How to implement RADIUS-based VLAN access control features on the Access Point
Each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back-end (for example, RADIUS-based) VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This is undesirable if the WLAN user is meant to be confined to a particular VLAN.
These are the two ways to implement RADIUS-based VLAN access control features:
RADIUS-based Service Set Identifier (SSID) access control.
After a successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the Access Point (AP) or bridge. If the SSID the user associated with is on the allowed SSID list, the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.
RADIUS-based VLAN assignment.
After a successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access is irrelevant because the user is always assigned to this predetermined VLAN-ID.
The figure shows both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control.
VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.
RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.
RADIUS user attributes used for VLAN-ID assignment are:
IETF 64 (Tunnel Type): Set this to "VLAN"
IETF 65 (Tunnel Medium Type): Set this to "802"
IETF 81 (Tunnel Private Group ID): Set this to VLAN-ID
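The following Python example is added here and is not from the original article or from the access point's software. It shows how the three attributes above are encoded in an Access-Accept and how an authenticator can validate them before overriding the SSID's default VLAN. The enumerated values 13 (VLAN) and 6 (IEEE-802) are taken from RFC 2868 and RFC 3580; the function names, the default VLAN 10 and the sample bytes are constructed for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # enumerated values from RFC 2868 / RFC 3580

def parse_attributes(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((a_type, blob[i + 2:i + a_len]))
        i += a_len
    return attrs

def assigned_vlan(attrs, ssid_default_vlan):
    """Return the RADIUS-assigned VLAN-ID, or the SSID default if none is sent."""
    found = {}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # Value is a 1-byte tag followed by a 3-byte enumerated value.
            found[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # The first byte is treated as a tag only when <= 0x1F;
            # otherwise it is already part of the VLAN-ID string.
            text = value[1:] if value[0] <= 0x1F else value
            found[a_type] = text.decode("ascii", "replace")
    if not found:
        return ssid_default_vlan  # no override: keep the SSID's default mapping
    # A partial or non-VLAN set is rejected instead of silently falling back.
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        raise ValueError("incomplete or non-VLAN tunnel attributes")
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        raise ValueError("invalid VLAN-ID")
    return int(vlan)

def attr(a_type, value):
    """Encode one attribute as type, length, value (helper for the sample)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample: the attributes an Access-Accept for John could carry.
JOHN_ACCEPT = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
               + attr(81, b"24"))
```

With the sample, `assigned_vlan(parse_attributes(JOHN_ACCEPT), 10)` returns 24 whichever SSID John used, while an Access-Accept carrying only part of the trio raises an error instead of placing the user on an unintended VLAN.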
RADIUS user attribute used for SSID access control is: