Hi everyone, I'm currently trialling Ruckus vSZ 22.214.171.124.222 with an R510 and R710 AP.
I'm attempting to set up a single SSID (eduroam) for both internal devices authenticating via EAP-TLS and BYOD devices using PEAP.
Depending on which rule is triggered in NPS Ruckus should apply a different traffic profile i.e. domain-joined laptops get full connectivity but BYOD is in a restricted VLAN with limited access to specific IP addresses (internal web servers etc.)
The authentication side works fine and I can assign devices to VLANs by using Dynamic VLAN in Ruckus with Tunnel-Pvt-Group-ID and Tunnel-Type attributes being sent by NPS (Server 2012 R2)
However that doesn't help me with the Role & Traffic Profile as that's assigned to the WLAN itself, meaning there's no distinction between the BYOD and domain-joined machines.
As far as I understand I should be able to do this...
define a User Role that sets the Traffic Profile and VLAN ID
set vendor-specific attribute in NPS using vendor code 25053, attribute number 1 and the role name as a String value
Ruckus should then override the settings in the WLAN with those in the Role (i.e. set VLAN ID and User Traffic Profile as required)
However it doesn't seem to work, the device gets no VLAN assigned (goes back to Default) no network access so looks like the Traffic Profile hasn't applied either.
Is this scenario even supported in vSZ or will I have to go back to multiple SSIDs to apply different Traffic Profiles?
Also noticed in the radiusd.log file this appears
[Thu Apr 25 2019 14:08:56:876][***servername***]][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1497] Not retrieving UTP-Id because either Filter-Id not received, No AAA service is found
[Thu Apr 25 2019 14:08:56:876][SER][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1440] vlan_id, vlan_pool is not available from utp_profile and as well as tunnel-private-group-id is not set in AAA
You should use Radius standard attribute Filter-id for sending the role to use. The value to be returned from AAA server is not strictly the UTP name, instead you should configure the User Role mapping (value received from AAA and corresponding UTP) inside the Authentication server configuration.
Hi José, just trying this at the moment but initially doesn't seem to have changed anything. Is there anything else that needs setting (or indeed removing) from the WLAN profile for Roles to take effect? Will a RADIUS Attribute Role always take precedence over something statically configured in the GUI?
At the moment there's a UTP configured against the WLAN, access VLAN is set to 1 with Dynamic Override ticked.
Yes, the profile obtained via the user role has precedence over the one in WLAN. If the UE is being assigned to the WLAN UTP it must be because it is still failing to link the value received in Access-Accept attribute to the correct profile. You can enable Debug log level in Radius controller process to get some more details about what is received and a possible failure. If you can't sort it out, please open a Support ticket and we will look into your specific config in more detail.