Dynamic VLAN from RADIUS server

#1

Has anyone tried the “Dynamic VLAN” from a RADIUS server?

I tried with FreeRadius and the AP successfully authenticated the devices but still connected them to the default VLAN of the group of the SSID.

I can see the info for the VLAN sent to the AP but it looks like it was ignored.

This is what I added to the user in FreeRADIUS “users” file:

    # reply items appended to the user's existing entry in "users"
    # (the entry's first line with the username and its check items is not shown here)
    Tunnel-Type             = VLAN,
    Tunnel-Medium-Type      = IEEE-802,
    Tunnel-Private-Group-Id = 100

And set the following in “eap.conf” in the “peap” section:

    use_tunneled_reply = yes

This is a very useful feature to have, so it would be nice to get it working.


#2

Useful to mention that I created additional groups with no IP and the VLAN tag that matches the ones assigned by the RADIUS server, but that didn’t work either.

And there is a DHCP server ready to assign IPs on those tagged networks.


#3

Hi, CyFo,

I think your original configuration is correct.
Just to confirm your scenario.

  1. Have a default untagged network group with an SSID using RADIUS.
  2. The RADIUS server gives VLAN ID 100 to the specific account that the Wi-Fi client is going to use.
  3. Have a VLAN100 network group on the GWN7610/7600 and a VLAN100 network available in your LAN setup.
  4. Remember to check the “Enable Dynamic VLAN (beta)” option below the Wi-Fi authentication configurations.

Please let me know if you have all these checked and still have issues.


#4

Yes. I was using an “Additional SSID” for this, and following your suggestion I also tried the main SSID of the network group, but got the same results (an IP from the untagged network.)


#5

I just updated the 7600 to 1.0.6.37 and no dice. The client keeps getting an IP from the untagged network.


#6

Hi, cyfo,

Just two points I want to confirm.

  1. Check whether you can see this in the server log when you run it in debug mode, to make sure the server passes the VLAN ID:

         Sending Access-Accept of xxx
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "100"

  2. Did you create another VLAN with ID 100 on the AP? You do not even need a broadcasting SSID for that VLAN100 network.
     The purpose of creating a VLAN 100 SSID (fw 1.0.6.x) / network group (fw 1.0.4.x or 1.0.5.x) is to create a VLAN100 interface on the GWN AP, so that when the client tags its packets with VLAN tag 100, the AP can forward them correctly to VLAN100’s interface, even if the client was authenticated through the default network group without VLAN.
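The debug lines above are FreeRADIUS's rendering of the three RFC 2868 tunnel attributes (the `:0` is the tag byte). The following is an added example, not code from the thread or from Grandstream: it builds a constructed Access-Accept with those attributes and checks, the way an AP must, that all three are present, carry the same tag, and say VLAN / IEEE-802 before trusting the VLAN ID. Packet layout and the attribute numbers 64, 65 and 81 follow RFC 2865/2868; the zeroed authenticator is a placeholder.

```python
import struct

# RFC 2868 attribute numbers and the enumerated values the "users" entry above yields.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2

def build_access_accept(vlan_id, tag=0, ident=1):
    """Constructed sample Access-Accept carrying the three tunnel attributes."""
    attrs = b""
    # Tagged integer attributes: one tag byte followed by a 3-byte big-endian value.
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        body = bytes([tag]) + value.to_bytes(3, "big")
        attrs += bytes([attr_type, 2 + len(body)]) + body
    # Tagged string attribute: one tag byte followed by the VLAN ID as ASCII text.
    body = bytes([tag]) + str(vlan_id).encode()
    attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    authenticator = b"\x00" * 16   # placeholder; a real reply carries an MD5 over the request
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from the TLV list after the 20-byte header."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, attrs = 20, []
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs

def check_dynamic_vlan(packet):
    """VLAN ID the reply assigns, or None if the tunnel attributes are missing or inconsistent."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    found = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte in 0x00..0x1F is a tag, otherwise it belongs to the string.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[attr_type] = (tag, text.decode("ascii", "replace"))
    if len(found) != 3 or len({t for t, _ in found.values()}) != 1:
        return None   # an attribute is missing or the tags do not match
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return int(found[TUNNEL_PRIVATE_GROUP_ID][1]) if found[TUNNEL_PRIVATE_GROUP_ID][1].isdigit() else None
```

Feeding it the Access-Accept from a packet capture of the AP's RADIUS exchange tells you whether the VLAN attributes actually reach the AP intact, separating a server-side problem from one on the AP.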


#7

I imagined that and tried with and without the additional network. In the future it shouldn’t need that additional network, because that defeats part of the purpose and might even hit a limitation on the number of networks configured in the WAP. But I can live with it.

Anyway, also attaching the values from “Access-Accept” with the VLAN in there as it should.

It was done with an Android phone.
