Why Use Dynamic VLANs?

Written by Zach DeMeyer on December 16, 2018

Share This Article

We are in a time that is saturated with data breaches. An amateur mathematician observing the trend could liken the rise of weekly breaches to that of the Fibonacci sequence. Hyperbole aside, the rise in compromises has led many an IT admin to reevaluate their organization’s security posture. One area that has gained a particular amount of traction is network security through segmentation via dynamic VLANs (virtual local area networks). Compared to other approaches of increasing network security, skeptics may ask why use dynamic VLANs?

What are Dynamic VLANs?

radius-reply-attributes

Before we can answer why an organization should implement dynamic VLANs (also known as VLAN tagging or VLAN steering), we should explain what dynamic VLANs means. Effectively, dynamic VLANs are used by network admins/engineers to fragment a network into tiered sections based on resource authorization. Users in an organization are then segmented into these dynamic VLANs based on the resources they can access.

The process works as follows: IT admins create separate segments of their network, often known as VLANs. These segments could be for different departments or different user needs. Users or groups of users are assigned to each VLAN segment within a RADIUS server. When a user logs in, that user’s credentials are passed through the WiFi access point to the RADIUS server and then confirmed with the identity provider (IdP). When the directory service confirms the user authentication to the RADIUS server, it will attach what are known as RADIUS reply attributes, which will assign the user to the correct VLAN. The WAP will honor this VLAN assignment by placing the user in the correct VLAN.

So, Why Use Dynamic VLANs?

Network Authentication RADIUS

Now that we’ve explained the process, why IT admins use dynamic VLANs is fairly straightforward: security and control. IT organizations can dramatically step-up their security by segmenting their users into different networks. For instance, sales teams often don’t need to access source code nor do other customer-facing teams need access to the production network. Devs may not need access to financial systems. By logically segmenting the network, IT admins can enforce greater security.

The challenge with the use of dynamic VLANs historically has been the difficulty in implementing it. With so many different moving parts and integrations, IT admins have often felt the work isn’t worth the benefits, and many have yet to embrace VLAN segmentation. Additionally, dynamic VLAN steering, historically, has mainly used by larger companies. This is due to the fact that, in smaller organizations, there may be only one or two users per VLAN, making the effort required to set up the VLANs seem excessive compared to its negligible results. An ideal VLAN tagging tool would help to alleviate the work demands that come with configuring a VLAN network and smaller organizations can benefit from the security practices larger organizations know and use.

Dynamic VLAN Segmentation with RADIUS-as-a-Service

The good news is that a next generation cloud identity management platform is simplifying the process of executing dynamic VLANs within a network. By combining RADIUS and RADIUS reply attributes directly with the identity provider, IT admins have less to worry about for implementing dynamic VLANs. Of course, the process of configuring your WAP to segment the network with VLANs still remains, but is made considerably easier. This is due to the fact that since this RADIUS-as-a-Service is directly correlated to the IdP, users are already authenticated to the network via RADIUS. Thanks to a sleek API and/or PowerShell module interface, admins can effectively partition users to their respective network segments based on their needs.

This RADIUS-as-a-Service is a part of the greater whole of the JumpCloud® Directory-as-a-Service® suite. Using JumpCloud, IT admins can federate their end users’ identities to their required IT resources, be they systems, applications, file servers, or networks. As a third-party, cloud-based directory, Directory-as-a-Service does so regardless of platform, protocol, provider, or location (on-prem or in the cloud). Regarding networks especially, JumpCloud now offers enhanced configurability for network segmentation via dynamic VLAN steering through RADIUS-as-a-Service.

Learn More

To learn more about why you should use dynamic VLANs with JumpCloud Directory-as-a-Service, be sure to contact us, or visit our YouTube channel. You can see the product for yourself by signing up for a free JumpCloud account, which includes ten users, free forever, to get you started.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter