
Ruckus SmartZone - OpenRoaming with RadSec

Configure RadSec (RADIUS over TLS) on Ruckus SmartZone and Virtual SmartZone controllers for secure OpenRoaming authentication with IronWifi. This guide covers CA chain and client certificate installation, RadSec proxy authentication service creation, Hotspot 2.0 profile configuration, and WLAN deployment.

Quick Start

  1. Enable RadSec and OpenRoaming in IronWifi Console
  2. Download certificate bundle
  3. Import CA chain and client certificate to SmartZone (Administration > Certificates)
  4. Create RadSec proxy authentication service
  5. Create Hotspot 2.0 profile with OpenRoaming OIs
  6. Create WLAN and assign Hotspot 2.0 profile

Prerequisites

In Ruckus SmartZone:

  • Ruckus SmartZone or Virtual SmartZone (vSZ) controller
  • SmartZone firmware 5.x or later
  • Ruckus access points with Hotspot 2.0 support

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Enable RadSec from the dropdown menu
  4. Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)

SmartZone Certificate Configuration

Step 1: Import Trusted CA Chain

  1. Log in to SmartZone web interface
  2. Navigate to Administration > Certificates
  3. Go to SZ Trusted CA Certificates/Chain (external)
  4. Click + Import
  5. Configure:
    • Name: IW Trusted PKI Chain
    • Root CA Certificate: Upload iw-rsa-root-ca.cert.pem
    • Intermediate Root CA Certificates: Add iw-rsa-radsec-signing-ca.cert.pem
  6. Click OK to save

Step 2: Import Client Certificate

  1. Go to SZ Client Certificates
  2. Click + Import
  3. Configure:
    • Name: IronWifi-RadSec-Client
    • Certificate File: Upload client.cert.pem
    • Private Key File: Upload client.key.pem
    • Passphrase: Leave empty (or enter the private key passphrase, if one was set)
  4. Click OK to save

Verify Certificates

After import, confirm that both entries are listed:

  • Trusted CA Chain: IW Trusted PKI Chain
  • Client Certificate: IronWifi-RadSec-Client

RadSec Proxy Configuration

Step 3: Create RadSec Authentication Service

  1. Navigate to Services & Profiles > Authentication
  2. Click Create > Proxy (SZ Authenticator)
  3. Configure General Settings:
    • Name: IronWifi-RadSec
    • Description: IronWifi RadSec OpenRoaming
    • Service Protocol: RadSec

Step 4: Configure Primary Server

  1. In the authentication service, configure:
    • Primary Server IP/FQDN: radsec.ironwifi.com
    • Port: 2083
    • Shared Secret: Leave empty (RadSec authenticates the peers with certificates, not a shared secret)
  2. Configure RadSec Settings:
    • RadSec: Enable
    • CN/SAN Identity: radsec.ironwifi.com
    • CA Chain Certificate: Select IW Trusted PKI Chain
    • Client Certificate: Select IronWifi-RadSec-Client

Step 5: Configure Accounting (Optional)

  1. Enable Accounting
  2. Configure:
    • Accounting Server: radsec.ironwifi.com
    • Accounting Port: 2083
    • Use same RadSec settings: Yes

Step 6: Save Configuration

  1. Review all settings
  2. Click OK to create the authentication service

Hotspot 2.0 Configuration

Step 7: Create Hotspot 2.0 Venue Profile

  1. Navigate to Services & Profiles > Hotspot 2.0 > Venue
  2. Click Create
  3. Configure:
    • Name: IronWifi-Venue
    • Venue Group: Business
    • Venue Type: Unspecified
    • Venue Name: Your Organization Name

Step 8: Create Hotspot 2.0 Operator Profile

  1. Go to Operator
  2. Click Create
  3. Configure:
    • Name: IronWifi-Operator
    • Operator Name: IronWifi
    • Domain Name: ironwifi.net

Step 9: Create NAI Realm Profile

  1. Go to Identity Provider > Realms
  2. Click Create
  3. Configure:
    • Name: IronWifi-Realm
    • Realm: ironwifi.com
    • EAP Method: EAP-TTLS
    • Auth Method: PAP

Step 10: Create Hotspot 2.0 Profile

  1. Go to Hotspot 2.0 Profiles
  2. Click Create
  3. Configure General:
    • Name: IronWifi-Passpoint
    • Operator: Select IronWifi-Operator
    • Venue: Select IronWifi-Venue
    • Internet Access: Yes
    • Access Network Type: Free public network
  4. Configure Roaming Consortium:
    • Add OI: 5A03BA0000 (WBA OpenRoaming Settled)
    • Add OI: 5A03BA0200 (WBA OpenRoaming Settlement-free)
    • Add OI: 004096 (Cisco OpenRoaming)
  5. Configure NAI Realm:
    • Select IronWifi-Realm
  6. Click OK to save
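The settings entered in Steps 7 to 10 are what the APs turn into 802.11u elements on the air, and a Passpoint device decides whether to join by matching its credential against exactly those bytes. The following Python example is added here and is not Ruckus or IronWifi code: it encodes the Roaming Consortium element carried in beacons and the NAI Realm list answered over ANQP, using the three OIs and the ironwifi.com realm from this guide, and decodes the beacon element the way a client does when checking its credential. The field layouts are taken from the IEEE 802.11 Roaming Consortium element and NAI Realm ANQP-element; the numeric codepoints (EAP-TTLS = 21, inner authentication PAP = 1, username/password credential = 7) are the standard values. Everything else (function names, the sample values) is constructed for the example.

```python
"""What the AP advertises for the Hotspot 2.0 profile built in Steps 7-10.
Added example, not Ruckus or IronWifi code. Field layouts follow the IEEE
802.11 Roaming Consortium element and NAI Realm ANQP-element; the sample
OIs and realm are the ones this guide enters into SmartZone."""
from typing import List, Tuple

ROAMING_CONSORTIUM_EID = 111      # element ID in Beacon / Probe Response
ANQP_NAI_REALM_INFO_ID = 263      # ANQP Info ID of the NAI Realm list

EAP_TTLS = 21                     # IANA EAP method type (Step 9: EAP-TTLS)
AUTH_PARAM_INNER_AUTH = 2         # auth param: Non-EAP Inner Authentication Type
INNER_AUTH_PAP = 1                #   ... value for PAP (Step 9)
AUTH_PARAM_CREDENTIAL = 5         # auth param: Credential Type
CREDENTIAL_USERNAME_PASSWORD = 7  #   ... value for username/password

# Constructed sample values, copied from Step 10 and Step 9 of this guide
OPENROAMING_OIS = ["5A03BA0000", "5A03BA0200", "004096"]
IRONWIFI_REALM = "ironwifi.com"


def encode_roaming_consortium(ois: List[str], anqp_oi_count: int = 0) -> bytes:
    """Roaming Consortium element: EID | Len | #extra OIs via ANQP |
    OI2-len<<4 | OI1-len | OI1 | [OI2] | [OI3]. Three OIs at most; OI3's
    length is whatever remains, which is why it has no length nibble."""
    if not 1 <= len(ois) <= 3:
        raise ValueError("beacon element carries one to three OIs")
    raw = [bytes.fromhex(oi) for oi in ois]
    if any(not 3 <= len(oi) <= 15 for oi in raw):
        raise ValueError("OI must be 3..15 octets (4-bit length nibble)")
    len1 = len(raw[0])
    len2 = len(raw[1]) if len(raw) > 1 else 0
    body = bytes([anqp_oi_count & 0xFF, (len2 << 4) | len1]) + b"".join(raw)
    return bytes([ROAMING_CONSORTIUM_EID, len(body)]) + body


def decode_roaming_consortium(element: bytes) -> Tuple[int, List[str]]:
    """Inverse of encode_roaming_consortium: (ANQP OI count, OIs as hex)."""
    if len(element) < 5 or element[0] != ROAMING_CONSORTIUM_EID:
        raise ValueError("not a Roaming Consortium element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated element")
    anqp_count, len1, len2 = body[0], body[1] & 0x0F, body[1] >> 4
    rest = body[2:]
    if len1 == 0 or len(rest) < len1 + len2:
        raise ValueError("OI length nibbles disagree with element length")
    ois = [rest[:len1].hex().upper()]
    rest = rest[len1:]
    if len2:
        ois.append(rest[:len2].hex().upper())
        rest = rest[len2:]
        if rest:                  # OI #3 takes everything that is left
            ois.append(rest.hex().upper())
    elif rest:
        raise ValueError("trailing bytes but no OI #2 length")
    return anqp_count, ois


def credential_matches_beacon(element: bytes, credential_ois: List[str]) -> bool:
    """Device-side check: a Passpoint credential matches a network when one of
    its roaming consortium OIs appears in the beacon (exact octet match)."""
    _, advertised = decode_roaming_consortium(element)
    return any(oi.upper() in advertised for oi in credential_ois)


def encode_nai_realm_list(realms: List[str], eap_method: int,
                          auth_params: List[Tuple[int, int]]) -> bytes:
    """NAI Realm ANQP-element (Info ID 263) for realms sharing one EAP method.
    Per realm: Len(2) | Encoding(1) | RealmLen(1) | Realm | EAPCount(1) |
    EAP: Len(1) | Method(1) | ParamCount(1) | params: ID(1) | Len(1) | Value.
    Two-byte lengths and the Info ID are little-endian."""
    params = b"".join(bytes([pid, 1, value]) for pid, value in auth_params)
    eap = bytes([eap_method, len(auth_params)]) + params
    eap_field = bytes([len(eap)]) + eap
    records = b""
    for realm in realms:
        r = realm.encode("ascii")
        # encoding 0 = RFC 4282 realm format; exactly one EAP method follows
        data = bytes([0, len(r)]) + r + bytes([1]) + eap_field
        records += len(data).to_bytes(2, "little") + data
    payload = len(realms).to_bytes(2, "little") + records
    return (ANQP_NAI_REALM_INFO_ID.to_bytes(2, "little")
            + len(payload).to_bytes(2, "little") + payload)


def ironwifi_profile_elements() -> Tuple[bytes, bytes]:
    """The two elements produced by this guide's profile, for inspection."""
    rc = encode_roaming_consortium(OPENROAMING_OIS)
    nai = encode_nai_realm_list([IRONWIFI_REALM], EAP_TTLS,
                                [(AUTH_PARAM_INNER_AUTH, INNER_AUTH_PAP),
                                 (AUTH_PARAM_CREDENTIAL, CREDENTIAL_USERNAME_PASSWORD)])
    return rc, nai


if __name__ == "__main__":
    rc, nai = ironwifi_profile_elements()
    print("Roaming Consortium element:", rc.hex())
    print("NAI Realm ANQP-element:", nai.hex())
    print("settled OI matches:", credential_matches_beacon(rc, ["5A03BA0000"]))
```

Run as a script it prints both elements as hex. Because the match is an exact octet comparison, a credential provisioned with one OI joins only if that precise OI is advertised; decoding a captured beacon with decode_roaming_consortium and comparing against the device's credential is the quickest way to confirm the "Check roaming consortium OIs" step in the Troubleshooting section, and a mistyped realm shows up the same way in the NAI Realm list.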


WLAN Configuration

Step 11: Create WLAN with Passpoint

  1. Navigate to Wireless LANs
  2. Click Create
  3. Configure General:
    • Name: OpenRoaming
    • SSID: OpenRoaming
    • Zone: Select your zone

Step 12: Configure Authentication

  1. In WLAN settings, go to Authentication
  2. Configure:
    • Method: 802.1X EAP
    • Authentication Service: Select IronWifi-RadSec

Step 13: Configure Encryption

  1. Go to Encryption
  2. Configure:
    • Method: WPA2
    • Algorithm: AES

Step 14: Enable Hotspot 2.0

  1. Go to Hotspot 2.0
  2. Enable Hotspot 2.0
  3. Select Hotspot 2.0 Profile: IronWifi-Passpoint

Step 15: Save and Deploy

  1. Click OK to save WLAN
  2. The configuration is pushed to the APs in the selected zone

Complete Configuration Summary

Authentication Service

Setting        Value
Type           RadSec Proxy
Server         radsec.ironwifi.com
Port           2083
CA Chain       IW Trusted PKI Chain
Client Cert    IronWifi-RadSec-Client

Hotspot 2.0 Profile

Setting        Value
Internet       Yes
Network Type   Free public
Domain         ironwifi.net
Roaming OIs    5A03BA0000, 5A03BA0200, 004096
NAI Realm      ironwifi.com (EAP-TTLS)

Verification

Check RadSec Status

  1. Navigate to Monitor > System
  2. Check Authentication Service status
  3. Verify RadSec connection is active

Check WLAN Status

  1. Go to Monitor > Wireless LANs
  2. Verify WLAN is broadcasting
  3. Check AP status

Test Client Connection

  1. Connect Passpoint-enabled device
  2. The device should discover the network automatically through ANQP, without manual SSID selection
  3. Verify authentication in:
    • SmartZone Client Monitor
    • IronWifi Console Logs

CLI Verification

From the SmartZone CLI:

# Check authentication service
show running-config aaa

# Check RadSec status
show aaa radius-server status

# Check certificates
show certificate

Troubleshooting

RadSec Connection Issues

  1. TLS Handshake Failure

    • Verify the CA chain is complete (both the root and the intermediate CA were imported)
    • Check that the client certificate is valid and not expired
    • Ensure the server certificate's CN/SAN matches radsec.ironwifi.com, the CN/SAN Identity set in Step 4
  2. Connection Timeout

    • Verify port 2083 is open
    • Check DNS resolution for radsec.ironwifi.com
    • Test network connectivity
  3. Certificate Errors

    • Re-import certificates
    • Verify certificate chain order
    • Check certificate expiration

Authentication Failures

  1. RADIUS Reject

    • Check NAI realm matches IronWifi config
    • Verify user credentials
    • Review IronWifi authentication logs
  2. No Response

    • Check RadSec service status
    • Verify server reachability
    • Review SmartZone logs

Hotspot 2.0 Issues

  1. Network Not Discovered

    • Verify HS2.0 enabled on WLAN
    • Check roaming consortium OIs
    • Verify client Passpoint support
  2. ANQP Failures

    • Review AP debug logs
    • Verify profile assignments
    • Check domain configuration

Debug Commands

# Enable debug logging
debug aaa radius
debug hotspot enable

# Check logs
show log

# Check client status
show client summary

Common Errors

Error                Cause                  Solution
TLS verify failed    CA not trusted         Re-import CA chain
Connection refused   Port blocked           Open port 2083
No matching realm    NAI mismatch           Check realm config
Cert expired         Outdated certificate   Download new bundle

Best Practices

  1. Firmware Updates: Keep SmartZone updated for best RadSec support
  2. Certificate Management: Monitor expiration, plan renewal
  3. Zone Organization: Use zones for logical AP groupings
  4. Monitoring: Enable alerts for RadSec failures
  5. Testing: Verify with multiple Passpoint devices
  6. Backup: Export configuration regularly