Create a WxLAN Policy to Override Client VLANs

Support per site VLAN flexibility with Multi-Pre-Shared Key (mPSK) by creating WxLAN policies that override client VLANs.

Let's illustrate the value of this feature by looking at a common use case when implementing mPSK. In this scenario, Site A needs the flexibility to use VLAN A for PSK A and VLAN B for PSK B. Site X needs to use VLAN X for PSK A and VLAN Y for PSK B. You can create WxLAN policies to assign VLANs to clients based on the PSK user role. The WxLAN-driven VLANs override any other VLAN assignments on a client. For example, this policy would override a dynamic VLAN that was received from RADIUS.

You can use this feature in addition to the normal methods of assigning a user to a VLAN by policy, such as through RADIUS AVPs (Tunnel-Private-GroupId or Airespace-Interface-Name) or a VLAN attached to the mPSK.

Requirements

  • APs must have firmware version 0.14.29091 or newer.

  • The VLANs must be configured in one of the following: the VLAN list in the WLAN settings, the ETH0 port configuration, or Mist Tunnel.

To create a WxLAN policy to override client VLANs:

  1. From the left menu of the Juniper Mist portal, select Organization > Admin | Labels.
  2. Click Add Label, and set up the label for the VLAN that you want to use in your WxLAN policy:
    • Label Type—Select VLAN.

    • VLAN ID—Enter the VLAN ID that you want to associate with this label.

    In this example, vlan5 is the name of the label, and 5 is the VLAN ID.

    Example: Adding a VLAN Label
  3. Click Save to save the new label.
  4. Click Add Label, and set up the label for the PSK user role that you want to use in your WxLAN policy:
    1. Enter a name in the Label Name field.
    2. Select the Label Type from the drop-down list.
    3. If the Label Type is AAA Attribute, then select Radius Username or User Group from the drop-down list.
      • If Label Values is User Group or User Role, enter a user group in the User Group Values field to associate with this label. The user roles can be assigned from SSO portals/captive portals, RADIUS servers, PSK, and so on.
      • Or, if Label Values is Radius Username, enter a username assigned by RADIUS in the Username Values field to associate with this label.

        In the following example, assume that student-psk is the label name, student is the username value, and one user's username is student.school2@xxx.com. If the value student partially matches the string student.school2@xxx.com, the label assigns the corresponding VLAN tag. In this example, the username can also be student.school2@xxx.com, student.school45@xxx.com, and similar values.

        Example: Adding a Username Label

    4. Or, if the Label Type is Wi-Fi Client, enter the client MAC addresses in Label Values to associate with this label.
      Note:

      It is recommended to use AAA Attribute as Label Type at scale.

    5. Click Create to create a new label.
  5. Create a WxLAN Policy that assigns users to a VLAN:
    1. From the left menu of the Juniper Mist portal, select Organization > Wireless | WLAN Templates.
    2. Click the template that you want to add the policy to.
    3. In the Policy section, click Add Rule.
    4. In the User area, click the plus sign (+), and then enter the label that you created for the user (for the current example, you would enter student-psk).
    5. In the Resources area, click the plus sign (+), and then enter the label that you created for the VLAN (for the current example, you would enter vlan5).

      As shown below, the policy assigns these users to the specified VLAN.

      Example: Specifying the User Role and VLAN in a WxLAN Policy
    6. Click Save.
    7. Click the ellipsis button (…) to enable the new rule.
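
The following added example is not Juniper code and does not call the Mist API. It is a local model of the behavior described above, useful for checking a list of RADIUS usernames before you enable a rule. It assumes that a partial match is a case-sensitive substring test and that the first matching rule wins; the `Client` and `Rule` classes, function names, and sample data are constructed for illustration.

```python
# Added illustration: local model of the WxLAN VLAN override described above.
# Assumption: "partially matches" = case-sensitive substring test on the username.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    username: str               # username returned by RADIUS
    radius_vlan: Optional[int]  # dynamic VLAN received from RADIUS, if any


@dataclass
class Rule:
    label_name: str      # user label, for example student-psk
    username_value: str  # entry in the label's Username Values field
    vlan_id: int         # VLAN ID of the VLAN label placed in Resources


def effective_vlan(client, rules, configured_vlans):
    """Return (vlan, reason). The first matching rule wins (assumption)."""
    for rule in rules:
        if rule.username_value in client.username:
            # Pre-deployment check for the requirement that the VLAN is
            # configured (WLAN VLAN list, ETH0 port configuration, Mist Tunnel).
            if rule.vlan_id not in configured_vlans:
                raise ValueError(f"VLAN {rule.vlan_id} is not configured")
            return rule.vlan_id, f"WxLAN override via {rule.label_name}"
    return client.radius_vlan, "no WxLAN match, existing VLAN kept"


def audit(clients, rules, configured_vlans):
    """Map each username to its effective VLAN so broad matches stand out."""
    return {c.username: effective_vlan(c, rules, configured_vlans)[0]
            for c in clients}


# Constructed sample data based on the page's example (student-psk -> vlan5).
RULES = [Rule("student-psk", "student", 5)]
CLIENTS = [
    Client("student.school2@xxx.com", 20),   # RADIUS VLAN 20 is overridden
    Client("student.school45@xxx.com", None),
    Client("staff.school2@xxx.com", 30),     # no match, keeps VLAN 30
    Client("nonstudent.admin@xxx.com", 30),  # also contains "student"
]

if __name__ == "__main__":
    for name, vlan in audit(CLIENTS, RULES, {5, 20, 30}).items():
        print(f"{name:28} -> VLAN {vlan}")
```

Under these assumptions, the last constructed username also lands in VLAN 5, which is why a short username value should be checked against the full user list before the rule is enabled.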