Well - what type of scenario are you thinking of that won't work?
This from the Zone Director user guide:
ZoneDirector also integrates network, radio frequency (RF), and location management within
a single system. User authentication is accomplished with an integrated captive portal and
internal database, or forwarded to existing Authentication, Authorization and Accounting
(AAA) servers, such as RADIUS or Active Directory. Once users are authenticated, client traffic
is not required to pass through ZoneDirector, thereby eliminating bottlenecks when higher
speed Wi-Fi technologies such as 802.11n are used.
OnBoarding typically involves some kind of 802.1x EAP and this seems to be supported:
802.1X EAP is a very secure authentication/encryption method that requires a backend authentication server such as a RADIUS server. Your choice mostly depends on what kinds of
authentication your users' client devices support and your local network authentication environment
For OnGuard where you might want to change VLAN - then yea Ruckus accepts Dynamic VLAN in the Radius Access-Accept message.
Normal Radius access-accept messages seems to work, but I can't be certain that it supports RFC3576 for CoA to work. That might or might not be a problem tho..
So there might of course be some snags to getting this to work, but for basic scenarios it seems to be fine