Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass OnGuard captive portal integration with Ruckus

  • 1.  Clearpass OnGuard captive portal integration with Ruckus

    Posted Feb 25, 2014 01:28 PM

    Does anyone know of any way to integrate the OnGuard/Onboard captive portal redirects with a Ruckus Zone Director running 9.5.2.0 build 15?

     

    Ruckus can do per-SSID captive portal (they call it hotspot), but you can't assign captive portals to user roles like you can on an Aruba controller. 802.1x basic user auth works well, and while I haven't set it up yet, I'm assuming guest with captive portal on CPPM will work since it's all contained within a single SSID.

     

     

     



  • 2.  RE: Clearpass OnGuard captive portal integration with Ruckus

    Posted Feb 26, 2014 06:36 AM

    Well - what type of scenario are you thinking of that won't work?

     

    This from the Zone Director user guide:

    ZoneDirector also integrates network, radio frequency (RF), and location management within 
    a single system. User authentication is accomplished with an integrated captive portal and 
    internal database, or forwarded to existing Authentication, Authorization and Accounting 
    (AAA) servers, such as RADIUS or Active Directory. Once users are authenticated, client traffic 
    is not required to pass through ZoneDirector, thereby eliminating bottlenecks when higher 
    speed Wi-Fi technologies such as 802.11n are used.

     

     

    OnBoarding typically involves some kind of 802.1x EAP and this seems to be supported:

    802.1X EAP is a very secure authentication/encryption method that requires a backend authentication server such as a RADIUS server. Your choice mostly depends on what kinds of 
    authentication your users' client devices support and your local network authentication environment

     

    For OnGuard, where you might want to change VLAN, then yeah, Ruckus accepts Dynamic VLAN in the RADIUS Access-Accept message.

     

    Normal RADIUS Access-Accept messages seem to work, but I can't be certain that it supports RFC 3576 for CoA to work. That might or might not be a problem, though.

     

    So there might of course be some snags to getting this to work, but for basic scenarios it seems to be fine.