
5 Messages • 168 Points

Wed, Aug 18, 2021 7:08 AM

Implementing 802.1X using vSZ-E

Good day!

Our firm is looking into implementing 802.1X authentication for our Wi-Fi, and it happens that we are using Ruckus vSZ. Looking to shed some light on what exactly we need in order to implement this properly. To add to this, we also have Apple devices (Macs and iPads) that will need to work on this project as well. Another thing is that we also have a guest Wi-Fi; do we need to include that as well when this change has been implemented, or can we keep the same traditional password-based authentication for it?

Based on the guide that I found and from what I understand, we will need the following. Any other input will be appreciated. Thank you.

  • SSL Certificate
  • NPS/RADIUS
  • Active Directory

Reference link: https://www.commscope.com/globalassets/digizuite/1609-6-appnote-configuring-802-1x-with-windows-server-2008-usletter.pdf

Responses

Accepted Solution (Official Solution)

Official Rep • 1.2K Messages • 16.6K Points

Hi Paul,

For a secure network (and/or an automated one, if required), you need the network resources below.

For controller:

  • CA-signed SSL certificate for the controller web server and all web-hosted services running on the controller, such as captive-portal-based SSIDs.

For client connection:

  • For authentication (AAA):
    • RADIUS/NPS server with a certificate assigned to it (a self-signed cert will also work)
    • Identity server (AD, LDAP)
    • If you want to use the strongest security for client connections, certificate-based authentication is advised (TLS). For this you will also need a certificate manager, which can provide user certificates to end-user devices, such as a domain server that pushes the certificates to end devices upon domain join.
    • For managing Mac devices, you may need an additional server for certificate management.

Or

  • You can simply use Ruckus Cloudpath which can do all the above.
    • Identity server.
    • Radius
    • 3rd party AAA and Identity server integration
    • Captive portal.
    • Certificate manager.
    • User onboarding for guest (BYOD) and staff (Secured) client.
    • And many more options.
    • Cloud-hosted Cloudpath and on-premises: both solution types are available.

To know more about Cloudpath, refer to the product link here.

5 Messages • 168 Points

@syamantak_omer

Just to check and clarify a couple of things.

  • CA-signed SSL certificate for the controller web server and all web-hosted services running on the controller, such as captive-portal-based SSIDs. - Will this still be needed if the AP that is connected to the controller will be configured with an SSID to communicate with NPS/RADIUS, to be able to cross-check the certificate that has been pushed out to the machines?

  • For managing Mac devices, you may need an additional server for certificate management. - This is also what we are looking at, if we will just manually push a cert to the Mac devices, but we will still double-check as they are being managed in Jamf.

Also, if this makes sense, would you reckon using one cert for many devices, or a cert per device?

Official Rep • 1.2K Messages • 16.6K Points

Hi Paul,

The CA-signed cert for the controller has nothing to do with RADIUS/802.1X auth.

Please do not confuse the controller web cert with the client cert required for EAP-TLS. The two are different.

For the controller web and other services, you can use a wildcard certificate, or create a CSR from the controller and get it signed by any public CA.

For user certs, you need a certificate manager, like a Windows domain controller or other certificate managers, which will create certs for users and push them to user devices.

As I have explained before, Cloudpath can help you with all the client-related certificate, authentication and guest/staff provisioning. Otherwise you have to build each server separately and configure them to work with the controller.

Regards,

Syamantak Omer

5 Messages • 168 Points

@syamantak_omer 

Alrighty, now I get the point with regards to the controller having a cert of its own and that can be generated from the controller itself.

Just wondering, which of the following services will this fall into in this case?

  • Management Web—Used by Web UI and Public API traffic.
  • AP Portal—Used by Web Auth WLAN and Guest Access WLAN control traffic.
  • Hotspot (WISPr)—Used by WISPr WLAN control (Northbound Interface, Captive Portal, and Internal Subscriber Portal) traffic.
  • Communicator—Used by AP control traffic.

We will be shying away from Cloudpath, as we will be looking into lessening expenses and building on what we currently have, as we already have Windows Server that can cater for the other things needed.

Correct me if I am wrong but these are the things that we will need in order to get this rolling.

  1. Cert for the controller
  2. Cert for the clients that will come from the DC (Another cert for the NPS/Radius itself?)
  3. AD - For the user group/security group
  4. NPS - For the connection request policies
  5. SSID config for the 802.1X auth from the controller

Official Rep • 1.2K Messages • 16.6K Points

@paul_andrew_ramos 

Refer to my responses below.

Just wondering, which of the following service will this fall into in this case.

[Syamantak] All of them.

  • Management Web—Used by Web UI and Public API traffic.
  • AP Portal—Used by Web Auth WLAN and Guest Access WLAN control traffic.
  • Hotspot (WISPr)—Used by WISPr WLAN control (Northbound Interface, Captive Portal, and Internal Subscriber Portal) traffic.
  • Communicator—Used by AP control traffic.

Correct me if I am wrong but these are the things that we will need in order to get this rolling.

  1. Cert for the controller. || Just one CA-signed certificate, if you want to make the user experience better and secure the communication for all the web-based services like the controller GUI, AP portal, WISPr auth, etc. Please note that it is not mandatory to have a CA-signed cert; the system will still work with its default certificate.
  2. Cert for the clients that will come from the DC (Another cert for the NPS/Radius itself?) || You have Windows Server already; just install the certificate manager services and you can generate a self-signed cert for the RADIUS server, and the same server can also generate certs for end-user devices for EAP-TLS.
  3. AD - For the user group/security group. || Yes, this is required for identity management.
  4. NPS - For the connection request policies. || Yes
  5. SSID config for the 802.1X auth from the controller. || Yes, you have to first configure AAA server profile in controller and same will be used in WLAN configuration with 802.1X auth.

Regards,

Syamantak Omer
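As an added lab example (not code from the thread, and not a Ruckus, CommScope or Microsoft tool), the POSIX shell script below uses openssl to build the three certificate roles the replies keep apart: a root CA standing in for the Windows certificate services, a RADIUS/NPS server certificate, a controller web certificate, and one device's EAP-TLS client certificate. It then runs `openssl verify -purpose` to show that a chain to the CA is not enough: the controller web cert and the NPS cert are rejected for the client role, and the client cert is rejected for the server role, which is the distinction the replies draw between the controller cert and the EAP-TLS client cert. All hostnames, the CA name and the user identity are made-up placeholders; the only assumption is that `openssl` (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added lab example, not code from the thread or from Ruckus/CommScope: a throwaway
# private PKI with the three certificate roles the replies keep apart. Every name
# (lab.example hosts, "Lab Root CA", user "paul") is a made-up placeholder.
set -eu

WORK="${PKI_WORKDIR:-$(mktemp -d)}"   # scratch directory; override with PKI_WORKDIR

# Minimal openssl config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Issue one leaf certificate signed by the lab CA.
# $1 = file stem, $2 = subject DN, $3 = extendedKeyUsage, $4 = subjectAltName
issue_leaf() {
    stem=$1; subject=$2; eku=$3; san=$4
    openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" -subj "$subject" 2>/dev/null
    {
        printf '[leaf]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical,digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage = %s\n' "$eku"
        printf 'subjectAltName = %s\n' "$san"
    } > "$WORK/$stem.ext"
    openssl x509 -req -in "$WORK/$stem.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$stem.ext" -extensions leaf \
        -out "$WORK/$stem.crt" 2>/dev/null
}

build_pki() {
    write_config
    # 1. Lab root CA: stands in for the Windows certificate services the reply mentions.
    openssl req -x509 -new -config "$WORK/lab.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -days 3650 -subj "/CN=Lab Root CA (hypothetical)" 2>/dev/null
    # 2. RADIUS/NPS server certificate: serverAuth, the cert supplicants validate inside EAP.
    issue_leaf radius "/CN=nps.lab.example" serverAuth "DNS:nps.lab.example"
    # 3. Controller web certificate: also serverAuth, but only for the vSZ GUI and portals.
    issue_leaf controller "/CN=vsz.lab.example" serverAuth "DNS:vsz.lab.example"
    # 4. One device's EAP-TLS client certificate: clientAuth, identity carried as a UPN SAN
    #    (the Microsoft UPN otherName OID, which is what NPS matches against AD).
    issue_leaf user "/CN=paul-macbook" clientAuth \
        "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:paul@lab.example"
}

# Exit 0 if the named cert chains to the lab CA and is acceptable for the purpose:
# sslclient = EAP-TLS client side, sslserver = RADIUS or web server side.
cert_ok_for() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

build_pki
for cert in radius controller user; do
    for purpose in sslserver sslclient; do
        if cert_ok_for "$purpose" "$cert"; then verdict=OK; else verdict=REJECTED; fi
        printf '%-10s as %-9s : %s\n' "$cert" "$purpose" "$verdict"
    done
done
```

The script keeps everything in a scratch directory so it can be run and discarded. In a real deployment the same separation applies: the supplicant must trust the CA that issued the NPS certificate, the NPS server must trust the CA that issued the client certificates, and the controller's web certificate plays no part in either check.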

437 Messages • 5.5K Points

Yes, this is what you need. You also need to decide what kind of RADIUS authentication you want to use. The simplest to realise is password authentication; it just requires some configuration on NPS and on SZ, but the most secure way is to use certificates for authentication.

Wireless configuration is almost the same in both cases, but to use certificates you need to set up the MS infrastructure properly to generate and distribute user and computer certificates. It is well documented, but requires some planning work, and as with any Microsoft solution, may get complicated without obvious reason...

In all cases, there is not that much to configure on the SmartZone part itself, as SZ just works as an authentication proxy and the actual authentication is done by NPS.
