Currently, users are authenticated with AD via a Bradford device. The Bradford sets the dynamic vlan on the clients based on the Security Group they are a member of in AD. The bradford is no longer supported and I am trying to get rid of it from the network.
AP management is untagged using Vlan 18, while the client vlans (2, 4 and 6) are tagged to the AP ports.
I have a network policy in NPS for my Eng users which use Vlan 2:
Framed- Protocol - PPP
Service-Type - Framed
Tunnel-Medium-Type - 802
Tunnel-Type - Virtual LANs
Tunnel-Assignment-ID - 2
Vender Code: 25053
Attribute Number 1
Attribute Value : CORP
The CORP role is configured on the Zone Director, however my client is always in Default, even with sending the CORP attribute.
I've confirmed my network configuration is correct by entering each vlan into the VLAN ID box on the WLAN. When I connect with Vlan 2 set, I get an IP in that Vlan, etc.
With Dynamic VLAN checked, and Vlan 1 in the VLAN ID box, I receive an IP in the AP management range, not in the proper vlan.
I'm running a pair of ZD1100s with Smart Redundancy on 9.8 build 373
Re-reading your inquiry Joe, what Bradford did was assign a DVLAN in the access-accept of the 802.1x exchange, with a client DM/re-auth in order to reconnect with the newly assigned VLAN. I don't think just returning/assigning a CORP role is enough to change the VLAN ID.
To troubleshoot, from the ZD's Administer/Diagnostics page, enable debug components RADIUS, 802.1x, Dynamic VLAN, and enter your test client MAC address in the box.
Power on the client/radio to capture all connection messages, and proceed to login with uid/pw to AD. Note the client observations, initial IP, subsequent IP, and save the ZD debug info file. Use the support page Log Analyser, or request interpretation from Ruckus tech support, to follow your client transactions in the Event logs. Do you see the new VLAN ID in the radius access-accept, and is it applied by ZD?
You can also capture the br0 interface traffic of the AP your test client connects to, and will see the packet exchange and contents between your client and the AAA/AD server.
Compare a Bradford session with the AAA/AD only session output.