Dynamic VLAN Assignment separates and isolates devices into different network segments based on the authorization of the device or user and its characteristics.
Scenario & Topology
In most networks, administrators have to restrict devices across a variety of network devices for security purposes.
A common way to achieve this kind of network restriction is static VLAN assignment: administrators create VLANs and configure the corresponding VLAN number on each access-mode switch port. With Dynamic VLAN Assignment, by contrast, the administrator only needs to set the switch port as a trunk/fixed port and define a few policies on the RADIUS server, which saves the network administrator considerable work.
This configuration guide demonstrates every step needed to configure Dynamic VLAN Assignment on both the switch and the RADIUS server.
Configuration
The following steps apply to switches that support compound authentication. The supported switches are the GS2220 and XGS2210 in standalone mode, collocated with a RADIUS server (Windows Server 2019).
Switch configuration
- Configure RADIUS IP address, Shared secret, and AAA settings at:
Advanced Application > AAA > RADIUS Server Setup & AAA Setup
- Configure 802.1x, MAC authentication, Guest VLAN, and Compound Authentication on the client port at
Advanced Application > Port Authentication
- Keep the Compound Authentication Mode as strict for the client port
Set up NPS on Windows Server 2019
Open Network Policy Server, right-click RADIUS Clients > New, and configure the Friendly name, IP address, and Shared secret.
Configure Connection Request Policies (CRP)
- Right-click on CRP > New
- Specify CRP policy name
- Specify Conditions
We suggest using NAS Identifier (device hostname) and NAS IPv4 Address here if you are unfamiliar with this page. In addition, if you plan to add many devices as RADIUS clients, you can use the * wildcard to avoid adding many conditions to a CRP, for example “GS22*” or “192.168*”.
- Specify Connection Request Forwarding > Next
- Specify Authentication Methods > Next
- Configure Settings > Next
- Check everything you just configured, and click Finish.
Configure Network Policies
- Right-click on Network Policies > New
- Specify Network Policy name
- Specify Conditions > Add > choose Windows Groups
- Specify Access Permission > Next
- Configure Authentication Methods
- Configure Constraints > Next
- Configure Settings.
- Check everything you configured, and click Finish.
Set up user/device account on Windows Server 2019
- Open Active Directory Users and Computers
- Right-click on domain > New > User
- Create accounts for 802.1x and MAC authentication
Notice: for the MAC authentication user, the User logon name must be entered in exactly the same format as configured on the switch's MAC authentication page.
- The user password must also match the switch setting.
Verification
- If the client passes compound authentication, it gets an IP address in the Data VLAN
- If the client fails compound authentication, it gets an IP address in the Guest VLAN
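As an added worked example (not part of this guide and not Zyxel or Microsoft code), the Python below models what the switch does with the NPS reply behind the two outcomes above: it verifies the reply's Response Authenticator with the shared secret, decodes the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes that a Network Policy's Settings step sends for VLAN assignment, and returns the Data VLAN or Guest VLAN result. The shared secret, Request Authenticator and packets are constructed in the file; what a switch does with an Access-Accept that carries no VLAN attribute is assumed to be model-specific and is reported as its own outcome rather than guessed.

```python
"""Added example: RADIUS reply handling behind Dynamic VLAN Assignment.
Packets, secret and authenticator below are constructed for this file."""
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and the tunnel attributes sent for VLAN assignment (RFC 2868 / RFC 3580)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value "802" (Ethernet)

SECRET = b"example-shared-secret"  # constructed; stands in for the Shared secret entered on switch and NPS
REQ_AUTH = bytes(range(16))        # constructed Request Authenticator from the switch's Access-Request


def build_reply(code, ident, request_auth, secret, attrs):
    """Construct a RADIUS reply with a correct Response Authenticator (used only as test input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """RFC 2865 section 3: the NAS must verify this before trusting any attribute in the reply."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(body):
    """Walk the attribute TLVs, rejecting lengths that do not fit the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_attributes(vid, tag=0):
    """Attribute set a Network Policy's Settings page emits for VLAN `vid` (tag 0 = untagged group)."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode("ascii")),
    ]


def vlan_from_attributes(attrs):
    """Return the VLAN id only when a consistent Tunnel-* group says Tunnel-Type=VLAN, Medium=802."""
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:          # 1-octet tag + 3-octet integer
                continue
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # The string carries a tag octet only when its first octet is 0x00..0x1F (RFC 2868 3.6)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = text
    for group in groups.values():
        if group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
            continue
        try:
            vid = int(group.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii"))
        except ValueError:
            continue
        if 1 <= vid <= 4094:
            return vid
    return None


def decide_vlan(packet, request_auth, secret, guest_vlan):
    """Outcome for the client port: ('data', vid), ('guest', guest_vlan), or a non-assignment."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    if not verify_response_authenticator(packet, request_auth, secret):
        return ("discard", None)         # wrong secret or altered reply: must not influence the port
    code = packet[0]
    if code == ACCESS_REJECT:
        return ("guest", guest_vlan)     # client failed compound authentication -> Guest VLAN
    if code != ACCESS_ACCEPT:
        return ("pending", None)         # e.g. Access-Challenge during EAP: no decision yet
    vid = vlan_from_attributes(parse_attributes(packet[20:]))
    if vid is None:
        return ("accept-no-vlan", None)  # accepted without a VLAN attribute: switch-specific (assumed)
    return ("data", vid)                 # client passed -> Data VLAN chosen by the Network Policy


if __name__ == "__main__":
    ok = build_reply(ACCESS_ACCEPT, 1, REQ_AUTH, SECRET, vlan_attributes(10))
    print(decide_vlan(ok, REQ_AUTH, SECRET, guest_vlan=99))           # ('data', 10)
    print(decide_vlan(ok, REQ_AUTH, b"wrong-secret", guest_vlan=99))  # ('discard', None)
```

The authenticator check is the reason the Shared secret configured on the switch and in RADIUS Clients must match and stay private: it is the only thing binding the VLAN number in the reply to the server you configured, so a reply with a mismatching secret is dropped rather than placing the port in any VLAN.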
Note:
- Make sure DHCP Server functions in the network.
- The L3 switch should enable DHCP Smart Relay and point to the DHCP server.
- If your NPS server is installed in a VM and the NPS service is not functioning even though it is running, STOP and START the NPS service again.