CommScope RUCKUS Community Forums

waqar_aamer · ‎09-30-2015

Can anyone please tell me why I am not being moved to secure network once Zero IT certificate is downloaded and installed?

I have created "provisioning network" (SSID, VLAN 1) using hotspot so all the wireless devices use secure network. I have also created "main domain" (SSID, VLAN 1) using zero IT and DPSK activation enabled.

Authentication method is AD and role is assigned accordingly.

Everything is working fine and when I reach to the point where after AD authentication, on provision network, I download and successfully install certificate the user does not move to the secure network which is "main domain" and it stays in the same provision network. So whenever user tries to browse anything gets the same authentication page.

It seems certificate gets installed but not being activated. User doesn't switch to secure network according to role but there is option to configure it manually (on certification download page) by having DPSK so whenever I put manually it works.

Please help me where I am doing wrong. Thank you

andrew_bailey_7 · ‎10-02-2015

Vick,

Without knowing more details of your network, size of organization and the mix of devices you have it's hard to be precise.
Just to be clear, I don't believe this is an "issue" with the Zero IT feature- simply a tendency for most Wifi devices to "hang on" to a Wifi network which already "working" (at least as far as the device is concerned).
That said, In my experience Zero IT works very well for Windows and IOS, perhaps a little less well for Blackberry, Andriod and Linux, and is not useful at all for Wireless Printers, Wireless Media Centers, TVs etc. The release notes for the Software Version you are using will summarize the compatibility.
If you have a mix of clients my tip would be to ensure you are using "mobile friendly" DPSK keys with a shorter key (perhaps 20 characters or so). You can find these settings on your secure WLAN config and it can be configured per VLAN. As a warning- if you change these settings you will need to generate new DPSK keys for each device- so something to get right at the initial Wifi config.
Using DPSK keys like this makes it more practical to setup non Zero IT devices or avoid Zero IT altogether- you simply generate a key (either individually or as a batch- the ZoneDirector allows either option) and manually enter that into the device. The DPSK keys get bound to the MAC of the device when they connect so you still have all the good features of DPSK keys including the ability to block and track users as you need to.
If you give users DPSK keys directly this would "bypass" your initial provisioning WLAN issue. You can generate keys for users and give them to the directly (via print out or text, whatever) and let them enter it to directly to connect to the secure WLAN.
As another thought, if you do have an all Windows devices then you maybe able to control the WLAN preferences by group policy. I found this link (albeit a little old) which looks useful and might help set up a policy to push users towards the secure WLAN http://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/
I'm not sure if something similar to group policy in Windows could be done in iOS or MACs. This https://support.apple.com/en-us/HT202831 suggests that iOS devices should prefer secure networks, but only when signal level falls away or a re-connection is required. If that is the case a power cycle of the iOS device, enabling flight mode briefly or making the provisioning WLAN only available during certain hours or in certain areas may work for you.
Lastly, there is my initial suggestion- just "forget" the initial provisioning network once the client is connected or turn it off once all clients are setup.
Those are my thoughts and I hope they are useful to you.
Regards, Andy.

waqar_aamer · ‎10-02-2015

Hi Andy,

Thank you for detailed reply and valuable inputs. I think if we include this procedure in "how to" guide for users, to disable wifi after having certificate installed once connected to "provision network", would solve the problem. Users get moved to secure network according to configured role if disable/enable wifi adaptor after certificate is installed.

we have a windows environment and can also control from group policy or generate manual keys and provide each user but I still think the idea of disabling the wifi adaptor is far more easy and involve less administration than maybe generating keys and providing them to every user. But I will definitely be thinking on these lines too.

Thank you so much for your time and suggestions.

Anusha_Vemula · ‎10-01-2015

Hi Vick,

I am not sure with which device you are facing this issue.

However from your description, I believe that the device is not officially supported for Zero-IT configuration. In this case, we will manually provision the client like what you did.

Check the release notes of the firmware version running on your ZD for the Zero-IT Compatible devices.

- Anusha

waqar_aamer · ‎10-01-2015

Hi Anusha,

I tried with different models (Dell latitude 6230, 6330, 6430) but same result. I have to either disable and enable wireless to have it connected with secure network after certificate is installed or forget the "provisioning network". Though after this extra step i am able to achieve result but it should work automatically and move user to secure network.

jay_files · ‎10-06-2015

Hi Vick,

This sounds like a known issue with iOS devices that is noted in the ZD Release Notes. It's been a known issue for a long time, and it looks like something that we can't fix - it's a limitation of the OS.

If you're having the same issue with Dell notebooks (Windows 7 I assume), then it may be a different issue, in which case I suggest you could contact Support and ask them to file a new bug for it.

Cheers,

Jay Files
Technical Writer
Ruckus Wireless, Inc.

CommScope RUCKUS Community Forums

Zero IT Certificate - Zonedirector 3000