What's a VLAN?
A VLAN (virtual LAN) is an isolated broadcast domain used to co-locate multiple logical networks on the same physical network. Network administrators use VLANs to easily separate networks sharing the same physical interfaces. There are many useful applications of VLANs on wired and wireless networks, but for the purpose of this example we are going to focus on wireless client/user isolation using both static and dynamic VLANs in a theoretical school campus application.
Please note: All config examples below are done via the local device UI. You can also create these configs via the cloud controller. These are generic example configs and are not to be considered best practices for any specific application of network design. Any VLANs, RADIUS servers, user credentials, etc. must be supported by the rest of the network infrastructure; that is beyond the scope of this conversation.
A static VLAN is a VLAN that is fixed to a particular network interface, in this instance a wireless AP SSID. Using VLAN tagging, we will create SSIDs for Students and Staff and assign them to different VLANs. When a Student or Staff member associates to their appropriate SSID, their traffic will be tagged with their corresponding VLAN ID and given the appropriate IP/routing/resources from the upstream router.
The first step is to create the VLANs that will be used to tag the SSIDs, on the Wireless -> VLAN Settings page. In this example, VLAN 40 is for Students and VLAN 50 is for Staff.
The second step is to create the corresponding SSIDs, one for Students and one for Staff, on the appropriate Wireless -> Radio page. To implement the VLAN tag, set the Network Behavior field to “VLAN Tag Traffic” and set the VLAN ID to the appropriate tag. The example below is the configuration for the Students SSID.
And that’s basically all there is to it. When a Student associates to the Student SSID, their traffic will be tagged with VLAN ID 40 and put into that VLAN upstream.
In the example above, each user logging into a particular SSID will be given the same VLAN ID and network resources as anyone else on that SSID. However, what if we wanted much more granular control of the network resources allocated to each user? In this case, we can use dynamic VLANs in conjunction with 802.1X Enterprise authentication to assign individual VLANs to users when they authenticate. By doing so, each user can then be given access to as few or as many resources as the network administrator deems necessary. This also means that users can have individual access to specific peripherals that reside anywhere on the network (explained in more detail in the next section).
To configure dynamic VLANs, let’s assume that there already exists an 802.1X WPA/WPA2 Enterprise authentication mechanism (RADIUS server) on the network that has all of the user accounts in place. This server needs to be configured to allow dynamic VLANs to be used. You can set it up to hand out a specific VLAN for anyone in a specific group, individual
We have tested with FreeRADIUS and Microsoft Server 2003/2012-R2 RADIUS servers. Most RADIUS servers follow the RFCs pretty closely, so while individual configurations may differ, the AP will be looking for the following dynamic VLAN RADIUS attributes from the server for the user:
Tunnel-Type = “VLAN”
Tunnel-Medium-Type = “IEEE-802”
Tunnel-Private-Group-ID = “X”, where X is the desired VLAN ID for the group/user
If your server does not have the above named values defined and uses the numeric RFC values instead, use:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = “X”, where X is the desired VLAN ID for the group/user
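As an added example (not IgniteNet code and not the AP’s actual implementation), the following Python decodes those three attributes from the body of a RADIUS Access-Accept the way an AP has to before placing a client in a VLAN, handling the RFC 2868 tag octet, the numeric forms listed above, and replies that carry no usable assignment. The sample reply is constructed here, not captured traffic.

```python
# Added example, not IgniteNet/FreeRADIUS code: decode RFC 3580 dynamic-VLAN attributes from a RADIUS Access-Accept body.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attribute codes
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                        # dictionary names "VLAN", "IEEE-802"

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts all three fields."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(body: bytes) -> list:
    """Split the attribute list after the 20-byte RADIUS header into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs

def split_tag(value: bytes):
    """RFC 2868: a first octet of 0x00-0x1F is a grouping tag; anything else is untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def dynamic_vlan(attrs):
    """Return the VLAN ID to apply, or None if no complete, valid assignment is present (AP keeps SSID default)."""
    groups = {}
    for atype, raw in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(raw)
            groups.setdefault(tag, {})[atype] = val
    for tag in sorted(groups):            # first complete and valid tag group wins
        grp = groups[tag]
        if len(grp) != 3:
            continue                      # all three attributes are required
        if (int.from_bytes(grp[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(grp[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802):
            continue                      # not a VLAN assignment for an 802 medium
        try:
            vid = int(grp[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue                      # a VLAN *name* would need a local lookup table
        if 1 <= vid <= 4094:
            return vid
    return None

# Constructed sample reply (not captured traffic): Physics TA group member, VLAN 1045, untagged attributes.
TA_ACCEPT = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"1045"))
```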
From an AP configuration perspective, all that needs to be done is set up the SSID for WPA-EAP authentication, enter the RADIUS authentication server info, and set the Network Behavior to “Dynamic VLAN”.
In the above example, the Staff SSID is configured to authenticate the users against the RADIUS authentication server at 10.10.10.15. Once the Staff user is authenticated, they will be given the assigned VLAN ID from their RADIUS profile and will have access to the corresponding resources.
Peripheral RADIUS MAC Authentication with dynamic VLANs
In the above implementation, a Staff member authenticates to the network and gets a specific VLAN ID. For the sake of discussion, let’s say her name is Susan and she works in the Physics department as a grad student TA. She and all the other Physics department grad student TAs have access to the same network printer in the basement of the Physics building. Using RADIUS authentication and dynamic VLANs, all of the Physics department grad student TAs are placed in the same user group and assigned the VLAN ID 1045. If their network printer is hooked to the network (via Ethernet cable to a switch port with a VLAN ID tag of 1045), Susan and all the other TAs will be on the same VLAN ID as the printer and can print to this printer from anywhere on the wireless network throughout campus.
Let’s now consider the case where there is a mobile peripheral that is shared amongst the other TAs, for instance an Ethernet/wifi-enabled test meter on a mobile instruments platform. Only Susan and the other TAs are to have access to this device from their computers. As this device is mobile, plugging into Ethernet ports all over the building and having to configure each Ethernet port for their specific VLAN is tedious, so there needs to be a way to have it log onto the wifi network and authenticate against the RADIUS database. But, as with many peripherals with simplified network configurations, this meter only supports WPA-PSK for security and not WPA-EAP. How can you authenticate this device against RADIUS now?
To do this, you can use RADIUS MAC authentication. You tell the device to connect to the SSID configured for RADIUS MAC authentication, and the AP sends the MAC address of the device to the RADIUS server for authentication. The server verifies that the MAC is a valid user and then replies to the AP with the dynamic VLAN ID and other resources for the device. In our case, once this is done with the test meter, Susan and the other TAs will be able to access the meter from anywhere on the wifi network.
On the RADIUS server, the peripheral in question needs to be configured as a user in the database with the correct resources. Both the user ID and password will need to be set to the wifi MAC of the device without spaces/dashes/colons.
On the AP, set up the SSID and enable the RADIUS MAC Auth option. Enter the RADIUS server info and set the Network Behavior to “Dynamic VLAN”.
In the example above, you would configure a RADIUS user for the test meter with the username/password set to the test meter’s wifi MAC address and assign it to the Physics department grad student TA group with the corresponding VLAN ID of 1045. Then associate the test meter to the Peripherals SSID. Once it associates and pulls down the VLAN ID of 1045, Susan and the other TAs will be able to reach it from anywhere on the wifi network.
Another example of using dynamic VLANs and RADIUS MAC authentication is the case of administering a community wifi network in an apartment complex where the APs are placed in common areas such as the hallways and shared amongst the residents. A RADIUS server can be used to give each resident their own login, and groups can be created where all residents in each apartment and their corresponding peripherals (printers, smart TVs, Rokus, etc.) are placed into the same group and have the same VLAN ID. With this configuration, residents in a specific apartment are separated into a different logical network from the other residents, and they can access their printers and other peripherals regardless of which AP they are connected to on the network.
Using static and dynamic VLANs with the IgniteNet wifi platform gives the network administrator a great amount of flexibility and granular resource control with regard to user management on wifi networks. Implementations can be configured as needed for many types and styles of deployments, whether the network administrator is a member of a school campus IT department, a system integrator installing an office network for a business, or a managed services provider offering a community-wide wifi network for an apartment complex. Combined with our easy-to-use cloud management platform and cost-effective APs, Ignite gives any network administrator the tools needed to easily and affordably deploy their wifi networks.