
VSZ - Active Directory and Default Group Attribute Value

david_lynas
New Contributor III
Hello,

I am just wondering if anyone has got their VSZ setup with a WLAN that users log into the web authentication using accounts from Active Directory. 

I had this set up perfectly with the ZoneDirector but can't seem to get it to work with the VSZ.

The Admin Guide I have says I can set the default Group Attribute Value when configuring the Roles, but that option is not there. The option is there, however, when I configure a Proxy AAA, but when testing, the results return Primary server success but do not list the group (which I've read it should). When logging into the WLAN I get an Invalid username or password message.

Has anyone got this kind of setup working? I have a case open, just looking to see if people have the same issue.

Thanks.
26 REPLIES 26

ernesto_sesma
New Contributor
For some reason version 3.5.1.0.862, VSZ High, is not letting us use proxy mode. Does anybody know if this mode works in this version? I'm thinking that maybe I need an upgrade to fix some bug. Have any of you gone through this problem? When I changed the mode to non-proxy I started receiving errors and logs from the AP, but I wasn't able to receive logs from the cVSZ controller in proxy mode.

tim_hobson
New Contributor III
We have been in the fortunate situation where we have a ZD1200 on loan from our suppliers when we bought the vSZ license. 2 years on, we are still nowhere near to using the vSZ for what I want to do with it; however, it feels like we have some software that promised to deliver but simply doesn't. The vSZ is now running 5.1.

I was told years ago that the vSZ and the ZD software would almost be exactly the same; however, this isn't the case. It seems that the ZD software is more feature rich than the vSZ by a country mile.

It would seem that Ruckus have finally brought in the Active Directory Group lookup as shown here from my vSZ-H setup:

[Image]

However, they haven't yet implemented the ROLES side, so this user, who is a test user in our AD, is in the correct AD Group; however, they aren't limited to join a specific SSID.

Here is what I am using now in the ZD1200 and would have hoped to have seen the same in the vSZ, but this isn't the case:

[Image]

[Image]

What the above 2 images from my ZD1200 are showing is, picture 1 is showing the ZD querying our AD to find what group memberships user 2012 is part of. 

Picture 2 is showing the options under ROLES so that if the GROUP ATTRIBUTES field matches those that the user is part of in AD, the user is able to access that SSID.

This feature is missing from the vSZ and cannot be found!

I guess this is what others are waiting for and using RADIUS Authentication is not an option. We do Radius Accounting via our Smoothwall on the ZD1200.

Also what is missing on the vSZ, is the ability to have HOTSPOT (WSPr) set and to authenticate via Active Directory.

timothy_cumming
New Contributor II
I'm doing vSZ and have run into this problem, moving from ZD3050, and realize the features are just there in vSZ, disappointing. Also web authentication doesn't seem to work, having to do hotspot WISPr. Not impressed so far, so disappointed. I did some troubleshooting before my planned deployment next week. I discovered when doing AD auth, if a user is in one group it's fine, but if it's in multiple groups it's only the first queried group that works, and it's in alpha order.
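
The multi-group behaviour reported in the post above can be reproduced offline before a deployment. The following is an added example, not code from any poster or from Ruckus: it models the reported first-group-only comparison next to a check of every group, and the function names, role map and `memberOf` values are constructed assumptions.

```python
import re

def group_cns(member_of):
    """Return the CN of each group DN in an AD memberOf list."""
    cns = []
    for dn in member_of:
        # The first RDN ends at the first comma that is not backslash-escaped.
        first_rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
        key, _, value = first_rdn.partition('=')
        if key.strip().upper() == 'CN':
            # Undo DN escaping, e.g. "Staff\, Admin" -> "Staff, Admin".
            cns.append(re.sub(r'\\(.)', r'\1', value.strip()))
    return cns

def role_first_group_only(member_of, role_map):
    """Model of the reported behaviour: only the alphabetically first group is compared."""
    cns = sorted(group_cns(member_of), key=str.casefold)
    if not cns:
        return None
    wanted = {g.casefold(): r for g, r in role_map.items()}
    return wanted.get(cns[0].casefold())

def role_any_group(member_of, role_map):
    """Compare every group; role_map insertion order is the priority order."""
    cns = {c.casefold() for c in group_cns(member_of)}
    for group, role in role_map.items():
        if group.casefold() in cns:
            return role
    return None  # no mapped group: deny by default

# Constructed sample data (hypothetical group attribute value and role name).
ROLE_MAP = {"WiFi-BYOD": "byod-role"}
MULTI_GROUP_USER = [
    "CN=WiFi-BYOD,OU=Groups,DC=example,DC=test",
    "CN=Domain Users,CN=Users,DC=example,DC=test",
    "CN=Staff\\, Admin,OU=Groups,DC=example,DC=test",
]
SINGLE_GROUP_USER = ["CN=WiFi-BYOD,OU=Groups,DC=example,DC=test"]

if __name__ == "__main__":
    for name, groups in (("multi", MULTI_GROUP_USER), ("single", SINGLE_GROUP_USER)):
        print(name, role_first_group_only(groups, ROLE_MAP), role_any_group(groups, ROLE_MAP))
```

Running a test account's real `memberOf` list through both functions shows which users would be rejected solely because of group ordering.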

david_lynas
New Contributor III
I got round the problem in the end. BYOD WLAN setup as 802.1x EAP and the authentication server set as our RADIUS server (Smoothwall). In the Smoothwall box is now where we can limit the access to users that are a member of a certain AD group. Any users that we then want to have BYOD access we can add to a named security group and they can authenticate with their AD username and password.

Dave, how did you go about doing this? We are trying to do something similar using Windows NPS and are striking out. I have a AAA (RADIUS) server setup (our NPS) and I configured a specific WLAN for a NAS-ID. I enabled Web Auth and tied the Web Auth portal to the WLAN. The page comes up but no user can authenticate, period. If I change the portal to HotSpot WISPr, authentication works just fine...I'm not sure what the issue is here.