Wireless Access Points requirement for Dynamic VLAN assignment

  • Question

  • We are looking for a cheap test unit (wireless access point) that works with Microsoft NPS to dynamically assign a VLAN to a client depending on Active Directory security group membership. What standards should we look for? 

     

    Are there alternatives to RFC 3580? 

    Do you have examples of actual products that will work as requested?

    Wednesday, August 31, 2011 1:49 PM

Answers

  • Hi Jonas,


    Thanks for update.

     

    You are right. Since RADIUS will specify and set the RADIUS standard attributes (Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type) for VLAN redirection, we'd suggest consulting with the hardware vendor in order to purchase proper AP devices which are compatible with RADIUS authentication:

     

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx

     

    RADIUS Clients

    http://technet.microsoft.com/en-us/library/cc754033(WS.10).aspx

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, September 5, 2011 7:39 AM

All replies

  • Hi Jonas,


    Thanks for posting here.

     

    All wired/wireless devices should be compatible with the 802.1x authentication protocol:

     

    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example

    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

     

    Appendix A: 802.1X Authenticated Wireless Access Requirements

    http://technet.microsoft.com/en-us/library/dd348514(WS.10).aspx

     

    Thanks.

     

    Tiger Li


    Thursday, September 1, 2011 9:31 AM
  • Thanks for your reply, but 802.1x is not the issue here, it is dynamic assignment of VLAN depending on AD group membership. 

    Please correct me if I am wrong: in order to achieve what's defined above, the wireless AP must support receiving specific attributes from the NPS server and assign the client to a VLAN depending on the value of the attribute. Is that correct? 

    Link1: That option seems to require the following components:

     

    • Cisco 4400 WLC that runs firmware release 5.2

    • Cisco 1130 Series LAP

    • Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 4.4

    • Cisco Aironet Desktop Utility (ADU) that runs version 4.4

    • CiscoSecure Access Control Server (ACS) that runs version 4.1

    • Cisco 2950 series switch

      I am out for a single unit (just an advanced wireless router / AP).

      Link2: Does not mention VLAN at all.

     

    Thursday, September 1, 2011 11:44 AM