Enabling VLAN via RADIUS Attributes

This page describes how to configure VLAN settings through RADIUS attributes and add them to a client. For further info look here. For setup information on enabling attributes in general, see Enabling RADIUS Attributes.

1. Create the Attribute Set

Go to the 'RADIUS Attributes' page and click the 'Add Attributes' button. Name your Attribute Set to create it.

RADIUS Attributes interface

2. Configure the constant attributes

Click the 'Add Attribute' button in the 'Constant Attributes' section. Select 'Tunnel-Medium-Type' as the attribute and '6' (or whichever value represents all 802 media) as the value to be returned. (Note: Check your RADIUS vendor-specific documentation for the appropriate values.) Do the same for the 'Tunnel-Type' attribute, entering 'VLAN' as the value.

Constant attributes are returned with any successful login, regardless of user.

RADIUS Attributes interface

3. Configure the group conditional attributes

Click the 'Add Attribute' button in the 'Conditional Attributes' section. Select the attribute 'Tunnel-Private-Group-ID' and the default VLAN value to be returned. Click the 'Add Condition' button to add conditions to the return value.

Conditional attributes are evaluated in order. The first group listed that the authenticated user is a member of determines the value returned. If the user is not a member of any of the groups listed, the default value is returned.

RADIUS Attributes interface

4. Configure the MAC address attributes

Click the 'Add Attribute' button in the 'MAC Address Conditional Attributes' section. Select the attribute 'Tunnel-Private-Group-ID' and the default VLAN value to be returned. Click the 'Add Condition' button to add conditions to the return value.

MAC address conditional attributes are evaluated by longest matching prefix: the MAC entry with the longest prefix that matches the address determines the value returned. If the MAC address does not match any MAC entries listed, the default value is returned. If the MAC address does not match any MAC entries at all, the request is rejected.
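The selection rules from steps 2 to 4 can be modelled in a few lines to check what a given rule order or prefix list will return before you rely on it. This is an added example, not the product's own code: the function names, group names, MAC prefixes and VLAN IDs are all constructed, and the request-rejection case is not modelled.

```python
# Added illustration: a model of the evaluation rules described in steps 2-4.
# Group names, MAC prefixes and VLAN IDs are constructed sample values.
import re

# Constant attributes from step 2: returned with every successful login.
CONSTANT = {"Tunnel-Medium-Type": "6", "Tunnel-Type": "VLAN"}

def group_vlan(rules, default, user_groups):
    """rules is an ordered list of (group, vlan); the first listed group
    that the user belongs to wins, otherwise the default is returned."""
    for group, vlan in rules:
        if group in user_groups:
            return vlan
    return default

def normalize_mac(mac):
    """Lowercase and strip separators so 00-1A-2B, 00:1a:2b and 001a2b match."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def mac_vlan(entries, default, mac):
    """entries maps MAC prefix -> vlan; the longest matching prefix wins,
    otherwise the default is returned."""
    target = normalize_mac(mac)
    best = None
    for prefix, vlan in entries.items():
        p = normalize_mac(prefix)
        if p and target.startswith(p) and (best is None or len(p) > len(best[0])):
            best = (p, vlan)
    return best[1] if best else default

def reply_attributes(vlan):
    """Constant attributes plus the selected Tunnel-Private-Group-ID."""
    return {**CONSTANT, "Tunnel-Private-Group-ID": vlan}

# Constructed rule sets for the demonstration.
GROUP_RULES = [("contractors", "30"), ("engineering", "20")]
MAC_ENTRIES = {"00:1A:2B": "40", "00:1A:2B:3C:4D:5E": "50"}

if __name__ == "__main__":
    # User in both groups: 'contractors' is listed first, so VLAN 30 is returned.
    print(reply_attributes(group_vlan(GROUP_RULES, "10", {"engineering", "contractors"})))
    print(mac_vlan(MAC_ENTRIES, "99", "00-1a-2b-3c-4d-5e"))  # full-address entry
    print(mac_vlan(MAC_ENTRIES, "99", "00:1a:2b:ff:ff:ff"))  # shorter prefix entry
    print(mac_vlan(MAC_ENTRIES, "99", "de:ad:be:ef:00:01"))  # no entry, default
```

Because the first matching group wins, a user who belongs to several listed groups lands in the VLAN of whichever group appears first, so put the most restrictive group at the top of the list.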

5. Assign the attributes to a client

Go to the 'RADIUS Clients' page. In the 'RADIUS Attributes' column, select the Attribute Set you just created. Whenever a request is sent to that client, successful logins will return attributes according to that Attribute Set's specifications.

RADIUS Clients interface

NOTE: In order to delete an Attribute Set, it must not be associated with any RADIUS Clients.