Dynamic VLAN Assignment Using RADIUS
This document describes how to dynamically assign clients to VLANs using RADIUS. This is
useful if you have multiple clients using the same physical network and need to assign them to
different VLANs depending on their logon credentials. This process removes the need to
manually assign ports into VLANs.
This applies to Netgear managed switches running firmware version 8.0.1.2 or later.
Equipment used:
• FreeRADIUS for Windows
• GSM7224v2
• 1 management PC
• 2 client PCs for testing (2 x Win XP Pro SP3)
• DHCP provided by DHCP server on VLAN2
Network Diagram
The starting configuration for the switch is to have all ports in VLAN1 with a management IP
address on the switch of 192.168.0.254.
• Go to Switching -> VLAN -> Basic -> VLAN Configuration
• Add VLAN2 with the settings as shown on the left
• Press Add
• Go to Security -> Port Authentication -> Advanced -> Port Authentication
• Select Ports 0/1 and 0/2
• Set the Control Mode for these 2 ports to Force Authorized
• Press Apply
• This is done so that the RADIUS server and the management PC do not get locked out from the switch
• Go to Security -> Port Authentication -> Advanced -> 802.1X Configuration
• Set Administrative Mode and VLAN Assignment Mode to Enable
• Press Apply
• Go to Security -> Management Security -> RADIUS -> Server Configuration
• Add Radius Server IP Address as 192.168.0.253
• Set Secret Configured to Yes
• Set Secret to 123456
• Press Add
Download and install FreeRADIUS for Windows. Once installed, the icon will appear in the
system tray.
Right click on the FreeRADIUS icon and choose Edit Radius Clients.conf – in this file we need to
add an entry for our RADIUS client, the GSM7224v2. To do this, add the following code and save
the file:
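client 192.168.0.253/24 {
    # The /24 covers the switch's management address, 192.168.0.254
    # Shared secret: must match the Secret set on the switch (123456)
    secret = 123456
    shortname = gsm7224v2
}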
Next, right click on the FreeRADIUS icon and choose Edit Users – in this file we need to add
some users together with what VLAN we want these users to be assigned to. To do this, add the
following code and save the file:
Finally, restart FreeRADIUS by right clicking on the icon and choosing Restart Service.
Since we are using FreeRADIUS, the network cards on client PC1 and client PC2 need to be
configured for MD5. To do this right click on the Local Area Connection and choose Properties.
Go to the Authentication tab and choose MD5 as shown:
Note: If you do not see the Authentication tab, the Wired AutoConfig service in Windows has
not been started. Start it in services.msc.
Connect PC1 and PC2 to any port on the switch other than ports 0/1 and 0/2. Once connected,
Windows will prompt for credentials. For credentials, use:
PC1
Username: user1
Password: password1
PC2
Username: user2
Password: password2
Once successfully authenticated, PC1 and PC2 will become members of VLAN2 even though the
ports to which they are connected were originally members of VLAN1.
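What has to be in the server's Access-Accept before a port can be moved into VLAN2, shown as an added example (not part of the original document and not Netgear's code): the Response Authenticator must verify against the shared secret (RFC 2865), and the reply must carry the three tunnel attributes that RFC 3580 defines for VLAN assignment. The function names and the constructed packet are assumptions made for illustration.

```python
import hashlib, hmac, struct

# RFC 2868 attribute numbers and the RFC 3580 values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def tagged(attr, value):
    # Tunnel-Type / Tunnel-Medium-Type: 1-byte tag (0) + 3-byte value
    return struct.pack("!BBB", attr, 6, 0) + value.to_bytes(3, "big")

def build_accept(ident, req_auth, secret, vlan_id):
    """Constructed Access-Accept carrying the three VLAN attributes."""
    pgid = str(vlan_id).encode()
    attrs = (tagged(TUNNEL_TYPE, VLAN) + tagged(TUNNEL_MEDIUM, IEEE_802)
             + struct.pack("!BB", TUNNEL_PGID, 2 + len(pgid)) + pgid)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def vlan_from_accept(packet, req_auth, secret):
    """Return the VLAN ID to apply, or None if the reply must be ignored."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or int.from_bytes(packet[2:4], "big") != len(packet)):
        return None
    attrs = packet[20:]
    want = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        return None  # wrong shared secret or modified reply
    found, i = {}, 0
    while i + 2 <= len(attrs):
        alen = attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None  # malformed attribute length
        found[attrs[i]] = attrs[i + 2:i + alen]
        i += alen
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM, IEEE_802)):
        if int.from_bytes(found.get(attr, b"")[1:], "big") != value:
            return None
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid[:1] and pgid[0] <= 0x1F:  # optional RFC 2868 tag byte
        pgid = pgid[1:]
    if not pgid.isdigit() or not 1 <= int(pgid) <= 4094:
        return None
    return int(pgid)

if __name__ == "__main__":
    req = bytes(range(16))  # constructed Request Authenticator
    pkt = build_accept(1, req, b"123456", 2)
    print(vlan_from_accept(pkt, req, b"123456"), vlan_from_accept(pkt, req, b"1232456"))
```

A secret that differs by a single digit between the switch and clients.conf makes every reply fail the authenticator check, which shows up as authentication failures rather than as a VLAN problem.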
Notes
The RADIUS statistics on the GSM7224v2 are also helpful – these can be found under Security
-> Management Security -> RADIUS -> Server Configuration -> Statistics