Can't switch users from open SSID to secured one easily.

  • Question
  • Updated 2 years ago
  • Answered
This is so odd. 

High school campus. Due to a certificate error on the network over the summer, we had to set up an open SSID for students. Once they reached the network, a new cert would come down and then most machines will automatically switch to our preferred, secured network pushed out by GPO.

That works fine with our Ruckus 7363 APs. But... anyplace we have a newer 600, we have issues. If I turn off broadcasting the temp SSID, machines go correctly to the regular WLAN. No one even connects to the temp SSID! But if I just turn it off completely (disabling that SSID), every machine fails and never switches. It's only these newer APs with this issue. Note the 7363s are using an 1100 ZD; the 600s are on a 1200 ZD with newer firmware.

I can't find a setting on the new ZD that could cause this behavior. Any suggestions?

Sheldon Lefkowitz

Posted 2 years ago

Mitchell Axtell

Is it possible that the old ZD has the WLAN set to WPA/TKIP, and the new ZD is set to WPA/AES? Are there any noticeable differences in the config of the WLANs?

Sheldon Lefkowitz

Looked over the configs again. Authentication and encryption are identical. I do see that I have "Enable Dynamic VLan" enabled on the new ZD for our regular SSID, but not enabled on the older ZD. I think I was forced to turn that on, if I recall, when doing the setup. What impact does this setting have?

Mitchell Axtell

Dynamic VLAN?  Do you have 802.1x enabled on the WLAN?


Dynamic VLAN is a way for the RADIUS server to tell the ZD what VLAN a specific client should be on, so you can have one SSID like "School" and it can assign students to one VLAN, and staff to another (without having multiple SSIDs). Because of this, it's only usable when paired with 802.1x.
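
The mechanism described in the reply above, as an added example that is not part of the original thread and not Ruckus code: a RADIUS server signals a per-client VLAN with the standard RFC 3580 tunnel attributes in its Access-Accept, and this sketch extracts that VLAN from the raw packet. It assumes the controller follows RFC 3580; the function names and sample packets are constructed for illustration.

```python
import struct

# RFC 2868 tunnel attributes that carry a VLAN assignment (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet):
    """Return {type: first value} for the attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def assigned_vlan(packet):
    """VLAN ID an Access-Accept assigns, or None to keep the WLAN default."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return None
    ttype = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # Tunnel-Type and Tunnel-Medium-Type: 1 tag byte + 3-byte integer.
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TYPE_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802:
        return None
    # Tunnel-Private-Group-ID: a first byte <= 0x1F is a tag, not text.
    if group and group[0] <= 0x1F:
        group = group[1:]
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None

def build_accept(attrs):
    """Constructed sample packet: Access-Accept, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

STAFF = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")])
NO_VLAN = build_accept([(1, b"student1")])  # 802.1X with no per-user VLAN
```

An Access-Accept without the three tunnel attributes yields `None`, which is the case where the client simply stays on the VLAN the WLAN or AP already uses.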

Sheldon Lefkowitz

We do use RADIUS so have 802.1x enabled. I do not have any assigned VLANs per user, however. VLANs are given based on the subnet the AP is on.

We have a device policy that I set up to deny access to iOS machines. When I created it, I was forced to enable DVLAN; the GUI will not close without that option turned on. I don't have that policy with my ZD1100.

If this setting is creating this problem, it would make sense that all computers should experience it. Interestingly, only about 10% will not switch as I described above. The rest connect as they should.

Either way, it's puzzling to me that I have to leave on the temp SSID in order for machines to connect to our regular SSID!

I have turned off the temp SSID this evening and removed the device policy and DVLAN settings. Will see if that changes things on Tuesday.

Sheldon Lefkowitz

No luck. Still have the same issues. I'm really at a loss with this.

Sheldon Lefkowitz

Opened a case. I was told this could be caused by the cache on the ZD still being in place and that I can clear it via a reboot. I did so and then disabled the temp SSID. That did not fix the problem. I had to re-enable the temp SSID so that users would auto switch to the regular SSID as usual!

Sheldon Lefkowitz

Updating this post:

I worked with Support for several days. Ultimately, we updated the firmware to the current version and made a few small configuration changes, including removing the temp SSID so that no leftover settings would exist.

This solved the problem I was having and we are now back to normal operations.

Sean

Just a stab in the dark: have you recently upgraded from one firmware to another on the 1200? I have seen certain WLANs lock out clients sometimes on upgrade, and what you have to do is delete the WLAN and then recreate it again for clients to be able to connect - just changing the config does nothing at all.

Sheldon Lefkowitz

Actually, the upgrade solved the problem. See my note above. Thanks for the tip.

Sean

What version are you on at the moment?

Be careful with 9.10 MR1 as there is a roaming bug; Ruckus are aware as I have a ticket and it's waiting to be resolved.

Sheldon Lefkowitz

Our 1200 is on 9.9.1.0