WESM zl Management and Configuration Guide WT.01.28 and greater
Wireless Local Area Networks (WLANs)
VLAN Assignment
Identity-Based, or Dynamic, VLAN Assignment
The Wireless Edge Services zl Module can also divide traffic from wireless users
into VLANs based on those users’ identities. This capability (variously called user-
based VLANs or identity-based VLANs, as well as dynamic VLAN assignment)
allows you to:
■ configure one WLAN for your wireless network with a single SSID and unified
wireless security policy
■ simultaneously retain granular control over the network rights of each wireless
user
In order for your Wireless Edge Services zl Module to implement dynamic VLAN
assignment in a WLAN, stations must authenticate to a RADIUS server. This server
can be either the module’s internal server or an external network server.
You must also manually enable dynamic VLAN assignment on the WLAN.
You should not use dynamic VLANs in certain circumstances:
■ You must place the WLAN in a Layer 3 mobility domain—Dynamic VLANs
disable Layer 3 mobility on the WLAN. See Chapter 9: “Fast Layer 2 Roaming
and Layer 3 Mobility” for guidelines on when a network requires Layer 3
mobility.
■ The WLAN requires Web-Auth—Dynamic VLANs are actually a possibility
with Web-Auth. However, they can cause complications because the Web-Auth
station receives an IP address before it authenticates. Take care to set the DHCP
lease for the static VLAN very low if you allow dynamic VLAN assignment.
To enable dynamic VLAN assignment on a WLAN on the Wireless Edge Services zl Module,
complete these steps:
1. Access the Edit screen for the WLAN:
   a. Select Network Setup > WLAN Setup and click the Configuration tab.
   b. Select the WLAN and click the Edit button. The Edit screen is displayed.
2. Verify that the WLAN uses 802.1X EAP, Web-Auth, or MAC authentication.
3. Check the Dynamic Assignment box.
4. Click the OK button.
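
With dynamic assignment, the VLAN for a station arrives in the RADIUS server's Access-Accept. The following added example (not from this guide or from the module's vendor) decodes the standard RFC 3580 tunnel attributes from a constructed packet. It is an assumption that the module reads exactly these attributes, accepts only numeric VLAN IDs, and falls back to the WLAN's static VLAN when the assignment is incomplete or invalid; all function names are hypothetical.

```python
import struct
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_802 = 2, 13, 6

def parse_attributes(packet):
    """Return (code, {attribute type: value}) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: 1 tag byte + 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def assigned_vlan(packet, static_vlan):
    """VLAN for the station: None if not accepted, else dynamic or static."""
    # The Response Authenticator must be verified before this point (not shown).
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:      # optional leading tag byte
        group = group[1:]
    vlan = group.decode("ascii", "replace")
    valid = (tagged_int(attrs.get(TUNNEL_TYPE, b"")) == TYPE_VLAN
             and tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) == MEDIUM_802
             and vlan.isdigit() and 1 <= int(vlan) <= 4094)
    # Assumption: an incomplete or invalid assignment falls back to the static VLAN.
    return int(vlan) if valid else static_vlan

def build_packet(code, attrs):
    """Constructed sample packet: zeroed authenticator, attrs as (type, value)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_packet(ACCESS_ACCEPT, [(64, b"\x00\x00\x00\x0d"),
                                      (65, b"\x00\x00\x00\x06"), (81, b"\x00" + b"20")])
```

`assigned_vlan(SAMPLE, 1)` yields VLAN 20; an Access-Accept that carries only a group ID, or an out-of-range ID, yields the static VLAN passed as the second argument.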