How to deploy 802.1X + Dynamic VLAN for Peplink Access Points

  1. Supported deployments
  • Standalone Peplink access points

  • Balance or MAX routers acting as a wireless controller managing Peplink access points

  1. Non-supported deployment
  • Local built-in access points in Balance or MAX routers are not supported

  1. The following is my network diagram

  1. On the above network diagram
  • I have a Radius server and its IP address is 192.168.52.200

  • I have a Balance 710 router and it is acting as a wireless controller to manage AC MINI

  1. Steps to configure 802.1X + Dynamic VLAN
  • Power on AC MINI and log into its web admin page

  • Go to ‘System’ > ‘Controller’ > ‘Controller Management Settings’

  • This will make sure the AC MINI connects to the wireless controller at IP address 192.168.1.1

  • Save the changes at AC MINI

  • Connect AC MINI to the LAN port of Balance 710 router

  • At Balance 710 router, log into its web admin page

  • Go to ‘Network’ > ‘LAN’ > ‘Network Settings’

  • Create 3 new VLAN networks

  • The configurations at MANAGER vlan network

  • The configuration at the STAFF vlan network

  • The configuration at the GUEST vlan network

  • Go to ‘AP’ > ‘AP Controller’ and enable the AP controller feature

  • Go to ‘AP’ > ‘Wireless SSID’ and define a new SSID

  • Save and apply all the changes in Balance 710

  • On the RADIUS server side, we need to add 3 RADIUS attributes in order to make dynamic VLAN work

  • Below are the 3 radius attributes that need to be added in the radius server

  • I have 3 user accounts inside the radius server

  • The first user account is ‘ohyt’ and he will be dynamically assigned to vlan 10

  • The second user account is ‘tanjp’ and he will be dynamically assigned to vlan 20

  • The third user account is ‘mary’ and she will be dynamically assigned to vlan 30

  • To perform the testing, I will be connecting to the SSID ‘DYNAMIC_LITE’ using 3 different accounts

  • When ‘ohyt’ is connected, he will be assigned to vlan 10 and obtain DHCP IP 10.0.1.10 / 24

  • When ‘tanjp’ is connected, he will be assigned to vlan 20 and obtain DHCP IP 10.0.2.10 / 24

  • When ‘mary’ is connected, she will be assigned to vlan 30 and obtain DHCP IP 10.0.3.10 / 24

  1. When ‘ohyt’ is connecting to the SSID, this is the handshake between Balance 710 and Radius server
  • ACCESS-REQUEST from Balance 710 to Radius server

  • ACCESS-CHALLENGE from Radius server to Balance 710

  • ACCESS-REQUEST from Balance 710 to Radius server

  • ACCESS-ACCEPT from Radius server to Balance 710

  • The whole authentication process is completed and user ‘ohyt’ is dynamically assigned to VLAN 10
6 Likes
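
The three RADIUS attributes are not listed in the text of the post above. As an added example (not part of the original post or Peplink's code), the following Python assumes they are the standard RFC 3580 dynamic-VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and parses an Access-Accept to confirm which VLAN it assigns. The function names are hypothetical and the sample packet is constructed.

```python
import struct

# RFC 2865 packet code; RFC 2868 / RFC 3580 attribute numbers and values.
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def parse_attributes(packet: bytes):
    """Return (code, {attribute type: [raw values]}) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes follow code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def tagged_int(value: bytes) -> int:
    """Decode a tunnel attribute value: 1 tag byte + 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else -1

def assigned_vlan(packet: bytes):
    """VLAN ID assigned by an Access-Accept, or None if none is assigned.
    Does not verify the Response Authenticator (needs the shared secret)."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT or TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None
    if tagged_int(attrs.get(TUNNEL_TYPE, [b""])[0]) != TYPE_VLAN:
        return None
    if tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE, [b""])[0]) != MEDIUM_IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    if group and group[0] <= 0x1F:  # leading tag byte, not part of the ID
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_accept(vlan: str) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator) for testing."""
    body = (attr(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii")))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

An Access-Accept for which `assigned_vlan` returns `None` carries no usable VLAN assignment, which is worth checking on the RADIUS server before troubleshooting the access point.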

Hello @Oh_Yaw_Theng,
This is great, we expect it also works just as well if set up from InControl2.
Happy to Help,
Marcus :slight_smile:

It will work too.

1 Like

Oh Yaw Theng - is there a plan to support built-in APs in Balance and MAX routers anytime soon?
Might this be in Firmware 8?
802.1X is becoming more and more requested as a requirement in Enterprise deployments.

3 Likes

I set it up following https://forum.peplink.com/t/how-to-configure-radius-authentication-for-server-2012/9634. dot1x does not get access and shows (Incorrect password for “SSID”). Is there a guide to configure dot1x for Peplink?

@spoiler, the steps provided by @Oh_Yaw_Theng are for deploying 802.1X. As mentioned in the ticket, the problem is related to the settings of the RADIUS server.

2 Likes