Ruckus SmartZone / Virtual SmartZone
Integrate Ruckus SmartZone and Virtual SmartZone (vSZ) controllers with IronWifi's RADIUS authentication and external captive portal. This guide covers RADIUS authentication and accounting configuration, Hotspot (WISPr) portal setup, walled garden configuration, WPA-Enterprise deployment, and optional RadSec (RADIUS over TLS) for enhanced security.
info
Requires SmartZone v3.0 or above.
Prerequisites
In Ruckus SmartZone:
- SmartZone controller version 3.0 or higher
- Administrative access to SmartZone web interface
- Public IP address for SmartZone (for IronWifi to communicate with)
- Northbound API access enabled
In IronWifi Console (complete these first):
-
Create a Network
- Navigate to Networks and click Create Network
- Note the RADIUS server details:
- Primary RADIUS Server IP
- Backup RADIUS Server IP (optional)
- RADIUS Authentication Port (1812)
- RADIUS Accounting Port (1813)
- Shared Secret
-
Create a Captive Portal
- Navigate to Captive Portals and click Create Captive Portal
- Select Vendor: Ruckus
- Enter your SmartZone Public IP Address
- Enter your Northbound Password (API password)
- Note the Splash Page URL provided
- Copy the Walled Garden domains list
SmartZone Configuration
Step 1: Configure RADIUS Authentication
- Navigate to Services & Profiles → Authentication
- Click Create
- Configure:
- Name: IronWifi
- Type: Proxy (SZ Authenticator)
- Service Protocol: RADIUS
- Primary Server IP:
{Primary IP from IronWifi} - Port:
1812 - Shared Secret:
{Secret}
- Add backup server if using redundancy
Step 2: Configure RADIUS Accounting
- Navigate to Services & Profiles → Accounting
- Click Create
- Configure:
- Name: IronWifi-Accounting
- Server IP:
{Primary IP from IronWifi} - Port:
1813 - Shared Secret:
{Secret}
Step 3: Configure Hotspot Portal
- Navigate to Services & Profiles → Hotspot
- Click Create
- Configure:
- Name: IronWifi-Portal
- Login URL:
{Splash Page URL} - Redirect Method: HTTP
- Click Save
Step 4: Configure Walled Garden
In the Hotspot Portal settings:
-
Navigate to Walled Garden section
-
Add the following required entries:
107.178.250.42*.ironwifi.com*.ironwifi.netsplash.ironwifi.com
-
If using social login providers, add their domains:
| Provider | Required Entries |
|---|---|
*.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com | |
*.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com | |
*.linkedin.com, *.licdn.com, linkedin.com | |
| Twitter/X | *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com |
| Apple | *.apple.com, *.icloud.com, appleid.apple.com |
| Microsoft/Azure AD | *.microsoft.com, *.microsoftonline.com, *.msftauth.net, login.microsoftonline.com |
| Stripe | *.stripe.com, js.stripe.com |
| PayPal | *.paypal.com, *.paypalobjects.com |
| Twilio (SMS) | *.twilio.com |
Step 5: Create WLAN
- Navigate to Wireless LANs → Create
- Configure:
- Name: Guest-WiFi
- SSID: Guest-WiFi
- Zone: Your zone
- Authentication Type: Hotspot (WISPr)
- Hotspot Portal: IronWifi-Portal
- Authentication: IronWifi
- Accounting: IronWifi-Accounting
RadSec Configuration
For RADIUS over TLS (enhanced security):
- In IronWifi Console, enable RadSec for your network
- Download certificate bundle
- In SmartZone:
- Navigate to Services & Profiles → Authentication
- Edit the IronWifi authentication service
- Enable RadSec
- Upload certificates
- Configure port 2083
WPA-Enterprise
For 802.1X authentication without captive portal:
- Create WLAN
- Set Authentication Type: 802.1X EAP
- Configure:
- Auth Service: IronWifi
- Encryption: WPA2-AES (or WPA3)
- Accounting: IronWifi-Accounting
Testing
Once configuration is complete, verify everything is working properly:
Verify WLAN Status
# Check WLAN status
show wlan
# Check authentication servers
show auth-servers
# Check connected clients
show station
Test Captive Portal
- Connect a test device to the Guest WiFi network
- Open a web browser
- You should be automatically redirected to the IronWifi splash page
- Complete the authentication process
- Verify internet access is granted after authentication
Test Enterprise Authentication
- Connect a device to the WPA-Enterprise network
- Enter valid credentials when prompted
- Verify successful connection
- Check authentication logs in IronWifi Console
Troubleshooting
If you encounter issues during setup or operation, use this reference to diagnose and resolve common problems:
| Symptom | Possible Cause | Solution |
|---|---|---|
| Portal not appearing | Incorrect Hotspot Portal URL | Verify the Splash Page URL in Hotspot Portal settings matches IronWifi Console |
| Portal not appearing | Missing Walled Garden entries | Add all required IronWifi domains to Walled Garden |
| Portal not appearing | Authentication service not configured | Confirm authentication service is properly linked to WLAN |
| RADIUS authentication failures | Server connectivity issue | Test connectivity: ping {RADIUS IP} from SmartZone |
| RADIUS authentication failures | Incorrect shared secret | Verify shared secret matches exactly in both systems (case-sensitive) |
| RADIUS authentication failures | SmartZone IP not whitelisted | Check that SmartZone public IP is added in IronWifi Console |
| RADIUS authentication failures | Firewall blocking traffic | Ensure ports 1812 and 1813 are open between SmartZone and IronWifi |
| Client authorization issues | Incorrect Northbound password | Verify Northbound password in IronWifi captive portal settings |
| Client authorization issues | API access disabled | Check that SmartZone Northbound API is enabled and accessible |
| Client authorization issues | Certificate errors | Review IronWifi captive portal logs for SSL/TLS errors |
| Social login not working | Missing provider domains | Add all required domains for the social provider to Walled Garden |
| RadSec connection failing | Certificate mismatch | Ensure correct certificate bundle is uploaded to SmartZone |
| RadSec connection failing | Wrong port configuration | Verify RadSec is configured to use port 2083 |
For detailed error information:
- Review SmartZone logs: Monitoring → System Logs
- Review IronWifi logs: Analytics → Authentication Logs
- Check client connection logs: Monitoring → Client Sessions