cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5775
Views
6
Helpful
10
Replies
Highlighted
Beginner

Cisco ISE with Ruckus Wireless Controller

Hi All,

Anyone have experience integrating Cisco ISE with Ruckus Wireless Controller? Such as Zone Director and Smart Zone.

I have PoV to integrating these product. So far I manage to use feature like Dot1x authentication, guest authentication with Ruckus guest portal (not CWA) and Dynamic VLAN assignment.

Anyone manage to use other feature? Such as ACL assignment or others?

Thanks for your insight.

Kevin

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Cisco ISE with Ruckus Wireless Controller

Kevin,

We have support for Ruckus Wireless in ISE 2.1 as stated in our Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco.

Screen Shot 2017-02-28 at 10.12.17 AM.png

VLAN assignment should work as part of basic 802.1X however you will notice that Ruckus does not support RADIUS CoA and/or URL redirection as required to do redirection for WebAuth or Guest.

Screen Shot 2017-02-28 at 9.59.08 AM.png

Our ISE Third-Party NAD Profiles and Configs does have a documented configuration for ISE working with Ruckus: Ruckus-1200-NAD-config

View solution in original post

10 REPLIES 10
Highlighted
Cisco Employee

Re: Cisco ISE with Ruckus Wireless Controller

Kevin,

We have support for Ruckus Wireless in ISE 2.1 as stated in our Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco.

Screen Shot 2017-02-28 at 10.12.17 AM.png

VLAN assignment should work as part of basic 802.1X however you will notice that Ruckus does not support RADIUS CoA and/or URL redirection as required to do redirection for WebAuth or Guest.

Screen Shot 2017-02-28 at 9.59.08 AM.png

Our ISE Third-Party NAD Profiles and Configs does have a documented configuration for ISE working with Ruckus: Ruckus-1200-NAD-config

View solution in original post

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi Thomas,

Yes I tried VLAN assignment and it works. URL redirect will not work so CWA doesn't supported. But I managed to use Ruckus local guest portal instead, and integrate with Cisco ISE for external identity.

How about Dynamic ACL? Have you try this feature? I tried to map Access List on NAD profile for ruckus to be Ruckus-User-Groups and I create User Role on Ruckus Controller. But it failed when ISE tried to assign a user to the role.

Thanks

Kevin

Highlighted
Cisco Employee

Re: Cisco ISE with Ruckus Wireless Controller

You will need to consult the Ruckus documentation for their feature support (ACLs) and exactly how they are configured.

ISE can support any RADIUS attribute. So if they do not accept one that is already included in ISE, simply import any Ruckus RADIUS dictionary file and you can use those attributes to control the sessions.

If you get it working, please share the details for others to do the same!

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi, how did you do that? I also have a POV of ISE integration with Ruckus but endpoint is unable to authenticate. What docs did you used for your reference?

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi Maria,

Yes I managed to integrate Cisco ISE with Ruckus SmartZone and ZoneDirector for 802.1x and Web-auth using Ruckus portal (not CWA). I don't use any doc, I just do basic config in ISE and I do some trial and error with Ruckus controller.

I don't know what Ruckus Controller do you use in your PoV, but afaik it's either SZ or ZD.

I share some screenshot of my config for our reference. If it's still not clear, you can contact me directly.

Hope this might help.

Kevin

Screenshot 2017-03-02 16.36.03.png

Screenshot 2017-02-28 17.17.20.png

Screenshot 2017-02-28 17.51.28.pngScreenshot 2017-02-28 17.51.54.pngScreenshot 2017-02-28 17.49.30.png

Screenshot 2017-02-28 17.50.27.png

Screenshot 2017-02-28 17.59.41.png

Screenshot 2017-02-28 17.59.46.png

Highlighted

Re: Cisco ISE with Ruckus Wireless Controller

Hi Kevin, just a question. how do you configure the guest access with Cisco ISE? Did you configured anything else other than the WLAN for guest?

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi Marlon,

Do you mean guest access with Ruckus?

I just configure like screenshot in my last post.

Configure WLAN with Guest Web Auth with Ruckus Controller, and point AAA server to ISE.

You must add ISE as AAA Server first in the controller.

Maybe this guide will help you to configure Ruckus Guest Access.

http://www.packetu.com/2013/07/09/configuring-ruckus-zonedirector-for-wireless-guest-access/

In ISE policy, beside basic configuration, just create policy for network access authentication passed. Like screenshot below:

Screenshot 2017-02-28 17.17.20.png

Hope this might help.

Kevin

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

For those interested and still looking into this. Since ISE v2.1 you can use Auth Vlan feature (Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco ) to provide CWA and posture support for Ruckus deployments. I've used it and it works very well.

I've not tried ACL's yet.

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi, 

 

I understand from your post that you managed to use the Auth VLAN to get CWA working between Cisco ISE and Ruckus, i would appreciate if you could shine me the path on how to get it working; i have a test setup in my environment where i have successfully integrate both devices, wireless user are successfully connected and gotten ip address from ISE while ISE redirect the user to guest portal, upon user key-in their username and password, we can see that the authentication is successfully, however when user tries to browse to other websites it kept looping into the same guest portal. 

 

From ISE we can see: 

Guest Authentication Passed

Dynamic Authorization failed

 

Thanks in advance.  

Highlighted
Beginner

Re: Cisco ISE with Ruckus Wireless Controller

Hi Thomas,

Yes I think so..

I search in google for Ruckus radius dictionary and still not sure whether Ruckus-User-Groups is the correct parameter for substitute Filter-ID in Cisco Airspace ACL.

I don't have deep knowledge in Ruckus product since my company doesn't sell it

I will search for more insight and I will share if I find one.

Thanks

Regards,

Kevin