Dynamic VLAN Assignment

By Zach DeMeyer Posted February 13, 2019

As IT admins work to strengthen the overall security posture of their networks, one feature gaining popularity is dynamic VLAN (virtual local area network) assignment. Traditionally done on wired networks through switches, this capability is now being used by IT organizations for their WiFi networks and access points through a cloud RADIUS implementation. Let’s explore dynamic VLAN assignment with cloud RADIUS.

What is Dynamic VLAN Assignment?

The concept of dynamic VLAN assignment (aka VLAN steering or tagging) is quite simple. A VLAN is a segment of the overall network that provides access to only a selection of network resources. Based on a user’s identity, the WiFi access point (WAP) is told which VLAN the user should be placed in. This process can step up security, help with compliance, and potentially balance load and quality of service. Regardless of the reason or requirement, the process is the same.

A user or group of users is assigned to a specific VLAN through RADIUS attributes. These attributes are configured on the RADIUS server. When a user attempts to authenticate to the network, there are multiple levels of assessment. The first is whether the user’s credentials are correct; in the case of RADIUS-as-a-Service, this assessment is done via the on-board directory service. Then, assuming a successful authentication, the user’s identity and group information are used to look up which VLAN assignment they have. The VLAN assignment is passed along as part of the RADIUS server’s reply to the wireless access point. The WAP then uses that information to assign the user to the specific VLAN.
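The lookup and reply described above can be sketched as follows. This is an added example, not JumpCloud's code: it encodes the standard tunnel attributes from RFC 2868 and RFC 3580 that carry a VLAN ID in a RADIUS reply, and decodes them the way an access point would. The group names, VLAN IDs and guest fallback are constructed, and the sketch assumes the access point expects a numeric VLAN ID.

```python
# RADIUS attribute types and values for VLAN assignment (RFC 2868, RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy: group names and VLAN IDs are hypothetical
GROUP_VLANS = {"finance": 20, "engineering": 30}
GUEST_VLAN = 99  # least-privileged fallback when no group is mapped


def vlan_for(groups):
    """Server side: first mapped group wins, otherwise fall back to guest."""
    return next((GROUP_VLANS[g] for g in groups if g in GROUP_VLANS), GUEST_VLAN)


def encode_vlan_attrs(vlan_id):
    """Build the three untagged reply attributes as type-length-value bytes."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    values = [
        (TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big")),  # tag 0 + value
        (TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),  # VLAN ID as text
    ]
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in values)


def decode_vlan(attrs):
    """Access point side: return the assigned VLAN ID, or None if absent."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    # Only honor the group ID when the reply really describes an 802 VLAN
    if found.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big"):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional RFC 2868 tag byte
        group = group[1:]
    if not group.isdigit():
        raise ValueError("Tunnel-Private-Group-ID is not a numeric VLAN ID")
    return int(group)
```

Falling back to a guest VLAN for users with no mapped group keeps an unmapped account away from the sensitive segments instead of dropping it onto the default network.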

The Value of VLAN Assignment

Implementing VLAN assignment is tedious but straightforward, and the value it brings significantly outweighs the effort. IT organizations can leverage dynamic VLAN steering to help support compliance activities and security programs. By excluding users from sensitive resources they do not need to access, the attack vectors available through compromised credentials are cut down severely.

Of course, many organizations don’t take advantage of VLAN assignment because of the work involved in implementing it network-wide. While it isn’t necessarily difficult, not every organization has the proper network and identity management tools to implement VLAN assignments effectively. After all, in order to control which resources are tied to which VLANs, each user’s core identity in the directory service needs to be linked directly to the WAP. This can be done simply by leveraging JumpCloud® Directory-as-a-Service®.

VLAN Assignment with JumpCloud®

With JumpCloud’s Directory-as-a-Service platform, the entire process of implementing VLAN assignment is made easier. JumpCloud’s RADIUS-as-a-Service includes the ability to assign reply attributes, has an onboard directory service, and doesn’t require IT admins to configure endpoints with the correct supplicants. Simply point the WAP to the virtual RADIUS server, and your end users’ core credentials are leveraged for their access to the network.

You can learn more about dynamic VLAN assignment with RADIUS-as-a-Service by checking out our blog, or our YouTube channel. You can also contact us with your questions and comments. Directory-as-a-Service is available completely free for your first ten users, forever, with competitive pricing for more users.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
