topic Re: Dynamic Vlan via NPS failing in ZoneDirector

Dynamic Vlan via NPS failing

joseph_lefranco — Thu, 22 Jan 2015 15:54:59 GMT

Currently, users are authenticated with AD via a Bradford device. The Bradford sets the dynamic vlan on the clients based on the Security Group they are a member of in AD. The bradford is no longer supported and I am trying to get rid of it from the network.

AP management is untagged using Vlan 18, while the client vlans (2, 4 and 6) are tagged to the AP ports.

I have a network policy in NPS for my Eng users which use Vlan 2:
Framed- Protocol - PPP
Service-Type - Framed
Tunnel-Medium-Type - 802
Tunnel-Type - Virtual LANs
Tunne-PVT-group-ID 2
Tunnel-Assignment-ID - 2

Custom
Vender-Specific
Vender Code: 25053
Attribute Number 1
Format: String
Attribute Value : CORP

The CORP role is configured on the Zone Director, however my client is always in Default, even with sending the CORP attribute.

I've confirmed my network configuration is correct by entering each vlan into the VLAN ID box on the WLAN. When I connect with Vlan 2 set, I get an IP in that Vlan, etc.
With Dynamic VLAN checked, and Vlan 1 in the VLAN ID box, I receive an IP in the AP management range, not in the proper vlan.

I'm running a pair of ZD1100s with Smart Redundancy on 9.8 build 373

Any assistance would be greatly appreciated,

Joe

Re: Dynamic Vlan via NPS failing

michael_brado — Wed, 28 Jan 2015 01:10:24 GMT

I believe a compatible Bradford version 7.1.0.306 should work with ZD 9.7.2.0.9 and 9.8 releases.

To troubleshoot in detail, please open a tech support ticket.

Re: Dynamic Vlan via NPS failing

michael_brado — Wed, 28 Jan 2015 22:27:01 GMT

Re-reading your inquiry Joe, what Bradford did was assign a DVLAN in the access-accept of the 802.1x exchange, with a client DM/re-auth in order to reconnect with the newly assigned VLAN. I don't think just returning/assigning a CORP role is enough to change the VLAN ID.

Re: Dynamic Vlan via NPS failing

michael_brado — Wed, 28 Jan 2015 22:35:07 GMT

To troubleshoot, from the ZD's Administer/Diagnostics page, enable debug components RADIUS, 802.1x, Dynamic VLAN, and enter your test client MAC address in the box.

Power on the client/radio to capture all connection messages, and proceed to login with uid/pw to AD. Note the client observations, initial IP, subsequent IP, and save the ZD debug info file. Use the support page Log Analyser, or request interpretation from Ruckus tech support, to follow your client transactions in the Event logs. Do you see the new VLAN ID in the radius access-accept, and is it applied by ZD?

You can also capture the br0 interface traffic of the AP your test client connects to, and will see the packet exchange and contents between your client and the AAA/AD server.

Compare a Bradford session with the AAA/AD only session output.

Re: Dynamic Vlan via NPS failing

michael_brado — Wed, 28 Jan 2015 22:47:55 GMT

Here's a best practice doc on DVLAN:

https://support.ruckuswireless.com/an...

Re: Dynamic Vlan via NPS failing

joseph_lefranco — Fri, 30 Jan 2015 20:23:08 GMT

Thank you Michael, I rebuilt my server and now it's working.

Re: Dynamic Vlan via NPS failing

michael_brado — Wed, 05 Jul 2017 16:58:03 GMT

Glad to hear it!