Dynamic Vlan via NPS failing

  • Question
  • Updated 5 months ago
  • Answered
Currently, users are authenticated with AD via a Bradford device. The Bradford sets the dynamic VLAN on the clients based on the Security Group they are a member of in AD. The Bradford is no longer supported and I am trying to get rid of it from the network.

AP management is untagged using VLAN 18, while the client VLANs (2, 4 and 6) are tagged to the AP ports.

I have a network policy in NPS for my Eng users which use VLAN 2:
Framed-Protocol - PPP
Service-Type - Framed
Tunnel-Medium-Type - 802
Tunnel-Type - Virtual LANs
Tunnel-Pvt-Group-ID - 2
Tunnel-Assignment-ID - 2

Custom
Vendor-Specific
Vendor Code: 25053
Attribute Number: 1
Format: String
Attribute Value: CORP

The CORP role is configured on the Zone Director, however my client is always in Default, even with sending the CORP attribute.

I've confirmed my network configuration is correct by entering each VLAN into the VLAN ID box on the WLAN. When I connect with VLAN 2 set, I get an IP in that VLAN, etc.
With Dynamic VLAN checked, and VLAN 1 in the VLAN ID box, I receive an IP in the AP management range, not in the proper VLAN.

I'm running a pair of ZD1100s with Smart Redundancy on 9.8 build 373.

Any assistance would be greatly appreciated,

Joe

Joe L


Posted 3 years ago


Michael Brado, Official Rep

I believe a compatible Bradford version 7.1.0.306 should work with ZD 9.7.2.0.9 and 9.8 releases.

To troubleshoot in detail, please open a tech support ticket.

Michael Brado, Official Rep

Re-reading your inquiry Joe, what Bradford did was assign a DVLAN in the access-accept of the 802.1x exchange, with a client DM/re-auth in order to reconnect with the newly assigned VLAN. I don't think just returning/assigning a CORP role is enough to change the VLAN ID.

Michael Brado, Official Rep

To troubleshoot, from the ZD's Administer/Diagnostics page, enable debug components RADIUS, 802.1x, Dynamic VLAN, and enter your test client MAC address in the box.

Power on the client/radio to capture all connection messages, and proceed to login with uid/pw to AD. Note the client observations, initial IP, subsequent IP, and save the ZD debug info file. Use the support page Log Analyser, or request interpretation from Ruckus tech support, to follow your client transactions in the Event logs. Do you see the new VLAN ID in the radius access-accept, and is it applied by ZD?

You can also capture the br0 interface traffic of the AP your test client connects to, and you will see the packet exchange and contents between your client and the AAA/AD server.

Compare a Bradford session with the AAA/AD only session output.
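To make Michael's "do you see the new VLAN ID in the RADIUS access-accept" check concrete, here is an added example (not from the thread or from Ruckus) that encodes the attribute set Joe listed in NPS as RADIUS attributes per RFC 2868/RFC 3580 and then decodes an Access-Accept attribute payload to report which VLAN, if any, it actually assigns. The attribute numbers and the "Virtual LANs"/"802" enumeration values are the standard ones; the vendor id 25053 and attribute 1 = CORP are taken from the post, and the payloads are constructed here, not captured.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and RFC 3580 enumeration values
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, MEDIUM_IEEE802 = 13, 6   # NPS shows these as "Virtual LANs" and "802"

def avp(type_, value):
    """Encode one attribute as Type(1) Length(1) Value (length includes the header)."""
    return struct.pack("BB", type_, 2 + len(value)) + value

def tunnel_int(tag, n):
    # Tagged integer: one tag byte followed by a 3-byte big-endian value (RFC 2868 3.1)
    return bytes([tag]) + n.to_bytes(3, "big")

def vlan_accept(vlan, tag=1):
    """Constructed Access-Accept attributes that assign a VLAN the way NPS does."""
    return (avp(TUNNEL_TYPE, tunnel_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tunnel_int(tag, MEDIUM_IEEE802))
            + avp(TUNNEL_PVT_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def ruckus_role_vsa(role, vendor_id=25053):
    """Vendor-Specific attribute carrying a role string (vendor id / attr 1 from the post)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + avp(1, role.encode()))

def parse_avps(payload):
    """Split an attribute payload into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        t, l = payload[i], payload[i + 1]
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs

def assigned_vlan(payload):
    """VLAN ID the Access-Accept assigns, or None when the three tunnel attributes
    are missing or inconsistent (a role VSA alone assigns no VLAN)."""
    found = {}
    for t, v in parse_avps(payload):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            # a first byte above 0x1F is data, not a tag (RFC 2868 3.1)
            found[t] = int.from_bytes(v[1:] if v[0] <= 0x1F else v, "big")
        elif t == TUNNEL_PVT_GROUP_ID and v:
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode(errors="replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE802:
        return None
    group = found.get(TUNNEL_PVT_GROUP_ID, "")
    return int(group) if group.isdigit() else None
```

Feeding `assigned_vlan` the attribute bytes from a captured Access-Accept tells you whether the server sent a VLAN at all, separating an NPS policy problem from a ZD-side Dynamic VLAN setting.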

Michael Brado, Official Rep

Here's a best practice doc on DVLAN:

https://support.ruckuswireless.com/an...

Joe L

Thank you Michael, I rebuilt my server and now it's working.

Michael Brado, Official Rep

Glad to hear it!