Creating a Network That Uses Hotspot 2.0 Access

You can create a Wi-Fi hotspot network that automatically and securely authenticates users while roaming.

You can configure the Wi-Fi Operator and Identity Provider profiles before or during the creation of a Hotspot 2.0 Access network.
Complete the following steps to create a Hotspot 2.0 Access network:
  1. On the navigation bar, select Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
    The Wi-Fi Networks page is displayed.
  2. Click Add Wi-Fi Network. Alternatively, select an existing Hotspot 2.0 Access network that you want to copy and click Clone at the top of the table.
    The Create New Network page is displayed.
  3. Complete the settings on the Network Details page:
    • Network Name: Enter a name (2 to 32 characters) for the network. By default, this name is also used as the SSID.
    • (Optional) Set different SSID: Click Set different SSID to configure an SSID different from the network name.
      The SSID field is displayed.
      • SSID: Enter an SSID (2–32 characters; up to 32 bytes for UTF‑8 non‑Latin characters).
    • (Optional) Description: Enter a description to help you identify the network.
    • Network Type: Select Hotspot 2.0 Access.

      A structure diagram of a Hotspot 2.0 Access network is displayed.

      Note: If you used the Clone option, the Network Type is already set to Hotspot 2.0 Access.
  4. Click Next.
    The Hotspot 2.0 Settings page is displayed.
    Hotspot 2.0 Settings
  5. (Optional) Select an option from the Security Protocol drop-down list. The options are:
    • WPA2 (Recommended) (default)

      WPA2 provides strong Wi‑Fi security and is widely supported on devices manufactured after 2006. Select WPA2 unless your deployment requires WPA3. The 6 GHz radio band is supported only with WPA3.

    • WPA3

      WPA3 provides the highest Wi‑Fi security and is supported on most devices manufactured after 2019.

      Note: The IEEE 802.11ax (Wi-Fi 6E) and IEEE 802.11be (Wi-Fi 7) APs support only WPA3. The 6 GHz radio band supports WPA3 only.
  6. Select a Wi-Fi Operator profile from the drop-down list.
    If the Wi‑Fi Operator is not yet defined, you can create a new one; click Add, complete the fields in the Add Wi‑Fi Operator sidebar, and click Add. Then select the newly created Wi-Fi Operator from the drop‑down list. Refer to Creating a Wi-Fi Operator Profile for information on how to add a new Wi‑Fi operator.
  7. Select one or more Identity Provider profiles from the drop-down list.
    If an Identity Provider is not yet defined, you can create a new one; click Add, complete the fields in the Add Identity Provider sidebar, and click Add. The newly created identity provider appears in the Identity Provider field. Refer to Adding and Managing a Hotspot 2.0 Identity Provider Profile for information on how to add a new Identity Provider profile.
    Note: You can select up to six Identity Provider profiles.
    Note: Hotspot 2.0 requires realm‑based authentication to function correctly during fallback.
  8. Fallback Authentication Service: Toggle the switch on to enable this option. This option applies when the AP loses its connection to RUCKUS One.
    When enabled, the AP uses a non‑proxy RADIUS authentication server if the controller becomes unreachable. This ensures authentication continuity during controller outages and helps maintain service availability.
    When you enable this option, the Authentication Service section is displayed.
    • Non‑proxy Authentication Server: Select an existing RADIUS server from the drop‑down list.
      If a suitable RADIUS is not yet defined, you can create a new one; click Add Server, complete the fields in the Add AAA Server sidebar, and click Add.
      • Profile Name: Enter a unique name for the server profile.

        By default, the Type, Enable RadSec (over TLS), and Server Address Type fields are read‑only and automatically set by the system.

      • In the Primary Server section, configure the following:
        • IP Address: Enter the IPv4 or IPv6 address of the RADIUS server.
        • Port: Optionally, modify the default port number (1813) to a number from 1 through 65535. The authentication RADIUS port cannot be 1813, and the accounting RADIUS port cannot be 1812.
        • Shared Secret: Enter the shared secret key.
          Note: The Shared Secret key must be a string of 1 to 255 standard ASCII characters, including letters, numbers, symbols, and space. It cannot consist entirely of spaces and must start and end with a non-space character.
        • Click Add to save the server profile.
      You can then select the newly created RADIUS from the Non‑proxy Authentication Server drop‑down list.
    Note:
    • Only one fallback RADIUS server can be configured.
    • The RADIUS server does not support FQDN because this is a non‑proxy setup.
    • RADIUS servers with TLS enabled or with secondary servers configured are not supported for fallback.
    • Fallback activates only when the controller is unreachable.
    • Activation occurs after an approximate five‑minute delay, during which clients may be unable to authenticate.
    • The AP automatically reverts to normal authentication when the controller becomes reachable again.
    • Some controller‑dependent services are unavailable during fallback, including roaming, client barring, CCD / HCCD, and diagnostic and troubleshooting tools.
    • Requirement: This feature requires supported AP models that run firmware version 7.2.0.610.1317 or later.
  9. Select an identity group from the Identity Group drop-down list.
    If the identity group is not yet defined, you can create a new one; click Add, complete the fields in the Create Identity Group sidebar, and click Apply. You can then select the newly created identity group from the Identity Group drop-down list. Refer to Adding an Identity Group for information on how to create a new identity group.
    You can click View Details to view the identity group details in the Identity Group sidebar.
    Note:
    • When you select an identity group, all devices that join the network automatically become identities within that group, as shown on the Identity Group page. Users can select an existing identity group or create a new one.
    • During network editing, you cannot remove the originally selected identity group; however, you can change it to a different identity group. The identity configuration section does not apply to the MAC Registration List when MAC Authentication is enabled.
  10. Click Show more settings.
    The VLAN sub‑tab is displayed by default, and each sub‑tab presents additional Wi‑Fi configuration options. For details about configuring these options, refer to the Configuring Additional Settings for a Wi-Fi Network.
  11. Click Next.
    The Venues page is displayed.
  12. Select one or more venues to activate the network by clicking the checkbox alongside the venue name, and then toggle the switch on in the Activated column.
    The details in the APs, Radios, and Scheduling columns are displayed for all the activated venues. By default, this network configuration applies across All APs and their applicable radio bands and is scheduled to be available 24/7.
    Note: The Scheduling column displays availability based on the local time zone of the venue’s AP devices (for example, UTC offsets).
    1. Click the All APs hyperlink in the APs column or the list of radios in the Radios column to configure APs and radio-frequency bands for the selected venue.
      The Select APs dialog box is displayed. Select one of the following options:
      • All APs: Select All APs to activate the network on all current and future APs for this venue. Choose a radio band from the drop-down list. You can choose one or more of the supported radio bands.
        Select APs
      • Select specific AP groups: Select Select specific AP groups to activate the network on specific AP groups, including any AP added to the selected AP groups in the future. The APs not assigned to any group option is displayed with a checkbox and a reminder to select an AP Group.

