Configuring User-Based Authentication And Dynamic Vlans - D-Link Unified Access System DWS-3000 Series User Manual
Configuring User-Based Authentication and Dynamic VLANs

You can configure an entry in the external RADIUS server to pass a user's credentials to the
access point and to dynamically assign the user to a VLAN.
Dynamic VLANs allow you to assign a user to a VLAN, and switches dynamically use this
information to configure the port on the switch automatically. Selection of the VLAN is
usually based on the identity of the user. The RADIUS server informs the access point of the
selected VLAN as part of the authentication. This setup enables users of Dynamic VLANs to
move from one location to another without intervention and without having to make any
changes to the switches.
If you use an external RADIUS server to manage VLANs, you configure the server to use
Tunnel attributes in Access-Accept messages in order to inform the access point about the
selected VLAN. These attributes are defined in RFC 2868 and their use for dynamic VLAN is
specified in RFC 3580.
The VLAN attributes defined in RFC 3580 are as follows:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
is why client entries use 6 for the Tunnel-Medium-Type value.
To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
etc/raddb/users file, which contains the user account information, and add an entry for the
new user.
The following example shows the entry for a user in the users file. The username is
"johndoe," the password is "test1234." The user is assigned to VLAN 77.
johndoe Auth-Type := EAP, User-Password == "test1234"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 77
Tunnel-Type and Tunnel-Medium-Type use the same values for all stations.
Tunnel-Private-Group-ID is the selected VLAN ID and can be different for each user.
NOTE: Do not use the management VLAN ID of the AP for the value of the
Tunnel-Private-Group-ID.
The dynamically-assigned RADIUS VLAN cannot be the same as the AP's management
VLAN. If the RADIUS server attempts to assign a dynamic VLAN to a client that associates
with an AP with that VLAN as the management VLAN, the AP ignores the dynamic VLAN
assignment and a newly associated client is assigned to the default VLAN for that VAP. A re-
authenticating client retains its previous VLAN ID.
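As an added illustration (not code from the D-Link manual or from FreeRADIUS), the following Python encodes the three RFC 2868 tunnel attributes that the johndoe entry produces for VLAN 77, exactly as they would travel in an Access-Accept, decodes them back with length checks, and then applies the management-VLAN rule described above on the AP side. The function names, the ap_mgmt_vlan and vap_default_vlan parameters, the constructed sample bytes, and the choice to treat "no VLAN assigned" like an ignored assignment are all assumptions of this example.

```python
"""Encode, decode and evaluate the RFC 2868 tunnel attributes used by RFC 3580 for dynamic VLANs."""

# RADIUS attribute type codes from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values from RFC 3580: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# The FreeRADIUS dictionary resolves the symbolic "802" to 6 (see the NOTE on this page).
MEDIUM_TYPE_NAMES = {"802": TUNNEL_MEDIUM_IEEE_802}


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01-0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value does not fit in 3 octets")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length, Tag, String (RFC 2868)."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01-0x1F")
    if not 1 <= len(data) <= 250:
        raise ValueError("string must be 1-250 octets")
    return bytes([attr_type, 3 + len(data), tag]) + data


def vlan_reply_attributes(vlan_id, tag=0):
    """The three reply attributes a users-file entry like johndoe's produces for one VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_TYPE_NAMES["802"], tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(payload):
    """Walk a RADIUS attribute list into (type, tag, value) triples, length-checking every TLV."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute length exceeds payload")
        body = payload[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer attribute must be 6 octets")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag.
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, bytes(body)  # non-tunnel attributes are passed through raw
        out.append((attr_type, tag, value))
        i += length
    return out


def vlan_from_access_accept(attrs):
    """Return the VLAN ID carried by a complete Type/Medium/Group-ID triple (same tag), else None."""
    groups = {}
    for attr_type, tag, value in attrs:
        if tag is not None:
            groups.setdefault(tag, {})[attr_type] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = group.get(TUNNEL_PRIVATE_GROUP_ID)
            if gid is not None and gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


def ap_effective_vlan(assigned, ap_mgmt_vlan=1, vap_default_vlan=1, previous=None):
    """Rule from this page: an assignment equal to the AP management VLAN is ignored; a newly
    associated client then lands on the VAP default VLAN and a re-authenticating client keeps
    its previous VLAN. Treating 'no assignment' (None) the same way is an assumption here."""
    if assigned is None or assigned == ap_mgmt_vlan:
        return previous if previous is not None else vap_default_vlan
    return assigned


if __name__ == "__main__":
    # Constructed sample: the Access-Accept reply items for johndoe (VLAN 77) from this page.
    wire = vlan_reply_attributes(77)
    print(wire.hex())  # 40060000000d4106000000065105003737
    print(vlan_from_access_accept(parse_attributes(wire)))  # 77
    # An assignment to the management VLAN of a default AP (VLAN 1) is ignored.
    print(ap_effective_vlan(1, ap_mgmt_vlan=1, vap_default_vlan=10))  # 10
    print(ap_effective_vlan(1, ap_mgmt_vlan=1, vap_default_vlan=10, previous=77))  # 77
```

The decoder deliberately requires all three attributes with a matching tag before it believes a VLAN was assigned, and it rejects any TLV whose length runs past the payload; a receiver that trusts a lone Tunnel-Private-Group-ID or an unchecked length is the usual source of mis-assignment or parser crashes.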
The default management VLAN ID for all APs is 1. The only way to change an AP's
management VLAN ID is by using the set management vlan-id command from the CLI.
After you change the etc/raddb/users file, you must restart the RADIUS server daemon to
apply the changes.
FreeRADIUS Example for Wireless Client Configuration
Configuring the External RADIUS Server
185