How to implement RADIUS-based VLAN access control features on the Access Point.
Each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back-end (for example, RADIUS) VLAN access control using 802.1X or MAC address authentication. For example, if the WLAN is set up so that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, a user can "hop" from one VLAN to another simply by changing the SSID and successfully authenticating to the access point (using 802.1X). This is undesirable when the WLAN user should be confined to a particular VLAN.
These are the two ways to implement RADIUS-based VLAN access control features:
RADIUS-based Service Set Identifier (SSID) access control.
After a successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the Access Point (AP) or bridge. If the SSID the user associated with is on the allowed SSID list, the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.
RADIUS-based VLAN assignment.
After a successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used for WLAN access is irrelevant because the user is always assigned to this predetermined VLAN ID.
The figure shows both RADIUS-based VLAN access control methods, VLAN assignment and SSID access control.
VLAN assignment: Both the "Engineering" and "Marketing" VLANs are configured to allow only 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. With this method, a user is mapped to a fixed wired VLAN throughout the enterprise network.
RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.
RADIUS user attributes used for VLAN-ID assignment are:
IETF 64 (Tunnel Type): Set this to "VLAN"
IETF 65 (Tunnel Medium Type): Set this to "802"
IETF 81 (Tunnel Private Group ID): Set this to the VLAN-ID
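The three VLAN-assignment attributes above, encoded and interpreted as an added Python example (not Cisco's code): it builds the RFC 2868 tunnel attributes a RADIUS server would return to assign VLAN 24, parses them as an AP would, and accepts the VLAN-ID only when Tunnel-Type is VLAN (value 13), Tunnel-Medium-Type is 802 (value 6) and all three attributes share the same tag. The numeric values come from RFC 2868/3580; the function names and the assumption that an invalid or incomplete set leaves the client on the SSID's default VLAN are my own.

```python
# Added example, not Cisco's code: RFC 2868 tunnel attributes for RADIUS VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # the "VLAN" value of Tunnel-Type (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # the "802" value of Tunnel-Medium-Type

def encode_tagged_int(attr_type, tag, value):
    # Tagged integer: one tag byte followed by a 24-bit value (RFC 2868 section 3.1)
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, text):
    data = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(data)]) + data

def build_vlan_attributes(vlan_id, tag=1):
    # What a RADIUS server puts in the Access-Accept to assign vlan_id (IETF 64/65/81)
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_attributes(blob):
    # Walk RADIUS attribute TLVs: type (1 byte), length (1 byte, includes header), value
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        atype, alen = blob[i], blob[i + 1]
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(value):
    # A tag byte is present only if the first byte is 0x00..0x1F (RFC 2868)
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def assigned_vlan(attrs):
    # AP-side rule (assumption): use the VLAN-ID only when all three attributes share a
    # tag, name a VLAN over an 802 medium and carry a valid ID; else keep the SSID default
    tunnels = {}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = split_tag(val)
            tunnels.setdefault(tag, {})[atype] = data
    for fields in tunnels.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")):
            gid = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None  # no usable assignment: client stays on the SSID's default VLAN
```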
RADIUS user attribute used for SSID access control is: