[NEBULA] NWA-1123 ACHD - Dynamic VLAN assignment

Talkabout

Hi,

does the NWA-1123 ACHD support "dynamic vlan assignment" from a RADIUS server? I know that some switches by Zyxel are capable of that but somehow I am not able to get it to work with the mentioned device. I am trying to do this via a freeradius policy:

update reply {

            &Tunnel-Type = 13,

            &Tunnel-Medium-Type = 6,

            &Tunnel-Private-Group-Id = "vlan100"

}

Anybody able to help?

Thanks!

Bye

Talkabout

Hallo zusammen,

Thema hat sich erledigt. Nachdem ich meine Logik in den outer Tunnel (default site) unter "post-auth" eingetragen habe funktionierte es auf Anhieb. Vielleicht hilft es ja jemandem.

Gruss

Zyxel_Jonas

Hi @Talkabout ,

Basically, NWA1123-AC HD do support dynamic VLAN assignment via radius server, but be ensured that the radius server is configured correctly.

Hope it helps

Thanks,

Jonas

Talkabout

Sorry Jonas,

I answered in German... Yes, it is working correctly after applying the reply attributes in the outer tunnel, thanks!

Bye

Michael1330

What about NWA210AX (in stand-alone Mode)? While reading the manual it seems that I can only set static VLAN IDs for an SSID. So how do you configured your access point to work with dynamic VLAN?

Zyxel_Joslyn

Hi @Michael1330

You can register your NWA210AX on the Nebula, and here is the functions on Nebula which supports dynamic VLAN.
1. Use radius server.

    Please refer to our handbook chapter 4.5 and start from page 145 for the radius server setting.
    4.5 How to Configure 802.1x to secure the Wireless Environment with Dynamic VLAN by Using
    External AAA server? 
    
2. DPPSK. Create the DPPSK for 802.1x users. Assign the VLAN id.

So far, dynamic VLAN is not supported in stand-alone mode.
Hope it helps.

Joslyn

teRceLde

You stated: ‘Dynamic VLAN is not supported in stand-alone mode’. Is this true for ‘Dynamic VLAN by radius server attribute’ = Tunnel-Private-Group-ID from RFC 3580 and the latest firmware 06.xx as well?

I am unsure, what is the difference to this newer thread … furthermore, I tested a NWA1123ACv3 with the latest firmware 6.5x, and nothing had to be configured; it works out of the box after creating a WPA Enterprise security profile. No extra switch or option to tick like with other vendors. Same in Nebula Cloud Control (NCC). There, adding an external RADIUS server was sufficient; again, no extra option. I could but did not have to go for Nebula Cloud Authentication or DPPSK. 😀

baba

@Zyxel_Joslyn does radius dynamic vlan assignment needs nebula pro pack?

baba

What's with NWA110AX? Is this also supported (without nebula pro package)?

I can't get it work :(

freeradius	(26) Sent Access-Accept Id 188 from xxx:1812 to xxx:41162 length 213
freeradius	(26) MS-MPPE-Recv-Key = xxx
freeradius	(26) MS-MPPE-Send-Key = xxx
freeradius	(26) EAP-Message = 0x03xxxxxx
freeradius	(26) Message-Authenticator = 0x00000000000000000000000000000000
freeradius	(26) User-Name = "xxx"
freeradius	(26) Proxy-State = 0x31xxxx
freeradius	(26) Tunnel-Type = VLAN
freeradius	(26) Tunnel-Medium-Type = IEEE-802
freeradius	(26) Tunnel-Private-Group-Id = "vlan22"
freeradius	(26) Framed-MTU += 994
freeradius	(26) Finished request
freeradius	Waking up in 3.7 seconds.
freeradius	(27) Received Accounting-Request Id 87 from xxx:34419 to 172.19.0.32:1813 length 148
freeradius	(27) User-Name = "xxx"
freeradius	(27) Acct-Session-Id = "xxx"
freeradius	(27) Acct-Status-Type = Start
freeradius	(27) Acct-Authentic = RADIUS
freeradius	(27) NAS-IP-Address = 127.0.0.1
freeradius	(27) NAS-Port = 0
freeradius	(27) NAS-Port-Type = Ethernet
freeradius	(27) Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
freeradius	(27) Called-Station-Id = "xx-xx-xx-xx-xx-xx:MyWifi"
freeradius	(27) Acct-Session-Time = 0
freeradius	(27) Event-Timestamp = "May 27 2023 20:20:36 UTC"

sites-enabled/defaut:
post-auth {

        # Dynamic VLAN assignment by ldap group

        update reply {

                Tunnel-Type := VLAN

                Tunnel-Medium-Type := IEEE-802

                Tunnel-Private-Group-Id := "%{ldap:ldap:///ou=groups,dc=example,dc=com?cn?one?(&(cn=vlan*)(uniqueMember=%{control:Ldap-UserDn})(objectClass=groupOfUniqueNames))}"

        }

# …

}

Zyxel_Judy

Hi @teRceLde ,

Thank you for giving us your feedback.

Dynamic VLAN is a feature provided by the RADIUS server. Once wireless clients have successfully completed the 802.1x authentication process, they will be assigned the appropriate VLAN based on the correct configuration of attributes on the RADIUS server. This functionality is independent of the managed mode you are utilizing.

Additionally, Nebula Cloud Authentication or DPPSK are features available for users who wish to configure Dynamic VLANs without relying on a RADIUS server.

Zyxel_Judy

HI @baba ,

You do not require the Nebula Pro pack if you are configuring dynamic VLANs using a RADIUS server.

Please change the value of Tunnel-Private-Group-Id to 22 (a numerical value) instead of vlan22 to verify if it functions correctly. Also, ensure that you add your access point (AP) to the trusted client list on the RADIUS server.

If the configuration is accurate but dynamic VLANs still do not work, please share the packet captured by port mirroring and the RADIUS server logs that include the wireless client connection process here or via private message.