Dynamic VLAN assignment

Larger WLAN infrastructures often require individual WLAN clients to be assigned to certain networks. Assuming that the WLAN clients are always within range of the same access points, then assignment can be realized via the SSID in connection with a particular IP network. If on the other hand the WLAN clients frequently change their position and logon to different access points then, depending on the configuration, they may find themselves in a different IP network.

For WLAN clients to remain within a certain network independent of their current WLAN network, dynamically assigned VLANs can be used. Unlike the situation where VLAN IDs are statically configured for a certain SSID, in this case a RADIUS server directly assigns the VLAN ID to the WLAN client.

Example:

The WLAN clients of two employees log into an access point in the WPA-secured network with the SSID 'INTERNAL'. During registration, the RADIUS requests from the WLAN clients are directed to the access point. If the corresponding WLAN interface is in the operating mode 'managed' the RADIUS requests are automatically forwarded to the WLAN controller. This forwards the request in turn to the defined RADIUS server. The RADIUS server can check the access rights of the WLAN clients. It can also use the MAC address to assign a certain VLAN ID, for example for a certain department. The WLAN client in Marketing, for example, receives the VLAN ID '10' and WLAN client from Research & Development receives '20'. If no VLAN ID is specified for the user, the SSID's primary VLAN ID is used.
The WLAN clients of the guests log into the same access point in the unsecured network with the SSID 'PUBLIC'. This SSID is statically bound to the VLAN ID '99' and leads the guests into a certain network. Static and dynamic VLAN assignment can be elegantly operated in parallel.

Note: Assignment of the VLAN ID by the RADIUS server can be controlled by other criteria, such as a combination of user name and password, for example. In this way the unknown MAC address of a visitor to a company can be assigned a VLAN ID that permits guest access for Internet access only, for example, but that prohibits access to other network resources.

Note: As an alternative to an external RADIUS server, WLAN clients can be assigned with a VLAN ID via the internal RADIUS server or the stations table in the LANCOM WLAN controller.

Activate VLAN tagging for the WLAN controller. This is done in the physical parameters of the profile by entering a value greater than '0' for the management VLAN ID.
For authentication via 802.1x, go to the encryption settings for the profile's logical WLAN network and choose a setting that triggers an authentication request.
To check the MAC addresses, activate the MAC check for the profile's logical WLAN network.
Note: For the management of WLAN modules with a WLAN controller, a RADIUS server is required to operate authentication via 802.1x and MAC-address checks. The WLAN controller automatically defines itself as the RADIUS server in the access points that it is managing—all RADIUS requests sent to the access points are then directly forwarded to the WLAN controller, which can either process the requests itself or forward them to an external RADIUS server.
To forward RADIUS requests to another RADIUS server, use LANconfig to enter its address into the list of forwarding servers in the configuration section 'RADIUS servers' on the Forwarding tab. Alternatively, external RADIUS servers can be entered in WEBconfig under LCOS menu tree > Setup > RADIUS > Server > Forward server. Also, set the standard realm and the empty realm to be able to react to different types of user information (with an unknown realm, or even without a realm).
Configure the entries in the RADIUS server so that WLAN clients placing requests will be assigned the appropriate VLAN IDs as based on the identification of certain characteristics.

Note: Further information about RADIUS is available in the documentation for your RADIUS server.