Dynamic VLAN assignment using RADIUS

This document describes how to dynamically assign clients to VLANs using RADIUS. This is useful if you have multiple clients using the same physical network and need to assign them to different VLANs depending on their logon credentials. This process removes the need to manually assign ports into VLANs.

This applies to Netgear managed switches running firmware version 8.0.1.2 or later.

Equipment used:
- FreeRADIUS for Windows
- GSM7224v2
- 1 management PC
- 2 client PCs for testing (2 x Win XP Pro SP3)
- DHCP provided by a DHCP server on VLAN2

Network Diagram (figure not reproduced in this text)
Switch Configuration

The starting configuration for the switch is to have all ports in VLAN1, with a management IP address on the switch of 192.168.0.254.

1. Go to Switching -> VLAN -> Basic -> VLAN Configuration.
2. Add VLAN2 with the settings as shown in the screenshot (not reproduced here).
3. Press Add.
4. Go to Security -> Port Authentication -> Advanced -> Port Authentication.
5. Select ports 0/1 and 0/2.
6. Set the Control Mode for these 2 ports to Force Authorized.
7. Press Apply. This is done so that the RADIUS server and the management PC do not get locked out of the switch.
8. Go to Security -> Port Authentication -> Advanced -> 802.1X Configuration.
9. Set Administrative Mode and VLAN Assignment Mode to Enable.
10. Press Apply.
11. Go to Security -> Management Security -> Authentication List -> Dot1x Authentication List.
12. Select the option for dot1xlist and choose Radius for the first field.
13. Press Apply.
14. Go to Security -> Management Security -> RADIUS -> Server Configuration.
15. Add a RADIUS server with IP address 192.168.0.253.
16. Set Secret Configured to Yes.
17. Set Secret to 123456.
18. Press Add.
RADIUS Server Configuration

Download and install FreeRADIUS for Windows. Once installed, the FreeRADIUS icon will appear in the system tray.

Right click on the FreeRADIUS icon and choose Edit Radius Clients.conf. In this file we need to add an entry for our RADIUS client, the GSM7224v2. To do this, add the following and save the file:

    # The switch (192.168.0.254) is covered by the /24 mask.
    client 192.168.0.253/24 {
        # Must match the secret configured on the switch.
        secret = 123456
        shortname = gsm7224v2
    }

Next, right click on the FreeRADIUS icon and choose Edit Users. In this file we need to add some users together with the VLAN we want these users to be assigned to. To do this, add the following and save the file:

    # Tunnel-Private-Group-Id is the VLAN ID the switch will place the port in.
    user1   User-Password == "password1"
            Tunnel-Type = "VLAN",
            Tunnel-Medium-Type = "IEEE-802",
            Tunnel-Private-Group-Id = "2"

    user2   User-Password == "password2"
            Tunnel-Type = "VLAN",
            Tunnel-Medium-Type = "IEEE-802",
            Tunnel-Private-Group-Id = "2"

Finally, restart FreeRADIUS by right clicking on the icon and choosing Restart Service.
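The users file and clients.conf only work if they agree with each other and with the switch: all three Tunnel-* reply attributes must be present, the VLAN ID must exist on the switch, and the client secret must match the one entered in the switch's RADIUS server configuration. The following Python script is an added example (not part of the original document and not FreeRADIUS code) that parses both files and reports those mismatches. The sample file contents are constructed: user1 and user2 mirror the document, user3 is deliberately broken, and the clients.conf sample deliberately carries a secret that differs from the 123456 set on the switch. It assumes Tunnel-Private-Group-Id carries a numeric VLAN ID, as in the document; the 16-character minimum secret length is the lint's own threshold, not a FreeRADIUS requirement.

```python
"""Lint the FreeRADIUS files used for dynamic VLAN assignment.

Added example, not part of the original document or of FreeRADIUS.
Sample file contents are constructed; the clients.conf sample deliberately
carries a secret that differs from the 123456 configured on the switch.
"""
import re

# Constructed sample users file: user1/user2 as the document defines them,
# plus a user3 entry with two deliberate mistakes for the lint to catch.
USERS_FILE = '''\
user1   User-Password == "password1"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "2"

user2   User-Password == "password2"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "2"

user3   User-Password == "password3"
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "99"
'''

# Constructed sample clients.conf with a mistyped secret.
CLIENTS_CONF = '''\
client 192.168.0.253/24 {
        secret = 1232456
        shortname = gsm7224v2
}
'''

# attribute, operator (:= == =), value (quoted or bare); trailing commas are skipped
ITEM_RE = re.compile(r'([A-Za-z0-9_.-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}")

# Reply attributes the switch needs to see before it honours the VLAN ID.
REQUIRED_REPLY = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def _items(text):
    """Parse 'Attr op value, Attr op value' into {Attr: value}."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in ITEM_RE.finditer(text)}


def parse_users(text):
    """Return {name: {"check": {...}, "reply": {...}}} for a users file.

    An entry starts in column 0 with the name and its check items; the
    indented lines that follow are its reply items.
    """
    entries, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            name, rest = re.match(r"(\S+)\s*(.*)", line).groups()
            entries[name] = {"check": _items(rest), "reply": {}}
        elif name is not None:
            entries[name]["reply"].update(_items(line))
    return entries


def lint_vlan_entries(entries, switch_vlans):
    """Return [(user, problem)] for reply items the switch could not act on.

    Assumes Tunnel-Private-Group-Id is a numeric VLAN ID (as in the document)
    and that switch_vlans is the set of VLAN IDs defined on the switch.
    """
    problems = []
    for user, entry in entries.items():
        reply = entry["reply"]
        for attr, expected in REQUIRED_REPLY.items():
            if reply.get(attr) != expected:
                problems.append((user, f"{attr} should be {expected!r}, got {reply.get(attr)!r}"))
        vid = reply.get("Tunnel-Private-Group-Id")
        if vid is None or not vid.isdigit():
            problems.append((user, "Tunnel-Private-Group-Id missing or not a VLAN ID"))
        elif int(vid) not in switch_vlans:
            problems.append((user, f"VLAN {vid} is not configured on the switch"))
    return problems


def parse_clients(text):
    """Return {address: {key: value}} from the client { } blocks."""
    return {m.group(1): dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
            for m in CLIENT_RE.finditer(text)}


def check_client_secrets(clients, switch_secret, min_len=16):
    """Return [(address, problem)]; min_len is this lint's own threshold."""
    problems = []
    for addr, body in clients.items():
        secret = body.get("secret", "")
        if secret != switch_secret:
            problems.append((addr, "secret differs from the one configured on the switch"))
        if len(secret) < min_len:
            problems.append((addr, f"secret is shorter than {min_len} characters"))
    return problems


if __name__ == "__main__":
    for item in lint_vlan_entries(parse_users(USERS_FILE), {1, 2}):
        print("users:", *item)
    for item in check_client_secrets(parse_clients(CLIENTS_CONF), "123456"):
        print("clients.conf:", *item)
```

Run against the real files by replacing the two constructed strings with the contents of the users file and clients.conf, and pass the VLAN IDs you created on the switch (here {1, 2}) and the secret you entered in its RADIUS server configuration. A missing Tunnel-Medium-Type or a VLAN ID the switch does not know are the two mistakes that most often leave a client stuck in the port's original VLAN after a successful authentication.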
Client configuration

Since we are using FreeRADIUS, the network cards on client PC1 and client PC2 need to be configured for MD5. To do this, right click on the Local Area Connection and choose Properties. Go to the Authentication tab and choose MD5 as the EAP type, as shown in the screenshot (not reproduced here).

Note: If you do not see the Authentication tab, it will be because the Wired AutoConfig service in Windows has not started. Start it in services.msc.
Testing

Connect PC1 and PC2 to any port on the switch other than ports 0/1 and 0/2. Once connected, Windows will prompt for credentials. For credentials, use:

    PC1   Username: user1   Password: password1
    PC2   Username: user2   Password: password2

Once successfully authenticated, PC1 and PC2 will become members of VLAN2 even though the ports to which they are connected were originally members of VLAN1. To test, verify the following:

1. PC1 can successfully ping PC2.
2. PC1 and PC2 cannot ping the management PC.

Notes

To assist with any troubleshooting, check the FreeRADIUS logs in C:\FreeRADIUS.net\var\log\radius\radius.log. The RADIUS statistics on the GSM7224v2 are also helpful; these can be found under Security -> Management Security -> RADIUS -> Server Configuration -> Statistics.
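The radius.log file named in the notes records one line per authentication attempt, including which switch port (NAS-Port) and which client MAC it came from, so it is the quickest way to see whether a failed VLAN assignment is a credential problem, an unknown-client problem (the switch address not matching clients.conf) or something on the switch side. The Python script below is an added example, not part of the original document or of FreeRADIUS: it parses those lines and summarises successes, failures per switch port, requests refused from unknown clients, and accounts seen on more than one port. The sample log lines are constructed in the shape of FreeRADIUS 1.x/2.x "Auth:" and "Error:" messages; the failure threshold of 3 is this script's own assumption.

```python
"""Summarise FreeRADIUS radius.log authentication lines for troubleshooting.

Added example, not part of the original document or of FreeRADIUS.  The
sample lines are constructed in the shape of FreeRADIUS 1.x/2.x log
messages; the failure threshold of 3 is this script's own assumption.
"""
import re

# Constructed sample: two good logins, three failures for user3 on port 5,
# one request from an address not listed in clients.conf, and a failure
# for user1 from a different port (and MAC) than its earlier success.
SAMPLE_LOG = """\
Mon Jun  1 09:15:02 2009 : Auth: Login OK: [user1] (from client gsm7224v2 port 3 cli 00-0C-29-AA-BB-01)
Mon Jun  1 09:15:20 2009 : Auth: Login OK: [user2] (from client gsm7224v2 port 4 cli 00-0C-29-AA-BB-02)
Mon Jun  1 09:16:05 2009 : Auth: Login incorrect: [user3] (from client gsm7224v2 port 5 cli 00-0C-29-AA-BB-03)
Mon Jun  1 09:16:09 2009 : Auth: Login incorrect: [user3] (from client gsm7224v2 port 5 cli 00-0C-29-AA-BB-03)
Mon Jun  1 09:16:14 2009 : Auth: Login incorrect: [user3] (from client gsm7224v2 port 5 cli 00-0C-29-AA-BB-03)
Mon Jun  1 09:17:00 2009 : Error: Ignoring request from unknown client 192.168.0.10:1024
Mon Jun  1 09:18:30 2009 : Auth: Login incorrect: [user1] (from client gsm7224v2 port 6 cli 00-0C-29-AA-BB-09)
"""

# "<timestamp> : <level>: <message>"
LOG_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): (?P<msg>.*)$")
# "Login OK|incorrect: [user] (from client <shortname> port <NAS-Port> cli <MAC>)"
LOGIN_RE = re.compile(
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)")
# Request from an address with no client { } entry in clients.conf.
UNKNOWN_RE = re.compile(r"unknown client (?P<addr>[\d.]+)")


def parse_log(text):
    """Return one event dict per parseable line.

    kind is "login" (with result/user/client/port/cli), "unknown_client"
    (with addr) or "other" for lines this script does not interpret.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "level": m["level"], "kind": "other"}
        lm = LOGIN_RE.search(m["msg"])
        if lm:
            ev.update(kind="login", result=lm["result"], user=lm["user"],
                      client=lm["client"], port=int(lm["port"]), cli=lm["cli"])
        else:
            um = UNKNOWN_RE.search(m["msg"])
            if um:
                ev.update(kind="unknown_client", addr=um["addr"])
        events.append(ev)
    return events


def summarize(events):
    """Per-user OK/fail counts, failures per (client, port), unknown clients."""
    users, failed_ports, unknown = {}, {}, []
    for ev in events:
        if ev["kind"] == "login":
            counts = users.setdefault(ev["user"], {"ok": 0, "fail": 0})
            if ev["result"] == "OK":
                counts["ok"] += 1
            else:
                counts["fail"] += 1
                key = (ev["client"], ev["port"])
                failed_ports[key] = failed_ports.get(key, 0) + 1
        elif ev["kind"] == "unknown_client":
            unknown.append(ev["addr"])
    return {"users": users, "failed_ports": failed_ports, "unknown_clients": unknown}


def repeated_failures(events, threshold=3):
    """(client, port) pairs with at least `threshold` failed logins."""
    failed = summarize(events)["failed_ports"]
    return sorted(key for key, n in failed.items() if n >= threshold)


def users_on_multiple_ports(events):
    """{user: [ports]} for accounts that authenticated from more than one port."""
    seen = {}
    for ev in events:
        if ev["kind"] == "login":
            seen.setdefault(ev["user"], set()).add(ev["port"])
    return {user: sorted(ports) for user, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print("repeated failures:", repeated_failures(evs))
    print("accounts on several ports:", users_on_multiple_ports(evs))
```

Point parse_log at the contents of C:\FreeRADIUS.net\var\log\radius\radius.log after running the test in this document. An "unknown client" entry means the switch's source address is not covered by the client block in clients.conf; repeated failures on one port with the same MAC are usually a mistyped password on that PC; an account succeeding on one port and then failing from another port and MAC is worth a closer look, since each user is expected to sit on a single port in this setup.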