Ruckus & Radius Server in Windows Server 2012

Hi All,

I plan to use a RADIUS server in Windows Server 2012.
I use 3 WLAN SSIDs, that is:
- BOD (for BOD access)
- Corporate (for employees using a notebook and accessing the internal network)
- Guest (for guests)

The Group Attribute successfully connects with roles+policies in Ruckus (Group Attribute in Windows Server 2012):

- "Success! The user will be assigned a role of "Group Attribute AD-CBT". -
The notebook gets the IP address, gateway and DNS IP from the DHCP server.
 
The problem is:
When I connect to the "Corporate" SSID, I still cannot ping servers in the internal network.
(Note: I'm using a dynamic IP)

Please help, it's an urgent condition, haha. Thanks everybody.

Perdianto
(Indonesia)
Perdianto Halim
Posted 3 years ago
Eizens Putnins
Hi,
Check that you really have the proper corporate VLAN on the switch port to which the AP is connected.
If that isn't the problem, then:
Check traffic on the AP (use the Wireshark capability in the ZD diagnostic menu).
Check traffic on the switch port (use the switch port mirroring or monitoring feature).

Then you'll see where the communication is broken.

Do you have client isolation set to on? It may disable all communication between the client and VLAN hosts before you create a white list.

Hope it helps,
Eizens
Perdianto Halim
Hi Eizens,

Thanks for replying to my post.
There's no problem with the Corporate VLAN ID, it was filled in, and Client Isolation is set to off.
I'm using Windows Server 2012, and I'm trying to build NPS as the RADIUS server.
Do you have any reference?

Thanks in advance,
Perdianto
Eizens Putnins
There is a Ruckus document about MS Server 2008 configuration, or maybe even for 2012 if I remember correctly. It is available on the partner web. Have you consulted it?
Hoang Tung
Hi,
There are some things I would check:
1) Check your devices: which IPs they get, what gateway, subnet...
2) If they don't get the right IPs, it means the configuration is not correct, either on the server or the ZD.
3) If the device gets the right IPs, you should check your VLAN again.
I would suggest you upload some pics here, so we know what's going on.
Perdianto Halim
Hi Hoang Tung,

- IP address, subnet, gateway and DNS IP have been broadcast to the notebook (that's not the problem)
- Checked from ZD, Configure > AAA server (SS): not a problem, and it successfully connects with RADIUS

- WLAN Config

- When I try to ping the internal network, the result is Request Timed Out.
I still don't have a solution.

Many Thanks,
Perdianto
Hoang Tung
It doesn't make sense that you test the RADIUS successfully but can't ping the internal network.
Do you have a proxy or any firewall rule?
Because if you can get the correct IP address, that means the VLAN works well.
Can you ping outside? Try pinging google.com and see how it goes.
If you can ping google, I think you should check with the proxy or firewall.

Secondly, I can see in your screenshot about Access Control, at L2/MAC, that you chose Wireless Device? What is your purpose for that? I think it might be causing the problem. I would choose No ACLs and test again.

Give me screenshots so we can track it.
Eizens Putnins

Hello,

It doesn't seem to be authentication -- as you are getting an IP, it must be OK.

It seems that your VLAN tag is incorrect when packets try to leave the AP, or communication is somehow disabled on the VLAN side.

As far as I see on your pictures, all things on wireless side look correct.

To be 100% sure, I would check if in fact you have the right VLAN communication on the switch -- get another switch, configure a trunk on it with the proper VLANs, connect it instead of the AP, make an additional access port in VLAN 58, connect a client there and check if everything works. If it works -- then you really have to proceed with traffic monitoring on the AP; if not -- look at the wired infrastructure (access lists in switches may be the source of the problem).

By the way, what role are your users in -- do they actually have access to the proper WLANs in the ZD?

Regards,

Eizens

Munish Dhiman, Employee
Hi Perdianto Halim,

In order to isolate:
  1. Could you create a TEST open SSID without encryption for the same corp VLAN and test?
  2. Also do a trace route from the client to the internal server IP.
  3. Connect a laptop directly to the switch port in the same VLAN and see if you can ping the internal network.
Thanks
Munish
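The client-side checks the replies above ask for (right subnet, ping the gateway, ping an internal server, ping google.com) can be run as one script that maps the outcome onto the layers Eizens and Hoang Tung reason about: an address from the corporate VLAN means authentication and DHCP are fine, an unreachable gateway points at VLAN tagging or L2 ACLs on the AP/switch side, and a reachable Internet with an unreachable server points at a firewall, proxy or ACL. This is an added example, not code from the thread or from Ruckus; the subnet, gateway and server addresses are constructed placeholders to replace with your own.

```python
import ipaddress
import platform
import socket
import subprocess

# Constructed placeholders: set the corporate VLAN subnet (VLAN 58 in the thread),
# its gateway, one internal server and an external host for your site.
CORP_SUBNET = ipaddress.ip_network("10.58.0.0/24")
CORP_GATEWAY = "10.58.0.1"
INTERNAL_SERVER = "10.58.0.10"
EXTERNAL_HOST = "google.com"

def reachable(host: str, timeout_s: int = 3) -> bool:
    """One ICMP echo via the OS ping, so it runs unprivileged on the notebook."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=timeout_s + 5)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def local_ip_toward(gateway: str) -> str:
    """Source address the OS picks toward the gateway (UDP connect sends nothing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((gateway, 9))
        return s.getsockname()[0]

def triage(client_ip: str, gateway_ok: bool, server_ok: bool, external_ok: bool) -> str:
    """Map the probe results onto the layers the thread walks through, bottom up."""
    if ipaddress.ip_address(client_ip) not in CORP_SUBNET:
        return "WRONG_SUBNET: lease is not from the corporate VLAN; check WLAN VLAN ID and DHCP scope"
    if not gateway_ok:
        return "L2: gateway unreachable; check VLAN tag on the AP switch port, client isolation, L2 ACLs"
    if server_ok:
        return "OK: internal network reachable"
    if external_ok:
        return "L3_FILTER: Internet works but server does not; check firewall, proxy or ACL to the server"
    return "ROUTING: gateway answers but nothing beyond it; check routes and switch ACLs"

def run() -> str:
    """Run the probes from the wireless client and return the verdict."""
    ip = local_ip_toward(CORP_GATEWAY)
    verdict = triage(ip, reachable(CORP_GATEWAY), reachable(INTERNAL_SERVER),
                     reachable(EXTERNAL_HOST))
    print(f"client {ip}: {verdict}")
    return verdict

if __name__ == "__main__":
    run()
```

Run it once from the notebook on the Corporate SSID and once from a laptop on the same VLAN switch port (Munish's step 3); if only the wireless run fails at the L2 step, the problem is between the AP and the switch rather than in the wired network.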