
14 Messages

 • 

220 Points

Mon, Apr 20, 2020 10:11 PM

RADIUS not working with new vSZ 5.2???

I currently have a ZoneDirector 3050 which is set up to use RADIUS and it works perfectly. I am trying to configure a new Virtual SmartZone 5.2 that I set up using Hyper-V to connect using RADIUS as well, but RADIUS keeps failing. I have tried to replicate the similar settings I have on the ZD3050 but it constantly fails. Has anyone run into this issue and resolved it successfully? I'm thinking there are some settings I'm missing somewhere, but I feel like I have tried everything.

Responses

105 Messages

 • 

2.3K Points

6 months ago

This is probably a dumb question, but is the vSZ listed as a RADIUS client?  That's what I forget to do about half the time LOL. 

14 Messages

 • 

220 Points

6 months ago

At this point, there are no dumb questions. Thank you for responding and yes it has a RADIUS Client. The RADIUS Client for the vSZ is set up almost identical to our ZD3050 RADIUS Client with the exception of the IP Address.

2 Messages

 • 

90 Points

6 months ago

Hi John,

What server are you using? Are you using proxy or non-proxy settings? In non-proxy, the AP is the authenticator and the AP subnet or individual IP needs to be added as a RADIUS client.
What does the AAA test say? FYI, the AAA test is just to check the connection between the controller and the AAA server using PAP, and client auth uses EAP.

Best Regards
Vineet

14 Messages

 • 

220 Points

6 months ago

Thank you for assisting and any help you can provide. Below are screenshots of the process I'm taking with non-proxy. I have tested proxy, but had the same results. It seems that the Virtual SmartZone does not like the "Connection Request Policy" "NAS Port Type". The ZoneDirector 3050 Controller (10.32.0.2) works perfectly, but not the vSZ (10.42.0.2). RADIUS Client settings are exactly the same except for the IP obviously.

BELOW IS A SUCCESSFUL TEST FROM OUR ZD3050 (10.32.0.2) AND EVENT LOGS. 










54 Messages

 • 

1K Points

6 months ago

Hi John,

Yes, so the RADIUS request is not matching any connection request policy and hence the auth is failing. Kindly follow the below and create a new connection request policy. If it still fails, kindly open a ticket with Ruckus support to assist over a remote session.

https://www.youtube.com/watch?v=QlL777qF95s

Best Regards
Vineet 

14 Messages

 • 

220 Points

6 months ago

That video doesn't help my issue. I've watched it 20 times. The only Connection Request Policy which communicates with my Virtual SmartZone is when I create a Condition for "Client IPv4 Address". Which is great to see the green "Success" display during testing in vSZ, but it returns with "None group is associated with this user.". Even though there is a Network Policy with a User Group it's using to authenticate with. When I set it up this way and create an SSID using RADIUS, no wireless device can authenticate. The wireless SSID prompts for credentials, but it looks like it dies at the controller because nothing shows up in the Event Logs in the Server. I currently have a ticket open with Ruckus. The technician looked at it for 5 minutes and couldn't resolve the problem. Below are some more pictures.

54 Messages

 • 

1K Points

6 months ago

Hi John,

As a test, can you configure the below:

1) Connection request policy: under condition add only "Day and time restriction" and allow all time

2) Network policy: under condition add "Day and time restriction", allow all time and add the user group.

All other settings would remain the same; we are just removing NAS port. Test the above settings and update; meanwhile, let me check with the case owner.



Best Regards
Vineet 

14 Messages

 • 

220 Points

6 months ago

Thank you for the suggestion. It comes back as Success and None group, but still cannot authenticate wireless devices with the SSID/RADIUS. 

54 Messages

 • 

1K Points

6 months ago

John, is it still not hitting the connection request policy, or is there any other error in Event Viewer?

Best Regards
Vineet 

14 Messages

 • 

220 Points

6 months ago

Still getting this (picture below). When trying to connect with a wireless device to the SSID/RADIUS it doesn't authenticate and no Event Logs. So, the controller sees the RADIUS Server but when a wireless device (Laptop) tries to connect to the SSID it asks for credentials but it doesn't accept anything. Nothing shows in the Event Log that there was a failed login from the wireless device.

54 Messages

 • 

1K Points

6 months ago

Hi John,

Let's ignore the AAA test now. Kindly follow the below commands to make sure we have client failure logs enabled. If there are no failure logs in the NPS Event Viewer, we have to follow the below:

  1. Open a CMD prompt on the server as admin
  2. At the command prompt, type the following command, and then press ENTER:

     auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

The above command would enable the client failure and success log on NPS. If even after this you do not see any logs populating, ask the engineer on the case to take a capture on the AP to see if the "access-request" packet is leaving the AP eth interface. If the request is hitting NPS, there has to be a failure log populating.

Best Regards
Vineet  

14 Messages

 • 

220 Points

The Event Logs for NPS work, but when trying to authenticate to a SSID with a Wireless Device it doesn't even make it to the Server. How do I know Event Logs work? Because if I have a successful or failed attempt directly from the AAA in the vSZ Controller it gives me a NPS Event Log.

28 Messages

 • 

612 Points

6 months ago

Hi John,

From the "Event Viewer" screenshot I can see the NAS Port Type is being classified as "Virtual" instead of "Wireless IEEE 802.11". That should be an issue from the ZD OS code.
As a workaround, try editing the NPS Policy NAS Port Type Conditions and check the "Virtual" option and see if that solves the problem.

Best regards.
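
Added example, not part of any post in this thread and not Ruckus or Microsoft code: a small decoder for the UDP payload of a captured RADIUS Access-Request, the packet the AP capture suggested earlier would show. It pulls out NAS-IP-Address and NAS-Port-Type (RFC 2865 attributes 4 and 61; value 5 is "Virtual", 19 is "Wireless - IEEE 802.11") and checks them against a RADIUS client list and a NAS Port Type condition. The function names, the client list and the `sample_request` helper that builds a constructed packet are assumptions for illustration.

```python
import ipaddress
import struct

# RFC 2865 attribute numbers, plus the NAS-Port-Type values discussed in the thread
NAS_IP_ADDRESS, NAS_PORT_TYPE = 4, 61
PORT_TYPES = {5: "Virtual", 15: "Ethernet", 19: "Wireless - IEEE 802.11"}

def parse_access_request(payload: bytes) -> dict:
    """Decode a RADIUS UDP payload into the fields NPS conditions match on."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code != 1:
        raise ValueError(f"code {code} is not an Access-Request")
    if not 20 <= length <= len(payload):
        raise ValueError("length field disagrees with the captured bytes")
    out = {"id": ident, "nas_ip": None, "nas_port_type": None}
    pos = 20  # skip code, id, length and the 16-byte request authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns the packet")
        value = payload[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS and alen == 6:
            out["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_PORT_TYPE and alen == 6:
            num = struct.unpack("!I", value)[0]
            out["nas_port_type"] = PORT_TYPES.get(num, f"unknown ({num})")
        pos += alen
    return out

def diagnose(src_ip, payload, radius_clients, allowed_port_types):
    """List the reasons this request would miss the NPS client list or policy."""
    req = parse_access_request(payload)
    problems = []
    nets = [ipaddress.ip_network(c) for c in radius_clients]
    if not any(ipaddress.ip_address(src_ip) in n for n in nets):
        problems.append(f"source {src_ip} is not a configured RADIUS client")
    if req["nas_port_type"] not in allowed_port_types:
        problems.append(f"NAS-Port-Type {req['nas_port_type']} fails the policy condition")
    return problems

def sample_request(nas_ip: str, port_type: int) -> bytes:
    """Constructed test packet: zeroed authenticator, two attributes only."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
```

In non-proxy mode the source address to pass in is the AP's, not the controller's, which is why a client list containing only 10.42.0.2 reports the request as coming from an unknown client.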

14 Messages

 • 

220 Points

I'm thinking it's something down those lines. By checking "Virtual" I no longer get a Failed attempt using the NAS Port Type Condition. But I still get the below picture and still cannot authenticate with Wireless devices.

14 Messages

 • 

220 Points

The Virtual and Port # seem ok because it is a Virtual Controller via Hyper-V and that's the port # required to access the web portal interface. But because it is Virtual, I'm thinking there are some configuration tweaks that need to take place somewhere.

14 Messages

 • 

220 Points

6 months ago

Maybe there is something in here that needs further configuring when setting up the SSID. Under "RADIUS Options".



28 Messages

 • 

612 Points

6 months ago

Try enabling the option "Use controller as proxy", otherwise the AP will be the one that tries to communicate with the NPS. Unless that's the way you wanted it to be.

Best regards

14 Messages

 • 

220 Points

I've tried that a few times to no success. This is ultimately how I'm going to have it set up, but for testing purposes it seems faster setting up the Non-Proxy. I get the same results, can't authenticate with the SSID.

28 Messages

 • 

612 Points

I don't have a ZD right now to check screens and show you exactly the menus, but I think that it has to do with the WLAN not being added to the user groups. Check the default user group or any custom ones and check if the WLAN you're testing is added. Maybe I'm wrong, but I think it's worth a try.

178 Messages

 • 

2.9K Points

6 months ago

Instead of using "User Groups" in NPS, have you tried using "Windows Groups"?

14 Messages

 • 

220 Points

Numerous times. lol.. I'm in the process of reinstalling the Virtual SmartZone. I will update the forum with the outcome.

178 Messages

 • 

2.9K Points

Because we use Windows Groups with a group of users that have access and we also have an OR condition for Domain Computers, so machine auth can take place as well (if you have Windows-based computers).