vSZ configure User Role via RADIUS Attribute
04-25-2019 07:41 AM
Hi everyone, I'm currently trialling Ruckus vSZ 3.6.2.0.222 with an R510 and R710 AP.
I'm attempting to set up a single SSID (eduroam) for both internal devices authenticating via EAP-TLS and BYOD devices using PEAP.
Depending on which rule is triggered in NPS, Ruckus should apply a different traffic profile, i.e. domain-joined laptops get full connectivity but BYOD devices are in a restricted VLAN with limited access to specific IP addresses (internal web servers etc.).
The authentication side works fine and I can assign devices to VLANs by using Dynamic VLAN in Ruckus with Tunnel-Pvt-Group-ID and Tunnel-Type attributes being sent by NPS (Server 2012 R2).
However, that doesn't help me with the Role & Traffic Profile as that's assigned to the WLAN itself, meaning there's no distinction between the BYOD and domain-joined machines.
As far as I understand I should be able to do this...
- define a User Role that sets the Traffic Profile and VLAN ID
- set vendor-specific attribute in NPS using vendor code 25053, attribute number 1 and the role name as a String value
- Ruckus should then override the settings in the WLAN with those in the Role (i.e. set VLAN ID and User Traffic Profile as required)
Is this scenario even supported in vSZ or will I have to go back to multiple SSIDs to apply different Traffic Profiles?
Also noticed in the radiusd.log file this appears
[Thu Apr 25 2019 14:08:56:876][***servername***]][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1497]
Not retrieving UTP-Id because either Filter-Id not received, No AAA service is found
[Thu Apr 25 2019 14:08:56:876][SER][RADIUS][WRN][FID=1,ueMac=MACADDRESS,TID=-1201772800][wsg_rad_proxy.c:1440]
vlan_id, vlan_pool is not available from utp_profile and as well as tunnel-private-group-id is not set in AAA
04-25-2019 09:14 AM
Hello Gerrard,
You should use Radius standard attribute Filter-id for sending the role to use. The value to be returned from AAA server is not strictly the UTP name, instead you should configure the User Role mapping (value received from AAA and corresponding UTP) inside the Authentication server configuration.
Thanks.
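As an added illustration (not code from this thread or from Ruckus), a small Python parser that walks RADIUS Access-Accept attributes and applies the rule described in the reply above: the role is resolved from the standard Filter-Id attribute through a configured mapping table, not from the Ruckus VSA (vendor 25053, attribute 1) the question tried, while the VLAN still comes from Tunnel-Private-Group-ID. The attribute bodies and the role table are constructed here; the attribute numbers are the standard RFC 2865/2868 ones.

```python
import struct
# RFC 2865/2868 attribute numbers discussed in the thread, plus the Ruckus vendor code
FILTER_ID, VENDOR_SPECIFIC, TUNNEL_PVT_GROUP_ID = 11, 26, 81
RUCKUS_VENDOR_ID = 25053

def attr(atype, value):
    """Encode one RADIUS attribute as type/length/value (length covers the header)."""
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(data):
    """Walk the attribute list of a RADIUS packet body, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def resolve_role(attrs, role_map):
    """Controller rule from the thread: role = Filter-Id looked up in the AAA role
    table; VLAN = Tunnel-Private-Group-ID (tag stripped); the Ruckus VSA is ignored."""
    seen = {"filter_id": None, "role": None, "vlan": None, "ruckus_vsa": None}
    for atype, value in attrs:
        if atype == FILTER_ID:
            seen["filter_id"] = value.decode("utf-8", "replace")
        elif atype == TUNNEL_PVT_GROUP_ID:
            body = value[1:] if value and value[0] <= 0x1F else value  # RFC 2868 tag byte
            seen["vlan"] = body.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == RUCKUS_VENDOR_ID and vtype == 1:
                seen["ruckus_vsa"] = value[6:4 + vlen].decode("utf-8", "replace")
    if seen["filter_id"] is not None:
        seen["role"] = role_map.get(seen["filter_id"])  # None when the mapping is missing
    return seen

# Constructed role table, standing in for the mapping configured on the vSZ AAA server
ROLE_MAP = {"byod": "BYOD-Restricted", "corp": "Domain-Full"}
# Constructed Access-Accept bodies: the VSA-only form from the question and the Filter-Id
# form from the answer, both carrying the dynamic-VLAN attribute (tag 1, VLAN 200)
VLAN_ATTR = attr(TUNNEL_PVT_GROUP_ID, b"\x01" + b"200")
VSA_ONLY = attr(VENDOR_SPECIFIC, struct.pack("!IBB", RUCKUS_VENDOR_ID, 1, 6) + b"byod") + VLAN_ATTR
FILTER_ID_FORM = attr(FILTER_ID, b"byod") + VLAN_ATTR

if __name__ == "__main__":
    for name, body in (("vsa-only", VSA_ONLY), ("filter-id", FILTER_ID_FORM)):
        print(name, resolve_role(parse_attrs(body), ROLE_MAP))
```

The VSA-only body yields no role (matching the "Filter-Id not received" warning in the question), while a Filter-Id value absent from the mapping table yields a role of None, which is the "failing to link the value" case the later reply describes.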
04-25-2019 09:34 AM
Hi José, just trying this at the moment but initially doesn't seem to have changed anything. Is there anything else that needs setting (or indeed removing) from the WLAN profile for Roles to take effect? Will a RADIUS Attribute Role always take precedence over something statically configured in the GUI?
At the moment there's a UTP configured against the WLAN, access VLAN is set to 1 with Dynamic Override ticked.
04-25-2019 10:00 AM
Hi Gerrard,
Yes, the profile obtained via the user role has precedence over the one in WLAN. If the UE is being assigned to the WLAN UTP it must be because it is still failing to link the value received in Access-Accept attribute to the correct profile.
You can enable Debug log level in Radius controller process to get some more details about what is received and a possible failure. If you can't sort it out, please open a Support ticket and we will look into your specific config in more detail.
Thanks.