Creating a Network That Uses an Enterprise AAA Server
You can create a network that authenticates users against a remote authentication, authorization, and accounting (AAA) server. Before you create a network, write down the IP address, port number, and shared secret of the primary and secondary (if any) RADIUS server that you want to use to authenticate network users.
In non-proxy mode, an AP makes the RADIUS requests directly to the RADIUS server. The outbound connection is from the AP to the IP/FQDN of RADIUS on the RADIUS port in use by the RADIUS service. If this is an internet/external RADIUS system, the APs must be able to reach the server from their locations, presumably via NAT or public routing.
In proxy mode, the controller makes the outbound RADIUS queries to the RADIUS system on behalf of the AP. In this case the Cloud controller performs the outbound connection on the required port, and there are no firewall requirements on the customer side (because the Cloud is making the request). If you are hosting the RADIUS system, you must allow inbound connectivity to a routable or NATted IP address on the RADIUS port that is configured in the WLAN. In proxy mode, all RADIUS requests from the AP to the controller pass over the existing control tunnel.
- On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
  The Wi-Fi Networks page is displayed.
- On the upper-right corner, click Add Wi-Fi Network. Alternatively, select an Enterprise AAA (802.1X) network setting that you want to copy and click Clone at the top of the table.
  The Create New Network page is displayed.
- Complete the following settings in the Network Details page.
  - Network Name: Enter a name (up to 32 characters) that you want to assign to the network.
  - Set different SSID: Use this option to configure an SSID that differs from the network name.
  - Description: Enter a description (up to 64 characters) to help you identify the network.
  - Network Type: Select Enterprise AAA (802.1X). When the network type is selected, a structure diagram of an Enterprise AAA (802.1X) network is displayed.
- Click Next.
  The Enterprise AAA (802.1X) Settings page is displayed.
- Complete the settings on the Enterprise AAA (802.1X) Settings page.
  - Security Protocol: Select WPA or WPA2 (Recommend) from the drop-down list. By default, WPA2 (Recommend) is selected.
    Note: For robust Wi-Fi security, WPA2 (Wi-Fi Protected Access 2) is an excellent choice. Widely supported on most mobile devices since 2006, it offers a strong foundation. However, if you are using cutting-edge technology with 6 GHz Wi-Fi radios, WPA3 might be necessary for optimal connection.
  - Authentication Service: Select an existing RADIUS server from the drop-down list, or click Add Server and configure a new RADIUS server. Refer to Creating a Radius Server Profile.
    - Proxy Service: Toggle the switch to ON to enable the proxy service.
      Note: Use the controller as proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
  - Accounting Service: Toggle the switch to ON to enable this option, then select an existing RADIUS server from the drop-down list, or click Add Server and configure a new RADIUS server. Refer to Creating a Radius Server Profile.
    - Proxy Service: Toggle the switch to ON to enable the proxy service.
      Note: Use the controller as proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
  - MAC Authentication: Toggle the switch to ON to enable the MAC Authentication feature and select a MAC Address Format from the drop-down list. The supported MAC address formats are:
    - Upper case MAC address separated by colons: 70:EA:5A:78:A1:A0
    - Upper case MAC address separated by hyphens: 70-EA-5A-78-A1-A0
    - Upper case MAC in a continuous string: 70EA5A78A1A0
    - Lower case MAC address separated by colons: 70:ea:5a:78:a1:a0
    - Lower case MAC address separated by hyphens: 70-ea-5a-78-a1-a0
    - Lower case MAC in a continuous string: 70ea5a78a1a0
    Note: In the 802.1X and MAC Authentication method, MAC authentication is the first layer of security: a list of authorized MAC addresses is configured on the network device first. Devices with MAC addresses that are not on the list are denied access to the network. The 802.1X authentication method uses a RADIUS server to verify the user's identity (for example, username and password) before granting access to the network. A RUCKUS AP grants access to the UE only after both the MAC authentication and the 802.1X authentication are successful.
    - MAC Authentication provides an additional level of security for corporate networks. Client MAC addresses are passed to the configured RADIUS servers for authentication and accounting.
    - By default, MAC Authentication is disabled.
    - Changing the MAC Authentication option requires re-creating the Enterprise AAA (802.1X) network. Currently, there is no edit option for this feature.
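Because the AP sends the client MAC to the RADIUS server as a string in exactly the format selected above, entries in the RADIUS user store must use the same format or authentication silently fails. The following helper, added here as an example and not part of RUCKUS One, renders an address in each of the six supported formats and checks whether an existing entry already matches the configured one; the format labels are names chosen for this example.

```python
import re

# The six MAC Address Format choices offered by the MAC Authentication
# drop-down. The keys are descriptive labels chosen for this example, not
# RUCKUS One identifiers. Each entry is (separator, case function).
MAC_FORMATS = {
    "upper_colon":  (":", str.upper),   # 70:EA:5A:78:A1:A0
    "upper_hyphen": ("-", str.upper),   # 70-EA-5A-78-A1-A0
    "upper_plain":  ("",  str.upper),   # 70EA5A78A1A0
    "lower_colon":  (":", str.lower),   # 70:ea:5a:78:a1:a0
    "lower_hyphen": ("-", str.lower),   # 70-ea-5a-78-a1-a0
    "lower_plain":  ("",  str.lower),   # 70ea5a78a1a0
}

# Exactly the three separator layouts above; mixed separators are rejected.
_MAC_PATTERNS = (
    re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^[0-9A-Fa-f]{12}$"),
)


def is_valid_mac(mac: str) -> bool:
    """True if `mac` is a 48-bit address in one of the supported layouts."""
    return any(p.match(mac.strip()) for p in _MAC_PATTERNS)


def canonical_mac(mac: str) -> str:
    """Reduce any supported layout to 12 lowercase hex digits.

    Malformed input raises instead of being passed on, so a bad entry in the
    user store fails loudly rather than silently never matching a client.
    """
    if not is_valid_mac(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return mac.strip().replace(":", "").replace("-", "").lower()


def format_mac(mac: str, fmt: str) -> str:
    """Render `mac` in the selected MAC Address Format."""
    sep, case = MAC_FORMATS[fmt]
    digits = case(canonical_mac(mac))
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def matches_format(entry: str, fmt: str) -> bool:
    """True if a RADIUS user-store entry already uses the configured format,
    i.e. the username in the AP's request would compare equal byte for byte."""
    return is_valid_mac(entry) and entry.strip() == format_mac(entry, fmt)


def all_formats(mac: str) -> dict:
    """Render one address in every supported format (handy for audits)."""
    return {name: format_mac(mac, name) for name in MAC_FORMATS}
```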
- Click Show more settings.
  Note: The video Demonstration of Advanced Settings for a Wi-Fi Network explains the advanced settings for a Wi-Fi network and walks you through the process of configuring them.
- By default, the VLAN tab is selected. Complete the following VLAN settings:
  - VLAN Pooling: Toggle the switch to ON to enable VLAN pooling.
    - Select VLAN Pooling: Select a VLAN pool from the drop-down list, or click Add Pool and configure a new VLAN pool. Refer to Creating a VLAN Pool.
  - VLAN ID: Type the VLAN ID number (default is 1) that you want to assign to this network. The valid range is from 1 to 4094. The VLAN ID option is not available if VLAN Pooling is enabled, and it is disabled if you enable the Enable RUCKUS DHCP service option.
  - Dynamic VLAN: By default, Dynamic VLAN is enabled.
  - Proxy ARP: Toggle the switch to ON to enable proxy ARP.
- Select the Network Control tab and complete the following services settings:
  - DNS Proxy: Toggle the switch to ON to enable the DNS proxy.
    - Select a DNS proxy from the table or add a new DNS proxy.
    - Click Add Rule to add a new DNS proxy. The Add DNS Proxy Rule dialog box is displayed.
    - Complete the following fields:
      - Domain Name: Enter a domain name for the DNS proxy rule.
      - IP Addresses: Enter an IP address.
    - Click Add to add the domain name and IP address to the table.
    - Click Save.
    - Click OK.
  - Wi-Fi Calling: Toggle the switch to ON to enable Wi-Fi Calling.
    - Click Select Profiles. The Select Wi-Fi Calling Profiles dialog box is displayed.
    - Select the profiles in the Available Profiles table and click Add to move the selected profiles to the Selected Profiles table. To remove profiles from the Selected Profiles table, select them in the Selected Profiles table and click Remove.
    - Click Save.
  - Client Isolation: Toggle the switch to ON to enable client isolation, then complete the following fields:
    - Isolation Packets: Select Unicast, Multicast/broadcast, or Unicast and Multicast/broadcast.
    - Automatic support for VRRP/HSRP: Set the switch to ON to enable automatic support for VRRP/HSRP.
    - Client Isolation Allowlist by Venue: Set the switch to ON to enable the client isolation allowlist by venue.
  - Anti-spoofing: Toggle the switch to ON to enable anti-spoofing, then complete the following fields:
    - ARP request rate limit: Enter the ARP request rate limit.
    - DHCP request rate limit: Enter the DHCP request rate limit.
    - Enable logging client data to external syslog: Toggle the switch to ON to send client data to an external syslog server.
  - Under DHCP, enable the Force DHCP feature. This feature is disabled if you enable the Anti-spoofing feature.
  - Under DHCP, enable the DHCP Option 82 feature. DHCP Option 82 allows a DHCP relay agent to insert circuit-specific information into a request that is being forwarded to a DHCP server. This option works by setting two sub-options: Circuit ID and Remote ID. The insertion of DHCP Option 82 information is now supported for wireless clients in RUCKUS One. By default, this feature is disabled.
  - Access Control: Toggle the Access Control switch to ON to enable the access control policy feature.
- Select the Radio tab and complete the following radio settings:
  - Hide SSID: Select this option to hide the SSID.
  - Load Control: Complete the following fields:
    - Max Rate: Choose one of the following options from the drop-down list:
      - Unlimited: no limits on bandwidth allocation.
      - Per AP: the maximum bandwidth allocation limit for all connections to that specific network on the AP. If selected, two other options appear, Upload Limit and Download Limit. If either (or both) boxes are checked, a sliding scale appears and you can drag your cursor along the line to choose the Mbps limits.
    - Max clients per radio: Limit the number of clients that can associate with this network per AP radio (default is 100).
    - Enable load balancing between all radios: Select this check box to enable load balancing for all radios. Load balancing helps improve network performance by spreading the client load between the radios on the AP.
    - Enable load balancing between APs: Select this check box to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle.
  - OFDM only (Disables 802.11b): Select the check box to enable this option. Enabling this option disables the CCK rates of 1, 2, 5.5, and 11 Mbps, so no 802.11b-only clients can connect. Beacons and probe responses are transmitted at 6 Mbps, and data frames at 6, 9, 18, 24, 36, 48, and 54 Mbps. Enforcing higher minimum data rates increases overall network throughput capacity, but reduces the distance at which clients are able to remain connected.
  - Data Rate Control (2.4 GHz & 5 GHz): Configure the following:
    - BSS Min Rate: Select None, 12 Mbps, or 24 Mbps from the drop-down list. Use this option to configure the minimum transmission rate supported by the network. If OFDM Only is enabled, the only valid options are 12 Mbps and 24 Mbps, with Mgmt Tx frames fixed at 6 Mbps. This option can also be used to prevent 11b clients from connecting, and to allow greater client density with higher data rates.
    - Mgt Tx Rate: Select 1, 2, 5.5, 6, 9, 11, 12, or 18 Mbps from the drop-down list. This option is only available if both Enable OFDM only and BSS Min Rate are disabled. (Otherwise, the Mgmt Tx Rate is defined by those settings.) Use this setting to configure the rate at which management frames are sent. The default is 6 Mbps.
- Select the Networking tab and configure the following.
  - Enable Agile Multi-Band (AMB): Introduced by the Wi-Fi Alliance, Agile Multiband is a collection of features designed to improve resource utilization, balance Wi-Fi load, increase capacity, and provide the best possible Wi-Fi experience. AMB configures WLANs to send Multi Band Operation IE announcements that include beacon reporting, channel non-preference, cellular capability, and association disallow. It interoperates with existing load balancing protocols including 802.11k and 802.11r.
  - Enable 802.11k neighbor reports: Select the check box to enable this option. It enhances roaming by providing a list of neighbor APs to the client device.
  - Enable 802.11d: Select the check box to enable this option. It allows the AP to support multiple regulatory domains by adding a country information element to beacons, probe requests, and probe responses.
  - Enable 802.11r Fast BSS Transition: 802.11r Fast BSS Transition is a fast roaming protocol that reduces the number of frame exchanges required for roaming and allows the clients and APs to reuse the master keys obtained during a prior authentication exchange.
  - Client Inactive Timeout: Enter the duration in seconds. This option disconnects the client if it is inactive for the configured duration.
  - Directed MC/BC Threshold: Enter the client count at which the AP stops converting group-addressed (multicast/broadcast) data traffic to unicast.
  - Airtime Decongestion: Set the switch to ON to activate the airtime decongestion feature.
  - Join RSSI Threshold: Set the switch to ON and then enter the threshold value. This option is disabled if you enable the Airtime Decongestion option.
  - Transient Client Management: Set the switch to ON and then configure the parameters for Join Wait Time, Join Expire Time, and Join Wait Threshold.
  - Optimized Connectivity Experience (OCE): Set the switch to ON and then configure the parameters for Broadcast Probe Response Delay and RSSI-Based Association Rejection Threshold.
  - Select the AP Host Name Advertisement in Beacon check box to enable the feature. When this feature is enabled, the AP takes the configured host name and inserts it as a separate vendor-specific IE in beacon and probe response frames, which is used by our partners to identify the AP by name.
  - Enable the GTK Rekey option. This feature periodically generates a new group key to secure multicast and broadcast traffic.
  - Enable the Multicast Filter feature. By default, this feature is disabled. When the Multicast Filter option is enabled on an AP, the AP drops all IPv4 and IPv6 multicast and broadcast traffic from associated wireless clients except for the following, which form the "multicast filter bypass" list. Note that downstream multicast is unaffected.
    - ARP Request
    - DHCPv4 Request
    - DHCPv6 Request
    - IPv6 NS
    - IPv6 NA
    - IPv6 RS
    - IGMP
    - MLD
    - All unicast packets
    Multicast Filter and Multicast Rate Limiting are mutually exclusive features. From the RUCKUS One web interface, you cannot enable both of them at the same time.
  - Enable the Multicast Rate Limiting feature. Multicast rate limiting and multicast filtering are mutually exclusive features. SSID rate limiting always takes precedence if multicast rate limiting is also configured. The multicast downlink rate limit should not be greater than 50% of the BSS min rate.
  - Under RADIUS Options, configure the following settings.
    - NAS ID: Identifies clients to a RADIUS server. Select an option from the list.
    - MAC Delimiter: Select Dash or Colon.
    - NAS Request Timeout: Enter the timeout period (in seconds) after which an expected RADIUS response message is considered to have failed.
    - NAS Max Retries: Enter the number of failed connection attempts after which RUCKUS One will fail over to the backup RADIUS server.
    - NAS Reconnect Primary: Enter the number of minutes after which RUCKUS One will attempt to reconnect to the primary RADIUS server after failing over to the backup server.
    - Called Station ID: Allows the NAS to send the ID that is called by the user. Select an option from the list.
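The three NAS timers above decide how long a client waits during an outage and when the primary server is retried. The simulation below is an added example, not RUCKUS One's implementation, and it assumes a simple model: every attempt waits NAS Request Timeout, NAS Max Retries failed attempts on the primary trigger failover to the backup, and the primary is tried again once NAS Reconnect Primary minutes have passed. `reachable` is a constructed stand-in for the RADIUS exchange.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Reachable = Callable[[str], bool]   # stand-in for "a RADIUS reply arrived"


@dataclass
class RadiusFailover:
    """Assumed model of NAS Request Timeout, NAS Max Retries and NAS Reconnect
    Primary (an illustration, not RUCKUS One's implementation): each attempt
    on the active server waits request_timeout_s; after max_retries failed
    attempts on the primary the NAS fails over to the backup; once
    reconnect_primary_min minutes have passed since failover, the next request
    is tried on the primary again."""
    request_timeout_s: float
    max_retries: int
    reconnect_primary_min: float
    active: str = "primary"
    failover_at_s: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _select_server(self, now_s: float) -> str:
        if (self.active == "backup" and self.failover_at_s is not None
                and now_s - self.failover_at_s >= self.reconnect_primary_min * 60):
            self.log.append(f"t={now_s:.0f}s: reconnect window elapsed, trying primary")
            self.active = "primary"
        return self.active

    def _attempt(self, server: str, now_s: float, reachable: Reachable) -> Tuple[float, bool]:
        waited = 0.0
        for n in range(1, self.max_retries + 1):
            if reachable(server):
                return waited, True
            waited += self.request_timeout_s
            self.log.append(f"t={now_s + waited:.0f}s: {server} attempt {n} timed out")
        return waited, False

    def authenticate(self, now_s: float, reachable: Reachable) -> Tuple[str, float, bool]:
        """Return (server that answered or was last tried, seconds the client
        waited, success)."""
        server = self._select_server(now_s)
        waited, ok = self._attempt(server, now_s, reachable)
        if ok or server == "backup":
            return server, waited, ok
        self.active, self.failover_at_s = "backup", now_s + waited
        self.log.append(f"t={now_s + waited:.0f}s: failed over to backup")
        more, ok = self._attempt("backup", now_s + waited, reachable)
        return "backup", waited + more, ok

    def worst_case_wait_s(self) -> float:
        """Longest a supplicant waits before the NAS gives up on both servers;
        compare it with the clients' EAP timeout when tuning these values."""
        return 2 * self.max_retries * self.request_timeout_s
```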
- Select the Advanced tab and configure DTIM, QoS Mirroring, and QoS Map Set.
  - Set the DTIM (Delivery Traffic Indication Message) Interval by dragging the slider between Lower latency and Longer client battery life. The valid range is from 1 through 255.
  - Toggle the QoS Mirroring switch to enable the feature and configure the QoS mirroring scope. From the QoS Mirroring Scope drop-down, select one of the following options:
    Note: QoS Mirroring allows an AP to use a client's uplink Quality of Service (QoS) classification (voice, video, best effort, or background) to classify the client device's downlink packets in the mirrored (reverse direction) stream. The AP assigns the downlink packets to the same QoS category as the uplink packets. By default, this feature is enabled. QoS Mirroring is supported only on APs that are running RUCKUS One AP firmware version 7.0 or higher.
    - MSCS requests only: When selected, QoS mirroring is enabled only for clients that send mirrored stream classification service (MSCS) requests. This is the default setting.
    - All clients: When selected, QoS mirroring is enabled for all clients.
  - Toggle the QoS Map Set switch to enable QoS Map Set and configure the feature. The QoS Map Set feature reprioritizes downlink packets based on the configured mappings. When an AP receives a downlink packet, it checks the existing DSCP (Layer 3 QoS) marking, compares it to this map set, and changes the user priority (Layer 2 QoS) value for transmission by the AP. QoS map settings can be customized and applied per WLAN. From the Priority list, select a priority and click Next. To edit the QoS Map Set, select a priority from the list and click Edit. In the Edit QoS Map page, configure the DSCP Range and Exception DSCP Values. You can enter multiple exception DSCP values separated by commas.
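The mapping the AP applies per QoS Map Set, written out as an added example (not RUCKUS One code): each user priority has an inclusive DSCP range, the comma-separated Exception DSCP Values are checked before the ranges, and overlapping ranges are rejected. The fallback of unmapped DSCP values to UP 0 and the sample map in `default_map` are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DSCP_MAX, UP_MAX = 63, 7   # 6-bit DSCP (Layer 3), 3-bit 802.11 user priority (Layer 2)


@dataclass
class QoSMapSet:
    """DSCP-to-user-priority map applied to downlink packets for one WLAN.

    ranges: UP -> inclusive (low, high) DSCP Range, or None when unset.
    exceptions: single DSCP -> UP, consulted before the ranges. A DSCP matched
    by neither keeps UP 0 (best effort); that fallback is an assumption of this
    example, not a documented RUCKUS One behaviour."""
    ranges: Dict[int, Optional[Tuple[int, int]]] = field(
        default_factory=lambda: {up: None for up in range(UP_MAX + 1)})
    exceptions: Dict[int, int] = field(default_factory=dict)

    @staticmethod
    def _check(dscp: int) -> int:
        if not 0 <= dscp <= DSCP_MAX:
            raise ValueError(f"DSCP {dscp} outside 0..{DSCP_MAX}")
        return dscp

    def set_range(self, up: int, low: int, high: int) -> None:
        """Configure the DSCP Range for one priority; overlapping ranges are
        rejected because a DSCP would otherwise map to two priorities."""
        low, high = self._check(low), self._check(high)
        if low > high:
            raise ValueError("range low must not exceed high")
        for other, rng in self.ranges.items():
            if other != up and rng and not (high < rng[0] or low > rng[1]):
                raise ValueError(f"range {low}-{high} overlaps UP {other}")
        self.ranges[up] = (low, high)

    def set_exceptions(self, up: int, text: str) -> List[int]:
        """Parse the comma-separated Exception DSCP Values field for one priority."""
        values = [self._check(int(v)) for v in text.split(",") if v.strip()]
        for v in values:
            self.exceptions[v] = up
        return values

    def user_priority(self, dscp: int) -> int:
        """UP the AP transmits a downlink packet with, given its DSCP marking."""
        dscp = self._check(dscp)
        if dscp in self.exceptions:
            return self.exceptions[dscp]
        for up, rng in self.ranges.items():
            if rng and rng[0] <= dscp <= rng[1]:
                return up
        return 0


def default_map() -> QoSMapSet:
    """Constructed sample: UP = DSCP >> 3 for all eight ranges, plus EF (46)
    pinned to UP 6 as an exception, the usual voice mapping."""
    m = QoSMapSet()
    for up in range(UP_MAX + 1):
        m.set_range(up, up * 8, up * 8 + 7)
    m.set_exceptions(6, "46")
    return m
```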
- Click Next to go to the Venues page and select the venues in which to activate this network.
  The Venues page is displayed.
- Click Next.
  The Summary page is displayed.
- Review the settings that you configured. To display the Shared Secret in plain text, click the eye icon.
- Click Finish.