[NEBULA] NWA-1123 ACHD - Dynamic VLAN assignment

Talkabout
Talkabout Posts: 34  Freshman Member
First Comment Friend Collector
edited April 2021 in Nebula

Hi,


does the NWA-1123 ACHD support "dynamic vlan assignment" from a RADIUS server? I know that some switches by Zyxel are capable of that but somehow I am not able to get it to work with the mentioned device. I am trying to do this via a freeradius policy:


update reply {

            &Tunnel-Type = 13,

            &Tunnel-Medium-Type = 6,

            &Tunnel-Private-Group-Id = "vlan100"

}


Anybody able to help?


Thanks!

Bye

«1

All Replies

  • Talkabout
    Talkabout Posts: 34  Freshman Member
    First Comment Friend Collector

    Hallo zusammen,


    Thema hat sich erledigt. Nachdem ich meine Logik in den outer Tunnel (default site) unter "post-auth" eingetragen habe funktionierte es auf Anhieb. Vielleicht hilft es ja jemandem.


    Gruss

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    25 Answers First Comment Friend Collector Fifth Anniversary

    Hi @Talkabout ,


    Basically, NWA1123-AC HD do support dynamic VLAN assignment via radius server, but be ensured that the radius server is configured correctly.


    Hope it helps

    Thanks,

    Jonas

    Jonas,
  • Talkabout
    Talkabout Posts: 34  Freshman Member
    First Comment Friend Collector

    Sorry Jonas,


    I answered in German... Yes, it is working correctly after applying the reply attributes in the outer tunnel, thanks!


    Bye

  • Michael1330
    Michael1330 Posts: 2  Freshman Member
    First Comment
    edited September 2020
    What about NWA210AX (in stand-alone Mode)? While reading the manual it seems that I can only set static VLAN IDs for an SSID. So how do you configured your access point to work with dynamic VLAN?
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    25 Answers First Comment Friend Collector Fourth Anniversary
    Hi @Michael1330

    You can register your NWA210AX on the Nebula, and here is the functions on Nebula which supports dynamic VLAN.
    1. Use radius server.

        Please refer to our handbook chapter 4.5 and start from page 145 for the radius server setting.
        4.5 How to Configure 802.1x to secure the Wireless Environment with Dynamic VLAN by Using
        External AAA server? 
        
    2. DPPSK. Create the DPPSK for 802.1x users. Assign the VLAN id.

    So far, dynamic VLAN is not supported in stand-alone mode.
    Hope it helps.

    Joslyn
  • teRceLde
    teRceLde Posts: 1
    First Comment

    You stated: ‘Dynamic VLAN is not supported in stand-alone mode’. Is this true for ‘Dynamic VLAN by radius server attribute’ = Tunnel-Private-Group-ID from RFC 3580 and the latest firmware 06.xx as well?

    I am unsure, what is the difference to this newer thread … furthermore, I tested a NWA1123ACv3 with the latest firmware 6.5x, and nothing had to be configured; it works out of the box after creating a WPA Enterprise security profile. No extra switch or option to tick like with other vendors. Same in Nebula Cloud Control (NCC). There, adding an external RADIUS server was sufficient; again, no extra option. I could but did not have to go for Nebula Cloud Authentication or DPPSK. 😀

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary

    @Zyxel_Joslyn does radius dynamic vlan assignment needs nebula pro pack?

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary
    edited May 2023

    What's with NWA110AX? Is this also supported (without nebula pro package)?

    I can't get it work :(

    freeradius

    (26) Sent Access-Accept Id 188 from xxx:1812 to xxx:41162 length 213

    freeradius

    (26) MS-MPPE-Recv-Key = xxx

    freeradius

    (26) MS-MPPE-Send-Key = xxx

    freeradius

    (26) EAP-Message = 0x03xxxxxx

    freeradius

    (26) Message-Authenticator = 0x00000000000000000000000000000000

    freeradius

    (26) User-Name = "xxx"

    freeradius

    (26) Proxy-State = 0x31xxxx

    freeradius

    (26) Tunnel-Type = VLAN

    freeradius

    (26) Tunnel-Medium-Type = IEEE-802

    freeradius

    (26) Tunnel-Private-Group-Id = "vlan22"

    freeradius

    (26) Framed-MTU += 994

    freeradius

    (26) Finished request

    freeradius

    Waking up in 3.7 seconds.

    freeradius

    (27) Received Accounting-Request Id 87 from xxx:34419 to 172.19.0.32:1813 length 148

    freeradius

    (27) User-Name = "xxx"

    freeradius

    (27) Acct-Session-Id = "xxx"

    freeradius

    (27) Acct-Status-Type = Start

    freeradius

    (27) Acct-Authentic = RADIUS

    freeradius

    (27) NAS-IP-Address = 127.0.0.1

    freeradius

    (27) NAS-Port = 0

    freeradius

    (27) NAS-Port-Type = Ethernet

    freeradius

    (27) Calling-Station-Id = "xx-xx-xx-xx-xx-xx"

    freeradius

    (27) Called-Station-Id = "xx-xx-xx-xx-xx-xx:MyWifi"

    freeradius

    (27) Acct-Session-Time = 0

    freeradius

    (27) Event-Timestamp = "May 27 2023 20:20:36 UTC"

    sites-enabled/defaut:
    post-auth {

            # Dynamic VLAN assignment by ldap group

            update reply {

                    Tunnel-Type := VLAN

                    Tunnel-Medium-Type := IEEE-802

                    Tunnel-Private-Group-Id := "%{ldap:ldap:///ou=groups,dc=example,dc=com?cn?one?(&(cn=vlan*)(uniqueMember=%{control:Ldap-UserDn})(objectClass=groupOfUniqueNames))}"

            }

    # …

    }

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,637  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @teRceLde ,

    Thank you for giving us your feedback.

    Dynamic VLAN is a feature provided by the RADIUS server. Once wireless clients have successfully completed the 802.1x authentication process, they will be assigned the appropriate VLAN based on the correct configuration of attributes on the RADIUS server. This functionality is independent of the managed mode you are utilizing.

    Additionally, Nebula Cloud Authentication or DPPSK are features available for users who wish to configure Dynamic VLANs without relying on a RADIUS server.

    Judy

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,637  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    HI @baba ,

    You do not require the Nebula Pro pack if you are configuring dynamic VLANs using a RADIUS server.

    Please change the value of Tunnel-Private-Group-Id to 22 (a numerical value) instead of vlan22 to verify if it functions correctly. Also, ensure that you add your access point (AP) to the trusted client list on the RADIUS server.

    If the configuration is accurate but dynamic VLANs still do not work, please share the packet captured by port mirroring and the RADIUS server logs that include the wireless client connection process here or via private message.

    Judy

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Nebula Tips & Tricks