Dynamic VLAN assignment helps you quickly on-board a new device by allowing it to connect to a single SSID irrespective of the VLAN it has access to. Users get access to their respective VLANs by connecting to a single corporate SSID.
With dynamic VLAN assignment, the RADIUS server maps these users to their respective VLANs at the back end. The APs need to be connected to a trunk port that carries all the VLANs.
There are two methods to assign dynamic VLANs:
- RADIUS based assignment
- Google OU based assignment
RADIUS Based Assignment
To achieve this, the following tasks must be performed:
- To create a RADIUS server template in CloudVision WiFi, navigate to Configure > WiFi > RADIUS and select ‘Add RADIUS Server’.
- Enter the RADIUS details. In this example, the server name is “RADIUS Example”.
- Under Configure > WiFi > SSID, click ‘Add SSID’.
- In this example, the SSID name is “Example”. Select WPA2 and 802.1x for security.
- Select the configured RADIUS template in RADIUS Setting.
- Enable ‘Dynamic VLANs’ and enter the VLAN IDs.
- Create users and groups in Active Directory (AD) and assign the users to the respective groups.
- Define policies in the Network Policy Server (NPS) for each group, so that user traffic is placed in the VLAN whose ID is defined in the policy for that group.
A few points to keep in mind:
- If the RADIUS server returns a VLAN ID that is not configured in the Dynamic VLANs section of the SSID profile, the user is assigned the default VLAN configured in the Network section of the SSID profile.
- If a user in an AD user/group for which no VLAN ID is configured in the NPS server accesses the SSID, the user is assigned the default VLAN ID configured in the SSID.
- The AP communicates with the RADIUS server over the communication VLAN, i.e. RADIUS traffic must be allowed between the AP subnet and the RADIUS server subnet.
- The IP address of the AP must be added as a RADIUS client on the NPS server.
- NAT, captive portal and firewall cannot be configured in the SSID Profile if Dynamic VLAN is enabled.
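As an added example (not code from this page, from Arista, or from NPS), the following Python models the two fallback rules above for a client whose RADIUS Access-Accept has been received. It assumes the VLAN is carried in the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) already decoded by a RADIUS client library, and the SsidProfile class is a constructed stand-in for the SSID profile settings.

```python
# Illustrative model of the AP-side VLAN selection rules described above;
# not Arista's or NPS's implementation.
from typing import Mapping, Optional

# RFC 3580 / RFC 2868 values used for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type (attr 64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type (attr 65) = IEEE-802


class SsidProfile:
    """Constructed stand-in for the SSID profile settings the page refers to."""
    def __init__(self, default_vlan: int, dynamic_vlans: set) -> None:
        self.default_vlan = default_vlan      # Network section: default VLAN
        self.dynamic_vlans = dynamic_vlans    # Dynamic VLANs section: allowed IDs


def vlan_from_access_accept(attrs: Mapping[str, object]) -> Optional[int]:
    """Return the VLAN ID an Access-Accept carries, or None if it carries none.

    Per RFC 3580 the VLAN is only meaningful when Tunnel-Type is VLAN and
    Tunnel-Medium-Type is IEEE-802; Tunnel-Private-Group-ID holds the ID as
    a string, which is how NPS sends it for a group policy.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = attrs.get("Tunnel-Private-Group-ID")
    if not isinstance(group, str) or not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


def assign_vlan(profile: SsidProfile, attrs: Mapping[str, object]) -> int:
    """Apply the fallback rules: no VLAN returned, or a VLAN not listed under
    Dynamic VLANs, means the client lands in the SSID's default VLAN."""
    vlan = vlan_from_access_accept(attrs)
    if vlan is None or vlan not in profile.dynamic_vlans:
        return profile.default_vlan
    return vlan


# Constructed sample: VLAN 100 for "IT" as in the page, VLAN 200 added here.
EXAMPLE_PROFILE = SsidProfile(default_vlan=1, dynamic_vlans={100, 200})
IT_USER_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                  "Tunnel-Private-Group-ID": "100"}   # NPS policy for IT
NO_POLICY_ACCEPT = {}                                 # group without a VLAN in NPS
UNKNOWN_VLAN_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                       "Tunnel-Private-Group-ID": "300"}  # not under Dynamic VLANs

if __name__ == "__main__":
    for name, a in [("IT user", IT_USER_ACCEPT), ("no policy", NO_POLICY_ACCEPT),
                    ("unknown VLAN", UNKNOWN_VLAN_ACCEPT)]:
        print(f"{name}: VLAN {assign_vlan(EXAMPLE_PROFILE, a)}")
```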
Google OU Based Assignment
Below are the steps required to enable Google OU role-based VLAN assignment.
- On CloudVision WiFi, navigate to Configure > WiFi > Role Profiles and select ‘Add Role Profile’.
- Enter the details required for the profile. In Role-Specific Settings, enable ‘VLAN’ and add the VLAN ID. For this example, we assigned VLAN 100 to the “IT” profile.
- Repeat this step for every role required.
- Under Configure > WiFi > SSID, click ‘Add SSID’. In this example the SSID name is “Example”.
- Leave the Security as “Open”. Other security settings can also be used.
- Under the Access Control tab, enable ‘Client Authentication’ with “Google Integration”.
- Also enable ‘Role Based Control’ and select “Google OU”.
- Enter the details of the role and select an appropriate Role Profile in the ‘Assign Role’ field. Use the + icon to add more roles.