Managing VLANs on a RADIUS NPS Server with UniFi Access Points

I have already shown how to set up a WPA Enterprise architecture using PEAP-MSCHAPv2 🤢 and EAP-TLS 🥰. That configuration works seamlessly. In my network, however, there are different user profiles for Wi-Fi access, each needing access to a specific VLAN. So how can we make sure that certain users land in the ADMINS VLAN while others are placed in the USERS VLAN?

There are two strategies to achieve this. The first uses multiple SSIDs (one per VLAN), each with its own RADIUS server, which quickly becomes complex and unwieldy. The more efficient solution is to use the RADIUS attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (shown as Tunnel-Pvt-Group-ID in NPS) to assign VLANs dynamically: all VLANs are managed from a single NPS server, and users only need to connect to a single SSID. This guide covers the second method.

  • Throughout this guide, we assume that:
    • A working PEAP-MSCHAPv2 or EAP-TLS setup is already in place.
    • The VLANs have already been created in the network.

Network diagram showing dynamic VLAN assignment on a RADIUS architecture between a WiFi supplicant, an authenticator and a RADIUS server

UniFi Network Server

We need to configure several settings within the UniFi Network Server. Let's take a closer look at the process.

In this scenario, let's consider a setup with three distinct networks: one for servers and Wi-Fi access points, one for users, and one reserved for administrators.

  • Within the RADIUS profile, activate RADIUS Assigned VLAN Support for Wireless Networks:
  • Ensure that your VLANs are accurately configured:

Authentication Server (NPS)

  • Open the Network Policy Server Console:
Windows Run window with 'nps.msc' in the Open field

You should establish two separate Network Policies: one dedicated to the ADMINS and another for the USERS.

  • Click New in the Network Policies folder:
Screenshot of adding a new Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Give a name to the Policy:
Screenshot of naming the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click Add to specify the condition:
Screenshot of adding a condition to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Select User Groups, and click Add Groups…:
Screenshot of selecting User Groups and adding groups to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Add an Active Directory group of users, such as Domain Admins for ADMINS:
Screenshot of adding an Active Directory group to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Select Access granted:
Screenshot of selecting Access granted in the Network Policy setup
  • In the Configure Settings section, remove the pre-existing Framed-Protocol PPP entry and then click Add…:
Screenshot of the Configure Settings section
  • Now add these three entries:
    • Tunnel-Type: Virtual LANs (VLAN)
    • Tunnel-Pvt-Group-ID: Set to 100 for ADMINS or 10 for USERS
    • Tunnel-Medium-Type: 802 (including all 802 media along with Ethernet canonical format)
  • Add Tunnel-Type parameter:
  • Add Tunnel-Pvt-Group-ID parameter:
  • Add Tunnel-Medium-Type parameter:
  • Once all three parameters are entered, click Next:
Screenshot of configure settings on a NPS server
  • Lastly, click Finish to finalize the creation of the Policy:
Screenshot of clicking Finish to create the Policy in the Ubiquiti Wi-Fi EAP-TLS setup
  • Now repeat the same process for the USERS VLAN, and you're done!
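To verify what NPS actually returns (for example from a packet capture of the Access-Accept on the AP side), here is an added Python example, not code from the original post or from UniFi/NPS, that encodes and parses the three RFC 2868 tunnel attributes with their tag byte. The attribute numbers and values are the standard ones; the sample packets are constructed, and a result of None means the trio is incomplete or inconsistent, which is the misconfiguration that silently leaves a client on the SSID's default network.

```python
import struct

# RFC 2868 tunnel attributes carrying the VLAN (NPS labels 81 "Tunnel-Pvt-Group-ID")
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6  # "802 (includes all 802 media ...)" in the NPS dialog


def encode_vlan_attributes(vlan_id, tag=0):
    """Build the attribute bytes an Access-Accept carries for vlan_id (constructed sample)."""
    def tagged_int(attr_type, value):
        # Type, Length, Tag, then the value as a 3-byte integer
        return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group)


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, offset = [], 0
    while offset < len(data):
        length = data[offset + 1] if offset + 1 < len(data) else 0
        if length < 2 or offset + length > len(data):
            raise ValueError("malformed attribute at offset %d" % offset)
        attrs.append((data[offset], data[offset + 2:offset + length]))
        offset += length
    return attrs


def assigned_vlan(data):
    """VLAN id the AP would apply, or None when the trio is missing or inconsistent
    (the client then lands on the SSID's default network: the misconfiguration to catch)."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # RFC 2868: the leading byte is a tag only when it is <= 0x1F
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (len(attrs) == 3
                and int.from_bytes(attrs[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_IEEE_802
                and attrs[TUNNEL_PRIVATE_GROUP_ID].isdigit()):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

Feeding the attribute bytes of a real Access-Accept to assigned_vlan() confirms that an ADMINS policy yields 100 and a USERS policy yields 10; anything else points at a missing or mistyped entry in the policy's Configure Settings section.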