Configure RADIUS and VLANs on Cisco Switch with NPS Server

Last updated: Oct 22, 2024

I have elegantly shown how to set up a WPA Enterprise architecture using PEAP-MSCHAPv2 🤢 and EAP-TLS 🥰. The configuration works without a hitch. However, in my network, there are different user profiles for Wi-Fi access, each requiring access to specific VLANs. But how can I ensure that some users are directed to the ADMINS VLAN, while others are assigned to the USERS VLAN?

There are two strategies for achieving this: the first is to configure multiple SSIDs (one for each VLAN), which requires a separate RADIUS server to manage each VLAN. However, this approach can be complex and impractical. The more efficient solution is to exploit RADIUS attributes such as Tunnel-Private-Group-ID, Tunnel Medium Type, and Tunnel Type to enable dynamic VLAN assignment. By doing so, we can manage all VLANs from a single NPS server, and users will only need to connect to a single SSID. In this guide, we'll look at the latter method.

For the rest of this guide, we'll make the following assumptions:
- We have successfully configured a working PEAP-MSCHAPv2 or EAP-TLS installation.
- The VLANs have been set up correctly in our network.

Diagram showing RADIUS authentication with VLAN assignment using UniFi access points and an NPS server. Devices in different VLANs (Admins and Users) connect via SSID STD_ROCKS and are authenticated through EAP and RADIUS.

UniFi Network Server

We need to configure several parameters in the UniFi Network Server. Let's take a closer look at the process.

In this scenario, let's consider a configuration with three distinct networks: 192.168.1.0/24 designated for Servers and WiFi access points, 192.168.10.0/24 allocated to Users, and 192.168.100.0/24 specifically reserved for Administrators.

In the RADIUS profile, activate RADIUS Assigned VLAN Support for Wireless Networks:

Make sure that your VLANs are correctly configured:

UniFi Network interface showing virtual network configuration with two VLANs: VLAN 100 named ADMINS and VLAN 10 named USERS, using a third-party gateway.

Authentication Server (NPS)

Open the Network Policy Server Console:

Windows Run dialog box with nps.msc command for opening Network Policy Server

You need to set up two separate Network Policies: one for ADMINS and another for USERS.

Click on New in the Network Policies folder:

Network Policy Server window showing the creation of a new network policy on Windows Server

Give Policy a name:

NPS configuration window where the network policy is named 'ADMINS' and the network access server type is set to Unspecified.

Click on Add to specify the condition:

New Network Policy window on Windows Server with option to add conditions for policy evaluation

Select User Groups, and click on Add Groups…:

New Network Policy window on Windows Server showing User Groups condition with option to add groups

Add an Active Directory user group, e.g. Domain Admins for ADMINS:

Windows Server NPS configuration showing the selection of the 'Domain Admins' group as a condition in a network policy under the 'User Groups' setting.

Click on Next:

$NPS New Network Policy window showing the condition that restricts access to users in the group STD\Domain Admins.$

Select Access granted:

New Network Policy window on Windows Server showing access permission set to 'Access granted'

In the Configure Settings section, you can delete the pre-existing entry for Framed-Protocol PPP and then click on Add…:

NPS policy configuration window showing RADIUS attributes with Framed-Protocol set to PPP and Service-Type set to Framed.

Now let's add these three entries:
- Tunnel-Type: Virtual LANs (VLAN)
- Tunnel-Pvt-Group-ID: 100 for ADMINS or 10 for USERS
- Tunnel-Medium-Type: 802 (including all 802 media as well as the canonical Ethernet format)

Add Tunnel-Type parameter:

Step-by-step view of adding the Tunnel-Type RADIUS attribute in NPS and setting its value to 'Virtual LANs (VLAN)' for 802.1x authentication.

Add Tunnel-Pvt-Group-ID parameter:

Step-by-step view of configuring the Tunnel-Pvt-Group-ID RADIUS attribute in NPS with a value of 100 for VLAN assignment.

Add Tunnel-Medium-Type parameter:

Step-by-step view of adding the Tunnel-Medium-Type RADIUS attribute in NPS and setting its value to '802 (includes all 802 media plus Ethernet canonical format)'.

Once you have entered all the parameters, click Next…:

NPS window showing final list of configured RADIUS attributes including Service-Type, Tunnel-Type, Tunnel-Pvt-Group-ID, and Tunnel-Medium-Type.

Finally, click on Finish to finalize the creation of the Policy:

Summary screen of NPS wizard showing policy conditions and settings for a network policy granting access to members of the Domain Admins group with VLAN attributes.

All you have to do is repeat the same process for the USERS VLANs, and you're done!