cancel
Showing results for 
Search instead for 
Did you mean: 

Guest access not working after 9.7 upgrade

it_registration
Contributor
After my upgrade to 9.7 Guess pass/ Guess access no longer works. When connecting to the guest SSID it connects but the authentication web page fails to load.

Upon trying to access external outside resources via web browser I get a redirect as expected but it redirects to here:
http://zonedirector.companyname.com/u...

This doesn't work so well.

If I type in the URL it also fails. If I type in the IPaddress/guestpass it works for one of the IP addresses (I'm running smart redundancy on my 1100's).

For troubleshooting steps I've failed over to the other ZD (to change primary) - no change. I've also rebooted both ZD's - no change.

Any suggestions?

Anyone else encounter this?

Thanks
15 REPLIES 15

martin_kane
Contributor
I wonder if this has something to do with my iOS 6 problem where going to http://(ZoneDirectorIP)/activate just sits there. OR sometimes opens up the JSP but then remains blank?

michael_brado
Esteemed Contributor II
Bug ER-1171: Guest Access redirect loop on 9.7.0.0.220, is the bug Keith refers to
which contains this following information. You can revert to 9.6.2 which has no
problem for SR ZDs, or use multiple certs with the real IPs of the two ZDs. - mwb

There are two workarounds for this problem:

1. If customer is happy to use 9.6.2, they can downgrade ZD to 9.6.2. Redirect with ZD management IP is working fine in 9.6.2

2. If customer wants to stay on 9.7, they can import different certificate on each ZD. For example ZD1 has FQDN zd1.wifi.com, ZD2 has FQDN zd2.wifi.com, also in DNS server, map zd1.wifi.com to ZD1 device IP address, map zd2.wifi.com to ZD2 device IP address. This setup will workaround management interface. But it requires two certificate, or wildcard certificate.

Wildcard Certificate Installation:

A wildcard certificate is a generic certificate that can be used for devices in a specific domain. This is useful for Smart Redundancy installations where you have two ZoneDirectors. You can purchase and install two certificates, or use a wildcard certificate.

When you try to import a wildcard certificate, the ZoneDirector will notify you that it does not have the matching private key. At this point, click on the "click here" link to import the private key. Once the private key is imported, try to import the certificate again. The ZoneDirector will prompt you for the host name. Enter the hostname and ensure that your DNS server is configured to resolve that name to the IP address of ZoneDirector.

Wildcard Certificates In Smart Redundancy With Captive Portals

In order to prevent redirect loops when deploying SSL certificates in a Smart Redundant configuration with Guest Access, Web Portal and Hotspot captive portals, use the following wildcard certificate procedure:

1. Purchase or generate a self-signed wildcard certificate such as *.acompany.com and install it on both ZoneDirectors in the Smart Redundant pair.

2. In DNS, add 3 host/IP entries similar to the following

◦ management.acompany.com; 192.168.0.100: This is the FQDN you wish to use for reaching the shared virtual management interface and is mapped to its configured IP address.

◦ primary-zd.acompany.com; 192.168.0.98: This is the FQDN for the primary ZD controller and its physical IP address.

◦ backup-zd.acompany.com; 192.168.0.99: This is the FQDN for the backup ZD controller and its physical IP address

3. When you import the wildcard certificate into the ZoneDirectors you will be prompted to enter the host name – make sure you use the same host name as you will advertise in DNS for that ZoneDirector (the default is the same configured ZoneDirector name).

eric_vollbrecht
New Contributor
This appears to still be an issue in 9.9.

We are pointing guest users to external DNS servers and not our internal. If we could update the address that it is getting redirected to and set it to the IP that would be fine.

vangelis_patsal
New Contributor
Hi guys. We just upgraded our ZD (in smart redundancy) and we have the exact same issue with guest access.

Any resolution yet?

We have a certificate with a single name.

In our DNS instead of pointing to a virtual IP, we are now pointing to the primary ZD and completely ignoring the existence of the secondary ZD (its still on the network and all).

Anybody found a solution?

So here's where I'm at.  Currently running 9.7.1.0 build 30 on 2 ZD1100's in smart redundancy and everything is working just fine.

The thing that seemed to fix all my issues with my ZoneDirectors was to backup the settings and perform a factory reset of each of the units.  Then reapply the backed-up settings and then performed my upgrades.  I did not need to perform the work around(s) that have been suggested.

FYI, I did an upgrade on my lab units yesterday from 9.9 to 9.10 (ZD1100's) and I was able to do it without breaking the Smart Redundancy.  It went very well, finally!

I'd recommend contacting Ruckus before wiping your ZD's and ask the appropriate questions.  I don't want to be the cause of someones environment going down.

Best of luck!  I'd be curious to hear if other peoples issues are resolved also by resetting to factory defaults and reapplying backup settings.