Active directory and VLAN match

Is it possible to change the VLAN of a user based on his/her AD group, using guest pass, captive portal or zero-it? I know that this can be done by authenticating users via 802.1x but we want to know if there's a way to do it using other types of authentication.

Erick Muller

Posted 4 years ago

Primož Marinšek, AlphaDog

DVLAN works by passing attributes to a RADIUS server and receiving a reply of a VLAN ID called a "Tunnel-Private-Group-ID", so 1X is required to achieve that.

And you can only use 1X with the "Standard usage" or "HotSpot 2.0" Type of WLAN you create and only if choosing WPA or WPA2 (not Mixed).

That's because a user needs to authenticate before it gets an IP, so that the proper IP is given to a user, and that can only be achieved if a user is verified at Layer 2. Guest portals and such verify users at Layer 3 when a user already has an IP.
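
Added example, not part of the original posts: a sketch of the RADIUS side of the dynamic VLAN exchange described in the answer above, mapping AD group membership to a VLAN and encoding/decoding the tunnel attributes an Access-Accept carries (Tunnel-Type and Tunnel-Medium-Type accompany Tunnel-Private-Group-ID per RFC 2868 and RFC 3580). The group DNs, VLAN numbers, quarantine fallback and function names are assumptions made for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

# Constructed policy: AD group DN -> VLAN ID (all names are hypothetical).
GROUP_VLAN = {
    "CN=Staff,OU=Groups,DC=example,DC=com": 20,
    "CN=Students,OU=Groups,DC=example,DC=com": 30,
}
QUARANTINE_VLAN = 999  # assumed fallback for users in no mapped group

def vlan_for_groups(member_of):
    """Return the VLAN of the first mapped group, else the quarantine VLAN."""
    return next((GROUP_VLAN[g] for g in member_of if g in GROUP_VLAN),
                QUARANTINE_VLAN)

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three tagged tunnel attributes carried in an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    def tagged_int(attr, value):
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    gid = bytes([tag]) + str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TT_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)) + gid)

def parse_vlan(data):
    """Return the VLAN ID only if all three attributes agree, else None."""
    seen, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        seen[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    tt = seen.get(TUNNEL_TYPE, b"")
    tmt = seen.get(TUNNEL_MEDIUM_TYPE, b"")
    gid = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (int.from_bytes(tt[1:], "big") != TT_VLAN
            or int.from_bytes(tmt[1:], "big") != TMT_IEEE_802):
        return None
    if gid and gid[0] <= 0x1F:  # leading byte <= 0x1F is a tag, not text
        gid = gid[1:]
    text = gid.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```

`parse_vlan` returns `None` when Tunnel-Private-Group-ID arrives without the matching Tunnel-Type and Tunnel-Medium-Type, which is a useful check when a client unexpectedly lands on the default VLAN.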