Creating a Network That Uses a Captive Portal with Active Directory or LDAP Server

You can create a captive portal network that allows users to join by entering an organization-based username and password, which is authenticated by an associated Active Directory (AD) server or a Light Directory Access Protocol (LDAP) server.

Complete the following steps to create a captive portal network that uses the Active Directory or LDAP authentication option.
  1. On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
    The Wi-Fi Networks page is displayed.
  2. Click Add Wi-Fi Network. Alternatively, select an existing Captive Portal Wi-Fi network with Active Directory/LDAP Server setting that you want to copy and click Clone at the top of the table.
    The Create New Network page is displayed.
  3. Complete the settings on the Network Details page.
    • Network Name: Enter a name (from 2 through 32 characters) that you want to assign to the network.
    • Set different SSID: Use this option to configure an SSID different from the network name. For SSID, enter an SSID name (from 2 through 32 characters and up to 32 bytes when using UTF-8 non-Latin characters).
    • Description: Enter an optional description (up to 64 characters).
    • Network Type: Click Captive Portal.
    A structure diagram of a Captive Portal network type is displayed.
  4. Click Next.
    The Portal Type page is displayed.
  5. Click Active Directory/LDAP Server.
    The Captive Portal Active Directory or LDAP network type diagram is displayed.
    Creating an Active Directory or LDAP Server Captive Portal Network Type
  6. Click Next.
    The Onboarding page is displayed.
  7. Complete the following settings on the Onboarding page:
    • Select Directory Server: Select an Active Directory or LDAP server profile or click Add Server to create a new Active Directory or LDAP server profile. Refer to Adding and Managing a Directory Server for more information. If you select an existing profile, so can click Profile Detail to easily view the Directory Server Details in a sidebar without leaving the network creation wizard.
    • (Optional) Secure your network: Select one of the following options:
      • None (default): No encryption method is used.
      • Pre-Share Key (PSK): Select Pre-Share Key (PSK) and select a Security Protocol for the network.
        • WPA2 (Recommended) (default): Encrypts traffic using the WPA2 standard, which complies with the IEEE 802.11i security standard. Select WPA2 (Recommended) and enter a passphrase of at least eight characters in length in the Passphrase field.
        • WPA3: The WPA3 standard has several security enhancements when compared to WPA2. Select WPA3 and enter a passphrase of at least eight characters in length in the SAE Passphrase field.

          The IEEE 802.11ax (Wi-Fi 6E) and IEEE 802.11be (Wi-Fi 7) APs support only WPA3. The 6 GHz radios are supported with WPA3 only.

        • WPA2/WPA3 mixed mode: Allows mixed networks of WPA2- and WPA3-compliant devices ensuring compatibility. Select WPA2/WPA3 mixed mode and in the WPA2 Passphrase and WPA3 SAE Passphrase fields, enter a passphrase of at least eight characters each in length.
      • OWE Encryption: Opportunistic Wireless Encryption (OWE) provides encrypted communications for open Wi-Fi networks without needing passwords. Choose this option to allow users to access the network without needing to enter a password for authentication.
    • (Optional) Redirect Users to: Select the Redirect Users to check box and enter a valid URL.

      You can redirect users to your company website or another URL after they log in successfully. If the check box is not selected, users are sent to the page they originally requested.

    • (Optional) Enable RUCKUS DHCP service: Select the Enable RUCKUS DHCP service check box to automatically create and assign a new DHCP-Guest Service and DHCP Pool for those Guest WLAN-related venues that do not have a specified DHCP Service. Refer to the DHCP Service of each Venue for more information.
    • (Optional) Use Bypass Captive Network Assistant: Select the Use Bypass Captive Network Assistant check box. The devices that are already authenticated are not redirected for authentication when reconnecting to the onboarding network.
    • (Optional) Walled Garden: Enter the network destinations (URLs or IP addresses) that users can access without going through authentication. A walled garden is a limited environment to which an unauthenticated user is given access to set up an account. After the account is established, the user is allowed out of the walled garden.
  8. (Optional) Click Show more settings.

    By default, the VLAN sub-tab is displayed. Each sub-tab includes additional Wi-Fi configuration options to configure the settings of your preference. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.

    Note: In the User Connection sub-tab, for Max number of devices per credentials, you can set the maximum number of devices that may use the same Active Directory or LDAP login credentials. The default is 1; the allowed values are 1 through 10.
    Note:

    Demonstration of Advanced Settings for a Wi-Fi Network. This video explains advanced settings for a Wi-Fi network and walks you through the process of configuring them.

    Click to play video in full screen mode.

  9. Click Next.
    The Portal Web Page is displayed.
  10. Under Guest Portal Service, select a Guest Portal Service from the drop-down list or click Add Guest Portal Service to add a new Guest Portal Service. The Guest Portal Service is where you define the look and feel of the webpage that the guest uses to join the captive portal network. For more information, refer to Adding a Guest Portal Service.
  11. Click Next.
    The Venues page is displayed.
  12. Complete the following steps to configure a venue:
    1. Select the venues in which you want to activate this network:
      • To activate the network in all your venues, select the check box beside Venue at the top of the table and click Activate.
      • To activate the network in a specific venue, locate the venue from the list, and set the switch to ON in the Activated column.

      The APs, Radios, Scheduling, and Tunnel columns of the selected venue are displayed in the table.

      Select Venues to Activate a Captive Portal Network
    2. By default, this network configuration is applicable for all APs and all radio bands supported by the APs. To select specific AP groups or modify the radio bands that will broadcast this network, complete one of the following steps:
      • Click All APs in the APs column. The Select APs dialog box is displayed. Select All APs to activate this network on all current and future APs at this venue. You can also choose to remove or add any AP-supported radio bands in the Radio Band drop-down list giving you the flexibility of broadcasting this network only on the selected radio bands.
        Select APs Dialog Box
      • Click Select specific AP groups to activate this network on specific AP groups including any AP that is added to selected AP groups in the future. The APs not assigned to any group option is displayed. After APs not assigned to any group is selected, the VLAN and Radio Band options are displayed.
        Selecting Specific AP Groups
      • In the VLAN option, by default, VLAN-1 is selected. Click the icon and configure the VLAN or VLAN pool for the selected AP group.
      • In the Radio Band option, remove or add any AP-supported radio bands in the drop-down list for the selected AP group.
      • Click Apply.
    3. By default, this network configuration is scheduled for 24/7. To configure Scheduling, complete the following steps:
      • Click 24/7 in the Scheduling column. The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed. You can also choose a schedule of 24/7 or complete the following steps to customize the schedule.
        Schedule for Network Dialog Box
      • Click Custom Schedule. The network schedule is customized as per your requirements. You can configure the schedule for Monday through Sunday and from midnight to midnight (from 00:00 hours through 23.59 hours). For more information, click See tips. The Network Scheduler Tips dialog box opens, displaying different configuration tips in the form of animated GIFs
      • Click OK to close the Network Scheduler Tips dialog box.
      • Click Apply.
    4. The Tunnel column shows the tunneling service or profile associated with each active network. By default, Tunnel is set to Local Breakout when the venue is not linked to any SD-LAN or SoftGRE service. The SD-LAN Tunneling option is available only in networks containing RUCKUS Edge devices.
  13. Click Next.
    The Summary page is displayed.
  14. Review the settings that you configured.
  15. Click Finish.
In the Clients > Wireless > Guest Pass Credentials page, you can filter the list of Directory Server profiles by clicking the Type drop-down list and selecting the Directory option.