DynZone (Dynamic VLAN tagging) in SteelConnect

Solution Number:
S28025
Last Modified:
2017-05-05
Issue

Devices (and consequently users) can be dynamically mapped into zones. For non-enterprise SSIDs, this works via policy tags on user group, user or device objects, and setting one of the same tags on the desired zone. For enterprise SSIDs, the target zone VLAN tag is set on the RADIUS server.

DynZone can be activated in SteelConnect > WiFi > Broadcasts > DynZone.

Solution

Policy Tags

If you want to use DynZone mode for non-enterprise SSIDs you have to tag both the User (or User Group) and the Zone.
The User can be tagged in SteelConnect > Users > Users > Policy > Policy Tags.
In this section set a Policy Tag, e.g. Sales, for a specific User.
To match the User with a Zone, navigate to Network Design > Zones > VLAN > Policy Tags and set the same tag, Sales, on the Zone.

Next create an SSID broadcast for the Site in WiFi > Broadcasts > New Broadcast. After adding the new Broadcast you can edit it and enable DynZone.

When a WiFi Client Device connects to the SSID, the Access Point checks whether a tag on that User or Device matches a tag assigned to a Zone; if it does, the Client Device is moved into that Zone's VLAN. If no tag matches, the configured Default Zone is used as a fallback.

Policy Tag Priorities

  • Device Tags (as ordered in Device Policy Tags)
  • User Tags (as ordered in User Policy Tags)
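The priority order above, as an added Python example (not Riverbed code): it resolves which zone a client lands in from its device and user tags, with the Default Zone as the fallback. The zone table is constructed sample data, and reading the ordering as "first tag that matches any zone wins" is an assumption.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample data: each zone and the policy tags set on it
# (Network Design > Zones > VLAN > Policy Tags in the article).
ZONES: Dict[str, List[str]] = {
    "Sales-VLAN10": ["Sales"],
    "Eng-VLAN20": ["Engineering", "Lab"],
    "Guest-VLAN99": ["Guest"],
}


def select_zone(device_tags: Sequence[str], user_tags: Sequence[str],
                zones: Dict[str, List[str]], default_zone: str) -> Tuple[str, Optional[str]]:
    """Return (zone, matched_tag) for a connecting client.

    Assumed semantics of the Policy Tag Priorities section: device tags are
    tried first in their configured order, then user tags in theirs, and the
    first tag that is also set on a zone wins. If several zones share a tag
    the first configured zone is chosen (the article does not specify this);
    if nothing matches, the broadcast's Default Zone is returned with no tag.
    """
    for tag in [*device_tags, *user_tags]:
        for zone, zone_tags in zones.items():
            if tag in zone_tags:
                return zone, tag
    return default_zone, None


def explain(device_tags: Sequence[str], user_tags: Sequence[str],
            zones: Dict[str, List[str]], default_zone: str) -> str:
    """Readable trace for troubleshooting a client that landed in the wrong VLAN."""
    zone, tag = select_zone(device_tags, user_tags, zones, default_zone)
    if tag is None:
        return f"no device/user tag matches any zone -> fallback to Default Zone {zone}"
    # device tags are evaluated first, so a tag present there was matched as a device tag
    source = "device" if tag in device_tags else "user"
    return f"{source} tag {tag!r} matches zone {zone}"
```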

Radius/NPS

Using DynZone via Radius/NPS requires a RADIUS server and a WPA2 Enterprise SSID. When Radius is used for dynamic VLAN tagging, all other tags (Device, User and Zone tags) are ignored.

If DynZone is used in combination with Radius/NPS, the wireless clients are retagged into a specific VLAN using the following Radius attributes (as specified in RFC 3580, http://tools.ietf.org/html/rfc3580#section-3.31):

  • Tunnel-Type=VLAN (13)
  • Tunnel-Medium-Type=802
  • Tunnel-Private-Group-ID=VLANID
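An added example, not part of the article or of SteelConnect: it encodes the three RFC 3580 tunnel attributes as RADIUS attribute TLVs and parses them back out of an Access-Accept the way an access point would, rejecting malformed lengths, a non-VLAN Tunnel-Type, a non-802 medium and out-of-range VLAN IDs. The attribute numbers (64, 65, 81) and value codes (13, 6) are the RFC 2868/3580 ones; only the attribute list is handled, not the whole packet or its authenticator.

```python
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value for IEEE-802 (RFC 2868)


def _tlv(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Encode the three tunnel attributes for one VLAN; tag 0 means 'untagged group'."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN ID must be 1..4094 and tunnel tag 0..31")
    t = bytes([tag])  # tagged integer = 1 tag byte + 3-byte big-endian value
    return (_tlv(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list, rejecting truncated or overlapping lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def vlan_from_access_accept(attrs: bytes) -> Optional[int]:
    """Return the VLAN ID only if all three attributes are present and consistent.
    Tunnel-Private-Group-ID's first byte is a tag only when it is <= 0x1F; otherwise
    the whole string is the group ID (RFC 2868 section 3.6)."""
    found: Dict[int, bytes] = dict(parse_attributes(attrs))
    tt, tm, pg = (found.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if tt is None or tm is None or pg is None or len(tt) != 4 or len(tm) != 4:
        return None
    if (int.from_bytes(tt[1:], "big"), int.from_bytes(tm[1:], "big")) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        return None
    group = pg[1:] if pg and pg[0] <= 0x1F else pg
    vid = int(group) if group.isdigit() else 0
    return vid if 1 <= vid <= 4094 else None
```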

Please refer to the following Microsoft documentation to configure VLAN attributes for the Network Policy Server:

Configuring Radius on Windows Server for dynamic VLAN tagging

Windows Server required Roles:

  • Active Directory Domain Services
  • Active Directory Certificate Services
  • Network Policy and Access Services

  1. Add a Radius Client

    Open Network Policy Server > NPS (local) > Radius Clients and Servers > Radius Client.
    Now click on the menu Action > New. You will be presented with a screen where you are required to enter the configuration information explained below.

    Client Name:
    A friendly name for the RADIUS client, which makes it easy to identify. Call this something like RiverbedWireless. Make sure you remember what you called it as you will need to enter the same name in the next section Add a Connection Request Policy.

    Address (IP or DNS):
    The Internet Protocol version 4 (IPv4) address or the Domain Name System (DNS) name of the RADIUS client. In case you have more than one Radius Client (e.g. more than one Access Point) you can also enter a network range. If your Access Points are all in a unified IP address space you can simply add the range using standard CIDR format (such as 10.10.10.0/24).

    Shared secret:
    Shared secrets are used to verify that RADIUS messages are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

    When creating and using a shared secret:
    • Generate a random sequence at least 22 characters long
    • Use any standard alphanumeric and special characters
      • Special characters known to be working are
        ,;.:^!"$%&/()={[]}?\`+~*#-_<>|
      • Special characters which shouldn’t be used because they are known to be causing issues
        °@§ß´'
    • Make the shared secret up to 64 characters in length. To protect your NPS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters)
    • Change the shared secret often to protect your NPS server and your RADIUS clients from dictionary attacks
    • Make note of this password for use in section Configuring RADIUS on the SteelConnect
  2. Add a Connection Request Policy

    Open Network Policy Server > NPS (local) > Policies > Connection Request Policies.
    Now click on menu Action > New, then you will be presented with a screen where you have to enter the following configuration information.

    Policy name:
    Enter a name, in our example we have called it RiverbedWireless.

    Now add the following conditions:
    NAS Port Type: Wireless – IEEE 802.11
    Client Friendly Name: Name of the RADIUS Client configured above (in our case RiverbedWireless)

    Click Next, then hit Finish – The default settings are fine for the rest of the configuration.
     
  3. Add a Network Policy

    Open Network Policy Server > NPS (local) > Policies > Network Policies.
    Now click on menu Action > New, then you will be presented with a screen where you have to enter the following configuration information:

    Policy name:
    Enter a name, in our example we have called it RiverbedVLAN.

    Now add the following conditions:
    NAS Port Type: Wireless – IEEE 802.11
    User Groups: Name of the User Group you want to dynamically tag into a VLAN

    Click Next until you arrive at Configure Authentication Methods and add
    Microsoft: Protected EAP (PEAP) under EAP Types.
    In the section Less secure authentication methods, remove MS-CHAP and leave only MS-CHAPv2 enabled.

    Click Next until you arrive at Configure Settings and add to Radius-Attribute Standard:
    • Tunnel-Type: Virtual LANs (VLAN)
    • Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
    • Tunnel-Pvt-Group-ID: VLAN ID e.g. 1000

    Click Next, then hit Finish – The default settings are fine for the rest of the configuration.

Configuring RADIUS on the SteelConnect Manager

In SteelConnect Manager navigate to the Site that uses the Radius Server via Network Design > Sites > RADIUS and enter your Radius Server IP address and password (the shared secret of the Radius Client you configured earlier in Configuring Radius on Windows Server for dynamic VLAN tagging) in the following format:

ipaddress@password (e.g. 10.10.10.10@password)
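An added Python example serving both the shared-secret rules in step 1 above and the ipaddress@password entry format (not Riverbed code; the function names are my own): it generates a secret from the article's known-good alphabet with a CSPRNG, reports which rule a given secret breaks, and builds the SteelConnect RADIUS entry, refusing a secret that contains '@' since that character is the separator in the entry format.

```python
import secrets
import string
from typing import List

# Alphabets taken from the article's shared-secret guidance.
SAFE_SPECIALS = ',;.:^!"$%&/()={[]}?\\`+~*#-_<>|'
PROBLEM_CHARS = "°@§ß´'"
ALPHABET = string.ascii_letters + string.digits + SAFE_SPECIALS
MIN_LEN, MAX_LEN = 22, 64


def generate_shared_secret(length: int = 32) -> str:
    """Random secret from the known-good alphabet, using the CSPRNG in `secrets`."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_shared_secret(secret: str) -> List[str]:
    """Return the list of rule violations; an empty list means the secret is acceptable."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = "".join(sorted({c for c in secret if c in PROBLEM_CHARS}))
    if bad:
        problems.append(f"contains characters known to cause issues: {bad}")
    unknown = "".join(sorted({c for c in secret if c not in ALPHABET + PROBLEM_CHARS}))
    if unknown:
        problems.append(f"contains characters outside the known-good set: {unknown}")
    return problems


def steelconnect_radius_entry(server_ip: str, secret: str) -> str:
    """Build the ipaddress@password value for Network Design > Sites > RADIUS.

    '@' separates the address from the secret in this format, and the article
    lists it among the characters that cause issues, so a secret containing it
    (or breaking any other rule) is refused instead of producing a bad entry.
    """
    problems = check_shared_secret(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{server_ip}@{secret}"
```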

Next add an SSID in WiFi > SSIDs and choose WPA2 Enterprise security. Then navigate to WiFi > Broadcasts to begin broadcasting the Enterprise SSID at the applicable Sites and enable DynZone.

Environment

SteelConnect
