I have elegantly demonstrated how to set up a WPA Enterprise architecture using PEAP-MSCHAPv2 🤢 and EAP-TLS 🥰. The configuration works seamlessly. However, in my network, there are different user profiles for Wi-Fi access, each requiring access to specific VLANs. So, how can we ensure that certain users are directed to the ADMINS VLAN, while others are assigned to the USERS VLAN?
There are two strategies to achieve this. The first uses multiple SSIDs (one per VLAN), each backed by its own RADIUS server, which quickly becomes complex and unwieldy. The more efficient solution is to leverage the RADIUS attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID to enable dynamic VLAN assignment. By doing so, we can manage all the VLANs from a single NPS server, and users only need to connect to a single SSID. In this guide, we will delve into this latter method.
For the duration of this guide, let's establish the following assumptions:
- We have already configured a working PEAP-MSCHAPv2 or EAP-TLS setup.
- The VLANs have been properly established within our network.
UniFi Network Server
We need to configure several settings within the UniFi Network Server. Let's take a closer look at the process.
In this scenario, let's consider a setup with three distinct networks: 192.168.1.0/24 designated for Servers and WiFi access points, 192.168.10.0/24 allocated for Users, and 192.168.100.0/24 specifically reserved for Administrators.
- Within the RADIUS profile, activate RADIUS Assigned VLAN Support for Wireless Networks:
- Ensure that your VLANs are accurately configured:
Authentication Server (NPS)
- Open the Network Policy Server Console:
You should establish two separate Network Policies: one dedicated to the ADMINS and another for the USERS.
- Click New in the Network Policies folder:
- Give a name to the Policy:
- Click Add to specify the condition:
- Select User Groups, and click Add Groups…:
- Add an Active Directory group of users, such as Domain Admins for ADMINS:
- Click Next:
- Select Access granted:
- In the Configure Settings section, remove the pre-existing Framed-Protocol PPP entry and then click Add…:
- Now, let's add these three entries:
  - Tunnel-Type: Virtual LANs (VLAN)
  - Tunnel-Pvt-Group-ID: set to 100 for ADMINS or 10 for USERS
  - Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
- Add Tunnel-Type parameter:
- Add Tunnel-Pvt-Group-ID parameter:
- Add Tunnel-Medium-Type parameter:
- Once you have entered all the parameters, proceed by clicking Next…:
- Lastly, click Finish to finalize the creation of the Policy:
- Now, you just need to repeat the same process for the USERS VLAN (with Tunnel-Pvt-Group-ID set to 10), and you're done!
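To make it clear what the access point actually receives once both policies are in place, here is an added example (not part of the original guide, and not NPS or UniFi code) that encodes the three RFC 2868 tunnel attributes exactly as they travel inside an Access-Accept and then decodes them the way an AP would, returning the VLAN only when the complete, consistent triplet is present. It assumes the standard RFC 2868 attribute numbers and the VLAN IDs 100 (ADMINS) and 10 (USERS) used above.

```python
# RFC 2868 tunnel attributes as sent in a RADIUS Access-Accept for dynamic VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6     # "802 (includes all 802 media ...)" in the NPS dialog


def _avp(attr_type, value):
    """One RADIUS attribute-value pair: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_vlan_avps(vlan_id, tag=0):
    """The triplet an NPS policy like the ADMINS/USERS one above adds to Access-Accept.
    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID carries the tag plus the VLAN ID as an ASCII string."""
    tag_b = bytes([tag])
    return (_avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan_id).encode("ascii")))


def parse_avps(data):
    """Split a raw attribute blob into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def assigned_vlan(data):
    """VLAN the AP should place the client in, or None if the triplet is missing or inconsistent.
    Attributes are grouped by tag; a first byte above 0x1F is part of the string, not a tag."""
    by_tag = {}
    for t, v in parse_avps(data):
        if t not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not v:
            continue
        tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
        by_tag.setdefault(tag, {})[t] = body
    for _, grp in sorted(by_tag.items()):
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            gid = grp[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None
```

If a client keeps landing in the SSID's default VLAN, decoding the Access-Accept this way shows which of the three attributes the policy left out.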