Kevin Raditheo
Beginner

Cisco ISE with Ruckus Wireless Controller

Hi All,

Does anyone have experience integrating Cisco ISE with a Ruckus wireless controller, such as ZoneDirector and SmartZone?

I have a PoV integrating these products. So far I have managed to use features like Dot1x authentication, guest authentication with the Ruckus guest portal (not CWA), and dynamic VLAN assignment.

Has anyone managed to use other features, such as ACL assignment or others?

Thanks for your insight.

Kevin

1 ACCEPTED SOLUTION

Accepted Solutions
thomas
Cisco Employee

Kevin,

We have support for Ruckus Wireless in ISE 2.1 as stated in our Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco.

Screen Shot 2017-02-28 at 10.12.17 AM.png

VLAN assignment should work as part of basic 802.1X; however, you will notice that Ruckus does not support RADIUS CoA and/or URL redirection as required to do redirection for WebAuth or Guest.

Screen Shot 2017-02-28 at 9.59.08 AM.png

Our ISE Third-Party NAD Profiles and Configs does have a documented configuration for ISE working with Ruckus: Ruckus-1200-NAD-config


11 REPLIES 11

Hi Thomas,

Yes, I tried VLAN assignment and it works. URL redirect will not work, so CWA isn't supported. But I managed to use the Ruckus local guest portal instead, and integrated it with Cisco ISE for external identity.

How about Dynamic ACL? Have you tried this feature? I tried to map the Access List on the NAD profile for Ruckus to Ruckus-User-Groups, and I created a User Role on the Ruckus controller. But it failed when ISE tried to assign a user to the role.

Thanks

Kevin

You will need to consult the Ruckus documentation for their feature support (ACLs) and exactly how they are configured.

ISE can support any RADIUS attribute. So if they do not accept one that is already included in ISE, simply import any Ruckus RADIUS dictionary file and you can use those attributes to control the sessions.

If you get it working, please share the details for others to do the same!
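
As an added illustration (not part of the thread, and not Cisco or Ruckus code), this Python sketch shows how a vendor attribute such as Ruckus-User-Groups is carried inside a RADIUS Vendor-Specific attribute next to the VLAN attribute, which is useful when checking in a packet capture what ISE actually returns. The vendor ID 25053 and attribute number 1 are assumptions taken from the FreeRADIUS Ruckus dictionary; the VLAN and role values are constructed.

```python
import struct

# Assumptions (not stated in the thread): Ruckus enterprise number 25053 and
# Ruckus-User-Groups = vendor type 1 (string), as in the publicly distributed
# FreeRADIUS dictionary.ruckus. Confirm against the dictionary you import.
RUCKUS_VENDOR_ID = 25053
RUCKUS_USER_GROUPS = 1
VENDOR_SPECIFIC = 26          # RFC 2865, section 5.26
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868, used for dynamic VLAN assignment


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def parse_attributes(data: bytes):
    """Yield (type, value) for each type/length/value entry in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def vendor_attributes(data: bytes, vendor_id: int) -> dict:
    """Return {vendor_type: value} for every sub-attribute of one vendor."""
    found = {}
    for atype, value in parse_attributes(data):
        if atype != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", vendor_id):
            continue
        # Sub-attributes use the same type/length/value layout (RFC 2865).
        for vtype, vvalue in parse_attributes(value[4:]):
            found[vtype] = vvalue
    return found


# Constructed sample: attribute list of an Access-Accept that assigns a VLAN
# (tag byte 0x00 + "20") and a role name "staff"; both values are made up.
SAMPLE = (bytes([TUNNEL_PRIVATE_GROUP_ID, 5, 0]) + b"20"
          + encode_vsa(RUCKUS_VENDOR_ID, RUCKUS_USER_GROUPS, b"staff"))
```
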

Hi, how did you do that? I also have a PoV of ISE integration with Ruckus, but the endpoint is unable to authenticate. What docs did you use for reference?

Hi Maria,

Yes, I managed to integrate Cisco ISE with Ruckus SmartZone and ZoneDirector for 802.1X and web auth using the Ruckus portal (not CWA). I didn't use any docs; I just did the basic config in ISE and some trial and error with the Ruckus controller.

I don't know which Ruckus controller you use in your PoV, but AFAIK it's either SZ or ZD.

I'm sharing some screenshots of my config for reference. If it's still not clear, you can contact me directly.

Hope this might help.

Kevin

Screenshot 2017-03-02 16.36.03.png

Screenshot 2017-02-28 17.17.20.png

Screenshot 2017-02-28 17.51.28.png

Screenshot 2017-02-28 17.51.54.png

Screenshot 2017-02-28 17.49.30.png

Screenshot 2017-02-28 17.50.27.png

Screenshot 2017-02-28 17.59.41.png

Screenshot 2017-02-28 17.59.46.png

Hi Kevin, just a question: how do you configure guest access with Cisco ISE? Did you configure anything else other than the WLAN for guest?

Hi Marlon,

Do you mean guest access with Ruckus?

I just configured it like the screenshots in my last post.

Configure the WLAN with Guest Web Auth on the Ruckus controller, and point the AAA server to ISE.

You must add ISE as an AAA server in the controller first.

Maybe this guide will help you to configure Ruckus Guest Access.

http://www.packetu.com/2013/07/09/configuring-ruckus-zonedirector-for-wireless-guest-access/

In the ISE policy, besides the basic configuration, just create a policy for network access authentication passed, like the screenshot below:

Screenshot 2017-02-28 17.17.20.png

Hope this might help.

Kevin

For those interested and still looking into this: since ISE v2.1 you can use the Auth VLAN feature (Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco) to provide CWA and posture support for Ruckus deployments. I've used it and it works very well.

I've not tried ACLs yet.

Hi,

I understand from your post that you managed to use the Auth VLAN to get CWA working between Cisco ISE and Ruckus. I would appreciate it if you could show me the path to get it working. I have a test setup in my environment where I have successfully integrated both devices: wireless users connect successfully and get an IP address from ISE while ISE redirects the user to the guest portal. When users key in their username and password, we can see that the authentication is successful; however, when the user tries to browse to other websites, it keeps looping back to the same guest portal.

From ISE we can see:

Guest Authentication Passed

Dynamic Authorization failed

Thanks in advance.

This is an interesting post.  Mostly because it has been two+ years since this was posted and no one responded to your inquiry.  I am now having this issue as you stated above.  I have a Ruckus wireless lab, with Cisco ISE running.  I managed to get all the pieces somewhat configured correctly it seems, as I have been able to get CWA to redirect through the Ruckus AP and the client.  The client successfully creates a guest user account, but never gets released from the SinkHole DNS and thus the client cannot browse the internet and loops back to the logon page of CWA.

 

Does anyone here in the community know of this, or has anyone seen it before in their trials? I personally would love to be enlightened on where I may have missed something in the ISE setup of the authorization profile, the 802.1x_MAB-Wireless profile RADIUS policy, or the Ruckus Zone controller, which in my case is a ZD1200 running version 10.0.4 of the firmware.

 

Thank you in advance.

Hi Thomas,

Yes, I think so.

I searched Google for the Ruckus RADIUS dictionary and am still not sure whether Ruckus-User-Groups is the correct parameter to substitute for Filter-ID in Cisco Airespace ACL.

I don't have deep knowledge of Ruckus products since my company doesn't sell them.

I will search for more insight and I will share if I find one.

Thanks

Regards,

Kevin
