Communicate with ZoneDirector; Installing ZoneDirector; Using the ZoneDirector Web Interface; Registering Your Product. Overview of ZoneDirector: Ruckus Wireless ZoneDirector serves as a central control system for Ruckus ZoneFlex Access Points (APs). ZoneDirector provides simplified configuration and updates, wireless LAN security control, RF management, and automatic coordination of Ethernet-connected and mesh-connected APs. Using ZoneDirector in combination with Ruckus Wireless ZoneFlex APs allows deployment of a Smart Mesh network to extend wireless coverage throughout a location without having to physically connect each AP to Ethernet. In a Smart Mesh network, the APs form