
vSZ 5.1 apply User Role to SSID(s) to allow access

tim_hobson
New Contributor III
We are finding it somewhat difficult to set up User Roles on vSZ 5.1 and assign them specific WLANs. For example, we would like a group of students to only access the Student-BYOD WLAN and Staff to access the STAF-BYOD.

It would seem this is not possible in vSZ, as I have been stuck with this problem for the last 2 years, unless I've completely missed it.

On the ZD1200 it can be found under Services & Profiles > Roles. In the vSZ, looking under Clients > User & Roles it's a completely different thing.

Can someone tell me where the image below can be configured in vSZ:
[Image]

[Image]
As you can see on the ZD, testing a user against AD and against Roles, the ZD knows what ROLE to give the user.


When I try to test the AAA AD server I've set up on the vSZ, I get the following message against a test user:
[Image]
I've tried my best to find the ROLES as on the ZD1200, so I'm now left with the message "The user will not be assigned to any roles."

Can somebody / anybody tell me where to configure the roles just like on the ZD1200?

Thanks

4 REPLIES

marcus_burton
New Contributor III
Hi Tim, sorry for the confusion. This is not supported currently on SZ--at least, not supported from the SZ's enforcement perspective. We have had many customers solve this by using AAA policies on the AAA server, using the WLAN attribute sent in the RADIUS request to allow/deny roles based on this input. 

thanks,
Marcus

tim_lillis
New Contributor II
Marcus, can you explain how to send the WLAN attribute in the RADIUS request?

marcus_burton
New Contributor III
Hey Tim, sorry for the late reply here. Sorry if you've already sorted this out. 

On the WLAN settings, configure a user-defined NAS ID (RADIUS options). This NAS ID is sent in RADIUS requests to the RADIUS server.
[Image]

On the RADIUS side, configure a policy allowing (or denying) user groups based on the NAS ID matching your configured definition on SZ. In the authentication exchange, this NAS ID is used as a match condition to allow/deny certain user groups. 

[Image]
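The RADIUS-side match described in the reply above, as an added example that is not part of the thread and is not Ruckus or NPS code: it reads the NAS-Identifier (attribute type 32, RFC 2865) from an Access-Request and allows or denies by group. It assumes each WLAN's NAS ID is set to the WLAN name; the group names, user names and helper names are hypothetical, and password verification, which a real server does first, is left out.

```python
import struct

USER_NAME, NAS_IDENTIFIER = 1, 32   # RADIUS attribute types (RFC 2865)

# Assumed policy: NAS ID configured on each WLAN -> groups allowed on it.
POLICY = {"Student-BYOD": {"Students"}, "STAF-BYOD": {"Staff"}}
# Constructed stand-in for the AD group lookup.
DIRECTORY = {"alice": {"Students"}, "bob": {"Staff"}}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first occurrence
        pos += alen
    return attrs

def decide(packet: bytes, directory: dict = DIRECTORY) -> str:
    """Authorization step only: match NAS ID, then require group membership."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace")
    allowed = POLICY.get(nas_id)
    if allowed is None:
        return "reject"              # missing or unknown NAS ID: deny by default
    return "accept" if directory.get(user, set()) & allowed else "reject"

def build_request(user: str, nas_id: str) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    pairs = ((USER_NAME, user.encode()), (NAS_IDENTIFIER, nas_id.encode()))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for user, wlan in (("alice", "Student-BYOD"), ("alice", "STAF-BYOD")):
        print(user, wlan, decide(build_request(user, wlan)))
```

The default-deny branch matters: a WLAN left without a configured NAS ID should not fall through to an accept.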

Please help me,

I want to configure the NAS ID on NPS on Windows Server.

Can you guide me to configure it?