You can create a network that allows users to access the network through a third-party captive portal, authenticated by a RADIUS server.

1. On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
   The Wi-Fi Networks page is displayed.
2. Click Add Wi-Fi Network. Alternatively, select an existing Third-Party Captive Portal (WISPr Feature) Wi-Fi network setting that you want to copy and click Clone at the top of the table.
   The Create New Network page is displayed.
3. Complete the settings on the Network Details page.
   • Network Name: Enter a name (2–32 characters) for the network. By default, this name is also used as the SSID.
   • (Optional) Set different SSID: Click Set different SSID to configure an SSID that differs from the network name.
     The SSID field is displayed.

     • SSID: Enter an SSID name (2–32 characters; up to 32 bytes for UTF‑8 non‑Latin characters).
   • (Optional) Description: Enter a description to help you identify the network.
   • Network Type: Choose Captive Portal.

     The structure diagram of a Captive Portal network is displayed.

     Note: If you used the Clone option, the Network Type is already set to Captive Portal.
4. Click Next.
   The Portal Type page is displayed.
5. Click 3rd Party Captive Portal (WISPr).
   To access the network, users connect through a 3rd party captive portal, authenticated by a RADIUS server.
   The structure diagram on the right updates to show the 3rd-Party Captive Portal network type.
6. Click Next.
   The Settings page is displayed.

   

7. Portal Provider: Select a name of the provider from the drop-down list.
   Based on Portal Provider selection, the Captive Portal URL or Region field is displayed.

   • Captive Portal URL: Enter the vendor's complete URL for the selected Portal Provider. It is recommended that you copy the URL from the vendor's configuration.
   • Region: Select a region for the selected Portal Provider from the drop-down list.
8. (Optional) Redirect Users to: Select the Redirect Users to checkbox and enter a valid URL.

   You can redirect users to your company website or another URL after they log in successfully. If the checkbox is not selected, users are sent to the page they originally requested.

9. Integration Key: Click Copy Key to copy the password to your vendor's configuration to allow it to connect to RUCKUS One.
10. (Optional) Secure your network: Select a Secure your network method. The options are:
    • None (default): No encryption method is used.
    • Pre-Share Key (PSK): Select Pre-Share Key (PSK) and select a security protocol for the network.
      • Passphrase: Enter a Passphrase (minimum 8 characters) and select a Security Protocol. The options are:
        • WPA2 (Recommended) (default): Select WPA2 (Recommended) and enter a passphrase of at least eight characters in the Passphrase field.

          WPA2 provides strong Wi‑Fi security and is widely supported on devices manufactured after 2006. Select WPA2 unless your deployment requires WPA3. 6 GHz radios are only supported with WPA3.

        • WPA3: Select WPA3 and enter a passphrase of at least eight characters in the SAE Passphrase field.

          WPA3 provides the highest Wi‑Fi security and is supported on most devices manufactured after 2019.

          Note: The IEEE 802.11ax (Wi-Fi 6E) and IEEE 802.11be (Wi-Fi 7) APs support only WPA3. The 6 GHz radios support WPA3 only.
        • WPA2/WPA3 mixed mode: Select WPA2/WPA3 mixed mode and enter a passphrase of at least eight characters in the WPA2 Passphrase and WPA3 SAE Passphrase fields.

          WPA2/WPA3 mixed mode lets devices connect using either WPA3, the most secure Wi-Fi standard, or WPA2, which is still widely supported. Most devices made after 2006 support WPA2, and those from 2019 onward typically support WPA3.

          Note: Select WPA3 or WPA2/WPA3 mixed mode if you broadcast on 6 GHz.
    • OWE Encryption: Opportunistic Wireless Encryption (OWE) provides encrypted communications for open Wi-Fi networks without passwords. Choose this option to allow users to access the network without entering a password for authentication. If you selected OWE Encryption, configure the following field:
      • (Optional) OWE Transition mode: Toggle the OWE Transition mode switch on to enable a seamless transition from open, unencrypted WLANs to OWE WLANs without adversely impacting the end user experience.
        Note: OWE transition mode allows STAs that do not support OWE authentication to access the network in open authentication mode, while OWE-capable STAs can use OWE authentication mode.

