Configure RUCKUS SmartZone WLAN 802.1X Authentication with RADIUS Filter-Id User Role Mapping
Summary
This article describes how to configure a RUCKUS SmartZone (SZ) WLAN using 802.1X Extensible Authentication Protocol (EAP) authentication and dynamically assign User Roles based on the RADIUS Filter-Id attribute (Attribute 11). SmartZone uses the User Role Mapping feature under the Authentication Service to match the Filter-Id value returned by the RADIUS server and apply the corresponding Firewall Profile, ACLs, filtering policies, and optional VLAN assignment. User Role Mapping is limited to a maximum of 16 entries per Authentication Service. This is the only officially supported method in SmartZone to assign User Roles dynamically based on attributes received from an external RADIUS server.
Question
How can SmartZone dynamically assign different User Roles and policies to users on an 802.1X WLAN based on the RADIUS Filter-Id attribute?
Customer Environment
- Product: RUCKUS SmartZone (SZ)
- Version: 6.x and later
- Authentication: 802.1X EAP
- AAA Server: External RADIUS server
- Deployment type: Non-Proxy or Proxy Authentication Service
- Use case: Dynamic policy enforcement based on RADIUS attributes
Symptoms
- Users authenticate successfully but are assigned the default role
- Incorrect Firewall Profile or ACL is applied
- VLAN assignment does not match expected user group
- Policies (L2/L3 ACL, URL Filtering, App/Device) are not enforced as expected
- Multiple user groups receive identical network access despite different RADIUS attributes
Root Cause
Incorrect or incomplete configuration of User Role Mapping prevents SmartZone from matching the RADIUS Filter-Id value and assigning the intended User Role. Additionally, SmartZone enforces design limitations:
- A maximum of 16 User Role Mapping entries per Authentication Service
- No alternative supported mechanism exists to dynamically assign User Roles using external RADIUS attributes
Troubleshooting Steps
- Verify RADIUS server returns Filter-Id (Attribute 11) in Access-Accept
- Confirm Filter-Id value matches exactly the configured Group Attribute Value
- Verify User Role Mapping entries exist and are within the 16-entry limit
- Confirm User Roles are correctly mapped to Firewall Profiles
- Verify Firewall Profiles reference correct policies
- Confirm WLAN is using the correct Authentication Service
- Validate behavior using client session or logs on SmartZone
Workaround
There is no direct workaround to extend the 16-entry limit or replace User Role Mapping functionality.
Possible alternatives:
- Consolidate multiple RADIUS groups into fewer Filter-Id values
- Use multiple Authentication Services with different mappings
- Use separate WLANs per access policy
Resolution
Configure SmartZone User Role Mapping to match RADIUS Filter-Id values to User Roles.
Important:
- SmartZone supports a maximum of 16 User Role Mapping entries per Authentication Service
- User Role Mapping is the only supported method to dynamically assign User Roles based on external RADIUS attributes
Procedure
1. Create the required policies
Create the policies to be applied through Firewall Profiles:
- L2 ACL
- L3 ACL
- URL Filtering Policy
- Device Policy
- Application Policy
Example:
- L3_ALL_except_HTTP
- L3_BLOCK_ALL
- L3_GUESTS
2. Create Firewall Profiles
Create a Firewall Profile per access policy:
- Assign L2/L3 ACLs and filtering policies
- Optionally configure rate limiting
Example:
- FW_Prof_Admin
- FW_Prof_BLOCKED
- FW_Prof_GUESTS
3. Create User Roles
Create User Roles and associate them with Firewall Profiles:
- Assign Firewall Profile
- Optionally configure VLAN ID
Example:
- UserRole_Admin → FW_Prof_Admin
- UserRole_BLOCKED → FW_Prof_BLOCKED
- UserRole_GUESTS → FW_Prof_GUESTS
4. Configure Authentication Service and User Role Mapping
- Create a Non-Proxy or Proxy Authentication Service
- Configure RADIUS server:
  - IP/FQDN
  - Port (default 1812)
  - Shared secret
- Navigate to User Role Mapping
- Create mappings:
  - Group Attribute Value = Filter-Id value from RADIUS
  - Assign corresponding User Role
Example:
- Admin → UserRole_Admin
- Blocked → UserRole_BLOCKED
- Guests → UserRole_GUESTS
IMPORTANT NOTES:
- Maximum 16 User Role mapping entries are supported per Authentication Service
- The Group Attribute Value must exactly match the Filter-Id returned by RADIUS
- Mapping is case-sensitive depending on RADIUS implementation
- This mechanism is the ONLY supported method for dynamic role assignment using external attributes
5. Configure WLAN
- Create or edit WLAN
- Select 802.1X EAP
- Assign the configured Authentication Service
- Save configuration
Example Workflow
- Client connects to WLAN
- RADIUS authenticates user
- RADIUS returns: Filter-Id = Admin
- SmartZone matches value in User Role Mapping
- Assigns: UserRole_Admin
- Applies: FW_Prof_Admin + associated policies
Validation Checklist
- RADIUS returns Filter-Id
- Mapping exists in SmartZone
- Total mappings ≤ 16
- Correct User Role assigned
- Correct Firewall Profile applied
- Policies enforced as expected
- VLAN assignment correct (if configured)
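The first checks in the troubleshooting steps and the validation checklist can be scripted against the bytes of a captured Access-Accept. The following is an added example, not RUCKUS code and not part of the original article: it parses the RADIUS attribute list, extracts Filter-Id (type 11), and reports what an exact, case-sensitive lookup would select. The function names, the constructed sample packet with a zeroed authenticator, and the first-match-wins lookup model are assumptions; the mapping reuses the article's example values.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type
MAX_MAPPINGS = 16   # per-Authentication-Service limit stated in the article
MAPPING = {"Admin": "UserRole_Admin", "Blocked": "UserRole_BLOCKED", "Guests": "UserRole_GUESTS"}

def filter_ids(packet: bytes) -> list[str]:
    """Return every Filter-Id value carried in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    values, pos = [], 20
    while pos < length:  # attributes are type(1) | length(1) | value
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == FILTER_ID:
            values.append(packet[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return values

def diagnose(packet: bytes, mapping: dict[str, str]) -> str:
    """Assumed model: exact, case-sensitive lookup; first match wins."""
    if len(mapping) > MAX_MAPPINGS:
        return f"mapping has {len(mapping)} entries, limit is {MAX_MAPPINGS}"
    ids = filter_ids(packet)
    if not ids:
        return "no Filter-Id in Access-Accept: default role"
    for fid in ids:
        if fid in mapping:
            return f"Filter-Id {fid!r} -> {mapping[fid]}"
    norm = {k.strip().lower(): k for k in mapping}
    for fid in ids:
        near = norm.get(fid.strip().lower())
        if near:
            return f"Filter-Id {fid!r} vs {near!r}: case/whitespace mismatch, default role"
    return f"Filter-Id {ids!r} unmapped: default role"

def build_accept(*attrs: tuple[int, bytes]) -> bytes:
    """Constructed sample packet; the zeroed authenticator is not a real one."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```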
Article Number:
000015415
Updated:
June 22, 2026 07:59 AM
Tags:
Configuration, virtual SmartCell Gateway, SZ100, SZ300, SZ144