Wireless VLANs Managed by RAD-Series RADIUS Server
VLANs are powerful networking tools that are especially applicable to wireless and hybrid networks. Combined with the RAD-Series RADIUS Server, they are an easy and effective way of managing access to key enterprise resources.
What is a VLAN?
A VLAN is a switched network that is logically rather than physically segmented. VLANs enable workstations and other devices to have a virtual association, independent of geographic location or physical attachment to the network. These groupings can be based upon organizational unit, application, role, or any other logical grouping.
Why use a VLAN?
VLANs deliver many benefits to the network administrator.
- Security is increased by segregating groups of users. Each group has access to only those resources that are appropriate for its projects and responsibilities within the organization.
- Network management is made easier because changes to projects, roles, and group memberships do not require any changes to the physical topology of the network.
- VLANs reduce costs through the efficient sharing of network resources. Groups of users can be logically separated on shared equipment instead of physically separated on redundant equipment.
Why use VLANs with a wireless network?
The case for using VLANs in a wireless network is even stronger than for wired networks. Because there are no physical boundaries in wireless networks, logical boundaries must be built to protect sensitive data while enabling access to role-based network resources.
VLANs multiply the benefits that make wireless networking so attractive to enterprises. Wireless networks are flexible and easy to set up because there are no wires to pull. VLANs are flexible and easy to establish because they are not dependent upon a physical point of attachment to the network. Wireless networks reduce expenses by eliminating some of the physical infrastructure. VLANs further reduce expenses through the efficient sharing of network resources.
Example Wireless VLAN
Taking a look at the needs of a small software engineering company will help illustrate the power of VLANs in a wireless network. This engineering company has identified four groups that it wants to segregate on its wireless network through the establishment of VLANs:
- Sales – the company’s executives and sales managers need access to sensitive account and sales information. When the regional sales managers visit the home office, the wireless network makes it possible for them to update account information and participate in sales meetings.
- Network Administrator – the network administrator has privileged access to all computer systems and network devices. The wireless network facilitates the administrator’s work no matter where he is in the building.
- Engineering – the software developers and QA engineers need access to the testbed machines. They are often working collaboratively in groups made possible by the wireless NICs in their laptops.
- Guests – the company often hosts meetings with vendors and customers. During their visits, guests are given Internet access through the wireless network.
Each of these groups is assigned a VLAN that provides access to only the appropriate resources for that group.
Completing the VLAN picture with the RAD-Series RADIUS Server
The final and critical step in implementing wireless VLANs is the authentication and assignment of users to the correct VLAN using the RAD-Series RADIUS Server. The benefits of wireless VLANs are greatly diminished without the ease and flexibility of the central management afforded by the RAD-Series RADIUS server. At the time the user is authenticated, the RADIUS server assigns the user to the correct VLAN based upon the user’s profile or a policy involving the user’s role, group membership, or any other attribute. The RADIUS server can further improve security by requiring stronger forms of authentication for VLANs with access to the most critical resources.
The RAD-Series RADIUS Server can be configured to assign a user to a VLAN by adding the following three Reply-Items to the user’s profile:
Tunnel-Type=VLAN
Tunnel-Medium-Type=IEEE-802
Tunnel-Private-Group-Id="vlan-number"
where "vlan-number" is the number of the user’s VLAN.
Changing VLAN membership is as easy as changing the VLAN number in the user profile. It will then take effect the next time the user authenticates anywhere on the wireless network.
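The following added example (not RAD-Series code or configuration) shows how the three Reply-Items above appear on the wire in an Access-Accept, using the attribute numbers and values from RFC 2868 and RFC 3580, and how an access point or switch can refuse to place a user when the assignment is incomplete or malformed. The VLAN numbers for the four groups and the function names are assumptions made for illustration.

```python
import struct

# Attribute numbers and values as defined in RFC 2868 and RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed VLAN numbers for the four groups of the example company.
GROUP_VLAN = {"sales": 10, "netadmin": 20, "engineering": 30, "guests": 40}

def encode_vlan_reply(vlan_id):
    """Encode the three Reply-Items as RADIUS attribute TLVs (tag 0 = unused)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    gid = str(vlan_id).encode("ascii")
    return (struct.pack("!BBB", TUNNEL_TYPE, 6, 0) + VLAN.to_bytes(3, "big")
            + struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, 0) + IEEE_802.to_bytes(3, "big")
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)) + gid)

def decode_vlan(attrs):
    """Return the assigned VLAN ID, or None if the assignment is incomplete or malformed."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            return None                      # truncated or empty attribute
        seen[attr] = attrs[i + 2:i + length]
        i += length
    if i != len(attrs):
        return None                          # stray trailing octet
    t, m, g = (seen.get(a) for a in
               (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if t is None or m is None or g is None:
        return None                          # all three items are required
    if len(t) != 4 or len(m) != 4:
        return None                          # tag octet plus 3-byte value expected
    if int.from_bytes(t[1:], "big") != VLAN or int.from_bytes(m[1:], "big") != IEEE_802:
        return None
    if g[0] <= 0x1F:                         # optional leading tag octet
        g = g[1:]
    if not g.isdigit():
        return None
    vid = int(g.decode("ascii"))
    return vid if 1 <= vid <= 4094 else None

if __name__ == "__main__":
    for group, vid in GROUP_VLAN.items():
        blob = encode_vlan_reply(vid)
        print(group, blob.hex(), decode_vlan(blob))
```

Returning None rather than a default VLAN lets the caller deny access or fall back to a restricted network when any of the three items is missing.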
