vSZ 6.1.1 - role based Web Auth - AD groups bug

tim_hobson
New Contributor III

For the last 7 years we have been waiting for Ruckus to bring in Role Based Access and Groups for Web Auth, and now that my 1200 bricked itself the other day we were forced to move over to vSZ 6.1.1.

To say Ruckus have implemented and "fixed this issue", they have done half a job and I hope someone at Ruckus can deploy a patch PDQ (pretty **bleep** quick) because our users are struggling to authenticate themselves.

Basically the issue is...

Our users authenticate themselves against a WISPr hotspot which forces them to a webpage.

If the user's AD account belongs to any AD groups and the names (cn field) of these AD groups add up to 379 or more, they cannot authenticate against the wireless network.

So for example, User1 is a member of 20 groups and the names (cn field) of the groups contain 18 characters each (including spaces), this takes the group name character count up to 360. The user will be able to authenticate against the wireless network.

If User1 is then added to a group whose name (cn field) has 19 characters or more (including spaces), the user will not be able to authenticate against the wireless because the total character count for the group names totals 379.

If User1 was added to a group whose group name (cn field) was 18 characters long, User1 would be able to authenticate against the wireless network.

I hope there are others out there who have this issue because I know this doesn't just apply to us.

syamantakomer
Community Admin

Hi Tim,

I suspect this is not a bug but a limitation, let us check and get back to you.

@remya_murugesh, could you please check this one.


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!

remya_murugesh
RUCKUS Team Member

Hi Tim,

As per design, we have the "Group Attribute Value" max length restricted to 255. If the GAV length is more than 255, then the SZ version 6.1.1 is designed to self truncate the received value to 255 and pass the authentication.

Since this is not working as designed in your environment, please consider opening a TAC ticket as this needs more debugging or troubleshooting.

Thanks
Remya Murugesh
Staff Technical Support Engineer

tim_hobson
New Contributor III

The "Group Attribute Value" needs to be unlimited for this to work in schools as you'll find staff or even students might be part of a lot of groups which are sync'd from the School's main database.

I have this raised with my reseller at the moment and from what I understand it has been passed up further to Ruckus.

Personally, I think Ruckus should have taken the good parts from the 1200 controller (version 10) and moved them across to the vSZ as the vSZ seems like it is lacking some main features, not to mention not being configured properly.

remya_murugesh
RUCKUS Team Member

Hi @tim_hobson ,

This is acknowledged. There are efforts in place to match the group attribute support as in ZD on SZ, however, we do not have an ETA yet on the same as it is still a work in progress. 

Thanks
Remya Murugesh
Staff Technical Support Engineer
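
Added example, not part of the thread and not RUCKUS code: a Python audit that sums the group cn lengths from each user's `memberOf` DNs and flags accounts against the two figures mentioned above (379 as observed by the poster, 255 as the stated design limit). The sample DNs, the status labels and the assumption that only cn characters are counted (no separators) are constructed for illustration.

```python
import re

# Assumption: vSZ counts cn characters only, with no separators between names.
OBSERVED_FAIL_AT = 379    # total cn characters at which the poster saw logins fail
DESIGN_TRUNCATE_AT = 255  # "Group Attribute Value" max length quoted by support

def group_cn(dn: str) -> str:
    """Return the unescaped cn from the first RDN of a memberOf DN (RFC 4514)."""
    raw, i = bytearray(), 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raw.append(int(pair, 16))      # \2C style hex escape
                i += 3
            else:
                raw += dn[i + 1].encode()      # \, style single-character escape
                i += 2
        else:
            raw += dn[i].encode()
            i += 1
    attr, sep, value = raw.decode("utf-8").partition("=")
    if not sep or attr.strip().lower() != "cn":
        raise ValueError(f"first RDN is not a cn: {dn!r}")
    return value

def audit(users: dict) -> dict:
    """Map each user to (total cn characters, status)."""
    report = {}
    for user, member_of in users.items():
        total = sum(len(group_cn(dn)) for dn in member_of)
        status = ("at-risk" if total >= OBSERVED_FAIL_AT
                  else "over-255" if total > DESIGN_TRUNCATE_AT else "ok")
        report[user] = (total, status)
    return report

# Constructed sample data: 20 groups with 18-character names, then one of 19.
BASE = [f"CN=Year-{n:02d}-StaffShare,OU=Groups,DC=example,DC=org" for n in range(20)]
SAMPLE = {
    "User1": BASE,
    "User2": BASE + ["CN=Library Access Team,OU=Groups,DC=example,DC=org"],
    "User3": ["CN=Staff\\, Science,OU=Groups,DC=example,DC=org"],
}

if __name__ == "__main__":
    for user, (total, status) in audit(SAMPLE).items():
        print(f"{user}: {total} cn characters -> {status}")
```

Feed it the `memberOf` values exported from your directory to list the accounts that need group cleanup before they hit the hotspot login.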