This is just a short blog post outlining the configuration that is required when using dynamic VLAN assignment for wireless devices on a particular SSID with Xirrus APs. This post is going to assume that you have:
- Installed FreeRADIUS 3.0 or above on your server
- Configured the clients.conf file on your FreeRADIUS install to allow connections from the management VLAN/address range of your Xirrus Access Points
- A user authentication/SQL backend for your users and groups
- XMS Cloud managing your APs
- Enabled VLAN Support within XMS
What you'll want to do first is SSH into your FreeRADIUS box and configure the users file.
Add a section towards the top of the file containing the configuration-specific information we need. Here we have defined a default VLAN of VLAN 10 because 99% of our users need that, and the other 1% need VLAN 3, which we are going to explicitly specify later. Tunnel-Private-Group-Id is where you specify the VLAN ID. Tunnel-Type 13 means VLAN and Tunnel-Medium-Type 6 means IEEE-802; the AP needs all three tunnel attributes in the Access-Accept before it will act on the VLAN.
DEFAULT NAS-Port-Type == Wireless-802.11
        Tunnel-Type = 13,
        Tunnel-Private-Group-Id = "10",
        Tunnel-Medium-Type = 6,
        Fall-Through = Yes
We now want to set up some tunnel-specific settings in our eap file. In FreeRADIUS 3.0 this file is kept in /etc/freeradius/3.0/mods-available/eap
Find the lines copy_request_to_tunnel = no and use_tunneled_reply = no and change them to yes. Note that these will likely appear twice in your file: once in the main EAP config and once in the PEAP section further down. use_tunneled_reply = yes is what makes the reply attributes set for the inner (tunneled) identity, including the VLAN attributes, appear in the outer Access-Accept that the AP actually sees.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
Now that's done, let's head over and set up a group for our subset of power users that overrides the VLAN assignment and gives them VLAN 3. We're using SQL to hold this information, so we will head over and run a command there. If you're not using SQL, grab the attribute values we use below and place them in whatever configuration structure you are using.
mysql -u root -p
use radius;
insert into radgroupreply (groupname, attribute, op, value) values ('Power', 'Tunnel-Private-Group-Id', ':=', '3');
Notice that we used the operator := in the statement above. This means: overwrite the attribute if it already exists in the reply, and add it if it doesn't. If we had just used an equals sign (=), the attribute would only be added when it is absent, so the default of VLAN 10 from the users file would not be overwritten.
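To make the difference between the operators concrete, here is an added example (not FreeRADIUS code, and not from the original post) that re-implements the reply-list merge rules in a few lines of Python: '=' adds an attribute only when it is absent, ':=' replaces it (or adds it), and '+=' always appends another instance. It assumes the files module runs before sql in the authorize section, as in the default configuration, so the DEFAULT entry's attributes land in the reply first and the group's radgroupreply rows are applied on top. The DEFAULT_REPLY and group rows are constructed from the values used in this post.

```python
"""Added example: model how FreeRADIUS merges reply attributes so the effect
of ':=' versus '=' on Tunnel-Private-Group-Id is visible.  This is a
simplified re-implementation of the operator rules, not FreeRADIUS code."""

# RADIUS tunnel attribute values (RFC 2868 / RFC 3580): VLAN tunnel type, IEEE-802 medium
TUNNEL_TYPE_VLAN = "13"
TUNNEL_MEDIUM_IEEE_802 = "6"

# Constructed sample of the users-file DEFAULT entry, as (attribute, op, value) items
DEFAULT_REPLY = [
    ("Tunnel-Type", "=", TUNNEL_TYPE_VLAN),
    ("Tunnel-Private-Group-Id", "=", "10"),
    ("Tunnel-Medium-Type", "=", TUNNEL_MEDIUM_IEEE_802),
]

# Constructed sample rows as the sql module would read them from radgroupreply
POWER_GROUP_OVERRIDE = [("Tunnel-Private-Group-Id", ":=", "3")]   # what the post uses
POWER_GROUP_WRONG_OP = [("Tunnel-Private-Group-Id", "=", "3")]    # the mistake the post warns about


def apply_reply_items(reply, items):
    """Apply (attribute, op, value) items, in order, to a reply list of (attribute, value)."""
    reply = list(reply)
    for attr, op, value in items:
        present = [i for i, (a, _) in enumerate(reply) if a == attr]
        if op == "=":
            # add only if no instance of the attribute is in the reply yet
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            # set: replace the first instance, drop any duplicates, or add if absent
            if present:
                reply[present[0]] = (attr, value)
                for i in reversed(present[1:]):
                    del reply[i]
            else:
                reply.append((attr, value))
        elif op == "+=":
            # always append another instance
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported reply operator {op!r}")
    return reply


def build_reply(default_items, group_items):
    """files module (DEFAULT entry, Fall-Through = Yes) first, then the user's group reply rows."""
    return apply_reply_items(apply_reply_items([], default_items), group_items)


def vlan_from_reply(reply):
    """Return the VLAN id an AP would act on, or None if the reply is not a
    complete VLAN assignment (Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802
    must both be present alongside Tunnel-Private-Group-Id)."""
    attrs = dict(reply)
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    return attrs.get("Tunnel-Private-Group-Id")


if __name__ == "__main__":
    print(vlan_from_reply(build_reply(DEFAULT_REPLY, [])))                    # ordinary user: 10
    print(vlan_from_reply(build_reply(DEFAULT_REPLY, POWER_GROUP_OVERRIDE)))  # ':=' override: 3
    print(vlan_from_reply(build_reply(DEFAULT_REPLY, POWER_GROUP_WRONG_OP)))  # '=' ignored: 10
```

The third call is the case to watch for in production: with `=` in radgroupreply the row looks right in the database, the user still authenticates, and the only symptom is that the power user silently lands on the default VLAN. Comparing the Tunnel-Private-Group-Id in the radtest reply against what you expect for a known group member is the quickest check.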
Reload the FreeRADIUS service if you already had it running so that it picks up the changes to our config, then test (testing123 is the default localhost shared secret shipped in clients.conf; use your own if you have changed it):
systemctl reload freeradius
radtest yourusername yourpassword 127.0.0.1 0 testing123 -X
You should receive back something like this (in this case we authenticated a power user, so we got back VLAN 3):
Sent Access-Request Id 17 from 0.0.0.0:57472 to 127.0.0.1:1812 length 110
        User-Name = "yourusername"
        User-Password = "yourpassword"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Framed-Protocol = PPP
        Cleartext-Password = "yourpassword"
Received Access-Accept Id 17 from 127.0.0.1:1812 to 0.0.0.0:0 length 35
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Tunnel-Private-Group-Id:0 = "3"
Now head over to your XMS Cloud, log in and bring up the profile for your network. We want to specifically head to the SSIDs tab and hit the "+ NEW SSID" button on the right. Give it a name, select bands, make sure the Encryption/Authentication is set to WPA2/802.1x (or whatever suits your environment) and pop in all VLANs that you are going to use. In our case we are using 10 and 3.
Hover over the WPA2/802.1x (or whatever you have configured), select 'Configure' and then head to the Authentication tab. We want to pop our RADIUS server details in there.
After that, head to the 'Network' tab and scroll to the bottom. Under VLAN Support we also need to list the VLANs we are going to be using for dynamic assignment.
Hit save and away you go. Please configure your FreeRADIUS server to suit your needs. This guide is not intended to have you finish configuration here, as each environment is different, but rather gives you the quick and dirty to get dynamic VLAN assignment working with Xirrus and FreeRADIUS.