I work for a School District that has 27 physical sites and over 7000 users. Currently, to make our end user experience easy, we have simply set up a PSK WPA2 SSID for BYOD users to connect to. We have not been using the Ruckus captive portal to auth users. Our firewall (FortiGate) is currently doing its own captive portal to allow users access.
This has become a strain on our Firewall and we are looking to reduce the workload caused by the authentication requests and identity based policies on the firewall.
We have discussed using the Ruckus captive portal and a long grace period (7 days) to limit the amount of re-authentication the end user must do, and I can't quite find the info I am looking for in the docs. So here is my scenario:
UserA's Device Connects to BYOD SSID and authenticates via Ruckus Captive Portal to a RADIUS AAA server using AD User Credentials, RADIUS rule validates membership of AD Group "Has Wireless Access"
UserA's Device will be able to reconnect to the Wireless without requiring re-authentication within 7 days.
UserA happens to live within Wireless distance of the School Site so UserA's device is basically able to remain connected 24x7.
UserA graduates from School, the AD Account is removed, and UserA would no longer be able to connect new devices using their defunct credentials.
How do you deal with the existing connected device once UserA departs?
Can the UserA's device be disconnected by simply removing them from the "Has Wireless Access" group that RADIUS checks?
Does the Ruckus Controller recheck the RADIUS login validity?
One additional caveat is that at any time I need to know the IP of the device and the associated user for up to 90 days after. I believe RADIUS Accounting will allow me to record this info; however, I am unsure how reconnects using the Grace Period would be reported, especially if the IP changes due to short DHCP leases.
I realize that many might say that I should be using an 802.1X user-based SSID for this, but management feels that this would be over-complicated even though it is pretty much a one-time setup.
Also, we do not feel that DPSK is an option, as that requires manually revoking the DPSK to disconnect the user.
Does Ruckus provide any type of API access to the ZoneDirector? If it was possible then I could easily integrate a call to the ZoneDirector from my User Provisioning system to deauth any devices.
Thanks, I know this is long and may spur some conversation hopefully.
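The accounting question above (who held which IP, and when, across reconnects and DHCP address changes) is the one part of this post that can be worked through in code. The following is an added example, not from the original post or from Ruckus: it takes RADIUS accounting records, flattened to one key=value line each, and builds an IP-to-user timeline that survives an address change inside one session. It assumes the controller sends Start, Interim-Update and Stop records carrying User-Name, Calling-Station-Id, Acct-Session-Id and Framed-IP-Address; whether a grace-period reconnect produces a fresh Start is exactly what the post asks and is not answered here. The log lines and hostnames are constructed.

```python
"""Map Framed-IP-Address to user and MAC over time from RADIUS accounting.

Added example (not from the original post). Assumes the NAS emits
Start / Interim-Update / Stop accounting records that include
User-Name, Calling-Station-Id, Acct-Session-Id and Framed-IP-Address.
Whether a captive-portal grace-period reconnect yields a new Start
record is an open question from the post and is not assumed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample accounting records: "<timestamp> key=value ..." per line.
# Session s1 changes IP mid-session (short DHCP lease), then stops; s2 reuses
# the first IP and is still open (no Stop yet).
SAMPLE_ACCOUNTING = """\
2024-03-01T08:00:00Z Acct-Status-Type=Start User-Name=usera Calling-Station-Id=AA-BB-CC-DD-EE-01 Acct-Session-Id=s1 Framed-IP-Address=10.1.5.23
2024-03-01T08:30:00Z Acct-Status-Type=Interim-Update User-Name=usera Calling-Station-Id=AA-BB-CC-DD-EE-01 Acct-Session-Id=s1 Framed-IP-Address=10.1.5.23
2024-03-01T09:00:00Z Acct-Status-Type=Interim-Update User-Name=usera Calling-Station-Id=AA-BB-CC-DD-EE-01 Acct-Session-Id=s1 Framed-IP-Address=10.1.5.77
2024-03-01T10:00:00Z Acct-Status-Type=Stop User-Name=usera Calling-Station-Id=AA-BB-CC-DD-EE-01 Acct-Session-Id=s1 Framed-IP-Address=10.1.5.77
2024-03-01T10:05:00Z Acct-Status-Type=Start User-Name=userb Calling-Station-Id=AA-BB-CC-DD-EE-02 Acct-Session-Id=s2 Framed-IP-Address=10.1.5.23
"""


def ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp like 2024-03-01T08:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Lease:
    user: str
    mac: str
    session: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open

    def covers(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


def parse_record(line: str) -> dict:
    stamp, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["timestamp"] = ts(stamp)
    return rec


def build_timeline(text: str) -> List[Lease]:
    """Turn accounting records into (user, mac, ip, start, end) intervals."""
    records = sorted(
        (parse_record(l) for l in text.splitlines() if l.strip()),
        key=lambda r: r["timestamp"],
    )
    open_leases: Dict[str, Lease] = {}   # keyed by Acct-Session-Id
    leases: List[Lease] = []
    for r in records:
        sid, at, status = r["Acct-Session-Id"], r["timestamp"], r["Acct-Status-Type"]
        ip = r.get("Framed-IP-Address")
        current = open_leases.get(sid)
        if status in ("Start", "Interim-Update") and ip:
            if current is not None and current.ip != ip:
                # Same session, new address: close the old interval at this record.
                current.end = at
                current = None
            if current is None:
                # Also handles a lost Start: the first Interim-Update opens the lease.
                current = Lease(r["User-Name"], r["Calling-Station-Id"], sid, ip, at, None)
                open_leases[sid] = current
                leases.append(current)
        elif status == "Stop" and current is not None:
            current.end = at
            del open_leases[sid]
        # A Stop with no matching open session is ignored here; log it in production.
    return leases


def who_had_ip(leases: List[Lease], ip: str, at: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, mac, session) for every lease holding `ip` at time `at`."""
    return [(l.user, l.mac, l.session) for l in leases if l.ip == ip and l.covers(at)]


def prune_older_than(leases: List[Lease], now: datetime, days: int = 90) -> List[Lease]:
    """Keep only leases still open or ended within the retention window."""
    cutoff = now - timedelta(days=days)
    return [l for l in leases if l.end is None or l.end >= cutoff]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_ACCOUNTING)
    for lease in timeline:
        print(lease)
    print(who_had_ip(timeline, "10.1.5.23", ts("2024-03-01T10:30:00Z")))
```

The interval for a still-open session has no end, so a lookup after the last record still returns the last known holder; that is the right answer for an always-connected device near the site, but it is also why a missing Stop (or a grace-period reconnect that never produces a Start) will silently misattribute an address reused by the next client. Verify against the controller what it actually sends before relying on this for the 90-day requirement.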
Patrick, we don't recommend some of your suggested "workarounds", particularly with long authentication periods. 802.1X does provide greater administrative control and would allow you to remove graduated students. It might be best to discuss your security and accounting needs with your local VAR or Ruckus SE for a more complete solution.