        The migration to an enhanced open Wi-Fi network is done gradually, with user devices also upgrading over time. In OWE Transition mode, an AP creates two SSIDs as a pair: SSID1 (broadcast) for open authentication and SSID2 (hidden) for OWE authentication (read-only). Non-OWE devices connect to SSID1, while OWE-capable devices initially connect to SSID1 but are then associated with SSID2 for secure access.

        Deleting SSID1 or disabling OWE Transition also deletes SSID2; cloning SSID1 creates two new WLANs. SSID1/SSID2 co‑exist as a pair; a maximum of six WLANs can be created per venue, per AP group.

11. (Optional) Enable MAC auth bypass: Select the Enable MAC auth bypass checkbox to enable MAC-based authentication.
12. (Optional) Enable the encryption for users’ MAC and IP addresses: Select the Enable the encryption for users’ MAC and IP addresses checkbox to enable the encryption.
13. (Optional) Enable RUCKUS DHCP service: Select the Enable RUCKUS DHCP service checkbox to automatically create and assign a new DHCP-Guest Service and DHCP Pool for Guest WLAN-related venues that do not have a specified DHCP Service. Refer to the DHCP Service of each Venue for more information.
14. (Optional) Use Bypass Captive Network Assistant: Select the Use Bypass Captive Network Assistant checkbox to enable this option. Enabling this option prevents the controller from using the mini-browser on mobile devices. With CNA bypass enabled, portal login is achieved by opening a standard browser to any unauthenticated HTTP page to get redirected to the login portal.
15. (Optional) Walled Garden: Enter Walled Garden destinations (URLs or IP addresses) that users can access before authentication.
    A walled garden is a limited environment that allows unauthenticated users to access specific destinations so they can set up an account. After the account is established, the user is allowed out of the walled garden. Unauthenticated users will be allowed to access these destinations (i.e., without redirection to captive portal). Each destination should be entered in a new line. Accepted formats for destinations are:

    • IP address (for example, 10.11.12.13)
    • IP address range (for example, 10.11.12.13-10.11.12.15)
    • CIDR (for example, 10.11.12.13/28)
    • IP address and mask (for example, 10.11.12.13 255.255.255.0)
    • Website FQDN (for example, www.ruckus.com)
    • Website FQDN with a wildcard (for example, *.amazon.com; *.com)
16. Authentication Service: Populates the primary and secondary authentication server details configured for the selected portal provider.
17. Check the Accept All Connections option to enable the Accept All Connections feature.

    By default, this option is disabled. You must disable Enable MAC auth bypass before you can enable Accept All Connections.

18. Accounting Service: Populates the primary and secondary accounting server details configured for the selected portal provider.
19. Click Show more settings.

    The VLAN sub‑tab is displayed by default, and each sub‑tab presents additional Wi‑Fi configuration options. For details about configuring these options, refer to the Configuring Additional Settings for a Wi-Fi Network.

    Note: Demonstration of Advanced Settings for a Wi-Fi Network. This video explains advanced settings for a Wi-Fi network and walks you through the process of configuring them.

    Click to play video in full screen mode.

20. Click Next.
    The Venues page is displayed.
21. Select one or more venues to activate the network by clicking the checkbox alongside the venue name, and then toggle the switch on in the Activated column.
    The details in the APs, Radios, and Scheduling columns are displayed for all the activated venues. By default, this network configuration applies across All APs and their applicable radio bands and is scheduled to be available 24/7.

    Note: The Scheduling column displays availability based on the local time zone of the venue’s AP devices (for example, UTC offsets).
    1. Click the All APs hyperlink in the APs column or the list of radios in the Radios column to configure APs and radio-frequency bands for the selected venue.
       The Select APs dialog box is displayed. Select one of the following options:

       • All APs: Select All APs to activate the network on all current and future APs for this venue. Choose a radio band from the drop-down list. You can choose one or more of the supported radio bands.

         

       • Select specific AP groups: Select Select specific AP groups to activate the network on specific AP groups, including any AP added to the selected AP groups in the future. The APs not assigned to any group option is displayed with a checkbox and a reminder to select an AP Group.

