Back to Blog
Setup Guide March 2, 2026 8 min read

Ruckus RADIUS Setup Guide: Configure IronWiFi with Ruckus Wireless

Learn how to configure WPA2-Enterprise 802.1X authentication on CommScope Ruckus wireless controllers using IronWiFi Cloud RADIUS. This guide covers SmartZone, ZoneDirector, and Unleashed platforms with step-by-step RADIUS server setup, WLAN configuration, and troubleshooting.

To set up RADIUS for Ruckus wireless, create a Cloud RADIUS profile in IronWiFi with your authentication sources, then configure an AAA server on your Ruckus SmartZone or ZoneDirector controller pointing to the IronWiFi RADIUS server IP on port 1812 with the shared secret. Create a WLAN with 802.1X EAP security and assign the RADIUS authentication service. The controller forwards authentication requests to IronWiFi, which validates credentials and returns accept or reject decisions.

CommScope Ruckus is a widely deployed wireless platform known for its adaptive antenna technology and robust controller architecture. Whether you run SmartZone, ZoneDirector, or Unleashed APs, integrating an external RADIUS server enables enterprise-grade 802.1X authentication that goes far beyond pre-shared keys. This guide walks through connecting Ruckus wireless to IronWiFi Cloud RADIUS for secure, scalable network access control.

Why Use RADIUS with Ruckus Wireless?

Pre-shared keys work for small deployments, but they share a single password across every user and device. When an employee leaves or a device is compromised, you must change the password for everyone. RADIUS authentication eliminates this problem by giving every user or device a unique identity.

With RADIUS on Ruckus, you gain:

  • Individual user credentials - Every person authenticates with their own identity, ending shared password management
  • Certificate-based authentication - Deploy EAP-TLS to remove passwords entirely using device certificates
  • Dynamic VLAN assignment - Place users into different network segments based on their role, department, or device type
  • Centralized access control - Grant or revoke network access instantly from the IronWiFi console
  • Detailed audit trails - Know exactly who connected, when, and from which device
  • Identity provider integration - Authenticate against Azure AD, Google Workspace, Okta, or any SAML/LDAP directory

Prerequisites

Before starting the configuration, make sure you have the following in place:

  • Ruckus controller access - Admin credentials for SmartZone, ZoneDirector, or Unleashed web interface
  • IronWiFi account - Sign up for a free trial if you do not have one
  • Firewall access - Allow outbound UDP on ports 1812 and 1813 from your Ruckus controller/APs to IronWiFi server IPs
  • A test client device - Laptop or phone that supports WPA2-Enterprise

Controller vs. AP Communication

On SmartZone and ZoneDirector deployments, the controller sends RADIUS requests on behalf of the APs. On Unleashed deployments, the master AP communicates directly with the RADIUS server. Make sure the correct source IP (controller or AP) is registered in IronWiFi.

Step 1: Create a RADIUS Profile in IronWiFi

Start by configuring the RADIUS server side in IronWiFi. This creates the authentication endpoint that your Ruckus controller will send requests to.

  1. Log into the IronWiFi Console at console.ironwifi.io and navigate to Networks.
  2. Create a new Network by clicking Add Network. Give it a descriptive name (e.g., "Ruckus Corporate WiFi") and select the server region closest to your access points.
  3. Note the RADIUS server details that IronWiFi generates:
    • Primary server: 35.174.127.31
    • Secondary server: 44.199.225.113
    • Authentication port: 1812
    • Accounting port: 1813
    • Shared secret: YOUR_SHARED_SECRET
  4. Add your Ruckus controller source IP under the network's authorized clients. This is the public IP that your SmartZone or ZoneDirector uses for outbound traffic. For Unleashed, add the master AP's public IP.
  5. Configure authentication sources - Connect your identity provider (Azure AD, Google Workspace, Okta) or create local user accounts for testing.

