ZeroIT redirect and Smart Redundancy

  • Updated 4 years ago
In the Hotspot settings a redirect URL is set for unauthenticated clients to be sent for authentication. For us, this is the hostname of our primary ZD3000.

If Smart Redundancy is triggered, however, and all APs and clients fail over to the secondary ZD - with a different IP and hostname - the redirect fails (obviously).

Is there a way to ensure ZeroIT will still function properly if the primary ZD has failed?

Rob Coote

  • 37 Posts
  • 7 Reply Likes

Posted 4 years ago


Ed Hynds

  • 6 Posts
  • 0 Reply Likes
Hi Rob,

Did you ever get this answered or figured out?

I'm performing the installation of a secondary ZD1100 for a client tomorrow and will obviously come across the same issue. They also use Microsoft NPS for 802.11 certificate-based authentication, so I would have thought I will need to take this into consideration too.

I've looked on the forums and documentation and can't find anything that can help.

TIA

Ed

Rob Coote

  • 37 Posts
  • 7 Reply Likes
Ed,

I haven't yet, although I suspect this may be part of the issue I'm having with firmware 9.7 and the redirection issue. The issue being it doesn't redirect. :)

I'd be interested in a white paper or "best practice" when it comes to setting up multiple ZDs as far as hostnames, IP addressing, SSL certificates, management addressing, etc.

Rob

Ed Hynds

  • 6 Posts
  • 0 Reply Likes
Rob,

Thanks for the quick response, I guess I'll have to see how I get on tomorrow!

By the sound of it I'll stay away from firmware 9.7!

Hopefully someone else (perhaps a Ruckus employee?!?!) could offer some advice on this post.

Ed

Todd

  • 57 Posts
  • 13 Reply Likes
Hey guys, here's what I did on my 1100s because I had the same issue when I went live with 9.4.?

I configured Smart Redundancy

Then, also under Configure>System, I set "Management Interface" to enable the IPv4 Management Interface. I set a static IP address for my network along with the rest of the configuration (netmask, gateway, VLAN).

Then I made a static DNS entry on my DNS server pointing zonedirector.domainname to the static IP address I entered for the management interface.

That way when a Smart Redundancy event occurs everything continues to work with a brief few minute outage while the standby ZD takes over.

For what it's worth, I named my ZDs ZDPrimary & ZDSecondary. But all my name resolution is going to zonedirector.domainname.xxx.

Hope this helps.

Rob Coote

  • 37 Posts
  • 7 Reply Likes
Todd,

Curious whether your device/system IP is on a different subnet than the management IP?

Also, does either have an Access VLAN specified?

Rob

Todd

  • 57 Posts
  • 13 Reply Likes
Rob,

No, everything is on the same subnet. My IPs:
PrimaryZD: 10.200.13.99
SecondaryZD: 10.200.13.98
ZoneDirector management IP: 10.200.13.100

Also, the access VLAN is set to the default of 1, which is what our primary VLAN is.

Our network is pretty flat.

Rob Coote

  • 37 Posts
  • 7 Reply Likes
So the management IP is the same for both? My ZDs are in different physical buildings and subnets, so addressing them might be a bit more complicated.

Todd

  • 57 Posts
  • 13 Reply Likes
Yes, the management IP is the same for both. Note that I'm (was) using Guest Pass, not Hotspot, but I would think the process would work the same. According to the post below this might not be a good option, but it's worked for me and Guest Pass.

DSE

  • 62 Posts
  • 3 Reply Likes
If Smart Redundancy is on, then the management IP should be the same for both; that way you'll always connect to the Active.

Albert Pierson, Employee

  • 6 Posts
  • 8 Reply Likes
Using the management (shared) IP for anything other than accessing the ZD management web UI can be problematic. It works, but it was originally not designed for use other than the convenience of having a single IP that always redirects to the Active ZD.

The correct solution is to use the sip variable that is sent in the URL enhancement when the ZD redirects the user to the Hotspot login page. The sip variable will always have the device IP of the Active ZD.

In the POST command of the web server login page, you use this sip variable to post the credentials to the correct IP.

Here is a snippet from a sample JavaScript POST command:

');

Ed Hynds

  • 6 Posts
  • 0 Reply Likes
Hi Albert,

It looks like the JavaScript didn't post correctly; could you try again (perhaps via a screenshot)? Also, where / how would I use this sip variable?

Thanks for your response.

Ed

Albert Pierson, Employee

  • 6 Posts
  • 8 Reply Likes
The ZD will enrich the URL with several variables (last url, sip, uip).

The login page code can extract the sip variable and use it as the destination in the POST command.

The sample page can be downloaded:
http://ftp.ruckuswireless.com/downloa....

Also, if the client is connected with a NAT between the AP and the ZD, then the ZD also needs to know the client's actual IP address. This is the uip variable. A sample page using this variable can be downloaded:

http://ftp.ruckuswireless.com/downloa...

The application note describing Hotspot configuration can be found here:

http://www.ruckuswireless.com/library...

Enabling WISPr (Hotspot Services) in the ZoneDirector PDF
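As an added illustration of the approach Albert describes (not Ruckus' sample page and not code from this thread), the login page reads the sip and uip variables the ZD appends to the redirect URL and uses sip as the POST destination. Because sip decides where the user's credentials are sent, the example only accepts values on an allowlist of known ZD device IPs; the allowlist, the login path `/login`, the https scheme and the sample redirect URL are all assumed placeholders.

```javascript
// Added example: extract the ZD redirect variables and build the credential POST target.
// Allowlist of our own ZD device IPs (constructed from the addresses Todd posted).
const KNOWN_ZD_IPS = ["10.200.13.99", "10.200.13.98"];

// Dotted-quad IPv4 check, each octet 0-255.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Pull sip and uip out of the URL the ZD redirected the client to.
// Returns null if the URL cannot be parsed at all.
function parseRedirect(redirectUrl) {
  try {
    const params = new URL(redirectUrl).searchParams;
    return { sip: params.get("sip"), uip: params.get("uip") };
  } catch (e) {
    return null;
  }
}

// Build the form action for the login POST. Returns null (and the page should
// refuse to submit) when sip is missing, malformed, or not one of our ZDs, so a
// tampered redirect URL cannot steer credentials to an arbitrary host.
// loginPath is an assumed placeholder for the ZD's hotspot login path.
function buildLoginPostTarget(redirectUrl, allowedZdIps, loginPath) {
  const vars = parseRedirect(redirectUrl);
  if (vars === null || vars.sip === null || !IPV4.test(vars.sip)) return null;
  if (!allowedZdIps.includes(vars.sip)) return null;
  if (vars.uip !== null && !IPV4.test(vars.uip)) return null;
  return { action: "https://" + vars.sip + loginPath, sip: vars.sip, uip: vars.uip };
}

// Browser usage: point the login form at the Active ZD on page load.
// Guarded so the block also runs outside a browser.
if (typeof document !== "undefined") {
  const target = buildLoginPostTarget(window.location.href, KNOWN_ZD_IPS, "/login");
  const form = document.getElementById("login-form"); // assumed form id
  if (form !== null) {
    if (target === null) {
      form.querySelector("button[type=submit]").disabled = true; // refuse to post
    } else {
      form.action = target.action;
      if (target.uip !== null) form.elements["uip"].value = target.uip; // assumed hidden field
    }
  }
}
```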

Ed Hynds

  • 6 Posts
  • 0 Reply Likes
Hi Albert,

Reading those application notes has been very helpful.

It is a shame that the devices can't handle this themselves; for the smaller deployments, having a separate web server for the login page just adds another point of complexity and weakness.

Thanks again,

Ed

Albert Pierson, Employee

  • 6 Posts
  • 8 Reply Likes
Ruckus ZoneDirector does have a built-in captive portal login page. You can add Web Authentication to a Standard type WLAN. Users will get redirected to a secure (https) simple login page served by the ZD and can authenticate to a local database or an external AAA (RADIUS, Active Directory, LDAP). This page is not configurable.

Since this page is sent with SSL security, users will receive a security alert if you have not uploaded a digital certificate signed by a well-known Certificate Authority into the ZoneDirector.

Ed Hynds

  • 6 Posts
  • 0 Reply Likes
This is how I've set the ZD up, and it works fine; however, what happens when the primary ZoneDirector fails? I presume we must log in and change the path to the captive portal or update the A record to point to the secondary ZD's IP? Also, on the RADIUS (NPS) server, do I have to create a second configuration for the secondary ZoneDirector?

Thanks,

Albert Pierson, Employee

  • 6 Posts
  • 8 Reply Likes
Smart Redundancy does not sync the client status.
When the ZD fails over, all captive portal authenticated users will have to log in again. WPA and open WLAN devices without authentication will re-connect in the background.

If you are using Hotspot with an external web server for the login page, then the sip variable will automatically have the correct ZD device IP, so users connect and authenticate on the now Active, formerly standby, ZD.

If you are using Web Authentication, then users will get automatically redirected again to the now Active ZD.

Since the client authentication status is not synced, the grace period will begin again once the clients re-authenticate.

Each ZD will have to be configured as a RADIUS client in your RADIUS/NPS. The Active ZD will send authentication packets using its device IP.

Ed Hynds

  • 6 Posts
  • 0 Reply Likes
Hi Albert,

Thanks for all your help, it's really appreciated.

Ed