Zero IT Certificate - Zonedirector 3000


Can anyone please tell me why I am not being moved to the secure network once the Zero IT certificate is downloaded and installed?

I have created a "provisioning network" (SSID, VLAN 1) using hotspot so that all the wireless devices use the secure network. I have also created "main domain" (SSID, VLAN 1) with Zero IT and DPSK activation enabled.

The authentication method is AD and the role is assigned accordingly.

Everything works fine up to the point where, after AD authentication on the provision network, I download and successfully install the certificate: the user does not move to the secure network, which is "main domain", and stays on the same provision network. So whenever the user tries to browse anything, they get the same authentication page.

It seems the certificate gets installed but is not being activated. The user doesn't switch to the secure network according to role, but there is an option to configure it manually (on the certificate download page) using the DPSK, and whenever I enter it manually it works.

Please help me find where I am going wrong. Thank you

Vick

Posted 2 years ago

Andrew Bailey

Vick,

I've seen similar issues before. Usually on iOS or Windows devices you need to "forget" or delete the "provisioning network".

Most devices just seem to hang on to the "provisioning network" as long as they are authenticated and have internet access.

Would that explain what you are seeing?

Kind Regards, Andy.

Vick

Thank you, Andy, for the reply. Yes, today I did try forgetting or deleting the "provisioning network" and it worked fine and connected to the desired network. But is there any way to have it work in real time, so that once the certificate is installed the user moves to the secure network (without disconnecting manually)?

Andrew Bailey

Vick, from what I have seen this is purely a client issue and not a ZoneDirector problem. I know for a Windows client you can change the wireless network priorities; you may be able to push the "provisioning network" to a lower priority that way. Then the client should favour your secure network. However, I've not found anything similar for iOS. Can you not just amend your install process? Hope that helps, Andy.

Vick

Andy, would you please let me know how and what to amend in the install process? To be honest, I had been using Cisco products and this is the second Ruckus deployment for me. I have found it very powerful with amazing features, but somehow this one is not working the way it should, so I have to perform an extra step to have clients connected to the secure network.
If there is anything I could try, what should I amend in the install process? I think this is the script which runs automatically and creates the profile in the system.

Andrew Bailey

Vick,

Without knowing more details of your network, the size of your organization and the mix of devices you have, it's hard to be precise.
Just to be clear, I don't believe this is an "issue" with the Zero IT feature, simply a tendency for most Wifi devices to "hang on" to a Wifi network which is already "working" (at least as far as the device is concerned).
That said, in my experience Zero IT works very well for Windows and iOS, perhaps a little less well for Blackberry, Android and Linux, and is not useful at all for Wireless Printers, Wireless Media Centers, TVs etc. The release notes for the Software Version you are using will summarize the compatibility.
If you have a mix of clients, my tip would be to ensure you are using "mobile friendly" DPSK keys with a shorter key (perhaps 20 characters or so). You can find these settings on your secure WLAN config and it can be configured per VLAN. As a warning: if you change these settings you will need to generate new DPSK keys for each device, so it is something to get right at the initial Wifi config.
Using DPSK keys like this makes it more practical to set up non Zero IT devices or avoid Zero IT altogether: you simply generate a key (either individually or as a batch; the ZoneDirector allows either option) and manually enter that into the device. The DPSK keys get bound to the MAC of the device when they connect, so you still have all the good features of DPSK keys, including the ability to block and track users as you need to.
If you give users DPSK keys directly, this would "bypass" your initial provisioning WLAN issue. You can generate keys for users and give them to them directly (via printout or text, whatever) and let them enter it directly to connect to the secure WLAN.
As another thought, if you do have all Windows devices then you may be able to control the WLAN preferences by group policy. I found this link (albeit a little old) which looks useful and might help set up a policy to push users towards the secure WLAN: http://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/
I'm not sure if something similar to group policy in Windows could be done in iOS or Macs. This https://support.apple.com/en-us/HT202831 suggests that iOS devices should prefer secure networks, but only when the signal level falls away or a re-connection is required. If that is the case, a power cycle of the iOS device, enabling flight mode briefly, or making the provisioning WLAN only available during certain hours or in certain areas may work for you.
Lastly, there is my initial suggestion: just "forget" the initial provisioning network once the client is connected, or turn it off once all clients are set up.
Those are my thoughts and I hope they are useful to you.
Regards, Andy.
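
For Windows clients, the "forget" and priority steps discussed in this thread can be scripted with `netsh wlan`. The following is an added example, not part of any post above and not Ruckus code; it assumes the Zero IT installer has created a profile named after the secure SSID and that the wireless adapter is called "Wi-Fi" (adjust both for your environment).

```powershell
# Added example: run on the Windows client after the Zero IT installer has finished.
# Assumed values: profile names equal the SSIDs quoted in the thread,
# and the wireless adapter is named "Wi-Fi".
$Provisioning = 'provisioning network'
$Secure       = 'main domain'
$Interface    = 'Wi-Fi'

function Test-WlanProfile {
    param([string]$Name)
    # "netsh wlan show profiles" lists one profile per line as "<label> : <name>";
    # matching on ": <name>" at end of line avoids depending on the localized label.
    $pattern = ':\s*' + [regex]::Escape($Name) + '\s*$'
    return [bool](netsh wlan show profiles | Select-String -Pattern $pattern)
}

# Never remove the provisioning profile unless the secure one is really installed,
# otherwise the client is left with no way back to the onboarding portal.
if (-not (Test-WlanProfile -Name $Secure)) {
    Write-Warning "Profile '$Secure' is not installed; leaving '$Provisioning' untouched."
    return
}

# Make the secure (DPSK) profile the first choice on this adapter.
netsh wlan set profileorder name="$Secure" interface="$Interface" priority=1

# "Forget" the open provisioning network so the client stops holding on to it.
if (Test-WlanProfile -Name $Provisioning) {
    netsh wlan delete profile name="$Provisioning" interface="$Interface"
}

# Drop the current association and join the secure WLAN immediately.
netsh wlan disconnect interface="$Interface"
netsh wlan connect name="$Secure" interface="$Interface"
```

Deleting the provisioning profile rather than only lowering its priority also prevents the client from silently falling back to the open SSID later.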

Vick

Hi Andy,

Thank you for the detailed reply and valuable inputs. I think if we include this procedure in the "how to" guide for users, to disable wifi after having the certificate installed once connected to the "provision network", it would solve the problem. Users get moved to the secure network according to the configured role if they disable/enable the wifi adaptor after the certificate is installed.

We have a Windows environment and can also control this from group policy or generate manual keys and provide them to each user, but I still think the idea of disabling the wifi adaptor is far easier and involves less administration than generating keys and providing them to every user. But I will definitely be thinking along these lines too.

Thank you so much for your time and suggestions. 

Anusha V V L

Hi Vick,

I am not sure with which device you are facing this issue.

However from your description, I believe that the device is not officially supported for Zero-IT configuration. In this case, we will manually provision the client like what you did.

Check the release notes of the firmware version running on your ZD for the Zero-IT Compatible devices.

- Anusha

Vick

Hi Anusha, 

I tried with different models (Dell Latitude 6230, 6330, 6430) but got the same result. I have to either disable and enable wireless to have it connect to the secure network after the certificate is installed, or forget the "provisioning network". Though after this extra step I am able to achieve the result, it should work automatically and move the user to the secure network.

Jay Files

Hi Vick,

This sounds like a known issue with iOS devices that is noted in the ZD Release Notes. It's been a known issue for a long time, and it looks like something that we can't fix - it's a limitation of the OS. 

If you're having the same issue with Dell notebooks (Windows 7 I assume), then it may be a different issue, in which case I suggest you could contact Support and ask them to file a new bug for it. 

Cheers,

Jay Files
Technical Writer
Ruckus Wireless, Inc.