While the ZoneFlex solution certainly eases WLAN deployment and management for less technical shops, Ruckus has truly set a high bar for innovation on the client side. Ruckus’ ZeroIT feature truly makes it simple to deploy the strongest levels of wireless security, allowing customers to deploy WPA2 using either certificate-based authentication or dynamically pre-shared keys with a minimum of administrator interaction needed on the client machines—as long as the clients are running Windows XP with SP2.

Users configure their wireless security by first plugging into the wired network, where they log into the ZoneDirector, then download a client configuration applet. The applet ensures the client is running Windows XP with SP2, then automatically configures operating system’s integrated wireless supplicant with the appropriate network and encryption settings.

I did notice that the applet does not check for Microsoft’s Wi-Fi Protected Access 2/Wireless Provisioning Services Information Element (Microsoft KB 893357), a patch that adds WPA2 support to Windows XP, and that is required to enable ZeroIT to work properly.

While administrators can choose to pass through authentication requests to an existing RADIUS server or an Active Directory, ZeroIT requires users to authenticate to the local authentication server in the ZoneDirector. Still, using ZeroIT was absolutely the easiest way I’ve seen to deploy enterprise-grade, certificate-based wireless security, as the applet includes a certificate to client machines to use EAP-TLS. End users will need to be walked through a Windows Certificate installation wizard to complete the setup—a potentially daunting step for some users, even if the wizard only requires the user to click through the default settings to get the wireless network running.

IT administrators may instead opt for ZeroIT using Ruckus’ DynamicPSK, which automatically generates a unique pre-shared key for each user. In an ordinary PSK (pre-shared key) secured network, everyone would use the same key—meaning that every computer would need to be reconfigured when the key is changed. With DynamicPSK, each user has their own key, and administrators can easily configure the key expiry interval for each user, thereby creating an automated, periodic, key rotation.

Each user’s pre-shared key appears to be tied to both the client computer and the wireless adapter itself, as in tests I found I could not successfully install the applet on a PC other that the one from which I generated the applet, nor could I use a different wireless adapter in the same PC.

802.11n Support

With firmware release 3.0.1.0 build 109, Ruckus also added 802.11n support into the ZoneFlex solution. With that release, I could join and manage a new ZoneFlex 7942 802.11n access point ($699) to my ZoneFlex network in the same manner as legacy APs. In ZoneDirector, the only management difference for 802.11n was an additional field that allowed me to define whether the 11n AP utilized a standard 20 MHz channel or a wide 40 MHz channel.

Although most business-class 802.11n solutions operate in both the 2.4 GHz or 5 GHz bands, the ZoneFlex 7942 only operates in the 2.4 GHz band. Customers that want to reduce the potential for interference may therefore opt to stick with standard 20 MHz channels, which will limit their network’s top-end performance. Indeed, in my preliminary performance tests, which I conducted amid the over-saturated RF in our downtown San Francisco offices, I could only squeeze a maximum of around 80 Mbps out of the ZoneFlex 7942--adequate numbers for an 802.11n solution, but far from the best I’ve seen.