CommScope RUCKUS Community Forums

charles_sprick1 · ‎01-08-2019

I've been extremely frustrated with guest wifi setup - all the docs I can find and the scattered forum posts seem to reference a world before all browsers started doing strict https certificate checks. All I want is to offer the same experience I see in national chains (Starbucks, Panera, etc.) and there's not a single up-to-date FAQ or anything here.

So I decided to open a support ticket (first one ever). My day is busy - I may or may not be available at various times, I'm a freelancer working with multiple clients. Here's everything that is annoying me about the process. Am I doing this wrong?

Even though I'm signed in here when opening the ticket, I have to wait some period of time for a support agent to respond and then collect info that's already available (who am I, what's my number, what product, what serial # - this is IN MY PROFILE).
My question is simple - setup guest wifi w/radius auth, what is best current practice for this on Ruckus. I don't need a call, I just need a pointer to a HOWTO or if there isn't one, an email response outlining what you tell the other other customers that want guest wifi w/radius auth setup. I'll make my config match whatever you want and then we'll go from there
Instead, I get an email back demanding a call. I hate the phone, I will choose text or email always. Also I can't promise I'll be available at any particular time (again, don't have to do that with email). So I pick a range of times. I'm outside when a call w/o caller ID comes through, and I missed my chance by the time I notice there's a missed call, possibly from Ruckus.
Later I get an email that I've missed a call so I give another block of time. This time the support agent ignores the phone # in the ticket, ignores the phone # in my profile, and calls the main number of the client. They have no idea what he's talking about. So I miss another call. The support agent calls after the window at the correct number and I'm not here.
This I guess gives them license to just dump this back on me and I've not heard anything since.

Is this basically how support works? A phone call for a simple "how to XYX" seems crazy, esp. when we're dealing with what I assume is offshore support.

charles_sprick1 · ‎01-09-2019

Manoj was very helpful!

charles_sprick1 · ‎02-25-2019

I'm also just going to outline what I found about the guest login process (using an external radius server and splash page) after playing with this in the "lab" and capturing all the traffic with wireshark.

Of note, in my support call there was talk of the initial redirection happening via DNS, but I did not see any DNS spoofing attempts. This is the process I recorded:

host joins wifi network
DHCP request/granted (via the router)
host makes any of dozens of requests, some via already-cached DNS entries, some make a DNS request to the DHCP-provided DNS server(s) - I'm following a new/"fresh" request after having flushed my local DNS cache
host receives a correct DNS answer from configured DNS server
host makes an http or (more often than not) an https request to a server, either something the user is trying to reach in the browser or any of the many background tasks.
the ZD (or is the AP?) responds to the request with the spoofed IP of the destination host
the reply is an http redirect (302) that redirects the user to the ZD, with a query string that includes the destination the user was requesting
in my case, where the splash page is external, another 302 is issued that points to the external splash page and the query string now includes all sorts of extra info as well - like the client MAC, AP MAC and the final redirect URL. This request is let through, presumably by the "walled garden" list of allowed IPs
once the correct login info is entered on the splash page, all the ZD redirections and spoofing stop and requests proceed as normal

A few other random notes:

With something like Apple CNA, these requests initiated by the OS are all via http, which is why the experience is relatively smooth on apple devices (and why I can see all the traffic in wireshark, which is nice).
Firefox has its own built-in CNA check, did not realize that. It requests via https, so it does get tripped up on TLS cert issues
Didn't test windows, but I assume that's where we start seeing TLS certificate issues. I feel like step 6 probably throws up an ominous warning about the SSL cert not matching the hostname. Further redirects will trigger TLS warnings if you're using a self-signed cert.
It seems wise to put certs on all ZDs to at least get rid of one warning. I bought a 1 year cert for $9 for testing, LetsEncrypt has pushed the prices down (too bad the ZD can't just use LetsEncrypt natively!)

michael_brado · ‎02-26-2019

Your feedback is appreciated, and the test Cert provider suggestion is not SPAM enough for my edit..., thx.

charles_sprick1 · ‎02-26-2019

No spam - LetsEncrypt is free (see https://letsencrypt.org/ - funded by technology companies - and them giving out free certs has pushed down the prices for paid certs) and many vendors that have any sort of web interface or anything that can use a TLS cert build support for LE into their products now. Ruckus should consider that... you'd have working HTTPS out of the box.

If anyone wants to know the private cert provider I used, message me. I paid $8.88 for a one-year cert. Had no issues importing it into an Unleashed instance... Will be loading similar into 4 or 5 ZDs shortly.

alexey_isakov · ‎01-11-2019

Charles
I like your hate.
I have got some expirience of interactions with many different vendors HDescks include Ruckus.
I have had the same opinion with you about Ruckus HD just a small time ago.

But i have corrected this my opinion becourse of :
in fact, it works.

From my point of view only.
They are not good enough on the low level priority incidents - it takes too much time and not effective often. It is common problem, not only Ruckus.
Their site & documentations are very convoluted - I ve seen some users not only me that where emphasized this problem (even rather difficult Cisco site are much more relevant) .
But Ruckus HD rather good in difficult cases decisions. They use Webex effective.
Its all only my own private opinion.

Summary. From my point of view Ruckus HelpDesk is seem to be rather a.. specific.
A user should get time to get used to it.
But after some working time any user will be able to solve any problem.
Or almost any 🙂

CommScope RUCKUS Community Forums

Support Process?