How to assign different VLAN by returned RADIUS classification?

Updated 2 years ago
Can anyone point me to the correct documentation on how I assign a different VLAN based on the returned RADIUS classification?

I was expecting to be able to assign a different VLAN based on the RADIUS property?
Tiele Declercq, posted 2 years ago
Carsten Loemker:
Hello Tiele,
a couple more questions need to be asked:
What RADIUS server do you use, and what is the main back-end ID source that determines the VLAN association?
Cheers, Carsten
Tiele Declercq:
We're setting up NPS on Windows Server 2012 R2.

If a domain computer with a valid user is approved by the RADIUS server, it should get the internal VLAN.

If a domain computer tries to connect without a valid user (or no user), it should get a different VLAN so only remediation servers are reachable.

If a guest tries to connect, the MAC address should be verified by the RADIUS server and it should get access to the internal network. If not, it should be directed to the guest network.

We know how to set up the RADIUS part, but I don't see how to assign a user profile / VLAN to the returned RADIUS attribute / property / classification (?)
Carsten Loemker:
Hi Tiele, I am doing basically the same. Aerohive uses a slightly different attribute combination from other vendors, but if you're dealing with an Aerohive-only environment that's perfectly OK.
I think that is because Aerohive tries to take a more user-centric than device-centric approach.
Now I have my Win2012R2 RADIUS server returning:
IETF 64 (Tunnel-Type) = GRE(10)
IETF 65 (Tunnel-Medium-Type) = IP(1)
IETF 81 (Tunnel-Private-Group-ID) = not your VLAN ID, but the user profile
and here the Classic HMOL and NG interfaces differ.
I'll draw up what I have rigged up for you tomorrow.
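The following is an added example, not code from the thread or from Aerohive or Microsoft, showing how the three attributes named above carry a VLAN (or, in the combination Carsten describes, a user-profile name) inside a RADIUS Access-Accept, and how Tiele's classification policy (domain computer with a valid user, domain computer without one, known guest MAC, unknown guest) maps onto them. The standard values (Tunnel-Type VLAN(13), Tunnel-Medium-Type IEEE-802(6), a numeric Tunnel-Private-Group-ID) are from RFC 2868 and RFC 3580; the GRE(10)/IP(1)/profile-name triple is reproduced only as reported in this thread. The VLAN ids 20 and 30, the function names and the byte layout helpers are all constructed for the example; only VLAN 5 is quoted from later in the thread. The NAS-side decoder falls back to a caller-supplied default VLAN whenever the attributes are missing, malformed or out of range, which is the failure mode a practitioner wants to check before trusting dynamic VLAN assignment.

```python
# Added example (not from the thread): encode and decode the RFC 2868 tunnel
# attributes used for dynamic VLAN assignment (RFC 3580) and the
# GRE(10)/IP(1)/profile-name combination reported in this thread for Aerohive.
# VLAN ids other than 5 are constructed; all names here are illustrative.

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type = VLAN
TUNNEL_TYPE_GRE = 10             # value reported in the thread for Aerohive
MEDIUM_IEEE_802 = 6              # RFC 3580: Tunnel-Medium-Type = IEEE-802
MEDIUM_IP = 1                    # value reported in the thread for Aerohive

# Constructed VLAN plan for the scenario in the thread (20 and 30 are made up).
VLAN_PLAN = {"internal": 5, "remediation": 20, "guest": 30}


def _tagged_int(attr_type, value, tag=0):
    """Tunnel attribute: type, length, 1-byte tag, 3-byte big-endian integer."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def _tagged_str(attr_type, text, tag=0):
    """Tunnel attribute: type, length, 1-byte tag, ASCII string value."""
    payload = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(payload)]) + payload


def build_vlan_attributes(vlan_id, tag=0):
    """Standard RFC 3580 triple: VLAN(13) / IEEE-802(6) / VLAN id as a string."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def build_profile_attributes(profile_name, tag=0):
    """Combination described in the thread for Aerohive: GRE(10) / IP(1) / profile."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IP, tag)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, profile_name, tag))


def access_accept_for(domain_member, user_authenticated, mac_known):
    """NPS-side policy as described in the thread: domain computer + valid user
    -> internal; domain computer alone -> remediation; known MAC -> internal;
    everything else -> guest. Returns the attribute bytes for the reply."""
    if domain_member and user_authenticated:
        return build_vlan_attributes(VLAN_PLAN["internal"])
    if domain_member:
        return build_vlan_attributes(VLAN_PLAN["remediation"])
    if mac_known:
        return build_vlan_attributes(VLAN_PLAN["internal"])
    return build_vlan_attributes(VLAN_PLAN["guest"])


def parse_attributes(data):
    """Split RADIUS attribute TLVs into {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def _strip_tag(value):
    """RFC 2868: a leading byte of 0x00..0x1F is a tag, otherwise it is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def decide_vlan(attrs, default_vlan):
    """NAS-side decision. Returns an int VLAN id (RFC 3580) or a str profile
    name (the thread's Aerohive combination). Anything missing, malformed or
    out of range falls back to default_vlan instead of an unintended network."""
    try:
        tunnel_type = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
        group_id = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    except (KeyError, UnicodeDecodeError):
        return default_vlan
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == MEDIUM_IEEE_802:
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            return int(group_id)
        return default_vlan
    if tunnel_type == TUNNEL_TYPE_GRE and medium == MEDIUM_IP and group_id:
        return group_id           # profile name; the AP maps it to a VLAN
    return default_vlan


if __name__ == "__main__":
    reply = access_accept_for(domain_member=True, user_authenticated=False,
                              mac_known=False)
    print(reply.hex(), "->",
          decide_vlan(parse_attributes(reply), default_vlan=VLAN_PLAN["guest"]))
```

Choosing the fallback VLAN is the security-relevant decision: a quarantine or guest VLAN as the default means a server misconfiguration (or a reply stripped of its attributes) degrades to restricted access rather than to the internal network.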
Dianne Dunlap:
Tiele Declercq:
Dianne, thanks a lot for this document. It seems it will help us a lot.
Tiele Declercq:
Dianne,

May I ask what the Tunnel-Medium-Type and Tunnel-Type are used for? (page 5 of your doc)
Nick Lowe (Official Rep):
Did you take a look at the other thread I linked to?
Tiele Declercq:
I did... but it suddenly makes a lot more sense now :-)

Thanks!
Nick Lowe (Official Rep):
Tiele Declercq:
Okay, I have my RADIUS server set up and returning the correct VLAN... more or less.

I want to use the same RADIUS server for requests coming from routers and access points. My RADIUS server is returning different VLANs for trusted devices (MAC based), domain computers, smartphones, etc., i.e. if a domain computer asks the RADIUS server it will reply VLAN '5'.

VLAN 5 is configured internally on our switches; this works for an AP.
For our branch routers I've set each internal user profile to map to the VPN VLAN:

And the VLAN-VPN is mapped to the CVG for VPN access:

But when I connect my client, I'm not getting an IP, and I can see that my laptop is assigned to VLAN 5, not 4094 (VPN) as I would have thought.