Professional Documents
Culture Documents
DPSKs prevent one valid user from decrypting Flexible Onboarding with Zero-IT Activation
traffic of other valid users.
What is Zero-IT Activation?
Provides per-user credentials and policies
Zero-IT Activation is a unique wireless onboarding
Avoids common 802.1X hurdles: feature that enables wireless users to securely access
No dependency on RADIUS or backend user the network without IT
databases staff intervention. Zero-IT
works in concert with the
No certificates
DPSK solution, automati-
No complex configuration cally creating and deploy-
ing DPSKs to valid users
How does it work? when they connect for the
Dynamic PSK creates a unique 62-byte preshared key first time
for each device. The PSK is used for network access as
well as to create encryption keys, which are unique for How does it work?
each user. DPSKs can be created in bulk and manually Zero-IT activation auto-
distributed to users and devices, or the ZoneDirector mates the DPSK genera-
can auto-configure devices with a DPSK when they con- tion and client device configuration steps. When a user
nect to the network for the first time. connects for the first time, the user enters his/her user-
name/password and downloads a configuration file for
their machine. The user runs the configuration file and
Zero-IT configures the client machine with a WLAN
profile, including a unique PSK. Zero-IT prepares the
machine to re-connected to the correct network.
Z
ero touch wireless configuration of laptops and smart
mobile devices
Name/ESSID = DPSK-ZERO-IT
Description = Enter a useful description or leave blank
Authentication Method = Open
Encryption Method = WPA2
Algorithm = AES
Password = Enter a long, complex passphrase
(this will not be given to users)
Zero-IT Activation = Enabled 1 2 3
Dynamic PSK = Enabled
9. Open the file and Zero-IT will auto-configure the To start, within the ZoneFlex system, define a new
WLAN profile (may require administrator privileges). Hotspot Service to use for wireless provisioning. Hotspot
Services are a way to control network access on open
networks. This helps ensure that the provisioning net-
work is used only for provisioning.
Zero-IT simplifies network setup for new users, as you Wireless Client Isolation =Full
can see. Configuring ZoneDirector is straightforward for 1 2
IT staff and the client experience is intuitive.
BYOD-Provisioning 5 6
Now its important to look at device onboarding with-
out Ethernet. Mobile phones and tablets are the primary 9 10
devices driving the BYOD trend, but they lack wired inter-
faces. So there needs to be a way to securely provision
them with a clean, intuitive workflow.
6b 6d
1 2 3 4 1 2 3 4 5 6
5 6 7 8 5 6 7 8 9 10
9 10 6c 9 10 6c 6b 6d
3. Now create a new WLAN to offer these Hotspot
Services. Navigate back to the WLANs page6b 6d
and cre- 6e 6b 6d 6e
ate a new WLAN.
6. Now everything is ready to onboard this user and his/
Name/ESSID = BYOD-PROVISIONING her devices.
Description = Enter a useful description or leave blank a. With a mobile device (iphone shown here), connect
Type = Hotspot Service (WISPr) to the BYOD-PROVISIONING SSID.
Authentication Method = Open b. Launch the browser and the URL redirect will occur,
Encryption Method = None taking you to the connection activation page.
1 2
c. L ogin with the Mob.User user credentials created in
3
Hotspot Services = Select BYOD-PROVISIONING
from the list. step 5.
1 25
d. Successful login will launch the auto-configuration36 47
1 2 3 4 profile. Install the profile.
1 2 3 5 4 69
e. Now connect to the corporate WLAN
710 86c
5 6 7 8 (i.e. DPSK-ZERO-IT)
9 10 6c 5 6 7 9 8 106b 6c
6d 6e
6b 6d 6e
9 10 6c 6b 6d 6e
5 6 7 58 6 7 8
9 10 6c 9 10 6c
4. In the wired DPSK with Zero-IT demo, a Role titled
ZERO-IT-role was already created. This role has per-
mission to access the DPSK-ZERO-IT SSID. Confirm 6b 6d 6e 6b 6d 6e
that this role is still present.
7. Using the ZoneDirectors Monitor tab, currently active In this demo, well create a mock K-12 education scenario
clients can be easily viewed to check on users. Here, using the following roles:
the connected iPhone, the MAC address binding, the
user name of the connected user, and some device Administration
specific information are all visible. Even with a long Staff
list of users, it is easy to find specific clients using the Student
search field. Well create corresponding WLANs and then map the
users/roles to their proper WLAN.
