How to deploy 802.1X + Dynamic VLAN for Peplink Access Points

Oh_Yaw_Theng · October 18, 2018, 9:26pm

Supported deployments

Standalone Peplink access points
Balance or MAX routers acting as a wireless controller managing Peplink access points

Non-supported deployment

Local build-in access point in Balance or MAX routers are not supported

Following will be my network diagram

On the above network diagram

I have a Radius server and its IP address is 192.168.52.200
I have a Balance 710 router and it is acting as a wireless controller to manage AC MINI

Steps to configure 802.1X + Dynamic VLAN

Power on AC MINI and log into its web admin page
Go to ‘System’ > ‘Controller’ > ‘Controller Management Settings’

This will make sure AC MINI connect to wireless controller at IP address 192.168.1.1
Save the changes at AC MINI
Connect AC MINI to the LAN port of Balance 710 router
At Balance 710 router, log into its web admin page
Go to ‘Network’ > ‘LAN’ > ‘Network Settings’
Create 3 new VLAN networks

The configurations at MANAGER vlan network

The configuration at the STAFF vlan network

The configuration at the GUEST vlan network

Go to ‘AP’ > ‘AP Controller’ and enable the AP controller feature

Go to ‘AP’ > ‘Wireless SSID’ and define a new SSID

Save and apply all the changes in Balance 710
At the radius server side, we need to add in 3 radius attributes in order to make dynamic vlan to work
Below are the 3 radius attributes that need to be added in the radius server

I have 3 user accounts inside the radius server
The first user account is ‘ohyt’ and he will be dynamically assigned to vlan 10

The second user account is ‘tanjp’ and he will be dynamically assigned to vlan 20

The third user account is ‘mary’ and she will be dynamically assigned to vlan 30

To perform the testing, I will be connecting to the SSID ‘DYNAMIC_LITE’ using 3 different accounts
When ‘ohyt’ is connected, he will be assigned to vlan 10 and obtain DHCP IP 10.0.1.10 / 24

When ‘tanjp’ is connected, he will be assigned to vlan 20 and obtain DHCP IP 10.0.2.10 / 24

When ‘mary’ is connected, she will be assigned to vlan 30 and obtain DHCP IP 10.0.3.10 / 24

When ‘ohyt’ is connecting to the SSID, this is the handshake between Balance 710 and Radius server

ACCESS-REQUEST from Balance 710 to Radius server

ACCESS-CHALLENGE from Radius server to Balance 710

ACCESS-REQUEST from Balance 710 to Radius server

ACCESS-ACCEPT from Radius server to Balance 710

Whole authentication process is completed and user ‘ohyt’ is dynamically assigned to VLAN 10

mldowling · October 19, 2018, 1:00am

Hello @Oh_Yaw_Theng,
This is great, we expect it also works just as well if setup from InControl2.
Happy to Help,
Marcus

Oh_Yaw_Theng · October 19, 2018, 1:06am

It will work too.

Rory_Ingen · February 20, 2019, 8:23am

Oh Yaw Theng - is there a plan to support built-in APs in Balance and MAX routers anytime soon?
Might this be in Firmware 8?
802.1X is becoming more and more requested as a requirement in Enterprise deployments.

spoiler · December 23, 2019, 10:09am

setup follow https://forum.peplink.com/t/how-to-configure-radius-authentication-for-server-2012/9634. dot1x not access show (Incorrect password for “SSID”). Have guide config dot1x for peplink?

TK_Liew · December 25, 2019, 9:05pm

@spoiler, the provided steps by @Oh_Yaw_Theng is deploying the 802.1X. As mentioned in the ticket, the problem is related to the settings of Radius server.