Category Archives: Ruckus

Ruckus Zonedirector LDAP setup

Within ZD we might need to enable LDAP look ups to facilitate in using Active Directory logins to the firewall for administration, or authentication for Guest pass creation/ZeroIT.

Recently I had to do this, and it had been a while, so I decided to write a short entry on it.

So in this case I am configuring LDAP for use with Guest pass so domain users have to sponsor guest wireless accounts.

Below shows the options for our Test-AD LDAP server. There are some key things here.

Notice in this case we are not using TLS.

The Base DN and admin DN are the location of the user who can perform lookups in AD. The best way to find this info is going to AD user/computers and under “View” enable “Advanced features” then go into the details of the user account- you will have a “attribute editor” tab. The User DN is located, if you double click that attribute you can copy it directly.

Next key attribute is “sAMAccountName” under key attribute – that attribute is really just the windows user login account name.


That’s it! I will do another entry on setting up guest pass where domain users can sponsor accounts.

Enabling LLDP in Ruckus wireless

Ruckus has finally built in the ability to use LLDP to find Access points. I was so excited when I found this out, I installed the newest firmware and was ready to be blown away – and alas.. no LLDP. So, what was wrong? LLDP is not enabled by default! You have to go into the AP group via CLI and enable LLDP. No biggie.

This feature comes in software version ZDXXX GA Software Release .

To enable LLDP – SSH into the zonedirector

Then after logging in run these commands



ap-group “System Default”

LLDP enable



Here are some screenshots:


As you can see, by just doing a “Show” it is disabled:


After running the command: “LLDP enable”


And BAM: now I can find my APs no matter where they are plugged in at


Dynamic Vlans with Ruckus wireless and Microsoft NPS

Hello all, I recently was given a strange task. An office needs to have everyone in there office on different vlans. The reason for this is that each user is developing software and they need to test VIA wireless to other wireless¬† devices. Lots and Lots of broadcast, as well as different subnets. So, how can we separate each of these users wirelessly and give each of them their own “play space”? You can accomplish this a couple ways: We can have 100 different WLANs, each with their own Vlans, or use 1 SSID and use Dynamic Vlans to separate them out.

The tools I will be using are – Ruckus Wireless Zondirector, and APs, Microsoft NPS, and Wireshark to take a better look at what is happening at the packet level.

So first lets setup everything. We need to use 802.1x authentication for WLAN Access. I will not walk through all the steps here but definitely do another blog entry on setting that up. So lets assume as of now we have 802.1x working great for authentication.

Our next step is that we need to create new Security Groups in AD and add our users to them. I added groups that reflected the Vlan name. For example WIFI-VLan-150 and then added my user I want to get VLAN 150 to.

Next lets create our Radius Policies.

Create a new Network Policy- match the Group, add your Encryption and other settings. See below:


Then add your Constraints that you would like:


Next the magic happens – we have to add in our Radius attributes . These are Standard radius attributes. We will add 4 802.1x attributes.

Attributes to add:

1. Tunnel-Assignment-ID – String – Vlan ID.

2. Tunnel-Type – Select Virtual Lans (VLANS)

3. Tunnel-Medium-Type – Value – 802 – Commonly used for 802.1x

4. Tunnel-Pvt-Group-ID – Value – String – Vlan ID. Note – I did not add this at first, this attribute is what fixed my issue, and successfully pushed the Vlan ID to my client.

Here is a screenshot of all the attributes:


Make sure this policy is above your default policies. The next screen shot shows my order of policies. Notice I have one for 666 vlan, and 150. Then there is a domain computer, then a catch all for domain users.


That’s it for Radius, now we need to create the WLAN for in Ruckus for our Dynamic Vlans. Remember, we are assuming everything works great with Radius authentication from the get go.

The main thing when creating the WLAN in Ruckus is to use 802.1x for authentication, and then under “Advanced” check the “Dynamic Vlan” box. You will notice I am using “SRV-dir03” For authentication (My Radius Server). Apply this and we should be golden.


To check and make sure you are on the correct vlan/wlan you can always check your ip address or look into Ruckus and see what your info is. You Notice mine –


Ruckus wireless – Stuck in provisioning

Sometimes when we deploy Ruckus APs remotley over a VPN, they will come up in the Zondirector but will stay on provisioning. then reboot after a bit, and then come back in as provisioning. The reason this happens is that the extra overhead of the added IPSEC header

The cause is the MTU on the Ruckus ZD. Sometime you will have to lower this due to the overhead added to the packet with the IPSEC tunnel.

To lower the MTU of the ZD (First step in troubleshooting APs across a VPN) is to go to configure – APs – and towards the bottom of the page you will see the MTU setting. I would lower this all the way for testing – Lower to 850 or 900. After lowing give the APs 5 minutes to show up in the ZD.