Introduction
Scope and Purpose
Thank you for purchasing the Trusted WiFi solution. This document is a hardware configuration guide describing how to set up a Ruckus ZoneDirector WLAN Controller for a Trusted WiFi Passpoint service.
For more information on how to set up an end-to-end Trusted WiFi Passpoint service, please refer to the Trusted WiFi Passpoint Administration Guide.
For complete information on how to set up a Ruckus ZoneDirector WLAN Controller, please refer to the vendor’s original documentation.
Documentation Conventions
The following conventions are used throughout this document:
Notes: Helpful information, suggestions or references.
Warning: Important notification that something might result in a configuration not working, loss of data, equipment damage or personal injury.
Bold and/or green: commands, command options and keywords.
Italics: variable, input requirement for a valid parameter.
Passpoint Overview
Passpoint – also known as Hotspot 2.0 – is an industry-wide next generation approach to public internet access driven by the Wi-Fi Alliance that brings the following benefits:
Frictionless onboarding and roaming, thanks to a one-time registration followed by automatic access to interconnected hotspots
More secure and private Wi-Fi connections, compared with general visitor networks
Passpoint is based on the IEEE 802.11u standard, which is a set of protocols enabling cellular-like roaming. Following the initial enrollment, frequent users such as visitors, guests or employees bypass repeated logins, forms and passwords: their mobile devices automatically join the Wi-Fi subscriber service when they return to a venue or roam between inter-linked Passpoint-enabled hotspots and providers, while being better protected against potential cyber threats.
If a device supports 802.11u and is enrolled to a service, it automatically communicates with the Wi-Fi infrastructure via the access points to discover the network SSID and connects securely to it by presenting its access credentials. Upon successful authentication, the device is provisioned with Passpoint standards-based management objects - known as Per-Provider Subscription Management Objects (PPS-MO).
GlobalReach - an ASSA ABLOY company - has been involved with Passpoint since its inception and even contributed to the creation and initial pilot testing of the standard. As a result, it is one of the few trusted worldwide experts on this topic, with a proven platform backed by real-world operational experiences at scale.
The best user experience is to offer Passpoint through a customer/brand mobile app integration, as it further simplifies the onboarding process, while incentivizing app downloads and customer loyalty, leading to further engagement and monetization opportunities. To this effect, Trusted WiFi offers a Software Development Kit (SDK) for easy app integration.
End-to-End Service Components
Implementing an end-to-end Trusted WiFi Passpoint service requires a combination of the following software and hardware components:
Trusted WiFi Passpoint: the core services are offered and managed centrally via the Trusted WiFi Passpoint Module (hosted and operated by GlobalReach). Following an initial setup performed by the GlobalReach Operations team, Managed Service Providers (MSPs) can then add sites to customer realms and monitor the solution.
Customer Realm: the service requires connectivity to a realm including domain, security certificate and private key, as well as the database holding the users’ Personally Identifiable Information (PII). It is the responsibility of the Identity Provider – typically the customer/brand – to make this part available.
Mobile App: the best user experience is to offer Passpoint through a customer/brand mobile app integration. Trusted WiFi offers a Software Development Kit (SDK) for easy implementation. It is the responsibility of the app owner – typically the customer/brand – to perform the integration.
Local Networks: the local networks must be compliant with Passpoint (Hotspot 2.0). Most recent Wi-Fi access points and controllers from major vendors support Passpoint today, but older models or products from less common manufacturers might not. The configuration of the local infrastructure is typically handled by the Managed Service Providers (MSPs).
User Devices: the subscribers’ mobile devices (belonging to visitors, guests, employees, etc.) must be compliant with Passpoint (Hotspot 2.0). All recent iOS and Android-based smartphones or tablets support Passpoint today, but older models or products running less popular operating systems might not. Laptop compatibility is also more erratic. It is therefore essential to maintain a traditional onboarding service in parallel with Passpoint to handle non-compatible devices.
High-Level Topology
The diagram below illustrates the high-level topology for the end-to-end Trusted WiFi Passpoint service:
Glossary
The following is a glossary of the most common terms used regarding this solution.
Term | Abbreviation | Description |
|---|---|---|
Deployment | - | Enabling of a Trusted WiFi product module for a property via the Trusted WiFi interface. |
Module | - | Product or service purchased from Trusted WiFi that is managed through its own sub-section via the Trusted WiFi interface. |
License | - | Legal agreement that grants users the right to use specific software, outlining terms and conditions for its usage, distribution, and potential modifications, while protecting the intellectual property of the software developer. GlobalReach licenses comprise two different types: Trusted WiFi is sold as a combination of one-off licenses to activate the service and recurring licenses based on a price per Wi-Fi access point per month. |
Managed Service Provider | MSP | The third-party company that remotely manages and monitors a client's IT infrastructure and end-user systems, offering services like network and infrastructure management, security, and 24/7 technical support. |
Organization | Org | A company account in Trusted WiFi. |
Operator | - | An organization type account in Trusted WiFi that is used by MSPs to manage a property’s Wi-Fi network. |
Customer | - | An organization type account in Trusted WiFi typically used for customers/brands that allows grouping to view all properties belonging to the same company even if managed by several different MSPs. |
Linked Organization | Linked Org | A link creating a relationship between an operator and a customer account, allowing a customer to view a property while allowing an operator to manage it. |
User | - | An individual accessing a product, service or system. |
Property | - | Trusted WiFi concept representing an individual site or location where products are deployed. |
Linked Property | - | Site or location shared between operator and customer accounts. |
Passpoint Software Development Kit | Passpoint SDK | The service that sits within the customer’s mobile app and that is connected to the Trusted WiFi RADIUS infrastructure allowing Passpoint profiles to be created for a given Passpoint realm. |
Passpoint Realm | - | The customer specific domain that is used to provision Passpoint profiles that are approved for connection to any associated network. |
Passpoint Profile | - | The security certified profile that sits on a subscriber’s device. If installed correctly it allows seamless authentication to the secure Passpoint SSID. |
Secure Passpoint Service Set Identifier | Secure Passpoint SSID | The Wi-Fi network that is associated to the Passpoint realm configured to allow subscriber devices with a valid Passpoint profile to seamlessly connect to the Passpoint network at a property. |
Subscriber | - | An individual person using a service. |
Subscriber Device | - | The equipment – typically a smartphone, tablet or computer – the subscriber is using to connect to the service. |
Collision-Resistant Unique Identifier | CUID | A unique identifier designed to be collision-resistant – meaning engineered to minimize the likelihood of generating duplicate IDs even in distributed systems – and more efficient in terms of space and database indexing performance due to its sequential nature. In the context of Passpoint, a CUID is delivered to a subscriber device when it requests a Passpoint profile. |
Customer Loyalty Mobile Application | Mobile App | The iOS and/or Android digital application used by businesses to engage and reward their customers through loyalty programs. In the context of Passpoint, the best user experience is to offer Passpoint through a customer/brand mobile app integration using the Trusted WiFi SDK. |
RUCKUS ZONEDIRECTOR CONFIGURATION
Supported Versions
Ruckus ZoneDirector version 10.0 or later is recommended to run Passpoint. This document uses screens from v10.5. While the user interface might vary a little between versions, the requirements are the same.
Note
Please refer to the Ruckus Wireless AP-Controller Matrix - January 2022 document for further information on which versions of OS code support which APs.
Warning
The ZoneDirector 1200 is now end of life and should be replaced with a supported alternative.
Prerequisites
It is assumed the following prerequisites are met before configuring a Ruckus ZoneDirector WLAN Controller for a Trusted WiFi Passpoint service:
A supported Ruckus ZoneDirector running version 10.0 or greater, activated and licensed.
A Trusted WiFi account with operator permissions.
A core Trusted WiFi Passpoint service configured and tested.
A property in Trusted WiFi with deployed Gateway and Passpoint modules.
A deployed and configured Wi-Fi network.
Note
This document focuses on a specific part of the Ruckus ZoneDirector configuration only.
Please refer to the Passpoint Administration Guide for instructions on how to configure the end-to-end Passpoint service.
Please refer to the original Ruckus documentation for complete instructions on Ruckus ZoneDirector WLAN Controllers configuration.
Warning
All properties must share the same NAI realm, RADIUS IP / port settings and SSID name for the Passpoint service (CustomerPasspoint).
Each property requires a separate RADIUS secret and NAS identifier, both generated when a configuration is activated within the Trusted WiFi management platform.
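The rule in the warning above (shared realm, RADIUS address/port and SSID; separate secret and NAS identifier per property) can be checked mechanically across an inventory of properties. The following Python script is an added example, not part of the Trusted WiFi or Ruckus tooling; the inventory schema, field names, property names and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Settings the guide says every property must share.
SHARED_FIELDS = ("nai_realm", "radius_primary_ip", "radius_secondary_ip",
                 "radius_auth_port", "ssid")
# Settings the guide says are generated separately for each property.
UNIQUE_FIELDS = ("radius_secret", "nas_id")


def audit_properties(properties):
    """Return sorted findings; an empty list means the inventory is consistent.

    `properties` maps a property name to its settings (hypothetical schema).
    """
    if not properties:
        return []
    findings = []
    for field in SHARED_FIELDS:
        by_value = defaultdict(list)
        for name, cfg in properties.items():
            by_value[cfg.get(field)].append(name)
        # Treat the most common value as the intended one and flag the rest.
        expected = max(by_value, key=lambda v: len(by_value[v]))
        for value, names in by_value.items():
            if value != expected:
                findings += [f"{n}: {field} differs from the shared value"
                             for n in names]
    for field in UNIQUE_FIELDS:
        owners = defaultdict(list)
        for name, cfg in properties.items():
            if cfg.get(field):
                owners[cfg[field]].append(name)
            else:
                findings.append(f"{name}: {field} is missing")
        for names in owners.values():
            if len(names) > 1:
                # Name the properties only; never echo the secret itself.
                findings.append(f"{', '.join(sorted(names))}: {field} is reused")
    return sorted(findings)


# Constructed sample inventory (documentation IP ranges, made-up secrets).
BASE = {"nai_realm": "passpoint.example.com", "radius_primary_ip": "192.0.2.10",
        "radius_secondary_ip": "198.51.100.10", "radius_auth_port": 1812,
        "ssid": "CustomerPasspoint"}
SAMPLE = {
    "hotel-a": dict(BASE, radius_secret="constructed-secret-A", nas_id="NAS-A"),
    "hotel-b": dict(BASE, radius_secret="constructed-secret-A", nas_id="NAS-B"),
    "hotel-c": dict(BASE, ssid="Customer-Passpoint",
                    radius_secret="constructed-secret-C", nas_id=""),
}

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE):
        print(finding)
```

Findings name the affected properties and the field only, so the report can be shared without exposing any shared secret.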
Core Passpoint Settings
Log into Trusted WiFi, then click on the Properties icon in the left menu to view the properties list.
Select or search for the property you wish to work on. This will open its deployments page:
Click on the Passpoint tile and then click on the Configuration option in the left menu to display the Passpoint settings summary as per the example below:
Take note of the details for your respective installation as they will be required at a later step.
Ruckus ZoneDirector Configuration
RADIUS
Log into the Ruckus ZoneDirector with your credentials to display the page below:
On the left-hand navigation menu, click on the Services & Profiles > AAA Servers to display the page below:
Click on Create New in the upper left part of the screen to display the pages below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Name | Enter a name. |
Type | Select RADIUS. |
Encryption | Leave unchecked. |
Auth Method | Select PAP. |
Backup RADIUS | Select this checkbox. |
Primary Server | |
IP Addresses | Enter the <Primary RADIUS IP> from Trusted WiFi. |
Port | Enter the <RADIUS Authentication Port> from Trusted WiFi. |
Shared Secret | Enter the <RADIUS Shared Secret> from Trusted WiFi. |
Confirm Shared Secret | Re-enter the <RADIUS Shared Secret> from Trusted WiFi. |
Secondary Server | |
IP Addresses | Enter the <Secondary RADIUS IP> from Trusted WiFi. |
Port | Enter the <RADIUS Authentication Port> from Trusted WiFi. |
Shared Secret | Enter the <RADIUS Shared Secret> from Trusted WiFi. |
Confirm Shared Secret | Re-enter the <RADIUS Shared Secret> from Trusted WiFi. |
Click on OK at the bottom of the screen to save the RADIUS configuration.
Once back on the AAA screen, click Create New again to configure the RADIUS accounting settings and open the page below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Name | Enter a name. |
Type | Select RADIUS Accounting. |
Encryption | Leave unchecked. |
Auth Method | Select PAP. |
Backup RADIUS | Select this checkbox. |
Primary Server | |
IP Addresses | Enter the <Primary RADIUS IP> from Trusted WiFi. |
Port | Enter the <RADIUS Authentication Port> from Trusted WiFi. |
Shared Secret | Enter the <RADIUS Shared Secret> from Trusted WiFi. |
Confirm Shared Secret | Re-enter the <RADIUS Shared Secret> from Trusted WiFi. |
Secondary Server | |
IP Addresses | Enter the <Secondary RADIUS IP> from Trusted WiFi. |
Port | Enter the <RADIUS Authentication Port> from Trusted WiFi. |
Shared Secret | Enter the <RADIUS Shared Secret> from Trusted WiFi. |
Confirm Shared Secret | Re-enter the <RADIUS Shared Secret> from Trusted WiFi. |
Click on OK at the bottom of the screen to save the RADIUS Accounting configuration.
Warning
If the ZoneDirector controller is behind a Nomadix Gateway, the address, port, and shared secret settings will be associated with the gateway.
Passpoint (Hotspot 2.0)
Click on the Services & Profiles > Hotspot 2.0 Services on the left of the screen to display the page below:
Under Service Provider Profiles, click on Create New to display the page below:
Enter a name and optional description for this Service Provider profile.
Under NAI Realm List, click Create New to display the page below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Name | Enter the NAI realm name. |
Encoding | Select the appropriate encoding type from the drop-down list. |
EAP Method | Select EAP-TTLS from the drop-down list. |
Click Done to display the page below:
Under the Domain Name List, click Create New to display the page below and enter the Domain Name:
Click Save to save the Domain Name.
Repeat this step for any additional Domain Names that need to be added:
Click on OK to save the Service Provider profile.
Under the Operator Profiles, click Create New to display the page below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Name | Enter the name of the Operator Profile (provided by the installer). |
ASRA Options | Leave unchecked. |
Internet Option | Enable this checkbox. |
Access Network Type | Select Free Public from the drop-down list. |
IP Address Type | Select the appropriate IPv4 & IPv6 Address from the drop-down list. |
Under the Operator Friendly Name, click on Create New, select English and enter a Name followed by Save.
Select the Service Provider by clicking the checkbox corresponding to the desired name:
Click OK to save the configuration.
Wi-Fi Network
To create the Hotspot 2.0 WLAN SSID, click on Wireless LANs on the left of the screen to display the page below:
Note
The example above already shows 4 defined WLAN Groups, so the Hotspot WLAN Group will be used.
Click on Create to display the page below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
General Options | |
Name | Enter the customer SSID name. |
ESSID | Enter the customer ESSID name. |
Description | Enter an optional description. |
WLAN Usages | |
Type | Select the Hotspot 2.0 radio button. |
Hotspot 2.0 Operator | Select the operator that you have previously configured from the drop-down list. |
Authentication Server | Select the Authentication server that you have previously configured from the drop-down list. |
Scroll down to the bottom of the screen to display the page below:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Authentication Options | |
Method | Select the 802.1x EAP radio button. |
Fast BSS Transitions | Enable the 802.11r FT Roaming checkbox. |
Authentication Server | Select the Authentication Server you have already configured from the drop-down list. |
Encryption Options | Leave the default enabled. |
Scroll down to the bottom of the screen to display the Advanced Options:
Complete the fields, as per the description below:
Field | Description |
|---|---|
Wireless Client Isolation | Enable the "Isolate wireless client traffic from other clients on the same AP" checkbox. |
Whitelist | Add the desired whitelist by clicking the Create New button. |
Accounting Server | Select the Accounting Server you have configured from the drop-down list. |
Scroll down to the bottom of the screen to display the following options:
Set the Access VLAN to 1006 and click OK to save the configuration.
NAS ID
To configure the NAS ID, log into the ZoneDirector controller via the CLI and enter the following commands:
Commands:
    Please login: admin
    Password:
    Welcome to the Ruckus Wireless ZoneDirector 1200 Command Line Interface
    ruckus> en
    ruckus# conf
    You have all rights in this mode.
    ruckus(config)# wlan [customer SSID]
    The WLAN service '[customer SSID]' has been loaded. To save the WLAN service, type 'end' or 'exit'.
    ruckus(config-wlan)# nasid-type user-define <WORD>
    ruckus(config-wlan)# called-station-id-type wlan-bssid
    ruckus(config-wlan)# exit
Where WORD is the NAS ID.