NPS, Roles and VLAN Configuration

  • 1
  • Question
  • Updated 2 years ago
  • (Edited)
I am currently implementing a method for our users to connect to a specific SSID using a Hotspot Provisioning SSID which downloads the Zero IT configuration installer and connects them to the appropriate network based on their AD group membership.

As it stands I have configured Ruckus, setup the SSIDs, setup the roles and responses, setup NPS with matching responses (via the Vendor ID) for the roles and added users to groups for testing.

So, users connect to the Provisioning SSID, are prompted for credentials which they enter, receive either an executable file or a profile for iOS users and are then connected to the appropriate SSID and VLAN based on AD and the response from NPS.

The issue is that whilst some users receive the correct SSID configuration based on their group membership, others receive all three SSID configurations.

For example, I am a member of Staff in AD and get only the Staff SSID during the configuration process, and the correct VLAN and therefore filtering. Whereas a test Student, who is a member of Student in AD, receives configuration profiles for Staff, Student and SixthForm SSIDs. Another test student, with only the Student group in AD, receives configuration profiles for Staff and SixthForm but NOT Student.

The process is not consistent.

When I test the configuration under AAA Servers, I get the correct group responses from NPS for all three accounts, suggesting they would only receive the one configuration profile.

I am at a loss to explain or understand this. Can anyone help me identify where I might be going wrong here?
Photo of Andrew Wills

Andrew Wills

  • 2 Posts
  • 0 Reply Likes
  • Confused, Frustrated

Posted 2 years ago

  • 1
Photo of Monnat Systems

Monnat Systems, AlphaDog

  • 714 Posts
  • 151 Reply Likes
hi andy,

I would advice to check the ZD GUI --> configure -> roles and ensure that roles are configured correctly.

Also leave the default role in ZD as it is and don't rename it for creating some other role. Better add new roles and modify them.


Hope this helps.
Photo of Andrew Wills

Andrew Wills

  • 2 Posts
  • 0 Reply Likes
Thank you for your reply! I checked all the roles and then discovered that it was something else and very simple. I hadn't specified that the Zero-IT Activation under Configure; WLANs was set to use NPS as the Authentication server, so it was using AD instead and returning confusing values. Changing that has fixed it!