
25 Messages

 • 

372 Points

Wed, May 5, 2021 5:06 PM

Setup 802.1x on WiFi network using Ruckus Cloud

Hi all,

I am trying to get 802.1x working on our ICX switches and on our WiFi. 

All switches and APs / WiFi networks are managed in Ruckus Cloud.

I have configured a test wireless network for Enterprise AAA (802.1x), and have a RADIUS server setup (Windows 2019 with the NPS role). 

When I try to connect to the WiFi network, I get prompted for my username and password, but I don't get past that, and cannot connect.

I am completely new to this; is there any testing tool or tips that might help?

I have added all our APs as RADIUS clients in the NPS server, and have double checked the shared secret.

I have created a basic Network Policy in the NPS server; grant access to domain users, Microsoft PEAP w/ MS-CHAP-v2. Nothing special... just trying to get username/password auth to connect to the WiFi.

When trying to connect from a laptop, I get prompted for username and password, but cannot successfully auth. Pretty much same behavior if trying from a domain joined laptop or a non domain joined laptop.

Any tips are much appreciated!

Responses

Accepted Solution

25 Messages

 • 

372 Points

5 m ago

So, a little embarrassing, but it looks like stuff started working once I set the local Windows firewall on the NPS server to allow all incoming connections. 

This is strange because - when installing / configuring the NPS role - the corresponding allow rules were automatically created (I had double checked that a few times while working through this process). So, maybe there is some port requirement other than UDP 1812, 1645, 1813, 1646... and TCP 135 and RPC Dynamic Ports...

Anyone run into this before?

Thanks!

Official Rep

 • 

1.2K Messages

 • 

16.7K Points

Hi David,

Good to know that it's working now!

I have not seen a similar issue; maybe Windows Server experts can give more insights on this.

For Cloud Analytics, are you still getting the error? If yes, could you please try to create a new test venue and see if the error goes away on Analytics?


Regards,

Syamantak Omer

25 Messages

 • 

372 Points

Analytics is working - and finding client info helped - I was able to see my test laptop connect and try to do PEAP, and that the RADIUS server was not responding.

However it seems that there is some delay in when data is visible in analytics... is this normal? 12-24 hours?

Thanks,

Official Rep

 • 

1.2K Messages

 • 

16.7K Points

Hi David,

I am glad to know that both issues have been fixed!

Yes, on a new account, there could be some delay but not 12-24 hrs.

Wait for some time, as Analytics seems to have started getting data only recently (you were getting an error yesterday on the GUI, and that was mostly because the connection profile was not created correctly).


Regards,

Syamantak Omer

Official Solution

Official Rep

 • 

1.2K Messages

 • 

16.7K Points

5 m ago

Hi David,

Please check and make sure the auth method (EAP - PEAP) has a certificate mapped to it, else auth will not work.

If still facing the issue, check Event Viewer >> Custom Views >> Server Roles >> Network Policy And Access Service >> Review the most recent authentication attempt. It will give you more info, like whether the request is even reaching the server and hitting the correct policy, what the reason for the auth failure is, etc.

To see the complete picture, we need to review and collect information from below points.

  1. Radius policy should be configured correctly with a certificate in auth method.
  2. Radius server profile on Cloud should be configured correctly.
  3. Make sure the shared secret is the same on both sides, on Cloud and on Radius server.
  4. Make sure AP IPs are added to radius client list on Radius Server.

For troubleshooting:

  1. Set up packet capture on the AP where the test client is connecting.
    - Select AP on cloud GUI >> Click on More Action >> Test Connection >> Packet Capture >> Set "Capture Interface" to "Wired" and start capture when client is ready to connect.
  2. Set up and run Wireshark on the NPS server, and set the filter for the AP IP address to filter the traffic coming from radius server.
  3. Now connect the client and try 2-3 times so that you have more captures for review.
  4. After 2-3 failures, stop captures on AP and on radius server side.
  5. Save captures from AP, radius server and review all to see the connection flow.
    - AP capture
    - Server capture
    - Server event logs.

In parallel, if Cloud Analytics is working, it can also show you the complete client connection flow and can pinpoint the failure.

If still facing the issue, open a case with support for further help.
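
An added example, not part of the original post and not Ruckus or Microsoft tooling: once the AP and NPS captures from the steps above are saved, pairing each RADIUS Access-Request with its reply by identifier shows whether the server answered at all. The packets below are constructed samples and the IP addresses are placeholders, not values from this thread.

```python
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLIES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

def parse_radius(payload):
    """Return (code, identifier) from a RADIUS UDP payload, or raise ValueError."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= min(len(payload), 4096):
        raise ValueError("bad length field")
    return code, ident

def unanswered_requests(packets):
    """packets: (src_ip, dst_ip, udp_payload) tuples in capture order.
    Returns [(ap_ip, server_ip, identifier, attempts)] for requests with no reply."""
    pending = {}
    for src, dst, payload in packets:
        try:
            code, ident = parse_radius(payload)
        except ValueError:
            continue  # not RADIUS, or truncated in the capture
        if code == ACCESS_REQUEST:
            key = (src, dst, ident)
            pending[key] = pending.get(key, 0) + 1  # retransmits reuse the identifier
        elif code in REPLIES:
            pending.pop((dst, src, ident), None)  # reply travels server -> AP
    return [(ap, srv, ident, n) for (ap, srv, ident), n in pending.items()]

def build_radius(code, ident):
    """Constructed sample packet: header plus zeroed authenticator, no attributes."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample capture (placeholder addresses)
NPS, AP1, AP2 = "10.0.0.5", "10.0.0.21", "10.0.0.22"
SAMPLE = [
    (AP1, NPS, build_radius(ACCESS_REQUEST, 7)),
    (AP2, NPS, build_radius(ACCESS_REQUEST, 8)),
    (NPS, AP2, build_radius(ACCESS_CHALLENGE, 8)),
    (AP1, NPS, build_radius(ACCESS_REQUEST, 7)),  # retransmit
    (AP1, NPS, build_radius(ACCESS_REQUEST, 7)),  # retransmit
    (AP1, NPS, b"\x01\x02"),                      # truncated, skipped
]

if __name__ == "__main__":
    for ap, srv, ident, n in unanswered_requests(SAMPLE):
        print(f"{ap} -> {srv} id={ident}: {n} Access-Request(s), no reply")
```

Requests that show up in the AP capture but not in the server capture point to the network path; requests that reach the server capture yet get no reply and leave no NPS event point to the server itself, such as its host firewall or the NPS service.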


25 Messages

 • 

372 Points

Thanks for the detailed reply;

Regarding the first part - yes - there is a certificate mapped for PEAP

When looking at the NPS Event Log, I only see some logs from when I was initially trying to add the APs (had initially deployed Windows Server Standard, and was trying to add APs using CIDR... had to upgrade edition to Datacenter to do that :))

I don't see any authentication attempts in the NPS event log at all.

As for making sure the RADIUS server is configured correctly in the Cloud, there is nothing else aside from defining it in the WiFi network setup, correct?

Shared secret is the same, and all AP IP addresses have been added. Again, added using CIDR, but maybe I will try adding individually to see if that makes a difference.

I was looking around in Analytics, but I don't see any reference to the failed connection / auth attempts from my laptop and another test laptop I have. So, not sure if I am not looking where I should be.

I will look at doing a packet trace also.

Thanks,

Official Rep

 • 

1.2K Messages

 • 

16.7K Points

If you are not seeing any logs in Event Viewer, check the connectivity between the AP and the radius server.

For server config on Cloud, it is only available under WLAN settings.

On Analytics, you will see a search box on top, just put the failing client MAC address and search for it.

Regards,

Syamantak Omer

Official Rep

 • 

1.2K Messages

 • 

16.7K Points

Hi David,

If you can please open a support case and confirm the case number, we will be happy to assist you.

Or

Could you please enable support on your Cloud account.


Regards,

Syamantak Omer

1 Message

 • 

60 Points

5 m ago

Hello,

You probably already checked this document

https://docs.cloud.ruckuswireless.com/GUID-9A510A48-02AA-4A4C-AE75-9EED90BC7A4C.html

It gives an extended walkthrough on the where and why

Below video also gives a decent step by step on the Ruckus side

https://www.youtube.com/watch?v=vjecA51ySq0

As for the NPS side, I am sorry, not sure...


25 Messages

 • 

372 Points

Yes - I am going off of that document and video as well... no joy yet though...

Thanks!

Employee

 • 

44 Messages

 • 

1K Points

What is the client troubleshooting showing, in the Analytics section? In a .1x scenario, the AP acts as the authenticator/proxy and the auth flow does not travel to the cloud controller. Are the APs' IPs allowed by the radius server? Cheers - Phal

25 Messages

 • 

372 Points

Thanks - I hadn't thought of looking at the Analytics in Ruckus Cloud...

I am there now, but apparently there is an issue with Analytics.... none of the widgets are loading... getting:

"Network error: Response not successful: Received status code 500"

on all widgets.

1 Message

 • 

60 Points

David, for the NPS side, a log analyser would help show you if the requests are even hitting the Radius server and if so, why they are failing. I'm working through a similar issue monitoring the NPS logs using https://www.deepsoftware.com/iasviewer/ (it's free and has a portable app which doesn't require installation).

25 Messages

 • 

372 Points

Thanks - I'll check that tool out!
