D-Link DWL-8500AP - AirPremier AG Wireless Switching 108 Dualband Access Point Administrator's Manual page 123

valid, the NAS configures the port to the VLAN indicated by the RADIUS authentication
server.
A RADIUS server needs to be configured to use Tunnel attributes in Access-Accept messages,
in order to inform the access point about the selected VLAN. These attributes are defined in
RFC 2868 and their use for dynamic VLAN is specified in RFC 3580.
If you use an external RADIUS server to manage VLANs, the server must use the following
VLAN attributes (as defined in RFC3580):
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
In the case of FreeRADIUS server, the following options may be set in the users file to add the
necessary attributes.
example-user Auth-Type :=EAP, User-Password =="nopassword"
Tunnel-Type = 13,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 7
Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-
Group-ID is the selected VLAN ID and can be different for each user.
NOTE: Do not use the management VLAN ID for the value of the Tunnel-Private-
Group-ID. The dynamically-assigned RADIUS VLAN cannot be the same as
the management VLAN. If the RADIUS server attempts to assign a dynamic
VLAN that is also the management VLAN, the AP ignores the dynamic
VLAN assignment, and a newly associated client is assigned to the default
VLAN for that VAP. A re-authenticating client retains its previous VLAN ID.
A Wireless Client Settings and RADIUS Server Setup
Configuring the RADIUS Server for VLAN Tags 123