Guest access not working after 9.7 upgrade

  • 5
  • Question
  • Updated 10 months ago
  • Answered
After my upgrade to 9.7 Guess pass/ Guess access no longer works. When connecting to the guest SSID it connects but the authentication web page fails to load.

Upon trying to access external outside resources via web browser I get a redirect as expected but it redirects to here:
http://zonedirector.companyname.com/u...

This doesn't work so well.

If I type in the URL it also fails. If I type in the IPaddress/guestpass it works for one of the IP addresses (I'm running smart redundancy on my 1100's).

For troubleshooting steps I've failed over to the other ZD (to change primary) - no change. I've also rebooted both ZD's - no change.

Any suggestions?

Anyone else encounter this?

Thanks
Photo of Todd

Todd

  • 53 Posts
  • 7 Reply Likes
  • frustrated

Posted 4 years ago

  • 5
Photo of Keith - Pack Leader

Keith - Pack Leader

  • 860 Posts
  • 51 Reply Likes
This looks like a confirmed bug. The workaround is as you've discovered, but in a SR topology it's obviously not ideal. If you open a support case, we can let you know when other fixes are available. Downgrade to 9.6 corrects the issue if you don't need any of the features in 9.7
Photo of Todd

Todd

  • 53 Posts
  • 7 Reply Likes
I was hesitant moving forward with this upgrade. I even called support the night I performed the upgrade (1-9-2014) and was not warned about guest access by the technician. I was watching the forums, I had read all the release notes, the upgrade documents, etc... and there was no mention of guest access issues.

Also I realized I typed the URL incorrectly above it should be: IPADDRESS/user/index.jsp NOT IPADDRESS/guestpass.

Is there a way to get a list of identified bugs before upgrading?

Is there any kind of an ETA on an patch version? I really don't want to roll back to 9.5.1 and then upgrade again to 9.6.x . Also again I don't know what bugs I'd be inheriting with 9.6.x
Photo of Martin Kane

Martin Kane

  • 72 Posts
  • 7 Reply Likes
Thanks for the warning! I am not sure that I can downgrade in my present climate, so will have to get a workaround. ETA of fix would be appreciated, Keith! :)
Photo of Keith - Pack Leader

Keith - Pack Leader

  • 860 Posts
  • 51 Reply Likes
Ouch, sorry about that. You did your upgrade almost exactly when engineering was able to confirm the bug (timestamp of the update..1/9/14 11:57pm).

Right now, for 9.7, I'm aware of 2, and this (above) is the only "serious" one I am aware of for ZD controlled systems.

Please open a support case so we can aggregate the requests and work on getting a "patch" available (a patch is an issue-specific build with basic quality tests, but not full regression, an MR is a fully tested build that will contain multiple patches). The first MR of 9.7 is still some weeks away.
Photo of Rob Coote

Rob Coote

  • 37 Posts
  • 7 Reply Likes
This reply was created from a merged topic originally titled
ZeroIT redirect not working since 9.7 update.


Apologies in advance for the generic nature of this question but I have not been able to pinpoint a specific device, OS or browser that this is impacting.

I upgraded both our ZD3000's to 9.7 over the holidays and since then I have had a steady trickle of users complaining that the login redirect for the activation SSID does not work.

They are able to connect to the activation SSID, but when attempting to browse to any url, expecting the authentication redirect, the browser goes nowhere.

Manually typing in the url works.

So far I have reports of iOS devices, Windows 7 and Android doing this, with various browsers.

I have tested in my office with several devices and can't replicate the issue.

I was wondering if anyone else may have run into this with 9.7? I am loathe to roll back to 9.6 without further info as we would really like to start using the Bonjour Gateway features.

Rob
Photo of Martin Kane

Martin Kane

  • 72 Posts
  • 7 Reply Likes
DId some testing today - and it seems to work fine for me - at least for Guest Passes generated under the old firmware. Haven't tried generating new Guest Passes in the new firmware to see whether they work.
Photo of Rob Coote

Rob Coote

  • 37 Posts
  • 7 Reply Likes
I haven't seen this as an issue with guest passes, but rather the DPSK generated via ZeroIT.
Photo of Rob Coote

Rob Coote

  • 37 Posts
  • 7 Reply Likes
Rolled back to 9.6 for now as support doesn't seem to have a fix. Fingers crossed for a 9.7 patch...
Photo of Keith - Pack Leader

Keith - Pack Leader

  • 860 Posts
  • 51 Reply Likes
Yes, with Smart Redundancy we don't have any other workaround (using IP instead of FQDN works otherwise). We have escalated with engineering, and we believe they have everything needed to construct a patch release.
Photo of Martin Kane

