Category Archives: Ruckus wireless

Fortigate Radius SSO with Ruckus 802.1x logins using NPS

This is an amazing method for getting users in their correct groups in Fortigates. This way we can apply different security profiles to individual groups, all through one 802.1x login. This example is using Ruckus wireless , but will work exactly the same for any wifi vendor..

This method works by using 802.1x WPA2/AES logins on the Ruckus , and passing the users info over to the Fortigate by Radius accounting. Then on the Fortigate we are using RSSO (Radius single sign on) groups to collect the username/group that is sent to the Ruckus by the Windows NPS server. Lots of moving parts here, but it is really simple. I have had problems finding good documentation about Fortigate’s RSSO profiles – but they work great.

The goal of this project/entry is to have the Fortigate know the Username, IP and group (if assigned) of the user who just authenticated to the wireless network. Once you know these things you can apply different UTM policies to users VIA RSSO groups in the Fortigate. There are many good scenarios and uses for this – one example that I have is for a school network. I set this up recently for a school that has students and faculty authenticate through the same Ruckus controller, but to different 802.1x WLANs (SSIDs: Student and Faculty). The fortigate can then apply correct policies to each user (student or faculty) and therefore lock down student web surfing much more than a faculty member. You might be saying – you could just use captive portal on the fortigate,with LDAP groups. I would say yes, but that is another step users have to take, and its called “Single Sign on” for a reason.

So what is needed to make all this happen: Ruckus wireless using 802.1x, NPS (or any radius server) , Fortigate  – that’s it.

I am going to assume that we already have Ruckus using 802.1x and NPS with no problems.

I had trouble at first setting this up, because I thought that that the NPS server should send the radius accounting info to the Fortigate, I was wrong. The controller is the Authenticator – therefore the device that knows about the authentication, and needs to pass on the info to the Fortigate. The Authenticator (Controller) needs to send the radius accounting info to the Fortigate.

That means you have a AAA server setup on the controller for 802.1x authentication, and a AAA radius accounting server pointing to the Fortigate.

Setup Radius accounting between Ruckus and Fortigate

First we need to create the connection between Ruckus and Fortigate via radius accounting.

On the Ruckus system, go to Configure – AAA servers – create a new server. Then click the box that says “Radius accounting” Fill in the IP of your Fortigate, and create a PSK between the two.

Ruckus-acct

Next on our Fortigate we need to create a RSSO profile for the Ruckus system.

rsso-agent

Feel free to name this Ruckus or whatever. The PSK has to match what you created on the Ruckus system. By default the RSSO profile uses the Class variable to match the users. You can change what to match, for example you could match by NAS-Port, User-Name, Class, etc.

So, if we go into CLI we can modify many of these settings. Below are the settings I have used

config user radius
edit “Zonedirector”
set rsso enable
set rsso-secret ENC eoTXOqectoW0sjb5lLVW/7rr3BB0DocxlKeW64yfoIq7NTblyMc1TT9/V2M8m2LJmotwNrDYS+hOBSWV68wWULjuT88tOZHli7Nqqe8k5hoK4iHmLuG6x9R7apR9b+JU6O48mY8jiUaf48pY8wamagNdOALtrew6k+yWFzfd7gzo+qgag2sOI+Q46GnI1ybGPo6YQQ==
set rsso-endpoint-attribute User-Name
next
end

Next we need to modify NPS to send the values that we will match on the Fortigate. In this example I am matching I am saying that if any Domain users authenticate through the ZD, then send the IP/Username/”Tag” to the Fortigate so it knows who to apply the correct firewall policy to. My “Tag” I am sending in is the Class Variable of “Domain Users”..  Something to note is this is not the given AD group, but a variable I am assigning that just references the group. I could say “Social media” if I wanted, then match on that.

So lets modify the Microsoft NPS policies to reflect what we need.

Remember, we are going from the assumption that 802.1x is up and working, and NPS is great. So, how do we match a variable from NPS on the fortigate? We could really use a ton of different variables. Lets use the class variable. To assign the class variable we will modify the the Network Policy in NPS that we want to apply a to a certain criteria.

nps-policy1

I will modify my “Connections to Wireless VIA AD Authentication” Policy. Then once, you edit the policy and go to “Settings” tab, there will be a few attributes already listed . You may have some already or not. We will add the “Class” variable, and then assign it to what ever value we want to match in the firewall group. In this case I am setting my value to “Domain Users”.

class1

So from the settings tab, lets click “Add” under the Radius Attributes standard section.

