Dynamic VLAN Assignment via RADIUS (Microsoft NPS) - DHCP Failure

  • Question
  • Updated 4 years ago
  • Answered
I'm in the process of consolidating a large number of SSIDs into a single SSID using dynamic VLANs. I have followed the Ruckus documentation for configuring the appropriate attributes on the RADIUS server, and have an SSID set up for dynamic VLANs on the ZoneDirector.

My test clients connect to the SSID, and are prompted for credentials. I can see the credentials accepted on the NPS server, and Wireshark confirms the Access-Accept message contains the Tunnel-Private-Group-ID value for the desired VLAN.

At this point the client stalls trying to get a DHCP lease. The DHCP server is working, as these are existing scopes and subnets and I can connect a wired client into the switch on an access port for the same VLAN and get a lease.

Wireshark shows no DHCP broadcast request from the client at all.

The switchport for the AP is a trunk, with the VLAN tagged and allowed.

Any assistance would be greatly appreciated!
Rob

Rob Coote

Posted 4 years ago

Sid Sok, Official Rep

Hi Rob,

I would suggest creating a test WLAN in the clear so you can read the wireless capture, and putting it on a static VLAN that matches the one the DVLAN is supposed to assign, to see if you can get an IP that way and whether the client sends a DHCP Discover.

You might want to mirror the AP's port and see if the AP got the Discover packet and if it's sending it out with the proper tag.

Primož Marinšek, AlphaDog

DVLANs work no problem. You are probably having networking issues. You must not tag all VLANs on a port. Suggest you use management VLAN untagged and others tagged.

Rob Coote

Sid,

I did as you suggested and created a test WLAN with a static VLAN matching the DVLAN I am testing. The client associated and the DHCP request is seen in the packet capture, and the client receives an IP address assignment for the correct VLAN.

Rob

Rob Coote

http://forums-archive.ruckuswireless....

It might be a good idea to provide this information in the documentation for ZoneDirector and DVLAN configuration.

Keith - Pack Leader

Is what you needed in here as well? https://support.ruckuswireless.com/an...

What was the "missing piece"?

Rob Coote

The vendor-specific attribute piece in NPS was required. It appears that NPS does not return AD groups to the ZoneDirector, so everything got dumped into the "Default" role. Adding the VSA (25053) with the AD group to match the ZD role appears to have resolved the issue in my test lab so far.
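
The check discussed in this thread, as an added example that is not part of any post: a small Python decoder that reads a captured Access-Accept and reports whether it carries the VLAN tunnel attributes and a vendor 25053 VSA. The sample packet, VLAN "20", group "Staff" and vendor sub-type 1 are constructed placeholders, and the Tunnel-Type and Tunnel-Medium-Type values come from RFC 3580 rather than from the thread.

```python
import struct

RUCKUS_VENDOR_ID = 25053  # vendor ID quoted in the thread

def attr(atype, value):
    """Encode one RADIUS attribute (type, length, value)."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs):
    """Build a constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", 2, 1, 20 + len(body), bytes(16)) + body

def parse_accept(packet):
    """Return tunnel attributes and vendor-25053 sub-attributes of an Access-Accept."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {"vsa": {}}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        val = packet[pos + 2:pos + alen]
        if atype in (64, 65) and len(val) == 4:      # Tunnel-Type, Tunnel-Medium-Type
            found[atype] = int.from_bytes(val[1:], "big")  # skip the tag byte
        elif atype == 81:                            # Tunnel-Private-Group-ID
            found[81] = (val[1:] if val and val[0] <= 0x1F else val).decode()
        elif atype == 26 and len(val) >= 6 and int.from_bytes(val[:4], "big") == RUCKUS_VENDOR_ID:
            sub = val[4:]                            # vendor sub-attributes (TLV)
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found["vsa"][sub[0]] = sub[2:sub[1]].decode()
                sub = sub[sub[1]:]
        pos += alen
    return found

def check_dvlan(found):
    """List what the Access-Accept lacks for dynamic VLAN plus the vendor VSA."""
    checks = [
        (found.get(64) == 13, "Tunnel-Type is not VLAN (13)"),
        (found.get(65) == 6, "Tunnel-Medium-Type is not IEEE-802 (6)"),
        (bool(found.get(81)), "Tunnel-Private-Group-ID missing"),
        (bool(found["vsa"]), "no vendor 25053 VSA present"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: VLAN "20", group "Staff" and sub-type 1 are placeholders.
TUNNEL = [attr(64, bytes([0, 0, 0, 13])), attr(65, bytes([0, 0, 0, 6])), attr(81, b"20")]
VSA = attr(26, struct.pack("!I", RUCKUS_VENDOR_ID) + attr(1, b"Staff"))
```

Feeding it the RADIUS payload bytes exported from a capture shows at a glance whether the reply matches the case described in the last post, where the tunnel attributes were present but the VSA was not.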