Automatic Client VLAN Assignments

You can set up the WLAN so that users are automatically connected to a given VLAN according to the username/password they enter. You do this by configuring dynamic VLANs in the Mist portal, in conjunction with a RADIUS server. For unknown clients, you can send them to the Guest Network. The RADIUS server should already be connected to your switch. Likewise, your access points (APs) should be connected to the switch, with the correct VLANs configured.

The following VLAN types are supported for dynamic VLANs: Airespace-Interface-Name and Tunnel-Private-Group-ID.

RADIUS Setup

Although the specific RADIUS-side configuration varies by provider, the general idea is to configure a shared secret for encrypting and signing client traffic, to allow inbound traffic from the clients' IP addresses, and to maintain a users list that identifies the WLAN clients you want to segment and their associated VLAN IDs.

Using FreeRADIUS server as an example, you would edit the following files: clients.conf and users.

Configure the network and a secret for client requests in clients.conf, like so:

Configure the /etc/freeradius/users file with a list of WLAN users (including their user name, password, and VLAN association) like so:

If you are using FreeRADIUS server and it is not returning tunnel attributes in the Access-Accept message, and/or if the user is not being assigned the correct IP address (from the VLAN), then you may need to add a line to the /etc/freeradius/mods-available/eap.conf file:

use_tunneled_reply = yes
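
The three FreeRADIUS edits described above, shown together as an added example (not taken from the original page or from Juniper). It assumes a FreeRADIUS 3.x layout; the client name, subnet, secret, user names, passwords, VLAN ID and interface name are all constructed placeholders.

```conf
# --- clients.conf (constructed values) -------------------------------
# Accept RADIUS requests only from the subnet the APs send from, rather
# than from any address. 192.0.2.0/24 is a documentation range.
client mist_aps {
    ipaddr = 192.0.2.0/24
    # Placeholder: generate a long random secret and enter the same
    # value in the WLAN's Authentication Servers panel.
    secret = REPLACE_WITH_LONG_RANDOM_SECRET
}

# --- users (constructed accounts) ------------------------------------
# For a WLAN whose VLAN Type is "VLAN ID": return the three RFC 3580
# tunnel attributes; Tunnel-Private-Group-Id carries the VLAN ID, which
# must also be listed in the WLAN's VLAN ID field.
alice   Cleartext-Password := "constructed-password-1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# For a WLAN whose VLAN Type is "Named": return the interface name; the
# name-to-VLAN-ID mapping is configured on the WLAN. A WLAN uses one
# VLAN Type only, so alice and bob would sit on different WLANs.
bob     Cleartext-Password := "constructed-password-2"
        Airespace-Interface-Name = "staff"

# --- eap module ------------------------------------------------------
# The setting goes inside the existing peap { } (and, if used, ttls { })
# section; the other settings in that section are omitted here.
peap {
    use_tunneled_reply = yes
}
```

Cleartext passwords in the users file are suitable for a lab only; keep the file readable by the RADIUS service account alone, and restart or reload FreeRADIUS after editing.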

WLAN Setup

Figure 1: Dynamic VLAN is available with WPA3 and WPA2 Security Types

As noted, you can set up your WLAN so when users log on to it, they are automatically connected to a selected VLAN. In the Mist portal, this is called Dynamic VLANs, and you can enable the feature as follows:

  1. In the Juniper Mist portal, click Organization > Wireless | WLAN Templates, and on the WLAN Templates page, click Add WLAN (or select from the list the WLAN you want to use).
  2. Give the SSID a name (or select it from the WLANs section of the template). Typically, the SSID name is the same as the name of the WLAN so that it's easy to find and remember.
  3. In the WLAN window, under the Security panel, select WPA3 or WPA2 for the Security Type and Enterprise (802.1X). This action also unlocks the Dynamic option in the VLAN section.
  4. In the Authentication Servers panel, select RADIUS.
    • Click Add Server and specify the IP address of your RADIUS server.

    • Add the shared secret that is already configured on your RADIUS server.
    • Click the check mark icon when done to post your changes (you still need to click Save in the upper right corner when finished with all the steps).

  5. In the VLAN panel, choose Dynamic and then specify the following, as appropriate:
    • Static VLAN ID(s)—You can specify static VLANs or VLAN pool IDs (requires AP firmware version 0.14.x or later). Alternatively, you can specify a variable or use both VLAN IDs and variables. Delimit multiple values with a comma, no space.

    • VLAN Type supports both Airespace-Interface-Name and Tunnel-Private-Group-ID RADIUS attributes. Note that VLAN Type works on a per-WLAN basis. In other words, you can't use two different types on the same SSID.

      • VLAN ID—(also called Standard) This is the Tunnel-Private-Group-ID. Specify the VLAN IDs as configured in your users file on your RADIUS server.

      • Named—This is the Airespace-Interface-Name. Specify the interface names configured in your users file, and alongside each, the corresponding VLAN ID you want to use.

  6. Fill out the rest of the configuration as needed.
  7. Click Save at the top of the screen when you are done.