I'm trying to setup Self-Service Guest Access on customer's ZD but they require that select domain users can only approve Self-Service access request. Customer created a new group (sponsor/approvers) in AD and added only a few domain users as members. Also created a Role in ZD matching the new group on Group Attribute. Ruckus Support told me before to configure LDAP on ZD and set a search filter so that only the members of the AD group can login and approve Self-Service requests. Initial tests were successful and I thought that everything's OK so I left it at that.
However, I returned to the customer's office a few weeks later and saw that even non-members of the group was able to approve Self-Service requests. My question now is is it really possible to filter sponsors that can approve via LDAP? Below is the LDAP configuration I did based on customer's settings. I replaced the actual company domain name but everything else is the same.
base dn dc=corp,dc=company,dc=com
admin dn CN=Ruckus Service Account,OU=Service Accounts,DC=CORP,DC=COMPANY,DC=COM
Ruckus-WifiApprovers is the Group Attribute that I configured in Roles. That is the same group in AD that customer created.
I also thought that maybe because the Self-Service Guest SSID is allowed in Default Role so I removed it from there and only allowed it on Ruckus-WifiApprovers Role but result is the same. This is driving me crazy.
Turned out I have to disable guestpass generation on Default Role. Everythings working now. My problem now is you can only have one authentication server for all Self-Service profiles you create. Support said this is working as designed. Sad.