Skip to main content

2 Messages

 • 

102 Points

Thu, Jan 22, 2015 3:54 PM

Answered

Dynamic Vlan via NPS failing

Currently, users are authenticated with AD via a Bradford device. The Bradford sets the dynamic vlan on the clients based on the Security Group they are a member of in AD. The bradford is no longer supported and I am trying to get rid of it from the network.

AP management is untagged using Vlan 18, while the client vlans (2, 4 and 6) are tagged to the AP ports.

I have a network policy in NPS for my Eng users which use Vlan 2:
Framed- Protocol - PPP
Service-Type - Framed
Tunnel-Medium-Type - 802
Tunnel-Type - Virtual LANs
Tunne-PVT-group-ID 2
Tunnel-Assignment-ID - 2

Custom
Vender-Specific
Vender Code: 25053
Attribute Number 1
Format: String
Attribute Value : CORP

The CORP role is configured on the Zone Director, however my client is always in Default, even with sending the CORP attribute.

I've confirmed my network configuration is correct by entering each vlan into the VLAN ID box on the WLAN. When I connect with Vlan 2 set, I get an IP in that Vlan, etc.
With Dynamic VLAN checked, and Vlan 1 in the VLAN ID box, I receive an IP in the AP management range, not in the proper vlan.

I'm running a pair of ZD1100s with Smart Redundancy on 9.8 build 373

Any assistance would be greatly appreciated,

Joe

Responses

Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

6 years ago

I believe a compatible Bradford version 7.1.0.306 should work with ZD 9.7.2.0.9 and 9.8 releases.

To troubleshoot in detail, please open a tech support ticket.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

6 years ago

Re-reading your inquiry Joe, what Bradford did was assign a DVLAN in the access-accept of the 802.1x exchange, with a client DM/re-auth in order to reconnect with the newly assigned VLAN. I don't think just returning/assigning a CORP role is enough to change the VLAN ID.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

6 years ago

To troubleshoot, from the ZD's Administer/Diagnostics page, enable debug components RADIUS, 802.1x, Dynamic VLAN, and enter your test client MAC address in the box.

Power on the client/radio to capture all connection messages, and proceed to login with uid/pw to AD. Note the client observations, initial IP, subsequent IP, and save the ZD debug info file. Use the support page Log Analyser, or request interpretation from Ruckus tech support, to follow your client transactions in the Event logs. Do you see the new VLAN ID in the radius access-accept, and is it applied by ZD?

You can also capture the br0 interface traffic of the AP your test client connects to, and will see the packet exchange and contents between your client and the AAA/AD server.

Compare a Bradford session with the AAA/AD only session output.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

6 years ago

Here's a best practice doc on DVLAN:

https://support.ruckuswireless.com/an...

2 Messages

 • 

102 Points

6 years ago

Thank you Michael, I rebuilt my server and now it's working.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Glad to hear it!