Related Documentation
- AX, SRX Series
- Example: Configuring a Virtual Access Point for No Security and HTTP Redirect
- Example: Configuring a Virtual Access Point for WPA Enterprise and MAC Filtering
- Additional Information
- WLAN Feature Guide for Security Devices
Understanding Virtual Access Points and VLANs
When a wireless client connects to the access point, the access point tags traffic from the client with a VLAN ID. The VLAN ID can be one of the following:
- Untagged VLAN ID (the default is VLAN 1)
- Default VLAN ID configured for the virtual access point (the default is VLAN 1)
- VLAN ID returned by a RADIUS server when the client is authenticated by the server
An access point can support multiple VLANs. These VLANs can be distributed across virtual access points and radios.
The same VLAN can be configured for multiple virtual access points.
The VLANs can be assigned to wireless clients by the RADIUS server when the clients associate and authenticate. RADIUS-assigned VLANs are created and deleted dynamically as clients associate and disassociate. The first client assigned to a particular VLAN causes the access point to create the VLAN. When the last client using that VLAN disassociates, the VLAN is deleted from the access point. The maximum number of dynamic VLANs is equal to the maximum number of configurable clients on the access point.
The RADIUS server attributes for configuring a VLAN (defined in RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines) are as follows:
| RADIUS Server Attribute | Value | Description |
|---|---|---|
| Tunnel-Type | 13 | For VLAN tunnels |
| Tunnel-Medium-Type | 6 | 802 medium |
| Tunnel-Private-Group-ID | vlan-id | VLAN ID assigned to the client (in the range 1–4094) |
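The following is an added example, not Juniper code: a sketch of how the three attributes in the table above can be validated before a RADIUS-assigned VLAN is honored. The function names, the attribute type codes 64, 65 and 81 (from RFC 2868), and the policy of falling back to the virtual access point default on a missing or malformed attribute are assumptions, not documented device behavior.

```python
# Attribute type codes from RFC 2868; required values from the table above (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    """Split a RADIUS attribute list into {type: value}; the last duplicate wins."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        alen = data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[data[i]] = data[i + 2:i + alen]
        i += alen
    return attrs


def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("expected tag plus 3-byte value")
    return int.from_bytes(value[1:], "big")


def select_vlan(attr_bytes: bytes, vap_default_vlan: int = 1) -> int:
    """Return the RADIUS-assigned VLAN, or the VAP default (assumed fallback policy)."""
    try:
        attrs = parse_attributes(attr_bytes)
        if (tagged_int(attrs[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN
                or tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != MEDIUM_802):
            return vap_default_vlan
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if group and group[0] <= 0x1F:  # optional RFC 2868 tag byte before the string
            group = group[1:]
        if not group.isdigit():  # ASCII digits only; rejects "", "+5", " 5"
            return vap_default_vlan
        vlan = int(group)
    except (KeyError, ValueError):
        return vap_default_vlan
    return vlan if 1 <= vlan <= 4094 else vap_default_vlan


# Constructed sample attribute list (not captured traffic): VLAN tunnel, 802 medium, VLAN 100.
SAMPLE_OK = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"100")
```

Where the default VLAN is more trusted than the RADIUS-assigned ones, rejecting the client instead of falling back is the safer policy.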
Frames sent from wireless into wired media are assigned to the VLAN returned by the RADIUS server or to the default VLAN for the virtual access point. For unicast frames received from the wired network, the access point looks up the destination MAC address and VLAN and sends the frame to the appropriate virtual access point(s). For multicast frames, a different multicast encryption key is used for each VLAN in the same virtual access point to avoid data leakage between VLANs.
Published: 2014-05-22