class-2

Select “Class” from the list of attributes that comes up, it will then  ask you to enter a string that you want to set. This is the Keyword you will use to match the user to group in the Firewall. Just like use a FSSO group and matching the domain group. Some examples might be students vs teachers, or Domain users.

class-3

Press OK, and now we have the variable added, you can confirm as seen below:

class-4

Great, now we have the hard part done. Now, have some users log in to wireless, and see if you get correct RSSO users found in the firewall. you can check this my navigating in the firewall to User&Device – Monitor – Firewall

No-group

Awesome, it found my username, and my IP, but my group is blank, how can you apply a policy to user if they have no group? The answer – is just the same as the FSSO. If you do not have a firewall policy that references the Radius group that you created then no group, no filtering, nothing. So you need to create a new firewall policy and select the RSSO group you created as the source group. In my example the group is called Radius Domain Users.

firewall-rss-policy-creation

To show a policy example check out below: My domain FSSO is above my RSSO policy.

firewall-rss-policy

Now that that is created and enabled, lets check the user monitoring – BAM! there it is, my group included.

Radius-user

Using RSSO and 802.1x is awesome, it allows you to kinda use a single pane of glass aspect and have Firewall, and Wireless be able to know who the user is just my them logging into the wireless network. Also, using 802.1x for wireless authentication and Key management is very secure. Having users known that are on wireless no matter what device can really be beneficial in reporting, either through Forticloud of FAZ.

Ruckus Self Service portal for Guest access

Ruckus brought in the Guest Self Service portal in firmware 9.10.0.0 build 218 – so if you are looking to configure it please install this update first (Check release notes for proper upgrade path). After we are on build 218, lets get configuring.

So the Ruckus Guest self service portal is Ruckus’s first step in creating an “on boarding”  process. It allows administrators to make sure that there is at least some kind of authentication on their guest WLANs. The portal gives guest users the ability to create their own guest pass, and the admin can set many options of the guest pass such as expiration, amount of devices that can be registered with this pass, and how the pass is given to the user – for example you can send it through text, email, just show it to them on the screen, or a combination of all. So this feature is great, and helps admins authenticate guest users with very minimal intervention.

So how do we configure this?

First we need to create a new Guest access policy. This is located under Configure – Guest Access. Create a new portal.

creation-guest

Lets now configure our portal page. A few options that are very important are:

Enable Zero IT Registration from the Guest Portal – Use this if you are also planning to register devices. I was confused by this at first. As you will see you have the option to use guest pass, or register a device. When you register a device you are just using Zero IT as normal to get on the secured network.

Authentication – Use guest pass for this. Since thats the goal.

Next you have a lot of options such as Terms of service and time out.

The main box you have to check is the “Guestpass Self-Service” box , you will then get a lot of options to do with that process and how to get the guest pass to the user. A few things to note, if you want to txt them, or send the pass through email you will need to configure a mail server and/or SMS server in the settings of the ZD.

checkbox

If you notice there is a small “Restricted Subnet access” – Its kind of hidden in my opinion. This is very important. If this is used for guest access more than likely you will want to make sure that guests cannot access internal hosts. This is where that is done. This or the Layer 3 access list. Remember Ruckus does the filtering on the AP, so having to have a ACL on the router is not needed. Below if the full Guest access config.

Settings

That is about it for the Guest portal. Now we need to create a WLAN and use it for our guest access.

So, lets create a WLAN at configure – WLAN- create a new one.

SSID

Things to note – Select “Guest Access” Then select your Guest access Service portal you created.

Great!! All done, so what happens when you connect?

First you will be presented with the on boarding portal that asks if you would like to use Guest Access, or Register a device (Zero-IT).

register

Select “Guest Access”

On the next screen it will ask you for your Guest pass, but you don’t have one yet. Select the button to create a new pass. Note that you have the option to Query the status. This is a feature if you want to approve guests of getting a Guest pass before they do.

guest-pass

On the next screen you will be asked to fill out your information.

pass-info

And here you go! you have your guest pass, which is valid for the length of time that you configured in the policy. Copy and keep this key. The ZD will automatically copy the key into the next page for you. Select to go to Guest Access portal.

guest-pass-show

You can see the the ZD copied the key for you. Just Press submit.

last-guess

And there we go!! We are online. Ruckus does it again with making getting on Wifi easier. Now we have a built in On boarding portal.

authenticated

You can view the Guest Pass and its config under Monitor-Guest pass to find out who the GP was assigned to, when it expires, and you can delete them from here as well.

Generated

Ruckus has done a great job giving us a simple but effective way to on board users for Guest and/or internal use.

