WESM zl Management and Configuration Guide WT.01.03 and greater
Wireless Local Area Networks (WLANs)
VLAN Assignment
Identity-Based, or Dynamic, VLAN Assignment
The Wireless Edge Services zl Module can also divide traffic from wireless
users into VLANs based on those users’ identities. This capability (variously
called user-based VLANs or identity-based VLANs, as well as dynamic VLAN
assignment) allows you to:
■ configure one WLAN for your wireless network with a single SSID and
unified wireless security policy
■ simultaneously retain granular control over the network rights of each
wireless user
In order for your Wireless Edge Services zl Module to implement dynamic
VLAN assignment in a WLAN, stations must authenticate to a RADIUS server.
This server can be either the module’s internal server or an external network
server.
You must also manually enable dynamic VLAN assignment on the WLAN.
You should not use dynamic VLANs in certain circumstances:
■ You must place the WLAN in a Layer 3 mobility domain—Dynamic VLANs
disable Layer 3 mobility on the WLAN. See Chapter 9: “Fast Layer 2
Roaming and Layer 3 Mobility” for guidelines on when a network requires
Layer 3 mobility.
■ The WLAN requires Web-Auth—Dynamic VLANs are actually a possibility
with Web-Auth. However, they can cause complications because the
Web-Auth station receives an IP address before it authenticates. Take care to
set the DHCP lease for the static VLAN very low if you allow dynamic
VLAN assignment.
On the Wireless Edge Services zl Module, to enable dynamic VLAN assignment
on a WLAN, complete these steps:
1. Access the Edit screen for the WLAN:
   a. Select Network Setup > WLAN Setup and click the Configuration tab.
   b. Select the WLAN and click the Edit button. The Edit screen is displayed.
2. Verify that the WLAN uses 802.1X EAP, Web-Auth, or MAC authentication.
3. Check the Dynamic Assignment box.
4. Click the OK button.
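
The RADIUS requirement above exists because the server's Access-Accept is what carries the per-user VLAN. The following added example (not from this guide or the module's firmware) shows how an authenticator can extract that VLAN, assuming the server uses the standard RFC 3580 tunnel attributes; this page does not name the attributes the module reads, and the fallback to the WLAN's static VLAN, the helper names, and the sample bytes are assumptions made for illustration.

```python
# RADIUS attribute types (RFC 2865/2868) used for VLAN assignment in RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(a_type, value):
    """Encode one attribute as type, length, value (hypothetical helper)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample: attribute section of an Access-Accept assigning VLAN 20.
SAMPLE_ACCEPT = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
                 + attr(81, b"20"))

def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def dynamic_vlan(attr_bytes, static_vlan):
    """Return the RADIUS-assigned VLAN, or static_vlan if none is valid."""
    tunnel_type = medium = vlan = None
    for a_type, value in parse_attributes(attr_bytes):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # One tag byte followed by a 3-byte integer (tags are not grouped here).
            number = int.from_bytes(value[1:], "big")
            if a_type == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x00-0x1F is a tag; otherwise it belongs to the string.
            text = value[1:] if value[0] <= 0x1F else value
            if text.isdigit() and 1 <= int(text) <= 4094:
                vlan = int(text)
    # Assumption: an incomplete or invalid triple leaves the station in the static VLAN.
    if tunnel_type == TYPE_VLAN and medium == MEDIUM_IEEE_802 and vlan is not None:
        return vlan
    return static_vlan
```

When a user lands in the wrong VLAN, checking these three attributes in the server's reply is the first thing to compare against the account's intended network rights.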