VLAN assignment by Name Tag
Typically, users are assigned to VLANs dynamically according to the Tunnel-Private-Group-Id RADIUS attribute returned in the Access-Accept message. The value can be either a number matching the VLAN ID of a VLAN interface, or a text string matching the name of a VLAN interface.

There is, however, another option: matching the value against a vlan-name table defined under the virtual AP. Each name can map to a single VLAN ID or to multiple VLAN IDs, up to a maximum of 8. When a name maps to multiple VLAN IDs, clients are assigned one of them in round-robin order, so that clients are spread evenly across the VLANs in the pool.
Example use case
In the following example scenario, the customer site has the following topology:

- A FortiAP broadcasts a bridge mode SSID with dynamic-vlan enabled.
- The FortiGate must assign VLAN ID 100 to a client whose vlan-name is "voip", and one of several VLAN IDs to a client whose vlan-name is "data".
| VLAN Name | VLAN ID |
|---|---|
| data | 100, 200, 300 (you can assign up to 8 VLAN IDs) |
| voip | 100 |
Instead of creating VLAN interfaces on the FortiGate named "data" and "voip", you can add a vlan-name table to the SSID:
To configure assigning VLAN IDs by VLAN name tag:
- Set up an SSID with dynamic-vlan enabled, and configure vlan-name entries with the IDs you want to assign under vlan-id:

  ```
  config wireless-controller vap
      edit "wifi.fap.02"
          set ssid "Example_SSID"
          set security wpa2-only-enterprise
          set voice-enterprise disable
          set auth radius
          set radius-server "peap"
          set schedule "always"
          set dynamic-vlan enable
          config vlan-name
              edit "data"
                  set vlan-id 100 200 300
              next
              edit "voip"
                  set vlan-id 100
              next
          end
      next
  end
  ```
- Create user accounts on the RADIUS server whose Tunnel-Private-Group-Id reply attribute matches the previously configured vlan-name entries. The syntax shown is that of a FreeRADIUS users file; the cleartext test passwords are for this lab example only.

  ```
  data    Cleartext-Password := "123456"
          Tunnel-Type = "VLAN",
          Tunnel-Medium-Type = "IEEE-802",
          Tunnel-Private-Group-Id = data

  voip    Cleartext-Password := "123456"
          Tunnel-Type = "VLAN",
          Tunnel-Medium-Type = "IEEE-802",
          Tunnel-Private-Group-Id = voip
  ```
Once wireless clients connect to the SSID, the FortiGate wireless controller assigns each client a VLAN ID based on the Tunnel-Private-Group-Id returned for it. If the Tunnel-Private-Group-Id is "voip", the client is assigned VLAN ID 100. If it is "data", the client is assigned VLAN ID 100, 200, or 300, selected in round-robin order across successive clients.
To verify the clients connect and are assigned to the correct VLAN ID:
- Connect four WiFi clients with user=data to verify that they are assigned VLAN IDs from the pool 100, 200, and 300 in round-robin order. After each connection, check the station list (for example, diagnose wireless-controller wlac -c sta) and confirm the vlan_id field:

  - The first client is assigned VLAN ID 100.

    ```
    vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.2 ip6=:: mac=00:0e:c9:9f:77:04 vci= host= user=data group= signal=-40 noise=-95 idle=25 bw=0 use=5 chan=48 radio_type=11N_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
    ```

  - The second client is assigned VLAN ID 200.

    ```
    vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=200 ip=100.2.10.2 ip6=:: mac=00:0e:ce:2d:e0:dd vci= host= user=data group= signal=-40 noise=-95 idle=0 bw=0 use=5 chan=48 radio_type=11N_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
    ```

  - The third client is assigned VLAN ID 300.

    ```
    vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=300 ip=100.3.10.2 ip6=fe80::20e:95ff:fef3:f124 mac=00:0e:95:f3:f1:24 vci= host= user=data group=peap signal=-41 noise=-95 idle=0 bw=0 use=5 chan=48 radio_type=11N_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,1.149.24.1:39198-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
    ```

  - The fourth client wraps around and is assigned VLAN ID 100 again.

    ```
    vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.3 ip6=:: mac=00:0e:44:9e:71:e5 vci= host= user=data group= signal=-40 noise=-95 idle=29 bw=0 use=5 chan=48 radio_type=11N_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
    ```
- As a comparison, connect two WiFi clients with user=voip. Both are assigned VLAN ID 100, because the VLAN name "voip" maps to a single ID:

  ```
  vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.5 ip6=fe80::20e:5cff:fe03:e411 mac=00:0e:5c:03:e4:11 vci= host= user=voip group=peap signal=-43 noise=-95 idle=14 bw=0 use=5 chan=48 radio_type=11N_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
  vf=2 mpId=6 wtp=2 rId=2 wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.4 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=voip group=peap signal=-39 noise=-95 idle=4 bw=0 use=5 chan=48 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,2.3.81.76:29193-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
  ```
- Check the per-VLAN assignment counts with the diagnostic command diagnose wpa wpad vlan-name <SSID_NAME>. The number in parentheses after each VLAN ID is how many clients are currently assigned to it, which here matches the four "data" clients (two on 100, one each on 200 and 300) and the two "voip" clients (both on 100):

  ```
  # diagnose wpa wpad vlan-name Example_SSID
  No SSID is configured in hostapd.
  No SSID is configured in hostapd.
  SSID config:
  SSID(Example_SSID) VAP(wifi.fap.02) refcnt(2)
  Vlan info (1): v100.wifi => 100
  Vlan info (2): v200.wifi => 200
  Vlan info (3): v300.wifi => 300
  Vlan info (4): wqtn.50.wifi.fa => 4093
  Vlan info (5): data => 100(2) 200(1) 300(1)
  Vlan info (6): voip => 100(2)
  ```
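The following Python is an added example, not FortiOS code, that models the two behaviours this page describes: a vlan-name table with round-robin assignment over a multi-ID pool (including the 8-ID limit), and the per-user VLAN tally that the verification steps and the diag output show. All class and function names in it are hypothetical; the station lines are the page's own output trimmed to the fields used; the controller's fallback to VLAN-interface name or ID matching when the attribute names no vlan-name entry is not modelled.

```python
"""Model of a vlan-name table with round-robin pools, plus a tally of
station-list lines (added example, not FortiOS code; names hypothetical)."""
import re
from collections import Counter, defaultdict

MAX_IDS_PER_NAME = 8  # limit stated on the page: up to 8 VLAN IDs per name


class VlanNameTable:
    """One SSID's 'config vlan-name' table: name -> ordered VLAN ID pool."""

    def __init__(self, table):
        self.pools = {}
        self._next = {}  # per-name round-robin cursor
        for name, ids in table.items():
            if not 1 <= len(ids) <= MAX_IDS_PER_NAME:
                raise ValueError(f"{name!r}: 1..{MAX_IDS_PER_NAME} VLAN IDs required")
            self.pools[name] = list(ids)
            self._next[name] = 0

    def assign(self, tunnel_private_group_id):
        """VLAN ID for a client whose Access-Accept carried this
        Tunnel-Private-Group-Id, or None if it names no vlan-name entry
        (fallback to VLAN interface name/ID matching is not modelled).
        Multi-ID pools hand out IDs in order and wrap around."""
        ids = self.pools.get(tunnel_private_group_id)
        if ids is None:
            return None
        i = self._next[tunnel_private_group_id]
        self._next[tunnel_private_group_id] = (i + 1) % len(ids)
        return ids[i]


def simulate(table, users):
    """Assign a VLAN to each connecting user in order; returns (user, vlan_id) pairs."""
    t = VlanNameTable(table)
    return [(u, t.assign(u)) for u in users]


# Station-list entries are space-separated key=value pairs; values may be empty
# (e.g. 'vci=') and may contain ':' or ',' (e.g. 'ip6=::', 'l3r=1,0').
STA_FIELD = re.compile(r"(?:^|\s)(\w+)=(\S*)")


def parse_station_line(line):
    """Parse one station-list line into a dict of its key=value fields."""
    return dict(STA_FIELD.findall(line))


def vlan_counts_by_user(lines):
    """Count vlan_id per RADIUS user over online stations; this is the
    'name => id(count) ...' view the diag output gives per vlan-name."""
    counts = defaultdict(Counter)
    for line in lines:
        sta = parse_station_line(line)
        if sta.get("online") == "yes" and sta.get("user"):
            counts[sta["user"]][int(sta["vlan_id"])] += 1
    return {user: dict(c) for user, c in counts.items()}


def format_vlan_info(name, counts):
    """Render counts the way the diag output does, e.g. 'data => 100(2) 200(1) 300(1)'."""
    return f"{name} => " + " ".join(f"{vid}({n})" for vid, n in sorted(counts.items()))


# Constructed sample input: the six station lines from the verification
# section above, trimmed to the fields this example reads.
STATION_LINES = [
    "wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.2 mac=00:0e:c9:9f:77:04 user=data group= online=yes",
    "wlan=wifi.fap.02 vlan_id=200 ip=100.2.10.2 mac=00:0e:ce:2d:e0:dd user=data group= online=yes",
    "wlan=wifi.fap.02 vlan_id=300 ip=100.3.10.2 mac=00:0e:95:f3:f1:24 user=data group=peap online=yes",
    "wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.3 mac=00:0e:44:9e:71:e5 user=data group= online=yes",
    "wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.5 mac=00:0e:5c:03:e4:11 user=voip group=peap online=yes",
    "wlan=wifi.fap.02 vlan_id=100 ip=100.1.10.4 mac=f8:e4:e3:d8:5e:af user=voip group=peap online=yes",
]

if __name__ == "__main__":
    table = {"data": [100, 200, 300], "voip": [100]}
    for user, vid in simulate(table, ["data"] * 4 + ["voip"] * 2):
        print(f"{user:5} -> VLAN {vid}")
    for name, counts in vlan_counts_by_user(STATION_LINES).items():
        print(format_vlan_info(name, counts))
```

Running it reproduces the sequence 100, 200, 300, 100 for the four "data" clients and 100, 100 for the two "voip" clients, and the tally over the station lines renders as data => 100(2) 200(1) 300(1) and voip => 100(2), the same counts the diag command reports. The model also rejects a pool of more than 8 IDs, mirroring the limit stated above.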