WPA2-Enterprise and dynamic vlan assignment

sinfo
New Contributor
Hello everyone,

I would like to merge all network SSIDs into one. So when you connect to WiFi with your login, you will be put in a different VLAN.

I'm asking for your help to achieve this because I'm struggling; without documentation I don't know how to do it.

Can someone help me with that or point me to where to look?

I have a VX9000 and mostly 7522 APs to work with.

Thanks for your help !
1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II
Hello Sinfo,

On FreeRADIUS you have to configure RFC 3580-related attributes for the relevant resources, have a look here: https://stuff.purdon.ca/?page_id=279

Regarding wireless, please also consider increasing minimum basic rate to get rid of 11b support if possible, this will reduce the impact of beacons from too many SSIDs: http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html
Also remember to use WPA2 CCMP, as weaker options do not work with 11n and 11ac rates - but with WPA2-ENT I believe you'll definitely have it in place. 😉

So you configure an AAA Policy on your WiNG controller (it can specify whether the controller or the AP acts as the RADIUS client; with FreeRADIUS and NPS it is rather easy, as you can specify an entire subnet of authenticators in one line, so if needed there's no problem having APs acting as NASes).
Authentication handling has nothing to do with WLAN bridging mode (local/tunnel) as it comes before any traffic being allowed. Bridging mode is set per WLAN.
If you want to achieve RBAC with RADIUS-based VLANs, remember to tick the "Allow RADIUS Override" box in basic part of WLAN configuration in GUI (or see CLI example below).
code:
wlan TMELABS-DOT1X
 ssid TMELABS-DOT1X
 vlan 23
 bridging-mode tunnel
 ! (or: bridging-mode local)
 encryption-type ccmp
 authentication-type eap
 radius vlan-assignment
 ! <<<<<< this is the "Allow RADIUS Override" checkbox from the GUI
 use aaa-policy freeradius-aaa


Wherever you are going to bridge the wireless traffic, make sure to go to the device (APs' or controller's) profile and modify ge1 interface settings so it will have intended VLAN IDs in the list of allowed VLANs. Via CLI it would be:
code:
enable
configure
profile ...
interface ge1
switchport trunk allowed vlan [and a list]
commit write


This way (or the GUI way) your devices will understand that they can bridge dot11 traffic of a certain user (or of a certain WLAN at all; this prerequisite applies whether or not RADIUS is used) and that they can accept 802.1Q-tagged traffic on the wired side to pass it to the wireless users bound to that VLAN ID.
You don't have to specify SVIs (CLI: interface vlanX) for any VLANs unless it is needed for some purpose (WiNG device acting as a captive portal, DHCP server, default gateway and so on).

Let us know if anything needs further clarification. 🙂

Hope that helps,
Tomasz


8 REPLIES

sinfo
New Contributor
Hello Tomasz,
First of all, thank you!!
Thank you for the time you took to write your last answer; it saved me a lot of time!

Thanks to you I can now assign VLANs by MAC or EAP authentication with WPA2, and that's amazing.

I have some more questions now 🙂

To achieve MAC or EAP authentication I use FreeRADIUS, because I can't see the logs on the VX9000, so I don't know what's going on. Do you know if it's possible to have logs on the internal RADIUS of the VX9000?

For switches, I know that it's possible to untag a VLAN for a specific port, but is it possible to also tag and untag a different VLAN on that same port at the same time? I'm asking that for a specific scenario where you have a switch connected to an IP phone and a PC attached to the IP phone.
And so, if you can tag VLANs, can you do it on the interconnection port?

By the way, thanks for the useful tips about 802.11b, I'm going to work on that too 🙂

Thank you again for your help !

sinfo
New Contributor
Hello Tomasz,

Thank you for your help! It is exactly what I wanted to know.

For testing purposes, I'm working with VMs to do NAC on Extreme switches. I use 3 VMs:
  • VM1: FreeRADIUS
  • VM2: ExtremeXOS switch
  • VM3: Client
I can authenticate the client by MAC address with success.

As I'm working for an enterprise, I think that WPA2-Enterprise with VLAN assignment will help us a lot: instead of having 4 SSIDs, you'll have just one SSID, and with your login you will be put in the right VLAN.

I have tried to use the Extreme documentation to achieve this, but I don't have all the information. For instance, if I go with the controller as the NAS client, I don't know how to do it for the controller: do I need to create the VLAN on the AP, in a tunneled way? Or can I create the VLAN with FreeRADIUS and apply it to the AP?

I'm missing some documentation on what to do and how, and I can't find any. Do you think you can help me with that?

Thanks for your answer, I'm going to keep trying to solve this with what you said!

Tomasz
Valued Contributor II
Hello Sinfo,

You will need a RADIUS server for this, one that assigns a VLAN based on some criteria (user group in AD, user location, time of authentication etc.) and sends back the relevant attribute (RFC 3580-based Tunnel-Private-Group-ID et al.) with the VLAN ID in place to the authenticator (aka NAS, RADIUS client: the AP/controller that proxies the initial authentication steps).
Your RADIUS client can be either the AP or the controller (for Extreme Access Control I'd go for the controller being the RADIUS client); your RADIUS server can be EAC, Microsoft NPS+AD, onboard RADIUS (WiNG controller, APs), FreeRADIUS etc.
Briefly said, you will have to create an AAA Policy in the Configuration section (or are you a CLI guy?) to specify the RADIUS server that will be assigned to your SSID in the Security section of the WLAN settings. If you want to use onboard RADIUS you'll have to create the RADIUS-related settings (RADIUS Policy, RADIUS User Group, RADIUS User Pool(s)) in Configuration->Services and assign the RADIUS policy to either the AP or the controller in their configuration profiles, depending on where the server should be running.

Please let us know some more on your conditions and we'll help you sort it out.

Hope that helps,
Tomasz
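The exchange described in the accepted solution above (the RFC 3580 Tunnel-* reply attributes, the `radius vlan-assignment` override, and the ge1 allowed-VLAN list) and in this last reply (the RADIUS server deciding the VLAN and returning Tunnel-Private-Group-ID to the authenticator), as an added Python example. This is not code from the thread, from Extreme's WiNG, or from FreeRADIUS: it builds the Access-Accept the way a RADIUS server would and then verifies it the way the NAS (AP or controller) has to before moving the client into the VLAN. The shared secret, Request Authenticator, packet identifier and allowed VLAN set are constructed sample values; VLAN 23 is taken from the `vlan 23` WLAN example; the Response Authenticator is the RFC 2865 MD5 construction.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN          (RFC 3580 3.31)
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802


def _tagged_int(attr_type, tag, value):
    # RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr_type, tag, text):
    # RFC 2868 tagged string: Type, Length, Tag, text
    body = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, secret, vlan_id=None, tag=1):
    """Server side: Access-Accept with the three VLAN attributes (none if vlan_id is None).
    In FreeRADIUS reply-item terms this is
      Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-Id:1 = "23"
    """
    attrs = b""
    if vlan_id is not None:
        attrs = (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
                 + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
                 + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def _iter_attributes(payload):
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[i + 2:i + length]
        i += length


def verify_and_extract_vlan(packet, request_authenticator, secret, allowed_vlans):
    """NAS side: return the VLAN the client must be placed in, or None if no VLAN was
    assigned (client stays in the WLAN's static VLAN). Raises ValueError if the reply is
    unauthentic, malformed, or names a VLAN missing from the trunk allowed list
    (WiNG 'switchport trunk allowed vlan'): drop the client rather than fall back."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field mismatch")
    resp_auth, attrs_raw = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("response authenticator mismatch: wrong secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attr_type: value}; the three attributes must share one tag
    for attr_type, value in _iter_attributes(attrs_raw):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > 0x1F:
                raise ValueError("malformed tagged integer attribute")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first octet above 0x1F is text, not a tag (untagged form)
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii")
    for grp in groups.values():
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            gid = grp[TUNNEL_PRIVATE_GROUP_ID]
            if not gid.isdigit() or not 1 <= int(gid) <= 4094:
                raise ValueError(f"unusable Tunnel-Private-Group-ID {gid!r}")
            vlan = int(gid)
            if vlan not in allowed_vlans:
                raise ValueError(f"VLAN {vlan} is not in the trunk allowed VLAN list")
            return vlan
    return None


if __name__ == "__main__":
    # Constructed sample values (secret, request authenticator, allowed list are made up)
    SECRET, REQ_AUTH, ALLOWED = b"testing123", bytes(range(16)), {10, 23, 30}
    print("assigned:", verify_and_extract_vlan(
        build_access_accept(7, REQ_AUTH, SECRET, 23), REQ_AUTH, SECRET, ALLOWED))
    try:
        verify_and_extract_vlan(build_access_accept(7, REQ_AUTH, SECRET, 99), REQ_AUTH, SECRET, ALLOWED)
    except ValueError as exc:
        print("rejected:", exc)
```

Two checks in the verifier correspond to the two knobs in the post: a reply without a complete, same-tag group of the three attributes yields None (the client keeps the WLAN's static VLAN, which is also what happens when `radius vlan-assignment` is left off), and a returned VLAN that is not in the allowed set is refused outright, mirroring the fact that a VLAN absent from the ge1 allowed list gives the client no path to the wire.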