Hello everyone! I want to show you how to configure 802.1x authentication with Ruijie and how you can configure dynamic VLAN assignment on Ruijie Cloud. The first step will be authentication with one VLAN and the second will be multiple VLANs. Let's begin!

802.1x Authentication with Ruijie

Now we set up the Active Directory Certificate Services and Network Policy and Access Services. After the installation of the services is finished, we perform the configs of our certificate service.

We open our Network Policy Server and perform the registration process.

Now we select the Radius server for 802.1x wireless or wired connections scenario from the choose bar and we start the 802.1x configs.

Since I will show the VLAN structure later, I set my policy name according to my VLAN ID.

We add a Radius Client. Here, our clients become our APs. We add the local IP of the APs and resolve their IP to verify.

Then, when we enter the information of our Radius server in the portal where we manage our access points, we determine the secret key that it will ask us for.

We continue when we see the name of the client we added in the list.

We choose our Authentication method.

We add the group we created earlier in Active Directory. And we finish the network policy setup.

We go to our management portal to make the configs on the access point side. In this scenario, I manage my Ruijie products in the Ruijie Cloud, since we perform the Ruijie Radius integration.

Now we adjust the Configuration>>Basic>>SSID settings.

Finally, we enter our Radius server information.

NOTE: Do not forget to disable the Windows firewall on the server. If you do not want to disable it, you need to write a rule for the relevant ports.

As of now, you can connect to the SSID you defined and log out to the internet with the user names and passwords you defined for the group's members (users) that will provide wireless connection with this policy.

Let's continue to defining more than one VLAN with the same SSID process.
DYNAMIC VLAN ASSIGNMENT IN RUIJIE

Our VLANs communicate with APs broadcasting SSIDs via Network Policy. We need to configure the policy separately for each VLAN and configure the VLAN IDs and settings such as the group where the users to be connected with that VLAN are defined. In the scenario we did above, we did not make these settings because we created a network with only native VLANs.

This time we will configure our network policy, which we previously created with the native VLAN, with VLAN settings with ID 70. You can also create the network policy that you will create for each VLAN you define as native and then configure it for the relevant VLAN.

Network Policy Side

Policies>>Network Policies>> We enter the relevant policy and add new ones to the standard Radius attributes.

Tunnel-Medium-Type

Tunnel-Pvt-Group-ID: The attribute where we define our VLAN ID. I added my VLAN with ID 70. You will also enter the ID you defined on the gateway and switch side in this section.

Tunnel-Type

After adding this, we choose apply and we move on to the operations on the AP side.

Ruijie Side

First of all, we open the Ruijie APs because the SSH service is disabled by default, by entering the interface of the AP directly: Maintenance>>System>>Telnet>>SSH Services

Here we also set the admin password used when making the SSH connection.

After the SSH connection is established, we enter the following commands.

    config ter
    vlan range 2-10
    vlan-group 10
    vlan-assign-mode dot1x
    vlan-list 1-10
    default-vlan 1
    int gi 0/1.1
    encapsulation dot1Q group 10
    ip dhcp snooping trust
    interface dot11radio 1/0.1
    no encapsulation
    encapsulation dot1Q group 10
    interface dot11radio 2/0.1
    no encapsulation
    encapsulation dot1Q group 10
    end
    wr

NOTE: Enter the vlan range and vlan list commands considering your VLAN IDs.

We can see if our commands are working or not by entering the interface of the AP and checking whether the VLAN list is defined or not.
In the image below, because I configured the vlan list as 1-100, up to 100 VLANs were defined.

Or we can see the VLAN list with the show vlan group command.

If you want to make this config on all your APs via Ruijie Cloud: when we do Configuration>>Basic>>Advanced Setting>>CLI Command>>Add and select the models of the devices that we want to apply the config to in the window that opens, and then enter the commands with one command on each line, the config will be applied on all the devices you select through those commands.

And it is done. Now, there will be one SSID and when the user logs in with his credential, with the NPC we assign to the user and group that we have opened in Active Directory, he will be able to access the internet from the relevant VLAN.

I hope I could help.

Kind Regards / Adnan AKBEL
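Added example, not part of the original post and not Ruijie or Microsoft code: a Python check that parses a RADIUS Access-Accept for the three tunnel attributes the post adds in NPS and confirms the VLAN ID falls inside the AP's vlan-list. The attribute numbers (64, 65, 81) and the values 13 (VLAN) and 6 (802) come from RFC 2868 and RFC 3580; the function names and the sample packet are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2868; required values from RFC 3580 (VLAN = 13, 802 = 6).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def assigned_vlan(packet, vlan_list):
    """Return the VLAN ID; raise ValueError if the reply is incomplete or out of range."""
    attrs = parse_attributes(packet)
    # Tunnel-Type and Tunnel-Medium-Type carry one tag byte plus a 3-byte value.
    for atype, want in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        value = attrs.get(atype, b"")
        if len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            raise ValueError("attribute %d missing or not set for VLAN use" % atype)
    group = attrs.get(TUNNEL_PVT_GROUP_ID, b"")
    if group and group[0] <= 0x1F:          # optional tag byte precedes the string
        group = group[1:]
    vlan = int(group.decode("ascii"))       # non-numeric or empty ID raises ValueError
    if vlan not in vlan_list:
        raise ValueError("VLAN %d is outside the AP vlan-list" % vlan)
    return vlan

def build_accept(vlan_id, with_medium=True):
    """Constructed sample Access-Accept (code 2, zeroed authenticator), not a capture."""
    attrs = bytes([TUNNEL_TYPE, 6, 0]) + TYPE_VLAN.to_bytes(3, "big")
    if with_medium:
        attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + MEDIUM_802.to_bytes(3, "big")
    gid = str(vlan_id).encode("ascii")
    attrs += bytes([TUNNEL_PVT_GROUP_ID, 2 + len(gid)]) + gid
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs
```

With the post's VLAN 70, `assigned_vlan(build_accept(70), range(1, 101))` returns 70, while a vlan-list of 1-10 raises, which is the mismatch the post's NOTE about the vlan range and vlan list commands guards against.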
Wonderfully Sharing!!!!!👍👍👍

Thank you for sharing. Can you show how to customize the Ruijie login form?

Dario Vindas replied at 2023-6-14 19:28
Hi sir, may I know your detailed demand?

Can I enable PPSK as well with 802.1x? If yes, then do you have a doc for that?

nbctcp bun replied at 2024-7-24 13:59
Dear sir,
Unfortunately, we currently don't have a related doc about this, and PPSK and 802.1x cannot be enabled at the same time.
Best regards, Ross