Dynamic VLAN assignment using RADIUS attribute string 6.4.6
With the Tunnel-Private-Group-Id RADIUS attribute, a wireless controller can accept a VLAN name as a string and match it to the VLAN sub-interface attached to the VAP interface when dynamically assigning a VLAN. Users who log in to an SSID are placed in the VLAN configured in RADIUS for that particular user. Previously, only a numeric VLAN ID was supported.
To dynamically assign the VLAN using the RADIUS attribute string:
- Configure the SSID with RADIUS authentication and dynamic VLAN enabled:
```text
config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "wifi-ssid.fap.02"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "peap"
        set schedule "always"
        set dynamic-vlan enable
    next
end
```
- Configure the VLAN sub-interface:
```text
config system interface
    edit "wifi2-vlan100"
        set vdom "vdom1"
        set ip 10.100.80.1 255.255.255.0
        set device-identification enable
        set role lan
        set snmp-index 28
        set interface "wifi.fap.02"
        set vlanid 100
    next
end
```
- Configure the DHCP server:
```text
config system dhcp server
    edit 7
        set dns-service default
        set default-gateway 10.100.80.1
        set netmask 255.255.255.0
        set interface "wifi2-vlan100"
        config ip-range
            edit 1
                set start-ip 10.100.80.2
                set end-ip 10.100.80.254
            next
        end
    next
end
```
- In FreeRADIUS, create a user account in the `users` file with the Tunnel-Private-Group-Id attribute set to the name of the VLAN sub-interface:
```text
user0100 Cleartext-Password := "123456"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Session-Timeout = 180,
    Tunnel-Private-Group-Id = "wifi2-vlan100"
```
- Verify the client connection in FortiOS. The `vlan_id=100` field shows that the sub-interface name returned in Tunnel-Private-Group-Id was resolved to VLAN 100, and the client received an address from that VLAN's DHCP range:
```text
# diagnose wireless-controller wlac -d sta online
vf=1 wtp=1 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=10.100.80.2 ip6=:: mac=**:**:**:**:**:** vci= host=fosqa-PowerEdge-R210 user=user0100 group=peap signal=-15 noise=-95 idle=5 bw=0 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no online=yes mimo=2
```
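As an added illustration (not FortiOS or FreeRADIUS code), the following Python models the controller-side lookup described above: it decodes the RFC 2868 tunnel attributes from an Access-Accept and resolves Tunnel-Private-Group-Id, whether a numeric VLAN ID or a sub-interface name, against the VLAN sub-interfaces of the authenticating VAP. The sub-interface table, the `tunnel_attrs`/`parse_attrs`/`resolve_vlan` names, and the rule that the named sub-interface must be attached to that VAP are assumptions modelled on the configuration on this page.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6  # enumerations used for VLAN assignment

# Constructed table of VLAN sub-interfaces, modelled on the page's "config system interface".
VLAN_SUBINTERFACES = {
    "wifi2-vlan100": {"interface": "wifi.fap.02", "vlanid": 100},
    "wifi2-vlan200": {"interface": "wifi.fap.02", "vlanid": 200},
    "wifi1-vlan300": {"interface": "wifi.fap.01", "vlanid": 300},
}

def tunnel_attrs(group_id, tag=0):
    """Encode the three tunnel attributes as a RADIUS server would (constructed sample)."""
    def tlv(atype, value):
        return bytes([atype, len(value) + 2]) + value
    return (tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(group_id).encode("ascii")))

def parse_attrs(payload):
    """Parse attribute TLVs; tunnel attributes carry a leading tag octet (RFC 2868)."""
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        value = payload[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = int.from_bytes(value[1:], "big")  # drop tag, 3-octet integer follows
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # tag present; otherwise first byte is data
                value = value[1:]
            value = value.decode("ascii")
        attrs[atype] = value
        i += alen
    return attrs

def resolve_vlan(attrs, vap):
    """Return the VLAN ID to assign on `vap`, or None to refuse dynamic assignment."""
    if (attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None  # not a VLAN assignment for an 802 medium
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
    for name, sub in VLAN_SUBINTERFACES.items():
        if sub["interface"] != vap:
            continue  # only sub-interfaces attached to this VAP are eligible
        if group == name or (group.isdigit() and int(group) == sub["vlanid"]):
            return sub["vlanid"]
    return None  # unknown name/ID, or VLAN not attached to this VAP
```

A name that exists but belongs to a different VAP, or a name with no matching sub-interface, yields no assignment rather than a guessed VLAN.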