6

Our current 802.11 setup has a large number of SSIDs to segregate traffic by subnet. This isn't ideal, and I've been attempting to consolidate to a single SSID but use dynamic VLANs instead.

This is on a Ruckus Zonedirector 3000 and Microsoft NPS as the RADIUS server.

My test clients connect to the SSID, and are prompted for credentials. I can see the credentials accepted on the NPS server, and wireshark confirms the Access-Accept message contains the Tunnel-Private-Group-ID value for the desired VLAN.

At this point the client stalls trying to get a DHCP lease. The DHCP server is working, as these are existing scopes and subnets and I can connect a wired client into the switch on an access port for the same vlan and get a lease.

Wireshark shows no DHCP broadcast request from the client at all.

The switchport for the AP is a trunk, with the VLAN tagged and allowed.

Any assistance would be greatly appreciated! Rob

Mike Pennington
  • 29,876
  • 11
  • 78
  • 152
Network Canuck
  • 513
  • 5
  • 12
  • Does your capture also show the Tunnel-Type and Tunnel-Medium-Type attributes in addition to the Tunnel-Private-Group-ID? – YLearn Oct 12 '13 at 06:15
  • Yes, all three of the required attributes are showing in the packet capture. – Network Canuck Oct 15 '13 at 16:47
  • I've also tested without dynamic VLAN, using a static VLAN for the test WLAN. Clients are able to connect and receive a DHCP assignment for the correct VLAN. The full DHCP exchange is seen in Wireshark. – Network Canuck Oct 15 '13 at 17:28

1 Answers1

4

I found the answer here:

http://forums-archive.ruckuswireless.com/forums/8/topics/1278

NPS does not return AD group memberships back to the ZoneDirector without setting a vendor-specific attribute on NPS. A role has to be configured for each group on the ZoneDirector and a network policy has to be configured for each group on NPS.

This seems rather redundant as I've already got authorization and vlan assignment happening on NPS, why would the ZoneDirector also require a role to authorize access to the specified WLAN? Oh well at least it works now.

Network Canuck
  • 513
  • 5
  • 12