Enabling LLDP in Ruckus wireless

Ruckus has finally built in the ability to use LLDP to find Access points. I was so excited when I found this out, I installed the newest firmware and was ready to be blown away – and alas.. no LLDP. So, what was wrong? LLDP is not enabled by default! You have to go into the AP group via CLI and enable LLDP. No biggie.

This feature comes in software version ZDXXX 9.9.0.0.205 GA Software Release .

To enable LLDP – SSH into the zonedirector

Then after logging in run these commands

enable

config

ap-group “System Default”

LLDP enable

exit

exit

Here are some screenshots:

LLDP-3

As you can see, by just doing a “Show” it is disabled:

LLDP-1

After running the command: “LLDP enable”

LLDP-2

And BAM: now I can find my APs no matter where they are plugged in at

LLDP-5-edit

Dynamic Vlans with Ruckus wireless and Microsoft NPS

Hello all, I recently was given a strange task. An office needs to have everyone in there office on different vlans. The reason for this is that each user is developing software and they need to test VIA wireless to other wireless  devices. Lots and Lots of broadcast, as well as different subnets. So, how can we separate each of these users wirelessly and give each of them their own “play space”? You can accomplish this a couple ways: We can have 100 different WLANs, each with their own Vlans, or use 1 SSID and use Dynamic Vlans to separate them out.

The tools I will be using are – Ruckus Wireless Zondirector, and APs, Microsoft NPS, and Wireshark to take a better look at what is happening at the packet level.

So first lets setup everything. We need to use 802.1x authentication for WLAN Access. I will not walk through all the steps here but definitely do another blog entry on setting that up. So lets assume as of now we have 802.1x working great for authentication.

Our next step is that we need to create new Security Groups in AD and add our users to them. I added groups that reflected the Vlan name. For example WIFI-VLan-150 and then added my user I want to get VLAN 150 to.

Next lets create our Radius Policies.

Create a new Network Policy- match the Group, add your Encryption and other settings. See below:

1

Then add your Constraints that you would like:

constraints

Next the magic happens – we have to add in our Radius attributes . These are Standard radius attributes. We will add 4 802.1x attributes.

Attributes to add:

1. Tunnel-Assignment-ID – String – Vlan ID.

2. Tunnel-Type – Select Virtual Lans (VLANS)

3. Tunnel-Medium-Type – Value – 802 – Commonly used for 802.1x

4. Tunnel-Pvt-Group-ID – Value – String – Vlan ID. Note – I did not add this at first, this attribute is what fixed my issue, and successfully pushed the Vlan ID to my client.

Here is a screenshot of all the attributes:

attributes

Make sure this policy is above your default policies. The next screen shot shows my order of policies. Notice I have one for 666 vlan, and 150. Then there is a domain computer, then a catch all for domain users.

policies

That’s it for Radius, now we need to create the WLAN for in Ruckus for our Dynamic Vlans. Remember, we are assuming everything works great with Radius authentication from the get go.

The main thing when creating the WLAN in Ruckus is to use 802.1x for authentication, and then under “Advanced” check the “Dynamic Vlan” box. You will notice I am using “SRV-dir03” For authentication (My Radius Server). Apply this and we should be golden.

ruckus

To check and make sure you are on the correct vlan/wlan you can always check your ip address or look into Ruckus and see what your info is. You Notice mine –

jc

Fortigate and Ruckus AP remote registration issues across a IPSEC VPN

Recently I and others have had an issue when using interface based VPNs on Fortigate, and remote Ruckus APs are on the other side of the VPN. For some reason these APs cannot register with the ZD – sometimes they never even show up. I can log into the remote APs, SSH, Web, Ping everything works they will just not register with the ZD.

When I see this the most the client has just updated to Fortinet 5.2 firmware, and is using Interface based VPNs instead of policy based.

Now back to the main goal of the entry – If you are using a interface based VPN with Fortinet specifically you might see your APs come up for a while, then drop. Another symptom I have seen is that you have your DHCP options, and DNS record  set for the Zonedirector but the APs never show up.  The underlying issue is that the interface based VPN will drop sometimes – the Fortigate may not even report the drop. During this time the the Logical VPN interface is no longer attached to the Fortigate, that means the route you set to push traffic over it to the remote subnet no longer exists. So a UDP session is opened to the internet – since there is no other place to send the traffic to. Once that happens the UDP stays active – Even though it should timeout.

