Vlan Assignment

vlan-assignment

Syntax

vlan-assignment (vlan-id | vlan-name);

Hierarchy Level

[edit protocols dot1x authenticator authentication-profile-name static mac-address]
[edit ethernet-switching-options authentication-whitelist]
[edit switch-options authentication-whitelist]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches.

Statement added to the [edit ethernet-switching-options authentication-whitelist] hierarchy in Junos OS Release 10.1 for EX Series switches.

Statement added to the [edit switch-options authentication-whitelist] hierarchy in Junos OS Release 13.2X50-D10 for EX Series switches.

Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.

Description

Configure the VLAN that is associated with the list of MAC addresses that are excluded from RADIUS authentication.

Options

vlan-id | vlan-name—The name of the VLAN or the VLAN tag identifier to associate with the device. The VLAN already exists on the switch.

Required Privilege Level

routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Modified: 2017-03-03

In my previous post, Wireless Network Segmentation Options, I described the need to minimize wireless SSIDs and provided 3 options for practical network segmentation within complex networks.

As a follow-up, I would like to briefly show administrators how to implement the second option, dynamic VLAN assignment. This allows a single SSID to serve multiple user roles tied to separate back-end network VLANs (as long as the same wireless authentication, key management, and encryption ciphers are used).

To prevent client devices from associating to the access point using an unauthorized VLAN, you can assign the user or group to a VLAN on your RADIUS authentication server.

The VLAN-mapping process consists of these steps:

  1. A client device associates to the access point using any SSID configured on the access point.
  2. The client begins RADIUS authentication.
  3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.

The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.

  • 64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  • 65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  • 81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to the VLAN name when using a Cisco IOS device (this excludes Aironet and Wireless Controllers, however).

Cisco Autonomous Environment Notes
Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) may not match the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a different cipher suite from the previously negotiated one, there is no way for the access point and client to switch to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

Cisco Unified Environment Notes
The Allow AAA Override option of a WLAN allows you to configure the WLAN for identity networking. It allows you to apply VLAN tagging, QoS, and ACLs to individual clients based on the returned RADIUS attributes from the AAA server.

Cisco wireless LAN controllers also support Airespace vendor specific attributes that can allow an administrator to define a WLC Interface-Name, QoS-Level, or Access Control List (ACL) to be applied to the user or group being authenticated.

RADIUS attribute 26 (Vendor Specific Attribute) should be used to configure the Airespace values. The Airespace Vendor ID is 14179.
  • Aire-Interface-Name (Type 5) should be a string matching the name of the WLC interface to map the user into
  • Aire-QoS-Level (Type 2) should be a value (0-3) mapping to the following QoS levels:
    • 0 = Bronze (Background)
    • 1 = Silver (Best Effort)
    • 2 = Gold (Video)
    • 3 = Platinum (Voice)
  • Aire-ACL-Name (Type 6) should be a string matching the name of the ACL to apply to the user session

Also, ensure that the RADIUS server is using a NAS type of "Cisco-Airespace" when returning Airespace VSAs; otherwise the attributes will not be returned to the controller. If not using Airespace VSAs, a NAS type of "Cisco-Aironet" will work.

Cheers,
Andrew
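
The attributes described above, decoded from the attribute section of an Access-Accept, as an added example that is not part of the original post. The function names and sample values are constructed for illustration; the tag-byte handling follows RFC 2868, and rejecting a VLAN ID that arrives without Tunnel-Type 13 and Tunnel-Medium-Type 6 is an assumption about what an administrator would want to verify.

```python
AIRESPACE_VENDOR_ID = 14179          # vendor ID given in the post
AIRE_SUBTYPES = {2: "qos_level", 5: "interface_name", 6: "acl_name"}

def tlv(attr_type, value):
    """Encode one attribute: type, length (2 header bytes included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_tlvs(blob):
    """Split a run of type/length/value attributes into (type, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def vlan_policy(attrs):
    """Extract the VLAN and Airespace policy from Access-Accept attributes."""
    policy = {"vlan": None}          # None: the SSID's local VLAN applies
    for atype, val in parse_tlvs(attrs):
        if atype in (64, 65) and len(val) == 4:
            # RFC 2868: 1-byte tag followed by a 3-byte integer
            key = "tunnel_type" if atype == 64 else "medium_type"
            policy[key] = int.from_bytes(val[1:], "big")
        elif atype == 81 and val:
            # A first byte above 0x1F belongs to the string, not a tag
            policy["vlan"] = (val[1:] if val[0] <= 0x1F else val).decode()
        elif (atype == 26 and len(val) >= 4
              and int.from_bytes(val[:4], "big") == AIRESPACE_VENDOR_ID):
            for sub, data in parse_tlvs(val[4:]):
                if sub == 2:         # Aire-QoS-Level is a 4-byte integer
                    policy[AIRE_SUBTYPES[sub]] = int.from_bytes(data, "big")
                elif sub in AIRE_SUBTYPES:
                    policy[AIRE_SUBTYPES[sub]] = data.decode()
    # A VLAN ID is only meaningful with Tunnel-Type 13 and Medium-Type 6
    if policy["vlan"] is not None and (
            policy.get("tunnel_type"), policy.get("medium_type")) != (13, 6):
        raise ValueError("VLAN ID without Tunnel-Type 13 / Tunnel-Medium-Type 6")
    return policy

# Constructed sample: Access-Accept attributes for a hypothetical "staff" user
VENDOR = AIRESPACE_VENDOR_ID.to_bytes(4, "big")
SAMPLE = (tlv(64, b"\x01" + (13).to_bytes(3, "big"))
          + tlv(65, b"\x01" + (6).to_bytes(3, "big"))
          + tlv(81, b"\x01" + b"120")
          + tlv(26, VENDOR + tlv(5, b"staff"))
          + tlv(26, VENDOR + tlv(2, (2).to_bytes(4, "big"))))

if __name__ == "__main__":
    print(vlan_policy(SAMPLE))
```

An empty attribute list yields `vlan: None`, which corresponds to step 3 of the mapping process: the client stays on the VLAN mapped locally to the SSID.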