I have a question regarding Radius Server with Dynamic Vlan Assignment for SSD profiles.
Basically I would like to have Dynamic VLAN Assignment and VLAN pooling enabled. I am running 7.4.5 code version and whenever I enable Dynamic VLAN Assignment, it disabled the VLAN pooling. I did find a documentation that it is possible 7.4.1 version came that both dynamic vlan assignment and vlan pooling is possible, reference:
However; this is not working in code 7.4.5 code version. I would really like to have this feature that support vlan pooling with Radius because this setting in Cisco called RADIUS Server Overwrite interface, Meru called Radius With VLAN Pooling, allows us to have restricted access and unrestricted access at the same time based on the Network Policy server rules. This makes it easier to have users in groups tied to authentication where if a user is not allowed, will still have restricted access and allowed to have unrestricted access where server send a tag or called vlan id back to the controller to designate user in to a specific vlan.
I would like this as a feature request if any engineer see this if this is not possible or if it is possible, how to achieve it.
Thank You.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
According to the referred guide/method by you at the beginning of the conversation, you do not need to enable this option.
Please look at my config.
However, if you would like to use "VLAN assignment by FortiAP group" or "VLAN assignment by VLAN pool", you will need it. Please look at the below docs.
https://docs.fortinet.com/document/fortiap/7.6.0/fortiwifi-and-fortiap-configuration-guide/153336/vl...
https://docs.fortinet.com/document/fortiap/7.6.0/fortiwifi-and-fortiap-configuration-guide/84238/vla...
Just by having 'Dynamic VLAN assignment' enabled is enough to move hosts to the desired VLANs based on the policies in the RADIUS server. All the necessary host grouping is done through the RADIUS server policies. VLAN pooling is some basic technique to share the hosts in different VLANs just randomly to distribute the load.
Are you able to elaborate a bit more on what is not working when you have Dynamic VLAN assignment enabled? As per the document, it should assign clients round-robin to the VLANs just like in VLAN Pooling.
So, basically when I enable the Dynamic VLAN assignment, it turns off the VLAN pooling.
According to the link I pasted, you see for SSID interface, where we can enable dynamic vlan assignment and then specify the vlan pool which is not possible in 7.4.5 code version.
This commands below is not possible in the code version 7.4.5
config wireless-controller vap
edit "wifi.fap.02"
set ssid "Example_SSID"
set dynamic-vlan enable config vlan-name edit "data" set vlan-id 100 200 300 next edit "voip" set vlan-id 100 next end next end
To elaborate what is trying to accomplish that: there are two groups, Group A and Group B users in the windows server. Group A (Filtered Group with restriction, Group B Unfiltered) , When a user connect to 802.x , server will look at users in group and identify that this specific users is in filtered group and send the tag for example vlan 200 back to the controller, then controller process it and put the user in to vlan 200. Another example when a user connect who has full access, user connect to radius server and then the server looks up the policy and decide this user does have full access and then put in to vlan 300.
Instead of user put in to one vlan, I need multiple filtered vlans that a user have limited right to be placed on by the Radius server. That is the question, what configuration would accomplish this both to have multiple restricted vlans that a user can be placed on based based on the Radius server NPS policy defined to pass a tag called 300 if user found to be unfiltered.
Just by having 'Dynamic VLAN assignment' enabled is enough to move hosts to the desired VLANs based on the policies in the RADIUS server. All the necessary host grouping is done through the RADIUS server policies. VLAN pooling is some basic technique to share the hosts in different VLANs just randomly to distribute the load.
Created on 10-01-2024 10:23 AM Edited on 10-01-2024 10:24 AM
When radius server sends the override tag let's say place a user to filtered vlan, controller has to place the client in to the desired vlan which vlan-pooling will full fill the function. So, as it is without using VLAN Pooling, suppose we have filtered vlans 100,200,300, 400 vlans and does this mean that user will be always placed only in vlan 100 , not 200, 300, 400 filtered vlans if according to the policy of radius server put a client to filtered vlan? Therefore; like you said the load balancing option is not available.
The new feature you are mentioning 'Dynamic VLAN assignment with multiple VLAN IDs per Name Tag' isn't related to the 'VLAN pooling' and for now seems configurable only from the CLI.
As shown in the guide, if the RADIUS server is configured to respond with a tag, it will round robing to up to 8 different VLANs:
This update allows for multiple VLAN IDs to be configured per name tag, up to a maximum of 8 VLAN IDs. Once wireless clients connect to the SSID, the FortiGate wireless controller can assign the VLAN ID by a Round-robin method from the pool to ensure optimal utilization of VLAN resources.
and with the pool it refers to:
config vlan-name
edit "data"
set vlan-id 100 200 300
not to:
set vlan-pooling round-robin
config vlan-pool
edit 3
next
Hi,
I have tested the below-explained configuration in my lab with FOS 7.4.5 and it works properly.
FGT 60 F Version 7.4.5
Radius FortiNAC
The below part of the configuration is just to assign the VLAN ID by a Round-robin method from the pool to ensure optimal utilization of VLAN resources.
config vlan-name edit "data" set vlan-id 100 200 300 next edit "voip" set vlan-id 100 next
When you use the configuration, you need to send from the Radius server "data" or "VoIP" values with the "tunnel-private-group-id" attribute instead of sending a VLAN ID.
On the other hand, you do not have to use "config vlan-name" configuration. In that case, you just need to send a VLAN ID with "tunnel-private-group-id", the host will have the VLAN ID directly sent by Radius "tunnel-private-group-id".
Created on 09-29-2024 09:12 PM Edited on 09-29-2024 09:21 PM
Hello!
You do not have this command defined-
set dynamic-vlan enable
In GUI, if I enable dyamic vlan, it disables vlan pooling. So, without defining set dynamic vlan enable and have vlan ids define like you tested, would send radius override tag still work? Also, set vlan id 100 200 300 , does this enable vlan pooling or if not where to enable vlan pooling? My understanding is set dynamic-vlan enable will enable radius to send the tag id and select any vlan defined by set vlan-id 100 200 300 command.
Hi,
I have configured "set dynamic-vlan enable" and "config vlan-name". I checked it again and disabled and enabled "set dynamic-vlan enable" option via GUI but it did not remove any config under SSID.
If you have only "set dynamic-vlan enable", you need to send the VLAN ID directly from your Radius with "Tunnel-private-group-ID".
If you have "set dynamic-vlan enable" and "config vlan-name", you need to send tag like "data" or whatever you configured.
When you use the "config vlan-name", FGT should assign the next VLAN to the next client like below.
Client 1 --> VLAN 100
Client 2 --> VLAN 200
Client 3 -->VLAN 300
Client 4--> VLAN 100
However when you set just "set dynamic-vlan enable", you need to send VLAN ID directly and it should be assigned to the client.
What I am saying is if you enable dynamic-vlan enable in the GUI, it disable vlan pooling slider. That prevents assign multiple vlans in the 7.4.5 code version. Have you tried that?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.