As an example:
Role-Based Access
In conjunction with Zero-IT Activation and DPSK, Ruckus Administration VLAN 10
provides a straightforward way to apply roles to each Staff VLAN 50
user, granting access to WLAN policies and VLANs Student VLAN 80
according to the user type. By granting access based
Now configure it in the ZoneDirector.
on user roles, IT staff can extend specific permissions to
users based on wired network design and policy.
Implementing Role-Based Access
So far, weve focused on the internal database of the Start by creating the requisite WLANs.
ZoneDirector to create users, but in live networks, the
ZoneDirector seamlessly integrates with an existing user 1. Navigate to the WLANs menu in the left pane and
database, such as Active Directory, Open Directory, then create a new WLAN:
OpenLDAP, or eDirectory to determine a users role
Name/ESSID = Administration
assignment. The internal database of the ZoneDirector
Description = Enter a useful description or leave
can be used for this feature which is shown in this demo.
blank
Well also discuss how you can use this feature with an
Authentication Method = Open
external database.
Encryption Method = WPA2
Planning Role-Based Access Algorithm = AES
Password = Enter a long, complex passphrase (this
By relying on the Zero-IT Activation feature, the pro-
will not be given to users)
visioning network automatically redirects users to the
Zero-IT Activation = Enabled
Zone Directors activate login screen.
Dynamic PSK = Enabled
The first planning step to take is to decide what types of
In Advanced Options,
users will use the network, what roles to create for those
users, and what permissions should be assigned to these ACCESS VLAN = 1
0
roles. Click OK.
Now configure administrative users and roles so they are 3. Now lets navigate to the Roles page and create our
mapped to this WLAN, receiving administrator privileges respective roles. Create New.
and policies.
Name = Administrators
Note: If were supporting multiple VLANs on each AP, Description = Enter a useful description or leave blank
we need to make sure our switch ports are configured to
WLAN Policies = Enable Administration WLAN
support those VLANs.
Click OK.
11 22 33 44
1 2 3 4
55 66 77 88
5 6 7 8
99 10
10
9 10
and enter the credentials. This will test that the database 5 6 7
is properly configured and that the user is assigned to
the correct role.
As shown, this user authenticated successfully and was
9 10
assigned to the Administrators role. Zero-IT would then
provision this users DPSK for the proper WLAN and
VLAN.
5 6 7 8
9 10
Summary
For organizations trying to solve BYOD challenges, it
doesnt have to be complex and cumbersome. With
easy to implement features like Zero-IT configuration,
Dynamic PSK, and simplified role-based access control,
enterprises can leverage their existing network resources
to extend policies to their wireless users. Ruckus makes it
painless to get users connected and provisioned with the
A user can be added for each of the roles (admin, correct network permissions. After that, we keep them
staff, student). The final user list will look similar to happily connected with reliable RF performance.
this.
Appendix A
The DPSK batch tool is essentially an interface for cre- 8. Test it and connect a client. Launch your wireless con-
ating DPSKs. If we have a list of users (and their MAC nection utility, scan for the DPSK-batch SSID and,
address and assigned VLANs), we can import a comma using the first passphrase in the .csv file, connect to
separated value (.csv) file here. Otherwise, we can let the the WLAN as you would to a traditional PSK network.
ZoneDirector create a file for us with default usernames
and the default VLAN. This tool has flexible options, but
lets focus on a simple implementation for now.
9. Success!
The default DPSK file has stock user names and empty
MAC address bindings (we can customize these set-
tings if we use the DPSK import tool). When a DPSK is
used to connect to the network for the first time, the
ZoneDirector will bind the devices MAC address to the
DPSK.
The manual DPSK model is easy to use and flexible.
Avoid the complexities of 802.1X and elude the weak-
nesses of legacy shared passphrases.
Copyright 2012, Ruckus Wireless, Inc. All rights reserved. Ruckus Wireless and Ruckus Wireless design are registered in the U.S. Patent and Trademark
Ofce. Ruckus Wireless, the Ruckus Wireless logo, BeamFlex, ZoneFlex, MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, and Dynamic PSK
are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other trademarks mentioned in this document or website are the
w w w.r u c k u s w i re le s s .co m
property of their respective owners. 805-71768-001 rev 01