Skip to main content

30 Messages


454 Points

Thu, Apr 4, 2019 2:26 PM


vSZ 5.1 apply User Role to SSID(s) to allow access

We are finding it somewhat difficult to setup User Roles on vSZ 5.1 and assign them specific WLANs. For example, we would like a group of students to only access the Student-BYOD WLAN and Staff to access the STAF-BYOD.

It would seem this is not possible in vSZ as i have been stuck with this problem for the last 2 years unless i've completely missed it.

On the ZD1200 it can be found under Services & Profiles > Roles. In the vSZ, looking under Clients > User & Roles it's a completely different thing.

Can someone tell me where the image below can be configured in vSZ:

As you can see on the ZD, testing a user against AD and against Roles, the ZD knows what ROLE to give the user.

When i try to test the AAA AD server i've setup on the vSZ i get the follow message against a test user:

I've tried my best to find the ROLES as on the ZD1200 so i'm now left with the message "The user will not be assigned to any roles." 

Can somebody / anybody tell me where to configure the roles just like on the ZD1200.



34 Messages


920 Points

2 years ago

Hi Tim, sorry for the confusion. This is not supported currently on SZ--at least, not supported from the SZ's enforcement perspective. We have had many customers solve this by using AAA policies on the AAA server, using the WLAN attribute sent in the RADIUS request to allow/deny roles based on this input. 


5 Messages


100 Points

a year ago

Marcus can you explain how to send the WLAN attribute in the Radius request?

34 Messages


920 Points

a year ago

Hey Tim, sorry for the late reply here. Sorry if you've already sorted this out. 

On the WLAN settings, configure a user-defined NAD ID (RADIUS options). This NAS ID is sent in RADIUS requests to the RADIUS server. 

On the RADIUS side, configure a policy allowing (or denying) user groups based on the NAS ID matching your configured definition on SZ. In the authentication exchange, this NAS ID is used as a match condition to allow/deny certain user groups.