        Click the APs not assigned to any group checkbox; the VLAN and Radio Band options are displayed:

        Select Specific AP Groups
      • VLAN: Select VLAN-1, which is selected by default. Click the icon, and select a VLAN or a pool from the drop-down list. Depending on the selection, enter the VLAN ID or select a pool from the drop-down list.
      • Radio Band: Select one or more supported radio bands from the drop-down list for the selected AP group.
      • Click Apply.
    2. Click the 24/7 hyperlink in the Scheduling column to customize the schedule.
      The Schedule for Network dialog box is displayed.
      Schedule for Network Dialog Box
      You can choose 24/7 or Custom Schedule. Configure the following if you select Custom Schedule:
      • Click Custom Schedule to customize the network schedule as required.
        The Custom Schedule has Basic and Advanced tabs.
        Note: The venue time zone appears at the bottom of the dialog box.
      • On the Basic tab, you can configure the following:
        Schedule for Network - Basic Configuration
        • Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
          Note: When the Start Date is today, time slots that have already passed are disabled.
        • (Optional) All day: Select this option to make the network available for the entire day. When All day is selected, the From and To fields automatically disappear.
        • From and To: These fields appear only when All day is not selected. You can select the start and end times in 15‑minute intervals, where the From time ranges from 00:00 to 23:45, the To time ranges from 00:15 to 24:00, and the To time must always be later than the From time.
          Note: The selected times follow the local time of the venue’s AP devices.
        • Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default), Repeat Daily, Repeat Weekly, and Repeat Monthly.
          Note: The Do not repeat option displays a one‑time schedule for the selected Start Date.
        • End Date:
          • Select None or Select date if Repeat Daily is selected. Pick an end date from the date picker when Select date is chosen.
          • Select the required weekday, and then select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
          • Select a monthly recurrence option such as a specific day of every month, the nth weekday of every month, or the last weekday of every month, and then select None or Select date if Repeat Monthly is selected. Pick an end date from the date picker when Select date is chosen.
            Note: Selecting at least one weekday is mandatory if Repeat Weekly is selected, and selecting a monthly recurrence option is mandatory if Repeat Monthly is selected.
            Note: Monthly options depend on whether the Start Date falls on the first through fourth weekday occurrence or the last weekday of the month. Daily, Weekly, and Monthly repeat rules deactivate the network automatically at midnight on the selected End Date.
            Note: If an End Date is selected, the schedule ends at midnight on that date.
      • On the Advanced tab, you can configure the following:
        Schedule for Network - Advanced Configuration
        • Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
          Note: When the Start Date is today, time slots that have already passed are disabled.
        • (Optional) Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default) and Repeat Weekly.
          Note: The Do not repeat option displays a one‑time weekly schedule for the selected Start Date. The network automatically deactivates at the end of the last active time slot.
        • End Date:
          • Select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
            Note: When the Start date is chosen, selecting a date from the date picker is mandatory.
            Note: If an End Date is selected, the schedule ends at midnight on that date.
        • Mark the required time on the weekly grid to enable or disable network availability in fifteen‑minute intervals. You can click a single slot or click and drag to update multiple adjacent slots. A full day can be enabled or disabled using the checkbox next to each day. Dragging across a range of slots changes all slots to the opposite state of the first slot selected.
        • Click See tips to view guidance on how to activate or deactivate the network for the entire day, individual time slots, or multiple adjacent time slots. The See tips option opens the Network Scheduler Tips window, which explains how to use the checkbox for full‑day selection, how to click individual slots, and how to drag across the timeline to update multiple time slots.
      • Click Apply. The hyperlink displays the configured schedule, either 24/7, ON now, or OFF now. The day and time of the next change in network availability are displayed under the ON now and OFF now hyperlinks and also when you hover your cursor over the hyperlink.
    3. Toggle the Network Tunneling switch on to define how network traffic is tunneled at the venue. When toggled on, the Tunnel sidebar is displayed.
      Note: The Network Tunneling switch is displayed only when the venue is Activated.
      • Select a Tunneling Method from the drop-down.
      • If you choose SoftGRE, select a SoftGRE profile and optionally enable and configure IPsec. (Refer to Creating a SoftGRE Profile and Adding an SD-LAN Service).

        The SD-LAN option is available only when RUCKUS Edge devices are present.

      • Click Add to save and apply.
  13. Click Next.
    The Summary page is displayed.
  14. Review the settings that you configured.
  15. Click Finish.

To view diagnostic data for the Hotspot 2.0 Access network, including ANQP Request/Response, refer to Performing Client Connectivity Diagnostics.