Create a WxLAN Policy to Override Client VLANs

Support per-site VLAN flexibility with Multi-Pre-Shared Key (mPSK) by creating WxLAN policies that override client VLANs.

Let's illustrate the value of this feature by looking at a common use case when implementing Multiple-PSK. In this scenario, Site A needs the flexibility to use VLAN A for PSK A and VLAN B for PSK B. Site X needs to use VLAN X for PSK A and VLAN Y for PSK B. You can create WxLAN policies to assign VLANs to clients based on the PSK user role. The WxLAN-driven VLANs override any other VLAN assignments on a client. For example, this policy would override a dynamic VLAN that was received from RADIUS.

You can use this feature in addition to the normal methods of assigning a user to a VLAN by policy, such as through RADIUS AVPs (Tunnel-Private-GroupId or Airespace-Interface-Name) or a VLAN attached to an mPSK.


  • APs must have firmware version 0.14.29091 or newer.

  • The VLANs must be configured either in the VLAN list in the WLAN settings, ETH0 port configuration, or Mist Tunnel.

To create a WxLAN policy to override client VLANs:

  1. From the left menu of the Juniper Mist portal, select Organization > Admin | Labels.
  2. Click Add Label, and set up the label for the VLAN that you want to use in your WxLAN policy:
    • Label Type—Select VLAN.

    • VLAN ID—Enter the VLAN ID that you want to associate with this label.

    In this example, vlan5 is the name of the label, and 5 is the VLAN ID.

    Example: Adding a VLAN Label
  3. Click Save to save the new label.
  4. Click Add Label, and set up the label for the PSK user role that you want to use in your WxLAN policy:
    • Label Type—Select AAA Attribute.


      Alternatively, you could create a client label, but AAA Attribute labels are recommended at scale.

    • Label Values—Select User Group.

    • Username Values—Enter a user role to associate with this label.

    In this example, student-psk is the name of the label, and student is the user role.

    Example: Adding a User Group Label
  5. Click Save to save the new label.
  6. Create a WxLAN Policy that assigns users to a VLAN:
    1. From the left menu of the Juniper Mist portal, select Organization > Wireless | WLAN Templates.
    2. Click the template that you want to add the policy to.
    3. In the Policy section, click Add Rule.
    4. In the User area, click the plus sign (+), and then enter the label that you created for the user role (for our example, you'd enter student-psk).
    5. In the Resources area, click the plus sign (+), and then enter the label that you created for the VLAN (for our example, you'd enter vlan5).

      As shown below, the policy assigns these users to the specified VLAN.

      Example: Specifying the User Role and VLAN in a WxLAN Policy
    6. Click Save.
    7. Click the ellipsis button (…) to enable the new rule.
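
The per-site scenario and the VLAN requirement described above can be checked before rollout. The following Python sketch is an added example, not Juniper Mist code and not a use of the Mist API: it models each site's WxLAN rules as a role-to-VLAN map, resolves the effective VLAN with the override behaviour this page describes, and flags rules that target a VLAN the site has not configured. The `Site` class, the function names, the role names, Site Y, and all VLAN IDs are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the behaviour described on this page.
# It is not Juniper Mist code and does not call the Mist API.
from dataclasses import dataclass, field

@dataclass
class Site:
    name: str
    # VLANs configured in the WLAN VLAN list, ETH0 port configuration, or Mist Tunnel
    configured_vlans: set
    # Enabled WxLAN rules: user role (from the PSK) -> VLAN ID of the VLAN label
    wxlan_rules: dict = field(default_factory=dict)

def effective_vlan(site, user_role, other_vlan=None):
    """Return (vlan, source). A matching WxLAN rule overrides any other
    assignment, such as a dynamic VLAN received from RADIUS."""
    if user_role in site.wxlan_rules:
        return site.wxlan_rules[user_role], "wxlan"
    return other_vlan, ("other" if other_vlan is not None else "none")

def audit(sites):
    """Return sorted findings (site, role, issue) for a set of sites."""
    findings = []
    all_roles = set().union(*(s.wxlan_rules for s in sites))
    for s in sites:
        for role, vlan in s.wxlan_rules.items():
            if vlan not in s.configured_vlans:
                findings.append((s.name, role, f"VLAN {vlan} not configured at site"))
        for role in all_roles - set(s.wxlan_rules):
            findings.append((s.name, role, "no WxLAN rule; other VLAN assignment applies"))
    return sorted(findings)

# Constructed sample data: role names and VLAN IDs are made up for this example.
SITE_A = Site("Site A", {10, 20}, {"psk-a": 10, "psk-b": 20})
SITE_X = Site("Site X", {30}, {"psk-a": 30, "psk-b": 40})
SITE_Y = Site("Site Y", {50}, {"psk-a": 50})

if __name__ == "__main__":
    for site in (SITE_A, SITE_X, SITE_Y):
        for role in ("psk-a", "psk-b"):
            print(site.name, role, effective_vlan(site, role, other_vlan=99))
    for finding in audit([SITE_A, SITE_X, SITE_Y]):
        print("FINDING:", finding)
```

The second finding type matters for segmentation reviews: a role with no rule at a site is not overridden there, so its clients land on whatever VLAN RADIUS or the PSK itself assigns.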