Save Your RADIUS Credentials

Copy the RADIUS server IP, port, and shared secret somewhere secure. You will need these exact values for the Ruckus controller configuration. Even a single character mismatch in the shared secret causes authentication to silently fail.

Step 2: Configure AAA Server on Ruckus Controller

Now configure the Ruckus controller to point to your IronWiFi RADIUS server.

SmartZone Controller

  1. Log into the SmartZone web interface and navigate to Services & Profiles > Authentication.
  2. Click Create New to add an authentication service. Select RADIUS as the type.
  3. Enter the primary RADIUS server details:
    • IP Address: 35.174.127.31
    • Port: 1812
    • Shared Secret: YOUR_SHARED_SECRET
  4. Add the secondary RADIUS server for failover:
    • IP Address: 44.199.225.113
    • Port: 1812
    • Shared Secret: YOUR_SHARED_SECRET
  5. Under Accounting, enable RADIUS accounting and add the same server IPs with port 1813.
  6. Click OK to save the authentication service.

ZoneDirector Controller

  1. Log into the ZoneDirector web interface and navigate to Services & Profiles > AAA Servers.
  2. Click Create New. Set the type to RADIUS.
  3. Enter the IronWiFi server details: IP address, port 1812, and shared secret.
  4. Add a backup server with the secondary IronWiFi IP for redundancy.
  5. Click OK to save.

Unleashed APs

  1. Log into the Unleashed web UI. Navigate to Admin & Services > Services > AAA Servers.
  2. Click Create New. Enter the IronWiFi RADIUS server IP, port 1812, and shared secret.
  3. Save the configuration.

Shared Secret Must Match Exactly

The RADIUS shared secret configured on the Ruckus controller must match the secret in IronWiFi character-for-character, including case. A mismatch is the most common cause of authentication failures and produces no error message on the controller - requests simply time out.

Step 3: Create a WLAN with 802.1X

With the RADIUS server configured, create a WLAN that uses enterprise authentication.

  1. On SmartZone, navigate to Wireless LANs and click Create New. On ZoneDirector or Unleashed, go to Wi-Fi Networks.
  2. Set the SSID name to something users will recognize (e.g., "CorpNet-Secure").
  3. Under Authentication Type, select 802.1X EAP.
  4. Under Encryption, select WPA2 (or WPA3 if your clients support it).
  5. For the Authentication Server, select the IronWiFi RADIUS service you created in Step 2.
  6. Configure VLAN settings if you want dynamic VLAN assignment from RADIUS responses.
  7. Click OK to save. The WLAN will be deployed to the associated APs.

Dynamic VLAN Assignment

To enable RADIUS-based VLAN assignment on Ruckus, enable the "Dynamic VLAN" option on the WLAN configuration. In IronWiFi, configure three RADIUS attributes per user group: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802, and Tunnel-Private-Group-ID (81) = your VLAN ID. The VLANs must be trunked to the AP switch ports.

Step 4: Test Authentication

Before rolling out to all users, verify that the RADIUS configuration works correctly.

  1. On a test laptop or phone, search for the configured SSID and select it.
  2. When prompted, enter the username and password (for PEAP) or select the certificate (for EAP-TLS).
  3. On the first connection, you may be prompted to trust the server certificate. Accept it to proceed.
  4. Once connected, verify the assigned IP address is in the correct VLAN range.
  5. Check the IronWiFi authentication logs under Logs > Authentication to confirm the request was processed correctly.
  6. On the Ruckus controller, check Monitor > Clients to verify the client shows as authenticated via 802.1X.

Check Both Sides

Always verify authentication from both the Ruckus controller (Monitor > Clients) and the IronWiFi console (Logs). This confirms that requests are reaching the RADIUS server and that the response is being applied correctly by the controller.

Troubleshooting

Even with careful configuration, RADIUS integrations can run into issues. Here are the most common problems and how to resolve them.