         Click the APs not assigned to any group checkbox; the VLAN and Radio Band options are displayed:

         

       • VLAN: Select VLAN-1, which is selected by default. Click the icon, and select a VLAN or a pool from the drop-down list. Depending on the selection, enter the VLAN ID or select a pool from the drop-down list.
       • Radio Band: Select one or more supported radio bands from the drop-down list for the selected AP group.
       • Click Apply.
    2. Click the 24/7 hyperlink in the Scheduling column to customize the schedule.
       The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed.

       

       You can choose 24/7 or Custom Schedule. Configure the following if you select Custom Schedule:
       • Click Custom Schedule to customize the network schedule as required.
         The Custom Schedule has Basic and Advanced tabs.

         Note: The venue time zone appears at the bottom of the dialog box.
       • On the Basic tab, you can configure the following:

         

         • Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
           Note: When the Start Date is today, time slots that have already passed are disabled.
         • (Optional) All day: Select this option to make the network available for the entire day. When All day is selected, the From and To fields automatically disappear.
         • From and To: These fields appear only when All day is not selected. You can select the start and end times in 15‑minute intervals, where the From time ranges from 00:00 to 23:45, the To time ranges from 00:15 to 24:00, and the To time must always be later than the From time.
           Note: The selected times follow the local time of the venue’s AP devices.
         • Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default), Repeat Daily, Repeat Weekly, and Repeat Monthly.
           Note: The Do not repeat option displays a one‑time schedule for the selected Start Date.
         • End Date:
           • Select None or Select date if Repeat Daily is selected. Pick an end date from the date picker when Select date is chosen.
           • Select the required weekday, and then select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
           • Select a monthly recurrence option such as Day <date> of every month, the <nth> <weekday> of every month, or the last <weekday> of every month, and then select None or Select date if Repeat Monthly is selected. Pick an end date from the date picker when Select date is chosen.
             Note: Selecting at least one weekday is mandatory if Repeat Weekly is selected, and selecting a monthly recurrence option is mandatory if Repeat Monthly is selected.
             Note: Monthly options depend on whether the Start Date falls on the first through fourth weekday occurrence or the last weekday of the month. Daily, Weekly, and Monthly repeat rules deactivate the network automatically at midnight on the selected End Date.
             Note: If an End Date is selected, the schedule ends at midnight on that date.
       • On the Advanced tab, you can configure the following:

         

         • Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
           Note: When the Start Date is today, time slots that have already passed are disabled.
         • (Optional) Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default) and Repeat Weekly.
           Note: The Do not repeat option displays a one‑time weekly schedule for the selected Start Date. The network automatically deactivates at the end of the last active time slot.
         • End Date:
           • Select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
             Note: When the Start date is chosen, selecting a date from the date picker is mandatory.

             Note: If an End Date is selected, the schedule ends at midnight on that date.
         • Mark the required time on the weekly grid to enable or disable network availability in fifteen‑minute intervals. You can click a single slot or click and drag to update multiple adjacent slots. A full day can be enabled or disabled using the checkbox next to each day. Dragging across a range of slots changes all slots to the opposite state of the first slot selected.
         • Click See tips to view guidance on how to activate or deactivate the network for the entire day, individual time slots, or multiple adjacent time slots. The See tips option opens the Network Scheduler Tips window, which explains how to use the checkbox for full‑day selection, how to click individual slots, and how to drag across the timeline to update multiple time slots.
       • Click Apply. The hyperlink updates to ON now. When you hover over it, it displays the time until which the scheduler will remain active (<Day> <Time>).
         Note: If no weekday is selected, the message Network is configured to be unavailable at all times is displayed on the Network Scheduling dialog box. You can continue by clicking OK or by clicking Cancel to configure the required days.

       
    3. Toggle the Network Tunneling switch on to define how network traffic is tunneled at the venue. When toggled on, a Tunnel: <venue-name> sidebar is displayed.
       Note: The Network Tunneling switch is displayed only when the venue is Activated.
       • Select a Tunneling Method from the drop-down.
       • If you choose SoftGRE, select a SoftGRE profile and optionally enable and configure IPsec. (Refer to Creating a SoftGRE Profile and Adding an SD-LAN Service).

         The SD-LAN option is available only when RUCKUS Edge devices are present.

       • Click Add to save and apply.
22. Click Next.
    The Summary page is displayed.
23. Review the settings that you configured.
24. Click Finish.