VSZ - Active Directory and Default Group Attribute Value

  • 6
  • Question
  • Updated 4 months ago
Hello,

I am just wondering if anyone has got their VSZ setup with a WLAN that users log into the web authentication using accounts from Active Directory. 

I had this set up p[perfectly with the ZoneDirector but can't seem to get it to work with the VSZ. 

The Admin Guide i have says I can set the default Group Attribute Value when configuring the Roles, but that option is not there. The option is there how ever when I configure a Proxy AAA, but when testing, the results return Primary server success but do not list the group (which I've read it should). When logging into the WLAN I can an Invalid username or password message.

Has anyone got this kind of setup working. I have a case open, just looking to see if people have the same issue.

Thanks.
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes

Posted 1 year ago

  • 6
Photo of Paddy Naughton

Paddy Naughton

  • 9 Posts
  • 0 Reply Likes
David, I've had the same problem. you'll see the case I brought about a year agoi;I tried everything you did and still had no success. It's a problem that Ruckus know about but have not come up with a solution yet. 
It's pretty urgent I would feel because a basic feature like this needs to be available to quite a lot of companies/organisations. Hopefully we'l get a solution sooner rather than later
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
I had to guys remoted in all of Monday trying to setup NPS and RADIUS as a work around but no joy yet. I need to get this working by Monday or else I'm going to have to stick with the Zonedirector, which means sitting on 53 brand new APs and carrying on using 802.11b/g :(
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
Well we got somewhere today. We were able to log in with AD users, but unfortunately any AD users. We were not able to limit it based on AD groups and vSZ Roles.
Photo of roger da luz

roger da luz

  • 3 Posts
  • 0 Reply Likes
I have one problem with the attributes.

I try to restrict the access to the one especifc wlan based on the RADIUS Group Atributes, but i does have susses. The users still have access to that wlan.
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
This could be down to two issues, a) Either your group attributes arent working and everyone is getting the role of "default" and has access to all WLANs or b) In the vsz you have to select one of the wlans when selecting which wlans a role can use where as you didnt have to select one in the zone director software.
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
I'd be interested to see if this and been resolved as i'm having the exact same problem. I have a vSZ and 22 R510 APs sat waiting to replace a 1100 controller and 20 7363 APs but the 1100 just works and i feel that i've laid out a load of money to go backwards on functionality. Here's my thread with what we have at the moment https://forums.ruckuswireless.com/ruckuswireless/topics/vsz-3-5-roles-with-web-auth-limit-ad-groups-...

Why cant Ruckus just keep features in that are actually useful!
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
It was ment to be resolved with a firmware update that was ment to come out at the end of Feburary according to the person at ruckus thats looking after the case for me. I haven't heard from him since december but you have reminded me to get incontact and get an update!
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
Did you manage to get an update from Ruckus?
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
Ha, false promises, that's a good start. 

Would you be able to update this thread when you've heard back, i'm keen to get my setup in next week / week after as that's a maintenance window for us otherwise it's going to be the end of May.
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
Good news, the new firmware was released a few weeks ago. I haven't got my hands on it yet so can't comment on it.

If you have a login for the ruckus support site it's up for download.
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
I've got 3.5.0.0.808 which is showing on the downloads page however this hasn't addressed the issue with AD groups and roles meaning AD groups are still not supported in this release.
Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
Well that's not what I wanted to hear. I haven't even fired up the vSZ in about forever so have to get it on there and see. Can you see any changes in it?
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
I was on 3.4 before 3.5 - 3.5.0.0.808 came out a week or so after i purchased the vSZ.

3.5 has a completely different look and feel to it, my upgrade took a couple of hours to complete however it does seem a lot quicker.

I've asked my reseller to look into the AD problem too but they came back with creating a rule and force them on to a specific VLAN, this is not what i want to do, i'm wanting to stop a specific group in AD from being able to connect to a SSID.

Here are 2 screenshots of 3.5 - the login screen and the home page which can be customised.



Photo of Dave

Dave

  • 9 Posts
  • 0 Reply Likes
Do you have your smartzone and zonedirector up at the same time, is it safe to do that?
Photo of Tim Hobson

Tim Hobson

  • 26 Posts
  • 1 Reply Like
I cannot retire the smartzone yet until ruckus bring about the AD group feature. The smartzone has 20 7363s connected to it which is live.

I've got the vSZ setup with 22 R510s sat in a box waiting to be swapped out. Once Ruckus release the AD groups feature, then i'll setup the vSZ to the same configuration as the 1100 and swap the 7363s with the R510s. The R510s will detect with vSZ automatically and set them selves up.

It's been tested and the system is pretty much waiting to go but Ruckus will not release the AD groups feature to the vSZ. It feels like ive spent a small fortune on a white elephant!