WPA2-Enterprise and dynamic vlan assignment

  • 9 July 2019
  • 8 replies

Hello everyone,

I would like to merge all network SSID's to one. So when you connect to WiFi with your logins you will be put in a different vlan.

I'm asking your help to achieve this because i'm struggling, without documentation I don't know how to do it.

Can someone help me with that or point me out where to look ?

I have a vx9000 and mostly 7522 AP's to work with.

Thanks for your help !

8 replies

Userlevel 5
Hello Sinfo,

You will need a RADIUS server for this, that will assign a VLAN based on some criteria (user group in AD, user location, time of authentication etc.) and send back a relevant attribute (RFC3580-based Tunnel-Private-Group-ID et al.) with VLAN id in place to the authenticator (aka NAS, RADIUS client, the AP/controller that proxies the initial authentication steps).
Your RADIUS client can be either AP or the controller (for Extreme Access Control I'd go for controller being a RADIUS client), your RADIUS server can be EAC, Microsoft NPS+AD, onboard RADIUS (WiNG controller, APs), FreeRADIUS etc.
Briefly said, you will have to create AAA Policy in Configuration section (or are you a CLI guy?) to specify RADIUS server that will be assigned to your SSID in Security section of WLAN settings. If you want to use onboard RADIUS you'll have to create RADIUS-related settings (RADIUS Policy, RADIUS User Group, RADIUS User Pool(s)) in Configuration->Services) and assign the RADIUS policy to either AP or controller in their configuration profiles, depending on where the server should be running.

Please let us know some more on your conditions and we'll help you sort it out.

Hope that helps,
Hello Tomasz,

Thanks you for your help ! It is exactly what I wanted to know.

For testing purpose, I'm working with VMs, to do NAC on extreme switchs. I use 3 VMs :
  • VM1 : Freeradius
  • VM2 : extremeOS switch
  • VM3: Client
I can authentificate client by mac address with success.

As I'm working for an enterprise, I think that wpa2-enterprise with vlan assignment will help us a lot, like instead of having 4 SSID, you'll have just one SSID. And with your logins to connect you will be set in the right VLAN.

I have tried to use extreme documentation to achieve this, but I don't have all the informations. For instance if I'd go with the controller for the NAS client. I don't know how to it for the controller, like do I need to create vlan on the AP, in a tunneled way ? Or can I create the vlan with freeradius and apply it to the AP ?

I miss some documentation on what to do and how, and I can't find any. Do you think you can help me on that?

Thanks for your answer I'm gonna keep trying to solve this with what you said ! 🙂
Userlevel 5
Hello Sinfo,

On Freeradius you have to configure RFC3580-related attributes for relevant resources, have a look here:

Regarding wireless, please also consider increasing minimum basic rate to get rid of 11b support if possible, this will reduce the impact of beacons from too many SSIDs:
Also remember to use WPA2 CCMP, as weaker options do not work with 11n and 11ac rates - but with WPA2-ENT I believe you'll definitely have it in place. ;)

So if you configure AAA Policy on your WiNG controller (and it can specify whether the controller or AP acts as a RADIUS Client - with FreeRADIUS and NPS it is rather easy as you can specify entire subnet for authenticators in one line, so if it is needed there's no problem to have APs acting as NASes).
Authentication handling has nothing to do with WLAN bridging mode (local/tunnel) as it comes before any traffic being allowed. Bridging mode is set per WLAN.
If you want to achieve RBAC with RADIUS-based VLANs, remember to tick the "Allow RADIUS Override" box in basic part of WLAN configuration in GUI (or see CLI example below).
vlan 23
bridging-mode tunnel (or local)
encryption-type ccmp
authentication-type eap
radius vlan-assignment <<<<<<
use aaa-policy freeradius-aaa

Wherever you are going to bridge the wireless traffic, make sure to go to the device (APs' or controller's) profile and modify ge1 interface settings so it will have intended VLAN IDs in the list of allowed VLANs. Via CLI it would be:
profile ...
interface ge1
switchport trunk allowed vlan [and a list]
commit write

This way (or GUI way) your devices will understand that they can bridge dot11 traffic of a certain user (or certain WLAN at all - no matter if RADIUS is used or not for this prerequisite) and they can accept q-tagged traffic on the wired to possibly pass it to the wireless users that are bound to the VLAN ID.
You don't have to specify SVIs (CLI: interface vlanX) for any VLANs unless it is needed for some purpose (WiNG device acting as a captive portal, DHCP server, default gateway and so on).

Let us know if anything needs further clarification. :)

Hope that helps,
Hello Tomasz,
First of all, Thanks you !!
Thanks you for the time you have taken to write your last answer, it made me win a lot of time !

Thanks to you now I can assign vlan by MAC or EAP authentification with WPA2 and that’s amazing.

I have further more questions now J

To achieve MAC or EAP authentification I use freeradius, because I can’t see the logs on the VX9000, so I don’t know what’s going on, do you know if it’s possible to have logs on the internal radius of the vx9000?

For switchs, I know that it’s possible to untag a vlan for a specific port, but is it possible to also tag and untag a different vlan on that same port at the same time? I’m asking that for a specific scenario when you have a switch connected to an IP Phone and a PC attached to the IP Phone.
And so if you can tag vlan, can you do it on the interconnection port?

By the way, thank for the useful tips about the 802.11b, I’m going to work on it too :)

Thank you again for your help !
Userlevel 5
Hello Sinfo,

I think you might find these interesting:
But with WiNG you are also able to filter out events displayed in real time to troubleshoot certain features live. One of the examples (RADIUS related) attached (sorry for not yet rebranded material, didn't see that here: Check out page 14 and:
remote-debug wireless rf-domain twinpeaks-domain clients all max-events 999 duration 999 events eap radius wpa-wpa2 management

As you can see you can debug per site (RF Domain) or per device, you can debug all clients or few certain MAC addresses, and you can filter event types (EAP, RADIUS, WPA/WPA2 and mgmt frames in the example above). Try it out!

For the tagging, it's hardware dependent but with Extreme EXOS for instance, sure, you're good to go with as many VLANs per port as you wish, and no limitation on how many VLANs the port is tagged member of. Just one untagged VLAN per port (not talking about protocol-based VLANs now). There is no such thing as 'voice vlan' and 'data vlan' on EXOS, neither 'switchport mode', you drive the reality here. :)
You might like the docs for EXOS then:
Just a quick briefing for EXOS VLANs:
create vlan [name] tag [vid]
create vlan [vid or range]
configure vlan [vid or range or name] add/del port [port range] [untagged by default]
configure vlan [vid or range or name] add/del port [port range] tagged
conf [name] also works

Hope that helps,
Hello Tomasz,

Thanks you for everything, you helped me a lot !

For the VLANs I know about untag and tag etc. What I ment was if it is possible to assign VLANs dynamically on switch with freeradius, 1 untagged vlan and on the same port 1 or more tagged VLAN. But nevermind and again thanks you !
Userlevel 5
Hello Sinfo,

I see. If you are authenticating many devices on a single port, for EXOS switch it doesn't practically matter how many are there - each authenticated device can have its own vlan, either tagged or untagged. This is possible thanks to mac-based VLANs. How does that sound?

Hope that helps,
Hello Tomasz,

That sounds good 🙂
Thank you for your great help !