FAQ- Dynamically assign VLAN from Radius server

Publication Date:  2014-12-01 Views:  795 Downloads:  0
Issue Description

Hello guys,

As we all know, RADIUS is often used in network environments that require high security and control remote user access. With Radius we can implement authentication, authorization and accounting for all the users. I don’t want to get into details because the point of this post focuses on just one aspect of all the things you can do with radius: the authorization, more specific the assignement of VLAN from the server .


.

Solution
The authorization server can deliver user authorization information such as a dynamic VLAN to a device through attributes

To assign a vlan to a user after the authentication is succesful we have to deliver the following attributes from the radius-server: (RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes, which are supported by all mainstream vendors):

Standard attributes to deliver the VLAN :

Attribute No. Attribute Name Description
64 Tunnel-Type Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.
65 Tunnel-Medium-Type Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.
81 Tunnel-Private-Group-ID Tunnel private group ID, which is used to deliver user VLAN IDs.

Configuration example :

As for the configuration, on our device we don’t need anything special. We just have to make sure that we configured correctly the radius server, enabled dot1x on the interface and that the vlan is created on the switch
.
Let’s say that we have two user groups, user group A and user group B. After the users authenticates successfully , if they are part of group A , they will be allowed in vlan 301, while  the others  will be allowed in vlan 501. If  the authentication fails we will assign them vlan 701


END