cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3427
Views
5
Helpful
8
Replies
Phanikumar Dharmavarapu
Cisco Employee

ISE 2.2 support for RUCKUS Wireless LAN controllers

Team,

Please share what features we support with RUCKUS WLAN controller as I see from ISE2.1 and ISE2.2 compatibility guide that we have only Authentication and Profiling support, and it doesn't support Posturing, BYOD and URL redirection.

Please confirm as we need to confirm a proposal to customer which will be Ordered in next week.

Thanks,

Phanikumar

1 ACCEPTED SOLUTION

Accepted Solutions
thomas
Cisco Employee

Phanikumar,


Our ISE Compatibility Guides outline support based on these feature requirements:

Feature

Functionality

AAA

802.1X, MAB, VLAN Assignment, dACL

Profiling

RADIUS CoA and Profiling Probes

BYOD

RADIUS CoA, URL Redirection + SessionID

Guest

RADIUS CoA, URL Redirection + SessionID, Local Web Auth

Guest Originating URL

RADIUS CoA, URL Redirection + SessionID, Local Web Auth

Posture

RADIUS CoA, URL Redirection + SessionID

MDM

RADIUS CoA, URL Redirection + SessionID

TrustSec

SGT Classification

Ruckus does not natively support URL Redirection therefore we do not document that supports those scenarios in our Compatibilty Guide.


The document ISE 2.1 Integration with Ruckus 1200 Wireless: BYOD & Posture using Auth VLAN shows how to do a workaround using the DNS/DHCP capabilities to get them to do those things:

3.5      Configuring the DHCP/DNS services in ISE for Auth VLAN flow

The Auth VLAN flow designated to third party device which doesn’t support URL-redirection option.

How Auth VLAN flow works:

1.       The guest endpoint connects to the network device.

2.       The device sends Radius/MAB request to ISE.

3.       ISE runs the MAB Authentication/Authorization policy

4.       ISE stores the Guest Portal details on the user session on Session cache.

5.       ISE responds with the Radius Access carrying the Guest VLAN name.

6.       The guest endpoint obtains network access.

7.       The endpoint broadcasts a DHCP request and obtains a client IP address and the ISE sinkhole DNS IP address from the ISE DHCP service.

8.       Endpoint browser sends a DNS query and receives the ISE’s IP address.

9.       Endpoint HTTP/S request is directed to the ISE box.

10.   ISE maps the client IP address to the MAC address using DHCP query.

11.   ISE searches the user session by the MAC address, extracts the Guest portal details and builds the portal URL

12.   ISE responses with HTTP 301/Moved providing the guest portal URL.

13.   The endpoint browser redirects to the Guest portal page.

14.   The client authenticates in Guest portal

15.   ISE issues a CoA request with authorization details.

16.   Endpoint obtains an access to the corporate network

17.   Endpoint receives an IP address from the enterprise DHCP.

We also publicly document our Ruckus integration in Third Party NAD Profile & Config .

View solution in original post

8 REPLIES 8
Charlie Moreton
Cisco Employee

According to the Cisco Identity Services Engine Network Component Compatibility, Release 2.2, it seems that Ruckus has the same support.

RuckusCompatibility.PNG

Hi,

Ruckus ZD 1200 tested with ISE 2.2 using AuthVLAN flow.

for more info please check out  this link:

Integration Between ISE2.1 and Ruckus 1200 Wireless -BYOD/Posture flows using Auth VLAN

thomas
Cisco Employee

Phanikumar,


Our ISE Compatibility Guides outline support based on these feature requirements:

Feature

Functionality

AAA

802.1X, MAB, VLAN Assignment, dACL

Profiling

RADIUS CoA and Profiling Probes

BYOD

RADIUS CoA, URL Redirection + SessionID

Guest

RADIUS CoA, URL Redirection + SessionID, Local Web Auth

Guest Originating URL

RADIUS CoA, URL Redirection + SessionID, Local Web Auth

Posture

RADIUS CoA, URL Redirection + SessionID

MDM

RADIUS CoA, URL Redirection + SessionID

TrustSec

SGT Classification

Ruckus does not natively support URL Redirection therefore we do not document that supports those scenarios in our Compatibilty Guide.


The document ISE 2.1 Integration with Ruckus 1200 Wireless: BYOD & Posture using Auth VLAN shows how to do a workaround using the DNS/DHCP capabilities to get them to do those things:

3.5      Configuring the DHCP/DNS services in ISE for Auth VLAN flow

The Auth VLAN flow designated to third party device which doesn’t support URL-redirection option.

How Auth VLAN flow works:

1.       The guest endpoint connects to the network device.

2.       The device sends Radius/MAB request to ISE.

3.       ISE runs the MAB Authentication/Authorization policy

4.       ISE stores the Guest Portal details on the user session on Session cache.

5.       ISE responds with the Radius Access carrying the Guest VLAN name.

6.       The guest endpoint obtains network access.

7.       The endpoint broadcasts a DHCP request and obtains a client IP address and the ISE sinkhole DNS IP address from the ISE DHCP service.

8.       Endpoint browser sends a DNS query and receives the ISE’s IP address.

9.       Endpoint HTTP/S request is directed to the ISE box.

10.   ISE maps the client IP address to the MAC address using DHCP query.

11.   ISE searches the user session by the MAC address, extracts the Guest portal details and builds the portal URL

12.   ISE responses with HTTP 301/Moved providing the guest portal URL.

13.   The endpoint browser redirects to the Guest portal page.

14.   The client authenticates in Guest portal

15.   ISE issues a CoA request with authorization details.

16.   Endpoint obtains an access to the corporate network

17.   Endpoint receives an IP address from the enterprise DHCP.

We also publicly document our Ruckus integration in Third Party NAD Profile & Config .

View solution in original post

Hi Thomas,

I am doing POC at my client. I tried the method of Auth VLAN, it works at first try. However, on my subsequent tries on the same device, the user is redirected but the browser show that it can't reach the page anymore. Any inputs on this ?

Dns problem? Acl problem? Troubleshoot with tac as well

Hi Jason,

Thanks, but it doesn't seem like DNS / ACL problem since it works in the first attempt. Anyway, I am trying to replicate the issue in my lab and let's see whether it can be resolved.

try to remove the MAC address from endpoints page.

also try to send CoA from MnT (live session page) to kill that session.

sr2290723
Beginner

Hi all,

I have tested in my lab, it seems that the issue only happen on Ruckus ZD1200 version 9 software. I have tested using software version 10, and everything works perfectly fine.

Content for Community-Ad