
Dynamic VLAN assignment using RADIUS

This document describes how to dynamically assign clients to VLANs using RADIUS. This is
useful if you have multiple clients using the same physical network and need to assign them to
different VLANs depending on their logon credentials. This process removes the need to
manually assign ports into VLANs.

This applies to Netgear managed switches running firmware version 8.0.1.2 or later.

Equipment used:
• FreeRADIUS for Windows
• GSM7224v2
• 1 management PC
• 2 client PCs for testing (2 x Win XP Pro SP3)
• DHCP provided by DHCP server on VLAN2

Network Diagram

Dynamic VLAN Assignment using RADIUS Version 1.0


Switch Configuration

The starting configuration for the switch is to have all ports in VLAN1 with a management IP
address on the switch of 192.168.0.254.

• Go to Switching -> VLAN -> Basic -> VLAN Configuration
• Add VLAN2 with the settings as shown on the left
• Press Add

• Go to Security -> Port Authentication -> Advanced -> Port Authentication
• Select Ports 0/1 and 0/2
• Set the Control Mode for these 2 ports to Force Authorized
• Press Apply
• This is done so that the RADIUS server and the management PC do not get locked out from the switch

• Go to Security -> Port Authentication -> Advanced -> 802.1X Configuration
• Set Administrative Mode and VLAN Assignment Mode to Enable
• Press Apply

• Go to Security -> Management Security -> Authentication List -> Dot1x Authentication List
• Select the option for dot1xList and choose Radius for the first Field
• Press Apply

• Go to Security -> Management Security -> RADIUS -> Server Configuration
• Add Radius Server IP Address as 192.168.0.253
• Set Secret Configured to Yes
• Set Secret to 123456
• Press Add


RADIUS Server Configuration

Download and install FreeRADIUS for Windows. Once installed, the icon will appear in the
system tray.

Right click on the FreeRADIUS icon and choose Edit Radius Clients.conf – in this file we need to
add an entry for our RADIUS client, the GSM7224v2. To do this, add the following code and save
the file:

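client 192.168.0.253/24 {
    # the /24 range includes the switch (the RADIUS client) at 192.168.0.254
    # the secret must match the Secret configured on the switch
    secret = 123456
    shortname = gsm7224v2
}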

Next, right click on the FreeRADIUS icon and choose Edit Users – in this file we need to add
some users together with what VLAN we want these users to be assigned to. To do this, add the
following code and save the file:

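# Reply items follow the check line directly and must be indented;
# the three Tunnel attributes place the user in VLAN 2.
user1 User-Password == "password1"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-Id = "2"

user2 User-Password == "password2"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-Id = "2"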

Finally, restart FreeRADIUS by right clicking on the icon and choosing Restart Service.
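
As an added illustration (not part of the original document, and not FreeRADIUS or Netgear code), this Python example builds the Access-Accept that carries the three Tunnel attributes above and performs the Response Authenticator check a RADIUS client makes with its copy of the shared secret, following RFC 2865 and RFC 2868. The Request Authenticator and the mistyped secret are constructed sample values, and the EAP-Message and Message-Authenticator attributes of a real 802.1X reply are omitted.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                       # RADIUS packet code (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                  # values used for VLAN assignment (RFC 3580)
REQUEST_AUTH = bytes(range(16))         # constructed sample Request Authenticator

def tagged_int(attr_type, value, tag=0):
    # RFC 2868 layout: type, length 6, 1-byte tag, 3-byte integer value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tunnel_attrs(vlan_id):
    gid = str(vlan_id).encode()         # the VLAN ID travels as an ASCII string
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)) + gid)

def build_access_accept(ident, request_auth, vlan_id, secret):
    attrs = tunnel_attrs(vlan_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def nas_accepts(packet, request_auth, secret):
    # The RADIUS client recomputes the digest with its own copy of the secret
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def vlan_from(packet):
    pos = 20                            # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return None                 # malformed attribute, stop parsing
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return packet[pos + 2:pos + length].decode()
        pos += length
    return None

if __name__ == "__main__":
    good = build_access_accept(1, REQUEST_AUTH, 2, b"123456")
    typo = build_access_accept(1, REQUEST_AUTH, 2, b"1232456")  # constructed mistyped secret
    print(nas_accepts(good, REQUEST_AUTH, b"123456"), vlan_from(good))
    print(nas_accepts(typo, REQUEST_AUTH, b"123456"))
```

A reply computed with a secret that differs by one character fails the check and is discarded, so the secret in clients.conf and the Secret set on the switch must be identical.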


Client configuration

Since we are using FreeRADIUS, the network cards on client PC1 and client PC2 need to be
configured for MD5. To do this right click on the Local Area Connection and choose Properties.
Go to the Authentication tab and choose MD5 as shown:

Note: If you do not see the Authentication tab, it will be because the Wired AutoConfig service in
Windows has not been started. Start it in services.msc.


Testing

Connect PC1 and PC2 to any port on the switch other than ports 0/1 and 0/2. Once connected,
Windows will prompt for credentials. For credentials, use:

PC1
Username: user1
Password: password1

PC2
Username: user2
Password: password2

Once successfully authenticated, PC1 and PC2 will become members of VLAN2 even though the
ports to which they are connected were originally members of VLAN1.

To test, verify the following:

1: PC1 can successfully ping PC2.
2: PC1 and PC2 cannot ping the management PC.

Notes

To assist with any troubleshooting, check the FreeRADIUS logs in

C:\FreeRADIUS.net\var\log\radius\radius.log

The RADIUS statistics on the GSM7224v2 are also helpful – these can be found under Security
-> Management Security -> RADIUS -> Server Configuration -> Statistics
