CommScope RUCKUS Community Forums

paul_andrew_ram · ‎08-18-2021

Good day!

Our firm is looking into implementing 802.1X authentication for our Wi-Fi and it happened that we are using Ruckus vSZ. Looking to shed some light on what are the things that we exactly need in order to be able to implement this one properly. To add to this, we also have Apple devices (Mac's and Ipad's) that will need to work on this project as well. Another thing is that we also have a guest Wi-Fi, do we need to include that as well when this change has been implemented or we can keep the same traditional password based authentication for this?

Basing it from the guide that I found and from what I understand is that we will need the following. Any other input will be appreciated. Thank you.

SSL Certificate

NPS/Radius

Active Directory

Reference link: https://www.commscope.com/globalassets/digizuite/1609-6-appnote-configuring-802-1x-with-windows-serv...

syamantakomer · ‎08-20-2021

Hi Paul,

For a secure network (and or automated, if required), you need below network resources.

For controller:

CA signed SSL certificate for Controller web server and all web hosted services running on the controller like captive portal based SSID.

For client connection:

For authentication (AAA):
- Radius/NPS server with a certificate assigned to it (self signed cert will also work)
- Identity server (AD, LDAP)
- If you want to use strongest security for client connection, certificate based authentication is advised (TLS). For this you will also need a certificate manager, which can provide user certificates to end user devices. Like a domain server which can push the certificates to end devices upon domain join.
- For managing MAC devices, you may need additional server for certificate management.

Or

You can simply use Ruckus Cloudpath which can do all the above.
- Identity server.
- Radius
- 3rd party AAA and Identity server integration
- Captive portal.
- Certificate manager.
- User onboarding for guest (BYOD) and staff (Secured) client.
- And many more options.
- Cloud hosted Cloudpath and on-premises, both solution type are available.

To know more about Cloudpath, refer the product link from here.

View solution in original post

syamantakomer · ‎08-20-2021

Hi Paul,

For a secure network (and or automated, if required), you need below network resources.

For controller:

CA signed SSL certificate for Controller web server and all web hosted services running on the controller like captive portal based SSID.

For client connection:

For authentication (AAA):
- Radius/NPS server with a certificate assigned to it (self signed cert will also work)
- Identity server (AD, LDAP)
- If you want to use strongest security for client connection, certificate based authentication is advised (TLS). For this you will also need a certificate manager, which can provide user certificates to end user devices. Like a domain server which can push the certificates to end devices upon domain join.
- For managing MAC devices, you may need additional server for certificate management.

Or

You can simply use Ruckus Cloudpath which can do all the above.
- Identity server.
- Radius
- 3rd party AAA and Identity server integration
- Captive portal.
- Certificate manager.
- User onboarding for guest (BYOD) and staff (Secured) client.
- And many more options.
- Cloud hosted Cloudpath and on-premises, both solution type are available.

To know more about Cloudpath, refer the product link from here.

paul_andrew_ram · ‎08-23-2021

@syamantak_omer

Just to check and clarify a couple of things.

CA signed SSL certificate for Controller web server and all web hosted services running on the controller like captive portal based SSID. - Will this still be needed if you the AP that is connected from the controller will be configured with and SSID to communicate with NPS/Radius to be able to cross check the certificate that has been pushed out to the machines?

For managing MAC devices, you may need additional server for certificate management. - This is also what we are looking at if we will just manually push a cert to the MAC devices but we will still double check as they are being managed in Jamf.

Also if this does makes sense, would you reckon using a one cert to many devices or cert is per device?

syamantakomer · ‎08-25-2021

Hi Paul,

CA signed cert for controller has nothing to do with radius/802.1X auth.

Please do not get confused with controller web cert vs the client cert required for EAP-TLS. Both are different.

For controller web and other services, you can use a wildcard certificate or create a CSR from controller and get it signed by any public CAs.

For user certs, you need a certificate manager like Window domain controller or other certificate managers which will create certs for users and push it to user devices.

As I have explained before, Cloudpath can help you with all the client related certificate, authentication, guest/staff provisioning. Or you have to build each server separately and configure them to work with controller.

paul_andrew_ram · ‎08-26-2021

@syamantak_omer

Alrighty, now I get the point with regards to the controller having a cert of its own and that can be generated from the controller itself.

Just wondering, which of the following service will this fall into in this case.

Management Web—Used by Web UI and Public API traffic.
AP Portal—Used by Web Auth WLAN and Guest Access WLAN control traffic.
Hotspot (WISPr)—Used by WISPr WLAN control (Northbound Interface, Captive Portal, and Internal Subscriber Portal) traffic.
Communicator—Used by AP control traffic.

We will be shying away from Cloudpath as we will be looking into lessen expenses and build away on what we currently have as we already have Windows Server that can cater the other things needed.

Correct me if I am wrong but these are the things that we will need in order to get this rolling.

Cert for the controller
Cert for the clients that will come from the DC (Another cert for the NPS/Radius itself?)
AD - For the user group/security group
NPS - For the connection request policies
SSID config for the 802.1X auth from the controller

CommScope RUCKUS Community Forums

Implementing 802.1X using vSZ-E