WPA2-Enterprise and dynamic vlan assignment

sinfo
New Contributor
Hello everyone,

I would like to merge all network SSIDs into one. So when you connect to WiFi with your login, you will be put in a different VLAN.

I'm asking for your help to achieve this because I'm struggling; without documentation I don't know how to do it.

Can someone help me with that or point me to where to look?

I have a vx9000 and mostly 7522 AP's to work with.

Thanks for your help!
1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II
Hello Sinfo,

On Freeradius you have to configure RFC3580-related attributes for relevant resources, have a look here: https://stuff.purdon.ca/?page_id=279

Regarding wireless, please also consider increasing minimum basic rate to get rid of 11b support if possible, this will reduce the impact of beacons from too many SSIDs: http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html
Also remember to use WPA2 CCMP, as weaker options do not work with 11n and 11ac rates - but with WPA2-ENT I believe you'll definitely have it in place. 😉

So if you configure AAA Policy on your WiNG controller (and it can specify whether the controller or AP acts as a RADIUS Client - with FreeRADIUS and NPS it is rather easy as you can specify entire subnet for authenticators in one line, so if it is needed there's no problem to have APs acting as NASes).
Authentication handling has nothing to do with WLAN bridging mode (local/tunnel) as it comes before any traffic being allowed. Bridging mode is set per WLAN.
If you want to achieve RBAC with RADIUS-based VLANs, remember to tick the "Allow RADIUS Override" box in the basic part of the WLAN configuration in the GUI (or see the CLI example below).
code:
wlan TMELABS-DOT1X
ssid TMELABS-DOT1X
vlan 23
bridging-mode tunnel (or local)
encryption-type ccmp
authentication-type eap
radius vlan-assignment <<<<<<
use aaa-policy freeradius-aaa


Wherever you are going to bridge the wireless traffic, make sure to go to the device (APs' or controller's) profile and modify ge1 interface settings so it will have intended VLAN IDs in the list of allowed VLANs. Via CLI it would be:
code:
enable
configure
profile ...
interface ge1
switchport trunk allowed vlan [and a list]
commit write


This way (or GUI way) your devices will understand that they can bridge dot11 traffic of a certain user (or certain WLAN at all - no matter if RADIUS is used or not for this prerequisite) and they can accept q-tagged traffic on the wired to possibly pass it to the wireless users that are bound to the VLAN ID.
You don't have to specify SVIs (CLI: interface vlanX) for any VLANs unless it is needed for some purpose (WiNG device acting as a captive portal, DHCP server, default gateway and so on).

Let us know if anything needs further clarification. 🙂

Hope that helps,
Tomasz

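As an added example (not code from Tomasz's post, from FreeRADIUS, or from Extreme), the following Python puts the two halves of the accepted answer side by side: it assembles the RFC 3580 reply attributes that FreeRADIUS has to return for a user's VLAN, renders a sample `users` file stanza, and then checks every assigned VLAN against the `switchport trunk allowed vlan` line on ge1, since a RADIUS override that names a VLAN the AP or controller is not allowed to bridge leaves the client with no connectivity. The usernames, VLAN ids and trunk line are constructed sample values, and the password is a placeholder.

```python
"""Constructed example: RFC 3580 VLAN reply attributes plus a trunk-consistency check.

Not from the forum thread; all names and values below are made up for illustration.
"""
import re

# IANA values from RFC 2868 / RFC 3580: Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def vlan_reply_attributes(vid: int) -> dict:
    """Return the attribute triple a NAS needs to place a supplicant into VLAN `vid`."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid}")
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vid),
    }


def vlan_from_reply(attrs: dict):
    """Mirror what a NAS does on receipt: honour the VLAN only if the triple is consistent.

    Returns the VLAN id, or None when Tunnel-Type / Tunnel-Medium-Type are wrong or the
    group id is not a valid VLAN number (a common reason 'RADIUS override' silently fails).
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = str(attrs.get("Tunnel-Private-Group-Id", ""))
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def users_file_entry(username: str, vid: int) -> str:
    """Render a FreeRADIUS `users` file stanza for `username` (password is a placeholder)."""
    attrs = vlan_reply_attributes(vid)
    return "\n".join([
        f'{username}\tCleartext-Password := "<set-password-here>"',
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-Id = "{attrs["Tunnel-Private-Group-Id"]}"',
    ])


def parse_allowed_vlans(cli_line: str) -> set:
    """Parse 'switchport trunk allowed vlan 1,23,30-32' into the set of VLAN ids it allows."""
    m = re.search(r"allowed vlan\s+(\S+)", cli_line)
    if not m:
        raise ValueError("no allowed-vlan list found in line")
    vids = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        vids.update(range(lo_i, hi_i + 1))
    return vids


def find_unbridgeable(assignments: dict, trunk_line: str) -> dict:
    """Return {user: vid} for every user whose RADIUS VLAN is missing from the ge1 trunk list."""
    allowed = parse_allowed_vlans(trunk_line)
    return {user: vid for user, vid in assignments.items() if vid not in allowed}


if __name__ == "__main__":
    # Constructed sample data: who gets which VLAN, and what ge1 on the AP profile allows.
    sample_users = {"alice": 23, "bob": 40, "carol": 31}
    sample_trunk = "switchport trunk allowed vlan 1,23,30-32"

    for user, vid in sample_users.items():
        print(users_file_entry(user, vid), end="\n\n")

    bad = find_unbridgeable(sample_users, sample_trunk)
    for user, vid in bad.items():
        print(f"WARNING: {user} is assigned VLAN {vid}, which ge1 does not allow")
```

Running it prints three `users` stanzas and warns that `bob` would land in VLAN 40, which the sample trunk line does not carry; in a real deployment that warning is exactly the case Tomasz's "modify ge1 interface settings" step exists to prevent.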


sinfo
New Contributor
Hello Tomasz,

That sounds good.
Thank you for your great help!

Tomasz
Valued Contributor II
Hello Sinfo,

I see. If you are authenticating many devices on a single port, for EXOS switch it doesn't practically matter how many are there - each authenticated device can have its own vlan, either tagged or untagged. This is possible thanks to mac-based VLANs. How does that sound?

Hope that helps,
Tomasz

sinfo
New Contributor
Hello Tomasz,

Thank you for everything, you helped me a lot!

For the VLANs I know about untagged and tagged etc. What I meant was whether it is possible to assign VLANs dynamically on the switch with FreeRADIUS, 1 untagged VLAN and on the same port 1 or more tagged VLANs. But never mind, and again thank you!

Tomasz
Valued Contributor II
Hello Sinfo,

I think you might find these interesting:
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-do-I-view-log-files-in-CLI-for-WiNG-devices
But with WiNG you are also able to filter out events displayed in real time to troubleshoot certain features live. One of the examples (RADIUS related) is attached (sorry for the not yet rebranded material, I didn't see it here: https://www.extremenetworks.com/support/documentation/wing-5-x-how-to-guides/). Check out page 14 and:
code:
remote-debug wireless rf-domain twinpeaks-domain clients all max-events 999 duration 999 events eap radius wpa-wpa2 management

As you can see you can debug per site (RF Domain) or per device, you can debug all clients or few certain MAC addresses, and you can filter event types (EAP, RADIUS, WPA/WPA2 and mgmt frames in the example above). Try it out!

For the tagging, it's hardware dependent, but with Extreme EXOS for instance, sure, you're good to go with as many VLANs per port as you wish, and there is no limitation on how many VLANs the port is a tagged member of. Just one untagged VLAN per port (not talking about protocol-based VLANs now). There is no such thing as a 'voice vlan' and 'data vlan' on EXOS, nor 'switchport mode'; you drive the reality here. 🙂
You might like the docs for EXOS then: https://www.extremenetworks.com/support/documentation/extremexos-22-6/
Just a quick briefing for EXOS VLANs:
code:
create vlan [name] tag [vid]
create vlan [vid or range]
configure vlan [vid or range or name] add/del port [port range] [untagged by default]
configure vlan [vid or range or name] add/del port [port range] tagged
conf [name] also works


Hope that helps,
Tomasz