Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 4 Configuring VLANs
If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary
SSID, the access point or bridge responds with a probe response with a secondary SSID.
You can map the primary SSID to the VLAN ID on the wired infrastructure in different ways. For
example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN
on the wired side to provide guest VLAN access.
RADIUS-Based VLAN Access Control
You may want to impose RADIUS-based VLAN access control. For example, if the WLAN setup is such
that all VLANs use IEEE 802.1x and similar authentication mechanisms for WLAN user access, the user
can hop from one VLAN to another by changing the SSID and successfully authenticating to the access
point. However, this process may not be ideal if the wireless user is to be confined to a particular VLAN.
There are two ways to implement RADIUS-based VLAN access control on the access point:
1. RADIUS-based VLAN assignment: Upon successful IEEE 802.1x or MAC authentication, the
RADIUS server can be configured to assign the user to a particular VLAN ID on the wired side.
Regardless of which SSID is used for WLAN access, the user is always assigned to a particular
VLAN ID.
2. RADIUS-based SSID access control: Upon successful IEEE 802.1x or MAC authentication, the
RADIUS server passes back the allowed SSID list and the user is allowed to associate to the WLAN.
Otherwise, the user is disassociated from the access point or bridge.
Figure 4-4 illustrates both RADIUS-based VLAN access control methods. In the figure, both
Engineering and Marketing VLANs are configured to allow only IEEE 802.1x authentication (LEAP,
EAP-TLS, PEAP, etc.). When user John uses the Engineering SSID to access the WLAN, the RADIUS
server maps John to VLAN ID 24, which may or may not be the default VLAN ID mapping for the
Engineering SSID. Using this method, a user can be mapped to a fixed wired VLAN throughout an
enterprise network.
Figure 4-4 also shows an example for RADIUS-based SSID access control. In the figure, David uses the
Marketing SSID to access the WLAN; however, the permitted SSID list sent back by the RADIUS server
allows David to access only the Engineering SSID and the access point disassociates him from the
WLAN. Using RADIUS-based SSID access, a user can be given access to one or multiple SSIDs
throughout the enterprise network.
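
The following Python model is an added example, not part of the Cisco guide or the access point software; it traces the John and David cases from Figure 4-4 through both control methods. The attribute names (the RFC 3580 tunnel attributes for the VLAN ID and a `ssid=` Cisco AV pair for the SSID list), the default VLAN numbers 14 and 34, and the handling of a missing SSID list or malformed VLAN ID are assumptions.

```python
# Added illustration: models the access point's decision after a successful
# RADIUS authentication. Attribute names are assumptions, not taken from the guide.
TUNNEL_TYPE_VLAN = 13    # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 3580: Tunnel-Medium-Type = IEEE 802

# Constructed default SSID-to-VLAN map; only VLAN ID 24 for John is from the guide.
SSID_DEFAULT_VLAN = {"Engineering": 14, "Marketing": 34}


def radius_vlan(reply):
    """Return the VLAN ID assigned by RADIUS, or None if the reply carries none."""
    if reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    raw = str(reply.get("Tunnel-Private-Group-ID", "")).strip()
    if not (raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 4094):
        return None  # assumption: a malformed or out-of-range ID is ignored
    return int(raw)


def allowed_ssids(reply):
    """Collect SSIDs from 'ssid=<name>' AV pairs; an empty set means no list was sent."""
    pairs = reply.get("Cisco-AVPair", [])
    return {p.split("=", 1)[1] for p in pairs if p.startswith("ssid=")}


def decide(ssid, reply):
    """Return ('associate', vlan) or ('disassociate', None) for an authenticated user."""
    if ssid not in SSID_DEFAULT_VLAN:
        return ("disassociate", None)
    permitted = allowed_ssids(reply)
    # Assumption: a reply with no SSID list places no SSID restriction on the user.
    if permitted and ssid not in permitted:
        return ("disassociate", None)
    vlan = radius_vlan(reply)
    # A RADIUS-assigned VLAN overrides the SSID's default mapping.
    return ("associate", vlan if vlan is not None else SSID_DEFAULT_VLAN[ssid])


# Constructed RADIUS replies for the two users in Figure 4-4.
JOHN = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "24"}
DAVID = {"Cisco-AVPair": ["ssid=Engineering"]}

if __name__ == "__main__":
    print(decide("Engineering", JOHN))   # John is mapped to VLAN 24
    print(decide("Marketing", JOHN))     # changing SSID does not change his VLAN
    print(decide("Marketing", DAVID))    # David is disassociated
    print(decide("Engineering", DAVID))  # David gets the Engineering default VLAN
```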