
Configure Network Policies

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can use this topic to configure network policies in NPS.

Add a Network Policy

Network Policy Server (NPS) uses network policies and the dial-in properties of user accounts to determine whether a connection request is authorized to connect to the network.

You can use this procedure to configure a new network policy in either the NPS console or the Remote Access console.

Performing authorization

When NPS performs the authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy, and then moving down the list of configured policies. If NPS finds a policy whose conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If the dial-in properties of the user account are configured to grant access or control access through network policy and the connection request is authorized, NPS applies the settings that are configured in the network policy to the connection.

If NPS does not find a network policy that matches the connection request, the connection request is rejected unless the dial-in properties on the user account are set to grant access.

If the dial-in properties of the user account are set to deny access, the connection request is rejected by NPS.

Key settings

When you use the New Network Policy wizard to create a network policy, the value that you specify in Network connection method is used to automatically configure the Policy Type condition:

  • If you keep the default value of Unspecified, the network policy that you create is evaluated by NPS for all network connection types that are using any kind of network access server (NAS).
  • If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify.

On the Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied.

If you want access permission to be determined by user account dial-in properties in Active Directory® Domain Services (AD DS), you can select the Access is determined by User Dial-in properties check box.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network policy

Open the NPS console, and then double-click Policies.

In the console tree, right-click Network Policies, and click New. The New Network Policy wizard opens.

Use the New Network Policy wizard to create a policy.

Create Network Policies for Dial-Up or VPN with a Wizard

You can use this procedure to create the connection request policies and network policies required to deploy either dial-up servers or virtual private network (VPN) servers as Remote Authentication Dial-In User Service (RADIUS) clients to the NPS RADIUS server.

Client computers, such as laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers — such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers — because these devices use the RADIUS protocol to communicate with RADIUS servers such as NPSs.

This procedure explains how to open the New Dial-up or Virtual Private Network Connections wizard in NPS.

After you run the wizard, the following policies are created:

  • One connection request policy
  • One network policy

You can run the New Dial-up or Virtual Private Network Connections wizard every time you need to create new policies for dial-up servers and VPN servers.

Running the New Dial-up or Virtual Private Network Connections wizard is not the only step required to deploy dial-up or VPN servers as RADIUS clients to the NPS. Both network access methods require that you deploy additional hardware and software components.

To create policies for dial-up or VPN with a wizard

Open the NPS console. If it is not already selected, click NPS (Local). If you want to create policies on a remote NPS, select the server.

In Getting Started and Standard Configuration, select RADIUS server for Dial-Up or VPN Connections. The text and links under the text change to reflect your selection.

Click Configure VPN or Dial-Up with a wizard. The New Dial-up or Virtual Private Network Connections wizard opens.

Follow the instructions in the wizard to complete creation of your new policies.

Create Network Policies for 802.1X Wired or Wireless with a Wizard

You can use this procedure to create the connection request policy and network policy that are required to deploy either 802.1X authenticating switches or 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients to the NPS RADIUS server.

This procedure explains how to start the New IEEE 802.1X Secure Wired and Wireless Connections wizard in NPS.

You can run the New IEEE 802.1X Secure Wired and Wireless Connections wizard every time you need to create new policies for 802.1X access.

Running the New IEEE 802.1X Secure Wired and Wireless Connections wizard is not the only step required to deploy 802.1X authenticating switches and wireless access points as RADIUS clients to the NPS. Both network access methods require that you deploy additional hardware and software components.

To create policies for 802.1X wired or wireless with a wizard

On the NPS, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.

If it is not already selected, click NPS (Local). If you want to create policies on a remote NPS, select the server.

In Getting Started and Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections. The text and links under the text change to reflect your selection.

Click Configure 802.1X using a wizard. The New IEEE 802.1X Secure Wired and Wireless Connections wizard opens.

Configure NPS to Ignore User Account Dial-in Properties

Use this procedure to configure an NPS network policy to ignore the dial-in properties of user accounts in Active Directory during the authorization process. User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.

There are two circumstances where you might want to configure NPS to ignore the dial-in properties of user accounts in Active Directory:

When you want to simplify NPS authorization by using network policy, but not all of your user accounts have the Network Access Permission property set to Control access through NPS Network Policy. For example, some user accounts might have the Network Access Permission property of the user account set to Deny access or Allow access.

When other dial-in properties of user accounts are not applicable to the connection type that is configured in the network policy. For example, properties other than the Network Access Permission setting are applicable only to dial-in or VPN connections, but the network policy you are creating is for wireless or authenticating switch connections.

You can use this procedure to configure NPS to ignore user account dial-in properties. If a connection request matches a network policy in which the Ignore user account dial-in properties check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization.
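The authorization flow described in this topic (ordered first-match policy evaluation, the dial-in property of the user account, and the "Ignore user account dial-in properties" option) is compact enough to model. The following Python is an added example, not code from Microsoft or from NPS itself: it implements exactly the rules stated in the "Performing authorization" section and the paragraph above, with constructed sample policies and requests. The policy names, group names, NAS-Port-Type strings and the returned attribute are assumptions chosen for the example; real NPS evaluates many more condition types than the two modelled here.

```python
from dataclasses import dataclass, field
from enum import Enum


class DialIn(Enum):
    """Network Access Permission on the AD user account."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    CONTROL = "Control access through NPS Network Policy"


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    groups: frozenset          # AD group memberships (constructed sample data)
    nas_port_type: str         # value matched by the NAS Port Type condition
    dial_in: DialIn            # dial-in property of the user account


@dataclass
class NetworkPolicy:
    name: str
    grant: bool                                   # Access granted (True) / Access denied (False)
    enabled: bool = True
    groups: frozenset = frozenset()               # Windows Groups condition; empty = no group condition
    nas_port_types: frozenset = frozenset()       # NAS Port Type condition; empty = Unspecified (any NAS)
    ignore_dial_in: bool = False                  # "Ignore user account dial-in properties" check box
    settings: dict = field(default_factory=dict)  # RADIUS attributes applied when the request is accepted

    def matches(self, req: ConnectionRequest) -> bool:
        """Every configured condition must match; a disabled policy never matches."""
        if not self.enabled:
            return False
        if self.groups and not (self.groups & req.groups):
            return False
        if self.nas_port_types and req.nas_port_type not in self.nas_port_types:
            return False
        return True


def authorize(policies, req: ConnectionRequest):
    """Walk the ordered policy list; the first matching policy decides.

    Returns (accepted, matched_policy_name, settings_applied).
    """
    for policy in policies:
        if not policy.matches(req):
            continue
        if policy.ignore_dial_in or req.dial_in is DialIn.CONTROL:
            accepted = policy.grant                 # only the policy's Access Permission counts
        else:
            accepted = req.dial_in is DialIn.ALLOW  # Allow/Deny on the account overrides the policy
        return accepted, policy.name, (dict(policy.settings) if accepted else {})
    # No policy matched: rejected unless the account itself is set to Allow access.
    return req.dial_in is DialIn.ALLOW, None, {}


# Constructed sample policy list, in evaluation order.
WIRELESS = "Wireless-IEEE 802.11"
ETHERNET = "Ethernet"
POLICIES = [
    NetworkPolicy("Old staff policy (disabled)", grant=False, enabled=False),
    NetworkPolicy("School Wireless - Staff", grant=True,
                  groups=frozenset({"Staff"}), nas_port_types=frozenset({WIRELESS}),
                  settings={"Tunnel-Pvt-Group-ID": "10"}),
    NetworkPolicy("School Wireless - Students", grant=True,
                  groups=frozenset({"Students"}), nas_port_types=frozenset({WIRELESS}),
                  settings={"Tunnel-Pvt-Group-ID": "20"}),
    NetworkPolicy("Wired guest - policy decides", grant=True,
                  nas_port_types=frozenset({ETHERNET}), ignore_dial_in=True,
                  settings={"Tunnel-Pvt-Group-ID": "99"}),
    NetworkPolicy("Deny everything else", grant=False),
]


def decide(user, groups, nas_port_type, dial_in, policies=POLICIES):
    """Convenience wrapper: build the request and authorize it against `policies`."""
    return authorize(policies, ConnectionRequest(user, frozenset(groups), nas_port_type, dial_in))


if __name__ == "__main__":
    for args in [("alice", {"Staff"}, WIRELESS, DialIn.CONTROL),
                 ("bob", {"Students"}, WIRELESS, DialIn.ALLOW),
                 ("carol", {"Staff"}, WIRELESS, DialIn.DENY),
                 ("dave", set(), WIRELESS, DialIn.CONTROL),
                 ("erin", {"Students"}, ETHERNET, DialIn.DENY)]:
        print(args[0], decide(*args))
```

The catch-all deny policy at the end mirrors the default NPS behaviour of rejecting anything no earlier policy matched; the disabled policy at the top shows why the ordering note later on this page matters only for enabled policies.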

Membership in Administrators , or equivalent, is the minimum required to complete this procedure.

To configure NPS to ignore user account dial-in properties

Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.

Configure NPS for VLANs

By using VLAN-aware network access servers and NPS in Windows Server 2016, you can provide groups of users with access only to the network resources that are appropriate for their security permissions. For example, you can provide visitors with wireless access to the Internet without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical locations or on different physical subnets. For example, members of your sales department and their network resources, such as client computers, servers, and printers, might be located in several different buildings at your organization, but you can place all of these resources on one VLAN that uses the same IP address range. The VLAN then functions, from the end-user perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of users. After you have determined how you want to define your groups, you can create security groups in the Active Directory Users and Computers snap-in, and then add members to the groups.

Configure a Network Policy for VLANs

You can use this procedure to configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

This procedure is provided as a guideline; your network configuration might require different settings than those described below.

To configure a network policy for VLANs

In the policy Properties dialog box, click the Settings tab.

In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.

In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.

In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:

Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).

Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.

Tunnel-Type. Select Virtual LANs (VLAN).

In Add Standard RADIUS Attribute, click Close.

If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy. If required, add the attributes as follows:

In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.

In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.

In Attribute value, type the value that you obtained from your hardware documentation.
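The attributes configured in the steps above are what NPS returns in the RADIUS Access-Accept, and the same four attributes reappear in the NPS wireless example later on this page. The Python below is an added example, not code from Microsoft, NPS or any NAS vendor: it encodes Service-Type, Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID on the wire as RFC 2868 tagged attributes (the leading Tag byte is what the NPS Tunnel-Tag attribute sets) and then parses the block back the way a NAS or an audit tool would, refusing to derive a VLAN from an incomplete or inconsistent set. The attribute numbers and enumerated values (Service-Type 2 = Framed, Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) are from RFC 2865, RFC 2868 and RFC 3580; the sample VLAN IDs and the strictness of the checks are assumptions made for the example.

```python
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2868) and the enumerated values NPS uses.
ATTR_SERVICE_TYPE = 6
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81     # shown as "Tunnel-Pvt-Group-ID" in the NPS console
SERVICE_TYPE_FRAMED = 2
TUNNEL_TYPE_VLAN = 13                 # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes an Access-Accept carries to place the session on `vlan_id`.

    `tag` is the RFC 2868 Tag byte (the NPS Tunnel-Tag attribute); 0 means untagged.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    tag_byte = bytes([tag])
    return (
        _avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
        + _avp(ATTR_TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(ATTR_TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes):
    """Split a RADIUS attribute block into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data: bytes):
    """Return (vlan_id, tag) if the block carries a complete, consistent VLAN assignment, else None."""
    found = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:                   # tag byte + 3-byte integer
                return None
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is not a tag but the start of the string (RFC 2868 section 3.6).
            if value and value[0] <= 0x1F:
                found[attr_type] = (value[0], value[1:].decode("ascii", "replace"))
            else:
                found[attr_type] = (0, value.decode("ascii", "replace"))
    needed = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in found for t in needed):
        return None
    (tag_t, ttype), (tag_m, medium), (tag_g, group) = (found[t] for t in needed)
    if not tag_t == tag_m == tag_g:               # the tag groups the three attributes into one tunnel
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or not group.isdigit():
        return None                               # VLAN names are legal but this checker expects a number
    return int(group), tag_g


if __name__ == "__main__":
    block = vlan_attributes(10, tag=1)
    print(block.hex())
    print(assigned_vlan(block))
```

The decoder deliberately returns nothing when Tunnel-Type or Tunnel-Medium-Type is missing or the tags disagree: a NAS that sees only Tunnel-Pvt-Group-ID must not guess, and an auditor replaying captured Access-Accepts should flag such replies as misconfigured policies.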

Configure the EAP Payload Size

In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.

When you deploy NPS with network policies that use the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes.

This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS and a RADIUS client. If this is the case, a router or firewall positioned between the RADIUS client and the NPS might silently discard some fragments, resulting in authentication failure and the inability of the access client to connect to the network.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344.

To configure the Framed-MTU attribute

In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.

In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.

In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.
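To see why a Framed-MTU of 1344 avoids the fragmentation problem described above, it helps to add up the bytes around an EAP payload. The following Python is an added example, not Microsoft's code or a description of NPS internals: it models a worst-case RADIUS datagram in which the EAP payload is as large as Framed-MTU allows, split into EAP-Message attributes of at most 253 data bytes each, with the Message-Authenticator attribute that must accompany EAP-Message, inside UDP over IPv4. The header sizes are from the RFCs (RFC 2865 for RADIUS and EAP-Message, RFC 3579 for Message-Authenticator); the assumption that the EAP payload can be as large as Framed-MTU, the 1500-byte path MTU and the optional `other_attr_bytes` allowance for attributes such as State or Class are simplifications made for the example.

```python
import math

# Fixed overheads, in bytes (IPv4 without options, UDP, RADIUS header per RFC 2865).
IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20            # Code, Identifier, Length, Request/Response Authenticator
EAP_MESSAGE_DATA_MAX = 253    # an attribute is at most 255 bytes including its 2-byte header
ATTR_HEADER = 2
MESSAGE_AUTHENTICATOR = 18    # 2-byte header + 16-byte HMAC-MD5; required alongside EAP-Message


def radius_datagram_size(eap_len: int, other_attr_bytes: int = 0) -> int:
    """Bytes on the wire for one RADIUS packet carrying an EAP payload of `eap_len` bytes.

    The EAP payload is chunked into EAP-Message attributes, each adding a 2-byte header.
    """
    chunks = math.ceil(eap_len / EAP_MESSAGE_DATA_MAX)
    attributes = eap_len + chunks * ATTR_HEADER + MESSAGE_AUTHENTICATOR + other_attr_bytes
    return IPV4_HEADER + UDP_HEADER + RADIUS_HEADER + attributes


def needs_fragmentation(framed_mtu: int, path_mtu: int = 1500, other_attr_bytes: int = 0) -> bool:
    """True if an EAP payload filling Framed-MTU would exceed the path MTU and so be fragmented."""
    return radius_datagram_size(framed_mtu, other_attr_bytes) > path_mtu


def largest_safe_framed_mtu(path_mtu: int = 1500, other_attr_bytes: int = 0) -> int:
    """Largest EAP payload whose RADIUS datagram still fits the path MTU under this model."""
    for n in range(path_mtu, 0, -1):
        if radius_datagram_size(n, other_attr_bytes) <= path_mtu:
            return n
    return 0


if __name__ == "__main__":
    for mtu in (1500, 1344):
        print(f"Framed-MTU {mtu}: datagram {radius_datagram_size(mtu)} bytes, "
              f"fragmentation needed: {needs_fragmentation(mtu)}")
    print("largest safe value with no extra attributes:", largest_safe_framed_mtu())
    print("with an 18-byte State attribute present:", largest_safe_framed_mtu(other_attr_bytes=18))
```

With the default of 1500 the datagram comes out at 1578 bytes, which a 1500-byte link must fragment; 1344 yields 1422 bytes, leaving room for State, Class, Proxy-State or vendor attributes before the limit is reached, which is why the documented ceiling is below the bare-minimum figure the model computes.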

For more information about network policies, see Network Policies.

For examples of pattern-matching syntax to specify network policy attributes, see Use Regular Expressions in NPS.

For more information about NPS, see Network Policy Server (NPS).



Segmenting Your Network with Dynamic VLAN


What is Dynamic VLAN?

VLANs (Virtual Local Area Networks) enable segmentation of the main organizational network. In practice, VLANs allow network administrators to keep devices and network resources separated despite being connected to the same physical network.

Dynamic VLAN assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. The flow of traffic between those VLANs is governed by a firewall or another routing device which can then enforce specific network access rules.

Why Use Dynamic VLANs?

Segmenting the network is a security best practice, and in some cases is even a regulatory requirement – such as with PCI. Network segmentation is a measure that improves the effectiveness of all the current investments in other security tools, and can by itself help to prevent significant damage to critical organizational data across the network after a company has been breached.

Automating VLAN assignments and eliminating the need for manual intervention has historically been a challenge for network security teams. Today, automatic VLAN assignment is best implemented by the use of a RADIUS service, which functions as follows:

  • A device connects to one of the network access layers: a wired Ethernet switch or a WiFi SSID
  • The network access layer sends a request to the RADIUS server with the user’s credentials or certificate (using 802.1X)
  • The RADIUS server sends a reply containing attributes that tell the switch or access point which VLAN the device belongs on, resulting in the correct VLAN assignment

Common Dynamic VLAN Assignment Use Cases

Network and security administrators most commonly encounter these use cases for dynamic VLAN assignment:

  • The Sales & Marketing department does not need access to R&D resources, while R&D should not have access to the Finance Department resources. Using dynamic VLANs, each department will be placed in the correct VLAN with the required access.
  • Devices that fail to authenticate due to wrong credentials or incorrect/expired certificate will be placed in a quarantine VLAN with internet access only.
  • IP Phones use a dedicated voice VLAN and should be placed on that VLAN upon successful authentication.
  • Devices that do not support 802.1X and are admitted by MAC authentication bypass should be placed in their own dedicated VLAN.
  • Devices that fail posture assessment (such as those without updated AntiVirus) should be placed in a quarantine VLAN with limited access.
  • Employees connect to one single WiFi SSID and get different access (VLANs) based on their LDAP groups in the authentication repository.

Dynamic VLAN Assignment with Portnox CLEAR

As mentioned earlier, the implementation of dynamic VLAN assignment has often been challenging for organizations since additional servers were needed on-site at the datacenter. This forced network teams to manage redundancies, complex configurations, and on-going maintenance.

To paint a clearer picture of this headache, consider this:

Take the case of connecting a new department, branch, or merely onboarding a lot of new employees at once…this can cause a surge in demand, which will in turn cause the whole network to “shutdown,” thus not accepting anyone who tries to connect.

Portnox CLEAR is a network access control solution, deployed as a cloud service, that provides all the mentioned use cases and more. CLEAR simplifies the implementation process of dynamic VLAN assignment. CLEAR allows you to easily set up a cloud RADIUS server in a single click, and integrate with various authentication repositories like on-premise Active Directory, Azure AD, GSuite, and OKTA. Plus, you can enforce your own unique access control policy to dynamically assign users to their respective VLANs.

In addition to VLAN assignment based on credentials authorization, CLEAR also allows you to implement dynamic VLAN assignment based on risk violation. This means that even devices that have authenticated successfully to the wired or wireless network can be dynamically moved to a dedicated VLAN if they fall out of compliance.

[Diagram: dynamic VLAN assignment in Portnox CLEAR]

In the diagram above:

  • PCs are dynamically assigned to the VLAN based on their credentials/certificate.
  • IP Phones are assigned to the VOIP VLAN.
  • Printers are assigned to the printers VLAN.
  • Guest devices are assigned to the internet-only access/quarantine VLAN.

How it Works – Setting up Dynamic VLAN Assignment in Portnox CLEAR:

1. Enable Cloud RADIUS

In the CLEAR portal, create your one-click cloud RADIUS server: go to Settings > Services > CLEAR RADIUS Service, and add your RADIUS service instance:


Then point your network equipment (wired switches and/or wireless controllers) at these CLEAR RADIUS service details.

2. Creating an Access Control Policy – Dynamic VLAN Assignment:

In Policies > Access Control Policies, add or edit your existing access control policy, select the required access layer and add the correct VLAN ID or VLAN name for each event you want to create dynamic VLAN assignment for: successful authentication, authentication violation, risk assessment, blocked by admin. Then, map the access control policy to the relevant groups and users.



IT Capture

Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

Configuration Example

Here’s an example of how to configure NPS to assign users to a VLAN based on their user group, using NPS for the authentication and authorization of users. The key to getting this to work is the use of a RADIUS element called ‘Tunnel-PVT-Group-ID’. This is a RADIUS attribute that may be passed back to the authenticator (i.e. the WLC or AP) by the authentication server (i.e. NPS) when a successful authentication has been achieved. There are a few other elements which need to accompany it, but this is the key element, as it specifies the VLAN number that the user should be assigned to. The other elements that need to be returned by NPS are:

  • Service-Type: Framed
  • Tunnel-Type: VLAN
  • Tunnel-Medium-Type: 802
  • Tunnel-PVT-Group-ID: <VLAN Number>

We’ll have a look at how we specify each of these attributes in an NPS policy. For our example, we’ll assign all ‘staff’ users to VLAN 10 and all ‘student’ users to VLAN 20. Here is an overview of what the network might look like (this is obviously very simplified, but gives an overview of the type of thing that might be achieved):

[Diagram: network policy server dynamic VLAN assignment]

VLAN 10 has an ACL (access control list) that allows users on this VLAN to access all systems across the school network. (The ACL would generally be configured on the layer 3 switch or router that interconnects the school VLANs.) VLAN 20 has an ACL which only allows access to the learning system VLAN and the Internet-related services. By studying the example above, you can see that if we can control a user’s VLAN assignment, based on their AD group membership, we can ensure that they only receive the network access to which they are entitled (purely via their AD group membership). Also, note that this is all being done on a single SSID (“School” in this case). Now we’ll take a look at how we achieve this using NPS.

NPS Configuration

To configure NPS to provide the VLAN assignments outlined above, we will create 2 policies within NPS:

  • School Wireless – Staff (to assign members of the staff AD group to VLAN 10)
  • School Wireless – Students  (to assign members of the students AD group to VLAN 20)

The screenshots below outline the configuration required. Here is the policy summary screen within NPS. Note that when configuring multiple policies, the order of the policies is important. Policies are assessed top-down, so make sure the policies that need to be hit are enabled and above any disabled policies.

Staff Policy

1. Create the policy and enable it.

2. Add the NAS type and AD group membership conditions (must be members of the staff group).

3. Select and configure an EAP type (note this may be PEAP or EAP-TLS – we’ve shown PEAP just as an example).

4. Configure the settings for this policy to assign any users which match this policy to VLAN 10.

Students Policy

1. Create the policy and enable it.

2. Add the NAS type and AD group membership conditions (must be members of the students group to match this policy).

3. Configure the settings for this policy to assign any users which match this policy to VLAN 20.

Once NPS has been configured with policies similar to those shown above, users can be dynamically assigned to an appropriate VLAN based on their AD group membership.  As we’ve already discussed, this provides great benefits in reducing additional overheads associated with multiple SSIDs on a WiFi network. In addition, it simplifies user wireless management by allowing all users to be configured with a single wireless client profile, with their access being configured via Microsoft AD. One caveat to note when trying to use this technique is that all users must be using the same security mechanisms to join the SSID. For instance, all users must be using 802.1x (EAP) – you can’t have a mix of PSK & 802.1x authenticated devices on the same SSID. Generally, they should also be using the same WPA version (i.e. WPA or WPA2).


What is Dynamic VLAN Assignment?

Written by Sean Blanton on May 24, 2021


When it comes to the modern enterprise, few things are more important than network and identity security. With bad actors lurking around every corner (even inside of an organization itself), maintaining a strong, secure network along with keeping credentials safe is of utmost importance to the IT admin. Several network securing tools and techniques are being employed by IT admins today, especially during the global pandemic, but one that has been a foundational approach for many years is dynamic VLAN assignment. Since IT admins are dramatically stepping up the security of their IT environments, some are asking: what is dynamic VLAN assignment and how can it help secure the network?

Network Security with Dynamic VLAN Assignment

The simple answer is that dynamic VLAN assignment (or VLAN steering as it is sometimes called) is an excellent technique used to build on the underlying core strategy to control network access. VLAN assignments build on the use of RADIUS to control access to the network.

Via RADIUS integration, a WiFi access point (WAP) requires not only an SSID and passphrase, but a user’s unique set of credentials to access the network. Once a user has passed credentials through to the WAP to the RADIUS server and directory service, the RADIUS server will reply to the WAP that the user has been authenticated and inform what VLAN they are assigned to.

IT admins configure the system to identify which users and/or groups are assigned to which VLAN. Those VLANs can be set up on the WiFi network for any number of reasons including security and compliance. By segmenting users and authenticating them with their unique credentials, IT admins can increase security significantly. This approach helps separate out critical areas of the network, and can be especially helpful in compliance situations where, for example, the cardholder data environment (CDE) can be separated from the rest of the network making PCI Compliance far easier.

Challenges with Dynamic VLAN Assignments

The challenge with this approach is the overhead for IT admins. Traditionally, to implement dynamic VLAN assignments would require a great deal of infrastructure, configuration, and administration. For starters, IT organizations would need to set up their own FreeRADIUS server and connect that instance to the wireless access points and the identity provider (IdP), often Microsoft® Active Directory®.

In many networks, the IT group would also need to configure endpoints with supplicants so that they could talk to the RADIUS server over the proper protocols. All of this ended up being a significant disincentive for IT admins, and that is why many WiFi networks are secured simply with an SSID and passphrase.

With the introduction of modern cloud RADIUS solutions, however, IT admins can virtually outsource the entire process for RADIUS authentication to WiFi and dynamic VLAN assignments. This Cloud RADIUS offering doesn’t focus on RADIUS only, but also acts as the identity management source of truth that can replace an on-prem Active Directory instance. It is available from the JumpCloud Directory Platform .

Cloud RADIUS and More

JumpCloud Directory Platform is everything a directory service was, and reimagines it for the cloud era. This includes endpoint management, identity and access management, single sign-on, multi-factor authentication, and network authentication tools such as Cloud RADIUS. Relatively new to the JumpCloud Suite is dynamic VLAN assignment functionality, so network administrators can better authorize their users’ access to crucial network resources. This feature just adds one more log to the bright flame of this cloud directory.

Interested in dynamic VLAN assignment and the rest of what the platform has to offer? Contact us, or check out our knowledge base to learn more.

Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.


Network Guys


How to use 802.1x/mac-auth and dynamic VLAN assignment

Hello guys! Today I want to show you how to secure your edge switches with 802.1X and MAC authentication fallback in combination with HPE Comware-based switches. The 802.1X protocol is used for network access control. For devices like printers, cameras, etc. we will use MAC authentication as a fallback. We will also use dynamic VLAN assignment for the connected ports.

Our RADIUS server will be Microsoft NPS. You can activate this role on the Windows server:

(screenshot)

After the installation, open the NPS console and register the RADIUS server in your Active Directory:

(screenshot)

Add your switches or your management network as a RADIUS client:

(screenshot)

The shared secret will be used in the switch configuration. I created two groups within my test environment:

  • “VLAN2-802.1x” containing computer accounts
  • “VLAN3-MAC-Auth” containing user accounts (username + password = MAC address of the device)

So we will now configure two network policies for our network access control:

(screenshot)

I also configured a NAS Identifier condition so no other device can use the RADIUS server. The clients will use their computer certificate, so you will need a running internal certification authority. Choose PEAP only as the authentication method:

(screenshot)

The next step is our dynamic VLAN assignment. Dot1x devices are bound to VLAN 2:

(screenshot)

The final dot1x configuration in the NPS:

(screenshot)

The second network policy is for the MAC-based authentication:

(screenshot)

Comware switches send MAC-auth requests via PAP (maybe you know how to change it to CHAP):

(screenshot)

Final MAC auth profile:

(screenshot)

Now we have built our authentication server. Let’s go to the switch configuration. You have global configuration parameters and parameters for each interface. The safest way is to use the interface-range command for your configuration. Users who can’t authenticate will be forced into VLAN 999 (quarantine VLAN with no gateway). Here are the global parameters with explanations inline:

Now we will configure the interfaces:

The last part is to configure all Windows clients to send 802.1X authentication data on the wired network. I’ve done this via a global group policy. You can find the settings under Computer Configuration / Policies / Windows Settings / Security Settings / Wired Network (IEEE 802.3) Policies:

(screenshot)

So what does a working 802.1X authentication look like?

%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.

Successful MAC authentication of a printer:

%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.
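The two Comware log lines above can be checked automatically. The following is an added example (it is not code from this post, nor from HPE or Microsoft) that parses DOT1X_LOGIN_SUCC and MACA_LOGIN_SUCC lines and compares the AuthorizationVLANID each client received against the two NPS policies described above (802.1X clients in VLAN 2, MAC-auth devices in VLAN 3, nothing in the quarantine VLAN 999). For MAC-auth logins it also checks that the account name matches the client MAC, since those accounts are named after the MAC address. The first two sample lines are the ones quoted in the post; the third is constructed to show a mismatch. The field regexes and the policy table are assumptions of the example.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the original post: parse Comware
# DOT1X_LOGIN_SUCC / MACA_LOGIN_SUCC syslog lines and check that every
# client was authorized into the VLAN its NPS policy is meant to return.

# Expected AuthorizationVLANID per login event, taken from the two NPS
# policies in the post: 802.1X clients -> VLAN 2, MAC-auth devices -> VLAN 3.
EXPECTED_VLAN = {"DOT1X_LOGIN_SUCC": 2, "MACA_LOGIN_SUCC": 3}
QUARANTINE_VLAN = 999  # unauthenticated clients land here (no gateway)

# Header shape: "%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC:"
HEADER_RE = re.compile(
    r"^%(\w+)\s+(\d+)\s+([\d:]+)\s+(\d{4})\s+(\S+)\s+(\S+?)/\d+/(\w+):"
)
# Fields are written as "-Key=Value" with inconsistent spacing around them.
FIELD_RES = {
    "ifname": re.compile(r"-IfName=([^\s-]+)"),
    "mac": re.compile(r"-MACAddr=([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"),
    "access_vlan": re.compile(r"-AccessVLANID=(\d+)"),
    "auth_vlan": re.compile(r"AuthorizationVLANID=\s*(\d+)"),
    "username": re.compile(r"-Username=\s*(\S+)"),
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a DOT1X/MACA login line, or None for anything else."""
    head = HEADER_RE.match(line)
    if head is None:
        return None
    month, day, clock, year, host, module, event = head.groups()
    rec: Dict[str, object] = {
        "timestamp": f"{month} {day} {year} {clock}",
        "host": host, "module": module, "event": event,
    }
    for key, rx in FIELD_RES.items():
        match = rx.search(line)
        if match is None:
            return None  # not a login line this parser understands
        rec[key] = match.group(1)
    rec["access_vlan"] = int(rec["access_vlan"])
    rec["auth_vlan"] = int(rec["auth_vlan"])
    return rec


def check_record(rec: Dict[str, object]) -> List[str]:
    """Compare one successful login against the VLAN policy; return findings."""
    findings: List[str] = []
    event = str(rec["event"])
    expected = EXPECTED_VLAN.get(event)
    if expected is None:
        return [f"unhandled login event {event}"]
    auth_vlan = int(rec["auth_vlan"])
    if auth_vlan == QUARANTINE_VLAN:
        findings.append(f"{event} on {rec['ifname']} was authorized into quarantine VLAN {QUARANTINE_VLAN}")
    elif auth_vlan != expected:
        findings.append(f"{event} on {rec['ifname']} got VLAN {auth_vlan}, policy expects {expected}")
    if event == "MACA_LOGIN_SUCC":
        # MAC-auth accounts are named after the MAC (the VLAN3-MAC-Auth group)
        if str(rec["username"]).lower() != str(rec["mac"]).replace("-", "").lower():
            findings.append(f"MAC-auth username {rec['username']} does not match client MAC {rec['mac']}")
    return findings


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every recognised login line and attach its policy findings."""
    results: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            results.append({"record": rec, "findings": check_record(rec)})
    return results


# The first two lines are quoted from the post; the third is a constructed
# anomaly: an 802.1X client that ended up in the MAC-auth VLAN.
SAMPLE_LINES = [
    "%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.",
    "%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.",
    "%Jan 3 02:05:10:004 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/11-MACAddr=0023-2415-42a4-AccessVLANID=1- AuthorizationVLANID=3 -Username= host/PC124.mycompany.local ; User passed 802.1X authentication and came online.",
]

if __name__ == "__main__":
    for item in audit(SAMPLE_LINES):
        rec = item["record"]
        status = "OK" if not item["findings"] else "; ".join(item["findings"])
        print(f"{rec['host']} {rec['ifname']} {rec['mac']} vlan={rec['auth_vlan']}: {status}")
```

Fed the switch syslog, this flags a client that a policy placed in the wrong VLAN as soon as it comes online, which is the usual symptom of a misordered or mis-conditioned NPS network policy.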

I tried to draw a flow chart that shows the authentication process; I hope it’s OK for you :)

(flow chart)

Do you have questions? Feel free to write them into the comments and I will try to answer.

Have a nice and sunny day!

/edit: If you can’t see success and failure events, follow this instruction: NPS / Radius Server is not logging

/edit 2018-05-14: I corrected the global and interface configuration; we had problems with the old configuration.

12 Responses

Thanks for this, I need to setup dynamic VLAN assignment in the near future but for Juniper equipment.

This at least gives me a good starting point, thanks for the write up.

Many thanks for the perfect tutorial on How to use 802.1x/Mac-Auth and dynamic VLAN assignment. Many of us can take help from it. Really nice.

Nice write-up. This was a great starting point for configuring the base for dynamic policies. Thanks!

hi Mike, how’s about hybrid port with voice-vlan? does it work?

thanks Tung Duong

we had several problems with this config, currently we are investigating hybrid ports with “port security” command. I will update this post if we have proven this version.

Can you tell me why I would do this over conventional static VLANs? What are the benefits of radius dynamic VLANs?

we have customers who want to divide the network for clients, printers and “special devices”. So you have different group/radius-policies to directly place the devices in the right VLAN. Dynamic VLAN is only a bonus feature which you can use. Of course, you can use only the 802.1x and Mac authentication for security purposes.

I’m on the desktop side of things, so apologies if I use any incorrect terminology here.

Our Infrastructure team are looking at introducing 8021x in our schools. They have a test setup where all 8021x devices pick up a data centre VLAN regardless of which building they’re in – eg 10.100.50.

Each building WIRED has its own unique IP – SchoolA=10.120, SchoolB = 10.130 and so on.

I’ve asked if the 8021x setup can be where 8021x devices in SchoolA will get 10.120.50; SchoolB will get 10.130.50

This would allow us to easily determine which building LaptopA actually is, in the same way as we can with our wired desktops. It also saves on SCCM boundary issues causing applications/updates to be pulled over the WAN rather than the LAN.

It’s been suggested that this may not be possible. Could someone confirm this?

Thanks in advance.

Hello! This is of course possible!

My idea (with examples):

SchoolA=10.120 (Location: Chicago) SchoolB=10.130 (Location: Dallas)

So at Chicago you will have VLAN 333, every device is getting an IP address with 10.120.x.x. At Dallas every device in VLAN 333 is getting an IP address with 10.130.x.x. So the VLAN ID “333” is the same at every school but the DHCP scope and default gateway have their own addresses. So the device is getting VLAN 333 at every location but another IP address. It’s very simple.

It’s not working if all schools are connected via Layer2 so VLAN333 can’t be a “standalone VLAN” at each geographical location.

Ask me any questions, I will try to help you.



Network Device Management with RADIUS Authentication using Windows NPS

The technologies used in our scenario today to deploy Network Device Management with RADIUS Authentication using Windows NPS are the following:

  • Microsoft Windows Server 2012 R2: Network Policy Server

Network Equipment

  • HP Aruba 2920
  • Cisco Catalyst 2960
  • Cisco ASA 5505 Firewall

You have heard many say AAA is the best security model for user access to and management of network devices. Well, it is, and as good professional practice, securing network devices using the Triple A process meets many of the security best practices of our day.

Authentication

Authentication is the first process. It provides a way of identifying a user who requires access to a network resource, typically by having the user enter a valid user name and password before access is granted. The process of authentication relies on each user requiring access having a unique set of criteria for gaining the appropriate access. The AAA server, which in our case is the Microsoft Network Policy Server, compares a user’s authentication credentials with the user credentials stored in a database, which in our case is Windows Active Directory. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.

Authorisation

Now that the user has been successfully authenticated, a user must gain authorisation for doing certain tasks. After logging into a network device for instance, the user may try to issue commands. The authorisation process determines whether the user has the authority to issue such commands. Authorisation simply is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorisation occurs within the context of authentication. Once you have authenticated a user, they may be authorised for different types of access or activity.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorisation, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS), for which we have used the Microsoft NPS server in our deployment.

Network Device Management with RADIUS Authentication using Windows NPS Step by Step Guide.

Step 1: Configure Active Directory Infrastructure

  • Create New Security Group on Active Directory

Add Network Administrators to Group Created

Configure NPS Server : IEEE 802.1X Authentication and Dynamic VLAN Assignment

Step 2: Configure RADIUS Infrastructure

  • RADIUS Clients
  • Connection Request Policies
  • Network Policies

Create RADIUS Client

Create RADIUS Client and Enable RADIUS Standard

Create Network Policy

Create Policy – Conditions

Then, in the Network Policies section, create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group whose members can authenticate (the accounts of the network administrators are in the AD group Network Admins in our example). The second condition, Authentication Type, selects PAP as the authentication protocol.

Then, in the Configure Authentication Methods window, uncheck all authentication types except Unencrypted authentication (PAP, SPAP).

Create Policy Constraints – Authentication Methods

Create Policy Settings – Standard Attributes

  • Framed-Protocol: PPP
  • Service-Type: Administrative

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Network Policy Condition

Create Connection Request Policy

Step 3: Configure Network Devices for RADIUS Authentication

For Cisco Devices – Create a Network Policy like the above but additionally include the following setting.

Under Vendor Specific we need to add a Cisco-AV-Pair to tell the router to go to privilege level 15: enter “shell:priv-lvl=15” in the Cisco-AV-Pair and select Next.
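To make concrete what the RADIUS server actually returns in the two cases on this page (the VLAN a client is steered into, as in the dynamic VLAN sections earlier, and administrative access for network admins as described in this section), here is an added example in Python. It is not code from any of the articles, from NPS or from Cisco. It encodes the standard attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID from RFC 2868/3580; Service-Type=Administrative and Framed-Protocol=PPP from RFC 2865; and the Cisco vendor-specific cisco-avpair shell:priv-lvl=15), wraps them in an Access-Accept whose Response Authenticator is keyed with the shared secret, and shows the checks a NAS performs before acting on the reply: authenticator verification, attribute length validation, and extraction of the VLAN or privilege level. The shared secret, request authenticator and identifier are constructed values, and the tag value 1 is a choice of the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Added example (not code from the articles, NPS or Cisco): encode and decode
# the RADIUS attributes that carry a VLAN assignment and administrative access.
# Attribute numbers and values are from RFC 2865/2868/3580 and Cisco's vendor
# dictionary; the secret, identifier and authenticator below are constructed.
ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL, ATTR_VENDOR_SPECIFIC = 6, 7, 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_ADMINISTRATIVE, FRAMED_PROTOCOL_PPP = 6, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # vendor id 9, vendor type 1 = cisco-avpair
CODE_ACCESS_ACCEPT = 2


def attr(atype: int, payload: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    if len(payload) > 253:
        raise ValueError("attribute payload too long")
    return bytes([atype, len(payload) + 2]) + payload


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a switch needs to place the client in a VLAN."""
    return (tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def admin_attributes(priv_level: int = 15) -> bytes:
    """Service-Type=Administrative, Framed-Protocol=PPP and shell:priv-lvl avpair."""
    avpair = f"shell:priv-lvl={priv_level}".encode()
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(avpair) + 2]) + avpair
    return (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
            + attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
            + attr(ATTR_VENDOR_SPECIFIC, vsa))


def build_access_accept(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Access-Accept; the Response Authenticator binds it to the request and the secret."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting the VLAN or privilege in a reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute blob into (type, payload) pairs, rejecting bad lengths."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """VLAN from the tunnel attributes, or None when the set is incomplete or wrong."""
    found: Dict[int, object] = {}
    for atype, payload in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(payload) == 4:
            found[atype] = int.from_bytes(payload[1:], "big")  # drop the tag byte
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and payload:
            # RFC 2868: a leading byte <= 0x1F is a tag, otherwise it belongs to the string
            text = payload[1:] if payload[0] <= 0x1F else payload
            found[atype] = text.decode("ascii", "replace")
    if (found.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and ATTR_TUNNEL_PRIVATE_GROUP_ID in found):
        return str(found[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    return None


def privilege_level(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Privilege level from a Cisco shell:priv-lvl avpair, or None if absent."""
    for atype, payload in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = payload[4], payload[5]
        text = payload[6:4 + vlen].decode("ascii", "replace")
        if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
            return int(text.split("=", 1)[1])
    return None
```

The two decoders deliberately return None rather than a partial result: a reply carrying Tunnel-Private-Group-ID without matching Tunnel-Type and Tunnel-Medium-Type, or a vendor attribute from a different vendor ID, should not change port membership or shell privilege. Likewise, a reply whose Response Authenticator does not verify under the shared secret configured on the RADIUS client is dropped before any attribute is looked at, which is why the secret entered on the switch and in NPS must match exactly.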

Configuring AAA on Cisco IOS

Configuring AAA for Cisco ASA

Configuring AAA on HP Aruba 2920 Switch

Enable and Specify RADIUS Authentication Server

Enable SSH Login via RADIUS

Enable Web Login via RADIUS

Enable Authentication and Accounting Parameters

PS: The following command is what gets everything working; without it you will get the error below:

Access denied: no user’s authorization info supplied by the RADIUS server

Golden Command to allow SSH Sessions to Switch

Verify and Troubleshoot

Check Switch RADIUS Authentication

Check Recent SSH Logins

On Microsoft NPS Server 2012 R2 – Launch Events Viewer

Check Authentication Informational Log Reporting

Check Event Logs

I hope you have enjoyed this article on Network Device Management with RADIUS Authentication using Windows NPS.

Follow these links for further understanding of the topic:

Published in Configuring, Design, Installing and Configuring, Networking and Switching



Questions tagged [dynamic-vlan-assignment]

The dynamic-vlan-assignment tag has no usage guidance.

  • NPS Dynamic VLAN Catch-All (windows-server-2019, dynamic-vlan-assignment)
  • Yealink phones fail to get IP once assigned voice VLAN via DHCP (Mikrotik)
  • How does VLAN subnetting work on IPv6?
  • DHCPS - single mac whitelist, multiple subnets
  • OpenWRT Dynamic VLAN (freeradius2)
  • dynamic VLANs on cheap Access Point after switch
  • 802.1x dynamic vlan assignment not assigning vlan.
  • Open vSwitch double VLAN tagging is ignored (kvm-virtualization, linux-networking, openvswitch)
  • Cisco switch VLANing based on MAC address
  • VLAN configuration
  • Assign VLAN per user credentials on VPN connections
  • How do I setup dynamic VLAN assignment on an autonomous Cisco 1142n? (access-point)
  • Vlan Management Policy Server (VMPS) Configuration and Management (cisco-catalyst)
  • Dynamic VLANs with FreeRadius, OpenLDAP & Cisco WLC
  • How do I dynamically hand out dhcp and automatically put specific pc's on a specified vlan? (network-design)
  • Freeradius on Linux with dynamic VLAN assignment via AD (active-directory)
  • Need help getting Dynamic VLAN Assignment working with RADIUS and Dell PowerConnect 3524 (dell-powerconnect)
  • How to configure FreeRadius to accept all authentication requests? (authentication)
  • Assign computers to specific VLANs with Dell PowerConnect 3524/6224 (mac-address)
IMAGES

  1. configuration_guide_for_802_1x_vlan_assignment_and_mab
  2. Segmenting Your Network with Dynamic VLAN Assignment
  3. Dynamic VLAN Assignment: Wireless
  4. Configure Dynamic VLAN Assignment with ISE and Catalyst 9800 Wireless
  5. configuration_guide_for_802_1x_vlan_assignment_and_mab
  6. How to implement Compound Authentication with Dynamic VLAN Assignment
VIDEO

  1. Network Policy API Meeting for 20240227

  2. Subnet Based VLANs

  3. Automatic VLAN assignment

  4. VLAN, INTER-VLAN, VTP, STATIC ROUTING, DYNAMIC NAT/PAT In One Video

  5. Configuring and Activating Policy Server

  6. [Cisco ISE Walkthrough Series] Dynamic VLAN

COMMENTS

  1. IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius

    How to Provision 802.1X Authentication Step By Step With Dynamic VLAN Assignment With Windows Radius Server For 802.1x Clients. ... (Network Policy Server) running on Windows Server 2012 R2. User Database : Active Directory; For Windows Infrastructure. Create NPS Server - Add Role on Windows Server 2012 R2; Create DHCP Scopes for VLANS;

  2. Configure a RADIUS Server and WLC for Dynamic VLAN Assignment

    This procedure explains how to configure the users in the RADIUS server and the RADIUS (IETF) attributes used to assign VLAN IDs to these users. Complete these steps: From the ACS GUI, click User Setup. In the User Setup window, enter a username in the User field and click Add/Edit.

  3. Configure Network Policies

    To configure a network policy for VLANs. On the NPS, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure. In the policy Properties dialog box, click the Settings tab.

  4. Configuring Dynamic VLAN Membership

    A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. When the host moves from a port on one switch in the network to a port on another switch in the network, that switch dynamically assigns the new port to the proper VLAN ...

  5. Configure Dynamic VLAN Assignment with ISE and Catalyst 9800 ...

    If your network is live, ensure that you understand the potential impact of any command. Background Information Dynamic VLAN Assignment with RADIUS Server. In most Wireless Local Area Network (WLAN) systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID).

  6. Switch [Dynamic VLAN]

    Conversely, administrator only needs to set switch port as trunk and fixed port and a few policies on RADIUS server for Dynamic VLAN Assignment. It mitigates considerable actions/jobs for network administrator. ... Set up NPS on Windows Server 2019. Open Network Policy Server and right-click on RADIUS Clients > New, to configure Friendly name ...

  7. Segmenting Your Network with Dynamic VLAN

    How it Works - Setting up Dynamic VLAN Assignment in Portnox CLEAR: 1. Enable Cloud RADIUS. In the CLEAR portal, create your one-click cloud RADIUS server: Go to Settings > Services > CLEAR RADIUS Service, and add your RADIUS service instance: And point your network equipment: wired switches and/or wireless controllers to work with these ...

  8. Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

    2. Add the NAS type and AD group membership conditions: (must be members of the students group to match this policy) 3. Select and configure an EAP type (note this may be PEAP or EAP-TLS - we've shown PEAP just as an example) 4. Configure the settings for this policy to assign any users which match this policy to VLAN 20: Once NPS has been ...

  9. How To Configure NPS and Active Directory For Dynamic Radius based Vlan

    How to Configure NPS and Active Directory For Dynamic Radius based Vlan assignment ===== This document is to describe the steps to configure NPS (Network Policy Server) with the below use case. Vlans need to be assigned based on different Radius group i.e Sales group to Vlan 10; Account group to Vlan 20. Steps: Open Active directory Users and ...

  10. 802.1X /w Dynamic VLAN Assignment

    As @PhilipDAth states the switch assigns the VLAN based on the information received back from the RADIUS (NPS) server. These are the attributes that need to be returned: Dynamic VLAN Assignment In lieu of CoA, MS switches can still dynamically assign a VLAN to a device by assigning the VLAN passed in the Tunnel-Pvt-Group-ID attribute. It may be necessary to perform dynamic VLAN assignment on a ...

  11. PDF VLAN assignment from a VLAN Membership Policy Server (VMPS).

    Step 1 configure terminal Enter global configuration mode. Step 2 vlan vlan-id Enter a VLAN ID, and enter VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. Note The available VLAN ID range for this command is 1 to 4094.

  12. Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

    2. Add the NAS type and AD group membership conditions (must be members of the staff group): 3. Select and configure an EAP type (note this may be PEAP or EAP-TLS - we've shown PEAP just as an example) 4. Configure the settings for this policy to assign any users which match this policy to VLAN 10: Students Policy. 1.

  13. What is Dynamic VLAN Assignment?

    The simple answer is that dynamic VLAN assignment (or VLAN steering as it is sometimes called) is an excellent technique used to build on the underlying core strategy to control network access. VLAN assignments build on the use of RADIUS to control access to the network. Via RADIUS integration, a WiFi access point (WAP) requires not only an ...

  14. How to use 802.1x/mac-auth and dynamic VLAN assignment

    Our radius server will be Microsoft NPS. You can activate this role on the Windows server: ... the next step is for our dynamic VLAN assignment. Dot1x devices are bound to VLAN 2: the final dot1x configuration in the NPS: the second network policy is for the mac-based authentication: Comware switches are sending MAC-Auth-requests via PAP (maybe ...

  15. Flexible authentication with dynamic VLAN assignment

    Flexible authentication with dynamic VLAN assignment. After successful authentication, a VLAN assignment policy can be applied to control the destination of the client. Dynamic VLAN assignment allows clients to connect to the network anywhere and, based on their credentials, they get placed in the correct VLAN irrespective of the ports to which ...

  16. switch

    If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port.

  17. Network Device Management with RADIUS Authentication using ...

    Step 1: Configure Active Directory Infrastructure. Create New Security Group on Active Directory. Specify Name for Security Group. Add Network Administrators to Group Created. Configure NPS Server : IEEE 802.1X Authentication and Dynamic VLAN Assignment. Step 2: Configure RADIUS Infrastructure.

  18. Newest 'dynamic-vlan-assignment' Questions

    I'm trying to add a flow to a KVM machine using Open vSwitch 1.10.2 for its networking, which double tags all traffic coming from one of the virtual machine's ports. I'm using the following command ... kvm-virtualization. linux-networking. vlan. openvswitch. dynamic-vlan-assignment. Itamar Tal. 1.

  19. PDF Configure Dynamic VLAN Assignment with ISE and Catalyst 9800 ...

    Configure the RADIUS (IETF) attributes used for dynamic VLAN Assignment Configure the Switch for Multiple VLANs Catalyst 9800 WLC Configuration Step 1. Configure the WLC with the Details of the Authentication Server Step 2. Configure the VLANs Step 3. Configure the WLANs (SSID) Step 4. Configure the Policy Profile Step 5.

  20. Configure Dynamic VLAN Assignment with NGWC and ACS 5.2

    If your network is live, make sure that you understand the potential impact of any command. Dynamic VLAN Assignment with RADIUS Server. In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology.

  21. PDF Configure a RADIUS Server and WLC for Dynamic VLAN Assignment

    Go to the user1's Edit page. From the User Edit page, scroll down to the Cisco Airespace RADIUS Attributes section. Check the check box next to the Aire-Interface-Name attribute and specify the name of the dynamic interface to be assigned upon successful user authentication. This example assigns the user to admin VLAN.