Category Archives: Ruckus

Ruckus ICX Radius logins

I refer back to these commands a lot and thought they might help someone else. This will allow the Ruckus or Brocade ICX switches to authenticate to a radius server for logins to the device.

aaa authentication web-server default radius local enable
aaa authentication login default radius local enable
aaa authentication login privilege-mode

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 default key $aWdAblUmc3JuVSY9Z1k= dot1x

A few things to note about this. I am setting the web-server login and SSH logins to use radius, then if radius is not available use local authentication settings.

The login privilege-mode command bypasses the enable password and logs be straight in a privileged.

Advertisements

Ruckus ICX untagged vlan port config

I have been working with Brocade ICX and now Ruckus ICX for a few years now. They are awesome switches.

I was asked a couple of times about something that was happening when someone would try and set the untagged or access vlan on a port. They would get this error:

error – port ethe x/x/x are not member of default vlan

The reason we were getting this error is because other vlans were attached to port as either untagged or tagged. To put a port into a vlan other than default as ‘untagged’ we need to make sure no other vlans are bound to that port. To do this we can check what vlans are attached to the port. In this scenario my default vlan is 999. It would be 1 on a switch that it was not manually changed on.

switch#show vlan br eth 1/1/3

Port 1/1/3 is a member of 2 VLANs

VLANs 32 48

Untagged VLAN : 999

Tagged VLANs : 32 48

Great, so now we know its untagged 999 (default) but tagged those 2 other ports. We need to remove the tags of 32 and 48 on this port before we can add it untagged into vlan 16 – which is the goal

switch#config t

switch(config)#vlan 32

switch(config-vlan-32)#no tag eth 1/1/3

switch(config-vlan-32)#vlan 48

switch(config-vlan-48)#no tag eth 1/1/3

Voice-vlan is cleared on port 1/1/3

switch(config-vlan-48)#

switch(config-vlan-48)#exit
switch(config)#vlan 16

switch(config-vlan-16)#unt eth 1/1/3

Added untagged port(s) ethe 1/1/3 to port-vlan 16.

switch(config-vlan-16)#exit

switch(config)#exit

switch#show vlan br eth 1/1/3

Port 1/1/3 is a member of 1 VLANs

VLANs 16

Untagged VLAN : 16

Tagged VLANs :

 

Thats it! now we are untagged or access in vlan 16. But wait! what if we wanted to have it be a trunk port to allow vlans 32/48 and be native 16. Then we would use the ‘Dual port’ command with the modification of the untagged vlan like this:

dual mode 16¬†¬† — means untagged 16, but allow whatever vlans are tagged to pass. Of course vlans 16,32,48 would need to be tagged on the port first. I will write another entry about that.

Ruckus Zonedirector LDAP setup

Within ZD we might need to enable LDAP look ups to facilitate in using Active Directory logins to the firewall for administration, or authentication for Guest pass creation/ZeroIT.

Recently I had to do this, and it had been a while, so I decided to write a short entry on it.

So in this case I am configuring LDAP for use with Guest pass so domain users have to sponsor guest wireless accounts.

Below shows the options for our Test-AD LDAP server. There are some key things here.

Notice in this case we are not using TLS.

The Base DN and admin DN are the location of the user who can perform lookups in AD. The best way to find this info is going to AD user/computers and under “View” enable “Advanced features” then go into the details of the user account- you will have a “attribute editor” tab. The User DN is located, if you double click that attribute you can copy it directly.

Next key attribute is “sAMAccountName” under key attribute – that attribute is really just the windows user login account name.

ldap1

That’s it! I will do another entry on setting up guest pass where domain users can sponsor accounts.

Enabling LLDP in Ruckus wireless

Ruckus has finally built in the ability to use LLDP to find Access points. I was so excited when I found this out, I installed the newest firmware and was ready to be blown away – and alas.. no LLDP. So, what was wrong? LLDP is not enabled by default! You have to go into the AP group via CLI and enable LLDP. No biggie.

This feature comes in software version ZDXXX 9.9.0.0.205 GA Software Release .

To enable LLDP – SSH into the zonedirector

Then after logging in run these commands

enable

config

ap-group “System Default”

LLDP enable

exit

exit

Here are some screenshots:

LLDP-3

As you can see, by just doing a “Show” it is disabled:

LLDP-1

After running the command: “LLDP enable”

LLDP-2

And BAM: now I can find my APs no matter where they are plugged in at

LLDP-5-edit

Dynamic Vlans with Ruckus wireless and Microsoft NPS

Hello all, I recently was given a strange task. An office needs to have everyone in there office on different vlans. The reason for this is that each user is developing software and they need to test VIA wireless to other wireless¬† devices. Lots and Lots of broadcast, as well as different subnets. So, how can we separate each of these users wirelessly and give each of them their own “play space”? You can accomplish this a couple ways: We can have 100 different WLANs, each with their own Vlans, or use 1 SSID and use Dynamic Vlans to separate them out.

The tools I will be using are – Ruckus Wireless Zondirector, and APs, Microsoft NPS, and Wireshark to take a better look at what is happening at the packet level.

So first lets setup everything. We need to use 802.1x authentication for WLAN Access. I will not walk through all the steps here but definitely do another blog entry on setting that up. So lets assume as of now we have 802.1x working great for authentication.

Our next step is that we need to create new Security Groups in AD and add our users to them. I added groups that reflected the Vlan name. For example WIFI-VLan-150 and then added my user I want to get VLAN 150 to.

Next lets create our Radius Policies.

Create a new Network Policy- match the Group, add your Encryption and other settings. See below:

1

Then add your Constraints that you would like:

constraints

Next the magic happens – we have to add in our Radius attributes . These are Standard radius attributes. We will add 4 802.1x attributes.

Attributes to add:

1. Tunnel-Assignment-ID – String – Vlan ID.

2. Tunnel-Type – Select Virtual Lans (VLANS)

3. Tunnel-Medium-Type – Value – 802 – Commonly used for 802.1x

4. Tunnel-Pvt-Group-ID – Value – String – Vlan ID. Note – I did not add this at first, this attribute is what fixed my issue, and successfully pushed the Vlan ID to my client.

Here is a screenshot of all the attributes:

attributes

Make sure this policy is above your default policies. The next screen shot shows my order of policies. Notice I have one for 666 vlan, and 150. Then there is a domain computer, then a catch all for domain users.

policies

That’s it for Radius, now we need to create the WLAN for in Ruckus for our Dynamic Vlans. Remember, we are assuming everything works great with Radius authentication from the get go.

The main thing when creating the WLAN in Ruckus is to use 802.1x for authentication, and then under “Advanced” check the “Dynamic Vlan” box. You will notice I am using “SRV-dir03” For authentication (My Radius Server). Apply this and we should be golden.

ruckus

To check and make sure you are on the correct vlan/wlan you can always check your ip address or look into Ruckus and see what your info is. You Notice mine –

jc

Ruckus wireless – Stuck in provisioning

Sometimes when we deploy Ruckus APs remotley over a VPN, they will come up in the Zondirector but will stay on provisioning. then reboot after a bit, and then come back in as provisioning. The reason this happens is that the extra overhead of the added IPSEC header

The cause is the MTU on the Ruckus ZD. Sometime you will have to lower this due to the overhead added to the packet with the IPSEC tunnel.

To lower the MTU of the ZD (First step in troubleshooting APs across a VPN) is to go to configure – APs – and towards the bottom of the page you will see the MTU setting. I would lower this all the way for testing – Lower to 850 or 900. After lowing give the APs 5 minutes to show up in the ZD.

Capture