ZD1106 and Active Directory Authentication

We have a functional ZD1106, 4 AP configuration (non-Mesh), all set up and working fine. We had 2 SSIDs, one for Guests and one for Corporate. Both work fine, the Corporate one has a PSK that we give to employees.

I'd like to get Active Directory authentication working on the devices but so far it's kind of a hassle for users. I created another WLAN and enabled AD, let's call it Phil-AD.

Phil-AD is currently Open, otherwise a user would first need a PSK to connect to it. That doesn't seem very secure to me, but it's the least of my concerns right now.

Once I log into Phil-AD, I get redirected to the AD login portal page. My AD credentials work fine, and I'm in. Problem is, especially on iOS devices, when my devices go to sleep and wake up, I'm constantly being redirected to the captive portal page. Meaning it "forgets" my login information way, way too often. I can log in with my iPhone, let the device sleep and 5 minutes later, I have to re-auth to AD using the portal page, which is a hassle.

If I add a PSK to Phil-AD, the users first have to authenticate via PSK, and then they have to re-auth every time their devices go to sleep. If the users have to type in their AD credentials every hour or even every day they probably won't bother connecting to the wireless network.

Any thoughts or best practices on what I'm trying to accomplish?
Phil Lochner

Posted 4 years ago

janx

Hi,

I'm using RADIUS with certificates (IAS actually) to authenticate computers against AD... maybe it gives you an idea where to start from here. At least my XPs and Win7 are satisfied. I'm not familiar with iOS devices.
Keith - Pack Leader

This (somewhat unsatisfactory) thread has some suggestions/explanations that may help: https://forums.ruckuswireless.com/ruc.... In particular note the grace-period check box.

If you are seeing the same behavior with non-iOS devices there may be something else going on. If you're using NPS, you might check this technote: https://support.ruckuswireless.com/an...
Phil Lochner

Thanks for the update. I'm not sure why I need a Premium Support contract to simply read a tech note, so the second link it's going to help me. We have a Premium Support contract that's tied to our main administration account (and tied to my boss's email address). Let me know if there's some way to tie all our company accounts to a blanket Premium Support so any one of our 3 IT guys can post messages and take advantage of the support.

Anyway, from the first link, I'll play with the grace period check and see if it makes a difference. I have mainly tested this AD integration with iPhones and iPads so I need to see if regular laptops have the same issue. Unfortunately we have many iOS devices in the office, and those users will be most affected / inconvenienced by constantly re-authenticating. So if it's not working properly with iOS devices that'll be a deal breaker for us.
Keith - Pack Leader

I've linked your (orphan) contact record to your corporate account, and you now have premium access. Email [email protected] with email address/names of others that should be linked. Thx
Phil Lochner

Thanks Keith, I'll email cservice right away.