Dynamic VLAN failing with NPS?

  • Question
  • Updated 3 years ago
I am trying to configure a dynamic VLAN solution where a user is dropped into a specific VLAN dependent on their AD group membership, validated by a Microsoft NPS server.

I have the NPS server running and configured the appropriate settings.
Under RADIUS Attributes:
Framed-Protocol - PPP
Service-Type - Framed
Tunnel-Medium-Type - 802
Tunnel-Pvt-Group-ID - 501 (this is the VLAN I want to drop into)
Tunnel-Type - Virtual LANs

I can connect to the wireless and get authenticated however I drop into the VLAN that the AP is connected into.

If I enable Dynamic VLAN - I still connect to the wireless but get no network.

I am thinking it is something to do with the way we are connecting the APs to the switches?

If I connect to an AP that is in the VLAN I want - everything works.

So my thinking is that there has to be a bit more work on switch configuration for the APs to support this?

I cannot find any info about this in the Ruckus knowledge base anywhere.

Does this sound familiar to anyone?

For reference we are using Juniper EX4200 switches.

Thanks

Simon Young

  • 14 Posts
  • 0 Reply Likes

Posted 4 years ago
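The attribute list in the post above is what NPS puts into the RADIUS Access-Accept; whether the ZD applies it depends on how those tunnel attributes are encoded and grouped (RFC 2868, applied to 802.1X VLAN assignment by RFC 3580). The following is an added example, not code from the original post or from Ruckus or Microsoft: it assembles a constructed Access-Accept attribute list for VLAN 501 the way the NPS policy above would, then decodes it the way a NAS has to, including the Tag-byte rule for Tunnel-Private-Group-ID and the requirement that Tunnel-Type, Tunnel-Medium-Type and the group ID carry matching tags. The attribute and value numbers are the IANA-registered ones; the function names are this example's own.

```python
"""RFC 2868 tunnel attributes for VLAN assignment, as seen on the wire.

Added example for this thread (not from the original post, Ruckus or
Microsoft). The sample attribute list is constructed by hand, not captured.
"""

# Attribute type numbers (RFC 2865 / RFC 2868)
SERVICE_TYPE = 6
FRAMED_PROTOCOL = 7
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Attribute values used by the NPS policy in the post
SERVICE_TYPE_FRAMED = 2
FRAMED_PROTOCOL_PPP = 1
TUNNEL_TYPE_VLAN = 13        # "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # "IEEE-802" (RFC 2868)


def avp(attr_type, value):
    """Encode one Attribute-Value Pair: Type, Length (header included), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def tagged_int(value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte Tag, then a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(value, tag=0):
    """Tunnel-Private-Group-ID: an optional Tag byte (0x01..0x1F) then the string.

    With tag 0 no Tag byte is sent, so the receiver must decide from the
    first byte whether it is a tag or data (see split_tag_string)."""
    body = value.encode("ascii")
    return (bytes([tag]) + body) if 1 <= tag <= 0x1F else body


def build_nps_vlan_attrs(vlan_id, tag=0):
    """Constructed Access-Accept attribute list matching the NPS policy above."""
    return b"".join([
        avp(SERVICE_TYPE, SERVICE_TYPE_FRAMED.to_bytes(4, "big")),
        avp(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP.to_bytes(4, "big")),
        avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802, tag)),
        avp(TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan_id), tag)),
    ])


def parse_avps(attrs):
    """Yield (type, raw_value) pairs from a concatenated attribute list."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield t, attrs[i + 2:i + length]
        i += length


def split_tag_string(raw):
    """RFC 2868: a leading byte in 0x01..0x1F is a Tag; anything else is data."""
    if raw and 1 <= raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def vlan_from_access_accept(attrs):
    """Return the VLAN a NAS should apply, or None if the attributes do not
    form a complete VLAN assignment.

    A group ID is only honoured when Tunnel-Type=VLAN and
    Tunnel-Medium-Type=IEEE-802 are present with the same Tag. A numeric
    group ID is returned as an int (1..4094); a non-numeric one is returned
    as the VLAN name string for the caller to resolve."""
    tunnels = {}  # tag -> {"type": .., "medium": .., "group": ..}
    for t, raw in parse_avps(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            tag, val = raw[0], int.from_bytes(raw[1:], "big")
            key = "type" if t == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = val
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = split_tag_string(raw)
            tunnels.setdefault(tag, {})["group"] = s.decode("ascii", "replace")
    for tag in sorted(tunnels):
        f = tunnels[tag]
        if (f.get("type") == TUNNEL_TYPE_VLAN
                and f.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in f):
            g = f["group"]
            if g.isdigit():
                return int(g) if 1 <= int(g) <= 4094 else None
            return g
    return None


if __name__ == "__main__":
    wire = build_nps_vlan_attrs(501)
    print(wire.hex())
    print("VLAN:", vlan_from_access_accept(wire))
```

The mismatched-tag case is the one worth remembering: if the Tunnel-Private-Group-ID carries Tag 1 while Tunnel-Type and Tunnel-Medium-Type carry Tag 0, a NAS that follows the RFC will not treat them as one assignment, so the client lands in the default VLAN just as described in the post. Checking the Currently Active Clients page on the ZD, as suggested in the replies, tells you whether the ZD accepted the attributes before you start on the switch.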


Sid Sok, Official Rep

  • 102 Posts
  • 48 Reply Likes
The NPS configuration looks correct. When it's in DVLAN mode and a client is connected to the AP, look in the Monitor>Currently Active Clients page and see if the ZD has identified the client to be on the correct VLAN, from the above configuration it should show up as ACCESS VLAN 501, but verify.

If the client is identified as being on the correct VLAN, it means the NPS setting works and the ZD received the VLAN setting correctly, so the next step is to figure out why the client is not able to get an IP on that VLAN.

Check the switch port the AP is connected to:
1. Is it set to trunk mode? Management traffic is untagged
2. Is VLAN 501 configured as an allowed tagged VLAN on that port
3. Is there a DHCP server on VLAN 501 already

If you configure a switch port for Access mode VLAN 501 and plug a wired PC into that port, does the PC get an IP in the VLAN 501 range?

Post the switchport config as well.

Simon Young

  • 14 Posts
  • 0 Reply Likes
I have just changed the switch port that the AP is connected to into a trunk and the AP went offline?

Juniper EX4200 switch

ge-0/0/3 {
    unit 0 {
        description Ruckus_AP;
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members Wifi-Testing;
            }
        }
    }
}

When I changed the port back to access it goes into provisioning and then active.

The AP has a manual address assignment within that vlan

I am now confused on the Management VLAN?

Why did the AP go offline? I assume because it cannot see the controller.

This switch is trunked to another switch where the controller is connected and the vlan is permitted

Thanks

Roger

Keith - Pack Leader

  • 860 Posts
  • 51 Reply Likes
Your problems with NPS sound like a symptom and not a cause. You lost L2/L3 when you changed the port.

(you can easily validate this if you can locally connect the AP)

Something isn't right in that switch configuration. I would recommend you have Juniper TAC review the config/topology and suggest diagnostics you can run to isolate the issue.

Sid Sok, Official Rep

  • 102 Posts
  • 48 Reply Likes
By default the AP sends out its management traffic untagged. If you put the AP on a trunk port you have to make sure the Native/PVID/Untagged management VLAN is the same as the ZD's or has a route to the ZD, and allow the tagged VLAN for the clients, the dynamic one in this case. Here is an example I found on Juniper's site:

ge-0/0/23 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ Cust_150 Cust_151 ];
            }
            native-vlan-id 10;   /* sent untagged */
        }
    }
}

This assumes that your untagged/Native vlan is 10. I do not know if this is the same command for your brand/model/version you are running but it should be similar.
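Putting the two replies above together for the EX4200 in the question: the AP port becomes a trunk whose native (untagged) VLAN is the management VLAN the AP and ZD already use, with the dynamic client VLAN carried tagged, and the uplink to the switch hosting the ZD must carry both. The following is an added example, not configuration from the thread or from Juniper; it assumes names and IDs that do not appear in the original (management VLAN "Mgmt" = 10, "Wifi-Testing" = 501 to match the NPS Tunnel-Pvt-Group-ID, ge-0/0/3 as the AP port, ge-0/0/47 as the uplink) and uses the non-ELS syntax the posted snippets already use.

```junos
/* Added example, not from the thread. Assumed: Mgmt = VLAN 10 (untagged AP
   management, reachable from the ZD), Wifi-Testing = VLAN 501 (the value NPS
   returns in Tunnel-Pvt-Group-ID), ge-0/0/3 = AP port, ge-0/0/47 = uplink. */
vlans {
    Mgmt {
        vlan-id 10;
    }
    Wifi-Testing {
        vlan-id 501;
    }
}
interfaces {
    ge-0/0/3 {
        unit 0 {
            description Ruckus_AP;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members Wifi-Testing;      /* tagged: the dynamic client VLAN */
                }
                native-vlan-id 10;              /* untagged: AP <-> ZD management */
            }
        }
    }
    ge-0/0/47 {
        unit 0 {
            description Uplink_to_ZD_switch;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Mgmt Wifi-Testing ];   /* both VLANs must cross the uplink */
                }
            }
        }
    }
}
```

After committing, `show vlans` should list ge-0/0/3 as tagged in Wifi-Testing and `show ethernet-switching interfaces ge-0/0/3` should show VLAN 10 as the untagged native VLAN; the AP should then come back up exactly as it did on the access port, because its untagged management frames land where they did before. VLAN 501 still needs a DHCP server or relay reachable on it (Sid's third check), and a VLAN the AP tags for a client but which is missing from the uplink or the far-end switch gives the same "connected but no network" symptom described in the question. On ELS-based Junos platforms the equivalent statements live under `interface-mode trunk` and `native-vlan-id` at the interface level rather than the `port-mode` form shown here.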

Tyler Frantz

  • 3 Posts
  • 0 Reply Likes
I have a question about implementing a dynamic vlan assignment setup such as Simon is describing above.

Is it possible to set up this type of VLAN assignment and NPS authentication per user on a wireless network using a ZF7025 AP without the need for a ZoneDirector?

Keith - Pack Leader

  • 860 Posts
  • 51 Reply Likes
This is a great conversation that's separate from the main topic, so I created a new topic to continue the discussion. Please reference the new topic here: Dynamic VLANs with Standalone APs