Description:
This article describes specific issues to be observed when using RADIUS authentication with dynamic VLAN assignment on LCOS LX access points.
This applies to any form of dynamic VLAN assignment, as a RADIUS server is required.
Requirements:
- LCOS LX as of version 5.32 Rel up to and including 6.14 RU1 (download latest version)
- LANconfig as of version 5.32 Rel (download latest version)
- Any browser for access via WEBconfig
- SSH client for command-line access to the access point (e.g. PuTTY)
Specific issues:
Exclusive dynamic VLAN ID:
The ID assigned by dynamic VLAN must not already be assigned to another SSID. It must be used exclusively for dynamic assignment.
Use an “untagged VLAN” for the WLAN profile of the dynamic VLAN:
When operating LCOS LX access points, no VLAN may be assigned to the WLAN profile used for dynamic VLAN assignment or the LAN interface. In other words, the WLAN profile must operate untagged.
Consequently, in scenarios with a mix of devices, different WLAN profiles must be used for LCOS and LCOS LX access points.
1) Standalone access point:
1.1) LANconfig:
1.1.1) Connect to the access point via LANconfig and switch to the menu Wireless-LAN → WLAN-Networks → Network.
1.1.2) Make sure that the profile used has a VLAN ID set to the value 0.
1.2) WEBconfig:
Using WEBconfig, connect to the access point, navigate to the menu Wi-Fi configuration → Networks and check that the VLAN ID is set to the value 0.
2) WLAN controller scenario:
2.1) Using LANconfig, connect to the WLAN controller and navigate to the menu WLAN Controller → Profiles → Logical WLAN networks (SSIDs).
2.2) Make sure that the profile used has the VLAN mode set to the option Untagged.
Assigning a fallback dynamic VLAN ID:
If a network user cannot be authenticated, a common requirement is for this user to be assigned a certain VLAN ID in order for them to access a default network (Fallback-Dynamic-VLAN-ID).
When operating LCOS LX access points, a fallback dynamic VLAN ID can only be set on the access point itself; it cannot be rolled out by a WLAN controller. Similarly, this parameter cannot be rolled out by script.
For this reason, the fallback dynamic VLAN ID has to be manually stored on each access point individually.
In a WLAN controller scenario, the settings rolled out by the controller are stored in the configuration of the LCOS LX access points, where they can be inspected and adjusted.
1) Configuration by LANconfig:
1.1) Connect to the access point via LANconfig and switch to the menu Wireless-LAN → RADIUS → RADIUS-Server.
1.2) In the relevant RADIUS profile, enter the parameter Fallback-Dynamic-VLAN-ID.
2) Configuration by WEBconfig:
2.1) Using WEBconfig, connect to the access point, navigate to the menu Wi-Fi configuration → Encryption and click Edit RADIUS profiles for the relevant network.
2.2) Enter the Fallback-Dynamic-VLAN-ID and click Save.
3) Configuration by command line:
3.1) Use the command line to connect to the access point and enter the command in the following format:
set setup/radius/radius-server <name of the RADIUS server profile> {Fallback-Dynamic-VLAN-ID} <VLAN-ID>
3.2) Enter the command flash so that the changes are boot-persistent.
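Added example (not part of the original article and not LANCOM code): a pre-deployment check that applies the three rules above to an inventory of LCOS LX access points and builds the command-line entries from step 3 for devices without a fallback ID. The AccessPoint record, the finding codes and all sample values are assumptions constructed for illustration; the inventory is not an LCOS LX export format.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessPoint:                      # hypothetical inventory record, not an LCOS LX export
    name: str
    ssid_vlans: dict                    # SSID -> statically configured VLAN ID (0 = untagged)
    dynamic_ssid: str                   # SSID whose clients get their VLAN from RADIUS
    radius_profile: str                 # RADIUS server profile name on the AP
    fallback_vlan: Optional[int] = None # Fallback-Dynamic-VLAN-ID on the AP, None = not set

def audit(ap, dynamic_vlans):
    """Return (code, detail) findings for one access point."""
    findings = []
    static = ap.ssid_vlans.get(ap.dynamic_ssid)
    if static != 0:                     # the dynamic-VLAN profile must operate untagged
        findings.append(("TAGGED_DYNAMIC_PROFILE",
                         f"{ap.dynamic_ssid} has VLAN ID {static}, expected 0"))
    for ssid, vlan in sorted(ap.ssid_vlans.items()):
        if ssid != ap.dynamic_ssid and vlan in dynamic_vlans:
            findings.append(("VLAN_NOT_EXCLUSIVE",
                             f"VLAN {vlan} is also set on SSID {ssid}"))
    if ap.fallback_vlan is None:        # must be stored on each AP individually
        findings.append(("NO_FALLBACK", "no Fallback-Dynamic-VLAN-ID stored on this AP"))
    return findings

def fallback_commands(ap, vlan_id):
    """Build the CLI lines in the format of step 3.1, followed by 'flash' (step 3.2)."""
    if not 1 <= vlan_id <= 4094:        # valid 802.1Q VLAN ID range
        raise ValueError(f"invalid VLAN ID {vlan_id}")
    return [f"set setup/radius/radius-server {ap.radius_profile} "
            f"{{Fallback-Dynamic-VLAN-ID}} {vlan_id}", "flash"]

# Constructed sample data: VLAN IDs the RADIUS server hands out, and two APs.
DYNAMIC_VLANS = {10, 20}
APS = [
    AccessPoint("ap-floor1", {"corp-dot1x": 0, "guest": 30}, "corp-dot1x", "RADIUS1", 99),
    AccessPoint("ap-floor2", {"corp-dot1x": 10, "iot": 20}, "corp-dot1x", "RADIUS1"),
]

if __name__ == "__main__":
    for ap in APS:
        for code, detail in audit(ap, DYNAMIC_VLANS):
            print(f"{ap.name}: {code}: {detail}")
        if ap.fallback_vlan is None:
            print(f"{ap.name}: " + " ; ".join(fallback_commands(ap, 99)))
```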