Handbook

6.0.0
Configuring dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are:

Attribute type                       Attribute value   Note
IETF 64 (Tunnel Type)                13                VLAN
IETF 65 (Tunnel Medium Type)         6                 IEEE-802
IETF 81 (Tunnel Private Group ID)    1 - 4094          One VLAN ID per user
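As an added example (not Fortinet's code or documentation), the following Python encodes the three attributes from the table as RFC 2868 RADIUS attribute-value pairs and resolves a client's VLAN from an Access-Accept attribute blob, applying the fallback rule above: a missing, inconsistent or out-of-range record lands the user on the SSID's default VLAN. Attribute numbers and the Tag-plus-value layouts follow RFC 2868; the sample blobs are constructed.

```python
TUNNEL_TYPE = 64               # IETF 64, Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # IETF 65, Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF 81, Tunnel-Private-Group-Id
TUNNEL_TYPE_VLAN = 13          # "VLAN" from the table
TUNNEL_MEDIUM_IEEE_802 = 6     # "IEEE-802" from the table


def encode_vlan_attributes(vlan_id, tag=0):
    """Encode the RFC 2868 triple that carries a VLAN assignment.

    Tunnel-Type and Tunnel-Medium-Type are Tag(1) + 3-byte integer,
    Tunnel-Private-Group-Id is Tag(1) + ASCII string. Each AVP is
    Type(1) Length(1) Value(n), with Length counting the 2-byte header.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    avps = [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ]
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)


def parse_avps(blob):
    """Yield (type, value) pairs from a run of AVPs; stop at a bad length."""
    i = 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            break
        yield t, blob[i + 2:i + length]
        i += length


def resolve_vlan(blob, default_vlan):
    """Return the VLAN the client is placed on, or default_vlan.

    Only a complete, consistent triple (Tunnel-Type=VLAN, Medium=IEEE-802,
    Group-Id a decimal in 1-4094) assigns a VLAN; anything else falls back.
    """
    attrs = {}
    for t, v in parse_avps(blob):
        attrs.setdefault(t, v)           # first instance of each type wins
    try:
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
        gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
        # RFC 2868: a leading byte above 0x1F is string data, not a tag.
        text = gid[1:] if gid and gid[0] <= 0x1F else gid
        vlan = int(text.decode("ascii"))
    except (KeyError, ValueError, UnicodeDecodeError):
        return default_vlan
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return default_vlan
    return vlan if 1 <= vlan <= 4094 else default_vlan
```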

To configure dynamic VLAN assignment, you need to:

  1. Configure access to the RADIUS server.
  2. Create the SSID and enable dynamic VLAN assignment.
  3. Create a FortiAP Profile and add the local bridge mode SSID to it.
  4. Create the VLAN interfaces and their DHCP servers.
  5. Create security policies to allow communication from the VLAN interfaces to the Internet.
  6. Authorize the FortiAP unit and assign the FortiAP Profile to it.
To configure access to the RADIUS server
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
  3. Select OK.
To create the dynamic VLAN SSID
  1. Go to WiFi & Switch Controller > SSID, select Create New > SSID and enter:

    Name: An identifier, such as dynamic_vlan_ssid.
    Traffic Mode: Local bridge or Tunnel, as needed.
    SSID: An identifier, such as DYNSSID.
    Security Mode: WPA2 Enterprise
    Authentication: RADIUS Server. Select the RADIUS server that you configured.

  2. Select OK.
  3. Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

    config wireless-controller vap
        edit dynamic_vlan_ssid
            set dynamic-vlan enable
            set vlanid 10
        next
    end

To create the FortiAP profile for the dynamic VLAN SSID
  1. Go to WiFi & Switch Controller > FortiAP Profiles, select Create New and enter:

    Name: A name for the profile, such as dyn_vlan_profile.
    Platform: The FortiAP model you are using. If you use more than one model of FortiAP, you will need a FortiAP Profile for each model.
    Radio 1 and Radio 2 > SSID: Select the SSID you created (example dynamic_vlan_ssid). Do not add other SSIDs.

  2. Adjust other radio settings as needed.
  3. Select OK.
To create the VLAN interfaces
  1. Go to Network > Interfaces and select Create New > Interface.
  2. Enter:

    Name: A name for the VLAN interface, such as VLAN100.
    Interface: The physical interface associated with the VLAN interface.
    VLAN ID: The numeric VLAN ID, for example 100.
    Addressing mode: Select Manual and enter the IP address / Network Mask for the virtual interface.
    DHCP Server: Enable and then select Create New to create an address range.

  3. Select OK.
  4. Repeat the preceding steps to create other VLANs as needed.

Security policies determine which VLAN interfaces can communicate with which other interfaces. These are simple firewall address policies that do not require authentication: users have already been placed on the appropriate VLAN when they authenticated to the SSID.

To connect and authorize the FortiAP unit
  1. Connect the FortiAP unit to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.
  3. When the FortiAP unit is listed, double-click the entry to edit it.
  4. In FortiAP Profile, select the FortiAP Profile that you created.
  5. Select Authorize.
  6. Select OK.

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  • assign a specific VLAN based on the AP's FortiAP group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP group - CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP's FortiAP group (wtpgrp1, wtpgrp2, or wtpgrp3).

config wireless-controller vap
    edit wlan
        set vlan-pooling wtp-group
        config vlan-pool
            edit 101
                set wtp-group wtpgrp1
            next
            edit 102
                set wtp-group wtpgrp2
            next
            edit 103
                set wtp-group wtpgrp3
            next
        end
    next
end

Load balancing

There are two VLAN pooling methods used for load balancing. The VLAN is chosen by one of the following criteria:

  • round-robin - from the VLAN pool, choose the VLAN that currently has the smallest number of clients
  • hash - choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID's static VLAN ID setting (vlanid) is used instead.

To assign a VLAN by round-robin selection - CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap
    edit wlan
        set vlan-pooling round-robin
        config vlan-pool
            edit 101
            next
            edit 102
            next
            edit 103
            next
        end
    next
end

To assign a VLAN by hash-based selection - CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

config wireless-controller vap
    edit wlan
        set vlan-pooling hash
        config vlan-pool
            edit 101
            next
            edit 102
            next
            edit 103
            next
        end
    next
end