★ How to place users with different attributes who connect to the same SSID into different VLANs

2022-09-23 18:30:11 Published

Network Topology

(topology diagram not reproduced)

Problem Description

Requirement: users who connect to the same SSID must be placed in different VLANs according to who they are. For example, on one SSID a guest enters VLAN 1, a student enters VLAN 2, and a teacher enters VLAN 3 or VLAN 4.

Process Analysis

This function relies on the RADIUS server returning an authorization attribute in its reply during authentication, with a different value for each class of user.

Many attributes can serve this purpose, for example Framed-AppleTalk-Zone or Framed-Pool; this article uses Framed-AppleTalk-Zone. Its value is a character string, not a number, which is what the vlan-group mapping needs.

After attribute conversion the wireless controller treats that string as the name of a vlan-group, so each distinct value selects a different vlan-group. Because the VLAN a client lands in is decided entirely by this reply, the Access-Accept must be authenticated with the RADIUS shared secret (the keys configured in the radius scheme below); a spoofed or tampered reply would otherwise be able to place a client in any VLAN.

Solution

This example uses Framed-AppleTalk-Zone. Any other attribute whose value is a character string could be used in the same way.

step 1: radius server user attribute

On the RADIUS server, give each user (or user group) a different value for the Framed-AppleTalk-Zone attribute in its reply items. The exact setup differs from one RADIUS server to another.

For example, use the values guest, student and teacher.

step 2: the AC converts the attribute

In the radius scheme, attribute translate turns on attribute translation and the attribute convert line maps Framed-AppleTalk-Zone received in the Access-Accept to the internal attribute the AC uses for vlan-group authorization. The 802.1X service template, ISP domain and radius scheme are shown together below; xxx marks values to fill in for your own deployment.

#
wlan service-template 1
 ssid H3C
 user-isolation enable
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 security-ie wpa
 client-security authentication-mode dot1x
 dot1x domain dot1x
 service-template enable
#
domain dot1x
 nas-id xxx
 authentication lan-access radius-scheme dot1x
 authorization lan-access radius-scheme dot1x        #authorization must also use the scheme, or the reply attribute is never applied
 accounting lan-access radius-scheme dot1x
#
radius scheme dot1x
 primary authentication xxx
 primary accounting xxx
 accounting-on enable
 accounting-on extended
 key authentication cipher $c$3$u2v6ya9HDgCcdcI6oG9yPbz49UHgzQ==
 key accounting cipher $c$3$92LcqiEtIifEDHZDfjued5D0FJfbHA==
 user-name-format without-domain
 attribute translate        #enable translation before adding convert rules
 attribute 182 vendor-id 25506 vlan
 attribute convert Framed-AppleTalk-Zone to H3C-Microsegment-Id access-accept        #only applies to Access-Accept replies
#

step 3: define the vlan-groups

Create one vlan-group per attribute value. The vlan-group name must match the Framed-AppleTalk-Zone string returned in the Access-Accept exactly (case included); a reply whose value matches no group does not place the client in any of these VLANs. As usual, the VLANs in each list must exist on the AC and be carried on its uplink.

#
vlan-group guest        #name = Framed-AppleTalk-Zone value returned in the Access-Accept
 vlan-list 1
#
vlan-group student
 vlan-list 2
#
vlan-group teacher
 vlan-list 3 to 4
#
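The exchange described in the process analysis and carried out by the three steps above, as one added worked model. This is example code written for this page, not H3C's code or any RADIUS server's: the RADIUS server side builds an Access-Accept carrying Framed-AppleTalk-Zone (RFC 2865 attribute 39, a string), and the AC side verifies the Response Authenticator with the shared secret before reading the string and looking it up in the vlan-group table from step 3. The user names, the shared secret, the FreeRADIUS users-file syntax in the comment, and the choice to treat an unknown group name as "no authorization" are assumptions made for the example.

```python
"""Model of RADIUS-attribute-based dynamic VLAN assignment (example, not H3C code)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_FRAMED_APPLETALK_ZONE = 39  # RFC 2865 type 39, value is a string

# Constructed sample of the RADIUS server's per-user reply item (step 1).
# Assumed FreeRADIUS users-file equivalent for one user:
#   stu01  Cleartext-Password := "..."
#          Framed-AppleTalk-Zone = "student"
USER_ZONES = {"guest01": "guest", "stu01": "student", "prof01": "teacher"}

# The AC's vlan-group table from step 3, as a constructed lookup.
VLAN_GROUPS = {"guest": [1], "student": [2], "teacher": [3, 4]}

# Placeholder shared secret; the page shows its real keys only in encrypted form.
SECRET = b"example-shared-secret"


def build_access_accept(identifier, request_authenticator, zone, secret):
    """RADIUS server side: Access-Accept carrying Framed-AppleTalk-Zone = zone."""
    value = zone.encode()
    attrs = struct.pack("!BB", ATTR_FRAMED_APPLETALK_ZONE, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def ac_authorize(packet, request_authenticator, secret):
    """AC side: verify the reply, then turn the zone string into a VLAN list.

    Returns the vlan-list of the matching vlan-group, or None when the reply
    carries no zone or names a group the AC does not define (assumed handling,
    not documented H3C behaviour).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    if code != ACCESS_ACCEPT:
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    # Without this check, anyone who can spoof the server could hand out VLAN 3.
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: forged reply or wrong secret")
    zone = None
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_FRAMED_APPLETALK_ZONE:
            zone = value.decode("utf-8", "replace")
    if zone is None:
        return None
    return VLAN_GROUPS.get(zone)


def assign_vlan(username, secret=SECRET):
    """Full exchange for one user: server reply -> AC verification -> VLAN list."""
    request_authenticator = os.urandom(16)  # in reality taken from the Access-Request
    reply = build_access_accept(1, request_authenticator, USER_ZONES[username], secret)
    return ac_authorize(reply, request_authenticator, secret)


if __name__ == "__main__":
    for user, zone in USER_ZONES.items():
        print(f"{user}: Framed-AppleTalk-Zone={zone!r} -> vlan-list {assign_vlan(user)}")
```

The forged-reply path is the one worth trying: build the Access-Accept with a different secret and ac_authorize raises instead of assigning VLAN 3, which is exactly what the shared secret in the radius scheme buys you.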


