VLAN Assign
IEEE 802.1X VLAN Assignment, or Role Based Access Control as it is often called, is the ability to put people on different VLANs based on any imaginable criteria: time of day, type of computer, location connecting from, etc.
But it is most often based on a role.
LDAP Data
When we created users we added a description attribute and passed it to RADIUS as the standard User-Category reply attribute. Let's use that to assign a VLAN.
Add VLAN Logic
This is a simple example that uses the User-Category attribute. Tunnel-Type 13 is VLAN and Tunnel-Medium-Type 6 is IEEE-802; both must be present or the AP ignores the Tunnel-Private-Group-Id.

```
vim /etc/freeradius/3.0/sites-available/wifi
```

```
# After the `authenticate` section add a `post-auth` block
...
authenticate {
    ...
}

post-auth {
    update reply {
        &Tunnel-Type = 13,
        &Tunnel-Medium-Type = 6
    }
    if (reply:User-Category == "staff") {
        update reply { &Tunnel-Private-Group-Id = "1020" }
    }
    elsif (reply:User-Category == "student") {
        update reply { &Tunnel-Private-Group-Id = "1021" }
    }
    else {
        update reply { &Tunnel-Private-Group-Id = "1022" }
    }
}
```
Make sure to edit the eap file as noted here. It is a common gotcha: without `use_tunneled_reply = yes` (set in the `peap` and `ttls` sub-sections), the reply attributes produced inside the inner tunnel, User-Category included, are never copied to the outer Access-Accept, so the post-auth logic above matches nothing and no VLAN is sent.

```
vim /etc/freeradius/3.0/mods-available/eap
```

```
use_tunneled_reply = yes
```
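Once the server is reloaded, the sensible check is to authenticate one user per role with `radtest` and confirm each Access-Accept carries all three tunnel attributes with the expected VLAN. The script below is an added example, not part of this page's configuration or of FreeRADIUS: it parses the attribute lines `radtest` prints (the sample output, the user names and the user-to-role table are constructed here, and the `1020`/`1021`/`1022` VLANs are the ones from the post-auth block above) and reports any user whose reply is incomplete or lands on the wrong VLAN. Feed it real output with `radtest ... | python3 check_vlans.py` after adjusting `ROLE_OF_USER`.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of radtest output for three users (not captured from a
# real server; format assumed to match FreeRADIUS 3.x radclient/radtest).
# carol is a student but was given the staff VLAN and is missing the
# Tunnel-Type / Tunnel-Medium-Type pair, so the checker must flag her.
SAMPLE_OUTPUT = """\
Sent Access-Request Id 17 from 0.0.0.0:34567 to 127.0.0.1:1812 length 73
    User-Name = "alice"
    User-Password = "REDACTED"
Received Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:34567 length 52
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1020"
Sent Access-Request Id 18 from 0.0.0.0:34568 to 127.0.0.1:1812 length 71
    User-Name = "bob"
    User-Password = "REDACTED"
Received Access-Accept Id 18 from 127.0.0.1:1812 to 127.0.0.1:34568 length 52
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1021"
Sent Access-Request Id 19 from 0.0.0.0:34569 to 127.0.0.1:1812 length 73
    User-Name = "carol"
    User-Password = "REDACTED"
Received Access-Accept Id 19 from 127.0.0.1:1812 to 127.0.0.1:34569 length 32
    Tunnel-Private-Group-Id:0 = "1020"
"""

# VLAN per role, taken from the post-auth block; "other" is the else branch.
EXPECTED_VLAN = {"staff": "1020", "student": "1021", "other": "1022"}
# Constructed test users; replace with your own directory data.
ROLE_OF_USER = {"alice": "staff", "bob": "student", "carol": "student"}
# Both of these must be present or the AP silently ignores the VLAN.
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}

# Attribute line: leading whitespace, name, optional ":tag", '=', quoted or bare value.
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')


def parse_radtest_output(text: str) -> Dict[str, Dict[str, str]]:
    """Map each User-Name to the attributes of the Access-Accept it received."""
    replies: Dict[str, Dict[str, str]] = {}
    user = None
    section = None  # "request" while reading the sent packet, "reply" after Access-Accept
    for line in text.splitlines():
        if line.startswith("Sent Access-Request"):
            section, user = "request", None
        elif line.startswith("Received Access-Accept"):
            section = "reply"
            if user is not None:
                replies[user] = {}
        elif line.startswith("Received Access-Reject"):
            section = None  # rejected users simply never appear in replies
        else:
            m = ATTR_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            if section == "request" and name == "User-Name":
                user = value
            elif section == "reply" and user is not None:
                replies[user][name] = value
    return replies


def check_vlan_assignments(replies: Dict[str, Dict[str, str]],
                           role_of_user: Dict[str, str],
                           expected_vlan: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means every user checked out."""
    findings: List[str] = []
    for user, role in role_of_user.items():
        attrs = replies.get(user)
        if attrs is None:
            findings.append(f"{user}: no Access-Accept seen")
            continue
        for name, want in REQUIRED.items():
            if attrs.get(name) != want:
                findings.append(f"{user}: {name} missing or wrong ({attrs.get(name)!r}); AP will ignore the VLAN")
        want_vlan = expected_vlan.get(role, expected_vlan["other"])
        got = attrs.get("Tunnel-Private-Group-Id")
        if got != want_vlan:
            findings.append(f"{user}: role {role!r} expected VLAN {want_vlan}, got {got!r}")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for finding in check_vlan_assignments(parse_radtest_output(text), ROLE_OF_USER, EXPECTED_VLAN):
        print(finding)
```

Users who are rejected, or who never get an Access-Accept, show up as findings too, so the script also catches a broken inner-tunnel reply copy: if `use_tunneled_reply` is not set, every user fails the `Tunnel-Type` check at once.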
Configure APs
You must configure your AP as per your vendor's docs. For Unifi, this means creating a RADIUS profile with the RADIUS-assigned VLAN check-boxes enabled, then creating a WiFi network that uses that profile.
https://help.ui.com/hc/en-us/articles/360015268353#6