Wireless Access Points requirement for Dynamic VLAN assignment

Question
We are looking for a cheap test unit (wireless access point) that works with Microsoft NPS to dynamically assign a VLAN to a client depending on Active Directory security group membership. What standards should we look for?
Are there alternatives to RFC 3580?
Do you have examples of actual products that will work as requested?
Wednesday, August 31, 2011 1:49 PM
Answers
Hi Jonas,
Thanks for the update. You are right. Since RADIUS will specify and set the RADIUS standard attributes (Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type) for VLAN redirection, we'd suggest consulting the hardware vendor in order to purchase proper AP devices that are compatible with RADIUS authentication:
VLAN Attributes Used in Network Policy
http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx
RADIUS Clients
http://technet.microsoft.com/en-us/library/cc754033(WS.10).aspx
Thanks.
Tiger Li
Marked as answer by Tiger Li (Microsoft employee), Wednesday, September 7, 2011 7:31 AM
Monday, September 5, 2011 7:39 AM
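The three attributes named in the answer above, as an added example that is not part of the thread and is not NPS or vendor code: this Python sketch encodes them the way RFC 3580 specifies (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN ID) and performs the check an access point has to make on an Access-Accept before placing a client in a VLAN. The function names and VLAN ID 20 are constructed for illustration, and tag grouping across multiple tunnels is not handled.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 requires.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_attrs(vlan_id, tag=0):
    """Attribute bytes a RADIUS server puts in an Access-Accept for one VLAN."""
    group = str(vlan_id).encode("ascii")
    if tag:  # the string attribute carries a tag byte only when it is 0x01-0x1F
        group = bytes([tag]) + group
    return (bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PVT_GROUP_ID, 2 + len(group)]) + group)

def parse_attrs(buf):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        out.append((attr_type, buf[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(buf):
    """Return the VLAN ID only if all three attributes are present and valid."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_attrs(buf):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")  # skip tag byte
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PVT_GROUP_ID and value:
            if 1 <= value[0] <= 0x1F:  # leading byte is a tag, not text
                value = value[1:]
            group = value.decode("ascii", "replace")
    if tunnel_type == VLAN and medium == IEEE_802 and group:
        return group
    return None  # incomplete or wrong triplet: do not move the client

if __name__ == "__main__":
    sample = encode_vlan_attrs(20)  # constructed sample, VLAN 20
    print(sample.hex(), "->", assigned_vlan(sample))
```

Running the same check over the attribute bytes from a packet capture of a candidate access point's Access-Accept shows whether NPS is sending the full triplet the device needs.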
All replies
Hi Jonas,
Thanks for posting here. All wired/wireless devices should be compatible with the 802.1x authentication protocol:
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Appendix A: 802.1X Authenticated Wireless Access Requirements
http://technet.microsoft.com/en-us/library/dd348514(WS.10).aspx
Thanks.
Tiger Li
Thursday, September 1, 2011 9:31 AM
Thanks for your reply, but 802.1x is not the issue here, it is dynamic assignment of VLAN depending on AD group membership.
Please correct me if I am wrong: in order to achieve what's defined above, the wireless AP must support receiving specific attributes from the NPS server and assign the client to a VLAN depending on the value of the attribute. Is that correct?
Link1: That option seems to require the following components:
- Cisco 4400 WLC that runs firmware release 5.2
- Cisco 1130 Series LAP
- Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 4.4
- Cisco Aironet Desktop Utility (ADU) that runs version 4.4
- CiscoSecure Access Control Server (ACS) that runs version 4.1
- Cisco 2950 series switch

I am out for a single unit (just an advanced wireless router / AP).
Link2: Does not mention VLAN at all.
Thursday, September 1, 2011 11:44 AM