Martin Kane

  • 72 Posts
  • 7 Reply Likes
I wonder if this has something to do with my iOS 6 problem where going to http://(ZoneDirectorIP)/activate just sits there. OR sometimes opens up the JSP but then remains blank?
Photo of Michael Brado

Michael Brado, Official Rep

  • 1996 Posts
  • 280 Reply Likes
Bug ER-1171: Guest Access redirect loop on 9.7.0.0.220, is the bug Keith refers to
which contains this following information. You can revert to 9.6.2 which has no
problem for SR ZDs, or use multiple certs with the real IPs of the two ZDs. - mwb

There are two workarounds for this problem:

1. If customer is happy to use 9.6.2, they can downgrade ZD to 9.6.2. Redirect with ZD management IP is working fine in 9.6.2

2. If customer wants to stay on 9.7, they can import different certificate on each ZD. For example ZD1 has FQDN zd1.wifi.com, ZD2 has FQDN zd2.wifi.com, also in DNS server, map zd1.wifi.com to ZD1 device IP address, map zd2.wifi.com to ZD2 device IP address. This setup will workaround management interface. But it requires two certificate, or wildcard certificate.

Wildcard Certificate Installation:

A wildcard certificate is a generic certificate that can be used for devices in a specific domain. This is useful for Smart Redundancy installations where you have two ZoneDirectors. You can purchase and install two certificates, or use a wildcard certificate.

When you try to import a wildcard certificate, the ZoneDirector will notify you that it does not have the matching private key. At this point, click on the "click here" link to import the private key. Once the private key is imported, try to import the certificate again. The ZoneDirector will prompt you for the host name. Enter the hostname and ensure that your DNS server is configured to resolve that name to the IP address of ZoneDirector.

Wildcard Certificates In Smart Redundancy With Captive Portals

In order to prevent redirect loops when deploying SSL certificates in a Smart Redundant configuration with Guest Access, Web Portal and Hotspot captive portals, use the following wildcard certificate procedure:

1. Purchase or generate a self-signed wildcard certificate such as *.acompany.com and install it on both ZoneDirectors in the Smart Redundant pair.

2. In DNS, add 3 host/IP entries similar to the following

◦ management.acompany.com; 192.168.0.100: This is the FQDN you wish to use for reaching the shared virtual management interface and is mapped to its configured IP address.

◦ primary-zd.acompany.com; 192.168.0.98: This is the FQDN for the primary ZD controller and its physical IP address.

◦ backup-zd.acompany.com; 192.168.0.99: This is the FQDN for the backup ZD controller and its physical IP address

3. When you import the wildcard certificate into the ZoneDirectors you will be prompted to enter the host name – make sure you use the same host name as you will advertise in DNS for that ZoneDirector (the default is the same configured ZoneDirector name).
Photo of Eric Vollbrecht

Eric Vollbrecht

  • 1 Post
  • 0 Reply Likes
This appears to still be an issue in 9.9.

We are pointing guest users to external DNS servers and not our internal. If we could update the address that it is getting redirected to and set it to the IP that would be fine.
Photo of Vangelis Patsalis

Vangelis Patsalis

  • 1 Post
  • 0 Reply Likes
Hi guys. We just upgraded our ZD (in smart redundancy) and we have the exact same issue with guest access.

Any resolution yet?

We have a certificate with a single name.

In our DNS instead of pointing to a virtual IP, we are now pointing to the primary ZD and completely ignoring the existence of the secondary ZD (its still on the network and all).

Anybody found a solution?
Photo of Todd

Todd

  • 53 Posts
  • 7 Reply Likes
So here's where I'm at.  Currently running 9.7.1.0 build 30 on 2 ZD1100's in smart redundancy and everything is working just fine.

The thing that seemed to fix all my issues with my ZoneDirectors was to backup the settings and perform a factory reset of each of the units.  Then reapply the backed-up settings and then performed my upgrades.  I did not need to perform the work around(s) that have been suggested.

FYI, I did an upgrade on my lab units yesterday from 9.9 to 9.10 (ZD1100's) and I was able to do it without breaking the Smart Redundancy.  It went very well, finally!

I'd recommend contacting Ruckus before wiping your ZD's and ask the appropriate questions.  I don't want to be the cause of someones environment going down.

Best of luck!  I'd be curious to hear if other peoples issues are resolved also by resetting to factory defaults and reapplying backup settings.
Photo of Richard Marshall

Richard Marshall

  • 1 Post
  • 0 Reply Likes
Had the same issue on about 4 ZD1100's all running different versions of firmware 9.7 - 9.10.  Firmware upgrades alone didn't make a difference and neither did a factory reset and restoring from backup.  I had to do a factory reset and configure the ZD from scratch, not ideal solution but gets the captive portal redirect working again.