Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

How to implement RADIUS-based VLAN access control features on the Access Point

Introduction:-

How to implement RADIUS-based VLAN access control features on the Access Point.

Resolution:-


Each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.

These are the two ways to implement RADIUS-based VLAN access control features:

  • RADIUS-based Service Set Identifier (SSID) access control.

After a successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the Access Point (AP) or bridge. If an SSID is used on the allowed SSID list, the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.

  • RADIUS-based VLAN assignment.

After a successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used for WLAN access is irrelevant because the user is always assigned to this predetermined VLAN ID.

As shown in the Figure, both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control. VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.

RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.

RADIUS user attributes used for VLAN-ID assignment are:

  • IETF 64 (Tunnel Type): Set this to "VLAN"
  • IETF 65 (Tunnel Medium Type): Set this to "802"
  • IETF 81 (Tunnel Private Group ID): Set this to VLAN-ID

RADIUS user attribute used for SSID access control is:

  • Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair

    • Example: Configure the above attribute to allow a user to access the WLAN using "Engineering" and "Marketing" SSIDs only:
    • ssid = Engineering
    • ssid = Marketing

For more information, refer to Wireless Virtual LAN Deployment Guide.


For more information on SSID based user authentication, refer to the How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:26 PM
Updated by: