MAC address authentication on Ruckus Smartzone-E 3.6

I am looking for a solution for MAC address authentication on Ruckus Smartzone-E 3.6 with a RADIUS server. Is it possible in version 3.6?

Regards,
Deepak Kumar

Deepak Kumar 1

Posted 2 years ago

Deepak Kumar 1
Yes, it is possible. It's confirmed.
Thomas Carter
Yes, we do this with PacketFence with a vSZ running 3.6.1.
Diego Garcia del Rio
Hi Thomas,

Which version of PF are you using? I also have a few sites with PacketFence and had to tweak it quite a bit.
Thomas Carter
We're running 5.4 and just transitioned to Ruckus this year. I believe I did have to make a small change to the Ruckus "switch" code in PF that I believe is resolved in the latest version of PF. We actually would have migrated to a newer PF but wanted to make one big change (migration to Ruckus) at a time.
Diego Garcia del Rio
Thanks! I'm on 8.1 and 7.5 at different schools, using ZoneDirector (on 7.5) and 8.1 with SmartZone 3.6.0. It would be good to talk off-line. I'm at dgarcia(at)mediatel.com.ar

Cheers!
Claudinir Carfaro
Hello! I need help. I am using virtual SmartZone 3.6.1 with PacketFence 8.1.0. After authentication I get the error:

Dec  5 16:07:50 packetfence pfqueue: pfqueue(4096) ERROR: [mac:9c:4e:36:9d:15:10] Failed to contact Ruckus for deauthentication: 500 Can't connect to xxx.xxx.xxx.xxx:9443 (certificate verify failed) (pf::Switch::Ruckus::SmartZone::deauthenticateMacWebservices)

even after running the no-encrypt command on the SmartZone controller.
Diego Garcia del Rio
Are you trying to do RADIUS de-auth or using web services? The error you're seeing seems to be tied to not having a proper cert on SmartZone. You can use port 9080 instead of 9443 for a non-TLS channel.
EightOhTwoEleven
We authenticate users for MAC authentication using AD servers and CloudPath (vSZ 5.0). Works like a charm.
Deepak Kumar 1
Hi,
Is it possible to share the NPS and AD server configuration guide? I have implemented AD username and password authentication many times, but MAC authentication is a first for me. If possible, any URL.
EightOhTwoEleven
This is basically our setup:
  1. Hotspot (WISPr) wireless LAN in vSZ (auth method MAC, no encryption), linked to hotspot portal
  2. Hotspot portal setup in vSZ to point to CloudPath
  3. AD server auth setup in CloudPath
  4. Workflow in CloudPath for register MAC address using AD auth servers
A lot of it is self-explanatory. And we don't use RADIUS for MAC auth, as it's not needed. We just use RADIUS for PEAP/TLS with certificates.
Hayder Al Windi
Hi EightOhTwoEleven,
Can you please share the workflow steps for setting up CloudPath to register MAC addresses using AD auth servers?
Scott Lu
We are running PacketFence/SZ with AD; SMS and local username/password work perfectly, but we have an email issue: PF/SZ couldn't "deauth" when the time is up. PF unregistered the client, but SZ still authenticated the client. Here is the error message from PF: "According to rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)".

Thanks,
Diego Garcia del Rio
Do you know if you're using RADIUS-based de-auth or web services? If using RADIUS, you have to use SmartZone as a RADIUS proxy and not do RADIUS directly from the APs. I am using RADIUS directly from the APs and de-auth via web services from PF to SZ. I had to make some small changes to PF, but nothing huge.
Eizens Putnins
Hello, dear Diego,
As I understand, you have a working combination of vSZ and PF.

I am stuck with the combination of vSZ v.5.1.2 and PF 9.0.1. Users get to the captive portal and get through the registration steps, even get the PF confirmation, but authentication on vSZ doesn't happen, and the connection to the Internet is not established.
It seems that PF isn't enabling the user through the web service. We use guest access without a password.
MAC and IP encryption in requests is disabled on vSZ.
The status of the user in vSZ is unauthorised. Any ideas will be appreciated. You can reach me at eizens (at) e-meter.lv. It would be great to have an off-line conversation about this.

Thanks in advance,
Eizens
Diego Garcia del Rio
Just sent you an email. Let me know.
Eizens Putnins
Received the first e-mail and sent the info, but haven't had any further communication. Maybe the mails are not going through and I need to switch to Gmail?
Thanks in advance,
Eizens
Rafael Rocha
I am having the same issue using PF 10.1.
Can you please share how you guys were able to resolve this?

Using an SSID with hotspot; based on what I understand, it should use the Northbound Portal Interface to communicate with the PF server about the authenticated user status, but I didn't see any place where messages are being exchanged.
Any help is appreciated. Thanks in advance.
Diego Garcia del Rio
Hi Rafael,

In my case I was using a "patched" version of PacketFence (since I was using non-proxy RADIUS mode and PacketFence was installed locally on the same LAN as the APs). I was not using the captive portal hosted by SmartZone (WISPr style/hotspot) but rather everything on the PacketFence side.

I noticed there is a new version of PF which has different modes for SmartZone, but I haven't looked into it yet.
Rafael Rocha
I want, and am trying to have, the same thing: the portal and the RADIUS on the PF side. However, in my situation I cannot use the in-line config, so I am trying to do the 3-layer auth/role "layout". On SZ, the guest and web auth types of SSID can only use the internal portal, so that only gives us the hotspot/WISPr and Hotspot 2.0 types to work with.
Diego Garcia del Rio
It doesn't need to be in-line (but the question is whether the users will be able to reach the PacketFence portal / DHCP server for the registration VLAN or not).

Can you provide more details on your topology?

I have SmartZone working with RADIUS auth, but indeed, for registration purposes, the portal is served directly by PacketFence, as PF assigns the registration VLAN to unknown devices.

If your PF can't be near the clients at all (say, it's hosted on the Internet) then yes, WISPr / hotspot is probably your only option. I haven't used this mechanism yet.
Rafael Rocha
Yes Diego, there is a central location and remote locations, so my PF server will be in my DMZ (a type of LAN area) and acting like an "internet" server for the remote locations, as a common hotspot would be. I think that the problem is PF using the wrong ports (the default transport ports, http or https) for the web services instead of the ones the Ruckus WISPr document refers to, 9080 for http and 9443 for https. I am trying to see where to change it and then try again to see whether there is communication between them or not.
Diego Garcia del Rio
I need to test the WISPr / hotspot mechanism. Look at this guide:

https://support.purplewifi.net/en/support/solutions/articles/1000128387-ruckus-smartzone-managed-

You can specify the full redirection URL in SmartZone, so it should be OK on PF.

One thing: make sure you enabled the "captive portal" interface on the management NIC in PF. Otherwise it won't listen on that NIC, only on the "inline" NIC.

If you try to access the portal URL directly, from a regular browser anywhere, does it open?
Rafael Rocha
Thanks Diego. It confirms my direction: at the end of the guide it says that the firewall needs to forward traffic to the HTTP WISPr port of the SZ, 9080, so in PF this "specific" port needs to be set in the SmartZone switch "settings". In my case, the portal is opened and the client is able to go through the registration process, but the user still stays unauthorized in the SmartZone, because there is no message coming back from PF.
Diego Garcia del Rio
Hi Rafael. The last authorization is via API, not back to the portal. There are a few things to check. You need to be sure that you have an API username/password on SmartZone, and that you're either using the non-HTTPS (non-SSL) port for the API or that your SmartZone has a valid certificate and the API URL configured in PF uses a DNS name matching the certificate.
PacketFence uses port 9443 by default, so it's always SSL. But it seems it ignores the certificate check. Regardless, port 9443 has to be open on your SZ and reachable from PF. Is that the case?

You can run tcpdump on your PF server to see if the API call is being made, or change this file:

/lib/pf/Switch/Ruckus/SmartZone.pm

on this line:

my $res = $ua->post("https://$controllerIp:9443/portalintf", Content => $payload, "Content-Type" => "application/json");

and change port 9443 to 9080, then run tcpdump to capture port 9080 and see if you're getting an API error or something:

tcpdump -i eth0 -vv -nn -A tcp port 9080 and host <smartzoneip>

(change eth0 to match your PF's IP)

Check in your PF logs whether you see anything similar to this: "Failed to contact Ruckus for deauthentication"

Good luck!


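The checklist Diego gives above (API port open and reachable from PF, a certificate valid for the name PF connects to, 9443/HTTPS versus 9080/HTTP) can be turned into a pre-flight probe run from the PF host. This is an added example, not PacketFence's or Ruckus's code; the port numbers, the /portalintf path and the "certificate verify failed" symptom come from the thread, while the controller name sz.example.internal and the CA bundle path are placeholders for your deployment.

```python
"""Pre-flight check for the PacketFence -> SmartZone /portalintf call in this
thread.  Added example, not PacketFence or Ruckus code.  Ports 9080 (HTTP) and
9443 (HTTPS) come from the thread; controller name and CA path are placeholders."""
import socket
import ssl
from typing import Optional


def portalintf_url(controller: str, use_tls: bool = True) -> str:
    """9443/HTTPS is what SmartZone.pm hard-codes; 9080/HTTP is the non-TLS channel."""
    scheme, port = ("https", 9443) if use_tls else ("http", 9080)
    return f"{scheme}://{controller}:{port}/portalintf"


def classify_failure(exc: BaseException) -> str:
    """Map a probe exception to the symptom seen in the PF logs.
    Order matters: SSLCertVerificationError is a subclass of SSLError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # The "certificate verify failed" case: the SZ cert is untrusted,
        # expired, or not issued for the name PF connects to.
        return "certificate verify failed: give the SZ a cert valid for the name PF uses, or trust its CA"
    if isinstance(exc, ssl.SSLError):
        return "tls handshake failed: port answers but not with the expected TLS"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: nothing listening on that port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: port not reachable from PF (firewall between PF and SZ?)"
    if isinstance(exc, socket.gaierror):
        return "dns: controller name does not resolve"
    return f"other: {exc!r}"


def probe(controller: str, use_tls: bool = True,
          cafile: Optional[str] = None, timeout: float = 5.0) -> str:
    """Connect to the port and, for HTTPS, finish a TLS handshake with
    certificate AND hostname verification (the check the thread says PF
    skips).  Returns an 'ok...' line or a classified diagnosis."""
    port = 9443 if use_tls else 9080
    try:
        with socket.create_connection((controller, port), timeout=timeout) as sock:
            if not use_tls:
                return "ok: plain TCP to 9080 accepted"
            ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
            with ctx.wrap_socket(sock, server_hostname=controller) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return f"ok: TLS verified, cert subject {subject}"
    except Exception as exc:  # network/TLS errors, classified for the operator
        return classify_failure(exc)
```

Run probe("sz.example.internal") and probe("sz.example.internal", use_tls=False) from the PF host: an "ok" on 9443 means PF would also pass a strict certificate check, and a "connection refused" or "timeout" points at the firewall rather than at the certificate.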
Diego Garcia del Rio
PS: if you edit any of the Perl files in PF, you need to restart the PF service entirely.