RADIUS Timeout (No Response)

  • Firewall rules - Verify UDP ports 1812 and 1813 are open from the controller/AP subnet to the IronWiFi server IPs. Many corporate firewalls block outbound UDP by default.
  • Source IP mismatch - The public IP of your Ruckus controller must be registered as an authorized client in IronWiFi. For SmartZone, this is the controller management IP. For Unleashed, it is the master AP's public IP.
  • Wrong server IP - Double-check the RADIUS server IP on the Ruckus controller matches what IronWiFi provided.
  • Zone/domain mismatch - On SmartZone, ensure the AAA server is configured in the correct zone or system-level domain where your WLAN resides.

Authentication Rejected (Access-Reject)

  • Wrong credentials - Verify the username and password in IronWiFi. Authentication is case-sensitive.
  • Shared secret mismatch - Even one character difference causes the RADIUS server to reject the request. Re-enter the secret on both sides.
  • Disabled account - Check that the user account is active in IronWiFi and not blocked by a conditional access policy.
  • EAP method mismatch - Ensure the client is configured for an EAP method that IronWiFi supports (PEAP, EAP-TLS, EAP-TTLS).

VLAN Assignment Not Working

  • Dynamic VLAN not enabled - On the Ruckus WLAN settings, the Dynamic VLAN option must be turned on for the controller to honor VLAN attributes from RADIUS.
  • Missing VLAN attributes - All three tunnel attributes (64, 65, 81) must be present in the RADIUS response.
  • VLAN not trunked - The VLAN must be configured on the switch port connecting to the Ruckus AP.

Check Firewall Logs First

Most RADIUS integration failures are caused by firewall rules blocking UDP traffic between the Ruckus controller and the RADIUS server. Check your firewall logs for dropped packets on UDP 1812 before investigating other causes.

Ready to Secure Your Ruckus Network?

Set up Cloud RADIUS with IronWiFi in minutes. No on-premises servers required.

Start Free Trial Schedule a Demo

Trusted by 1,000+ organizations across 108 countries

Frequently Asked Questions

Yes. Ruckus SmartZone controllers fully support external RADIUS servers for 802.1X authentication. You configure the RADIUS server under Services & Profiles > Authentication, then assign it to a WLAN. SmartZone supports both primary and secondary RADIUS servers for failover, as well as RADIUS accounting.

Ruckus uses the standard RADIUS ports: UDP 1812 for authentication and UDP 1813 for accounting. These are the IETF standard ports and match IronWiFi's default configuration. Ensure your firewall allows outbound UDP traffic on these ports from the Ruckus controller or APs to the IronWiFi server IPs.

Yes. Ruckus Unleashed APs support external RADIUS servers for WPA2-Enterprise authentication. In the Unleashed web UI, navigate to Wi-Fi Networks, edit or create an SSID, select WPA2-Enterprise security, and add the IronWiFi RADIUS server IP, port, and shared secret. The Unleashed master AP communicates directly with the RADIUS server.

Enable VLAN pooling or dynamic VLAN on your Ruckus WLAN configuration. In IronWiFi, configure three RADIUS attributes for each user group: Tunnel-Type (64) set to VLAN, Tunnel-Medium-Type (65) set to IEEE-802, and Tunnel-Private-Group-ID (81) set to the desired VLAN ID. The Ruckus controller applies the VLAN from the RADIUS Access-Accept response.

RADIUS timeouts on Ruckus typically indicate a network connectivity issue between the controller and the RADIUS server. Check these common causes: (1) Firewall blocking UDP 1812/1813 outbound. (2) The Ruckus controller's source IP is not registered as an authorized client in IronWiFi. (3) Incorrect RADIUS server IP or shared secret. (4) If using SmartZone, verify the AAA server is in the correct zone or domain. Check IronWiFi authentication logs for rejected or missing requests.

Tags: Ruckus CommScope RADIUS 802.1X WPA-Enterprise Cloud RADIUS SmartZone Network Security