Larger WLAN infrastructures often require individual WLAN clients to be assigned to certain networks. Assuming that the WLAN clients are always within range of the same APs, this assignment can be realized via the SSID in connection with a particular IP network. If, on the other hand, the WLAN clients frequently change their position and log on to different APs, then, depending on the configuration, they may find themselves in a different IP network.
For WLAN clients to remain within a certain network independent of their current WLAN network, dynamically assigned VLANs can be used. Unlike the situation where VLAN IDs are statically configured for a certain SSID, in this case a RADIUS server directly assigns the VLAN ID to the WLAN client.
Example:
- The WLAN clients of two employees log into an AP in the WPA2-secured network with the SSID 'INTERNAL'. During registration, the RADIUS requests from the WLAN clients are directed to the AP. If the corresponding WLAN interface is in the operating mode 'managed', the RADIUS requests are automatically forwarded to the WLC. This forwards the request in turn to the defined RADIUS server. The RADIUS server can check the access rights of the WLAN clients. It can also use the MAC address to assign a certain VLAN ID, for example for a certain department. The WLAN client in Marketing, for example, receives the VLAN ID '10' and the WLAN client from Research & Development receives '20'. If no VLAN ID is specified for the user, the SSID's primary VLAN ID is used.
- The WLAN clients of the guests log into the same AP in the unsecured network with the SSID 'PUBLIC'. This SSID is statically bound to the VLAN ID '99' and leads the guests into a certain network.
Static and dynamic VLAN assignment can be elegantly operated in parallel.
- Activate VLAN tagging for the WLC. This is done in the physical parameters of the profile by entering a value greater than '0' for the management VLAN ID.
- For authentication via 802.1x, go to the encryption settings for the profile's logical WLAN network and choose a setting that triggers an authentication request.
- To check the MAC addresses, activate the MAC check for the profile's logical WLAN network.
  Note: For the management of WLAN modules with a WLC, a RADIUS server is required to operate authentication via 802.1x and MAC-address checks. The WLC automatically defines itself as the RADIUS server in the APs that it is managing; all RADIUS requests sent to the AP are then directly forwarded to the WLC, which can either process the requests itself or forward them to an external RADIUS server.
- To forward RADIUS requests to another RADIUS server, use LANconfig to enter its address into the list of forwarding servers in the configuration section 'RADIUS servers' on the Forwarding tab. Alternatively, external RADIUS servers can be entered in WEBconfig under . Also, set the standard realm and the empty realm to be able to react to different types of user information (with an unknown realm, or even without a realm).
- Configure the entries in the RADIUS server so that WLAN clients placing requests are assigned the appropriate VLAN IDs based on certain identifying characteristics.