Skip to main content

1 Message


70 Points

Mon, Apr 28, 2014 4:05 AM

Active directory and VLAN match

Is it possible to change the VLAN of a user based on his/her AD group, using guest pass, captive portal or zero-it? I know that this can be done by authenticating users via 802.1x but we want to know if there's a way to do it using other types of authentication.


368 Messages


5.6K Points

7 years ago

DVLAN works by passing attributes to a RADIUS and receiving a reply of a VLAN ID called a "Tunnel-Private-Group-ID" so 1X is required to achieve that.

And you can only use 1X with the "Standard usage" or "HotSpot 2.0" Type of WLAN you create and only if choosing WPA or WPA2 (not Mixed).

That's because a user needs to authenticate before it gets an IP, so that the proper IP is given to a user, and that can only be achieved if a user is verified at Layer 2. Guest portals and such verify users at Layer 3 when a user already has an IP.