Configuration Guide on Dynamic VLAN with the VLAN Assignment function of RADIUS
With the VLAN Assignment feature of RADIUS, the Omada SDN solution can put clients authenticated by different accounts to the corresponding VLANs. In this way, clients will obtain IP addresses from different VLANs, and you don't have to create many SSIDs bound with different VLANs for wireless networks, or bind the PVIDs of the switch ports to specific VLANs for wired networks.
To achieve the above features, you will need the Omada SDN Controller, EAP for wireless assignment, JetStream Switch for wired assignment, and an external RADIUS server. In this article, we will share the configuration guide for below network topology.
Step 1. Set up the RADIUS server.
Here we run a FreeRADIUS® server on a Linux server. For more information on installation and configuration, please refer to the official website: https://freeradius.org/
First, edit the “clients.conf” file, set the client IP address as “192.168.0.0/24” and the password as “tplink”.
Next, edit the “users” file, create two accounts “test10” and “test20” in VLAN10 and VLAN20, respectively.
You may also edit the “eap.conf” to modify the EAP type for WPA-Enterprise. After configuration, run the RADIUS server to listen for the access requests.
Step 2. Create the RADIUS profile.
Go to Authentication --- RADIUS Profile, create a new profile bound with the RADIUS server, check “Enable VLAN Assignment for Wireless Network” to assign VLANs for wireless clients.
Step 3. Create more interfaces for VLAN assignments.
Assuming all Omada devices have been adopted by the controller, go to Settings --- Wired Networks --- LAN, and create two interfaces with VLAN10 and VLAN20.
Step 4. VLAN assignment for wireless networks.
Go to Settings – Wireless Networks, create a new SSID with WPA-Enterprise as below. For differences between WPA-Personal and WPA-Enterprise, please refer to FAQ500.
When connecting your client to the SSID, you will be asked to choose the authentication type of WPA-Enterprise, and enter the account username and password. After successfully authenticating with account “test10”, the client will obtain an IP address from VLAN10, while with account “test20”, it will get that from VLAN20.
Step 5. VLAN assignment for wired networks.
Go to Authentication --- 802.1X and enable the feature, select Authentication Type as “Port Based”, enable “VLAN Assignment” and check the Ports to be authenticated according to your requirements.
Then Go to Devices, click your switch, go to Ports, check the authentication ports, and batch edit to change the 802.1X Control to “Auto” mode.
Esta FAQ é útil?
Your feedback helps improve this site.