LDAP Filtering for Self-Service Guest Access Approver

  • Question
  • Updated 1 year ago
I'm trying to set up Self-Service Guest Access on a customer's ZD, but they require that only select domain users can approve Self-Service access requests. The customer created a new group (sponsor/approvers) in AD and added only a few domain users as members. I also created a Role in ZD matching the new group on Group Attribute. Ruckus Support told me before to configure LDAP on ZD and set a search filter so that only the members of the AD group can log in and approve Self-Service requests. Initial tests were successful and I thought that everything was OK, so I left it at that.

However, I returned to the customer's office a few weeks later and saw that even non-members of the group were able to approve Self-Service requests. My question now is: is it really possible to filter sponsors that can approve via LDAP? Below is the LDAP configuration I did based on the customer's settings. I replaced the actual company domain name but everything else is the same.


base dn
dc=corp,dc=company,dc=com

admin dn
CN=Ruckus Service Account,OU=Service Accounts,DC=CORP,DC=COMPANY,DC=COM

key attribute
samAccountName


search filter
|(objectClass=Person)(memberOf=CN=Ruckus-WifiApprovers,OU=Domain Security Groups,DC=CORP,DC=COMPANY,DC=COM)


Ruckus-WifiApprovers is the Group Attribute that I configured in Roles. That is the same group in AD that the customer created.

I also thought that maybe it was because the Self-Service Guest SSID is allowed in the Default Role, so I removed it from there and only allowed it on the Ruckus-WifiApprovers Role, but the result is the same. This is driving me crazy.
M

Posted 1 year ago

M

Turned out I have to disable guestpass generation on Default Role. Everything's working now. My problem now is you can only have one authentication server for all Self-Service profiles you create. Support said this is working as designed. Sad.
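
The semantics of the search filter quoted in the question, as an added example that is not part of the original posts and is not Ruckus or Active Directory code: in RFC 4515 filter syntax a leading `|` means OR and `&` means AND, so the two forms select different users. The entries `alice` and `bob` are constructed, and how ZoneDirector applies the filter at login is not modelled.

```python
# Added example: evaluates a subset of RFC 4515 filters (&, |, !, attr=value)
# against constructed directory entries. Not ZoneDirector or AD code.
GROUP = "CN=Ruckus-WifiApprovers,OU=Domain Security Groups,DC=CORP,DC=COMPANY,DC=COM"
# Constructed sample entries (hypothetical users): alice is in the group, bob is not.
ENTRIES = {
    "alice": {"objectClass": ["top", "person", "user"], "memberOf": [GROUP]},
    "bob": {"objectClass": ["top", "person", "user"], "memberOf": []},
}

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed filter")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "=":
        _, attr, value = node
        have = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
        return value.lower() in (v.lower() for v in have)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[op](results)

def allowed(filter_text):
    """Return the sorted names of the sample entries the filter selects."""
    # The ZD field in the post holds the filter without outer parentheses.
    text = filter_text if filter_text.startswith("(") else f"({filter_text})"
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, e in ENTRIES.items() if matches(node, e))

AS_POSTED = f"|(objectClass=Person)(memberOf={GROUP})"  # OR: any person entry
WITH_AND = f"&(objectClass=Person)(memberOf={GROUP})"   # AND: group members only
if __name__ == "__main__":
    for label, flt in (("as posted", AS_POSTED), ("with &", WITH_AND)):
        print(label, allowed(flt))
```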