VLAN assignment by RADIUS
You can assign each wireless user to a VLAN based on attributes returned by the RADIUS authentication server when the user authenticates. If the user's RADIUS record does not specify a VLAN ID, the user is placed in the default VLAN for the SSID.
The RADIUS user attributes used for the VLAN ID assignment are the RFC 2868 tunnel attributes:

| Attribute type | Attribute value | Note |
|---|---|---|
| IETF 64 (Tunnel-Type) | 13 | VLAN |
| IETF 65 (Tunnel-Medium-Type) | 6 | IEEE-802 |
| IETF 81 (Tunnel-Private-Group-ID) | 1–4094 | One VLAN ID per user. See Reserved VLAN IDs. You can also assign by name tag. See VLAN assignment by Name Tag. |

All three attributes must be present and consistent; a Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type values is not a VLAN assignment.
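The following Python is an added example, not FortiOS or Fortinet code. It builds the three tunnel attributes above as a RADIUS server would return them in an Access-Accept, then parses them back the way a wireless controller would: the RFC 2868 tag octet is handled (including an untagged Tunnel-Private-Group-ID such as the bare string "100"), the 1–4094 range is enforced, and any record without a usable VLAN falls back to the SSID default, as the text describes. Only the attribute list is modelled, not the RADIUS packet header, and the `vlan_names` mapping that stands in for the name-tag variant is an assumption for illustration.

```python
"""RFC 2868 tunnel attributes as used for dynamic VLAN assignment.

Added example, not FortiOS or Fortinet code. Only the RADIUS
attribute-value-pair list of an Access-Accept is modelled; the packet
header (Code, Identifier, Length, Authenticator) is left out.
"""

TUNNEL_TYPE = 64               # IETF 64
TUNNEL_MEDIUM_TYPE = 65        # IETF 65
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_avp(attr_type, value):
    """RADIUS AVP: Type(1) Length(1) Value(n); Length counts the header."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vlan_avps(vlan_id, tag=0):
    """Wire bytes a RADIUS server returns to assign vlan_id.

    Tunnel-Type and Tunnel-Medium-Type are a Tag octet plus a 3-octet
    integer; Tunnel-Private-Group-ID is a Tag octet plus a string, and
    the VLAN ID travels as decimal ASCII text ("100"), not binary.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    t = bytes([tag])
    return (
        encode_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + encode_avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + encode_avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Split an attribute list into (type, value) pairs; reject bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def strip_tag(value):
    """RFC 2868 tag rule: a first octet of 0x00-0x1F is a Tag; anything
    larger is the first byte of the payload (e.g. an untagged "100")."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(avps, default_vlan, vlan_names=None):
    """Pick the VLAN as the page describes: a complete, consistent
    Tunnel-* triple wins, otherwise the SSID default. Returns (vlan, why).

    vlan_names is an assumed mapping for the page's "name tag" variant,
    where Tunnel-Private-Group-ID carries a VLAN name rather than a number.
    """
    by_tag = {}
    for attr_type, value in avps:
        if attr_type not in TUNNEL_ATTRS:
            continue  # User-Name, Class, etc. do not affect the VLAN
        tag, body = strip_tag(value)
        entry = by_tag.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = body
        elif len(body) == 3:
            entry[attr_type] = int.from_bytes(body, "big")
        else:
            return default_vlan, "malformed tunnel integer"
    for _tag, entry in sorted(by_tag.items()):
        if (entry.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
                or entry.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
                or TUNNEL_PRIVATE_GROUP_ID not in entry):
            continue  # not a VLAN triple; try the next tag group
        try:
            text = entry[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
        except UnicodeDecodeError:
            return default_vlan, "undecodable group id"
        if text.isdigit():
            vlan = int(text)
            if 1 <= vlan <= 4094:
                return vlan, "radius"
            return default_vlan, "vlan id out of range"
        if vlan_names and text in vlan_names:
            return vlan_names[text], "name-tag"
        return default_vlan, "unknown vlan name"
    return default_vlan, "no vlan in radius record"


if __name__ == "__main__":
    # Constructed sample: a server record assigning VLAN 100; SSID default is 10.
    wire = encode_vlan_avps(100)
    print(wire.hex())
    print(vlan_from_access_accept(parse_avps(wire), 10))
    print(vlan_from_access_accept([], 10))
```

The parser deliberately treats a Tunnel-Medium-Type other than 6 (for example 1, IPv4) as "no VLAN" rather than guessing, because the same three attributes are also used to steer users into L2TP or other tunnels; a controller that only looked at Tunnel-Private-Group-ID would mis-place such users.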
To configure dynamic VLAN assignment, you need to:
- Configure access to the RADIUS server.
- Create the SSID and enable dynamic VLAN assignment.
- Create a FortiAP Profile and add the dynamic VLAN SSID to it.
- Create the VLAN interfaces and their DHCP servers.
- Create security policies to allow communication from the VLAN interfaces to the Internet.
- Authorize the FortiAP unit and assign the FortiAP Profile to it.
To configure access to the RADIUS server
- Go to User & Authentication > RADIUS Servers and select Create New.
- Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
- Select OK.
To create the dynamic VLAN SSID
- Go to WiFi and Switch Controller > SSIDs, select Create New > SSID and enter:

| Setting | Value |
|---|---|
| Name | An identifier, such as dynamic_vlan_ssid. |
| Traffic Mode | Local bridge or Tunnel, as needed. |
| SSID | An identifier, such as DYNSSID. |
| Security Mode | WPA2 Enterprise |
| Authentication | RADIUS Server. Select the RADIUS server that you configured. |

- Under Additional Settings, enable Dynamic VLAN assignment. If you do not see the toggle, enable it from the CLI:

    config wireless-controller vap
        edit dynamic_vlan_ssid
            set dynamic-vlan enable
            set vlanid 10
        end

  Optionally, also set a VLAN ID (vlanid in the CLI) to define the default VLAN for users whose RADIUS record carries no VLAN assignment. See Reserved VLAN IDs.
- Select OK.
To create the FortiAP profile for the dynamic VLAN SSID
- Go to WiFi and Switch Controller > FortiAP Profiles, select Create New and enter:

| Setting | Value |
|---|---|
| Name | A name for the profile, such as dyn_vlan_profile. |
| Platform | The FortiAP model you are using. If you use more than one model of FortiAP, you need a FortiAP Profile for each model. |
| Radio 1 and Radio 2: SSID | Select the SSID you created (for example dynamic_vlan_ssid). Do not add other SSIDs. |

- Adjust other radio settings as needed.
- Select OK.
To create the VLAN interfaces
- Go to Network > Interfaces and select Create New > Interface.
- Enter:

| Setting | Value |
|---|---|
| Name | A name for the VLAN interface, such as VLAN100. |
| Interface | The physical interface on which this VLAN is carried. |
| VLAN ID | The numeric VLAN ID, for example 100. It must match the Tunnel-Private-Group-ID value the RADIUS server returns for the users who belong to this VLAN. |
| Addressing mode | Select Manual and enter the IP address / Network Mask for the VLAN interface. |
| DHCP Server | Enable, then select Create New to create an address range. |

- Select OK.
- Repeat the preceding steps for every other VLAN ID that the RADIUS server can return.
Security policies determine which VLAN interfaces can communicate with which other interfaces (for example, the Internet-facing interface). These are ordinary firewall policies matching on source and destination addresses, with no user authentication in the policy itself: users are authenticated by RADIUS when they associate to the SSID and are placed in their VLAN at that point, so the source VLAN interface already identifies the user group.
To connect and authorize the FortiAP unit
- Connect the FortiAP unit to the FortiGate unit.
- Go to WiFi and Switch Controller > Managed FortiAPs.
- When the FortiAP unit is listed, double-click the entry to edit it.
- In FortiAP Profile, select the FortiAP Profile that you created.
- Select Authorize.
- Select OK.