Setting up Zero-IT with DPSK
Question: I heard about the benefits of Zero-IT. How do I set it up now?
Customer Environment: ZD-controlled network
Resolution: Many small and medium businesses don't have a RADIUS server on their network, but they still want to provide the best possible security to their users and protect the network from users who are not intended to have access.
PSK (passphrase) based networks are relatively simple to set up, yet they ensure top-level security for user traffic over the air. By its nature, however, a PSK requires the administrator to pass the passphrase to every user who needs access to the network. If the passphrase falls into the hands of an unintended user, the network can be compromised. The administrator is then forced to change the passphrase and provide or type in the new passphrase on all devices, which is a lot of work.
To help passphrase-based networks, the Zero-IT feature was introduced into ZD. It derives a strong 63-character passphrase, called a Dynamic PSK (DPSK), from a simple passphrase for each device. Here is how Zero-IT can be set up to provide a strong DPSK to each user.
1. First, decide on a backend user authentication system. For a lot of businesses this will be Microsoft Active Directory.
2. If there is no AD on the network, a local user database on the ZD can be used.
3. The above needs to be defined within ZD, either under AAA Servers or under the Users section.
4. Create a new SSID.
5. Define the SSID type as standard and choose WPA2 for the encryption method.
6. Choose AES for the algorithm to provide robust security, and type in a hard-to-guess passphrase.
7. Choose the authentication server type (whichever was decided on in steps 1 and 2).
8. Enable Zero-IT, and then enable DPSK.
9. Select either Secure D-PSK or Mobile Friendly D-PSK. Also choose the key expiration type.
10. Enable the option to limit D-PSK generation per user to 1-4 devices.
11. Have the users connect to a wired network that can reach the ZD. If the client device has no LAN port, refer to the last point at the bottom.
12. Ask them to enter the URL https://<zd_ip>/activate in a browser.
The last step gives them an executable file compatible with their OS. They need to run it to set up the configuration necessary to connect to the target wireless network. At this point they should disconnect the cable to the wired network so that they are on the wireless network. Ensure the Zero-IT SSID is enabled under the user roles (Configure --> Roles) so that the connection can succeed.
If the customer doesn't have an Ethernet port on their device, refer to the Onboarding Portal setup details at https://support.ruckuswireless.com/answers/000002842
With this setup, there is no need to type the https://<zd_ip>/activate URL into the browser. The entire Zero-IT provisioning takes place over wireless.