Hi everyone, I'm currently trialling Ruckus vSZ 126.96.36.199.222 with an R510 and R710 AP.
I'm attempting to set up a single SSID (eduroam) for both internal devices authenticating via EAP-TLS and BYOD devices using PEAP.
Depending on which rule is triggered in NPS Ruckus should apply a different traffic profile i.e. domain-joined laptops get full connectivity but BYOD is in a restricted VLAN with limited access to specific IP addresses (internal web servers etc.)
The authentication side works fine and I can assign devices to VLANs by using Dynamic VLAN in Ruckus with Tunnel-Pvt-Group-ID and Tunnel-Type attributes being sent by NPS (Server 2012 R2)
However that doesn't help me with the Role & Traffic Profile as that's assigned to the WLAN itself, meaning there's no distinction between the BYOD and domain-joined machines.
As far as I understand I should
be able to do this...
- define a User Role that sets the Traffic Profile and VLAN ID
- set vendor-specific attribute in NPS using vendor code 25053, attribute number 1 and the role name as a String value
- Ruckus should then override the settings in the WLAN with those in the Role (i.e. set VLAN ID and User Traffic Profile as required)
However it doesn't seem to work, the device gets no VLAN assigned (goes back to Default) no network access so looks like the Traffic Profile hasn't applied either.
Is this scenario even supported in vSZ or will I have to go back to multiple SSIDs to apply different Traffic Profiles?
Also noticed in the radiusd.log file this appears
[Thu Apr 25 2019 14:08:56:876][***servername***]][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1497]
Not retrieving UTP-Id because either Filter-Id not received, No AAA service is found
[Thu Apr 25 2019 14:08:56:876][SER][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1440]
vlan_id, vlan_pool is not available from utp_profile and as well as tunnel-private-group-id is not set in AAA