Cisco Aironet Access Point Software Configuration Guide (OL-0657-07), Chapter 4 Configuring VLANs, page 4-7
RADIUS-Based VLAN Access Control
There are two ways to implement RADIUS-based VLAN access control on the access point:
1. RADIUS-based VLAN assignment—upon successful IEEE 802.1x authentication, the RADIUS server assigns the user to a particular VLAN ID on the wired side. Regardless of which SSID is used for WLAN access, the user is always assigned to that VLAN ID.
2. RADIUS-based SSID access control—upon successful IEEE 802.1x authentication, the RADIUS server passes back the list of allowed SSIDs, and the user is allowed to associate to the WLAN only through one of those SSIDs. Otherwise, the user is disassociated from the access point or bridge.
Figure 4-4 illustrates both RADIUS-based VLAN access control methods. In the figure, both the Engineering and Marketing VLANs are configured to allow only IEEE 802.1x authentication (LEAP, EAP-TLS, PEAP, and so on). When user John uses the Engineering SSID to access the WLAN, the RADIUS server maps John to VLAN ID 24, which may or may not be the default VLAN ID mapping for the Engineering SSID. Using this method, a user can be mapped to a fixed wired VLAN throughout an enterprise network.
Figure 4-4 also shows an example of RADIUS-based SSID access control. In the figure, David uses the Marketing SSID to access the WLAN; however, the permitted SSID list sent back by the RADIUS server allows David to access only the Engineering SSID, so the access point disassociates him from the WLAN. Using RADIUS-based SSID access control, a user can be given access to one or multiple SSIDs throughout the enterprise network.
Figure 4-4 RADIUS-Based VLAN Access Control
The RADIUS user attributes used for VLAN ID assignment are:
• IETF 64 (Tunnel Type)—Set this to VLAN
• IETF 65 (Tunnel Medium Type)—Set this to 802
• IETF 81 (Tunnel Private Group ID)—Set this to the VLAN ID
The Cisco IOS/PIX/RADIUS Attribute (009\001 cisco-av-pair) user attribute is used for SSID control. For example, this attribute can allow a user to access the WLAN using the Engineering and Marketing SSIDs only.
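The following is an added example, not code from the Cisco guide: it models the decision an access point makes from the attributes above when an Access-Accept arrives. The constructed Access-Accept contents mirror Figure 4-4; the numeric values 13 and 6 are the RFC 2868 encodings of Tunnel-Type VLAN and Tunnel-Medium-Type 802, and the `ssid=<name>` form of the cisco-av-pair value is an assumption, since the page only names the attribute.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 2868 / RFC 3580 encodings of the IETF tunnel attributes listed above.
TUNNEL_TYPE_VLAN = 13        # IETF 64 (Tunnel-Type) = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # IETF 65 (Tunnel-Medium-Type) = 802


@dataclass
class Decision:
    vlan_id: Optional[int]   # wired VLAN the client lands in (None when rejected)
    allowed: bool            # False means the access point disassociates the client
    reason: str


def evaluate_access_accept(attrs: dict, ssid_used: str, ssid_default_vlan: int) -> Decision:
    """Apply RADIUS-based VLAN assignment, then RADIUS-based SSID access control.

    attrs maps RADIUS attribute names to values; cisco-av-pair may be a list.
    """
    # 1. VLAN assignment: honour IETF 81 only when IETF 64 and 65 say "VLAN over 802".
    vlan_id = None
    if (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE_802
            and "Tunnel-Private-Group-ID" in attrs):
        try:
            vlan_id = int(attrs["Tunnel-Private-Group-ID"])
        except ValueError:
            # Design choice for this example: a malformed VLAN ID fails closed.
            return Decision(None, False, "malformed Tunnel-Private-Group-ID")
        if not 1 <= vlan_id <= 4094:
            return Decision(None, False, f"VLAN {vlan_id} out of range")

    # 2. SSID access control: cisco-av-pair "ssid=<name>" entries (assumed syntax).
    av_pairs = attrs.get("cisco-av-pair", [])
    if isinstance(av_pairs, str):
        av_pairs = [av_pairs]
    permitted = {p.split("=", 1)[1].strip() for p in av_pairs if p.lower().startswith("ssid=")}
    if permitted and ssid_used not in permitted:
        return Decision(None, False, f"SSID {ssid_used!r} not in {sorted(permitted)}")

    # No VLAN from RADIUS: fall back to the SSID's default VLAN mapping.
    if vlan_id is None:
        return Decision(ssid_default_vlan, True, "SSID default VLAN")
    return Decision(vlan_id, True, "RADIUS-assigned VLAN")


# Constructed Access-Accept contents for the two users in Figure 4-4.
JOHN_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "24"}
DAVID_ACCEPT = {"cisco-av-pair": ["ssid=Engineering"]}
```

John lands in VLAN 24 whichever SSID he associates through, while David is disassociated when he uses the Marketing SSID because only Engineering is permitted.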
[Figure 4-4 (image not reproduced): an access point/bridge offering the Guest, Marketing, and Engineering SSIDs connects over an 802.1Q trunk to the enterprise network, the management VLAN, and the RADIUS server. The exchanges shown are EAP-Request (user-id: John) / EAP-Success (user-id: John, VLAN-id=24) and EAP-Request (user-id: David) / EAP-Success (user-id: David, SSID=Engineering).]