ZD3000: added AAA Active Directory server - then added wlan, no visible aaa choice

  • Updated 4 years ago
On a ZD3000 ver 9.6.1.
added AAA Active Directory server - then added WLAN, no visible aaa choice:

1. AD server added and tested successfully
2. Tried to add WLAN:
2a. chose standard usage
2b. chose 802.1x EAP
2c. chose WPA2
2d. chose AES

3. Authentication Server: pull-down does not display name of AAA server as a choice.

ThX


Posted 4 years ago


Keith - Pack Leader

Hi Rick,

Sorry for the troubles. What version did you upgrade from? Were you previously running this configuration or is this a new installation?

Thx

ThX

New install. Factory version 9.4.0.0.110

Upgraded to 9.6.0.0.267
Upgraded to 9.6.1

Then tried adding AAA - AD

Thanks

r0nnieb

Hi Rick,

802.1X will require a RADIUS server within your AAA config. If you require EAP authentication, this will need to be added to your ZoneDirector, along with configuration of a RADIUS / Network Policy Server.

Depending on what you need, there are other alternatives that the ZoneDirector supports, such as Dynamic PSK, Role Based Access Control, Captive Portal and Hotspot Provisioning, that are easier to configure than a full-blown RADIUS solution :)

ThX

Thanks r0nnieb.

r0nnieb: "...Depending what you need, there are other alternatives that the zone director supports with Dynamic PSK, Role Based Access Control, Captive Portal, Hotspot Provisioning that are easier to configure that a full blown radius solution..."

Note: I am a ruckuswireless noob. I am preparing the ZD300 for production. We anticipate (max) 2000 student "guest" users using 100 APs at any one time. We also anticipate 400 employees using their active directory credentials.

Part B:
Do any of the aforementioned alternatives support multi-thousands of "guests" using the identical login credentials (or pass phrases)? Do any of the alternatives NOT require a separate server or non-Ruckus device? That is, I would like the ZD3000 to offer the "guest" webpage (or other ZD built-in security solution) for credentialing and encryption.

Part A:
r0nnieb: "802.1X will require a RADIUS server within your AAA config. If you require EAP authentication this will need to be added to your zonedirector and configuration of a radius / network policy server"

Are you saying I need a separate RADIUS server in order to use active directory ("AD") credentialing? That is, I thought I could point the ZD at our AD without the need for a RADIUS server.

Thanks much,
Rick

r0nnieb

"Do any of the aforementioned alternatives support multi-thousands of "guests""

- Sure, the ZoneDirector 3000 supports 5000 Dynamic PSKs (with firmware 9.6 and above you can limit users to an x amount each; in your case 2 max, but I'd stick with 1).

"Do any of the alternatives NOT require a separate server or non-ruckus device...that is, I would like the ZD3000 to offer the "guest" webpage (or other ZD built-in security solution) for credentialing and encryption"

- You can provide guest access or Dynamic PSKs based on the local user database. Perhaps someone on here can point out how many users can be created, though I don't recall a bulk import facility (with the exception of guest account names for each ticket).

"Are you saying I need a separate RADIUS server in order to use active directory ("AD") credentialing? That is, I thought I could point the ZD at our AD without the need for a RADIUS server."

- You can certainly point your Ruckus to the Active Directory server for authentication based on RBAC (Role Based Access Control) via either a captive portal or a BYOD provisioning hotspot, which can use Zero IT activation to "push" the WLAN profiles to the user device (however, it's most client devices you can think of except Windows Mobile and BlackBerry for now, but these can be manually set up, I believe).

Also, you can use the onboarding portal within the guest access config page (similar to hotspot, only a tad easier).

:)