Zone Director and NPS/Radius for Admin authentication

  • Updated 10 months ago
I am trying to find documentation on how to properly configure Windows Server (2016) with AD/NPS/RADIUS to authenticate administrators on our ZD (and eventually SZ) controllers. We are NOT looking to authenticate WiFi users.

Are there any special attributes we need to add? Assuming Service-Type: Login and removing any Framed statements (PPP). Anything else?
Dave Bauman

Posted 11 months ago

Dave Bauman
Update: I've found that the authentication appears to succeed on NPS, but the ZD1200 controller doesn't seem to think so.
JSo
Hi, have you tried following this guide: https://support.ruckuswireless.com/articles/000008283 ?

Dave Bauman
I've looked at it. The SCG is a bit different than a ZD, but I was able to apply similar principles, no luck though. The RADIUS test on the ZD works, but logging in does not. My AD/NPS logs show the login as successful.
JSo
I'd check Roles in the ZD configuration and verify that you have a Role which allows ZD administration. Since the RADIUS test works, verify that the user is assigned the correct Role. You probably have done it, but also remember to enable external admin authentication under Administration -> Preferences.

If everything looks correct and it is still not working, then I'd try changing to the Active Directory type of authentication profile instead of RADIUS, at least as a troubleshooting method to narrow down the problem. I've found AD authentication easier to implement, especially if you want to allow ZoneDirector admin only for members of a specific AD group. I'm currently trying to achieve that on the SmartZone platform, without success...
Gordon Taylor
At my school we use 802.1X and NPS on Server 2016/2012R2 (auth against computer accounts). I have two docs with screenshots of every step of both the NPS setup and the GPO to make the laptops join the WiFi; I can share them if you like.
Edward Toovey
@Gordon Taylor I would be very interested in sharing those documents; I'm just in the process of setting up something similar at our school.
Gordon Taylor
Give me your email address... I can't see how to PM on here :-/
Dave Bauman
My biggest issue with this process right now is getting the SSL certificate working on the AD server.
Edward Toovey
Hi Gordon, my email is my first name {period} last name {at} durlstoncourt.co.uk. Thanks for your help.
Gordon Taylor
OK, I got that, if you want to delete it.
Gordon Taylor
Dave Bauman, you do ideally need an internal AD CA that issues certificates to your NPS servers and probably your workstations and DCs too, and the CA is in Trusted Root Certification Authorities on the connecting workstations (which an AD CA cert is automatically added to by AD on all domain-joined workstations).

To issue to workstations...
GPO Computer Config > Policies > Windows Settings > Security Settings > Public Key Policies/Automatic Certificate Request Settings > Automatic Certificate Request > Computer...
Dave Bauman
We don't really use AD for workstations, or at all, at this time. We have a lot of gear in the field and are moving away from a single admin login/password, as it has become unmanageable. The only purpose for AD/RADIUS at this time is to authenticate our admins in the field.
Gordon Taylor
Fair enough. I do use 802.1X for BYOD, but the devices complain about the cert, and Windows PCs won't even connect unless you put the root AD CA in the trusted root or use a publicly trusted cert (but not a wildcard), but then it complains about the name mismatch... but it does work... just a bit clunky on first connect.
Gordon Taylor
That's my BYOD RADIUS setup... not perfect, but it does work. I don't think the vendor-specific bit is needed; I think that was me trying to use one NPS server for both computer auth and BYOD user auth. In the end I split them.
Brian Powers
Dave,

You're trying to actually log into the ZD/SZ, yes? If you have it all configured and you're getting the proper accept message within your NPS logs, are you logging in with your full AD address (email, basically)? We log in to a vSZ via our AD/NPS/RADIUS, but the vSZ only supports PAP/CHAP and we had to make some adjustments to our NPS policy, and even then we still have to use the full account name (<username>@<site.abc>).
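The symptom in this thread (NPS logs an accept, the controller still refuses the login) is usually settled by looking at what the accept actually carried back to the controller. The script below is an added example, not code from the thread, from Ruckus or from Microsoft. It assumes NPS logging is set to the DTS-compliant XML format (one `<Event>` per line) and runs over constructed sample lines; the sample usernames, policy name and addresses are made up. It flags an accept whose Service-Type is not Login, one that still carries Framed-* attributes, an authentication type other than PAP/CHAP (which the thread reports is all the vSZ accepts), and a username sent without the domain suffix.

```python
"""Audit NPS accept events for RADIUS admin logins to a wireless controller.

Added example; assumes NPS "DTS compliant" XML logging (one <Event> element
per line). The sample log below is constructed, not captured from a real NPS.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS Packet-Type codes (RFC 2865 section 4).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RADIUS Service-Type values (RFC 2865 section 5.6): 1 = Login, 2 = Framed.
SERVICE_TYPE_LOGIN = 1
# NPS Authentication-Type codes as listed in Microsoft's NPS log-format reference.
AUTH_TYPE_NAMES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP"}
# The thread reports the controller only accepting PAP/CHAP for admin login.
CONTROLLER_AUTH_TYPES = {1, 2}

# Constructed sample: a controller at 192.0.2.10 sends three login attempts.
# 1) "dbauman" is accepted but the policy returns Service-Type=Framed plus
#    Framed-Protocol, and the name has no domain suffix.
# 2) "admin.two@corp.example" is accepted with Service-Type=Login only.
# 3) "badpw" is rejected (Reason-Code 16, credential mismatch) and is skipped.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">06/01/2019 10:15:02.123</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">dbauman</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Client-Friendly-Name data_type="1">ZD1200</Client-Friendly-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">06/01/2019 10:15:02.140</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">dbauman</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Service-Type data_type="0">2</Service-Type><Framed-Protocol data_type="0">1</Framed-Protocol><NP-Policy-Name data_type="1">Ruckus Admins</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">06/01/2019 10:16:30.001</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">admin.two@corp.example</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Client-Friendly-Name data_type="1">ZD1200</Client-Friendly-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">06/01/2019 10:16:30.020</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">admin.two@corp.example</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Service-Type data_type="0">1</Service-Type><NP-Policy-Name data_type="1">Ruckus Admins</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">06/01/2019 10:17:05.500</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">badpw</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">06/01/2019 10:17:05.520</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">badpw</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
"""


def parse_event(line):
    """Flatten one <Event> element into {attribute-name: text}."""
    root = ET.fromstring(line)
    return {child.tag: (child.text or "") for child in root}


def check_accept(user, attrs):
    """Return the list of problems in an accepted exchange (empty = looks right)."""
    findings = []
    svc = attrs.get("Service-Type")
    if svc is None:
        findings.append("no Service-Type returned; policy should send Service-Type=Login")
    elif int(svc) != SERVICE_TYPE_LOGIN:
        findings.append(f"Service-Type={svc}, expected Login (1)")
    framed = sorted(name for name in attrs if name.startswith("Framed-"))
    if framed:
        findings.append("Framed attributes present: " + ", ".join(framed))
    auth = attrs.get("Authentication-Type")
    if auth is not None and int(auth) not in CONTROLLER_AUTH_TYPES:
        label = AUTH_TYPE_NAMES.get(int(auth), auth)
        findings.append(f"Authentication-Type={label}; controller expects PAP/CHAP")
    if "@" not in user:
        findings.append("User-Name is not a UPN (user@domain); try the full account name")
    return findings


def audit_accepts(log_text):
    """Merge request/response events per (user, client) and audit every accept."""
    sessions = defaultdict(lambda: {"attrs": {}, "types": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        attrs = parse_event(line)
        key = (attrs.get("User-Name", "?"), attrs.get("Client-IP-Address", "?"))
        sessions[key]["attrs"].update(attrs)
        sessions[key]["types"].add(int(attrs.get("Packet-Type", 0)))
    report = {}
    for (user, _client), session in sessions.items():
        if ACCESS_ACCEPT in session["types"]:
            report[user] = check_accept(user, session["attrs"])
    return report


if __name__ == "__main__":
    for user, findings in audit_accepts(SAMPLE_LOG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{user}: {status}")
```

Point it at the real log by reading the file into `audit_accepts` instead of `SAMPLE_LOG`; an accept that comes back with no findings but still fails on the controller points to the Role mapping on the ZD rather than to NPS.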