
How to Provision 802.1X Authentication Step by Step with Dynamic VLAN Assignment with Windows RADIUS Server for 802.1X Clients

IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server

IEEE 802.1X authentication with dynamic VLAN assignment from an NPS RADIUS server is an important element of real-world networking. User location cannot be predicted: people move between desks, meeting rooms and other areas as their work requires. Statically tying a port to a VLAN only works if users are bound to the desks in those locations, which, although the simplest outcome, is not the most practical.

It is wise to deploy IEEE 802.1X authentication with dynamic VLAN assignment in areas where you expect different teams to turn up. A meeting room may host the accounting group one moment and the development group the next; with dynamic VLAN assignment driven by 802.1X authentication, each user's port is placed in the VLAN that gives that user the appropriate access to resources on the network.


A typical configuration for a system under IEEE 802.1x Authentication control is shown in the following figure.

In this scenario, “Lady Smith” wishes to use services offered by servers on the LAN behind the switch. There are multiple VLANs, and the resources a user can reach depend on which VLAN she is placed in. Her laptop is connected to a port on the Aruba 2920 edge switch that has 802.1X port-access control enabled.

The laptop must therefore act in the supplicant role. EAP message exchanges take place between the supplicant and the authenticator (the Aruba 2920 switch). The switch does not validate anything itself; it relays the exchange, which carries her Windows Active Directory user account credentials, inside RADIUS to the authentication server. The NPS server, which is the authentication server, then tells the authenticator whether the authentication attempt succeeded, at which point “Lady Smith” is either denied access or granted access to the LAN behind the switch in the VLAN that NPS returns.

Setup Structure for IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server

  • Supplicant: Laptop running Microsoft Windows 10 or Windows 7
  • Authenticator: HP Aruba 2920 Edge Switch
  • Authentication Server: Microsoft NPS (Network Policy Server) running on Windows Server 2012 R2.
  • User Database : Active Directory

For Windows Infrastructure

Create NPS Server – Add Role on Windows Server 2012 R2

  • Create DHCP Scopes for VLANs

Create RADIUS Client for the Switch in Network Policy Server

  • Create Network Policies
  • Configure a Network Policy for VLANs
  • Start Wired AutoConfig Service
  • Enable Network Authentication

Create the DHCP Scopes for VLAN100 and VLAN200 Groups

  • Development Group Scope – VLAN 100
    SVI: ip address 172.16.80.254 255.255.255.0
    Scope subnet: 172.16.80.0/24
  • Accounting Group Scope – VLAN 200
    SVI: ip address 172.16.70.254 255.255.255.0
    Scope subnet: 172.16.70.0/24

Add Edge Switch Management IP as the RADIUS Client

Shared Secret Key: secret12

The same shared secret (secret12) is entered in the switch configuration. It is what authenticates the switch to NPS and what NPS uses to compute the authenticator on its replies, so the short lab value used here should be replaced in production by a long, random secret that is unique to each RADIUS client.

Create Network Policy Settings for Accounting Group for VLAN 200

Configuration Example

Here is an example of how to configure Microsoft NPS to assign users to a VLAN based on their user group, with NPS handling both authentication and authorization. This configuration has worked flawlessly on the HP Aruba 2920 switch. The key to making it work is the RADIUS attribute NPS calls ‘Tunnel-Pvt-Group-ID’ (Tunnel-Private-Group-ID, attribute 81 in RFC 2868). It is returned to the authenticator (the Aruba 2920 switch) by the authentication server (NPS) in the Access-Accept after a successful authentication, and it carries the VLAN the user should be assigned to. A few other attributes must accompany it, but this is the one that names the VLAN.

The attributes the NPS network policy must return are:

  • Tunnel-Pvt-Group-ID: 200 (the VLAN ID, sent as a string)
  • Service-Type: Framed
  • Tunnel-Type: VLAN (value 13)
  • Tunnel-Medium-Type: 802 (value 6)

Switches generally act on the group ID only when Tunnel-Type and Tunnel-Medium-Type are also present with these values; a reply carrying the group ID alone is ignored.
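The following added example (not code from the original post, Microsoft or Aruba) shows what this reply looks like on the wire: it encodes the four attributes above into an RFC 2865 Access-Accept protected by the Response Authenticator derived from the shared secret, then decodes the packet the way the authenticator does, verifying the authenticator before trusting the VLAN and checking that the three tunnel attributes carry the same tag. The shared secret secret12 is the page's; the RADIUS identifier and the Request Authenticator are constructed lab values.

```python
"""RFC 2865/2868 Access-Accept for VLAN steering: encode the reply attributes
an NPS network policy returns, then decode and verify them the way the
authenticator (the Aruba 2920 in the scenario above) does before moving the
port into the VLAN.  Added example, not code from the original post,
Microsoft or Aruba.  The RADIUS identifier and Request Authenticator below
are constructed lab values; the shared secret is the page's."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6            # RFC 2865, integer
ATTR_TUNNEL_TYPE = 64            # RFC 2868, tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65     # RFC 2868, tagged integer
ATTR_TUNNEL_PVT_GROUP_ID = 81    # RFC 2868 Tunnel-Private-Group-ID, tagged string
SERVICE_TYPE_FRAMED = 2
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(atype, value):
    """Type-Length-Value; Length counts the two header octets as well."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vlan_reply_attributes(vlan_id, tag=0):
    """The four reply attributes from the NPS policy.  RFC 2868 tagged
    integers are one tag octet plus a 3-octet value; tag 0 means untagged."""
    def tagged_int(value):
        return bytes([tag]) + value.to_bytes(3, "big")
    return (
        _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
        + _attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + _attr(ATTR_TUNNEL_PVT_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(attrs):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet, request_auth, secret):
    """Switch-side check.  Returns the VLAN ID, or None when the packet is not
    an authentic, well-formed Access-Accept carrying a consistent VLAN triple."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None                          # wrong secret or tampered in flight
    try:
        parsed = parse_attributes(attrs)
    except ValueError:
        return None
    ttype = tmedium = group = None
    for atype, val in parsed:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                return None
            pair = (val[0], int.from_bytes(val[1:], "big"))
            if atype == ATTR_TUNNEL_TYPE:
                ttype = pair
            else:
                tmedium = pair
        elif atype == ATTR_TUNNEL_PVT_GROUP_ID:
            # A first octet above 0x1F is data, not a tag (RFC 2868 section 3.6).
            if val and val[0] <= 0x1F:
                group = (val[0], val[1:])
            else:
                group = (0, val)
    if ttype is None or tmedium is None or group is None:
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmedium[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (ttype[0] == tmedium[0] == group[0]):
        return None                          # tags must bind the triple together
    try:
        return int(group[1].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


LAB_SECRET = b"secret12"                     # shared secret from the page
LAB_REQUEST_AUTH = bytes(range(16))          # constructed; really the 16 random
                                             # octets from the switch's Access-Request

if __name__ == "__main__":
    reply = build_access_accept(7, LAB_REQUEST_AUTH, LAB_SECRET,
                                vlan_reply_attributes(200))
    print("VLAN from NPS reply:", assigned_vlan(reply, LAB_REQUEST_AUTH, LAB_SECRET))
    forged = reply[:-3] + b"100"             # someone rewrites 200 -> 100 on the wire
    print("forged reply accepted:", assigned_vlan(forged, LAB_REQUEST_AUTH, LAB_SECRET))
```

Run as a script, the first line prints 200 and the second prints None: a reply whose VLAN digits were rewritten on the wire is rejected because the Response Authenticator no longer matches, which is exactly why the shared secret between switch and NPS has to stay unguessable. The same check also refuses a reply that carries only the group ID without Tunnel-Type and Tunnel-Medium-Type, mirroring the switch behaviour described above.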

For Client Infrastructure

On the supplicant (Windows 7 or 10), configure the Ethernet adapter as follows to enable IEEE 802.1X authentication: start the Wired AutoConfig service (dot3svc) so that the Authentication tab appears in the adapter's properties, then enable IEEE 802.1X authentication on that tab and choose the network authentication method that matches the NPS network policy.

For Network Infrastructure

Connect Server Infrastructure to VLAN 400

Create VLAN for Accounting Group

Create VLAN for Development Group

Create AAA Configuration on Switch for Radius Authentication

Download the Switch Configuration:

Test the IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server

Verify Port-Access with the following user groups – VLAN 100 and VLAN 200

Think of what other clever things you can do with the information below.

Breakdown of Commands for RADIUS Authentication

Verification Commands



Segmenting Your Network with Dynamic VLAN

What is Dynamic VLAN?

VLANs (Virtual Local Area Networks) enable segmentation of the main organizational network. In practice, VLANs allow network administrators to keep devices and network resources separated despite being connected to the same physical network.

Dynamic VLAN assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. The flow of traffic between those VLANs is governed by a firewall or another routing device which can then enforce specific network access rules.

Why Use Dynamic VLANs?

Segmenting the network is a security best practice, and in some cases a regulatory requirement, as with PCI DSS. Network segmentation improves the effectiveness of existing investments in other security tools, and on its own limits the damage an attacker can do to critical organizational data across the network once a company has been breached.

Automating VLAN assignment and eliminating manual intervention has historically been a challenge for network security teams. Today, automatic VLAN assignment is best implemented with a RADIUS service, which works as follows:

  • A device connects to one of the network access layers: a wired Ethernet switch port or a Wi-Fi SSID.
  • The access layer sends a request to the RADIUS server carrying the user’s credentials or certificate (using 802.1X).
  • The RADIUS server replies with attributes that tell the switch or access point which VLAN the device belongs in, and the device is placed in that VLAN.

Common Dynamic VLAN Assignment Use Cases

Network and security administrators most commonly encounter these use cases for dynamic VLAN assignment:

  • The Sales & Marketing department does not need access to R&D resources, and R&D should not have access to Finance resources. With dynamic VLANs, each department is placed in the VLAN that gives it the access it requires.
  • Devices that fail to authenticate because of wrong credentials or an incorrect or expired certificate are placed in a quarantine VLAN with internet access only.
  • IP phones use a dedicated voice VLAN and should be placed on it upon successful authentication.
  • Devices that do not support 802.1X and are admitted by MAC authentication bypass (MAB) should be placed in their own dedicated VLAN.
  • Devices that fail posture assessment (for example, without up-to-date antivirus) should be placed in a quarantine VLAN with limited access.
  • Employees connect to a single Wi-Fi SSID and get different access (VLANs) based on their LDAP groups in the authentication repository.

Dynamic VLAN Assignment with Portnox CLEAR

As mentioned earlier, implementing dynamic VLAN assignment has often been challenging for organizations because additional servers were needed on-site in the datacenter, forcing network teams to manage redundancy, complex configurations and ongoing maintenance.

To paint a clearer picture of this headache, consider connecting a new department or branch, or simply onboarding many new employees at once: the surge in authentication demand can overwhelm an undersized RADIUS deployment, and the whole network effectively “shuts down”, accepting nobody who tries to connect.

Portnox CLEAR is a network access control solution, delivered as a cloud service, that covers all of the use cases above and more. CLEAR simplifies the implementation of dynamic VLAN assignment: you can set up a cloud RADIUS server in a single click, integrate with authentication repositories such as on-premises Active Directory, Azure AD, GSuite and OKTA, and enforce your own access control policy to assign users to their respective VLANs dynamically.

In addition to VLAN assignment based on credential authorization, CLEAR also supports dynamic VLAN assignment based on risk violations: a device that has authenticated successfully to the wired or wireless network can still be moved to a dedicated VLAN if it falls out of compliance.

dynamic vlan assignment in Portnox CLEAR

In the diagram above:

  • PCs are dynamically assigned to a VLAN based on their credentials or certificate.
  • IP phones are assigned to the VoIP VLAN.
  • Printers are assigned to the printers VLAN.
  • Guest devices are assigned to the internet-only access/quarantine VLAN.

How it Works – Setting up Dynamic VLAN Assignment in Portnox CLEAR:

1. Enable cloud RADIUS.

In the CLEAR portal, create your one-click cloud RADIUS server: go to Settings > Services > CLEAR RADIUS Service and add your RADIUS service instance.

Then point your network equipment (wired switches and/or wireless controllers) at the CLEAR RADIUS service using these details.

2. Creating an Access Control Policy – Dynamic VLAN Assignment:

In Policies > Access Control Policies , add or edit your existing access control policy, select the required access layer and add the correct VLAN ID or VLAN name for each event you want to create dynamic VLAN assignment for: successful authentication, authentication violation, risk assessment, blocked by admin. Then, map the access control policy to the relevant groups and users.


Dynamic VLANs with RADIUS

Written by Ryan Squires on January 17, 2019


Creating dynamic VLANs with RADIUS is a powerful security concept, but one that is difficult to implement. A lot of variables go into its setup; components such as wireless access points (WAPs), RADIUS servers and identity providers (IdPs) each contribute to the complexity. The good news is that there is a next-generation cloud identity management platform that is making VLAN steering easier to execute than ever before.

What is Dynamic VLAN Assignment?


Dynamic VLAN assignment is a great way for IT organizations to step up their network security efforts. The idea is that users, or groups of users, are placed into different VLANs, segmented chunks of the same network, to increase security. For example, the sales team does not need to be on the same VLAN as the developers, and vice versa. That means that if a bad actor were to gain access to the sales VLAN, they still could not reach other segments of that network, like the development VLAN. Effectively, this gives IT admins the ability to limit the attack surface on a given network. Less attack surface, less potential for problems.

VLAN and RADIUS Implementation


So, while the benefits of dynamic VLANs with RADIUS are hard to overstate, the implementation process can present quite a challenge to IT admins. Segmenting a network can be done through the Wi-Fi infrastructure or through the network switches and routers. Users and groups of users are assigned VLANs, and those assignments are placed in the RADIUS server, which is backed by an identity provider that validates credentials. All of these components (network gear, RADIUS servers, directory services and even endpoints) need to be tied together for dynamic VLAN assignment to work effectively. That can be a tall order for many IT organizations, which is why the adoption of network segmentation has not been nearly as high as it should be.

A Cloud-based Security Booster


Thankfully, a new generation of identity and access management solution is taking the heavy lifting out of implementing dynamic VLAN assignment with RADIUS. With an on-board RADIUS server and directory service, this cloud IAM platform has the majority of the identity and networking components ready to use. Assuming IT admins have WAPs with VLAN capability, they simply point their compatible WAPs at the cloud RADIUS solution and load their users into the cloud directory; the Directory-as-a-Service platform takes care of the rest. This ability is just one facet of JumpCloud’s security offering. With the ability to automate SSH key management, execute remote policy and command deployment, and enable True Single Sign-On™, your users will stay safe and your organization secure.

Learn More About JumpCloud

Directory-as-a-Service

If you’re ready to enjoy the benefits of dynamic VLANs with RADIUS without all the heavy lifting, sign up for a free JumpCloud account today. With a free JumpCloud account, you’ll be able to test all the functionality of JumpCloud while managing up to 10 users for free. Be sure to check out our Knowledge Base and YouTube channel for more information.


Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.


Dynamic VLAN Assignment for Cloud RADIUS

The landscape of cybersecurity is always changing, but there are a few constants. One unchanging aspect is the use of VLANs as a primary method of segmenting users and network resources. Like the local area network it emulates, a VLAN is a useful tool for isolating sensitive resources and sheltering them from the risk created by unnecessary access.

Our networks are becoming increasingly virtual, as illustrated by the industry trend of moving to the cloud. That makes VLANs more important than ever and, fortunately, VLAN technology is keeping pace. In this article we discuss the methods through which users are assigned to VLANs and how to automate the process for ease of use and increased security.

What is Dynamic VLAN Assignment?

Dynamic VLAN assignment, also referred to as “VLAN steering”, is exactly what it sounds like. The process of assigning users or groups of users to a VLAN can be handled by a RADIUS server at the time of authentication, though the infrastructure and expertise needed for dynamic VLAN assignment has historically been an obstacle for smaller organizations.

Why use Dynamic VLAN Assignment?

The default state of a wireless (or wired) network is sometimes described as “flat”. Every user in the organization is tossed into a shared network that also contains all of the resources that organization has (files, data, source code, applications, etc.). Everyone potentially has access to everything, even if there is another login portal between them and, say, the payroll system. 

That’s an unnecessary risk. Developers need access to very sensitive resources like the source code for their app, but that doesn’t imply that they require access to everything that is less confidential. It’s a basic tenet of security, cyber or not, to restrict access to only people that require it.

Those are the guiding principles that lead us to implement VLANs, but the “dynamic assignment” portion of dynamic VLAN assignment is equally important. There needs to be an automated process by which users are automatically shunted to the appropriate VLAN. Relying on IT to manually assign VLANs is short-sighted – humans are fallible and it doesn’t scale past a couple dozen users.

RADIUS Attributes for Dynamic VLAN Assignment

That is why we configure a RADIUS server to assign users for us. It already has the responsibility of authenticating and authorizing users for network access, so it is a relatively simple task to have it return, along with the accept, the attributes that tell the switch or access point which VLAN to put the user in.

How does a RADIUS server decide where to send the user? By the attributes assigned to them. Attributes are often stored as part of the user profile in the directory, or as part of the device/client profile for MAC authentication. SecureW2’s Cloud PKI can even add attributes to digital certificates for seamless certificate-based EAP-TLS authentication with dynamic VLAN assignment.

The majority of VLAN assignment is done by configuring these 3 attributes:

  • Tunnel-Type
  • Tunnel-Medium-Type
  • Tunnel-Private-Group-ID

SecureW2’s Cloud RADIUS supports additional VLAN assignment attributes such as:

  • Custom groups

These additional parameters allow you an even greater degree of control and flexibility in assigning users to VLANs so that you can efficiently maximize your network security.

Which RADIUS for Dynamic VLAN Assignment?

Most, though not all, RADIUS servers can be configured to support dynamic VLAN assignment. Keep in mind the other needs of your organization when choosing which to configure. 

Microsoft’s NPS is a popular DIY RADIUS solution because many organizations are already using a Microsoft environment. The ubiquitous Active Directory remains one of the most popular identity providers even though it’s mostly incompatible with many cloud-based applications and services  (including Microsoft’s own Azure AD). The lack of compatibility with cloud services more or less eliminates NPS as a choice. 

FreeRADIUS is another DIY RADIUS which actually is able to interact with cloud directories and the like. Unfortunately, the lack of a GUI is a turn off for most enterprises that want deep customizability and reporting.

SecureW2’s Cloud RADIUS is equipped with the latest in VLAN technology. Our Dynamic Policy Engine enables the RADIUS to make runtime-level policy decisions by directly referencing user attributes stored in any directory (including cloud directories like Google, Azure, and Okta). Not only does this reinforce the network segmentation of VLAN, but it also enables passwordless authentication for any cloud directory via the use of digital certificates. 

If your organization already has an 802.1X network, SecureW2’s turnkey solutions can integrate into your network without any forklift upgrades. If you’re still considering the transition to a secure WPA2-Enterprise network, you’ll be interested in our managed Cloud PKI which has all the components necessary for top-of-the-line X.509 digital certificate security right out of the box. 

We have affordable options for organizations of all sizes. See our pricing here.


Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.


Configuration Guide on Dynamic VLAN with the VLAN Assignment function of RADIUS


OC200 , OC300 , Omada Software Controller , Omada Cloud-Based Controller

The "This Article Applies to" section is not updated in a timely manner, to determine if your model supports a specific feature, please refer to the Specifications page of the corresponding product on the TP-Link website.

With the VLAN Assignment feature of RADIUS, the Omada SDN solution can put clients authenticated with different accounts into the corresponding VLANs. Clients then obtain IP addresses from different VLANs, and you do not have to create many SSIDs bound to different VLANs for wireless networks, or bind the PVIDs of switch ports to specific VLANs for wired networks.

To achieve this, you need the Omada SDN Controller, an EAP (access point) for wireless assignment, a JetStream switch for wired assignment, and an external RADIUS server. This article walks through the configuration for the network topology below.

Step 1. Set up the RADIUS server.

Here we run a FreeRADIUS ® server on a Linux server. For more information on installation and configuration, please refer to the official website: https://freeradius.org/

First, edit the “clients.conf” file: add the network access devices as a client with the IP range “192.168.0.0/24” and the shared secret “tplink”. Any host in that /24 that knows the secret can then submit authentication requests as if it were an access point or switch, so in production prefer one client entry per device (or per management subnet) with a long random secret rather than the lab value used here.

Next, edit the “users” file and create two accounts, “test10” and “test20”, assigned to VLAN10 and VLAN20 respectively by returning Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id.

You may also edit “eap.conf” to change the EAP type used for WPA-Enterprise. After configuration, run the RADIUS server so that it listens for access requests.
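The two files as they would read after Step 1, added here as an example of FreeRADIUS 3.x syntax rather than copied from TP-Link's screenshots: the client range and secret are the page's; the section name omada_lan, the Cleartext-Password values and the file locations are assumptions.

```text
# /etc/raddb/clients.conf (Debian/Ubuntu: /etc/freeradius/3.0/clients.conf)
# Omada access points and switches allowed to send RADIUS requests.
# The /24 and the secret "tplink" are the page's lab values; in
# production use one client block per device with a long random secret.
client omada_lan {
        ipaddr = 192.168.0.0/24
        secret = tplink
}

# /etc/raddb/users (a symlink to mods-config/files/authorize)
# One entry per account: check item on the first line, reply items
# indented below it, comma-terminated except for the last one.
# Passwords are assumed; the page does not give them.
test10  Cleartext-Password := "test10-Passw0rd"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

test20  Cleartext-Password := "test20-Passw0rd"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

With the server running in debug mode (radiusd -X), radtest test10 'test10-Passw0rd' 127.0.0.1 0 testing123 (testing123 being the default localhost client secret) should return an Access-Accept listing the three tunnel attributes, which confirms the users entries before any Omada device is involved. The same entries are consulted by the inner-tunnel virtual server for PEAP/MSCHAPv2, so the Cleartext-Password form works for WPA-Enterprise logins as well.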

Step 2. Create the RADIUS profile.

Go to Authentication --- RADIUS Profile, create a new profile bound with the RADIUS server, and check “Enable VLAN Assignment for Wireless Network” to assign VLANs for wireless clients.


Step 3. Create more VLANs for VLAN assignment.

Assuming all Omada devices have been adopted by the controller, go to Settings --- Wired Networks --- LAN and create two interfaces, VLAN10 and VLAN20.

Step 4. VLAN assignment for wireless networks.

Go to Settings – Wireless Networks, and create a new SSID with WPA-Enterprise as below. For differences between WPA-Personal and WPA-Enterprise, please refer to FAQ500 .


When connecting your client to the SSID, you will be asked to choose the authentication type of WPA-Enterprise, and enter the account username and password. After successfully authenticating with account “test10”, the client will obtain an IP address from VLAN10, while with account “test20”, it will get that from VLAN20.

Step 5. VLAN assignment for wired networks.

Go to Authentication --- 802.1X and enable the feature, select Authentication Type “Port Based”, enable “VLAN Assignment” and check the ports to be authenticated according to your requirements.

Note that clicking a port twice enables MAB (MAC authentication bypass) for it; for 802.1X authentication, click each port only once.

Then go to Wired Networks --- LAN --- Profile, create a new port profile, add VLAN10 and VLAN20 as untagged networks, and make sure the 802.1X Control mode is Auto.

Then go to Devices, click your switch, go to Ports, check the authentication ports, and batch edit them to change the port profile to the one you just created.

For 802.1X authentication, you may need to run the TP-Link 802.1X Client Software (click here to download). Please refer to FAQ787, Step 3, for detailed guidance.

FAQ How to configure dynamic vlan assignment via radius

Issue description.

  • Documentation
  • Software Download
  • Write an article

TP-Link

  • Business Community
  • Knowledge Base
  • Controllers
  • Surveillance
  • Accessories
  • Requests & Suggestions
  • Official Announcements
  • General Discussion
  • Safestream Routers
  • Pharos Wireless Bridges

Configuration Guide on Dynamic VLAN with the VLAN Assignment function of RADIUS

With the VLAN Assignment feature of RADIUS, the Omada SDN solution can put clients authenticated by different accounts to the corresponding VLANs. In this way, clients will obtain IP addresses from different VLANs, and you don't have to create many SSIDs bound with different VLANs for wireless networks, or bind the PVIDs of the switch ports to specific VLANs for wired networks.

To achieve the above features, you will need the Omada SDN Controller, EAP for wireless assignment, JetStream Switch for wired assignment, and an external RADIUS server. In this article, we will share the configuration guide for below network topology.

dynamic vlan assignment with radius server

Step 1. Set up the RADIUS server.

Here we run a FreeRADIUS ®  server on a Linux server.

For more information on installation and configuration, please refer to the official website: https://freeradius.org/

First, edit the “ clients.conf ” file, set the client IP address as “192.168.0.0/24” and  the password as “tplink”.

dynamic vlan assignment with radius server

Next, edit the “ users ” file, create two accounts “test10” and “test20” in VLAN10 and VLAN20, respectively.

dynamic vlan assignment with radius server

You may also edit the “ eap.conf ” to modify the EAP type for  WPA-E nterprise . After configuration, run the RADIUS server to listen for the access requests.

Step 2. Create the RADIUS profile.

Go to Authentication --- RADIUS Profile, create a new profile bound with the RADIUS server, check “Enable VLAN Assignment for Wireless Network” to assign VLANs for wireless clients.

dynamic vlan assignment with radius server

Step 3. Create more interfaces for VLAN assignments.

Assuming all Omada devices have been adopted by the controller, go to Settings -- Wired Networks -- LAN, and create two interfaces with VLAN10 and VLAN20.


Step 4. VLAN assignment for wireless networks.

Go to Settings – Wireless Networks, create a new SSID with WPA-Enterprise as below.


For differences between WPA-Personal and WPA-Enterprise, please refer to FAQ500.

When connecting your client to the SSID, you will be asked to choose the authentication type of WPA-Enterprise, and enter the account username and password. After successfully authenticating with account “test10”, the client will obtain an IP address from VLAN10, while with account “test20”, it will get that from VLAN20.

Step 5. VLAN assignment for wired networks.

Go to Authentication --- 802.1X and enable the feature, select Authentication Type “Port Based”, enable “VLAN Assignment” and check the ports to be authenticated according to your requirements. Then go to Devices, click your switch, go to Ports, check the authentication ports, and batch edit them to change the 802.1X Control to “Auto” mode.


For 802.1X authentication, you may need to run the TP-Link 802.1X Client Software (click here to download) on the client.

Please refer to FAQ787 and Step 3 for detailed guidance.

Related Articles: How to configure the NPS to manage RADIUS authentication with Omada Controller?



@MatthiasLoi Which RADIUS server are you using? I have 37 Omada APs with RADIUS authentication via Microsoft NPS and it works.

My problem is that dynamic VLAN assignment sometimes fails.




IT Capture

Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

Configuration Example

Here’s an example of how to configure NPS to assign users to a VLAN based on their user group, using NPS for the authentication and authorization of users. The key to getting this to work is the use of a RADIUS element called ‘Tunnel-PVT-Group-ID’. This is a RADIUS attribute that may be passed back to the authenticator (i.e. the WLC or AP) by the authentication server (i.e. NPS) when a successful authentication has been achieved. There are a few other elements which need to accompany it, but this is the key element, as it specifies the VLAN number that the user should be assigned to. The other elements that need to be returned by NPS are:

  • Service-Type: Framed
  • Tunnel-Type: VLAN
  • Tunnel-Medium-Type: 802
  • Tunnel-PVT-Group-ID: <VLAN Number>
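The four attributes above are the same ones a FreeRADIUS “users” entry for test10/test20 in the Omada guide earlier on this page has to return, and the ones the NPS policies below send back. The following is an added example, not code from either article: it encodes them into RADIUS attribute TLVs and decodes an Access-Accept body back into a VLAN number, applying the RFC 2868 rule that a first octet above 0x1F in Tunnel-Private-Group-ID is string data rather than a tag. Type codes and enumerated values come from RFC 2865/2868; all byte strings used with it are constructed.

```python
import struct

# Type codes (RFC 2865 Service-Type, RFC 2868 Tunnel-*) and the values the article lists.
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 6, 64, 65, 81
SERVICE_TYPE_FRAMED, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 2, 13, 6

def _attr(code, payload):
    """One RADIUS TLV: type octet, length octet (header included), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(payload) + 2]) + payload

def vlan_assignment_attrs(vlan_id, tag=0):
    """Attributes an Access-Accept carries to place the client in vlan_id.
    Tunnel-Type/Tunnel-Medium-Type are tagged integers (tag octet + 3-octet value);
    Tunnel-Private-Group-ID is a tagged string: the VLAN as decimal text, not binary."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    tagged_int = lambda v: bytes([tag]) + struct.pack("!I", v)[1:]
    return b"".join([
        _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        _attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        _attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802)),
        _attr(TUNNEL_PVT_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ])

def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def vlan_from_access_accept(data):
    """VLAN ID the authenticator should apply, or None when no single tag group carries
    VLAN + 802 + a valid Group-ID (the NAS then falls back to the port/SSID default VLAN)."""
    by_tag = {}
    for code, value in parse_attrs(data):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4 and value[0] <= 0x1F:
            by_tag.setdefault(value[0], {})[code] = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_PVT_GROUP_ID and value:
            # RFC 2868: a first octet above 0x1F is not a tag but the start of the string
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[code] = text
    for group in by_tag.values():
        text = group.get(TUNNEL_PVT_GROUP_ID, b"").decode("ascii", "replace")
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and group.get(TUNNEL_MEDIUM_TYPE)
                == TUNNEL_MEDIUM_802 and text.isdigit() and 1 <= int(text) <= 4094):
            return int(text)
    return None
```

Feeding the decoder the attribute section of a captured Access-Accept shows whether the server actually sent a complete VLAN triple, which separates a RADIUS policy problem from a switch or AP configuration problem.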

We’ll have a look at how we specify each of these attributes in an NPS policy. For our example, we’ll assign all ‘staff’ users to VLAN 10 and all ‘student’ users to VLAN 20. Here is an overview of what the network might look like (this is obviously very simplified, but gives an overview of the type of thing that might be achieved):


VLAN 10 has an ACL (access control list) that allows users on this VLAN to access all systems across the school network. (The ACL would generally be configured on the layer 3 switch or router that interconnects the school VLANs.) VLAN 20 has an ACL which only allows access to the learning system VLAN and Internet-related services. By studying the example above, you can see that if we can control a user’s VLAN assignment based on their AD group membership, we can ensure that they only receive the network access to which they are entitled (purely via their AD group membership). Also, note that this is all being done on a single SSID (“School” in this case). Now we’ll take a look at how we achieve this using NPS.

NPS Configuration

To configure NPS to provide the VLAN assignments outlined above, we will create 2 policies within NPS:

  • School Wireless – Staff (to assign members of the staff AD group to VLAN 10)
  • School Wireless – Students  (to assign members of the students AD group to VLAN 20)

The screenshots below outline the configuration required. Here is the policy summary screen within NPS. Note that when configuring multiple policies, the order of the policies is important. Policies are assessed top-down, so make sure the policies that need to be hit are enabled and above any disabled policies.


Staff Policy

1. Create the policy and enable it:


2. Add the NAS type and AD group membership conditions (must be members of the staff group):


3. Select and configure an EAP type (note this may be PEAP or EAP-TLS – we’ve shown PEAP just as an example):


4. Configure the settings for this policy to assign any users which match this policy to VLAN 10:


Students Policy

1. Create the policy and enable it:


2. Add the NAS type and AD group membership conditions: (must be members of the students group to match this policy)


4. Configure the settings for this policy to assign any users which match this policy to VLAN 20:


Once NPS has been configured with policies similar to those shown above, users can be dynamically assigned to an appropriate VLAN based on their AD group membership.  As we’ve already discussed, this provides great benefits in reducing additional overheads associated with multiple SSIDs on a WiFi network. In addition, it simplifies user wireless management by allowing all users to be configured with a single wireless client profile, with their access being configured via Microsoft AD. One caveat to note when trying to use this technique is that all users must be using the same security mechanisms to join the SSID. For instance, all users must be using 802.1x (EAP) – you can’t have a mix of PSK & 802.1x authenticated devices on the same SSID. Generally, they should also be using the same WPA version (i.e. WPA or WPA2).




IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server, published 25th February 2019 by Samuel O.
