Using static and dynamic VLANs with AP's Follow
What's a VLAN?
A VLAN (virtual LAN) is an isolated broadcast domain used to co-locate multiple logical networks on the same physical network. Network administrators use VLANs to easily separate networks sharing the same physical interfaces. There are many useful applications of VLANs on wired and wireless networks, but for the purpose of this example, we are going to focus on wireless client/user isolation using both static and dynamic VLANs in a theoretical school campus application.
Please note: All config examples below are done via the local device UI. You can also create these configs via the cloud controller. These are generic example configs and are not to be considered best practices for any specific application of network design. Any VLANs, RADIUS servers, user credentials, etc must be supported by the rest of the network infrastructure and is beyond the scope of this conversation.
A static VLAN is a VLAN that is fixed to a particular network interface, in this instance a wireless AP SSID. Using VLAN tagging, we will create SSIDs for Students and Staff and assign them to different VLANs. When a Student or Staff member associates to their appropriate SSID, their traffic will be tagged with their corresponding VLAN ID and given the appropriate IP/routing/resources from the upstream router.
The first step is to create the VLANs that will be used to tag to the SSID on the Wireless -> VLAN Settings page. In this example, VLAN 40 is for Students and VLAN 50 is for Staff.
The second step is to create the corresponding SSIDs, one for Students and one for Staff, on the appropriate Wireless -> Radio page. To implement the VLAN tag, set the Network Behavior field to “VLAN Tag Traffic” and set the VLAN ID to the appropriate tag. The example below is the configuration for the Students SSID.
And that’s basically all there is to it. When a Student associate's to the Student SSID, their traffic will be tagged with VLAN ID 40 and put into that VLAN upstream.
In the example above, each user logging into a particular SSID will be given the same VLAN ID and network resources as anyone else on that SSID. However, what if we wanted much more granular control of the network resources allocated to each user? In this case, we can use dynamic VLANs in conjunction with 802.1X Enterprise authentication to assign individual VLANs to users when they authenticate. By doing so, each user can then be given access to as few or as many resources as the network administrator deems necessary. This also means that users can have individual access to specific peripherals that reside anywhere on the network (explained in more detail in the next section).
To configure dynamic VLANs, let’s assume that there already exists an 802.1x WPA/WPA2 Enterprise authentication mechanism (RADIUS server) on the network that has all of the user accounts in place. This server needs to be configured to allow dynamic VLANs to be used. You can set it up to hand out a specific VLAN for anyone in a specific group, individual users, etc.
We have tested with freeRADIUS and Microsoft Server 2003/2012-R2 RADIUS servers. Most RADIUS servers follow the RFCs pretty closely, so while individual configurations may differ, the AP will be looking for the below dynamic VLAN RADIUS attributes from the server for the user:
- Tunnel-Type = “VLAN”
- Tunnel-Medium-Type = “IEEE-802”
- Tunnel-Private-Group-ID = “X”, where X is the desired VLAN ID for the group/user
- If you are using a server without the above definition values and are using the RFC number values, use:
- Tunnel-Type = 13
- Tunnel-Medium-Type = 6
- Tunnel-Private-Group-ID = “X”, where X is the desired VLAN ID for the group/user
From an AP configuration perspective, all that needs to be done is set up the SSID for WPA-EAP authentication, enter the RADIUS authentication server info, and set the Network Behavior to “Dynamic VLAN”.
In the above example, the Staff SSID is configured to authenticate the users against the RADIUS authentication server at 10.10.10.15. Once the Staff user is authenticated, they will be given the assigned VLAN ID from their RADIUS profile and will have access to the corresponding resources.
Peripheral RADIUS MAC Authentication with dynamic VLANs
In the above implementation, a Staff member authenticates to the network and gets a specific VLAN ID. For the sake of discussion, let’s say her name is Susan and she works in the Physics department as a grad student TA. She and all the other Physics department grad student TA’s have access to the same network printer in the basement of the Physics building. Using RADIUS authentication and dynamic VLANs, all of the Physics department grad student TA’s are in the same user group are assigned the VLAN ID 1045. If their network printer is hooked to the network (via Ethernet cable to a switch with a VLAN ID tag of 1045), Susan and all the other TA’s will be on the same VLAN ID as the printer and can print to this printer from anywhere on the wireless network throughout campus.
Let’s now consider the case where there is a mobile peripheral that is shared amongst the other TA’s, for
instance an Ethernet/wifi enabled test meter on a mobile instruments platform. Only Susan and the other TA’s are to have access to this device from their computers. As this device is mobile, plugging into Ethernet ports all over the building and having to configure each Ethernet port for their specific VLAN is tedious, so there needs to be a way to have it log onto the wifi network and have it authenticate against the RADIUS database. But, as with the case of many peripherals with simplified network configurations, this meter only has WPA-PSK for security and not WPA-EAP. How can you authenticate this device against RADIUS now?
To do this, you can use RADIUS MAC authentication. You tell the device to connect to the SSID configured for RADIUS MAC authentication and the AP sends that MAC of the device to the RADIUS server for authentication. The server verifies the MAC is a user and then replies to the AP with the dynamic VLAN ID and other resources for the device. In our case, once this is done with the test meter, Susan and the other TA’s will now be able to access the meter from anywhere on the wifi network.
On the RADIUS server, the peripheral in question needs to be configured as a user in the database with the correct resources. Both the user ID and password will need to be set as the wifi MAC of the device without spaces/dashes/colons.
On the AP, set the SSID and enable the RADIUS MAC Auth option. Enter the RADIUS server info and set the Network Behavior to “Dynamic VLAN”.
In the example above, you would configure a RADIUS user for the test meter with the username/password of the test meter wifi MAC address and assign it to the Physics department grad student TA group with a corresponding VLAN ID of 1045. Then associate the test meter to the Peripherals SSID. Once it associates and pulls down the VLAN ID of 1045, Susan and the other TA’s will be able to reach it from anywhere on the wifi network.
Another example of using dynamic VLANs and RADIUS MAC authentication is the case of administering a community wifi network in an apartment complex where the AP’s are placed in common areas such as the hallways and shared amongst the residents. A RADIUS server can be used to give each resident their own login, and groups can be created where all residents in each apartment and their corresponding peripherals (printers, smart TVs, Roku’s, etc) are placed into the same group and have the same VLAN ID. With this configuration, residents in a specific apartment are separated into different logical networks from the other residents, and they can access their printers and other peripherals from no matter which AP they are connected to on the network.
Using static and dynamic VLANs with the IgniteNet wifi platform gives the network administrator a great amount of flexibility and granular resource control with regards to user management on wifi networks. Implementations can be configured as needed for many types and styles of deployments whether the network administrator is a member of a school campus IT department, a system integrator installing an office network for a business, or a managed services provider offering a community-wide wifi network for an apartment complex. Combined with our easy to use cloud management platform and cost-effective AP’s, Ignite gives any network administrator the tools needed to easily and affordably deploy their wifi networks.
Article is closed for comments.