Dynamic VLAN based on MAC address

Is it possible to have a client assigned to a specific VLAN based on their MAC address?
Robert Fakes

Posted 3 years ago

Nick Lowe, Official Rep

Yes, via RADIUS-based MAC address authentication; this is easy.

You'll see a Service-Type attribute of Call-Check in the Access-Request packet and the client's MAC address will be in the Calling-Station-Id attribute.

Do you need any specific information?

Robert Fakes

Yes please. It is simply an SSID with basic WPA2-PSK; I simply want to put some devices on a specific VLAN if they are in a list of predetermined MAC addresses.

Andrew Garcia, Official Rep

You can also use user-profile redirection to accomplish this. You must be in enterprise mode (not express).
Basic steps:
- create two user profiles - one that is the base VLAN, one that is for your unique client with a different VLAN.
- when both are created, modify the base user profile, enable user profile redirection. Create a MAC object for your MAC address, and assign your unique user profile for reassignment. Save.
- In the Choose User Profiles box, select your base user profile as default and check enable user profile reassignment. Save.

Sample screens below:

Andrew Garcia, Official Rep

One additional comment. The way I outlined above is great for a handful of devices, or if you have a MAC address range you can use or an OUI you can specify. If you have lots of devices that need this treatment, go with Nick's suggestion.

Nick Lowe, Official Rep

If you're not comfortable or familiar with RADIUS / you have a smaller number of MAC addresses, Andrew's will likely be the preferred method.

If you are comfortable with RADIUS / have a larger number of MAC addresses, decoupling it from HiveManager/HiveOS to dedicated RADIUS servers is the way to go. (This would always be my preferred method.)

I'll write up the RADIUS method properly and post back here.

Nick Lowe, Official Rep

Damn you for preempting me! :) I was writing my reply before you posted! :P

Andrew Garcia, Official Rep

Had to give you props for the scalable answer.

Robert Fakes

Thanks all for the answers. Following Andrew's advice, I cannot get it to work. 

1. Create new profile for devices requiring different VLAN from default
2. Create MAC address object
3. Modify existing default profile with Client Classification Policy to reassign the MAC object to other user profile
4. In the Choose User Profile box tick "Enable user profile assignment based on client classification rules".
5. Update the access point nearest to the device for testing.

Any ideas? 

Thanks.

Robert Fakes

Ah my mistake, the access point had not updated fully. Working now. Thanks all.
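
The RADIUS method Nick Lowe describes above, sketched as an added example that is not part of the original thread or any vendor's code: a policy function that recognises a MAC authentication request by Service-Type Call-Check, normalises Calling-Station-Id, and answers with the standard RFC 3580 VLAN attributes. The MAC list, VLAN IDs and function names are constructed, and the dict stands in for already-parsed RADIUS attributes.

```python
import re

# Constructed sample data: normalised client MAC -> VLAN ID.
MAC_TO_VLAN = {
    "001122aabbcc": 30,
    "001122aabbcd": 40,
}

def normalise_mac(calling_station_id):
    """Return 12 lowercase hex digits, or None if the value is not a MAC.

    NAS devices send Calling-Station-Id in different layouts
    (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc), so the
    lookup key must not depend on separators or case.
    """
    digits = re.sub(r"[-:.]", "", calling_station_id.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def decide(request):
    """Map Access-Request attributes (a dict) to reply attributes.

    Returns None for requests that are not MAC authentication, so another
    policy (for example 802.1X) can handle them.
    """
    if request.get("Service-Type") != "Call-Check":
        return None
    mac = normalise_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return {"code": "Access-Reject"}
    vlan = MAC_TO_VLAN.get(mac)
    if vlan is None:
        # Assumption: with no VLAN attributes in the reply, the access
        # point keeps the client on the SSID's default VLAN.
        return {"code": "Access-Accept"}
    # RFC 3580 VLAN assignment attributes. The MAC is asserted by the
    # client, so this selects a segment; it does not prove identity.
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
```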