CommScope RUCKUS Community Forums

paul_andrew_ram · ‎08-18-2021

Good day!

Our firm is looking into implementing 802.1X authentication for our Wi-Fi and it happened that we are using Ruckus vSZ. Looking to shed some light on what are the things that we exactly need in order to be able to implement this one properly. To add to this, we also have Apple devices (Mac's and Ipad's) that will need to work on this project as well. Another thing is that we also have a guest Wi-Fi, do we need to include that as well when this change has been implemented or we can keep the same traditional password based authentication for this?

Basing it from the guide that I found and from what I understand is that we will need the following. Any other input will be appreciated. Thank you.

SSL Certificate

NPS/Radius

Active Directory

Reference link: https://www.commscope.com/globalassets/digizuite/1609-6-appnote-configuring-802-1x-with-windows-serv...

syamantakomer · ‎08-20-2021

Hi Paul,

For a secure network (and or automated, if required), you need below network resources.

For controller:

CA signed SSL certificate for Controller web server and all web hosted services running on the controller like captive portal based SSID.

For client connection:

For authentication (AAA):
- Radius/NPS server with a certificate assigned to it (self signed cert will also work)
- Identity server (AD, LDAP)
- If you want to use strongest security for client connection, certificate based authentication is advised (TLS). For this you will also need a certificate manager, which can provide user certificates to end user devices. Like a domain server which can push the certificates to end devices upon domain join.
- For managing MAC devices, you may need additional server for certificate management.

Or

You can simply use Ruckus Cloudpath which can do all the above.
- Identity server.
- Radius
- 3rd party AAA and Identity server integration
- Captive portal.
- Certificate manager.
- User onboarding for guest (BYOD) and staff (Secured) client.
- And many more options.
- Cloud hosted Cloudpath and on-premises, both solution type are available.

To know more about Cloudpath, refer the product link from here.

View solution in original post

syamantakomer · ‎08-26-2021

@paul_andrew_ramos

Refer my response below.

Just wondering, which of the following service will this fall into in this case.

[Syamantak] All of them.

Management Web—Used by Web UI and Public API traffic.
AP Portal—Used by Web Auth WLAN and Guest Access WLAN control traffic.
Hotspot (WISPr)—Used by WISPr WLAN control (Northbound Interface, Captive Portal, and Internal Subscriber Portal) traffic.
Communicator—Used by AP control traffic.

Correct me if I am wrong but these are the things that we will need in order to get this rolling.

Cert for the controller. || Just one CA signed certificate if you want to make user experience better and secure the communication for all the web based services like controller GUI, AP portal, WIPSr auth, etc. Please note that it is not mandatory to have a CA signed cert, system will still work with its default certificate.
Cert for the clients that will come from the DC (Another cert for the NPS/Radius itself?) || You have windows server already, just install certificate manager services and you can generate self signed cert for radius server and same server can also generate certs for end user devices for EAP-TLS.
AD - For the user group/security group. || Yes, this is required for identity management.
NPS - For the connection request policies. || Yes
SSID config for the 802.1X auth from the controller. || Yes, you have to first configure AAA server profile in controller and same will be used in WLAN configuration with 802.1X auth.

eizens_putnins · ‎08-31-2021

Yes this is what you need. You also need to decide what kind or Radius authentication you want to use. The simplest to realise is to use of password authentication, it just requires some configuration on NPS and on SZ, but the most secure way is to use certificates for authentication.

Wireless configuration is almost the same in both cases, but to use certificates you need to setup properly MS infrastructure to to generate and distribute user and computer certificates. It is well documented, but requires some planning work, and as any Microsoft solution, may get complicated without obvious reason...

In all cases, there is not that much to configure on Smartzon part itself, as SZ works just as a autrhentication proxy and actual authentication is done by NPS.

paul_andrew_ram · ‎09-13-2021

Thanks for your input @syamantak_omer and appreciate it.

paul_andrew_ram · ‎09-13-2021

@eizens_putnins Thanks for your response and we will go for the certificate based as the office has been using the traditional password setup for quite some time now and our InfoSec has been on the watch on this matter. I agree that chunk of work will be on the MS side which will fall on our System Admins team as we are separate from them and they are already aware on what is needed on their end and what will be done on our end as well and we will be looking into implementing this within the next couple of weeks or months to say the least.

syamantakomer · ‎09-14-2021

@paul_andrew_ramos glad to help you!

CommScope RUCKUS Community Forums

Implementing 802.1X using vSZ-E