Chapter 4 Configuring VLANs

If a client or infrastructure device (such as a workgroup bridge) sends a probe request that carries a secondary SSID, the access point or bridge answers with a probe response carrying that secondary SSID.

You can map the primary SSID to the VLAN ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide guest VLAN access.

RADIUS-Based VLAN Access Control

You may want to impose RADIUS-based VLAN access control. For example, if the WLAN is set up so that every VLAN uses IEEE 802.1x or a similar authentication mechanism for WLAN user access, a user can hop from one VLAN to another simply by changing the SSID and authenticating successfully to the access point. That behavior is unacceptable if the wireless user is supposed to be confined to a particular VLAN.

There are two ways to implement RADIUS-based VLAN access control on the access point:

1. RADIUS-based VLAN assignment—Upon successful IEEE 802.1x or MAC authentication, the RADIUS server can be configured to assign the user to a particular VLAN ID on the wired side. Regardless of which SSID is used for WLAN access, the user is always placed in that VLAN ID.

2. RADIUS-based SSID access control—Upon successful IEEE 802.1x or MAC authentication, the RADIUS server passes back the list of allowed SSIDs. If the SSID the user associated with is on that list, the user is allowed to stay associated with the WLAN; otherwise, the access point or bridge disassociates the user.

Figure 4-4 illustrates both RADIUS-based VLAN access control methods. In the figure, both the Engineering and Marketing VLANs are configured to allow only IEEE 802.1x authentication (LEAP, EAP-TLS, PEAP, and so on). When user John uses the Engineering SSID to access the WLAN, the RADIUS server maps John to VLAN ID 24, which may or may not be the default VLAN ID mapping for the Engineering SSID. With this method, a user can be mapped to a fixed wired VLAN throughout an enterprise network, no matter which SSID the user associates with.

Figure 4-4 also shows an example of RADIUS-based SSID access control. In the figure, David uses the Marketing SSID to access the WLAN; however, the permitted SSID list sent back by the RADIUS server allows David to access only the Engineering SSID, so the access point disassociates him from the WLAN. Using RADIUS-based SSID access control, a user can be given access to one or more SSIDs throughout the enterprise network.
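The following is an added example, not code from the Cisco guide or from the access point firmware: a small model of the decision the access point makes after a successful authentication under the two methods above, run against the John and David cases from Figure 4-4. It assumes that the VLAN assignment arrives in the RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID) and that the allowed-SSID list arrives as Cisco AV pairs of the form `ssid=<name>`; those attribute names, the default SSID-to-VLAN table, and the Access-Accept contents are constructed for the example. One practical caveat it handles: Tunnel-Private-Group-ID carries a leading Tag octet, and RFC 2868 says a first byte above 0x1F is part of the VLAN string rather than a tag, so the parser must not blindly strip it.

```python
"""Model of an access point's post-authentication VLAN and SSID decision.

Added example; not Cisco code. Assumptions (see lead-in):
  - Tunnel-Type (64) = 13 (VLAN), Tunnel-Medium-Type (65) = 6 (IEEE-802),
    Tunnel-Private-Group-ID (81) = tagged VLAN-ID string (RFC 2868).
  - Allowed SSIDs arrive as Cisco AV pairs "ssid=<name>".
  - The Access-Accept is already decoded into (attribute-name, value) pairs.
"""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for 802 media

# Constructed default SSID-to-VLAN mapping on the access point (hypothetical values)
DEFAULT_SSID_VLAN = {"Engineering": 20, "Marketing": 30}


@dataclass
class Decision:
    associated: bool        # False means the access point disassociates the client
    vlan: Optional[int]     # wired VLAN the client lands in, if still associated
    reason: str


def strip_rfc2868_tag(value: bytes) -> bytes:
    """Drop the Tag octet of Tunnel-Private-Group-ID only when it really is a tag
    (0x00-0x1F); anything larger is the first byte of the VLAN string."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def radius_vlan(attrs) -> Optional[int]:
    """VLAN ID assigned by the server, or None if the three tunnel attributes
    are missing, inconsistent, or carry an out-of-range VLAN."""
    tunnel_type = tunnel_medium = group_id = None
    for name, val in attrs:
        if name == "Tunnel-Type":
            tunnel_type = val
        elif name == "Tunnel-Medium-Type":
            tunnel_medium = val
        elif name == "Tunnel-Private-Group-ID":
            group_id = strip_rfc2868_tag(val)
    if tunnel_type != TUNNEL_TYPE_VLAN or tunnel_medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group_id is None or not group_id.isdigit():
        return None
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


def allowed_ssids(attrs) -> set:
    """Every 'ssid=<name>' AV pair; an empty set means no SSID restriction."""
    return {val[len("ssid="):] for name, val in attrs
            if name == "Cisco-AVPair" and isinstance(val, str) and val.startswith("ssid=")}


def post_auth_decision(assoc_ssid: str, attrs) -> Decision:
    """SSID access control is checked first; then the VLAN is pinned if the
    server sent one, otherwise the SSID's default VLAN applies."""
    permitted = allowed_ssids(attrs)
    if permitted and assoc_ssid not in permitted:
        return Decision(False, None,
                        f"SSID {assoc_ssid!r} not in RADIUS allowed list {sorted(permitted)}")
    vlan = radius_vlan(attrs)
    if vlan is not None:
        return Decision(True, vlan, "VLAN pinned by RADIUS Tunnel-Private-Group-ID")
    return Decision(True, DEFAULT_SSID_VLAN[assoc_ssid],
                    "no RADIUS VLAN attributes; default VLAN for the SSID used")


# Constructed Access-Accept contents for the cases in Figure 4-4
JOHN_ACCEPT = [("Tunnel-Type", TUNNEL_TYPE_VLAN),
               ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE_802),
               ("Tunnel-Private-Group-ID", b"\x00" + b"24")]   # tag 0x00, VLAN "24"
DAVID_ACCEPT = [("Cisco-AVPair", "ssid=Engineering")]
UNCONSTRAINED_ACCEPT = []   # server returned neither VLAN nor SSID attributes

if __name__ == "__main__":
    print("John/Engineering:", post_auth_decision("Engineering", JOHN_ACCEPT))
    print("John/Marketing:  ", post_auth_decision("Marketing", JOHN_ACCEPT))
    print("David/Marketing: ", post_auth_decision("Marketing", DAVID_ACCEPT))
    # Without RADIUS-based control, the VLAN follows whichever SSID the user picks
    for ssid in DEFAULT_SSID_VLAN:
        print("unconstrained/" + ssid + ":", post_auth_decision(ssid, UNCONSTRAINED_ACCEPT))
```

The unconstrained case is the VLAN-hopping problem this section opens with: the same credentials yield VLAN 20 or VLAN 30 depending only on the SSID chosen. John's Access-Accept pins him to VLAN 24 whichever SSID he uses, and David's restricts him to the Engineering SSID, so his Marketing association is torn down.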

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-05