IT Capture

Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

Configuration Example

Here is an example of how to configure NPS to assign users to a VLAN based on their AD group membership, with NPS handling both the authentication and the authorization of users. The key to making this work is a RADIUS attribute that NPS labels 'Tunnel-Pvt-Group-ID' (its name in RFC 2868 is Tunnel-Private-Group-ID). The authentication server (NPS) returns it to the authenticator (the WLC or AP) in the Access-Accept once a user has authenticated successfully, and it carries the VLAN number the user should be placed in. A few other attributes must accompany it; together, the attributes NPS needs to return are:

  • Service-Type: Framed
  • Tunnel-Type: VLAN
  • Tunnel-Medium-Type: 802
  • Tunnel-PVT-Group-ID: <VLAN Number>
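To make the four attributes concrete, here is an added example (not code from the original article) that builds the RADIUS Access-Accept NPS returns after a successful authentication and then parses it the way the authenticator (WLC or AP) must before it moves the client into the VLAN. The shared secret, packet ID and Request Authenticator are made-up demo values; the attribute numbers and values come from RFC 2865/2868 (Service-Type 6 = Framed 2, Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81). Standard library only.

```python
"""
Added example (not from the original article): build the Access-Accept NPS
returns for a successful authentication, carrying exactly the four attributes
listed above, and parse it the way the authenticator (WLC or AP) does before
moving the client into the VLAN. Secret, packet ID and Request Authenticator
are made-up demo values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# Attribute numbers from RFC 2865 / RFC 2868
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
# The values NPS displays as Framed, VLAN and 802
SERVICE_TYPE_FRAMED, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 2, 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attr(atype: int, value: bytes, tag: int = 0) -> bytes:
    """Tunnel attributes carry a leading Tag octet (0 = untagged, RFC 2868)."""
    return attr(atype, bytes([tag]) + value)


def build_vlan_accept(ident: int, request_auth: bytes, secret: bytes, vlan: int) -> bytes:
    """Access-Accept with Service-Type=Framed, Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<vlan>."""
    attrs = (
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
        + tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])  # 3-octet value
        + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii"))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attrs(packet: bytes):
    """Yield (type, value) for each attribute TLV after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The authenticator must check this before trusting any returned attribute."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def assigned_vlan(packet: bytes, request_auth: bytes, secret: bytes):
    """VLAN the authenticator should apply, or None if the reply is not a
    verified Access-Accept or lacks the full Tunnel-* set listed above."""
    if packet[0] != ACCESS_ACCEPT or not response_is_authentic(packet, request_auth, secret):
        return None
    found = {}
    for atype, val in parse_attrs(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(val[1:], "big")           # skip the Tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = val[1:] if val and val[0] <= 0x1F else val  # Tag > 0x1F = no tag
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None


if __name__ == "__main__":
    secret, req_auth = b"demo-shared-secret", bytes(range(16))  # demo values
    accept = build_vlan_accept(7, req_auth, secret, 10)
    print("accept bytes:", accept.hex())
    print("VLAN applied by authenticator:", assigned_vlan(accept, req_auth, secret))
    # A reply forged or modified by someone without the secret is ignored
    tampered = accept[:-2] + b"20"
    print("tampered reply VLAN:", assigned_vlan(tampered, req_auth, secret))
```

The check in `response_is_authentic` is the reason the VLAN assignment can be trusted at all: the Response Authenticator is the only thing binding the Tunnel-Private-Group-ID to the RADIUS server, so a weak or shared-everywhere secret lets anyone on the path between WLC and NPS hand out VLANs.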

We'll have a look at how each of these attributes is specified in an NPS policy. For our example, we'll assign all 'staff' users to VLAN 10 and all 'student' users to VLAN 20. Here is an overview of what the network might look like (this is obviously very simplified, but it gives an idea of what can be achieved):


VLAN 10 has an ACL (access control list) that allows users on this VLAN to reach all systems across the school network (the ACL would generally be configured on the layer 3 switch or router that interconnects the school VLANs). VLAN 20 has an ACL that only allows access to the learning-system VLAN and Internet-related services.

By studying the example above, you can see that if we can control a user's VLAN assignment based on their AD group membership, we can ensure they receive only the network access to which they are entitled, purely via AD group membership. Bear in mind that the assignment is only as strong as the ACLs on the layer 3 device and the process that governs who gets added to each AD group. Also note that this is all being done on a single SSID ('School' in this case). Now we'll take a look at how we achieve this using NPS.

NPS Configuration

To configure NPS to provide the VLAN assignments outlined above, we will create two policies within NPS:

  • School Wireless – Staff (to assign members of the staff AD group to VLAN 10)
  • School Wireless – Students (to assign members of the students AD group to VLAN 20)

The screenshots below outline the configuration required. Here is the policy summary screen within NPS. Note that when you configure multiple policies, their order matters: NPS processes network policies from top to bottom and applies the first enabled policy whose conditions match, without evaluating the rest. So put the more specific policy above any broader policy the same user could also match, and keep policies that are not in use disabled.


Staff Policy

1. Create the policy and enable it:


2. Add the NAS type and AD group membership conditions (must be members of the staff group):


3. Select and configure an EAP type (this may be PEAP or EAP-TLS; we've shown PEAP just as an example):


4. Configure the settings for this policy to assign any users which match this policy to VLAN 10:


Students Policy

1. Create the policy and enable it:


2. Add the NAS type and AD group membership conditions (must be a member of the students group to match this policy):


3. Select the same EAP type as in the staff policy, then configure the settings for this policy to assign any users who match it to VLAN 20:


Once NPS has been configured with policies similar to those shown above, users are dynamically assigned to an appropriate VLAN based on their AD group membership. As we've already discussed, this removes the overhead of running multiple SSIDs on a WiFi network. It also simplifies wireless client management: every user gets the same wireless client profile, and their access is controlled through Microsoft AD. One caveat is that all users must join the SSID using the same security mechanism. For instance, all users must use 802.1X (EAP); you can't mix PSK and 802.1X devices on the same SSID. Generally they should also use the same WPA version (WPA or WPA2). A second caveat, now that the VLAN is tied to the user's credentials: that client profile should be set to validate the NPS server certificate, otherwise a rogue access point advertising the same SSID can harvest the PEAP inner credentials.


Network Guys


How to use 802.1x/mac-auth and dynamic VLAN assignment

Hello guys! Today I want to show you how to secure your edge switches with 802.1X and a MAC-authentication fallback on HPE Comware-based switches. 802.1X is used for network access control. For devices like printers, cameras, etc. that cannot run a supplicant, we will use MAC authentication as a fallback. We will also use dynamic VLAN assignment for the connected ports.

Our RADIUS server will be Microsoft NPS. You can activate this role on the Windows server:


After the installation, open the NPS console and register the RADIUS server in your Active Directory:


Add your switches or your management network as a RADIUS client:


The shared secret will be used in the switch configuration. I created two groups in my test environment:

  • "VLAN2-802.1x", containing computer accounts
  • "VLAN3-MAC-Auth", containing user accounts (username and password = MAC address of the device)

So we will now configure two network policies for our network access control:


I also configured a NAS Identifier condition so that no other device can match this policy. Keep in mind that NAS-Identifier is a value the switch reports about itself, so it is a policy-selection condition rather than an access control; what actually stops an unknown device from using the RADIUS server is the RADIUS client list (source IP address plus shared secret). The clients will use their computer certificate, so you will need a running internal certification authority (PEAP always needs a server certificate on the NPS server; the clients need a certificate as well when the inner method is "Smart Card or other certificate", i.e. EAP-TLS). Choose PEAP only as the authentication method:


The next step is the dynamic VLAN assignment. Dot1x devices are bound to VLAN 2:


The final dot1x configuration in NPS:


The second network policy is for MAC-based authentication:


Comware switches send MAC authentication requests via PAP (if you know how to change this to CHAP, let me know). With PAP the password travels in the Access-Request obfuscated only with the shared secret, but since the password here is the device's MAC address, which the switch also sends in clear as the user name, the protocol choice matters less than the fact that these AD accounts have a guessable password: restrict them so they can be used for nothing but this policy.


Final MAC-auth profile:


For now we have built our authentication server. Now let's go to the switch configuration. There are global configuration parameters and parameters for each interface. The safest way to apply the latter is the interface-range command. Users who can't authenticate will be forced to VLAN 999 (a quarantine VLAN with no gateway). Here are the global parameters with explanations inline:

Now we will configure the interfaces:

The last part is to configure all Windows clients to send 802.1X authentication data on the wired network. I've done this via a global group policy. You can find the settings under Computer Configuration / Policies / Windows Settings / Security Settings / Wired Network (IEEE 802.3) Policies:


So what does a working 802.1X authentication look like?

%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.

Successful MAC authentication of a printer:

%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.
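These two log lines are also what you would watch in a SIEM. As an added example (not part of the original post), here is a small detector for the Comware DOT1X_LOGIN_SUCC and MACA_LOGIN_SUCC lines: it checks that every successful login landed in the VLAN the NPS policies above hand out (VLAN 2 for 802.1X, VLAN 3 for MAC authentication), that 802.1X logins used a computer account (host/...), and it flags a MAC address that first passed 802.1X and later passes MAC authentication instead, which is what a cloned PC MAC on a mac-auth fallback port looks like. The sample log is constructed for the demo: the first two lines copy the format of the entries above, the third is the suspicious case.

```python
"""
Added example, not part of the original post: a detector for the Comware
DOT1X_LOGIN_SUCC / MACA_LOGIN_SUCC syslog lines. Expected VLANs follow the
two NPS policies described in the post (VLAN 2 dot1x, VLAN 3 mac-auth).
The log lines below are constructed for the demo.
"""
import re

SAMPLE_LOG = """\
%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.
%Jan 3 01:31:28:782 2013 edge-switch-01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 3 02:10:00:001 2013 edge-switch-01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/11-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= 0023241542a3 -UsernameFormat=MAC address; User passed MAC authentication and came online.
"""

# "%<month> <day> <hh:mm:ss:ms> <year> <host> <MODULE>/<sev>/<MNEMONIC>: <-k=v fields>; <message>"
LINE_RE = re.compile(
    r"^%(?P<ts>\w+ \d+ [\d:]+ \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+): (?P<fields>.*?);\s*(?P<msg>.*)$"
)
# Fields are "-Key=Value" runs; the lookahead keeps dashes inside MAC addresses
# and tolerates the stray spaces seen in the post's copies of the lines.
FIELD_RE = re.compile(r"-\s*(?P<k>\w+)=\s*(?P<v>.*?)\s*(?=-\s*\w+=|$)")

EXPECTED_VLAN = {"DOT1X_LOGIN_SUCC": 2, "MACA_LOGIN_SUCC": 3}  # per the post's NPS policies


def norm_mac(s: str) -> str:
    """'0023-2415-42a3', '00:23:24:15:42:A3' and '0023241542a3' all compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_line(line: str):
    """Return a dict of header fields plus the -Key=Value pairs, or None if not a Comware line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "module", "mnemonic", "msg")}
    rec.update({f.group("k"): f.group("v") for f in FIELD_RE.finditer(m.group("fields"))})
    return rec


def analyse(log_text: str):
    """Run the three checks over a chronological log and return the findings."""
    findings, dot1x_macs = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["mnemonic"] not in EXPECTED_VLAN:
            continue
        mac = norm_mac(rec.get("MACAddr", ""))
        port = rec.get("IfName", "?")
        vlan = int(rec.get("AuthorizationVLANID", -1))
        user = rec.get("Username", "")
        want = EXPECTED_VLAN[rec["mnemonic"]]

        def flag(rule, detail):
            findings.append({"port": port, "mac": mac, "rule": rule, "detail": detail})

        if vlan != want:
            flag("wrong-vlan", f"authorized into VLAN {vlan}, policy should give {want}")
        if rec["mnemonic"] == "DOT1X_LOGIN_SUCC":
            dot1x_macs.add(mac)
            if not user.startswith("host/"):
                flag("dot1x-not-machine-account", user)
        else:
            if norm_mac(user) != mac:
                flag("mac-auth-username-mismatch", user)
            if mac in dot1x_macs:
                flag("mac-auth-after-dot1x", "MAC previously passed 802.1X; possible cloned MAC")
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['port']} {f['mac']} {f['rule']}: {f['detail']}")
```

On the constructed log the first two lines are clean and the third produces two findings on GigabitEthernet1/0/11: the MAC-auth session was placed in VLAN 2 instead of VLAN 3, and the same MAC had already passed 802.1X earlier, which is exactly the combination a dot1x-to-mac-auth fallback should never let happen silently.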

I tried to draw a flow chart which shows the authentication process; I hope it's OK for you :)


Do you have questions? Feel free to write them into the comments and I will try to answer.

Have a nice and sunny day!

/edit: If you can’t see success and failure events, follow this instruction:  NPS / Radius Server is not logging

/edit 2018-05-14: I corrected the global and interface configuration; we had problems with the old configuration.

12 Responses

Thanks for this, I need to setup dynamic VLAN assignment in the near future but for Juniper equipment.

This at least gives me a good starting point, thanks for the write up.

Many thanks for the perfect tutorial on How to use 802.1x/Mac-Auth and dynamic VLAN assignment. Many of us can take help from it. Really nice.

Nice write-up. This was a great starting point for configuring the base for dynamic polices. Thanks!

Hi Mike, how about a hybrid port with voice VLAN? Does it work?

Thanks, Tung Duong

We had several problems with this config; currently we are investigating hybrid ports with the "port security" command. I will update this post once we have proved this version.

Can you tell me why I would do this over conventional static VLANs? What are the benefits of RADIUS dynamic VLANs?

We have customers who want to divide the network for clients, printers and "special devices". So you have different group/RADIUS policies to place the devices directly in the right VLAN. Dynamic VLAN is only a bonus feature which you can use. Of course, you can use only the 802.1X and MAC authentication for security purposes.

I’m on the desktop side of things, so apologies if I use any incorrect terminology here.

Our infrastructure team are looking at introducing 802.1X in our schools. They have a test setup where all 802.1X devices pick up a data centre VLAN regardless of which building they're in, e.g. 10.100.50.

Each building's wired network has its own unique IP range: SchoolA = 10.120, SchoolB = 10.130 and so on.

I've asked if the 802.1X setup can be such that 802.1X devices in SchoolA get 10.120.50 and in SchoolB get 10.130.50.

This would allow us to easily determine which building LaptopA actually is, in the same way as we can with our wired desktops. It also saves on SCCM boundary issues causing applications/updates to be pulled over the WAN rather than the LAN.

It’s been suggested that this may not be possible. Could someone confirm this?

Thanks in advance.

Hello! This is of course possible!

My idea (with examples):

SchoolA=10.120 (Location: Chicago) SchoolB=10.130 (Location: Dallas)

So at Chicago you will have VLAN 333, and every device gets an IP address in 10.120.x.x. At Dallas every device in VLAN 333 gets an IP address in 10.130.x.x. So the VLAN ID "333" is the same at every school, but the DHCP scope and default gateway have their own addresses. The device gets VLAN 333 at every location but a different IP address. It's very simple.

It’s not working if all schools are connected via Layer2 so VLAN333 can’t be a “standalone VLAN” at each geographical location.

Ask me any questions, I will try to help you.


Wireless (Ruckus) and Dynamic VLAN Assignment via Microsoft NPS

Our current 802.11 setup has a large number of SSIDs to segregate traffic by subnet. This isn't ideal, and I've been attempting to consolidate to a single SSID but use dynamic VLANs instead.

This is on a Ruckus Zonedirector 3000 and Microsoft NPS as the RADIUS server.

My test clients connect to the SSID, and are prompted for credentials. I can see the credentials accepted on the NPS server, and wireshark confirms the Access-Accept message contains the Tunnel-Private-Group-ID value for the desired VLAN.

At this point the client stalls trying to get a DHCP lease. The DHCP server is working, as these are existing scopes and subnets and I can connect a wired client into the switch on an access port for the same vlan and get a lease.

Wireshark shows no DHCP broadcast request from the client at all.

The switchport for the AP is a trunk, with the VLAN tagged and allowed.

Any assistance would be greatly appreciated! Rob


  • Does your capture also show the Tunnel-Type and Tunnel-Medium-Type attributes in addition to the Tunnel-Private-Group-ID? –  YLearn Commented Oct 12, 2013 at 6:15
  • Yes, all three of the required attributes are showing in the packet capture. –  Network Canuck Commented Oct 15, 2013 at 16:47
  • I've also tested without dynamic VLAN, using a static VLAN for the test WLAN. Clients are able to connect and receive a DHCP assignment for the correct VLAN. The full DHCP exchange is seen in Wireshark. –  Network Canuck Commented Oct 15, 2013 at 17:28

I found the answer here:

http://forums-archive.ruckuswireless.com/forums/8/topics/1278

NPS does not return AD group memberships back to the ZoneDirector without setting a vendor-specific attribute on NPS. A role has to be configured for each group on the ZoneDirector and a network policy has to be configured for each group on NPS.

This seems rather redundant as I've already got authorization and vlan assignment happening on NPS, why would the ZoneDirector also require a role to authorize access to the specified WLAN? Oh well at least it works now.


[Solved] NPS VLAN assignment only when BOTH certificate & computer group membership

I am doing something that is definitely not supported: allowing AAD-only joined devices (Intune managed) to connect to internal WiFi using certificates issued by the local CA.

It is described here: https://social.technet.microsoft.com/Forums/lync/en-US/7c6dcb5c-7e24-4a10-89d0-3f8fcec55877/ndes-scep-certificate-to-connect-to-enterprise-wifi-nps-radius?forum=microsoftintuneprod

So machines that know nothing about local AD, do get 802.1x authenticated to WiFi by Windows Server NPS.

That works (almost) as much as I need it to.

But I want to assign machines/users to different VLANs based on group membership.

So the question I had: https://social.technet.microsoft.com/Forums/lync/en-US/b8383316-d3fa-4f87-833a-889d5387b775/nps-vlan-only-when-both-certificate-amp-computer-group-membership?forum=winserverNAP

Can I combine 2 conditions: certificate existence AND machine group membership?


Works perfectly fine!

"Computer ONLY authentication (no user involved)" & "machine has CA certificate" DOES work in Server 2012 R2 NPS

And machines are not even AD joined (they are only AAD joined & managed by Intune with dummy AD Computer objects)


Thank you for posting in Q&A!

In regards to your issue, this is a similar case that also wants "NPS assigned machines/users to different VLANs, based on group membership": nps-assign-vlans-based-on-users-groups-8021x-wired. He opened a case with Microsoft support and found out the following conclusion:

" with NPS it is not possible to do an automatic re-authentication based on the user if the computer is already authenticated. For the re-authentication the NIC needs to be brought down and up again and that is only possible if you make a task scheduled item for this or to script this at user logon."


Above is not really what I want

I need NPS to drop the machine into the correct VLAN only if BOTH are fulfilled, for computer-only authentication (no user involved):

  • machine has CA certificate AND
  • machine is in a specific AD Computer group

If the machine has ONLY the certificate but no group membership, it gets dropped into a different VLAN.

@Sebastian Cerazy Hi,

Sorry for the late reply!

Based on my research and discussion with my colleagues, as stated in the Microsoft official document, nps-np-configure:

"you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. "

(1) So "machine is in a specific AD Computer group" can be achieved; (2) however, unfortunately "Computer ONLY authentication (no user involved)" & "machine has CA certificate" cannot be achieved in Microsoft NPS server.

Hi, Would you mind letting me know the update of the problem? If you need further assistance, feel free to let me know.


Network Device Management with RADIUS Authentication using Windows NPS

The technologies used in our scenario today to deploy Network Device Management with RADIUS Authentication using Windows NPS are the following:

  • Microsoft Windows Server 2012 R2: Network Policy Server

Network Equipment

  • HP Aruba 2920
  • Cisco Catalyst 2960
  • Cisco ASA 5505 Firewall

You have heard many say that AAA is the best security model for user access to and management of network devices. It is, and as a matter of good professional practice, securing network devices with the triple-A process meets many of the security best practices of our day.

Authentication

Authentication is the first process. It provides a way of identifying a user who requires access to a network resource, typically by having the user enter a valid user name and password before access is granted. Authentication relies on each user having a unique set of credentials. The AAA server, in our case the Microsoft Network Policy Server, compares the credentials the user presents with those stored in a database, in our case Active Directory. If they match, the user is granted access to the network; if they do not, authentication fails and network access is denied.

Authorisation

Now that the user has been successfully authenticated, a user must gain authorisation for doing certain tasks. After logging into a network device for instance, the user may try to issue commands. The authorisation process determines whether the user has the authority to issue such commands. Authorisation simply is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorisation occurs within the context of authentication. Once you have authenticated a user, they may be authorised for different types of access or activity.

Accounting

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization and capacity planning.

Authentication, authorisation and accounting services are often provided by a dedicated AAA server, a program that performs these functions. The standard protocol by which network access servers interface with an AAA server is Remote Authentication Dial-In User Service (RADIUS), which our deployment provides with Microsoft NPS.

Network Device Management with RADIUS Authentication using Windows NPS Step by Step Guide.

Step 1: Configure Active Directory Infrastructure

  • Create New Security Group on Active Directory

Add Network Administrators to Group Created

Configure NPS Server : IEEE 802.1X Authentication and Dynamic VLAN Assignment

Step 2: Configure RADIUS Infrastructure

  • RADIUS Clients
  • Connection Request Policies
  • Network Policies

Create RADIUS Client

Create RADIUS Client and Enable RADIUS Standard

Create Network Policy

Create Policy – Conditions

Then, in the Network Policies section, create a new network policy. Enter its name, e.g. Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group whose members may authenticate (in our example the network administrators' accounts are in the AD group Network Admins). In the second condition, Authentication Type, select PAP as the authentication protocol.

Then, in the Configure Authentication Methods window, uncheck all authentication types except Unencrypted authentication (PAP, SPAP). PAP is what switch management logins can use, so on the wire the admin password's only protection is the RADIUS shared secret: use a long, random secret per device and keep RADIUS traffic on the management network.

Create Policy Constraints – Authentication Methods

Create Policy Settings – Standard Attributes

  • Framed-Protocol: PPP
  • Service-Type: Administrative

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Network Policy Condition

Create Connection Request Policy

Step 3: Configure Network Devices for RADIUS Authentication

For Cisco devices, create a network policy like the one above but additionally include the following setting.

Under Vendor Specific, add a Cisco-AV-Pair that tells the router to go to privilege level 15: enter "shell:priv-lvl=15" in the Cisco-AV-Pair and select Next.
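What the exchange built by this policy looks like on the wire, as an added example that is not part of the original article: the switch's Access-Request carries the admin password PAP-encoded as RFC 2865 section 5.2 prescribes (MD5 of the shared secret chained with the Request Authenticator, XORed over the password), and NPS's Access-Accept carries Service-Type=Administrative (6) plus the Cisco Vendor-Specific attribute (Vendor-Id 9, vendor type 1) holding shell:priv-lvl=15. The user name, password, secret and authenticator are made-up demo values; `recover_password` shows why the shared secret deserves care, since anyone holding it and a capture gets the PAP password back. Standard library only.

```python
"""
Added example (not from the original article): the RADIUS exchange behind the
PAP + Service-Type Administrative + Cisco-AV-Pair policy described above.
All names, secrets and authenticator values are made up for the demo.
"""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # IANA enterprise number 9, VSA type 1


def attr(atype: int, value: bytes) -> bytes:
    """Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_encode(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The same chain in reverse: no key besides the shared secret is involved."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, request_auth: bytes, secret: bytes,
                         username: bytes, password: bytes) -> bytes:
    """What the switch sends for an SSH/console login with PAP."""
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, pap_encode(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific: Vendor-Id (4 octets) then a vendor TLV: type 1, length, string."""
    s = text.encode("ascii")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, len(s) + 2) + s
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def build_admin_accept(ident: int, request_auth: bytes, secret: bytes, priv_level: int = 15) -> bytes:
    """What NPS returns for a matching Network Admins policy."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)) \
        + cisco_avpair(f"shell:priv-lvl={priv_level}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def privilege_level(accept: bytes):
    """Parse the accept the way an IOS device would: privilege level from the AV pair,
    but only if Service-Type is Administrative (the article's 'Access denied' case)."""
    pos, service, priv = 20, None, None
    while pos < len(accept):
        atype, alen = accept[pos], accept[pos + 1]
        val = accept[pos + 2:pos + alen]
        if atype == SERVICE_TYPE:
            service = struct.unpack("!I", val)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            key, _, value = val[6:4 + vlen].decode("ascii").partition("=")
            if vtype == CISCO_AVPAIR and key == "shell:priv-lvl":
                priv = int(value)
        pos += alen
    return priv if service == SERVICE_TYPE_ADMINISTRATIVE else None


def recover_password(request: bytes, secret: bytes):
    """What anyone with the shared secret (or a guessable one) does to a captured request."""
    request_auth, pos, user, pw = request[4:20], 20, None, None
    while pos < len(request):
        atype, alen = request[pos], request[pos + 1]
        val = request[pos + 2:pos + alen]
        if atype == USER_NAME:
            user = val
        elif atype == USER_PASSWORD:
            pw = pap_decode(val, secret, request_auth)
        pos += alen
    return user, pw


if __name__ == "__main__":
    secret, ra = b"demo-shared-secret", bytes(range(16, 32))       # demo values
    req = build_access_request(5, ra, secret, b"netadmin", b"Correct-Horse-17")
    print("captured request yields:", recover_password(req, secret))
    print("privilege granted:", privilege_level(build_admin_accept(5, ra, secret)))
```

The obfuscation in `pap_encode` is not encryption in any modern sense: it has no per-session key, so the shared secret is the whole security of an admin password in transit. Long random per-device secrets, RADIUS confined to the management network, and RADIUS over TLS or IPsec where the equipment supports it are the controls that go with a PAP policy.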

Configuring AAA on Cisco IOS

Configuring AAA for Cisco ASA

Configuring AAA on HP Aruba 2920 Switch

Enable and Specify RADIUS Authentication Server

Enable SSH Login via RADIUS

Enable Web Login via RADIUS

Enable Authentication and Accounting Parameters

PS: The following command is what gets everything working; without it you will get the error below:

Access denied: no user’s authorization info supplied by the RADIUS server

Golden Command to allow SSH Sessions to Switch

Verify and Troubleshoot

Check Switch RADIUS Authentication

Check Recent SSH Logins

On Microsoft NPS Server 2012 R2 – Launch Events Viewer

Check Authentication Informational Log Reporting

Check Event Logs

I hope you have enjoyed this article on Network Device Management with RADIUS Authentication using Windows NPS .


Published in Configuring , Design , Installing and Configuring , Networking and Switching


Switch [Dynamic VLAN] - Configure RADIUS Server for dynamic VLAN Assignment


Dynamic VLAN Assignment separates and isolates devices into different network segments based on the authorization and characteristics of the device or user.

Scenario & Topology


In most networks, administrators have to restrict which devices can reach which parts of the network for security purposes.

A common way to achieve this is static VLAN assignment: the administrator creates the VLANs and configures the corresponding VLAN number on each switch port in access mode. With Dynamic VLAN Assignment, by contrast, the administrator only needs to set the switch ports to trunk (fixed) mode and define a few policies on the RADIUS server; the VLAN then follows the device or user rather than the port, which removes a considerable amount of per-port work.

This configuration guide demonstrates every step needed to configure Dynamic VLAN Assignment on both the switch and the RADIUS server.

Configuration

Switch configuration

The following steps apply to switches that support compound authentication. Supported switches are the GS2220 and XGS2210 in standalone mode, used together with a RADIUS server (Windows Server 2019).

  • Configure RADIUS IP address, Shared secret, and AAA settings at:


  • Configure 802.1x, MAC authentication and Guest VLAN, as well as Compound Authentication, on the client port at:


  • Keep Compound Authentication Mode as strict for client port

Set up NPS on Windows Server 2019

Open Network Policy Server and right-click RADIUS Clients > New to configure the friendly name, IP address and shared secret.


Configure Connection Request Policies(CRP)

  • Right-click on  CRP > New
  • Specify CRP policy name
  • Specify Conditions

If you are unfamiliar with this page, we suggest using NAS Identifier (the device hostname) and NAS IPv4 Address here. If you plan to add many devices as RADIUS clients, you can use the wildcard symbol * to avoid adding many conditions to one CRP, for example "GS22*" or "192.168*". Keep in mind that both values are reported by the switch itself in the request; the RADIUS client entry (IP address plus shared secret) is what actually authenticates the switch, so these conditions only select the policy.


  • Specify Connection Request Forwarding > Next
  • Specify Authentication Methods > Next
  • Configure Settings > Next
  • Check everything you just configure, and click Finish.

Configure Network Policies

  • Right-click on Network Policies > New
  • Specify Network Policy name
  • Specify Conditions > Add > choose Windows Groups


  • Specify Access Permission > Next
  • Configure Authentication Methods


  • Configure Constraints > Next
  • Configure Settings.


  • Check everything you configure, and click Finish.

Set up user/device account on Windows Server 2019

  • Open Active Directory Users and Computers
  • Right-click on domain > New > User
  • Create accounts for 802.1x and MAC authentication

Notice: for the MAC-authentication user, the user logon name must be in exactly the same format as configured on the switch's MAC authentication page, and the user's password must match the switch setting as well. Because that password is derived from the device's MAC address and can be read off any capture of the device's traffic, give these accounts no rights beyond this policy (no interactive logon, their own group or OU), so that a spoofed MAC buys nothing more than the VLAN this policy assigns.

Verification

  • Client passes compound authentication: it gets an IP address from the Data VLAN.
  • Client fails compound authentication: it gets an IP address from the Guest VLAN.


  • Make sure a DHCP server is functioning in the network.
  • The L3 switch should have DHCP Smart Relay enabled and pointing at the DHCP server.
  • If your NPS server runs in a VM and the NPS service is not functioning even though it shows as running, stop and start the NPS service again.


Configure a RADIUS Server and WLC for Dynamic VLAN Assignment


Introduction

This document introduces the concept of dynamic VLAN assignment. The document describes how to configure the wireless LAN controller (WLC) and a RADIUS server to assign wireless LAN (WLAN) clients into a specific VLAN dynamically.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Have basic knowledge of the WLC and Lightweight Access Points (LAPs)
  • Have functional knowledge of the AAA server
  • Have thorough knowledge of wireless networks and wireless security issues
  • Have basic knowledge of Lightweight AP Protocol (LWAPP)

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 4400 WLC that runs firmware release 5.2
  • Cisco 1130 Series LAP
  • Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 4.4
  • Cisco Aironet Desktop Utility (ADU) that runs version 4.4
  • CiscoSecure Access Control Server (ACS) that runs version 4.1
  • Cisco 2950 series switch

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Dynamic VLAN Assignment with RADIUS Server

In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.

However, the Cisco WLAN solution supports identity networking. This allows the network to advertise a single SSID, but allows specific users to inherit different QoS or security policies based on the user credential.

Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as CiscoSecure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

Therefore, when a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes certain Internet Engineering Task Force (IETF) attributes to the user. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client. The SSID (WLAN, in terms of WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.

The RADIUS user attributes used for the VLAN ID assignment are:

  • IETF 64 (Tunnel Type): set this to VLAN.
  • IETF 65 (Tunnel Medium Type): set this to 802.
  • IETF 81 (Tunnel Private Group ID): set this to the VLAN ID.

In this section, you are presented with the information to configure the features described in this document.

Network Diagram

This document uses this network setup:

These are the configuration details of the components used in this diagram:

  • The IP address of the ACS (RADIUS) server is 172.16.1.1.
  • The Management Interface address of the WLC is 172.16.1.30.
  • The AP-Manager Interface address of the WLC is 172.16.1.31.
  • The DHCP server address 172.16.1.1 is used to assign IP addresses to the LWAPP. The internal DHCP server on the controller is used to assign the IP address to wireless clients.

VLAN10 and VLAN11 are used throughout this configuration. The user1 is configured to be placed into the VLAN10 and user2 is configured to be placed into VLAN11 by the RADIUS server.

Note:  This document only shows all the configuration information related to user1. Complete the same procedure explained in this document for the user2.

This document uses 802.1x with LEAP as the security mechanism.

Note:  Cisco recommends that you use advanced authentication methods, such as EAP-FAST and EAP-TLS authentication, in order to secure the WLAN. This document uses LEAP only for simplicity.

Configuration

Prior to the configuration, this document assumes that the LAP is already registered with the WLC. Refer to Wireless LAN Controller and Lightweight Access Point Basic Configuration Example for more information. Refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) for information about the registration procedure involved.

Configuration Steps

This configuration is separated into three categories:

  • RADIUS Server Configuration
  • Configure the Switch for Multiple VLANs
  • WLC Configuration
  • Wireless Client Utility Configuration

The RADIUS server configuration requires these steps:

  • Configure the WLC as an AAA Client on the RADIUS Server
  • Configure the Users and the RADIUS (IETF) Attributes Used for Dynamic VLAN Assignment on the RADIUS Server

Configure the AAA Client for the WLC on the RADIUS Server

This procedure explains how to add the WLC as a AAA client on the RADIUS server so that the WLC can pass the user credentials to the RADIUS server.

Complete these steps:

  1. From the ACS GUI, click Network Configuration.
  2. Click the Add Entry section under the AAA Clients field.
  3. Enter the AAA Client IP Address and Key.

     The IP address should be the Management Interface IP address of the WLC.

     Make sure that the key you enter is the same as the one configured on the WLC under the Security window. This is the secret key used for communication between the AAA client (WLC) and the RADIUS server.

  4. Choose RADIUS (Cisco Airespace) from the Authenticate Using field for the authentication type.

This procedure explains how to configure the users in the RADIUS server and the RADIUS (IETF) attributes used to assign VLAN IDs to these users.

From the ACS GUI, click User Setup .

In the User Setup window, enter a username in the User field and click Add/Edit .

On the Edit page, enter the necessary user information as shown here:

In this diagram, notice that the password you provide under the User Setup section should be the same as the one provided at the client side during the user authentication.

Scroll down the Edit page and find the IETF RADIUS Attributes field.

In the IETF RADIUS Attributes field, check the check boxes next to the three Tunnel attributes and configure the attribute values as shown here:

Note:  In the initial configuration of the ACS server, IETF RADIUS attributes might not be displayed.

Choose Interface Configuration > RADIUS (IETF) in order to enable IETF attributes in the user configuration window.

Then, check the check boxes for attributes 64, 65, and 81 in the User and Group columns.

Note:  In order for the RADIUS server to dynamically assign the client to a specific VLAN, it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC.

Check the Per User TACACS+/RADIUS attribute check box under Interface Configuration > Advanced Options in order to enable the RADIUS server for per user configurations.

Also, because LEAP is used as the Authentication protocol, ensure that LEAP is enabled in the System Configuration window of the RADIUS server as shown here:

Configure the ACS with Cisco Airespace VSA Attributes for Dynamic VLAN Assignment

In the latest ACS versions, you can also configure the Cisco Airespace [VSA (Vendor-Specific)] attribute to assign a successfully authenticated user with a VLAN interface name (not the VLAN ID) as per the user configuration on the ACS. In order to accomplish this, perform the steps in this section.

Note:  This section uses ACS 4.1 version to configure the Cisco Airespace VSA attribute.

Configure the ACS Group with Cisco Airespace VSA Attribute Option

From the ACS 4.1 GUI, click Interface Configuration from the navigation bar. Then, select RADIUS (Cisco Airespace) from the Interface Configuration page in order to configure the Cisco Airespace attribute option.

From the RADIUS (Cisco Airespace) window, check the User check box (Group check box if needed) next to Aire-Interface-Name in order to display it on the User Edit page. Then, click Submit .

Go to the user1's Edit page.

From the User Edit page, scroll down to the Cisco Airespace RADIUS Attributes section. Check the check box next to the Aire-Interface-Name attribute and specify the name of the dynamic interface to be assigned upon successful user authentication.

This example assigns the user to admin VLAN.

Click Submit .

In order to allow multiple VLANs through the switch, you need to issue these commands to configure the switch port connected to the controller:

Switch(config-if)# switchport mode trunk

Switch(config-if)# switchport trunk encapsulation dot1q

Note:  By default, most of the switches allow all VLANs created on that switch via the trunk port.

These commands vary for a Catalyst operating system (CatOS) switch.

If a wired network is connected to the switch, then this same configuration can be applied to the switch port that connects to the wired network. This enables the communication between the same VLANs in the wired and wireless network.

Note:  This document does not discuss inter-VLAN communication. This is beyond the scope of this document. You must understand that for inter-VLAN routing, a Layer 3 switch or an external router with proper VLAN and trunking configurations is needed. There are several documents that explain inter-VLAN routing configuration.

The WLC configuration requires these steps:

  • Configure the WLC with the Details of the Authentication Server
  • Configure the Dynamic Interfaces (VLANs)
  • Configure the WLANs (SSID)

Configure the WLC with the Details of the Authentication Server

It is necessary to configure the WLC so it can communicate with the RADIUS server to authenticate the clients, and also for any other transactions.

From the controller GUI, click Security .

Enter the IP address of the RADIUS server and the Shared Secret key used between the RADIUS server and the WLC.

This Shared Secret key should be the same as the one configured in the RADIUS server under Network Configuration > AAA Clients > Add Entry. Here is an example window from the WLC:

This procedure explains how to configure dynamic interfaces on the WLC. As explained earlier in this document, the VLAN ID specified under the Tunnel-Private-Group ID attribute of the RADIUS server must also exist in the WLC.

In the example, the user1 is specified with the Tunnel-Private-Group ID of 10 (VLAN =10) on the RADIUS server. See the IETF RADIUS Attributes section of the user1 User Setup window.

You can see the same dynamic interface (VLAN=10) configured in the WLC in this example. From the controller GUI, under the Controller > Interfaces window, the dynamic interface is configured.

Click Apply on this window.

This takes you to the Edit window of this dynamic interface (VLAN 10 here).

Enter the IP Address and default Gateway of this dynamic interface.

Note:  Because this document uses an internal DHCP server on the controller, the primary DHCP server field of this window points to the Management Interface of the WLC itself. You can also use an external DHCP server, a router, or the RADIUS server itself as a DHCP server to the wireless clients. In such cases, the primary DHCP server field points to the IP address of that device used as the DHCP server. Refer to your DHCP server documentation for more information.

Click Apply .

Now you are configured with a dynamic interface in your WLC. Similarly, you can configure several dynamic interfaces in your WLC. However, remember that the same VLAN ID must also exist in the RADIUS server for that particular VLAN to be assigned to the client.

This procedure explains how to configure the WLANs in the WLC.

From the controller GUI, choose WLANs > New in order to create a new WLAN.

The New WLANs window is displayed.

Enter the WLAN ID and WLAN SSID information.

You can enter any name to be the WLAN SSID. This example uses VLAN10 as the WLAN SSID.

Click Apply in order to go to the Edit window of the WLAN SSID10.

Normally, in a wireless LAN controller, each WLAN is mapped to a specific VLAN (SSID) so that a particular user that belongs to that WLAN is put into the specific VLAN mapped. This mapping is normally done under the Interface Name field of the WLAN SSID window.

In the example provided, it is the job of the RADIUS server to assign a wireless client to a specific VLAN upon successful authentication. The WLANs need not be mapped to a specific dynamic interface on the WLC. Even if the WLAN to dynamic interface mapping is done on the WLC, the RADIUS server overrides this mapping and assigns the user that comes through that WLAN to the VLAN specified under the user's Tunnel-Private-Group-ID attribute in the RADIUS server.

Check the Allow AAA Override check box in order to override the WLC configurations by the RADIUS server.

Enable the Allow AAA Override in the controller for each WLAN (SSID) configured.

When AAA Override is enabled, and a client has AAA and controller WLAN authentication parameters that conflict, client authentication is performed by the AAA (RADIUS) server. As part of this authentication, the operating system moves clients to a VLAN returned by the AAA server. This is predefined in the controller interface configuration.

For instance, if the corporate WLAN primarily uses a Management Interface assigned to VLAN 2, and if the AAA Override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100 even if the physical port to which VLAN 100 is assigned. When AAA Override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLAN does not contain any client-specific authentication parameters.

This document uses ADU as the client utility for the configuration of the user profiles. This configuration also uses LEAP as the authentication protocol. Configure the ADU as shown in the example in this section.

From the ADU Menu bar, choose Profile Management > New in order to create a new profile.

The example client is configured to be a part of SSID VLAN10. These diagrams show how to configure a user profile on a client:

Activate the user profile you have configured in the ADU. Based on the configuration, you are prompted for a username and password. You can also instruct the ADU to use the Windows username and password for authentication. There are a number of options from which the client can receive authentication. You can configure these options under the Security > Configure tab of the user profile you have created.

In the previous example, notice that user1 is assigned to the VLAN10 as specified in the RADIUS server.

This example uses this username and password from the client side to receive authentication and to be assigned to a VLAN by the RADIUS server:

User Name = user1

Password = user1

This example shows how the SSID VLAN10 is prompted for the username and password. The username and password are entered in this example:

Once the authentication and the corresponding validation is successful, you receive success as the status message.

Then, you need to verify that your client is assigned to the proper VLAN as per the RADIUS attributes sent. Complete these steps in order to accomplish this:

From the controller GUI, choose Wireless > AP .

Click Clients , which appears on the left corner of the Access Points (APs) window.

The client statistics are displayed.

Click Details in order to identify the complete details of the client, such as IP address, the VLAN to which it is assigned, and so forth.

This example displays these details of the client, user1:

From this window, you can observe that this client is assigned to VLAN10 as per the RADIUS attributes configured on the RADIUS server.

Note:  If the dynamic VLAN assignment is based on the Cisco Airespace VSA Attribute setting, the Interface name will display it as admin as per this example on the client details page.

Use this section to confirm that your configuration works properly.

debug aaa events enable —This command can be used to ensure successful transfer of the RADIUS attributes to the client via the controller. This portion of the debug output ensures a successful transmission of RADIUS attributes:

Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[0]: attribute 64, vendorId 0, valueLen 4
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[1]: attribute 65, vendorId 0, valueLen 4
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[2]: attribute 81, vendorId 0, valueLen 3
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[3]: attribute 79, vendorId 0, valueLen 32
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 Received EAP Attribute (code=2, length=32,id=0) for mobile 00:40:96:ac:e6:57
Fri Jan 20 02:25:08 2006: 00000000: 02 00 00 20 11 01 00 18 4a 27 65 69 6d e4 05 f5 ........J'eim...
00000010: d0 98 0c cb 1a 0c 8a 3c ........44 a9 da 6c 36 94 0a f3 <D..l6...
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[4]: attribute 1, vendorId 9, valueLen 16
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[5]: attribute 25, vendorId 0, valueLen 28
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 processing avps[6]: attribute 80, vendorId 0, valueLen 16
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 Tunnel-Type 16777229 should be 13 for STA 00:40:96:ac:e6:57
Fri Jan 20 02:25:08 2006: 00:40:96:ac:e6:57 Tunnel-Medium-Type 16777222 should be 6 for STA 00:40:96:ac:e6:57
Fri Jan 20 02:30:00 2006: 00:40:96:ac:e6:57 Station 00:40:96:ac:e6:57 setting dot1x reauth timeout = 1800
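The debug output above shows attributes 64, 65 and 81 arriving with raw values 16777229 and 16777222 rather than the 13 and 6 the attribute list earlier on this page calls for; that is the RFC 2868 tag octet (tag 1) prefixed to the value. The decoder below is an added example, not Cisco's, Zyxel's or Microsoft's code: it parses a constructed Access-Accept attribute section, strips the tag, and applies the checks the page states (Tunnel-Type VLAN, Tunnel-Medium-Type 802, and the VLAN already existing on the controller); the controller VLAN set and the authenticator's behaviour are assumptions.

```python
"""Decode the RFC 2868 tunnel attributes (IETF 64, 65, 81) in a RADIUS
Access-Accept and decide which VLAN the authenticator should apply.

Added example, not code from Cisco, Zyxel or Microsoft. The AVP bytes are
constructed to match the debug output above (attributes 64/65 with 4-byte
values, 81 with a 3-byte value); the controller's VLAN list is assumed.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type value "802"


def parse_avps(payload: bytes):
    """Split a RADIUS attribute section into (type, value) pairs.

    Each AVP is: 1 byte type, 1 byte length (header included), value.
    Truncated or impossible lengths are rejected instead of skipped.
    """
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated AVP header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps


def strip_tag_integer(value: bytes):
    """Tagged integer: the first octet is a tag when it is 0x00-0x1F.

    This is why the log shows Tunnel-Type 16777229 (0x0100000D): tag 1
    followed by VLAN (13). Returns (tag, integer); tag is None if untagged.
    """
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    raw = struct.unpack("!I", value)[0]
    if value[0] <= 0x1F:
        return value[0], raw & 0x00FFFFFF
    return None, raw


def strip_tag_string(value: bytes):
    """Tagged string (Tunnel-Private-Group-ID): leading octet <= 0x1F is a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")


def vlan_from_access_accept(payload: bytes, controller_vlans):
    """Return the VLAN ID to apply, or None if the reply must be ignored.

    Checks what the documents require: Tunnel-Type VLAN (13), Tunnel-Medium-
    Type 802 (6), all three attributes carrying the same tag, a numeric
    Tunnel-Private-Group-ID, and that VLAN already existing on the controller.
    """
    found = {}
    for atype, value in parse_avps(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = strip_tag_integer(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = strip_tag_string(value)
    if len(found) != 3:
        return None                      # one of the three attributes missing
    if len({tag for tag, _ in found.values()}) != 1:
        return None                      # mixed tags: not one tunnel group
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return None
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return None
    group_id = found[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group_id.isdigit():
        return None                      # interface names (VSA style) not handled here
    vlan = int(group_id)
    if vlan not in controller_vlans:
        return None                      # VLAN must exist on the WLC (see note above)
    return vlan


def avp(atype: int, value: bytes) -> bytes:
    """Encode one AVP; used only to build the constructed sample below."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample reply for user1 (VLAN 10), every attribute tagged 1, which
# yields the raw values 16777229 and 16777222 seen in the debug output.
SAMPLE_ACCEPT = (
    avp(TUNNEL_TYPE, struct.pack("!I", (1 << 24) | TUNNEL_TYPE_VLAN))
    + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", (1 << 24) | TUNNEL_MEDIUM_802))
    + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")
)

if __name__ == "__main__":
    print(vlan_from_access_accept(SAMPLE_ACCEPT, {10, 11}))  # 10
```

Replies that omit one of the three attributes, mix tags, or name a VLAN the controller does not have are returned as None, which mirrors the page's requirement that the VLAN in attribute 81 already exist on the WLC before a client is moved.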

These commands can also be useful:

debug dot1x aaa enable

debug aaa packets enable

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Note:  Dynamic VLAN assignment does not work for web authentication from a WLC.

Related Information

  • EAP Authentication with RADIUS Server
  • Cisco Wireless LAN Controller Configuration Guide, Release 4.0
  • Technical Support & Documentation - Cisco Systems

