Configuring the External RADIUS Server
Configuring User-Based Authentication and Dynamic VLANs
You can configure an entry in the external RADIUS server to pass a user's credentials to the access point and to dynamically assign the user to a VLAN.
Dynamic VLANs allow you to assign a user to a VLAN, and switches use this information to configure the switch port automatically. Selection of the VLAN is usually based on the identity of the user. The RADIUS server informs the access point of the selected VLAN as part of the authentication. This setup enables users of dynamic VLANs to move from one location to another without intervention and without any changes to the switches.
If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in
The VLAN attributes defined in RFC 3580 are as follows:
•
•
•
NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which is why client entries use 6 for the
To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the etc/raddb/users file, which contains the user account information, and add an entry for the new user.
The following example shows the entry for a user in the users file. The username is “johndoe” and the password is “test1234”. The user is assigned to VLAN 77.
johndoe
NOTE: Do not use the management VLAN ID of the AP for the value of the Tunnel-
The
The default management VLAN ID for all APs is 1. The only way to change an AP’s management VLAN ID is by using the set management
After you change the etc/raddb/users file, you must restart the RADIUS server daemon to apply the changes.
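The following check is an added example, not part of the original document. It parses users-file text and flags entries whose tunnel attributes do not match the RFC 3580 values (Tunnel-Type 13, Tunnel-Medium-Type 6) or that place a user on the AP management VLAN. The sample input is constructed: the Cleartext-Password check item and the janedoe and guest entries are assumptions, and the function names are hypothetical.

```python
import re
# Values RFC 3580 requires for VLAN assignment (number or FreeRADIUS dictionary name).
REQUIRED = {"Tunnel-Type": {"13", "VLAN"}, "Tunnel-Medium-Type": {"6", "IEEE-802"}}
ITEM = re.compile(r'([\w-]+)(?::\d+)?\s*(?::=|\+=|==|=)\s*"?([^",]+)"?')

# Constructed sample; Cleartext-Password and the last two users are assumptions.
SAMPLE = '''\
johndoe Cleartext-Password := "test1234"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 77

janedoe Cleartext-Password := "example-only"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 1

guest Cleartext-Password := "example-only"
    Tunnel-Type = 13, Tunnel-Private-Group-ID = 5000
'''

def parse_users(text):
    """Return {username: {reply attribute: value}} from users-file text."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new entry
            current = users.setdefault(line.split()[0], {})
        elif current is not None:          # indented lines carry reply items
            for name, value in ITEM.findall(line):
                current[name] = value.strip()
    return users

def check_vlans(text, mgmt_vlan=1):
    """Return (username, problem) findings; mgmt_vlan defaults to the AP default of 1."""
    findings = []
    for user, reply in parse_users(text).items():
        if not any(k.startswith("Tunnel-") for k in reply):
            continue                       # entry assigns no VLAN
        for attr, allowed in REQUIRED.items():
            if reply.get(attr) not in allowed:
                findings.append((user, f"{attr} is {reply.get(attr, 'missing')}"))
        vlan = reply.get("Tunnel-Private-Group-ID", "")
        if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
            findings.append((user, f"invalid VLAN ID {vlan!r}"))
        elif int(vlan) == mgmt_vlan:
            findings.append((user, "assigned to the AP management VLAN"))
    return findings
```

Calling `check_vlans(SAMPLE)` returns no finding for johndoe and flags janedoe and guest. Pass `mgmt_vlan` if the AP management VLAN ID has been changed from the default.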