[NEBULA] NWA-1123 ACHD - Dynamic VLAN assignment
Hi,
does the NWA-1123 ACHD support "dynamic vlan assignment" from a RADIUS server? I know that some switches by Zyxel are capable of that but somehow I am not able to get it to work with the mentioned device. I am trying to do this via a freeradius policy:
update reply {
    &Tunnel-Type = 13,
    &Tunnel-Medium-Type = 6,
    &Tunnel-Private-Group-Id = "vlan100"
}
Anybody able to help?
Thanks!
Bye
All Replies
-
Hi all,
This issue is resolved. After I put my logic into the outer tunnel (default site) under "post-auth", it worked right away. Maybe this helps someone.
Regards
0 -
Hi @Talkabout,
Basically, the NWA1123-AC HD does support dynamic VLAN assignment via a RADIUS server, but make sure that the RADIUS server is configured correctly.
Hope it helps
Thanks,
Jonas
0 -
Sorry Jonas,
I answered in German... Yes, it is working correctly after applying the reply attributes in the outer tunnel, thanks!
Bye
1 -
What about NWA210AX (in stand-alone mode)? While reading the manual it seems that I can only set static VLAN IDs for an SSID. So how did you configure your access point to work with dynamic VLAN?
0 -
Hi @Michael1330
You can register your NWA210AX on Nebula, and here are the functions on Nebula which support dynamic VLAN.
1. Use a RADIUS server.
Please refer to our handbook chapter 4.5 and start from page 145 for the RADIUS server setting.
4.5 How to Configure 802.1x to secure the Wireless Environment with Dynamic VLAN by Using External AAA server?
2. DPPSK. Create the DPPSK for 802.1x users. Assign the VLAN ID.
So far, dynamic VLAN is not supported in stand-alone mode.
Hope it helps.
Joslyn
0 -
You stated: ‘Dynamic VLAN is not supported in stand-alone mode’. Is this true for ‘Dynamic VLAN by radius server attribute’ = Tunnel-Private-Group-ID from RFC 3580 and the latest firmware 06.xx as well?
I am unsure, what is the difference to this newer thread … furthermore, I tested a NWA1123ACv3 with the latest firmware 6.5x, and nothing had to be configured; it works out of the box after creating a WPA Enterprise security profile. No extra switch or option to tick like with other vendors. Same in Nebula Cloud Control (NCC). There, adding an external RADIUS server was sufficient; again, no extra option. I could but did not have to go for Nebula Cloud Authentication or DPPSK. 😀
0 -
@Zyxel_Joslyn does RADIUS dynamic VLAN assignment need the Nebula Pro Pack?
0 -
What's with NWA110AX? Is this also supported (without nebula pro package)?
I can't get it to work :(
(26) Sent Access-Accept Id 188 from xxx:1812 to xxx:41162 length 213
(26) MS-MPPE-Recv-Key = xxx
(26) MS-MPPE-Send-Key = xxx
(26) EAP-Message = 0x03xxxxxx
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) User-Name = "xxx"
(26) Proxy-State = 0x31xxxx
(26) Tunnel-Type = VLAN
(26) Tunnel-Medium-Type = IEEE-802
(26) Tunnel-Private-Group-Id = "vlan22"
(26) Framed-MTU += 994
(26) Finished request
Waking up in 3.7 seconds.
(27) Received Accounting-Request Id 87 from xxx:34419 to 172.19.0.32:1813 length 148
(27) User-Name = "xxx"
(27) Acct-Session-Id = "xxx"
(27) Acct-Status-Type = Start
(27) Acct-Authentic = RADIUS
(27) NAS-IP-Address = 127.0.0.1
(27) NAS-Port = 0
(27) NAS-Port-Type = Ethernet
(27) Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
(27) Called-Station-Id = "xx-xx-xx-xx-xx-xx:MyWifi"
(27) Acct-Session-Time = 0
(27) Event-Timestamp = "May 27 2023 20:20:36 UTC"
sites-enabled/default:
post-auth {
    # Dynamic VLAN assignment by ldap group
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "%{ldap:ldap:///ou=groups,dc=example,dc=com?cn?one?(&(cn=vlan*)(uniqueMember=%{control:Ldap-UserDn})(objectClass=groupOfUniqueNames))}"
    }
    # …
}
0 -
Hi @teRceLde,
Thank you for giving us your feedback.
Dynamic VLAN is a feature provided by the RADIUS server. Once wireless clients have successfully completed the 802.1x authentication process, they will be assigned the appropriate VLAN based on the correct configuration of attributes on the RADIUS server. This functionality is independent of the managed mode you are utilizing.
Additionally, Nebula Cloud Authentication or DPPSK are features available for users who wish to configure Dynamic VLANs without relying on a RADIUS server.
Judy
0 -
Hi @baba,
You do not require the Nebula Pro pack if you are configuring dynamic VLANs using a RADIUS server.
Please change the value of Tunnel-Private-Group-Id to 22 (a numerical value) instead of vlan22 to verify if it functions correctly. Also, ensure that you add your access point (AP) to the trusted client list on the RADIUS server.
If the configuration is accurate but dynamic VLANs still do not work, please share the packet captured by port mirroring and the RADIUS server logs that include the wireless client connection process here or via private message.
Judy
1
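An added example, not part of any post in this thread and not Zyxel or FreeRADIUS code: a small Python check that reads FreeRADIUS debug output and reports whether each Access-Accept carries the three RFC 3580 VLAN attributes, flagging a non-numeric Tunnel-Private-Group-Id as the reply above asks to rule out. The sample log is constructed from the masked output posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the masked debug output posted in this thread.
SAMPLE_DEBUG = """\
(26) Sent Access-Accept Id 188 from xxx:1812 to xxx:41162 length 213
(26)   User-Name = "xxx"
(26)   Tunnel-Type = VLAN
(26)   Tunnel-Medium-Type = IEEE-802
(26)   Tunnel-Private-Group-Id = "vlan22"
(26) Finished request
(27) Received Accounting-Request Id 87 from xxx:34419 to xxx:1813 length 148
(27)   User-Name = "xxx"
"""

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')
ATTR = re.compile(r'^([A-Za-z0-9-]+)(?::\d+)?\s*(?:=|:=|\+=)\s*"?(.*?)"?$')
# RFC 3580: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6), in name or number form.
EXPECTED = {"Tunnel-Type": {"VLAN", "13"}, "Tunnel-Medium-Type": {"IEEE-802", "6"}}

def access_accepts(debug_text):
    """Return {request_id: {attribute: value}} for each 'Sent Access-Accept'."""
    accepts, current = {}, None
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, body = m.groups()
        if body.startswith("Sent Access-Accept"):
            current, accepts[req] = req, {}
        elif body.startswith(("Sent ", "Received ", "Finished request")):
            current = None          # another packet or end of request
        elif current == req and (a := ATTR.match(body)):
            accepts[req][a.group(1)] = a.group(2)
    return accepts

def vlan_problems(attrs):
    """List reasons this reply does not carry a usable RFC 3580 VLAN assignment."""
    problems = [f"{name} is {attrs.get(name)!r}, expected one of {sorted(ok)}"
                for name, ok in EXPECTED.items() if attrs.get(name) not in ok]
    vid = attrs.get("Tunnel-Private-Group-Id")
    if vid is None:
        problems.append("Tunnel-Private-Group-Id is missing")
    elif not (re.fullmatch(r"[0-9]{1,4}", vid) and 1 <= int(vid) <= 4094):
        problems.append(f"Tunnel-Private-Group-Id {vid!r} is not a VLAN ID 1..4094")
    return problems

if __name__ == "__main__":
    for req, attrs in access_accepts(SAMPLE_DEBUG).items():
        print(req, vlan_problems(attrs) or "VLAN attributes look usable")
```

An Access-Accept that never appears in the output at all points to the attributes being set in a section that does not reach the final reply, which is the situation the original poster resolved by moving the policy to the outer tunnel's post-auth.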