
Fri, Oct 11, 2013 9:59 PM

Answered

Dynamic Vlan Assignment via RADIUS (Microsoft NPS) - DHCP Failure

I'm in the process of consolidating a large number of SSIDs into a single SSID using dynamic VLANs. I have followed the Ruckus documentation for configuring the appropriate attributes on the RADIUS server, and have an SSID set up for dynamic VLANs on the ZoneDirector.

My test clients connect to the SSID, and are prompted for credentials. I can see the credentials accepted on the NPS server, and Wireshark confirms the Access-Accept message contains the Tunnel-Private-Group-ID value for the desired VLAN.

At this point the client stalls trying to get a DHCP lease. The DHCP server is working, as these are existing scopes and subnets and I can connect a wired client into the switch on an access port for the same vlan and get a lease.

Wireshark shows no DHCP broadcast request from the client at all.

The switchport for the AP is a trunk, with the VLAN tagged and allowed.

Any assistance would be greatly appreciated!
Rob

Responses

7 years ago

Hi Rob,

I would suggest creating a test WLAN in the clear so you can read the wireless capture and put it on a static VLAN to match the one the DVLAN is supposed to assign, and see if you can get an IP that way and see if the client sends a DHCP discover.

You might want to mirror the AP's port and see if the AP got the Discover packet and if it's sending it out with the proper tag.

7 years ago

DVLANs work no problem. You are probably having networking issues. You must not tag all VLANs on a port. Suggest you use management VLAN untagged and others tagged.

7 years ago

Sid,

I did as you suggested and created a test WLAN with a static VLAN matching the DVLAN I am testing. The client associated and the DHCP request is seen in the packet capture, and the client receives an IP address assignment for the correct VLAN.

Rob

7 years ago

http://forums-archive.ruckuswireless....

It might be a good idea to provide this information in the documentation for ZoneDirector and DVLAN configuration.

7 years ago

Is what you needed in here as well? https://support.ruckuswireless.com/an...

What was the "missing piece"?

7 years ago

The vendor-specific attribute piece in NPS was required. It appears that NPS does not return AD groups to the ZoneDirector, so everything got dumped into the "Default" role. Adding the VSA (25053) with the AD group to match the ZD role appears to have resolved the issue in my test lab so far.
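
The fix described in the last post, as an added example that is not part of the thread: a checker that parses the raw bytes of an Access-Accept and reports whether the VLAN tunnel attributes and the Ruckus group VSA (vendor 25053) are both present. The VSA sub-type `1`, the VLAN `120` and the group name `Staff` are assumptions or constructed sample values, not taken from the thread.

```python
import struct

RUCKUS_VENDOR_ID = 25053   # vendor ID quoted in the thread
RUCKUS_USER_GROUPS = 1     # assumption: sub-type taken from the public FreeRADIUS Ruckus dictionary

def parse_attrs(packet):
    """Yield (type, value) for every attribute in a RADIUS packet (RFC 2865 layout)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                                  # code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def check_dvlan(packet):
    """Return (info, problems) for the dynamic-VLAN attributes of an Access-Accept."""
    info = {"tunnel_type": None, "medium": None, "vlan": None, "groups": []}
    for atype, val in parse_attrs(packet):
        if atype in (64, 65) and len(val) == 4:      # tag byte + 24-bit value (RFC 2868)
            info["tunnel_type" if atype == 64 else "medium"] = int.from_bytes(val[1:], "big")
        elif atype == 81 and val:                    # Tunnel-Private-Group-ID, optional tag <= 0x1F
            info["vlan"] = (val[1:] if val[0] <= 0x1F else val).decode("ascii", "replace")
        elif atype == 26 and len(val) >= 6:          # Vendor-Specific: vendor id, sub-type, sub-length
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == RUCKUS_VENDOR_ID and vtype == RUCKUS_USER_GROUPS:
                info["groups"].append(val[6:4 + vlen].decode("ascii", "replace"))
    problems = []
    if info["tunnel_type"] != 13:
        problems.append("Tunnel-Type is not VLAN (13)")
    if info["medium"] != 6:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if info["vlan"] is None:
        problems.append("no Tunnel-Private-Group-ID")
    if not info["groups"]:
        problems.append("no Ruckus group VSA (user maps to the Default role)")
    return info, problems

def build_accept(attrs):  # constructed Access-Accept (code 2) with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample data: VLAN "120" and group "Staff" are made up for the example.
TUNNEL = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"120")]
GROUP_VSA = (26, struct.pack("!IBB", RUCKUS_VENDOR_ID, RUCKUS_USER_GROUPS, 7) + b"Staff")
WITHOUT_VSA, WITH_VSA = build_accept(TUNNEL), build_accept(TUNNEL + [GROUP_VSA])
```

`check_dvlan(WITHOUT_VSA)` reproduces the symptom from the thread: the tunnel attributes are valid, yet the only problem reported is the missing group VSA.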