Setting up Zero-IT with DPSK

Summary

How to setup Zero-IT with DPSK on ZD platforms

Question

I heard benefits of Zero-IT. How do I set it up now?

Customer Environment

zd controlled network

Resolution

Many of the small and medium businesses don't have a RADIUS server on their network. But they do want to provide best possible security to their users and protect their network from users that are not intended to have access.

PSK (passphrase) based networks are relatively simple to set up yet ensure top level security to user traffic in the air medium. But by its nature, the administrator has to pass the passphrase to the users that need access to the network. At some point, it can lead to compromise of the network if it falls in the hands of the unintended users. Then the administrator will be forced to change the passphrase and provide or type in the new passphrase on all devices. This is lot of work.

To help passphrase based networks, Zero-IT feature was introduced into ZD. It derives a 63-character strong passphrase called Dynamic PSK (DPSK) from a simple passphrase to each device. Here is how Zero-IT can be setup to provide a strong DPSK to each user.
1. First of all, decide on a backend user authentication system. For a lot of businesses, this will be a Microsoft Active Directory.
2. If there is no AD on the network a local user database can be used on the ZD.
3. Above need to be defined within ZD either under AAA Servers OR under Users section.
4. Create a new SSID.
5. Define the SSID type as standard and choose WPA2 for the encryption method.
6. Choose AES for the algorithm to provide robust security and type in hard to guess passphrase
7. Choose the authentication server type (whatever is concluded based off of steps 1 and 2)
8. Enable Zero-IT. And then enable DPSK.
9. Select either Secure D-PSK or Mobile Friendly D-PSK. Please also choose a key expiration type.
10. Enable the Limit D-PSK generation per user to 1-4 devices
11. Let the users connect to a wired network that has reachability to ZD. Please refer to the last point at the bottom if there is no LAN port on the client device.
12. Ask them to type in https://<zd_ip>/activate URL in a browser.

The last step will give them a compatible executable file based on their OS. They need to run it to setup the necessary configuration to connect to the target wireless network. At this point they should disconnect the cable going to the wired network to be on the wireless network. Please ensure the Zero-IT SSID is enabled under the user roles (Configure --> Roles) so the connection could be successful.

If the customer doesn't have an Ethernet port on their device, please refer to Onboarding Portal setup details at https://support.ruckuswireless.com/answers/000002842

With this setup, there is no need to type in the https://<zd_ip>/activate URL into the browser. Entire Zero-IT provisioning will take place in wireless.

Article Number:
000002009

Updated:
August 18, 2020 04:42 AM (over 3 years ago)

Tags:
Configuration, Installation, ZoneDirector

Votes:
2

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.