Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 14 Configuring VLANs

Creating a VLAN Name

Beginning in privileged EXEC mode, follow these steps to assign a name to a VLAN:

        Command                             Purpose
Step 1  configure terminal                  Enter global configuration mode.
Step 2  dot11 vlan-name name vlan vlan-id   Assign a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters.
Step 3  end                                 Return to privileged EXEC mode.
Step 4  copy running-config startup-config  (Optional) Save your entries in the configuration file.

Use the no form of the command to remove the name from the VLAN. Use the show dot11 vlan-name privileged EXEC command to list all the VLAN name and ID pairs configured on the access point.

Using a RADIUS Server to Assign Users to VLANs

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.

Note: Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

The VLAN-mapping process consists of these steps:
1. A client device associates to the access point using any SSID configured on the access point.
2. The client begins RADIUS authentication.
3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.

These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common tag value between 1 and 31 to identify the grouped relationship.
IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
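
The following Python check is an added example, not part of the Cisco guide: it parses the attribute list of a RADIUS Access-Accept and reports a VLAN only when IETF attributes 64, 65 and 81 from "Using a RADIUS Server to Assign Users to VLANs" share one tag between 1 and 31. The numeric codes 13 (VLAN) and 6 (802) and the tag-plus-value byte layout come from RFC 2868 and RFC 3580 rather than this page; the function names and sample replies are constructed, and returning None for an incomplete group is this checker's own choice.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
TT_VLAN, TM_802 = 13, 6   # RFC 2868 / RFC 3580 codes for "VLAN" and "802"

def tagged_int(attr_type, tag, value):
    """Encode Tunnel-Type / Tunnel-Medium-Type: 1-byte tag + 3-byte integer."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def tagged_str(attr_type, tag, text):
    """Encode Tunnel-Private-Group-ID: 1-byte tag + ASCII string."""
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body

def iter_attrs(blob):
    """Yield (type, value) for each type-length-value attribute in the list."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield blob[i], blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]

def assigned_vlan(blob):
    """Return the VLAN ID if one tag group holds all three attributes, else None."""
    groups = {}
    for attr_type, value in iter_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            tag, field = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PGID and value:
            tag, field = value[0], value[1:].decode("ascii", "replace")
        else:
            continue
        if 1 <= tag <= 31:   # untagged or out-of-range attributes are ignored
            groups.setdefault(tag, {})[attr_type] = field
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TT_VLAN and g.get(TUNNEL_MEDIUM) == TM_802
                and g.get(TUNNEL_PGID, "").isdigit()):
            return int(g[TUNNEL_PGID])
    return None

# Constructed sample replies (not captured traffic).
GOOD = tagged_int(64, 1, TT_VLAN) + tagged_int(65, 1, TM_802) + tagged_str(81, 1, "20")
MIXED_TAGS = tagged_int(64, 1, TT_VLAN) + tagged_int(65, 2, TM_802) + tagged_str(81, 1, "20")
NO_VLAN = bytes([1, 5]) + b"bob"   # only a User-Name attribute

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("mixed tags", MIXED_TAGS), ("no vlan", NO_VLAN)):
        print(name, "->", assigned_vlan(blob))
```

A None result for a reply that was meant to carry a VLAN points at a tag or value mismatch in the RADIUS user entry.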