How to Troubleshoot Captive Portal/Hotspot (WISPr)/Guest Access/Web Auth Redirection and Authentication Issues

Summary

This document provides a comprehensive guide to troubleshoot Captive Portal or WISPr redirection issues. It includes understanding the flow of authentication, identifying where it’s breaking, necessary steps, troubleshooting tips, and resolution methods.

Question

How to troubleshoot Captive Portal Redirection and Authentication issues?

Customer Environment

Virtual SmartZone (vSZ). SmartZone-144 (SZ-144). SmartZone-100 (SZ-100). SmartZone-300 (SZ-300). ZoneDirector-1200 (ZD-1200). Ruckus One (R1). Unleashed.

Symptoms

Users not getting the Login Page.
iPhone, Androids, etc not getting the Login Page automatically.
The user gets failed authentication after posting the credentials on the Login page.

Troubleshooting Steps

Understanding the Captive Portal Flow Diagram: 

Before starting with the troubleshooting steps, first understand the Captive Portal flow diagram. 

User-added image
User-added image
User-added image

 

SmartZone and Virtual SmartZone


Types of Captive Portal Features Available: 

1. Hotspot (WISPr)
  • Can use Internal Logon URL or an External Web Server for the Logon URL. 
  • Authentication Service type can be Proxy Based (SZ) or Non-Proxy Based (AP). 
  • Accounting Service can be configured as either Proxy or Non-Proxy. 
  • Proxy Based: The Ruckus Smart Zone controller runs a service called RadiusProxy based on OpenRadius. All radius requests are sent from the controller’s management IP address. 
  • Non-Proxy Based: The access points terminate EAP and send Radius requests to the Authentication server. 
  • Map the certificate to the Hotspot (WISPr) through SZ Certificate Service Mapping option. 
  • References: 
RUCKUS SmartZone Hotspot WISPr Interface Guide here.
WISPr Portal Setup in SZ (YouTube) here.

2. Guest Access 
  • Guest Authentication can be configured using Guest Pass, Self Registration, and Social Media Login. 
  • Social Media Login options: LinkedIn, Google, Facebook (Meta), Microsoft. 
  • References: 
Guest Pass Setup in SZ (YouTube) here.
Setup of Guest Access using multiple Social Media Logins (Community Link) here.

3. Web Authentication
  • By default, uses Internal Logon URL. Authentication Service can be Proxy Based (SZ) or Non-Proxy Based (AP). 
  • References: 
Guest Pass Setup in SZ (YouTube) here.

Troubleshooting through SZ/vSZ
 
Use the Client Trace feature in SZ to check the connection flow. 
User-added image

SZ version 6.1 and above has an option for troubleshooting in the Web interface of SZ using the Support Bundle feature. 
Navigate to Monitor --> Troubleshooting and Diagnostics --> Support Bundle --> Select the WLAN, AP, SZ Key Application Logs, or SZ Snapshot logs and AP Packet capture on any radio. 
User-added image

 

RUCKUS One (Formerly known as RUCKUS Cloud)

 
Types of Captive Portal Features Available: 

1. Click-Through 
  • Creating a Captive Portal with Click-Through here.

2. Self Sign In
  • Creating a Captive Portal with Self Sign In here.
  • Options: SMS token, Email, Facebook (Meta), Google, X (Twitter), LinkedIn. 

3. Cloudpath Captive Portal
  • Creating a Captive Portal with Cloudpath Captive Portal here.
  • AAA can be Proxy based or Non-Proxy Based. 

4. Host Approval
  • Creating a Captive Portal with Host Approval here.

5. Guest Pass
  • Creating a Captive Portal with Guest Pass here.

6. Third-Party Captive Portal (WISPr Feature) 
  • Creating a Captive Portal with Third-Party Captive Portal (WISPr Feature) here.
  • Cloud Hotspot WISPr API Reference Guide here.
Troubleshooting through R1

Use the Trace Connectivity Option in Clients --> Wireless Clients List --> Client List --> Diagnostics. 
User-added image
Search with the user's MAC address to check the history of the connection (successful and failure). 
User-added image
Take the AP support log and select “Enable access to Ruckus Support” under Administration --> Account Management --> Setting and reach out to support using this link: Contact Ruckus Support
 
WISPr portal issue in R1 using CloudPath (KB Article) here.

 

 

Unleashed/ZoneDirector

 
Ruckus Unleashed is very similar to the working of the Zone Director and hence this section will be applicable to both. 

Types of Captive Portal Features Available: 

1. Hotspot (WISPr)
  • Hotspot (WISPr) setup in Unleashed here.
  • Hotspot (WISPr) call flow for ZD with external Web Portal Server (KB Article) here.

2. Guest Access
  • Guest Authentication can be configured using Guest Pass, Self Registration, and Social Media Login. 
  • Social Media Login options: LinkedIn, Google, Facebook (Meta), Microsoft, WeChat. 
  • References: 
Guest Pass Setup in Unleashed (YouTube) here.
Guest Pass Setup in ZoneDirector (YouTube) here.

3. Web Authentication
  • Web Authentication Setup using LDAP in ZoneDirector (YouTube) here.

General Verification
 
  • Ensure the user gets an IP from DHCP and DNS from the respective VLAN. 
  • DNS server resolving DNS requests, especially the captive portal URL. 
  • In Hotspot Portal Server, ensure the Redirect unauthenticated user URL is in the correct format. 
User-added image
  • Check if the user has reachability to the captive portal (whether external or internal). 
User-added image
  • Use the Bypass CNA feature for issues where Apple devices do not get the Login Page Automatically. When enabled, captive portal login must be performed by opening a browser to any unauthenticated page (HTTP) to get redirected to the login page. 
Reference: Bypass CNA feature here
Example of an HTTP link: http://neverssl.com
  • Add Walled Garden so the user can access the URL before getting authenticated successfully. 
  • Check if the AAA server is reachable from the Controller or AP. 
  • For RADIUS, ensure the Shared Secret is correct and port 1812 (For Authentication) and port 1813 (For Accounting) are allowed. 
  • For Active Directory and LDAP, port 389 should be allowed. 

Resolution

  • Ensure the user gets the IP address from the initial VLAN and DNS can send the DNS response. 
  • The user should be able to reach to the Captive Portal.
  • When using the AAA server the respective ports are allowed for the communication with SZ/AP/R1.

Article Number:
000014431

Updated:
October 09, 2024 01:25 PM (2 months ago)

Tags:
Configuration, Troubleshooting, R720 UNL, SZ144, Ruckus Cloud WiFi, SZ300, virtual SmartCell Gateway, SZ100, ZoneDirector 1200

Votes:
0

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.

Alert!!

Close