
Dynamic VLAN Authorization Guide

– Multi-element Authentication Mechanism Integrating MAC / Portal / RADIUS

1 Introduction

In modern enterprise wireless networks, with diverse terminal types and complex user identities, traditional static VLANs can no longer meet the requirements for flexible isolation and security control. Dynamic VLAN authorization technology achieves efficient isolation of multiple users with different network policies under the same SSID through identity-based automatic allocation mechanisms.
The Asterfusion wireless solution, based on OpenWiFi architecture, extends support for enterprise-grade network access control features, including role mapping and dynamic isolation mechanisms. After terminal access, VLANs can be automatically allocated according to preset policies, achieving “connect and isolate” elastic network security capabilities to meet multi-tenant and fine-grained permission control requirements.

2 Technical Background and Pain Points

Traditional static VLAN configuration methods typically require network administrators to pre-partition fixed VLANs on switches and wireless access points and configure corresponding VLANs for different SSIDs. This model has many limitations:
Complex Configuration: When adding new user groups or business requirements, manual VLAN configuration modifications are required, resulting in long deployment cycles and error-prone operations.
Spectrum Overhead: To distinguish different users, multiple SSIDs are often used, but this occupies wireless spectrum resources, affecting signal coverage and terminal roaming experience.
Identity Blind Spots: Static VLANs cannot dynamically adjust network permissions based on actual user identity, making security policies difficult to refine.
Operational Pressure: As the scale of access devices expands, the maintenance cost and troubleshooting difficulty of static management increase exponentially.
Dynamic VLAN authorization technology combines 802.1X identity authentication with RADIUS servers to achieve VLAN dynamic allocation based on user identity. After successful access authentication, the wireless controller delivers the VLAN ID returned by RADIUS to the access point in real-time, achieving automatic binding between users and VLANs.

3 Basic Principles of Dynamic VLAN Authorization

Basic Process:
  1. After the terminal connects to the wireless network, it performs PSK authentication (see the schematic below)
  2. AP redirects the client to Portal for identity authentication.
  3. Portal forwards the authentication request to the RADIUS server, RADIUS returns dynamic VLAN allocation information.
  4. Portal forwards VLAN information to AP, AP binds the terminal to the corresponding VLAN, allowing access.
  5. When authentication fails, Portal displays failure prompt, denying access.
PSK Authentication and Dynamic VLAN Authorization Schematic

4 Asterfusion OpenWiFi Dynamic VLAN Authorization Solution

Traditional Portal-based dynamic VLAN authorization solutions commonly have problems such as complex authentication processes, the need for re-authentication during roaming, and a fragmented user experience. Asterfusion has conducted deep optimization and enhancement based on the OpenWiFi architecture, introducing a MAC authentication automatic recognition mechanism and an access policy cache synchronization mechanism, enabling terminals to roam seamlessly throughout the campus after completing initial authentication without repeated login, while keeping the same VLAN ID, truly achieving “authenticate once, roam throughout the network”.

4.1 STA Initial Access

Scenario Description

  • AP local authentication method is WPA2
  • Default VLAN 401, IP address segment 192.168.17.xx
  • Authorized VLAN 403, IP address segment 192.168.18.xx
  • STA initially connects to AP, enters username and password on the pop-up portal page
  • Obtains the IP address corresponding to VLAN 403

Process Description

Default VLAN 401 IP Acquisition
① STA performs PSK authentication on first access
② After PSK authentication passes, the AP authenticates with the RADIUS server using the STA's MAC address as both username and password
③ The RADIUS server has no entry for this MAC and returns the default VLAN 401
④ PSK authentication ends
⑤ STA obtains an address 192.168.17.xx from the DHCP pool of default VLAN 401

Portal Redirection for Username/Password Authentication
⑥ STA sends an HTTP request; the AP redirects it to the Portal server and the portal login page appears
⑦ STA submits its own username and password, which the Portal forwards to the RADIUS server for a second authentication
⑧ After the RADIUS server verifies the username and password, it records the MAC-to-VLAN mapping in its database and returns the success result, and the Portal redirects the STA to the authentication success page
⑨ STA loads the authentication success page it was redirected to
Note: At this point the STA still holds the default VLAN 401 address 192.168.17.xx

STA Re-obtains IP

⑩ Because the authorized VLAN differs from the one the STA is currently bound to, the RADIUS server sends a Disconnect-Request (RFC 5176) to the AP
⑪ The AP disconnects the STA and answers the RADIUS server with Disconnect-ACK
⑫ STA re-associates and performs PSK authentication again, followed by MAC authentication (username and password are both the STA's MAC address)
⑬ This time the RADIUS server finds the MAC entry recorded in step ⑧ and returns VLAN 403 to the AP
⑭ The AP updates its local MAC-VLAN table entry; PSK authentication ends
⑮ STA requests an address from the VLAN 403 DHCP pool and obtains 192.168.18.xx

Process Flow Chart

4.2 STA Reconnection After Disconnection

Scenario Description

  • DHCP lease time is 30 minutes, RADIUS MAC aging time is 30 minutes
  • AP local authentication method is WPA2
  • Default VLAN 401, IP address segment 192.168.17.xx
  • Authorized VLAN 403, IP address segment 192.168.18.xx
  • STA disconnects from AP and reconnects after 15 minutes, no portal page popup
  • Obtains IP address corresponding to VLAN 403

Process Description

Direct PSK+MAC Authentication
① STA performs PSK authentication on access
② Once PSK authentication has established the encrypted channel, the AP authenticates with the RADIUS server using the STA's MAC address as both username and password
③ The RADIUS server still holds an entry for this MAC (the aging time has not elapsed) and returns VLAN 403
④ PSK authentication ends
⑤ STA requests an IP address in VLAN 403
⑥ STA obtains IP address 192.168.18.xx
Note: If the STA is disconnected from the AP only briefly, for 2-3 seconds, most terminals do not send a new DHCP Discover, but a few still do.

Process Flow Chart

4.3 STA Roaming

Scenario Description

  • DHCP lease time is 30 minutes, RADIUS MAC aging time is 30 minutes
  • AP local authentication method is WPA2
  • Default VLAN 401, IP address segment 192.168.17.xx
  • Authorized VLAN 403, IP address segment 192.168.18.xx
  • After STA roams from AP1 to AP2, no portal page popup
  • After roaming to AP2, still has VLAN 403 address, client unaware

Process Description

Direct PSK+MAC Authentication

① STA leaves AP1 and roams to AP2
② STA performs PSK authentication with AP2 and establishes the encrypted channel
③ AP2 authenticates with the RADIUS server using the STA's MAC as both username and password
④ The RADIUS server still holds an entry for this MAC and returns the VLAN; PSK authentication ends
⑤ AP2 updates its local MAC-VLAN table
⑥ STA sends no DHCP Discover and keeps its address in the VLAN 403 segment

Note: If the STA supports 802.11r fast BSS transition, the 4-way handshake of PSK authentication is skipped on the roam, which shortens the roaming process

Process Flow Chart
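The server-side decision that the three scenarios above depend on, as an added example that is not part of this guide or of Asterfusion's code: a RADIUS-side MAC-to-VLAN table that a portal login fills, that every MAC authentication consults, and that ages out after the configured 30 minutes. The page does not say whether the aging timer restarts on each successful MAC authentication; this model restarts it, which is an assumption. The user database, STA MAC and timestamps are constructed.

```python
"""Model of the RADIUS-side MAC cache behind sections 4.1 to 4.3.

Added example, not Asterfusion/OpenWiFi code. Only the server's decision logic is
modelled: the MAC-to-VLAN table, its aging, and the Disconnect-Request trigger.
Assumption: the aging timer restarts on every successful MAC authentication.
"""
import hmac
from dataclasses import dataclass, field

DEFAULT_VLAN = 401              # pre-authorization VLAN (192.168.17.x in the scenarios)
AGING_SECONDS = 30 * 60         # RADIUS MAC aging time from sections 4.2 and 4.3

# Constructed user database: username -> (password, authorized VLAN)
USERS = {"alice": ("s3cret", 403)}


@dataclass
class RadiusServer:
    mac_table: dict = field(default_factory=dict)     # mac -> (vlan, last_auth_time)
    disconnects: list = field(default_factory=list)   # MACs a Disconnect-Request was sent for

    def mac_auth(self, mac, now):
        """Answer the AP's MAC authentication (User-Name = User-Password = MAC).

        Returns the VLAN to bind: the cached one while the entry is fresh, else DEFAULT_VLAN.
        """
        entry = self.mac_table.get(mac)
        if entry is None:
            return DEFAULT_VLAN
        vlan, last_auth = entry
        if now - last_auth > AGING_SECONDS:
            del self.mac_table[mac]         # aged out: the user has to pass the portal again
            return DEFAULT_VLAN
        self.mac_table[mac] = (vlan, now)   # assumption: aging restarts on each successful auth
        return vlan

    def portal_login(self, mac, username, password, current_vlan, now):
        """Answer the portal's username/password authentication (steps 7 to 10 of 4.1).

        On success the MAC-to-VLAN mapping is stored; if the authorized VLAN differs from
        the one the STA is bound to now, a Disconnect-Request is queued so the STA
        re-associates and picks up the new VLAN through MAC authentication.
        """
        cred = USERS.get(username)
        if cred is None or not hmac.compare_digest(cred[0].encode(), password.encode()):
            return False
        vlan = cred[1]
        self.mac_table[mac] = (vlan, now)
        if vlan != current_vlan:
            self.disconnects.append(mac)
        return True


def run_scenarios():
    """Walk through 4.1 (initial access), 4.2 (reconnect) and 4.3 (roaming) on one server."""
    srv = RadiusServer()
    mac = "aa:bb:cc:dd:ee:01"      # constructed STA MAC
    t = 0
    r = {}
    # 4.1: unknown MAC lands in the default VLAN, logs in on the portal, is disconnected,
    #      and the next MAC authentication returns the authorized VLAN
    r["first_assoc"] = srv.mac_auth(mac, t)
    r["portal_ok"] = srv.portal_login(mac, "alice", "s3cret", r["first_assoc"], t)
    r["disconnect_sent"] = mac in srv.disconnects
    r["after_login"] = srv.mac_auth(mac, t + 5)
    # 4.2: drop and reconnect 15 minutes later, inside the aging time: no portal needed
    r["reconnect_15min"] = srv.mac_auth(mac, t + 15 * 60)
    # 4.3: roam to AP2 a minute later: the table lives on the server, so AP2 sees the same VLAN
    r["roam_ap2"] = srv.mac_auth(mac, t + 16 * 60)
    # No association for longer than the aging time: the entry expires, back to the default VLAN
    r["after_aging"] = srv.mac_auth(mac, t + 16 * 60 + AGING_SECONDS + 1)
    # A wrong password never writes the table
    r["wrong_password"] = srv.portal_login(mac, "alice", "wrong", DEFAULT_VLAN, t)
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The table is keyed on the MAC the client presents at association, which is not a secret, so the aging time is what bounds how long an authorization outlives the session that earned it; keep it as short as the roaming and reconnect requirements allow.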

5 Asterfusion OpenWiFi AP Dynamic VLAN Configuration

– Navigate to Organization -> Venue -> Configuration -> Wireless Configuration Template -> Add Wireless Configuration

  • Configure template name, corresponding AP model, configuration tags, system time zone and LED

  • Switch to Service Activation, configure SSID, WiFi band, VLAN ID, local authentication method and password, enable Force Portal Authentication (Portal)
  • Switch to Security and Services, configure Force Portal Authentication method as External-UAM
  • Under External UAM, configure domain whitelist (Portal server domain name or IP), External-UAM server, External-UAM key, External UAM-Port, Probe Port, NAS ID
  • Continue under External UAM to configure authentication server, authentication key, authentication port. If audit requirements exist, corresponding fields can also be configured. Other fields without * can be configured as needed.
  • After configuration is complete, click the save button in the upper right corner to complete wireless configuration template saving
  • Deploy configuration to AP, click the push button in the upper right corner of the wireless configuration template, select the MAC address of the AP to deploy, click push configuration

6 Appendix

6.1 RADIUS Authentication Packet

Identifier: Matches a response to its request; a request and its response carry the same ID
User-Name: Terminal MAC address
User-Password: Terminal MAC address (hidden on the wire with the shared secret, as RFC 2865 requires)
Acct-Session-Id: Used for accounting, identifies each session
Called-Station-Id: AP MAC address:SSID
Calling-Station-Id: Terminal MAC address
NAS-IP-Address: IP of the AP's service interface. NAS stands for Network Access Server (RFC 2865), the device that terminates client access and talks to RADIUS; here it is the AP
NAS-Identifier: NAS identifier
Service-Type: Call-Check (10), the value conventionally used for MAC-address authentication requests
NAS-Port-Type: Type of port the client attached through (Wireless-IEEE-802.11 for an AP)
NAS-Port: Port number on the NAS that the client is attached to

6.2 RADIUS Response Packet

Filter-Id := "vlan:403"                 # Specifies the VLAN ID in the form vlan:<VLAN_ID>
Tunnel-Type := 13                       # Tunnel type; 13 means VLAN (RFC 2868)
Tunnel-Medium-Type := 6                 # Tunnel medium type; 6 means IEEE-802
Tunnel-Private-Group-Id := "403"        # The VLAN ID itself
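Both packets of 6.1 and 6.2 on the wire, as an added example that is not code from this guide, from Asterfusion, or from any RADIUS library: it builds the MAC-authentication Access-Request the AP sends (MAC as User-Name and as User-Password, Service-Type Call-Check), builds the Access-Accept carrying the four attributes above, and shows what the AP must do before trusting the VLAN in the reply: check the Identifier and the Response Authenticator, then decode the tagged Tunnel-* group with Filter-Id as the fallback. The shared secret, MACs, SSID, NAS address and identifier are constructed values.

```python
"""MAC-auth Access-Request (6.1) and VLAN extraction from the Access-Accept (6.2).

Added example, not Asterfusion/OpenWiFi code. Wire format per RFC 2865 (header, TLV
attributes, User-Password hiding, Response Authenticator) and RFC 2868 (tagged Tunnel-*).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FILTER_ID = 1, 2, 4, 6, 11
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 30, 31, 32, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CALL_CHECK = 10                          # Service-Type used for MAC authentication
WIRELESS_80211 = 19                      # NAS-Port-Type: Wireless-IEEE-802.11
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def attr(kind, value):
    """One Type-Length-Value attribute; Length includes the two header octets."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret || previous block)."""
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; the XOR chain is keyed on the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_mac_access_request(secret, ident, sta_mac, ap_mac, ssid, nas_ip, nas_id):
    """The request the AP sends after the PSK handshake: STA MAC as both User-Name and User-Password."""
    authenticator = os.urandom(16)
    mac = sta_mac.encode()
    attrs = (attr(USER_NAME, mac)
             + attr(USER_PASSWORD, hide_password(secret, authenticator, mac))
             + attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())
             + attr(CALLING_STATION_ID, mac)
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(payload):
    """Return [(type, value)], rejecting a Length that would overrun the packet or never advance."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute length")
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out

def build_access_accept(secret, request, vlan, tag=0):
    """Access-Accept with the four attributes of 6.2, sealed with the Response Authenticator."""
    tag_byte = bytes([tag])
    attrs = (attr(FILTER_ID, f"vlan:{vlan}".encode())
             + attr(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + attr(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
             + attr(TUNNEL_PRIVATE_GROUP_ID, (tag_byte if tag else b"") + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def vlan_from_accept(secret, request, response):
    """AP side: take the VLAN only from an authentic, well-formed Access-Accept for our request.

    A tag group with Tunnel-Type 13, Tunnel-Medium-Type 6 and a numeric Tunnel-Private-Group-Id
    wins; Filter-Id "vlan:<id>" is the fallback. Returns None when nothing usable is present.
    """
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return None
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None                       # wrong secret or tampered attributes
    groups, filter_vlan = {}, None
    for kind, val in parse_attrs(response[20:]):
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4 and val[0] <= 0x1F:
            groups.setdefault(val[0], {})[kind] = int.from_bytes(val[1:], "big")
        elif kind == TUNNEL_PRIVATE_GROUP_ID and val:
            tag, gid = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)   # RFC 2868 tag rule
            groups.setdefault(tag, {})[kind] = gid.decode("ascii", "replace")
        elif kind == FILTER_ID and val.lower().startswith(b"vlan:"):
            filter_vlan = val[5:].decode("ascii", "replace")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and g.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return int(filter_vlan) if filter_vlan and filter_vlan.isdigit() else None
```

The Response Authenticator check is the step that matters: without it, anyone who can reach the AP's RADIUS port could reply first with an Access-Accept naming whatever VLAN they like. Note also that the User-Password hiding is reversible by anyone holding the shared secret, and here the "password" is just the MAC, so the secret protects packet integrity rather than any credential.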

6.3 RADIUS Disconnect Packet

Code: Disconnect-ACK (41)
This is the AP's reply to the Disconnect-Request (code 40) that the RADIUS server sends in step ⑩ of section 4.1. The AP answers Disconnect-ACK (41) once it has dropped the session, or Disconnect-NAK (42) if it cannot (RFC 5176); the reply carries the same Identifier as the request.
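The Disconnect-Request / Disconnect-ACK exchange of steps ⑩ and ⑪ in section 4.1, as an added example that is not code from this guide or from Asterfusion: the RADIUS server builds a Disconnect-Request identifying the session by Calling-Station-Id and Acct-Session-Id, and the AP verifies the Request Authenticator before touching the session, then answers ACK or NAK. An unauthenticated request is silently dropped, which is what stops a forged packet from knocking clients off the network. Shared secret, MAC, session id and the AP's session table are constructed.

```python
"""Disconnect-Request / Disconnect-ACK exchange (RFC 5176 Dynamic Authorization).

Added example, not Asterfusion/OpenWiFi code. Codes: Disconnect-Request 40, Disconnect-ACK 41,
Disconnect-NAK 42. The request Authenticator is MD5 over the packet with that field zeroed plus
the shared secret; the ACK/NAK Authenticator is MD5 over its header, the request Authenticator,
its attributes and the secret.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503           # Error-Cause value defined in RFC 5176 3.5

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def attrs_of(packet):
    """Attributes after the 20-octet header as {type: value}; a Length under 2 would never advance."""
    i, out = 20, {}
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute")
        length = packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out[packet[i]] = packet[i + 2:i + length]
        i += length
    return out

def build_disconnect_request(secret, ident, sta_mac, session_id):
    """Server side (step 10): ask the AP to drop the session identified by MAC and Acct-Session-Id."""
    attrs = (attr(USER_NAME, sta_mac.encode())
             + attr(CALLING_STATION_ID, sta_mac.encode())
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs

def verify_request_authenticator(secret, packet):
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def handle_disconnect(secret, packet, sessions):
    """AP side (step 11): drop the session and answer Disconnect-ACK, or NAK if it is unknown.

    `sessions` maps Calling-Station-Id -> Acct-Session-Id for the STAs currently associated.
    A malformed or unauthenticated request is discarded with no reply, as RFC 5176 requires.
    """
    if (len(packet) < 20 or packet[0] != DISCONNECT_REQUEST
            or int.from_bytes(packet[2:4], "big") != len(packet)
            or not verify_request_authenticator(secret, packet)):
        return None
    attrs = attrs_of(packet)
    mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    session = attrs.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")
    if sessions.get(mac) == session:
        del sessions[mac]                 # the "AP actively disconnects the STA" step
        code, reply_attrs = DISCONNECT_ACK, b""
    else:
        code = DISCONNECT_NAK
        reply_attrs = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    header = struct.pack("!BBH", code, packet[1], 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + packet[4:20] + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs

def verify_response(secret, request, response):
    """Server side: check the ACK/NAK before acting on it (same Identifier, valid Authenticator)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The shared secret used for Dynamic Authorization should be distinct from the authentication secret and the AP's CoA listener should only accept packets from the configured RADIUS server address; the authenticator check above is necessary but is only as strong as the secret.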

6.4 DHCP Request, Reply Packet

Client MAC address: MAC address of the client requesting an IP address
Your (client) IP address: IP address assigned to the client

6.5 Portal Authentication, Authentication Success, Authentication Failure Pages
(portal UI can be configured as needed)