- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
VLAN assignment via RADIUS using 802.1X authentication on SonicWall Switch
06/15/2020 
0 People found this article helpful
89,251 Views
Description
The IEEE-802.1X authentication provides a security standard for network access control with RADIUS servers and holds a network port disconnected until authentication is completed. With 802.1X authentication, the supplicant provides credentials, such as user name, password, or digital certificate to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. The Switch uses 802.1X to enable or disable port access control, to enable or disable the Guest VLAN, and to enable or disable the forwarding EAPOL (Extensible Authentication Protocol over LANs) frames.
Additionally, we can also have the VLAN assignment done through the RADIUS server itself.
Resolution
Please refer to Setting Up 802.1x Authentication On SonicWall Switch for 802.1X authentication related settings on the firewall and RADIUS server.
EXAMPLE: Let us consider that the RADIUS server is connected to port 1 of the switch and has static IP: 192.168.181.100. The PC that needs be authenticated is connected to port 5 on the switch which is portshielded to interface X0. Once it is successfully authenticated we need to get an IP from X0:V190 subnet.
The X0 interface is on 192.168.181.0/24 network and has two VLAN sub-interfaces X0:V190 - 192.168.190.0/24 and X0:V195 - 192.168.195.0/24.
Navigate to MANAGE | Network | Interfaces to make sure that the VLAN sub-interfaces are set up correctly.
Please refer to How Can I Configure Sub-Interfaces? to add sub-interfaces on the firewall.
Enable 802.1X Authentication on Port 5
- Navigate to MANAGE | Switch Controller | Overview tab. Click on Port 5 from physical, link or VLAN view.
- Scroll down to the 802.1x Settings.
- Select the mode as 'Auto' and Enable the toggle switch for 'RADIUS VLAN assign'. Leave other options on default.
- Click OK.
- Portshield port 5 to interface X0 but do not assign any VLANs to this port.
The following additional changes will be required on the NPS policy for VLAN assignment.
- Right click on the NPS policy and click on 'Properties'. Navigate to the Settings tab and click Add under Attributes. Select 'Tunnel-Medium-Type' from the attribute list and click on 'Add'. Click on 'Add' for the Attribute values and select the radio button for 'Commonly used for 802.1x' with the dropdown selected as '802 (includes all 802 media plus Ethernet canonical format)'. Click OK.
- Click Add under Attributes. Select Tunnel-Type from the attribute list and click on 'Add'. Click Add for the Attribute values and select the radio button for 'Commonly used for 802.1x' with the dropdown selected as 'Virtual LANs (VLAN)'. Click OK.
- Click on 'Add' under Attributes. Select 'Tunnel-Pvt-Group-ID' from the attribute list and click on 'Add'. Click on 'Add' for the Attribute values and select the radio button 'String' for 'Enter the attribute value in:' and mention the VLAN ID, which is 190 in this example. Click OK.
- You can now see all the attributed added to this NPS policy. Click OK.
On the end machine that is connected to port 5, once the successful authentication is done, it gets an IP address from X0:V190 subnet.
You can see the following states on the Ethernet adapter of the end machine:
- Press Ctrl+R and type 'ncpa.cpl' to show up all the network adapters on the end machine. You can see that the end machine is attempting to authenticate against the RADIUS server using 802.1X authentication.
- Right click the Ethernet adapter and select Status. Click on details to check the IP address that it received. The IPv4 address section shows that it got an IP from X0:V190 subnet.
Related Articles
- Daisy chain mode using SonicWall Switches
- How to upgrade SonicWall Switch Firmware from Switch UI?
- Issue: Unable to access management of switch due incorrect VLAN membership on the switch ports in Switch Policy
YES
NO