Support Dynamic VLAN assignment by Name Tag 7.0.4

Before this enhancement, users could be assigned to VLANs dynamically according to the Tunnel-Private-Group-Id RADIUS attribute returned in the Access-Accept message. The value could either match the VLAN-ID of a VLAN interface, or be a text string that matches a VLAN interface name.

This enhancement adds a third option: matching the value against a vlan-name table defined under the virtual AP (VAP).

To enable dynamic VLAN:

Under config wireless-controller vap, enable dynamic-vlan on the VAP and define the new config vlan-name table, which maps each name to a VLAN ID:

FortiGate-101F # config wireless-controller vap
FortiGate-101F (vap) # edit wifi.fap.02
FortiGate-101F (wifi.fap.02) # sh
config wireless-controller vap
    edit "wifi.fap.02"
      set ssid "wifi-ssid.fap.02"
      set security wpa2-only-enterprise
      set auth radius
      set radius-server "peap"
      set local-bridging enable
    next
end
FortiGate-101F (wifi.fap.02) # set dynamic-vlan enable
FortiGate-101F (wifi.fap.02) # config vlan-name
FortiGate-101F (vlan-name) # edit print
FortiGate-101F (print) # set vlan-id 100
FortiGate-101F (print) # sh
  config vlan-name
    edit "print"
      set vlan-id 100
    next
  end
FortiGate-101F (print) # end

Example use case

In the following example scenario, the customer site has set up the following topology:

  • FortiGate manages a FortiSwitch and a FortiAP that connects through the FortiSwitch;
  • FortiAP broadcasts a bridge mode SSID with dynamic-vlan enabled;
  • FortiGate needs to assign VLAN-ID=100 to the station if vlan-name is "print", and VLAN-ID=200 if vlan-name is "voip".

VLAN Name    VLAN ID
print        100
voip         200

Instead of creating VLAN interfaces on the FortiGate and naming them "print" and "voip" respectively, you can add one vlan-name table in the SSID:

config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "wifi-ssid.fap.02"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "peap"
        set local-bridging enable
        set dynamic-vlan enable
        config vlan-name
            edit "print"
                set vlan-id 100
            next
            edit "voip"
                set vlan-id 200
            next
        end
    next
end

After the wireless station connects to the SSID, it is assigned VLAN-ID=100 when its "Tunnel-Private-Group-Id" attribute is "print", and VLAN-ID=200 when the attribute is "voip".

To create the user accounts on the RADIUS server (FreeRADIUS users file syntax):

voip      Cleartext-Password := "123456"
          Tunnel-Type = "VLAN",
          Tunnel-Medium-Type = "IEEE-802",
          Tunnel-Private-Group-Id = voip
print     Cleartext-Password := "123456"
          Tunnel-Type = "VLAN",
          Tunnel-Medium-Type = "IEEE-802",
          Tunnel-Private-Group-Id = print

To verify that the client connected and received the correct VLAN ID and IP address:
   vf=1 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=10.100.80.101 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=print group=peap signal=-39 noise=-95 idle=0 bw=2 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2

   vf=1 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=200 ip=10.200.80.101 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=voip group=peap signal=-39 noise=-95 idle=20 bw=0 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
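As an added example (not Fortinet's code), the following Python models the three Tunnel-Private-Group-Id match options described above and checks station diagnostic lines against the vlan-name table. The match order (VLAN-ID, then interface name, then vlan-name) and the RFC 2868 tag stripping are assumptions about the behaviour, not taken from this page, and the VLAN_INTERFACES entry is constructed.

```python
import re
from typing import Optional

# Constructed to mirror the page: the vlan-name table under the VAP.
VLAN_NAME_TABLE = {"print": 100, "voip": 200}
# Constructed: VLAN interfaces on the FortiGate, name -> vlan-id.
VLAN_INTERFACES = {"guest-vlan": 300}


def strip_rfc2868_tag(value: bytes) -> str:
    """Drop the optional one-octet Tag of Tunnel-Private-Group-Id (RFC 2868
    section 3.6): a first octet <= 0x1F is a tag, otherwise it is data."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")


def resolve_dynamic_vlan(tpgid: bytes, interfaces=VLAN_INTERFACES,
                         names=VLAN_NAME_TABLE) -> Optional[int]:
    """Return the VLAN ID a station would get, or None when nothing matches.
    Assumed order: numeric VLAN-ID, then interface name, then vlan-name table."""
    s = strip_rfc2868_tag(tpgid).strip()
    if s.isdigit() and int(s) in interfaces.values():
        return int(s)                      # matches a VLAN interface's vlan-id
    if s in interfaces:
        return interfaces[s]               # matches a VLAN interface name
    return names.get(s)                    # matches the vlan-name table


KV = re.compile(r"(\w+)=(\S*)")


def parse_sta_line(line: str) -> dict:
    """Turn one 'vf=1 wtp=2 ... vlan_id=100 user=print' line into a dict."""
    return dict(KV.findall(line))


def check_station(line: str, names=VLAN_NAME_TABLE) -> bool:
    """True when the station's vlan_id equals the vlan-name entry for its user."""
    sta = parse_sta_line(line)
    expected = names.get(sta.get("user"))
    return expected is not None and sta.get("vlan_id") == str(expected)


# Station lines as shown in the verification output on this page (shortened).
STA_LINES = [
    "vf=1 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=10.100.80.101 ip6=:: "
    "mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=print group=peap online=yes",
    "vf=1 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=200 ip=10.200.80.101 ip6=:: "
    "mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=voip group=peap online=yes",
]

if __name__ == "__main__":
    for l in STA_LINES:
        print(parse_sta_line(l)["user"], check_station(l))
```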