So to fix the issue, Add a service for “Ruckus services” and add UDP and TCP ports 12223, and UDP and TCP port 12222. Then create a policy in the firewall to block traffic going to the WAN on those ports. This will make sure that remote sessions are never created to the internet interface. So if the tunnel drops you will not have to worry about this. You could also just create an address object for your remote subnet and create a policy blocking any traffic matching that object going to the WAN interface.

ruckus-service

Here is the policy to block the traffic from leaving the WAN interface

Ruckus-block

Note – Make sure this policy is above any traffic that would be go from internal – to VPN.

After the policy is created to blog those ports – lets clear the sessions in the firewall. We can do this using the CLI command in the Fortigate:

Dia system session clear

So how did we figure this out? If you do a packet capture on the Fortigate matching the ZD or AP ip addresses, you will see registration attempts trying to go through the WAN interface, even though the VPN is up. Since UDP is connectionless, it never expects a response on the session, so it stays up. If you see the session going through your WAN interface, and your VPN is up, just kill that session. You will see your AP come up very quickly, but the same issue will happen if you don’t make sure the session is never created.

This has fixed the issue for a few clients having this problem.

SNMPv3 on Ruckus 9.7

I was having some trouble getting SNMPv3 up and working on PRTG and Solarwinds. It was a straight forward config but something wasn’t working. The following steps will show how to configure SNMPv3 on Ruckus ZD, and pull info from it on PRTG. Why SNMPv3? it offers a lot of more features such as encryption and user authentication. Definition:

SNMP Version 3 (SNMPv3) adds security and remote configuration  capabilities to the previous versions. The SNMPv3 architecture  introduces the User-based Security Model (USM) for message security and  the View-based Access Control Model (VACM) for access control. The  architecture supports the concurrent use of different security, access  control, and message processing models. More specifically: Security

First we will configure the ZD

Enable the SNMPv3 agent, and create your user/pass/hash/encryption.

Image

For some reason you have to have a R/W user in the ZD. This does not seem to be a requirement of v3.

Next lets configure PRTG, and find out where I made my mistake.

Image

So everything is pretty straight forward, but I was putting admin in for my context name as well. This was breaking the connection.

The context name is a collection of management information accessible by an SNMP entity.  A context is identified by the snmpEngineID value of the entity hosting the management information (also called a contextEngineID) and a context name that identifies the specific context (also called a contextName).

That was it, everything worked fine after that.

 

Modifying Ruckus QoS

Ruckus does an amazing job finding traffic to be QoS’d, and using a suite of tools to make sure that traffic is delivered as quickly and reliably as possible. They do this with what they call Smartcast. Smart cast is a group of features:

•Traffic queuing on a per client basis (voice, video, best-effort, background)
•Automatic (heuristics-based) traffic classification
•802.11e/WMM support
•TOS and 802.1p classification
•Airtime fairness
•Band steering
•Rate limiting
•WLAN prioritization
•Client load balancing
•Power save (UAPSD and Legacy)
•IP multicast-to-unicast conversion
•IGMP snooping
All of these features work together, but in this post I will just modify the settings for ToS markings and manually classify my traffic.

 

Background:

 

In wireless QoS there are 4 global hardware queues to place traffic into – voice, video, data and background packets. What happens if one of the wireless clients is sending very slow or having problems it can cause a problem called “Head of line blocking” and will slow everything down from being processed accordingly. Ruckus has helped this by adding 4 software queues for each client! This helps relieve a problem with a misbehaving client and helps get delay sensitive traffic where it needs go. Ruckus also implements Heuristic based classification. This means the look at how the packets are being sent, the gaps and spaces between and classify if its voice/video by preset parameters. But what if you want to know for sure that your data is being put in the right queues — that’s where the below info comes in.

 

I was working with a client the other day and over some of their private wan links they were having Video issues through Lync. Voice was perfect and the Voice DSCP value was being honored throughout the path. Video was a different story, they were having slight video issues. I know there are many reasons it could be having problems, interference, network issues..etc. I am focusing on wireless QoS though.

We were marking our VOIP/Video packets with DSCP values ef and af41 respectively. Ruckus looks at the ToS value instead of DSCP. I logged into the ZD through CLI and could see what was manually being added to the software queues. See below:

Image

From here you can see the ToS classifications in Hex, and the Heuristics used to detect voice/video/data. I wanted to make 100% sure that my video was in the video queue. So I changed from DSCP af41 Decimal 34 to hex 0x88. To add this I just checked to see what the video was already marked for, and added 0x88 (My DSCP value).

Image

As you can see after adding the 0x88 value to the queue all classifications show up. You could also modify your Heuristic interval from here as well.

Ruckus has lots of documentation on all their greatness and features including some great youtube videos.

More info on Smartcast:

http://c541678.r78.cf2.rackcdn.com/feature-sheets/fs-smartcast.pdf