Before getting started, verify that you have installed Microsoft SQL Server and RG-SMP, and started the SMP service correctly.
For database and SMP installation, see the RG-SMP Installation Guide and the RG-SMP Database Installation and Maintenance Guide.
When you complete SMP installation and start the SMP service successfully, visit the SMP web UI at http://ServerIP:8080/smp or https://ServerIP:8443/smp. The default username is “admin” and the password is “111111111”.
Note: Use IE 8.0 or above in compatibility mode. Firefox and Chrome may have compatibility issues.
It is recommended to change the password when you log in. Click “Change Password” in the top right of the web UI.
The menu is on the left side, as shown. It includes three main components: Authentication & Authority, System Maintenance and Log Audit.
In the middle of the window is System Status.
Under the System Information is the Online User Trend in 24 hours.
Click System Status in the upper right corner to view Current System Status. Usually, it displays Normal as shown in the diagram below, which indicates that SMP works properly.
If it displays Abnormal as shown in the diagram, something is wrong; click See Details to check.
The RG-SMP supports Microsoft SQL Server 2005, SQL Server 2008 and SQL Server 2012 as the background database. The installation steps for the latter two are described below.
The operation of the RG-SMP system requires a background database. If you use Microsoft SQL Server 2008, you must install the Microsoft SQL Server 2008 Enterprise Edition.
SQL Server 2008 is a large database server from Microsoft. This section describes the software and hardware configuration requirements for installing the SQL Server 2008 Enterprise Edition, the detailed installation steps and notes.
1) Insert the CD of SQL Server 2008 Enterprise Edition and click setup.exe. A message is displayed asking whether to install the .NET Framework. Click OK.
2) After automatic installation, the following interface is displayed.
3) Click Installation > New installation or add features to an existing installation.
4) Click OK.
5) Click Next.
6) Tick I accept the license terms, and click Next.
7) Click Install.
8) Click Next.
9) Click Next.
10) Tick the components you need as shown in the following figure, and then click Next.
11) Click Next.
12) Choose Default instance, and then click Next.
13) Click Next.
14) Choose NT AUTHORITY\SYSTEM from the Account Name drop-down list.
15) Choose NT AUTHORITY\SYSTEM for the three services as shown in the figure below.
16) Choose the Collation tab.
17) Configure collation. Make sure that the configuration is done exactly as shown in the following figure; otherwise the SMP cannot run properly.
18) Click Next.
19) Configure a user account and a password.
20) In the Data Directories tab, you can use the default configuration. If the default drive space is insufficient, choose another drive.
21) In the FILESTREAM tab, configure as shown in the following figure. Click Next.
22) Click Next.
23) Click Next.
24) Click Next.
25) Click Next.
26) The installation is complete. Click Close.
27) Double-click the SP1 patch, and click Next.
28) Tick I accept the license terms, and click Next.
29) Click Next.
30) Click Next.
31) Click Update.
32) Click Next.
33) The installation is complete. Click Close.
1) Double-click the setup.exe file, and the following interface is displayed.
2) Click Installation > New SQL Server stand-alone installation or add features to an existing installation.
3) Click OK.
4) Click Next.
5) Tick I accept the license terms, and click Next.
6) Keep the default setting, and click Next.
7) Click Next.
8) Click Next.
9) Tick the components you need as shown in the following figure, and then click Next.
10) Click Next.
11) Choose Default instance, and then click Next.
12) Click Next.
13) Choose Browse from the Account Name drop-down list.
14) Click Advanced.
15) Click Find Now, and then choose the Administrator user.
16) Click OK.
17) As shown in the following figure, choose Administrator for the five services, and input the system login password as the password.
18) Choose the Collation tab.
19) Configure collation. Make sure that the configuration is done exactly as shown in the following figure; otherwise the SMP cannot run properly.
20) Click Next.
21) Configure a user account and a password.
22) In the Data Directories tab, you may use the default configuration. If the default drive space is insufficient, you may choose another drive.
23) In the FILESTREAM tab, configure as shown in the following figure. Click Next.
24) Click Next.
25) Click Next.
26) Click Next.
27) Click Next.
28) Click Next.
29) Click Install.
30) The installation is complete. Click Close.
31) Double-click the SP1 patch, and click Next.
32) Tick I accept the license terms, and click Next.
33) Click Next.
34) Click Next.
35) Click Update.
36) Click Next.
37) The installation is complete. Click Close.
In this section, you will learn how to back up the database.
Go to System Maintenance > Database Maintenance. By default, auto backup is enabled and the schedule runs at 4:00 in the morning every day. You can set the removal period after which database backups are removed automatically.
Click Backup Immediately to back up the current database, then browse and save it to a local disk.
The SMP license is a red USB dongle that looks like a USB drive. Plug the USB dongle into the SMP server before starting the SMP service. SMP checks for the USB dongle at first startup and every 30 minutes while it is running. The SMP service will stop if the USB dongle is missing.
Click System Status in the top right of the SMP web UI to display the license status.
In this section, you will learn the most recommended SMP solutions for users in enterprise, education, and other industries, for both wired and wireless networks. The SMP solutions mainly include 802.1x authentication, web authentication, MAC authentication, Guest Authentication and Windows AD integration, which cover most practical scenarios.
As shown in the diagram above, this is a typical enterprise network. Authorized wired users and devices, such as personal computers, laptops, printers, IP phones and IP cameras, are able to access the Intranet and Internet. Unauthorized wired users and devices, such as personal home devices and guests, are not able to access any resources or impact the production network at all.
You will learn three authentication methods for wired access:
- 802.1x Authentication
- MAC Authentication
- Web Authentication
802.1x Authentication allows users to access the network by verifying their username and password. For more information about the IEEE standard 802.1x protocol, see the Ruijie Wireless configuration guide or the Ruijie Switch configuration guide.
There are three components in 802.1x Authentication.
- SMP server (RADIUS Server)
- Access switch (NAS, Network Access Server)
- Computer with Ruijie SA Client (Security Agent)
In this example, we are using a Ruijie Gigabit Switch S2928G-E with software version 10.4(2b12)p6 as the Access Switch, and Ruijie Security Agent software version V1.60.
Note: A third-party access switch that supports the IEEE standard 802.1x protocol is also applicable.
Enable SNMP on the access switch and set the read & write community string to “ruijie”.
snmp-server community ruijie rw
snmp-server host 172.29.2.11 traps Ruijie
snmp-server enable traps
Edit the SMP device template first: go to Authentication & Authority > Device > NAS Configuration Templates, modify Ruijie Wired Device, and set the parameters as below.
Identity Authentication Key is used for the RADIUS Server.
Web Authentication Key is used for the Web Portal.
Note: The Web portal key is not used in 802.1x authentication; we configure it here in advance for the Web authentication that follows.
SNMP community is used for SNMP management.
Click Modify when the settings are complete.
Go to Authentication & Authority > Device > Add, input the NAS IP address, and select the Device Template. The system will get the relevant information via SNMP automatically. Click Add to finish.
Go to Authentication & Authority > User > Add and fill in the required fields. Here we create a user named “Henry” and put it into Default User Group. Common User indicates that it is an SMP local user account.
aaa new-model
aaa accounting update
aaa accounting network For1x start-stop group radius
aaa authentication dot1x For1x group radius
radius-server host 172.29.2.11 key ruijie
dot1x accounting For1x
dot1x authentication For1x
interface GigabitEthernet 0/21
dot1x port-control auto
For more information about how to install SA, see Appendix > SA.
Open SA, input the username and password, and click Connect.
Authentication succeeds.
Go to SMP > Authentication & Authority > Online User; you can see that Henry is online now.
Go to the access switch and execute the command “show dot1x summary”; the port status is authenticated.
MAC authentication is actually a kind of 802.1x authentication; the difference is that in MAC authentication, both the username and password are the device MAC address. MAC authentication is used for dumb devices which do not support 802.1x, such as printers, IP cameras, IP phones and so on.
There are three components in MAC Authentication.
- SMP server (RADIUS Server)
- Access switch (NAS, Network Access Server)
- Dumb devices
In this example, we are using a Ruijie Gigabit Switch S2928G-E with software version 10.4(2b12) p6 as the Access Switch.
Note: A third-party access switch that supports the IEEE standard 802.1x protocol is also applicable.
interface GigabitEthernet 0/21
dot1x port-control auto
dot1x mac-auth-bypass
Go to Authentication & Authority > MAC Terminal > Add, input the MAC address, and click Add.
Connect your printer to the network; it will pass authentication in a few seconds.
Go to SMP > Authentication & Authority > MAC Terminal; the printer is in connected status.
Go to the access switch and execute the command “show dot1x summary”; the username is the MAC address.
Web authentication is applicable to scenarios in which users do not install an additional client on their computers. When users try to access the network, the web authentication page pops up, and users input their username and password to pass authentication.
There are three components in Web Authentication.
- SMP server (RADIUS and Portal Server)
- Access switch (NAS, Network Access Server)
- Computer
In this example, we are using a Ruijie Gigabit Switch S2928G-E with software version 10.4(2b12) p6 as the Access Switch.
Note: Web Portal is a private protocol, so you should deploy Ruijie switches only; third-party switches have compatibility issues.
aaa new-model
aaa accounting update
aaa accounting network Forweb start-stop group radius
aaa authentication web-auth Forweb group radius
web-auth authentication v2 Forweb
web-auth accounting v2 Forweb
radius-server host 172.29.2.11 key ruijie
portal-server eportalv2 ip 172.29.2.11 url http://172.29.2.11:80/smp/commonauth
web-auth portal eportalv2
web-auth portal key ruijie
http redirect direct-site 172.29.7.254 arp
web-auth offline-detect flowidle-timeout 10 threshold 100
Note: Go to SMP > Authentication & Authority > Portal Settings > Tips to find the detailed URLs for the different methods.
interface GigabitEthernet 0/21
web-auth port-control
arp-check
Bypass the public resources that are allowed to be visited before Web authentication. For example, 192.168.5.1 is a Free Web Server.
http redirect direct-site 192.168.5.1
Bypass a specific IP that is exempt from Web authentication. For example, 192.168.4.12 is the IP address of the Department Manager.
web-auth direct-host 192.168.4.12 arp
Visit any HTTP site and you will be redirected to the Web authentication page, as in the diagram below.
Restriction: HTTPS web pages cannot be redirected.
Input the username and password and click Login. You will get the login success page.
Go to SMP > Authentication & Authority > Online User; you can see that Henry is online now.
Go to the access switch and execute the command “show web-auth user all” to display the online web users.
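The wired examples above use the same string, “ruijie”, as the SNMP read & write community, the RADIUS key and the Web portal key. The following check is an added example, not part of the original guide or of any Ruijie tool: it scans a switch configuration for those three shared secrets and reports guessable values, reuse across roles and an http:// portal URL. The rule names, the weak-word list and the 16-character minimum are assumptions chosen for illustration; the command syntax is taken from this page only.

```python
import re
from collections import defaultdict

# Constructed input: commands as they appear in this guide's wired examples.
SAMPLE_CONFIG = """\
snmp-server community ruijie rw
snmp-server enable traps
aaa new-model
radius-server host 172.29.2.11 key ruijie
portal-server eportalv2 ip 172.29.2.11 url http://172.29.2.11:80/smp/commonauth
web-auth portal eportalv2
web-auth portal key ruijie
"""

# Constructed input: the same three secrets, each distinct and long (placeholder values).
HARDENED_CONFIG = """\
snmp-server community EXAMPLE-snmp-7f3c9a1e55d0 rw
radius-server host 172.29.2.11 key EXAMPLE-radius-b81d4402c6fa
web-auth portal key EXAMPLE-portal-29e0c7715ab3
"""

# One capture group for the secret; the SNMP pattern also captures ro/rw.
SECRET_PATTERNS = [
    ("snmp-community", re.compile(r"^snmp-server community (\S+)(?:\s+(ro|rw))?\s*$", re.I)),
    ("radius-key", re.compile(r"^radius-server host \S+ key (\S+)\s*$", re.I)),
    ("portal-key", re.compile(r"^web-auth portal key (\S+)\s*$", re.I)),
]
URL_RE = re.compile(r"\burl\s+(\S+)", re.I)
WEAK_WORDS = {"ruijie", "public", "private", "admin", "password"}  # assumed list
MIN_LEN = 16  # assumed local policy, not a vendor requirement


def numbered(config):
    """Yield (line_number, stripped_line) for every non-empty line."""
    for no, raw in enumerate(config.splitlines(), start=1):
        if raw.strip():
            yield no, raw.strip()


def extract_secrets(config):
    """Return (role, value, line_number, writable) for each shared secret."""
    found = []
    for no, line in numbered(config):
        for role, pattern in SECRET_PATTERNS:
            m = pattern.match(line)
            if m:
                writable = role == "snmp-community" and (m.group(2) or "").lower() == "rw"
                found.append((role, m.group(1), no, writable))
    return found


def audit(config, min_len=MIN_LEN):
    """Return a list of (rule_id, line_number, message); secrets are never echoed."""
    findings = []
    roles_by_value = defaultdict(set)
    for role, value, no, writable in extract_secrets(config):
        roles_by_value[value].add(role)
        guessable = any(word in value.lower() for word in WEAK_WORDS)
        too_short = len(value) < min_len
        if guessable:
            findings.append(("GUESSABLE_SECRET", no, f"{role} contains a vendor or default word"))
        elif too_short:
            findings.append(("SHORT_SECRET", no, f"{role} is shorter than {min_len} characters"))
        if writable and (guessable or too_short):
            findings.append(("WRITABLE_SNMP_WEAK", no,
                             "read & write community is weak; it grants configuration access"))
    for no, line in numbered(config):
        m = URL_RE.search(line)
        if m and m.group(1).lower().startswith("http://"):
            findings.append(("CLEARTEXT_PORTAL", no, "portal login page is served over http://"))
    for roles in roles_by_value.values():
        if len(roles) > 1:
            findings.append(("SECRET_REUSE", 0, "one value shared by: " + ", ".join(sorted(roles))))
    return findings


if __name__ == "__main__":
    for rule, line_no, message in audit(SAMPLE_CONFIG):
        print(f"{rule:20} line {line_no}: {message}")
    print("hardened sample findings:", audit(HARDENED_CONFIG))
```

The same three values are entered in the SMP NAS Configuration Template (Identity Authentication Key, Web Authentication Key, SNMP community), so a change on the switch has to be mirrored there.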
As shown in the diagram above (Ag 1 means Aggregate Port 1), this is a typical wireless network. Staff are able to access the wireless network using their laptops, pads and mobile phones. SMP manages user accounts, authorities and other information.
In this section, you will learn three authentication methods for wireless access:
- Seamless 802.1x Authentication (BYOD)
- MAC Authentication
- Seamless Web Authentication (BYOD)
Note: Usually, the above three methods are applied to Staff. For guest users, see the following section, Authentication for Guest.
Why do we call it “Seamless”? Because of the perfect user experience it delivers. During seamless 802.1x authentication, you only need to input the username and password the first time you connect to the wireless network; after that, you can access the network seamlessly without ever entering them again.
There are three components in this authentication.
- SMP server (RADIUS Server)
- Wireless Controller (NAS) and Access Points
- Wireless Users (usually applied to Staff)
The commands below do not include basic wireless configurations; ensure your wireless network works properly before starting.
It is recommended to create a dedicated WLAN SSID for Seamless 802.1x authentication.
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
snmp-server community ruijie rw
snmp-server host 172.29.2.11 traps Ruijie
snmp-server enable traps
Edit the SMP device template first: go to Authentication & Authority > Device > NAS Configuration Templates, modify Ruijie Wireless Device, and set the parameters as below.
Identity Authentication Key is used for the RADIUS Server.
Web Authentication Key is used for the Web Portal.
Note: The Web portal key is not used in 802.1x authentication; we configure it here in advance for the Web authentication that follows.
SNMP community is used for SNMP management.
Click Modify when the settings are complete.
Go to Authentication & Authority > Device > Add, input the NAS IP address, and select the Device Template. The system will get the relevant information via SNMP automatically. Click Add to finish.
Go to Authentication & Authority > User > Add and fill in the required fields. Here we create a user named “Henry” and put it into Default User Group.
Common User indicates that it is an SMP local user account.
Go to SMP > Authentication & Authority > Authentication Settings > Authentication Parameters, and select PEAP_MSCHAP in the drop-down list of Preferred Wireless Authentication.
aaa new-model
aaa authentication dot1x For1x group radius
aaa accounting network For1x start-stop group radius
radius-server host 172.29.2.11 key ruijie
dot1x valid-ip-acct enable
ip dhcp snooping
Apply IP DHCP Snooping trust to the uplink port
interface AggregatePort 1
ip dhcp snooping trust
wlansec 2
security rsn enable
security rsn ciphers aes enable
security rsn akm 802.1x enable
dot1x accounting For1x
Take Windows 7 as an example: input the username and password the first time you connect to the wireless network, click “Connect” when the security alert prompts, and you will be online.
Go to SMP > Authentication & Authority > Online User; you can see that Henry is online now.
Go to the wireless controller and execute the command show dot1x summary; the port status is authenticated.
Move away from this wireless coverage, disconnect the wireless network, and then go back again. The wireless network will be recovered seamlessly.
MAC authentication is actually a kind of 802.1x authentication; the difference is that in MAC authentication, both the username and password are the device MAC. MAC authentication is used for wireless dumb devices that do not support 802.1x, such as printers, IP cameras, IP PDAs and so on.
There are three components in this authentication.
- SMP server (RADIUS Server)
- Wireless Controller (NAS) and Access Points
- Wireless dumb devices
The commands below do not include basic wireless configurations; ensure your wireless network works properly before starting.
It is recommended to create a dedicated WLAN SSID for MAC Authentication.
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
dot1x valid-ip-acct enable
ip dhcp snooping
Note: The above two commands are not required in MAC authentication.
wlansec 3
dot1x-mab
dot1x authentication For1x
dot1x accounting For1x
Go to Authentication & Authority > MAC Terminal > Add, input the MAC address, and click Add.
Connect your wireless dumb device to the wireless network; no username or password is required. The device will be in connected status without authentication.
Go to SMP > Authentication & Authority > MAC Terminal; the wireless camera is in connected status.
Go to the access switch and execute the command show dot1x summary; the username is the MAC address.
As with seamless 802.1x authentication (BYOD), the main goal of this solution is to improve the user experience of the wireless network. When you connect to a seamless web authentication network for the first time, you will be redirected to a web authentication page, where you need to input the username and password to pass authentication.
From the second time on, no web authentication is required any more; you will be in connected status directly.
In addition, seamless web authentication combines both common web authentication and MAC authentication.
There are three components in this authentication.
- SMP server (RADIUS and Portal Server)
- Wireless Controller (NAS) and Access Points
- Wireless Users (usually applied to Staff)
The commands below do not include basic wireless configurations; ensure your wireless network works properly before starting.
It is recommended to create a dedicated WLAN SSID for Seamless Web Authentication (BYOD).
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
aaa new-model
aaa accounting update
aaa accounting network Forweb start-stop group radius
aaa authentication web-auth Forweb group radius
aaa authentication dot1x For1x group radius
aaa accounting network For1x start-stop group radius
web-auth authentication v2 Forweb
web-auth accounting v2 Forweb
radius-server host 172.29.2.11 key ruijie
dot1x valid-ip-acct enable
ip dhcp snooping
Apply IP DHCP Snooping trust to the uplink port
interface AggregatePort 1
ip dhcp snooping trust
web-auth template web v2
ip 172.29.2.11
url http://172.29.2.11:80/smp/commonauth
web-auth portal eportalv2
web-auth portal key ruijie
http redirect direct-site 172.29.7.254 arp
web-auth offline-detect flowidle-timeout 10 threshold 100
Note: Go to SMP > Authentication & Authority > Portal Settings > Tips to find the detailed URLs for the different methods.
wlansec 4
web-auth portal web
web-auth accounting v2 Forweb
web-auth authentication v2 Forweb
dot1x-mab
dot1x authentication For1x
dot1x accounting For1x
Note: In wlansec 1, the 1 indicates the WLAN ID; your WLAN ID may not be 1.
Bypass the public resources that are allowed to be visited before Web authentication. For example, 192.168.5.1 is a Free Web Server.
http redirect direct-site 192.168.5.1
Bypass a specific IP that is exempt from Web authentication. For example, 192.168.4.12 is the IP address of the Department Manager.
web-auth direct-host 192.168.4.12 arp
Go to Authentication & Authority > Portal Settings and check the Enable Web Authentication box.
Enable enter username (Optional): if you check this box, only the password is required. You have to set the username and password to the same value in advance.
Go to Authentication & Authority > User Group, select Default User Group (because we put Henry into this group), and click Modify. Go to Behavior Restrict > Multi-Access Limit.
An Account can be used on maximum of [] terminals at the same time
As the name suggests, this value is the maximum number of your wireless devices allowed to log in simultaneously.
An account can register [] mobile terminals
This enables the feature in which SMP records and binds MAC addresses, up to this number, to user accounts when users log in to web authentication with their separate wireless devices for the first time. Once there is a MAC-to-Account binding, the MAC address becomes the credential, and the username and password are no longer required during authentication.
Note: The value should be less than or equal to the number set in “An account can be used on Maximum of [] terminal at the same time”.
For example, Henry has two wireless devices, his laptop and his mobile phone. The network administrator configures the parameters on SMP as shown above, so Henry is allowed to have both of his wireless devices online at the same time, and SMP records and binds the two MAC addresses to Henry's account, which means both wireless devices are authorized to do seamless Web Authentication.
Henry is not allowed to log in on a third wireless device because of the limit of 2 maximum terminals, and of course SMP will not record the MAC address of the third wireless device, because a maximum of 2 terminals is allowed to be recorded.
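The interaction of the two limits in Henry's example can be traced with a small model. This is an added example, not SMP code: the class and method names are hypothetical, the MAC addresses are constructed, and the decision order (bound-MAC lookup first, then the concurrent-terminal limit) is an assumption based on the description above.

```python
from dataclasses import dataclass, field


@dataclass
class GroupPolicy:
    max_online: int      # "An Account can be used on maximum of [] terminals at the same time"
    max_registered: int  # "An account can register [] mobile terminals"

    def __post_init__(self):
        # The guide's note: the registered value must not exceed the concurrent value.
        if self.max_registered > self.max_online:
            raise ValueError("registered terminals must not exceed concurrent terminals")


@dataclass
class SeamlessModel:
    policy: GroupPolicy
    bound: dict = field(default_factory=dict)   # MAC -> account (Mobile Terminal list)
    online: dict = field(default_factory=dict)  # MAC -> account (Online User list)

    def _count(self, table, account):
        return sum(1 for owner in table.values() if owner == account)

    def associate(self, mac):
        """Device joins the SSID: a bound MAC is accepted without a password."""
        account = self.bound.get(mac)
        if account is None:
            return "portal"  # unknown MAC: redirect to the web authentication page
        if self._count(self.online, account) >= self.policy.max_online:
            return "denied"
        self.online[mac] = account
        return "online-by-mac"

    def web_login(self, mac, account, credentials_ok, remember_me=True):
        """Portal login; credentials_ok stands for the result of the RADIUS check."""
        if not credentials_ok:
            return "denied"
        if self._count(self.online, account) >= self.policy.max_online:
            return "denied"
        self.online[mac] = account
        if remember_me and self._count(self.bound, account) < self.policy.max_registered:
            self.bound[mac] = account  # from now on the MAC alone is the credential
        return "online-by-password"

    def disconnect(self, mac):
        self.online.pop(mac, None)

    def unbind(self, mac):
        """Administrator removes a terminal from the Mobile Terminal list."""
        self.bound.pop(mac, None)
        self.online.pop(mac, None)


# Constructed, locally administered MAC addresses.
LAPTOP, PHONE, TABLET = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def henry_scenario():
    """Replay Henry's example with both limits set to 2; return outcomes and bound MACs."""
    smp = SeamlessModel(GroupPolicy(max_online=2, max_registered=2))
    steps = [
        smp.associate(LAPTOP),                 # first visit: no binding yet
        smp.web_login(LAPTOP, "Henry", True),
        smp.web_login(PHONE, "Henry", True),
        smp.web_login(TABLET, "Henry", True),  # third terminal while two are online
    ]
    smp.disconnect(LAPTOP)
    steps.append(smp.associate(LAPTOP))        # returns without typing a password
    smp.disconnect(PHONE)
    steps.append(smp.web_login(TABLET, "Henry", True))  # gets online, but is not recorded
    smp.disconnect(TABLET)
    steps.append(smp.associate(TABLET))        # so it must use the portal again
    return steps, sorted(smp.bound)


if __name__ == "__main__":
    outcomes, bound_macs = henry_scenario()
    print(outcomes)
    print(bound_macs)
```

Because a bound MAC address replaces the password, the Mobile Terminal list is effectively a credential store: removing a lost device there (unbind in this model) is what revokes its access.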
Connect to the wireless network, and the web authentication page pops up automatically. If it does not, visit any HTTP site to be redirected to the web authentication page. Input the username and password, check the Remember Me box, and click Login.
Note: HTTPS redirection is not supported.
Go to SMP > Authentication & Authority > Online User; you can see that Henry is online now.
Go to SMP > Authentication & Authority > User, select user Henry, and click Mobile Terminal to display the MAC addresses SMP has recorded and bound to this account.
You can also go to SMP > Authentication & Authority > Mobile Terminal to manage all MAC addresses SMP has recorded globally.
Move away from this wireless coverage, disconnect the wireless network, then go back again. The wireless network will be recovered seamlessly.
As shown in the diagram above (Ag 1 means Aggregate Port 1), this is a typical wireless network. SMP provides three solutions for Guest authentication.
In this section, you will learn:
- QR Code Authentication (BYOD)
- QR Code Card Authentication (BYOD)
- Exemption Authentication (BYOD)
QR Codes are more and more popular and widely used in our daily life. This solution combines web authentication and QR Codes and delivers a convenient way for guests to get wireless access. The guest connects to the wireless network and, as in common web authentication, is redirected to a web page which displays a QR Code. Once a staff member or receptionist scans the QR Code with their mobile phone, authentication succeeds.
There are four components in QR Code authentication:
- SMP (Portal and RADIUS Server)
- Wireless Controller (NAS) and Access Point
- Staff or Receptionist
- Guests
The configuration below does not include basic wireless settings, so ensure your wireless network works properly before starting. It is suggested to create a dedicated WLAN SSID for QR Code authentication (BYOD).
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
snmp-server community ruijie rw
snmp-server host 172.29.2.11 traps Ruijie
snmp-server enable traps
Edit the SMP device template first: go to Authentication & Authority > Device > NAS Configuration Templates, modify Ruijie Wireless Device, and set the parameters as below.
Identity Authentication Key is used for the RADIUS Server.
Web Authentication Key is used for the Web Portal.
SNMP community is used for SNMP management.
Click “Modify” when the settings are complete.
Go to Authentication & Authority > Device > Add, input the NAS IP address, and select the Device Template. The system will get the relevant information via SNMP automatically. Click Add to finish.
Go to Authentication & Authority > User Group > Add and create a new user group named Staff. Go to Behavior Restrict > Guest User Management Rights, check the box Allow guest to access network by scanning a QR Code, then scroll to the bottom and click Add.
Go to Authentication & Authority > User > Add and fill in the required fields. Here we create a user named “Scott”, put it into the user group Staff, and click Add.
Go to SMP > Authentication & Authority > Portal Settings and check the box Enable Guest Registration.
Check the box Enable Guest QR Code Registration.
aaa new-model
aaa accounting update
aaa accounting network Forweb start-stop group radius
aaa authentication web-auth Forweb group radius
web-auth authentication v2 Forweb
web-auth accounting v2 Forweb
radius-server host 172.29.2.11 key ruijie
dot1x valid-ip-acct enable
ip dhcp snooping
Apply IP DHCP Snooping trust to the uplink port
interface AggregatePort 1
ip dhcp snooping trust
web-auth template qrcode v2
ip 172.29.2.11
url http://172.29.2.11:80/smp/qrcodeservlet
web-auth portal eportalv2
web-auth portal key ruijie
http redirect direct-site 172.29.7.254 arp
web-auth offline-detect flowidle-timeout 10 threshold 100
Note: Go to SMP > Authentication & Authority > Portal Settings > Tips to find the detailed URLs for the different methods.
wlansec 5
web-auth portal qrcode
web-auth accounting v2 Forweb
web-auth authentication v2 Forweb
webauth
Bypass the public resources that are allowed to be visited before Web authentication. For example, 192.168.5.1 is a Free Web Server.
http redirect direct-site 192.168.5.1
Receptionist Scott should first be connected to the wireless network via either seamless 802.1x authentication or seamless web authentication. To verify the online status, go to SMP > Authentication & Authority > Online User; we can see that Scott is online now.
At this moment, a guest comes in and would like to use the wireless network. Scott should guide the guest to connect to the special QR Code wireless network.
When the guest connects to the QR Code wireless network, he will be redirected to the QR Code authentication page as shown in the diagram. If this does not happen, visit any HTTP site to be redirected to this authentication page.
Note: HTTPS redirection is not supported.
Then Scott opens the QR Code scanning app on his wireless device and scans the QR Code. Next, he sets the guest validity period and clicks Confirm.
Note: There are many kinds of QR Code scanner apps on the Android and iOS platforms.
The system prompts on Scott's wireless device that authentication succeeds.
Meanwhile, the system also prompts on the Guest's wireless device that authentication succeeds.
Go to SMP > Authentication & Authority > Online User; we can see that the Guest, marked as Scott's guest, is online now.
Go to the wireless controller CLI and execute the command “show web-auth user all”; Scott's guest is online now.
Compared with QR Code Authentication, QR Code Card is more flexible: staff might print their QR Code on their name card, then guide guests to scan the QR Code to access the network.
There are four components in a complete QR Code Card authentication:
- SMP (Portal and RADIUS Server)
- Wireless Controller (NAS) and Access Point
- Print QR Code somewhere
- Guests
The configuration below does not include basic wireless settings, so ensure your wireless network works properly before starting. It is suggested to create a dedicated WLAN SSID for QR Code Card authentication (BYOD).
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
Go to Authentication & Authority > User Group > Add and create a new user group named Staff. Go to Behavior Restrict > Guest User Management Rights, check the box Allow user to scan QR to authentication, then scroll to the bottom and click Add.
Note: Every user in this group has their own QR Code. Users can go to the SMP Self-Service system at http://smpIP:80/smp/selfservice to manage their own QR Code.
Go to Authentication & Authority > User > Add and fill in the required fields. Here we create a user named “Scott”, put it into Staff, and click Add.
Go to SMP > Authentication & Authority > Portal Settings and check the box Enable Guest Registration.
The Validity Period is the period during which the guest is allowed to access the wireless network. Once the time is up, the guest will be forced offline.
Check the box Guest scan QR Code to register.
User Group: Guests will be put into Default User Group once authentication succeeds. You can create a special group for guests, then configure special authority accordingly.
web-auth template qrcodecard v2
ip 172.29.2.11
url http://172.29.2.11:80/smp/qrcodecardservlet
web-auth portal eportalv2
web-auth portal key ruijie
http redirect direct-site 172.29.7.254 arp
web-auth offline-detect flowidle-timeout 10 threshold 100
Note: Go to SMP > Authentication & Authority > Portal Settings > Tips to find the detailed URLs for the different methods.
wlansec 6
web-auth portal qrcodecard
web-auth accounting v2 Forweb
web-auth authentication v2 Forweb
Visit the SMP self-service portal at http://172.29.2.11:80/smp/selfservice and log in.
Go to My Self-Service > QR Code card.
As shown in the diagram, Scott has his own QR Code. He might print it on his name card or anywhere convenient for guests.
You can regenerate the QR Code immediately or have it regenerated automatically at a set interval.
You can also limit the number of scans.
A guest comes in and would like to use the wireless network. The receptionist should guide the guest to connect to the special QR Code Card wireless network.
When the guest connects to the QR Code Card wireless network, the receptionist should guide the user to scan the prepared QR Code; the system then prompts on the Guest's wireless device that authentication succeeds.
Go to SMP > Authentication & Authority > Online User; we can see that the guest is online now, marked as Scott's guest.
Go to the wireless controller CLI and execute the command “show web-auth user all”; Scott's guest is online now.
Note: For iOS devices, an additional setting is required. Guests should select the detail setting, then disable Auto-Login before connecting to the wireless network. Otherwise, iOS might disconnect the wireless network once guests switch to the QR Code scanner app.
Exemption Authentication is the most convenient and fastest solution for Guests: as long as guests agree to the disclaimer, they can access the wireless network immediately.
There are four components:
- SMP (Portal and RADIUS Server)
- Wireless Controller (NAS) and Access Point
- Guests
The configuration below does not include basic wireless settings, so ensure your wireless network works properly before starting. It is suggested to create a dedicated WLAN SSID for Exemption Authentication (BYOD).
Note: Ruijie BYOD is a private solution, so you should deploy Ruijie wireless devices only; third-party devices have compatibility issues.
In this example, we are using a Ruijie Wireless Controller WS6108 and AP320-I with software version 11.1(5) B7.
Go to Authentication & Authority > User Group > Add and create a new user group named Exemption Guest. Click Add.
Go to SMP > Authentication & Authority > Portal Settings, check the box Enable Authentication-Exemption Rule For Web Users, then select the user group Exemption Guest.
Click Modify.
web-auth template exemption v2
ip 172.29.2.11
url http://172.29.2.11:80/smp/freeauthenservlet
web-auth portal eportalv2
web-auth portal key ruijie
http redirect direct-site 172.29.7.254 arp
web-auth offline-detect flowidle-timeout 10 threshold 100
Note: Go to SMP > Authentication & Authority > Portal Settings > Tips to find the detailed URLs for the different methods.
wlansec 7
web-auth portal exemption
web-auth accounting v2 Forweb
web-auth authentication v2 Forweb
webauth
When a guest connects to the wireless network, he is redirected to a web page stating the Disclaimer Rule. If not, visit any HTTP site to be redirected to the authentication page.
Note: HTTPS redirection is not supported.
Click Access if the guest agrees to the rule; authentication then succeeds.
Go to SMP > Authentication & Authority > Online User; a new record of the exemption user is displayed as shown below.
In this example, the network administrator can grant advanced authority to staff, allowing them to manage their own Guest, so that the Guest can access the network using the Wired and Wireless Authentication methods mentioned in previous sections (MAC Authentication is not applicable).
For detailed configuration, see User Self-Service Management in the following section.
SMP supports integration with multiple external identity servers; the most common one is Windows Active Directory. In this section, you will learn how to configure SMP and Windows AD integration.
- Currently, SMP supports integration with Windows Server 2008/R2 and 2012.
- The clients listed below are supported:
1. Web Authentication on Android, iOS, Windows Phone, Linux, MacOS, Windows.
2. Wireless 802.1x authentication on Android, iOS, Windows Phone, Linux, MacOS, Windows.
3. Wireless and wired 802.1x authentication on Windows with Ruijie Security Agent (SA).
- User login is supported in the formats below:
1. Username
2. Username@Domain Name
3. Domain name\Username
4. NetBios\Username
In this example, we are going to integrate SMP with Windows Server 2012 R2 Standard.
Go to AD Controller > Run > dsa.msc, open Active Directory Users and Computers, create a new user and put it into the Domain Users group.
In this example, we create a new user named smpadmin.
Reset password to Ruijie@SMP
Then assign it to the Domain Users group.
You might verify port status using TELNET.
The diagram indicates that port 389 is open.
For example, 172.29.2.12 is the AD controller IP address.
Launch a ping session on the SMP Server to verify. For example, FZ.RuijieIBD is the domain name.
Go to AD controller > Run > dsa.msc, create a computer named RG-SMP-Server.
Then go to Run > adsiedit.msc, reset the password to Ruijie@SMP. The password must be the same as that of the user created in Step 1.
Note: adsiedit.msc is an administrative tool available on Windows Server 2008 and later versions.
Go to SMP > Authentication & Authority > External Identity Center, check the box Enable External Identity Center. Switch to the tab Windows AD Domain.
Click Windows AD Domain Server; a new configuration window pops up. Click Add.
In this example, we divide it into multiple parts to explain how to fill in the required information.
- Input the AD Domain name, Primary AD controller IP address, Standby AD controller IP address (not required), and Domain Server Port (keep default).
- Input the SMP login User Name (the user created in Step 1) and Login password, check the box PEAP-MSCHAPv2 for 802.1x PCs, and input the PC Name (the computer created in Step 4). Then click Test Connection to verify.
This message indicates that the connection between SMP and the AD controller succeeds.
Next, we are going to synchronize Users and User Groups to SMP. SMP is capable of synchronizing Users in a User Group from AD. Synchronizing users in an OU (Organization Unit) is not supported.
In this example, we create a new User Group named BYOD.
Create a new user named Scott and assign this user to User Group BYOD.
Go to Other Info. In User Group Containing Auto Added Users, click Select User Group, and select Default User Group.
You might select another User Group in this option. This option takes effect only when Learn the user group during new user authentication is disabled; SMP will then put all users into this special user group.
Next, go to Identity Center Correlation Test, input username Scott and the password of the account we created previously, and click Identity Authen to verify.
As shown in the diagram, identity verification succeeds. Click Modify.
- Go back to Windows AD Domain settings.
Synchronization Interval for AD Domain User Info [] days.
By default, SMP synchronizes learned users every 7 days. This setting is actually designed for inactive users; active users trigger synchronization every time they authenticate.
Learn new users during authentication
When SMP and AD integration completes, SMP will not learn all users immediately; SMP learns a new user from AD only when that user launches an authentication request.
If this box is checked, SMP will learn the new user from AD and approve authentication even if the account does not exist in SMP before user authentication.
If this box is unchecked, SMP will not learn new users from AD and will only approve authentication for accounts that already exist in SMP.
Note: It is recommended to check this box.
Learn the user group during new user authentication
If this box is checked, SMP will automatically learn the user group from AD when there is a trigger, in the same way as it learns users as described above.
If this box is unchecked, SMP will not learn the user group, and will put learned users into the user group specified in User Group Containing Auto Added Users.
Note: As shown in the diagram, if you assign a user to multiple user groups, SMP only learns the top user group displayed in Member Of. In this example, SMP learns user group BYOD.
In addition, SMP cannot learn Primary Group.
In this example, SMP cannot learn user group BYOD if you set it as the Primary Group. SMP will learn BYODVisitor then.
Existing users update the user group automatically
If this box is checked, SMP will update the local user and user group mapping information automatically every time users launch authentication requests.
For example, Scott is at first assigned to user group Guest; SMP learns the new user and puts Scott into user group Guest. Some days later, the AD administrator reassigns Scott to user group BYOD; SMP will update the mapping information and put Scott into user group BYOD the next time Scott authenticates.
Note: It is recommended to check this box.
- Map AD attributes to SMP local attributes (Optional)
Click Modify when all the above settings are complete; the message below pops up. This message asks whether you would like to convert all current Common Users to Third Party Users.
There are three user types in SMP; you might go to SMP > Authentication & Authority > User > Add > User Type to view this option.
- Common User: SMP common local user; you can manage the user on SMP.
- Guest User: SMP local user; you can assign a Guest user to the Guest User Group only. All guest users expire after a period.
- Third party User: Users learned from a third-party server, like Windows AD, are classified as Third party users automatically. Third party users can be synchronized with the third-party server periodically. You can manage these users on the AD controller.
In this example, we click Cancel because SMP will learn new users from Windows AD.
SMP and AD integration is only about the USER SOURCE; before verification, you should be familiar with one of the AUTHENTICATION SOLUTIONs: Wired Authentication, Wireless Authentication or Authentication for Guest.
In this example, we are going to verify the integration function using Wireless Authentication > Seamless 802.1x Authentication (BYOD).
First, connect to the wireless network and input username Scott and the password.
We are using Windows 7.
Click Connect. Wait until authentication succeeds.
Go to SMP > Authentication & Authority > Online User; Scott is online now. Click View.
SMP has learned new user Scott and user group BYOD from AD FZ.RuijieIBD, and the user type is Third party User.
Go to SMP > Authentication & Authority > User; SMP has learned the new user.
Go to SMP > Authentication & Authority > User Group; SMP has learned the new user group.
Note: If user Scott has previously been created on SMP as type Common User, SMP prefers the local database and will not learn the new user from AD.
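The learning rules described in this section (the three checkboxes, the Member Of and Primary Group rule, and the Common User precedence) can be modelled as below to predict which local account and group a given AD user ends up with. This is an added example, not SMP code: all class, function and field names are hypothetical, AD is assumed to have already accepted the password, and two cases the page does not describe are marked as assumptions in the comments.

```python
from dataclasses import dataclass

COMMON, THIRD_PARTY = "Common User", "Third party User"

@dataclass
class AdUser:
    name: str
    member_of: list                  # groups in the order shown in "Member Of"
    primary_group: str = "Domain Users"

@dataclass
class AdSettings:                    # the three checkboxes plus the fallback group
    learn_new_users: bool = True
    learn_user_group: bool = True
    update_existing_group: bool = True
    auto_added_group: str = "Default User Group"

def group_to_learn(ad_user, cfg):
    """Group SMP would assign, following the rules described on this page."""
    if not cfg.learn_user_group:
        return cfg.auto_added_group
    for group in ad_user.member_of:
        if group != ad_user.primary_group:    # the Primary Group is never learned
            return group                      # only the top remaining entry counts
    return cfg.auto_added_group               # assumption: case not covered by the page

def authenticate(local_users, ad_user, cfg):
    """Outcome of one authentication request; local_users is updated in place.

    local_users maps username -> {"type": ..., "group": ...}.
    """
    account = local_users.get(ad_user.name)
    if account is None:
        if not cfg.learn_new_users:
            return "rejected: account does not exist in SMP"
        local_users[ad_user.name] = {"type": THIRD_PARTY,
                                     "group": group_to_learn(ad_user, cfg)}
        return "approved: learned from AD"
    if account["type"] == COMMON:
        return "local: Common User takes precedence, nothing learned"
    # Assumption: with group learning disabled, the stored group is left unchanged.
    if cfg.update_existing_group and cfg.learn_user_group:
        account["group"] = group_to_learn(ad_user, cfg)
    return "approved: existing Third party User"

def demo():
    """Scott is learned in group Guest, then reassigned to BYOD in AD."""
    users, cfg = {}, AdSettings()
    scott = AdUser("Scott", ["Guest"])
    first = authenticate(users, scott, cfg)
    scott.member_of = ["BYOD"]                # AD administrator reassigns Scott
    second = authenticate(users, scott, cfg)
    return first, second, users["Scott"]

if __name__ == "__main__":
    print(demo())
```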
Sometimes, the network administrator would like to control authorized users more strictly, for example, allow users in user group OFFICEROOM to access the network via the wired network with their own laptop only, and allow users in user group LOBBY to access the network via the wireless network with their mobile phone only.
To achieve this, SMP should be able to control the way (wired or wireless) users log in and bind IP and MAC addresses to user accounts.
In this example, we are going to configure Access Control.
Go to SMP > Authentication & Authority > User Group, select user group OFFICEROOM, click Modify.
Note: You need to create User Group OFFICEROOM first.
Switch to the tab Access Control. As shown in the diagram below, uncheck Enable Wireless Access to prohibit users from accessing the network via wireless.
When both User IP Verification and User MAC Verification are checked, SMP will verify the IP and MAC address upon user login.
Check When network information verification is enabled the server auto-learns the network binding information to make SMP learn the required information automatically upon first-time login.
Note: To auto-learn HD Serial Number Verification and IP Type Authentication, Ruijie SA is required.
To add binding information manually, go to Authentication & Authority > User, select the user and click Modify, then go to Add Network Binding list, as shown in the diagram below.
To display the existing binding information, go to Authentication & Authority > User, select the user and click View. Go to Network Binding List.
As shown in the diagram below, there is one binding entry for User Jay.
Note: By default, an account can be used on a maximum of one terminal simultaneously, so in this case SMP auto-learns a maximum of one binding entry. In the next section, Behavior Restrict, we will learn how to increase the maximum terminal limit on a single account.
There are many features in Behavior Restriction; in this section, you will learn the most common ones.
Go to SMP > Authentication & Authority > User Group, select user group OFFICEROOM, click Modify, and switch to the tab Behavior Restrict.
By default, one account can be used on a maximum of one terminal simultaneously. For example, Jay has a laptop and a mobile phone; if she logs in with her account on her laptop, she will get a failure error when she logs in with the same account on her mobile phone.
Note: To view login failure logs, go to Log Audit > Authentication Failure Logs.
To increase the maximum terminal number, input a bigger value in the first table.
Regarding An account can register [] mobile terminals, we have mentioned this feature in section Seamless Web Authentication (BYOD). By checking this box, SMP will learn the device MAC address and bind it to your account when you log in via WEB AUTHENTICATION. The value indicates the number of devices that SMP learns and binds.
Note: The value should be less than or equal to the value of An account can be used on Maximum of [] terminal at the same time.
In addition, there is an option that allows you to forcibly kick out the previously authenticated terminal and let the new terminal be authenticated. Go to SMP > Authentication & Authority > Authentication Settings > Authentication Parameters > When account logins exceed the limit.
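How IP/MAC verification, first-login auto-learning, the terminal limit and the kick-out option combine is easier to see in a small model. This is an added example, not SMP code: the names are hypothetical, the addresses are constructed, and learning bindings only while fewer than the terminal limit exist is an assumption drawn from the note about one binding entry.

```python
from dataclasses import dataclass, field

@dataclass
class GroupPolicy:
    verify_ip: bool = True
    verify_mac: bool = True
    auto_learn: bool = True          # learn the binding on first login
    max_terminals: int = 1           # terminals allowed at the same time
    mobile_terminals: int = 0        # "An account can register [] mobile terminals"
    kick_previous: bool = False      # "When account logins exceed the limit"

    def __post_init__(self):
        # The page requires mobile terminals <= maximum simultaneous terminals.
        if self.mobile_terminals > self.max_terminals:
            raise ValueError("mobile terminal count exceeds the terminal limit")

@dataclass
class Account:
    bindings: list = field(default_factory=list)  # (ip, mac) entries, learned or manual
    online: list = field(default_factory=list)    # MACs currently online, oldest first

def binding_ok(policy, account, ip, mac):
    """Verify the IP/MAC pair, learning it when auto-learn still has room."""
    if not (policy.verify_ip or policy.verify_mac):
        return True
    for b_ip, b_mac in account.bindings:
        if (not policy.verify_ip or b_ip == ip) and \
           (not policy.verify_mac or b_mac == mac):
            return True
    # No match: the first login(s) define the binding, later mismatches fail.
    if policy.auto_learn and len(account.bindings) < policy.max_terminals:
        account.bindings.append((ip, mac))
        return True
    return False

def login(policy, account, ip, mac):
    """Return the outcome of one login attempt and update the account state."""
    if not binding_ok(policy, account, ip, mac):
        return "rejected: IP/MAC does not match the network binding"
    if mac in account.online:
        return "accepted"
    if len(account.online) >= policy.max_terminals:
        if not policy.kick_previous:
            return "rejected: terminal limit reached"
        account.online.pop(0)        # force the earliest terminal offline
    account.online.append(mac)
    return "accepted"

if __name__ == "__main__":
    jay = Account()
    laptop = ("192.0.2.10", "02:00:00:00:00:01")   # constructed addresses
    phone = ("192.0.2.20", "02:00:00:00:00:02")
    print(login(GroupPolicy(), jay, *laptop))
    print(login(GroupPolicy(), jay, *phone))
```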
Offline Timer allows the network administrator to allocate a specific timer to a user group in which users have a limited online duration per authentication. Usually, this feature is combined with authentication for guests or paid users, like Exemption Authentication and QR Code Card Authentication.
There are three kinds of methods in Offline Timer.
Daily Timer
When the daily timer ends, users are forced offline and SMP puts the user account in suspended status, so the user cannot log in any more until the next day, when the account is recovered to normal status automatically.
You might also put the user account back to Normal manually. Go to Authentication & Authority > User > select the user and click Modify > Basic Information > User Status.
Note: When SMP forces a user offline, go to Log Audit > Authentication Failure Logs and Network Access Log to view system logs and verify.
Total timer
When the total timer ends, user accounts will be suspended or cancelled.
If Cancel is selected, the user will be forced offline and the account will be cancelled when the timer is up.
If Suspend is selected, the user will be forced offline and the account will be put in suspended status when the timer is up. You might recover it to normal status manually if required.
Note: When SMP forces a user offline, go to Log Audit > Authentication Failure Logs and Network Access Log to view system logs and verify.
Single Timer
When the single timer ends, users will be forced offline or accounts will be suspended.
If Offline is selected, the user will be forced offline, but the user is able to authenticate with the same account again.
If Suspend is selected, the user will be forced offline, then SMP puts this account in suspended status. After the holding time, SMP will put the account back to normal status automatically.
Note: When SMP forces a user offline, go to Log Audit > Authentication Failure Logs and Network Access Log to view system logs and verify.
This feature allows the network administrator to customize the time range in which users are prohibited from accessing the network.
In the example below, the rules allow users to access the network during work hours, 8:00 am – 18:00 pm. The time and time zone must be correct on your SMP Server.
Note: Just as the tip suggests, the customized message will be pushed only to users who have installed Ruijie SA.
SMP can push bulletin information to users when they are authenticated.
Note: This feature is applicable only for users who have installed Ruijie SA (Security Agent).
Go to Authentication & Authority > Bulletin Information, edit the bulletin information.
Bulletin Information URL: The specified web page will automatically pop up when users log in.
In this example, we are using Seamless 802.1x Authentication (BYOD) to verify; the bulletin information pops up as expected.
Usually, the network administrator would like to publish a disclaimer for end users before authentication. To enable the disclaimer page, go to Authentication & Authority > Portal Settings > Open Disclaimer Page and edit the disclaimer contents. Move to the bottom and click Modify when finished.
In this example, we are using Seamless Web Authentication (BYOD) to verify. After connecting to the wireless SSID and being redirected to the authentication page, users need to Agree Disclaimer before inputting username and password.
Note: This feature is applicable for Seamless Web Authentication (BYOD) only.
SMP allows users to manage their own account using the Self-Service Platform. In this example, you will learn the most commonly used features.
In the previous sections QR Code Authentication (BYOD) and QR Code Card Authentication (BYOD), we briefly mentioned self-service regarding QR Code management.
Visit the SMP self-service page at http://ServerIP/smp/selfservice .
By default, the self-service authority is disabled; the system will prompt you with the message shown below.
To enable self-service authority, go to Authentication & Authority > User Group > select a user group, click Modify > switch to the tab Behavior Restrict > Guest User Management Rights, and check any of the boxes listed below. In this example, we check all boxes for demonstration purposes.
- Allow user to scan QR to authentication: Mentioned in QR Code Card Authentication (BYOD) previously.
- Allow guest users to access network by scanning a QR Code: Mentioned in QR Code Authentication (BYOD) previously.
- Allow managing guest users on a Ruijie client: Users might manage guest users via Ruijie SA (Security Agent), as shown in the diagram below.
Note: For more information about SA, see Appendix > Ruijie Security Agent (SA).
- Allow managing guest users on a Ruijie Self-Service platform (registering users in common mode): Users might manage guest users via the Self-Service Portal, as shown in the diagram below.
- Allow managing guest users on a Ruijie Self-Service platform (registering users in SMS mode): SMS authentication is not covered in this manual.
The diagram below shows the homepage of the self-service portal. You can manage Guest and QR Code Card via this portal only.
In this section, you will learn the most common ways to troubleshoot your SMP.
Authentication failure is a common problem; it is recommended to go to Log Audit > Authentication Failure Logs and query the historical authentication failure logs.
If SMP prompts the cause of failure, like “The user account is suspended” or “User Name does not exist or password mistake”, follow the instruction to investigate further.
Note: If SMP prompts nothing, it is usually caused by a network issue; double check the configuration on the NAS device, and also check the connectivity between NAS and SMP.
Sometimes you might encounter unknown problems; it is suggested to read the SMP Installation Guide and Implementation Guide carefully and double check the configurations.
If you still cannot solve it, go to the SMP installation root path, for example D:\RG-SMP\log, copy the whole “log” folder, then submit a case on the Ruijie Service Portal with the log files attached. Remember to describe the issue in as much detail as you can so that the problem is easy to understand and the portal manager can solve it efficiently.
This example describes the usage of Ruijie Security Agent. You might find the SA installation package in the SMP matching materials. Currently, SA supports the operating systems below:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8/8.1
As shown in the diagram, this is the Ruijie SA icon. Double click the icon to open it.
Click the button outlined in red to open the settings window.
Select Language English.
The user interface is now in English.
SA can scan and recognize the Network Interface Cards on your computer. Select the correct NIC before authentication.
In this manual, SA is applied only for Wired 802.1x Authentication, so we select the wired NIC here.
Go through the section Wired Authentication > 802.1x Authentication first. Next, we are going to pass wired 802.1x authentication.
Input username and password.
(Optional) Click Save Password and Automatic.
(Optional) Click Configure.
You might allow SA to auto run after Windows login.
(Optional) You might enable Auto authentication when Windows domain login if it is a Windows AD scenario.
Note: You cannot enable both Auto run after Windows login and Auto authentication when Windows domain login simultaneously.
(Optional) Click more; you might enable using domain login account as certified account.
In this example, we are using SA to do Wired 802.1x Authentication.
Input username and password, click Connect to start authentication.
After authentication succeeds, you will see this window.
In the upper area, the menu contains Bulletin, Business, Information, Settings, Guest, and Diagnostics; you will learn some of the common components in the next section.
- Bulletin
System Message: The network administrator can propagate the System Bulletin to all SA. Go to Common Features > Bulletin Information to configure this feature.
Notify Message and Repair Message: The network administrator can also push a personal message to a specific SA. Go to SMP > Authentication & Authority > Online User > Select user > Issue Message or Patch.
The Issue Message or Patch window pops up; input the Patch URL (Optional) and Message, then click Issue.
On the SA side, a new message will pop up in the bottom right corner.
- Information
Click Information to obtain basic network information of your computer including the Operating System, IP address, Gateway, DNS Server and so on.
- Settings
You might change the settings in this component.
- Guest
Go to Common Features > User Self-Service Management > Allow managing guest users on a Ruijie client to study this component.