
MAC address authentication on Ruckus Smartzone-E 3.6

deepak_kumar_1
New Contributor II
I am looking for a solution for MAC address authentication on Ruckus SmartZone-E 3.6 with a RADIUS server. Is it possible in version 3.6?

Regards,
Deepak Kumar

27 REPLIES

It doesn't need to be in-line (but the question is whether the users will be able to reach the PacketFence portal / DHCP server for the registration VLAN or not).

Can you provide more details on your topology?

I have smartzone working with radius auth but indeed, for registration purposes, the portal is served directly by packetfence as PF assigns the registration vlan to unknown devices.

If your PF can't be near the clients at all (say, it's hosted on the internet) then yes, WISPr / hotspot is probably your only option. I haven't used this mechanism yet.

Yes Diego, there is a central location and remote locations, so my PF server will be in my DMZ (a type of LAN area) and acting like an "internet" server for the remote locations, as a common hotspot would be. I think that the problem is the PF using the wrong port (default transport ports, HTTP or HTTPS) for web services instead of, as the Ruckus WISPr document refers, 9080 for HTTP and 9443 for HTTPS. I am trying to see where to change it and try again to see if there is communication between them or not.

I need to test the WISPr / hotspot mechanism. Look at this guide:

https://support.purplewifi.net/en/support/solutions/articles/1000128387-ruckus-smartzone-managed-

You can specify the full redirection URL in SmartZone so it should be OK on PF.

One thing: make sure you enabled the "captive portal" interface on the management NIC in PF. Otherwise it won't listen on that NIC and only on the "inline" NIC.

if you try to access the portal url directly, from a regular browser anywhere, does it open?

Thanks Diego. It confirms my direction: at the end of the guide it says that the firewall needs to forward traffic to the HTTP WISPr port of the SZ, 9080, so in the PF it needs to have this "specific" port set in the SmartZone switch "settings". In my case, the portal is being opened, the client is able to go through the registration process, but the user still stays as unauthorized in the SmartZone, because there is no message coming back from the PF.

Hi Rafael. The last authorization is via API, not back to the portal. There are a few things to check: you need to be sure that you have an API username / password on SmartZone, and that you're either using the non-HTTPS (non-SSL) port for the API or that your SmartZone has a valid certificate and that the API URL configured in PF is using DNS matching the certificate.
PacketFence uses port 9443 by default, so it's always SSL. But it seems it ignores the certificate check. Regardless, port 9443 has to be open on your SZ and reachable from PF. Is that the case?

you can run tcpdump on your PF server to see if the api call is being made.. or change this file: 

/lib/pf/Switch/Ruckus/SmartZone.pm
on this line

my $res = $ua->post("https://$controllerIp:9443/portalintf", Content => $payload, "Content-Type" => "application/json");

and change port 9443 to 9080 and then run tcpdump to capture port 9080 and see if you're getting an API error or something

tcpdump -i eth0 -vv -nn -A tcp port 9080 and host 

(change eth0 to match your PF's IP)

see in your PF logs if you see anything similar to this: "Failed to contact Ruckus for deauthentication"

good luck!
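
The reachability and certificate questions raised in the reply above can be checked from the PacketFence host before touching SmartZone.pm. The following is an added example, not part of the thread and not PacketFence or Ruckus code; the function names and the host `smartzone.example.net` are hypothetical, and only ports 9443 and 9080 come from the thread.

```python
import socket
import ssl

# Ports named in the thread: 9443 (HTTPS) and 9080 (HTTP) on the SmartZone.
PORTAL_PORTS = (9443, 9080)


def probe_port(host, port, timeout=3.0):
    """Classify one controller port as seen from this machine.

    Returns 'unreachable', 'not-tls', 'tls-cert-invalid' or 'tls-ok'.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, filtered or unroutable: fix firewall/routing first.
        return "unreachable"
    with raw:
        # The default context checks both the chain and the hostname, i.e. the
        # "valid certificate + matching DNS name" condition from the thread.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-ok"
        except ssl.SSLCertVerificationError:
            # TLS is spoken, but a strict client would reject the certificate.
            return "tls-cert-invalid"
        except (ssl.SSLError, OSError):
            # Open, but no TLS handshake completed (expected for HTTP on 9080).
            return "not-tls"


def probe_controller(host, ports=PORTAL_PORTS):
    """Probe every portal port and return {port: status}."""
    return {port: probe_port(host, port) for port in ports}


if __name__ == "__main__":
    # Hypothetical controller name; replace with your SmartZone's DNS name.
    for port, status in probe_controller("smartzone.example.net").items():
        print(f"{port}: {status}")
```

Run it from the PF server itself, since a result from any other machine says nothing about the firewall path the API call takes.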