Zyxel AP/WLAN Controller support for vlan pool / aaa override

syure_p Posts: 4
edited April 14 in WirelessLAN
We have a radius server setup that allows VLAN allocation using a pool. Is there a way to set up Zyxel to support vlan pooling or aaa override instead of static or individual dynamic vlan?

Here is the high-level traffic flow.
User A connects to the Zyxel AP WiFi SSID ---> Authentication/Authorisation is exchanged through an External Radius ---> External Radius Server provides the VLAN ID TAG pulled from a Vlan pool configured on the radius itself

Accepted Solution

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Accepted Answer
    Hi @syure_p ,
    Because the Zyxel AP will auto override when the Radius server sets the dynamic VLAN attributes, you don't have to do any configuration setting on the AP or controller.
    As you expect, when you set the dynamic VLAN on the radius server, the client will use the VLAN that the RADIUS server assigns, and if the client is not assigned to any VLAN, it will use the SSID's VLAN.

All Replies

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    edited December 2020
    Hi @syure_p ,

    There are two ways to use the dynamic VLAN for doing the 802.1x authentication.

    1. By radius server attribute - you have to set the three attributes, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type, in the radius server, and then do the AAA server setting on the controller. When the users connect to the SSID to request authentication, the server will reply with the attributes to let the users get the correct VLANs.
    Here's the controller configuration for your reference.
    • 1-1. CONFIGURATION > Object > AAA Server > RADIUS
    • 1-2. CONFIGURATION > Object > Auth. Method

    2. By External User Group - You can set the "Filter-ID" on the radius server and then set the controller with the steps below to let the users connect to the SSID with their VLANs.
    • 2-1. CONFIGURATION > Object > AAA Server > RADIUS

    • 2-2. CONFIGURATION > Object > Auth. Method
    • 2-3. Configuration > Object > User/Group > User > Add/Edit 

    Hope it's helpful.
  • syure_p
    syure_p Posts: 4
    edited December 2020

    Looks like option 1 is the way to go. But my concern is when you configure an SSID it still requires a static or single VLAN to be assigned. There is no option for the vlan to be overridden by the radius.

    I have checked this so far on Nebula and on stand-alone deployment. Is it a different case if it's a dedicated Zyxel controller? Can you share how the VLAN field requirement can be overridden on the SSID configuration?

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Hi @syure_p ,
    Option 1 is the standard of the dynamic VLAN with the radius server. That means if your radius server sets the attributes correctly, the wireless client will get the VLAN after they have done the 802.1x authentication.
    So, it can be used in standalone, Nebula management, and NXC management mode.
    You may check the radius packet to see if the attributes are sent. Here's my packet for your reference.

    Please note that the DHCP server and the gateway need to set the VLAN interface to let the client get the IP and go to the Internet after successful authentication.
  • @Nebula_Freda Thanks for the prompt response. I have those attributes configured already and they are confirmed working on another environment setup. I am looking for something similar to these functions on either the controller or nebula cloud.

    The expected outcome that I am after is:
    1. Wireless client associates to the AP on specific WLAN.
    2. Wireless client starts the RADIUS authentication process.
    3. When the wireless client authenticates successfully, the RADIUS server assigns this client to a specific VLAN (vlan pool configured on the RADIUS server), regardless of the VLAN assigned to the SSID the client is using on the AP.
    4. If the RADIUS server does not return any VLAN attribute for the wireless client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.
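As an added illustration (not Zyxel's code or any poster's), the Python below models the Access-Accept handling the thread describes: a RADIUS server encodes the three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID), and the AP-side decision uses that VLAN when all three are present and valid, otherwise falls back to the SSID's VLAN (steps 3 and 4 above). Attribute codes and values are the standard ones; the function names are mine.

```python
import struct

# RFC 2868 attribute codes and values used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")   # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = (6).to_bytes(3, "big")   # Tunnel-Medium-Type = IEEE-802
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three tagged tunnel attributes a RADIUS server puts in Access-Accept."""
    def avp(code: int, value: bytes) -> bytes:
        return struct.pack("!BB", code, len(value) + 2) + value
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN)
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def parse_attrs(data: bytes) -> list:
    """Split a RADIUS attribute blob into (code, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def assigned_vlan(accept_attrs: bytes, ssid_vlan: int) -> int:
    """VLAN the client lands in: the RADIUS one if the tunnel attributes are
    complete and consistent, otherwise the SSID's VLAN (step 4 in the thread)."""
    by_tag = {}
    for code, val in parse_attrs(accept_attrs):
        if code not in VLAN_ATTRS or not val:
            continue
        # First octet is the tag (0x00-0x1F); a larger value means the
        # attribute is untagged and that octet is already data (RFC 2868).
        tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
        by_tag.setdefault(tag, {})[code] = body
    for f in by_tag.values():
        if (f.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and f.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and f.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vid = int(f[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:   # ignore out-of-range IDs rather than trusting them
                return vid
    return ssid_vlan
```

A capture of the real Access-Accept (as Zyxel_Freda suggests) fed through `parse_attrs` shows directly whether all three attributes arrive with a matching tag; a reply carrying only Filter-Id, or an incomplete set, resolves to the SSID VLAN.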