02-06-2017 04:45 AM
Team,
Please share what features we support with the RUCKUS WLAN controller, as I see from the ISE2.1 and ISE2.2 compatibility guides that we have only Authentication and Profiling support, and it doesn't support Posturing, BYOD and URL redirection.
Please confirm, as we need to confirm a proposal to a customer which will be ordered next week.
Thanks,
Phanikumar
02-06-2017 02:17 PM
Phanikumar,
Our ISE Compatibility Guides outline support based on these feature requirements:
Feature | Functionality |
---|---|
AAA | 802.1X, MAB, VLAN Assignment, dACL |
Profiling | RADIUS CoA and Profiling Probes |
BYOD | RADIUS CoA, URL Redirection + SessionID |
Guest | RADIUS CoA, URL Redirection + SessionID, Local Web Auth |
Guest Originating URL | RADIUS CoA, URL Redirection + SessionID, Local Web Auth |
Posture | RADIUS CoA, URL Redirection + SessionID |
MDM | RADIUS CoA, URL Redirection + SessionID |
TrustSec | SGT Classification |
Ruckus does not natively support URL Redirection; therefore we do not document that it supports those scenarios in our Compatibility Guide.
The document ISE 2.1 Integration with Ruckus 1200 Wireless: BYOD & Posture using Auth VLAN shows how to do a workaround using the DNS/DHCP capabilities to get them to do those things:
3.5 Configuring the DHCP/DNS services in ISE for Auth VLAN flow
The Auth VLAN flow is designated for third-party devices which don’t support the URL-redirection option.
How Auth VLAN flow works:
1. The guest endpoint connects to the network device.
2. The device sends Radius/MAB request to ISE.
3. ISE runs the MAB Authentication/Authorization policy.
4. ISE stores the Guest Portal details on the user session on Session cache.
5. ISE responds with the Radius Access carrying the Guest VLAN name.
6. The guest endpoint obtains network access.
7. The endpoint broadcasts a DHCP request and obtains a client IP address and the ISE sinkhole DNS IP address from the ISE DHCP service.
8. Endpoint browser sends a DNS query and receives the ISE’s IP address.
9. Endpoint HTTP/S request is directed to the ISE box.
10. ISE maps the client IP address to the MAC address using DHCP query.
11. ISE searches the user session by the MAC address, extracts the Guest portal details and builds the portal URL.
12. ISE responds with HTTP 301/Moved providing the guest portal URL.
13. The endpoint browser redirects to the Guest portal page.
14. The client authenticates in Guest portal.
15. ISE issues a CoA request with authorization details.
16. Endpoint obtains access to the corporate network.
17. Endpoint receives an IP address from the enterprise DHCP.
We also publicly document our Ruckus integration in Third Party NAD Profile & Config.
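The redirect half of the Auth VLAN flow (steps 8 to 12 above), modeled as an added Python example; it is not part of the original post or Cisco's code. The addresses, MACs, session values and the portal URL layout are constructed, and the `None` status for a failed lookup is this model's choice, since the page does not say what ISE returns in that case.

```python
from urllib.parse import urlencode

ISE_IP = "192.0.2.10"  # constructed: ISE sinkhole address (TEST-NET-1 range)

# Constructed state. Step 7: leases handed out by the ISE DHCP service.
dhcp_leases = {
    "192.0.2.101": "AA:BB:CC:00:11:22",
    "192.0.2.102": "AA:BB:CC:00:33:44",
}
# Step 4: session cache keyed by MAC, written during MAB authorization.
session_cache = {
    "AA:BB:CC:00:11:22": {"session_id": "sess-0001", "portal": "guest-portal-1"},
}


def sinkhole_dns(qname):
    """Step 8: in the Auth VLAN every queried name resolves to ISE."""
    return ISE_IP


def handle_http(client_ip):
    """Steps 10-12: client IP -> MAC -> session -> 301 to the portal URL."""
    mac = dhcp_leases.get(client_ip)          # step 10: DHCP lookup
    if mac is None:
        return None, {}, "no DHCP lease for client IP"
    session = session_cache.get(mac)          # step 11: session by MAC
    if session is None:
        return None, {}, "no session for MAC"
    # Hypothetical URL layout; the page only says the portal URL is built
    # from the portal details stored on the session.
    query = urlencode({"portal": session["portal"],
                       "sessionId": session["session_id"]})
    return 301, {"Location": f"https://{ISE_IP}:8443/portal?{query}"}, ""


def browse(client_ip, url_host):
    """Steps 8-12 as seen from the endpoint."""
    server_ip = sinkhole_dns(url_host)        # step 8
    if server_ip != ISE_IP:                   # step 9 needs the sinkhole answer
        return None, {}, "DNS did not return the sinkhole address"
    return handle_http(client_ip)


if __name__ == "__main__":
    for ip in ("192.0.2.101", "192.0.2.102", "192.0.2.200"):
        print(ip, browse(ip, "example.com"))
```

The two failure branches mark the lookups the redirect depends on: a lease that maps the client IP to a MAC, and a session cached for that MAC.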
02-06-2017 04:51 AM
According to the Cisco Identity Services Engine Network Component Compatibility, Release 2.2, it seems that Ruckus has the same support.
02-06-2017 05:18 AM
Hi,
Ruckus ZD 1200 was tested with ISE 2.2 using the AuthVLAN flow.
For more info, please check out this link:
Integration Between ISE2.1 and Ruckus 1200 Wireless -BYOD/Posture flows using Auth VLAN
07-30-2017 09:19 PM
Hi Thomas,
I am doing a POC at my client. I tried the Auth VLAN method, and it works on the first try. However, on my subsequent tries on the same device, the user is redirected but the browser shows that it can't reach the page anymore. Any inputs on this?
07-31-2017 03:54 AM
DNS problem? ACL problem? Troubleshoot with TAC as well.
08-13-2017 07:34 AM
Hi Jason,
Thanks, but it doesn't seem like a DNS / ACL problem since it works on the first attempt. Anyway, I am trying to replicate the issue in my lab and let's see whether it can be resolved.
08-13-2017 07:58 AM
Try to remove the MAC address from the endpoints page.
Also try to send a CoA from MnT (live session page) to kill that session.
09-29-2017 05:50 AM
Hi all,
I have tested in my lab, and it seems that the issue only happens on Ruckus ZD1200 version 9 software. I have tested using software version 10, and everything works perfectly fine.