Table of Contents
Advertisement
Appendix B: Security Settings on Wireless Clients/RADIUS Server
Configuring RADIUS Server For VLAN tags
B.11
Configuring RADIUS Server For VLAN tags
A VLAN is a grouping of ports on a switch or a grouping of ports on different switches.
Dynamic VLANs allow you to assign a user to a VLAN, and switches dynamically use this
information to configure the port on the switch automatically.
Selection of the VLAN is usually based on the identity of the user. The RADIUS server
informs the NAS (for example the access point) of the selected VLAN as part of the authen-
tication. This setup enables users of Dynamic VLANs to move from one location to another
without intervention and without having to make any changes to the switches.
In the case of the 9160 G2 Wireless Gateway, if the user has selected to use an external
RADIUS server (configured on the Security page), then an External RADIUS server will try
to authenticate the user. A user's authentication credentials are passed to a RADIUS server.
If these credentials are found to be valid, the NAS configures the port to the VLAN indi-
cated by the RADIUS authentication server.
B.11.1 Configuring A RADIUS Server
A RADIUS server needs to be configured to use Tunnel attributes in Access-Accept mes-
sages, in order to inform the access point about the selected VLAN. These attributes are
defined in RFC 2868 and their use for dynamic VLAN is specified in RFC 3580.
In the case of FreeRADIUS server, the following options may be set in the users file to add
the necessary attributes.
example-user
Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-
Group-ID is the selected VLAN ID, however it can be different for each user.
B-40
Psion Teklogix 9160 G2 Wireless Gateway User Manual
Auth-Type :=EAP, User-Password == "password"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = 7
Advertisement
Table of Contents
