I'm trying to setup Self-Service Guest Access on customer's ZD but they require that select domain users can only approve Self-Service access request. Customer created a new group (sponsor/approvers) in AD and added only a few domain users as members. Also created a Role in ZD matching the new group on Group Attribute. Ruckus Support told me before to configure LDAP on ZD and set a search filter so that only the members of the AD group can login and approve Self-Service requests. Initial tests were successful and I thought that everything's OK so I left it at that.
However, I returned to the customer's office a few weeks later and saw that even non-members of the group was able to approve Self-Service requests. My question now is is it really possible to filter sponsors that can approve via LDAP? Below is the LDAP configuration I did based on customer's settings. I replaced the actual company domain name but everything else is the same.
CN=Ruckus Service Account,OU=Service Accounts,DC=CORP,DC=COMPANY,DC=COM
|(objectClass=Person)(memberOf=CN=Ruckus-WifiApprovers,OU=Domain Security Groups,DC=CORP,DC=COMPANY,DC=COM)
Ruckus-WifiApprovers is the Group Attribute that I configured in Roles. That is the same group in AD that customer created.
I also thought that maybe because the Self-Service Guest SSID is allowed in Default Role so I removed it from there and only allowed it on Ruckus-WifiApprovers Role but result is the same. This is driving me crazy.