Skip to main content

Mon, Apr 4, 2016 10:59 AM

VSZ - Active Directory and Default Group Attribute Value


I am just wondering if anyone has got their VSZ setup with a WLAN that users log into the web authentication using accounts from Active Directory. 

I had this set up p[perfectly with the ZoneDirector but can't seem to get it to work with the VSZ. 

The Admin Guide i have says I can set the default Group Attribute Value when configuring the Roles, but that option is not there. The option is there how ever when I configure a Proxy AAA, but when testing, the results return Primary server success but do not list the group (which I've read it should). When logging into the WLAN I can an Invalid username or password message.

Has anyone got this kind of setup working. I have a case open, just looking to see if people have the same issue.



13 Messages


256 Points

3 years ago

I can't believe we're still waiting for AD to be included in our vSZ-H. I started to raise this issue way back at vSCG stage and now at vSZ 3.4 still not sorted.
I have a school asking us to give them a quotation to install WiFi for the full school but they want to be assured that AD will work for them. I have to turn the opportunity down. I also have an existing school looking for AD authentication and I can't provide it. How long do we have to wait???  Can somebody give a straight answer?

178 Messages


2.9K Points

You can't use AAA (RADIUS) authentication? Seems pretty straight forward with our vSZ-E deployment.

1 Message


60 Points

2 years ago

For some reasson the version, VSZ High is not letting us use proxy mode, does somebody knows if this mode works in this version ? im thinking that maybe I need an upgrade to fix some bug, have of you went through this problem? when I changed the mode to none proxy I started receving erros and logs from the AP, but I wasnt able to receive logs from the cVSZ controller in proxy mode.

30 Messages


454 Points

2 years ago

We have been in the fortunate situation where we have a ZD1200 on loan from our suppliers when we bough the vSZ license. 2 Years on as we are still no where near to using the vSZ for what i want to do with it however it feels like we have some software that promissed to deliver but it simply doesn't, the vSZ is now running 5.1.

I was told years ago that the vSZ and the ZD software would alost be exactly the same however this isn't the case. It seems that the ZD software is more feature rich than the vSZ by a country mile.

It would seem that Ruckus have finally brough in the Active Directory Group lookup as shown here from my vSZ-H setup:

however they haven't yet implimented the ROLES side so this user who is a test user in our AD is in the correct AD Group, however they aren't limited to join a specific SSID.

Here is what i am using now in the ZD1200 and would have hoped to have seen the same in the vSZ but this isn't the case:

What the above 2 images from my ZD1200 are showing is, picture 1 is showing the ZD querying our AD to find what group memberships user 2012 is part of. 

Picture 2 is showing the options under ROLES so that if the GROUP ATTRIBUTES field matches those that the user is part of in AD, the user is able to access that SSID.

This feature is missing from the vSZ and cannot be found!

I guess this is what others are waiting for and using RADIUS Authentication is not an option. We do Radius Accounting via our Smoothwall on the ZD1200.

Also what is missing on the vSZ, is the ability to have HOTSPOT (WSPr) set and to authenticate via Active Directory.

10 Messages


154 Points

a year ago

I'm doing vSZ And have run into this problem, moving from ZD3050 and realize.the feature are just there in vSZ, disappointing. Also web authentication doeant seem to work, having to do hotspot Wispr. Not impressed so far, so disappointed. I did some trouble shooting before my planned deployment next week, I discovered when doing AD auth, if a user is in one group it's fine, but if it multiple groups it's only the first queried group that works, and it's in alpha order.

11 Messages


270 Points

a year ago

I got round the problem in the end. BYOD WLAN setup as 802.1x EAP and the authentication server set as our RADIUS server (Smoothwall). In the smoothwall box is now where we can limit the access to users that are a member of a certain AD group. Any users that we then want to have BYOD access we can add to a named security group and they can authenticate with their AD username and password.

2 Messages


80 Points

Dave, how did you go about doing this? We are trying to do something similar using Windows NPS and are striking out. I have a AAA (RADIUS) server setup (our NPS) and I configured a specific WLAN for a NAS-ID. I enabled Web Auth and tied the Web Auth portal to the WLAN. The page comes up but no user can authenticate, period. If I change the portal to HotSpot WISPr, authentication works just fine...I'm not sure what the issue is here.

10 Messages


154 Points

a year ago

I was told that this is a feature request to have atrrib mapping for users in more then one AD group, which is ridiculous, how is that a feature to request, its a bug. I was also told the workaround is setting up a radius server, which I am trying to avoid but may have to do.