One SSID at all sites and Radius Redundancy - Help.

  • Question
  • Updated 6 months ago
  • Answered
Hello everyone, we use Ruckus in our K-12 environment.  We have a zone director and roughly 200 APs.  These are implemented across 31 schools and 6000 students, and approx 1000 staff. We have a great fiber network between all the buildings.

We use freeradius against our LDAP for WPA2 Enterprise authentication.  Currently, we have a radius server at each site, and then the school SSID points to that freeradius server, as an AAA radius server from the zonedirector.  All school radius servers point to the top of our LDAP server, so any user walking in can log in with their LDAP credentials and be on the wireless.

This is great for redundancy and load. However, over time, we have found that although staff and students can use the same credentials to log in to school SSIDs, they seem to not like, or have trouble, re-entering their same credentials when they go to a different school site. It should be an easy task, since it is the same credentials everywhere, but it doesn't seem to work out that way for staff. So this leads me to my question.

We are going to do a redesign this summer, and have basically two SSIDs everywhere.  It will look something like this:

NTPS-Wireless (WPA2 Enterprise SSID, Auth against Radius) - This SSID will be the internal SSID for all trusted staff, and school owned devices, and will be rolled out at EVERY site

NTPS-BYOD (An isolated BYOD Network for everyone else coming in with their own devices)

For the NTPS-Wireless network, I have some questions, that I am hoping someone has some solutions to. 

1. How can I associate my NTPS-Wireless SSID with MORE than one radius server for redundancy and load?  For example, is there any way to do something like this:

Let's talk about zones.  Is there a way to define a zone or rule, and then associate the SSID with a rule, so more than one zone can apply? I.e., something like this:

Highschool ZONE is 10.3.0.1 - 10.3.6.254
Middle School Zone is 10.12.0.1 - 10.12.6.254  

Then for the NTPS-Wireless:

If client is Highschool Zone use highschoolRADIUS (name of AAA defined freeradius server)

If client is Middle School Zone use middleschoolRADIUS (name of AAA defined freeradius server)

This would REALLY solve my load problem, and I wouldn't have to worry about overload and using the same SSID everywhere. Is there ANYTHING or ANY WAY to do something like this in the Zonedirector?  I know it's possible, as I have seen it in other systems.  Can I do something like this with the zone director? I know that the user probably doesn't have the IP yet for the handshake, so I am looking to do something similar to the above, as it would solve all of my problems with the redesign. Similar ideas that accomplish the same result and solve the problem would be VERY welcome :)  I really look forward to hearing from you all.

microchipmatt


Posted 6 months ago


Herminio Bisneto

Hi!
With your current scenario, you should be OK if the ESSID is the same for all buildings. Your customer's device will hear "the same SSID" in the beacon, so they will try to authenticate without asking for the credentials again. Hope this helps.

microchipmatt

Ohhhh!!!!  This looks like it would work!  Herminio Bisneto, what firmware are you on?  This looks newer than mine.  

Herminio Bisneto

Mine is 10.1.1.0 build 26, but you can do this trick in any firmware version.
Glad I could help :)

microchipmatt

Excellent

microchipmatt

I just want to make one clarification here, so I'll give an example: the name can still be the site wireless, i.e. BCPS-Wireless, but the ESSID will be NTPS-Wireless, correct?  Is this how it's going to work? In this scenario, will it try both BCPS-Wireless as the SSID and NTPS-Wireless as the ESSID, if it needs to?

Herminio Bisneto

Hi,

Your client device will see/hear only "NTPS-Wireless" as the SSID and not two SSIDs. So it will try only "NTPS-Wireless".
(85% sure :D)