RADIUS not working with new vSZ 5.2???

  • Question
  • Updated 1 month ago
I currently have a ZoneDirector 3050 which is set up to use RADIUS and it works perfectly. I am trying to configure a new Virtual SmartZone 5.2 that I set up using Hyper-V to connect using RADIUS as well, but RADIUS keeps failing. I have tried to replicate the similar settings I have on the ZD3050 but it constantly fails. Has anyone run into this issue and resolved it successfully? I'm thinking there are some settings I'm missing somewhere, but I feel like I have tried everything.

John Krussaniotakis

Posted 6 months ago


David Black

This is probably a dumb question, but is the vSZ listed as a RADIUS client?  That's what I forget to do about half the time LOL. 

John Krussaniotakis

At this point, there are no dumb questions. Thank you for responding, and yes, it has a RADIUS Client. The RADIUS Client for the vSZ is set up almost identically to our ZD3050 RADIUS Client, with the exception of the IP Address.

Vineet Nejawala, Employee

Hi John,

What server are you using? Are you using proxy or non-proxy settings? In non-proxy, the AP is the authenticator, and the AP subnet or individual IP needs to be added as a RADIUS client.
What does the AAA test say? FYI, the AAA test is just to check the connection between the controller and the AAA server using PAP, and client auth uses EAP.

Best Regards
Vineet

John Krussaniotakis

Thank you for assisting and any help you can provide. Below are screenshots of the process I'm taking with non-proxy. I have tested proxy, but had the same results. It seems that the Virtual SmartZone does not like the "Connection Request Policy" "NAS Port Type". The ZoneDirector 3050 Controller (10.32.0.2) works perfectly, but not the vSZ (10.42.0.2). RADIUS Client settings are exactly the same except for the IP, obviously.

 













BELOW IS A SUCCESSFUL TEST FROM OUR ZD3050 (10.32.0.2) AND EVENT LOGS. 











Vineet Nejawala, Employee

Hi John,

Yes, so the RADIUS request is not matching any connection request policy and hence the auth is failing. Kindly follow the below and create a new connection request policy. If it still fails, kindly open a ticket with Ruckus support to assist over a remote session.

https://www.youtube.com/watch?v=QlL777qF95s

Best Regards
Vineet 

John Krussaniotakis

That video doesn't help my issue. I've watched it 20 times. The only Connection Request Policy which communicates with my Virtual SmartZone is when I create a Condition for "Client IPv4 Address". Which is great to see the green "Success" display during testing in vSZ, but it returns with "None group is associated with this user.". Even though there is a Network Policy with a User Group it's using to authenticate with. When I set it up this way and create an SSID using RADIUS, no wireless device can authenticate. The wireless SSID prompts for credentials, but it looks like it dies at the controller because nothing shows up in the Event Logs on the Server. I currently have a ticket open with Ruckus. The technician looked at it for 5 minutes and couldn't resolve the problem. Below are some more pictures.















Vineet Nejawala, Employee

Hi John,

As a test, can you configure the below:

1) Connection request policy: under conditions, add only "Day and time restriction" and allow all time.

2) Network policy: under conditions, add "Day and time restriction", allow all time, and add the user group.

All other settings would remain the same; we are just removing NAS port. Test the above settings and update. Meanwhile, let me check with the case owner.



Best Regards
Vineet 

John Krussaniotakis

Thank you for the suggestion. It comes back as Success and None group, but still cannot authenticate wireless devices with the SSID/RADIUS. 

Vineet Nejawala, Employee

John, is it still not hitting the connection request policy, or is there any other error in Event Viewer?

Best Regards
Vineet 

John Krussaniotakis

Still getting this (picture below). When trying to connect with a wireless device to the SSID/RADIUS, it doesn't authenticate and there are no Event Logs. So, the controller sees the RADIUS Server, but when a wireless device (Laptop) tries to connect to the SSID it asks for credentials but it doesn't accept anything. Nothing shows in the Event Log that there was a failed login from the wireless device.









Vineet Nejawala, Employee

Hi John,

Let's ignore the AAA test for now. Kindly follow the commands below to make sure we have client failure logs enabled. If there are no failure logs in the NPS Event Viewer, we have to follow the below:

  1. Open CMD prompt on Server as admin
  2. At the command prompt, type the following command, and then press ENTER:

         auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

The above command would enable the client failure and success log on NPS. If even after this you do not see any logs populating, ask the engineer on the case to take a capture on the AP to see if the "access-request" packet is leaving the AP eth interface. If the request is hitting NPS, there has to be a failure log populating.

Best Regards
Vineet  


John Krussaniotakis

The Event Logs for NPS work, but when trying to authenticate to an SSID with a Wireless Device it doesn't even make it to the Server. How do I know the Event Logs work? Because if I have a successful or failed attempt directly from the AAA in the vSZ Controller, it gives me an NPS Event Log.

Javier Valdes

Hi John,

From the "Event Viewer" screenshot I can see the NAS Port Type is being classified as "Virtual" instead of "Wireless IEEE 802.11". That should be an issue from the ZD OS code.
As a workaround, try editing the NPS Policy NAS Port Type Conditions and check the "Virtual" option, and see if that solves the problem.

Best regards.

John Krussaniotakis

I'm thinking it's something down those lines. By checking "Virtual" I no longer get a Failed attempt using the NAS Port Type Condition. But I still get the below picture and still cannot authenticate with Wireless devices.

John Krussaniotakis

The Virtual and Port # seem ok because it is a Virtual Controller via Hyper-V and that's the port # required to access the web portal interface. But because it is Virtual, I'm thinking there are some configuration tweaks that need to take place somewhere.

John Krussaniotakis

Maybe there is something in here that needs further configuring when setting up the SSID. Under "RADIUS Options".




Javier Valdes

Try enabling the option "Use controller as proxy"; otherwise the AP will be the one who tries to communicate with the NPS. Unless that's the way you wanted it to be.

Best regards

John Krussaniotakis

I've tried that a few times with no success. This is ultimately how I'm going to have it set up, but for testing purposes it seems faster setting up the Non-Proxy. I get the same results, can't authenticate with the SSID.










Javier Valdes

I don't have a ZD right now to check screens and show you exactly the menus, but I think that it has to do with the WLAN not being added to the user groups. Check the default user group or any custom ones and check if the WLAN you're testing is added. Maybe I'm wrong, but I think it's worth the try.

EightOhTwoEleven

Instead of using "User Groups" in NPS, have you tried using "Windows Groups"?

John Krussaniotakis

Numerous times. lol.. I'm in the process of reinstalling the Virtual SmartZone. I will update the forum with the outcome.

EightOhTwoEleven

Because we use Windows Groups with a group of users that have access, and we also have an OR condition for Domain Computers, so machine auth can take place as well (if you have Windows-based computers).

John Krussaniotakis

Reinstall of Virtual SmartZone didn't do the trick. I want to know if anybody has a Virtual SmartZone  on Hyper-V and has RADIUS working. I believe the issue is that it picks up the NAS Port-Type as Virtual (Because it is), like Javier mentioned previously. Because my physical ZD3050 works with RADIUS perfectly.  There has to be some tweaking I can do somewhere, but my brain is fried at this point. All ideas are welcomed. 

Diego Garcia del Rio

Hi John,

The NAS port-type as virtual has nothing to do with the SmartZone being a physical or virtual appliance. It's just what it does to create a "fake" test packet.

In all your first attempts you were not using proxy mode. As such, the APs themselves are sending the RADIUS auth request and thus you need to add all the APs as RADIUS clients on your NPS.

If you run in proxy mode, then it's SmartZone sending the requests. Are you able to run Wireshark on your NPS server to see if any RADIUS packets are reaching the controller at the IP level? I don't recall if NPS would create event logs for RADIUS packets for unexpected clients.
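
The two checks discussed in the thread up to this point (is the sender of the Access-Request listed as a RADIUS client, and does its NAS-Port-Type match the policy condition) can be run against a captured packet. The following Python is an added example, not part of any post and not Ruckus or Microsoft code: it parses an Access-Request per RFC 2865 and applies a simplified model of those two checks. The function names, the AP address 10.42.0.50, the user name and the packets themselves are constructed assumptions.

```python
import ipaddress
import struct

# RFC 2865 attribute numbers and the two NAS-Port-Type values seen in the thread
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
PORT_TYPES = {5: "Virtual", 19: "Wireless - IEEE 802.11"}

def parse_access_request(pkt: bytes) -> dict:
    """Return the id, User-Name, NAS-IP-Address and NAS-Port-Type of a request."""
    if len(pkt) < 20 or pkt[0] != 1:
        raise ValueError("not a RADIUS Access-Request")
    ident, length = struct.unpack("!BH", pkt[1:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not fit the datagram")
    out, pos = {"id": ident}, 20          # attributes start after the 20-byte header
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_PORT_TYPE and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            out["nas_port_type"] = PORT_TYPES.get(n, str(n))
        pos += alen
    return out

def diagnose(src_ip, pkt, radius_clients, policy_port_types):
    """Simplified model: client-list check first, then the port-type condition."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(c) for c in radius_clients):
        return "source is not a configured RADIUS client"
    port_type = parse_access_request(pkt).get("nas_port_type")
    if policy_port_types and port_type not in policy_port_types:
        return f"NAS-Port-Type {port_type!r} does not match the policy condition"
    return "request matches"

def build(user, nas_ip, port_type):  # constructed sample packet, not a capture
    tlvs = ((USER_NAME, user.encode()), (NAS_PORT_TYPE, struct.pack("!I", port_type)),
            (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    test = build("jdoe", "10.42.0.2", 5)  # controller AAA test packet, type Virtual
    print(diagnose("10.42.0.2", test, ["10.42.0.2"], {"Wireless - IEEE 802.11"}))
```

To use it on real traffic, pass the UDP payload and source address of a packet captured on the NPS server instead of the output of `build`.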



John Krussaniotakis

Thank you for your response. As for Proxy and non-Proxy, I just have one test AP running at the moment. Non-Proxy makes testing faster. I have a Ruckus Engineer working on the issue, and he is having difficulties resolving the issue as well. The problem seems to be with the Virtual SmartZone Controller. I will update the forum with any findings. 

But I would still love to know if there is anybody out there who successfully uses a Virtual SmartZone Controller on Hyper-V and has RADIUS authenticating with a Windows Server/NPS.

Anders Grandt

Hi, we are using Ruckus vSZ (5.2) and Radius (Windows NPS) on both Hyper-V and VMWare and it's working.
You cannot use 5.2 version and proxy your requests through SmartZone because there is some bug currently in that release (https://forums.ruckuswireless.com/ruckuswireless/topics/radius-server-unreachable-events).

So you have to use non-proxy if you are on 5.2 at least.
If you still need help you can contact me on Teams (anders.grandt(at)qsys.se).

Michael Carty

Was there any resolution to this issue? I am having the same issue with a virtual Smartzone controller. 

Zoran Nisevic

I am having the same issue with a virtual Smartzone controller too.

Intern Beheer

Hi all,

We had the same problem, even AAA tests in the vSZ (5.2) failed.

I have a possible solution:

- At the RADIUS server, make sure your account matches the current network policy (Policies > Network Policies > Select your network policy > Conditions). If you have used the NPS wizard to set up network policies, it will create a condition: NAS port type "Wireless - IEEE 802.11". Remove this one if it exists. Select a user group (for example, security group "Domain users") or another condition it should match.
- After that, restart all your SmartZones (software or hardware appliances, it doesn't matter).
- The AAA test in the vSZ should now pass and you should be able to connect to the wifi network with 802.1x as authentication type.

kelly briene

vSZ version 5.2.0.0.699 with 411 R710s APs on campus. Every few days we are getting a bunch of radius server unreachable events. What is odd is the details of the event do not even point to our radius server.

Jeronimo

Hi John.

Did this problem resolve?

If not, which mode of vSZ (vSZ-E or vSZ-H) did you deploy?

This point is important.