Creating a Network That Uses a Captive Portal with SAML Identity Provider (IdP)
You can create a captive portal network that lets users join by signing in through an organization-based SAML Identity Provider (IdP), providing secure Single Sign-On (SSO) with their existing credentials.
- On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
  The Wi-Fi Networks page is displayed.
- Click Add Wi-Fi Network. Alternatively, select an existing Captive Portal Wi-Fi network with the SAML IdP setting that you want to copy and click Clone at the top of the table.
  The Create New Network page is displayed.
- Complete the settings on the Network Details page:
  - Network Name: Enter a name (from 2 through 32 characters) that you want to assign to the network.
  - Set different SSID: Use this option to configure an SSID different from the network name. For SSID, enter an SSID name (from 2 through 32 characters and up to 32 bytes when using UTF-8 non-Latin characters).
  - Description: Enter an optional description (up to 256 characters).
  - Network Type: Click Captive Portal. A structure diagram of the Captive Portal network type is displayed.
- Click Next.
  The Portal Type page is displayed.
- Click SAML Identity Provider (IdP).
  The Captive Portal SAML Identity Provider (IdP) network type diagram is displayed.
  Figure: Creating a SAML Identity Provider (IdP) Captive Portal Network Type
- Click Next.
  The Onboarding page is displayed.
- Complete the following settings on the Onboarding page:
  - Select Identity Provider (IdP) via SAML: Select a SAML IdP profile from the drop-down list or click Add to create a new SAML IdP profile (refer to Adding and Managing a SAML Identity Provider Profile). If you select an existing profile, you can click View Details to view the SAML IdP Details in a sidebar without leaving the network creation wizard.
  - Identity Group: Select an identity group profile or click Add to create a new SAML Identity Group profile. Refer to Adding an Identity Group for more information.
  - (Optional) Secure your network: Select one of the following options:
    - None (default): No encryption method is used.
    - Pre-Share Key (PSK): Select Pre-Share Key (PSK) and select a Security Protocol for the network:
      - WPA2 (Recommended) (default): Encrypts traffic using the WPA2 standard, which complies with the IEEE 802.11i security standard. Select WPA2 (Recommended) and enter a passphrase of at least eight characters in the Passphrase field.
      - WPA3: The WPA3 standard has several security enhancements compared to WPA2. Select WPA3 and enter a passphrase of at least eight characters in the SAE Passphrase field.
        The IEEE 802.11ax (Wi-Fi 6E) and IEEE 802.11be (Wi-Fi 7) APs support only WPA3. The 6 GHz radios are supported with WPA3 only.
      - WPA2/WPA3 mixed mode: Allows mixed networks of WPA2- and WPA3-compliant devices, ensuring compatibility. Select WPA2/WPA3 mixed mode and enter a passphrase of at least eight characters in each of the WPA2 Passphrase and WPA3 SAE Passphrase fields.
    - OWE Encryption: Opportunistic Wireless Encryption (OWE) provides encrypted communications for open Wi-Fi networks without needing passwords. Choose this option to allow users to access the network without entering a password for authentication.
    - OWE Transition mode: Enables a seamless transition from open, unencrypted WLANs to OWE WLANs without adversely impacting the end-user experience. The OWE Transition mode setting is not visible unless OWE Encryption is enabled.
      Note: OWE Transition mode allows STAs that do not support OWE authentication to access the network in open authentication mode, while OWE-capable STAs use OWE authentication mode.
      The migration to an enhanced open Wi-Fi network is done gradually, as user devices are upgraded over time. In OWE Transition mode, an AP creates two SSIDs: SSID1 (broadcast) for open authentication and SSID2 (hidden) for OWE authentication (read only). Non-OWE devices connect to SSID1, while OWE-capable devices initially connect to SSID1 but are then associated with SSID2 for secure access.
      If SSID1 is deleted or OWE Transition mode is disabled, SSID2 is also deleted. Cloning SSID1 creates two new WLANs.
      Note: SSID1 and SSID2 co-exist as a pair, and a maximum of six WLANs can be created per venue, per AP group.
  - (Optional) Redirect users to: Select the Redirect users to checkbox and enter a valid URL.
    You can redirect users to your company website or another URL after they log in successfully. If the checkbox is not selected, users are sent to the page they originally requested.
  - (Optional) Enable RUCKUS DHCP service: Select the Enable RUCKUS DHCP service checkbox to automatically create and assign a new DHCP-Guest Service and DHCP Pool for those Guest WLAN-related venues that do not have a specified DHCP Service. Refer to the DHCP Service of each Venue for more information.
  - (Optional) Use Bypass Captive Network Assistant: Select the Use Bypass Captive Network Assistant checkbox to prevent the controller from using the mini browser on mobile devices. Instead, with CNA bypass enabled, a standard browser is opened for any unauthenticated page (HTTP) and redirected to the login portal. Bypass CNA is supported by iOS and Android devices.
  - Walled Garden: Enter the network destinations (URLs or IP addresses) of the IdP server to allow communication between RUCKUS One and the IdP. A walled garden is a limited environment to which an unauthenticated user is given access in order to set up an account. After the account is established, the user is allowed out of the walled garden.
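The Walled Garden entries must cover every host the unauthenticated client's browser contacts while completing the SAML login, otherwise the redirect to the IdP fails before the user can sign in. The following Python script is an added example, not RUCKUS code or part of this guide: it reads SAML IdP metadata (the constructed sample below describes a hypothetical IdP at idp.example.org and login.example.org), collects the hostnames of every protocol endpoint (SingleSignOnService, SingleLogoutService, and so on), and flags any endpoint that is not served over HTTPS. The resulting hostnames are candidates for the walled-garden list.

```python
"""Derive walled-garden hostnames for a SAML IdP captive portal from IdP metadata.

Added example; the metadata below is constructed for a hypothetical IdP and does
not come from any real deployment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample SAML 2.0 IdP metadata (hypothetical hosts).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.org/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return every endpoint URL declared in a Location attribute of the metadata.

    The walk is namespace-agnostic on purpose: SAML metadata may declare
    SingleSignOnService, SingleLogoutService, ArtifactResolutionService and
    other endpoints, and all of them carry the URL in a Location attribute.
    """
    root = ET.fromstring(metadata_xml)
    return [el.get("Location") for el in root.iter() if el.get("Location")]


def walled_garden_hosts(metadata_xml):
    """Return (hosts, warnings).

    hosts    -- set of lower-cased hostnames the client must be able to reach
                before authentication (candidates for the Walled Garden list).
    warnings -- endpoints that are not HTTPS; a plaintext SSO endpoint would
                expose the SAML exchange on an open guest network.
    """
    hosts = set()
    warnings = []
    for location in endpoint_locations(metadata_xml):
        parts = urlsplit(location)
        if parts.scheme.lower() != "https":
            warnings.append(f"non-HTTPS SAML endpoint: {location}")
        if parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts, warnings


def format_allow_list(hosts):
    """Render the hostnames one per line, sorted, ready to paste into the UI."""
    return "\n".join(sorted(hosts))


if __name__ == "__main__":
    hosts, warnings = walled_garden_hosts(SAMPLE_METADATA)
    print("Walled Garden candidates:")
    print(format_allow_list(hosts))
    for warning in warnings:
        print("WARNING:", warning)
```

The metadata lists only the protocol endpoints. The IdP's login page itself may load scripts, images or an MFA prompt from further hosts (a CDN or a second-factor provider, for example); capture those from a browser's network log during a test login and add them to the Walled Garden as well, or the sign-in page renders incompletely for unauthenticated clients.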
- (Optional) Click Show more settings.
  By default, the VLAN sub-tab is displayed. Each sub-tab includes additional Wi-Fi configuration options. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.
  Note: In the User Connection sub-tab, for Max number of devices per credentials, you can set the maximum number of devices that may use the same SAML IdP login credentials. The default is 1; the allowed values are 1 through 10.
  Note: The video Demonstration of Advanced Settings for a Wi-Fi Network explains the advanced settings for a Wi-Fi network and walks you through the process of configuring them.
- Click Next.
  The Portal Web Page is displayed.
  - Under Guest Portal Service, select a Guest Portal Service from the drop-down list or click Add Guest Portal Service to add a new Guest Portal Service. The Guest Portal Service is where you define the look and feel of the web page that the guest uses to join the captive portal network. For more information, refer to Adding a Guest Portal Service.
- Click Next.
  The Venues page is displayed.
- Complete the following steps to configure a venue:
  - Select the venues in which you want to activate this network:
    - To activate the network in all your venues, select the checkbox beside Venue at the top of the table and click Activate.
    - To activate the network in a specific venue, locate the venue in the list and toggle on the switch in the Activated column.
    The APs, Radios, Scheduling, and Network Tunneling columns of the selected venue are displayed in the table.
    Figure: Select Venues to Activate a Captive Portal Network
  - By default, this network configuration applies to all APs and all radio bands supported by the APs. To select specific AP groups or modify the radio bands that will broadcast this network, complete one of the following steps:
    - Click All APs in the APs column. The Select APs dialog box is displayed. Select All APs to activate this network on all current and future APs at this venue. You can also remove or add any AP-supported radio bands in the Radio Band drop-down list, giving you the flexibility of broadcasting this network only on the selected radio bands.
      Figure: Select APs Dialog Box
    - Click Select specific AP groups to activate this network on specific AP groups, including any AP that is added to the selected AP groups in the future. The APs not assigned to any group option is displayed. After APs not assigned to any group is selected, the VLAN and Radio Band options are displayed.
      Figure: Selecting Specific AP Groups
      - In the VLAN option, VLAN-1 is selected by default. Click the icon and configure the VLAN or VLAN pool for the selected AP group.
      - In the Radio Band option, remove or add any AP-supported radio bands in the drop-down list for the selected AP group.
      - Click Apply.
  - By default, this network configuration is scheduled for 24/7. To configure Scheduling, complete the following steps:
    - Click 24/7 in the Scheduling column. The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed. You can either keep the 24/7 schedule or complete the following steps to customize it.
      Figure: Schedule for Network Dialog Box
    - Click Custom Schedule. You can configure the schedule for Monday through Sunday and from midnight to midnight (from 00:00 hours through 23:59 hours). For more information, click See tips. The Network Scheduler Tips dialog box opens, displaying configuration tips in the form of animated GIFs.
    - Click OK to close the Network Scheduler Tips dialog box.
    - Click Apply.
  - The Network Tunneling column shows the tunneling service or profile associated with each active network. Click the toggle to enable tunneling, select a Network Topology tunnel type from the drop-down list, and click Save to apply your changes.
- Click Next.
  The Summary page is displayed.
- Review the settings that you configured.
- Click Add.