Vlan – Wireless (Ruckus) and Dynamic VLAN Assignment via Microsoft NPS

dhcpieee-802.1xvlanwireless

Our current 802.11 setup has a large number of SSIDs to segregate traffic by subnet. This isn't ideal, and I've been attempting to consolidate to a single SSID but use dynamic VLANs instead.

This is on a Ruckus Zonedirector 3000 and Microsoft NPS as the RADIUS server.

My test clients connect to the SSID, and are prompted for credentials. I can see the credentials accepted on the NPS server, and wireshark confirms the Access-Accept message contains the Tunnel-Private-Group-ID value for the desired VLAN.

At this point the client stalls trying to get a DHCP lease. The DHCP server is working, as these are existing scopes and subnets and I can connect a wired client into the switch on an access port for the same vlan and get a lease.

Wireshark shows no DHCP broadcast request from the client at all.

The switchport for the AP is a trunk, with the VLAN tagged and allowed.

Any assistance would be greatly appreciated!
Rob

Best Answer

I found the answer here:

http://forums-archive.ruckuswireless.com/forums/8/topics/1278

NPS does not return AD group memberships back to the ZoneDirector without setting a vendor-specific attribute on NPS. A role has to be configured for each group on the ZoneDirector and a network policy has to be configured for each group on NPS.

This seems rather redundant as I've already got authorization and vlan assignment happening on NPS, why would the ZoneDirector also require a role to authorize access to the specified WLAN? Oh well at least it works now.

Related Solutions

Mobile devices behind wireless bridge not getting IP address

This sounds like broken broadcast to me.

First, the fact that your laptop works is maybe due to how Windows tend to do strange things with DHCP, like trying a unicast DHCPREQUEST with its previous lease to try to renew it. I assume that it only works in your case because you always connect to the main site before connecting to the remote site, or your laptop was never connected to another network. Try connecting a laptop that has never seen the main network before, or use a LiveCD. I would expect it to not work.

Either fix/configure your wireless bridge to support broadcast (I would look at the AP side, you maybe have to register the client bridge or something) or deploy a DHCP relay on your remote site.

Vlan – IPv6 DHCP Server vs Router

IPv6 has more options for configuring addresses than IPv4. The process works as follows:

A new client joins the network and sends a Router Solicitation (RS)
Each router (can be multiple) sends a Router Advertisement (RA)
- This happens both on request (when receiving an RS) as well as periodically
The RA contains a lot of information on how the network is run:
- If the router sending the RA can be a default gateway, and for how long
- Telling clients if there is a stateless (not giving out addresses, only providing extra information like DNS settings) DHCPv6 server on the network (the O=other flag)
- Telling clients if there is a stateful (like in IPv4) DHCPv6 server on the network (the M=managed flag)
- Telling clients about the prefixes in use on the network
  - For each prefix: tell the clients if they can auto-configure an address by themselves (the A=autoconf flag)
- And possibly lots of other stuff

If you want to run a fully managed network where the DHCPv6 server manages all the addresses (and please think why you want this before choosing it, if you don't use the information in the DHCPv6 server then letting clients configure their own addresses is much easier) then the router has to turn off the A (autoconf) flag for every prefix it announces and turn on the M (managed) flag so that clients know that they are not allowed to choose their own addresses but that there is a DHCPv6 server available to help them.

This is how to do that on a Cisco router:

; Go to the interface configuration
interface FastEthernet0/0
  ; Tell clients that auto configuration is not allowed
  ; This changes the default parameters.
  ; You have to specify the timers, so I use the standard values
  ipv6 nd prefix default 2592000 604800 no-autoconfig
  ;
  ; Tell the clients that there is a stateful DHCPv6 server available
  ipv6 nd managed-config-flag

; Repeat this for every (sub)interface where you want to force clients to use DHCPv6.

Also note: You need those RA packets. DHCPv6 only provides information, and optionally addresses. It does not provide a default gateway. That is done using RA. The idea here is that routers usually have better information on routing and gateways than DHCP servers, with the added benefit that you can have multiple routers on one subnet acting as default gateways with clients load balancing between them etc.

Best Answer

Related Solutions

Mobile devices behind wireless bridge not getting IP address

Vlan – IPv6 DHCP Server vs Router

Related Topic