How-to: VLAN Assignment in UCS via RADIUS

How-to:

VLAN Assignment in UCS via RADIUS: Computer Authentication vs. MAC Authentication Bypass (MAB)

Summary:

This article explains the differences and configuration options for VLAN assignment in Univention Corporate Server (UCS) when using RADIUS authentication, specifically addressing:

  • VLAN assignment via 802.1X Computer Authentication (host/…$)
  • VLAN assignment via MAC Authentication Bypass (MAB)
  • Typical pitfalls when mixing both approaches
  • Required UCS and switch-side configurations for MAB-enabled clients (e.g., printers, IP devices)

Background:

During testing of automated WLAN distribution using UCS RADIUS integration, administrators may notice that VLAN assignment via computer group membership does not work when using 802.1X Computer Authentication.

This behavior often leads to confusion because the Univention documentation section “Assign VLAN ID to Computer” only applies to MAC Authentication Bypass (MAB), not to 802.1X authentication.


Scenario 1: VLAN Assignment with 802.1X Computer Authentication

Observed Behavior:

When using 802.1X Computer Authentication (e.g., host/COMPUTERNAME$), the VLAN assignment configured on the computer object is ignored.
The administrator expected the VLAN ID defined in the group membership of the computer to be applied.

Root Cause:

The referenced documentation applies only to MAB, not to 802.1X authentication.
In UCS, VLAN assignment via the computer object (Virtual LAN ID property) is evaluated only during MAC-based authentication.

When a client authenticates via 802.1X (PEAP/MSCHAPv2), the RADIUS server uses the user or group context of the authentication identity and not the computer object.


Solutions:

Option 1: Device-Based VLAN Assignment (MAC Authentication Bypass)

This method should be used only if 802.1X authentication is not possible or not desired.

Configuration Steps:

  1. Enable MAC Authentication Bypass (MAB):

    ucr set freeradius/conf/allow-mac-address-authentication=true
    systemctl restart freeradius
    
  2. Create a VLAN Group:

    • Create a standard UCS group (e.g., VLAN-20-Teachers).
    • In the group’s RADIUS tab, define the VLAN ID (e.g., 20).
  3. Assign VLAN Group to Device:

    • Edit the computer object.
    • Under Advanced settings → Groups, add the VLAN group via the “Virtual LAN ID” object property, not as a standard group membership.

Important Notes:

  • This configuration is only valid for MAB. It will not apply to 802.1X computer authentications.

  • If multiple VLAN groups are assigned, the lowest VLAN ID takes precedence.

  • If no VLAN group is assigned, the default VLAN defined by the UCR variable freeradius/vlan-id will be used; its current value is shown by:

    ucr get freeradius/vlan-id

  • Ensure that your network switch or WLAN controller supports MAB and that it is enabled on the relevant ports.

Option 2: User-Based VLAN Assignment (802.1X Authentication)

When 802.1X authentication (e.g., PEAP/MSCHAPv2) is used, VLAN assignment is processed at the user/group level, not at the computer level.

Configuration Steps:

  1. Define VLAN IDs on the respective user groups (RADIUS tab → Virtual LAN ID).
    Example groups:

    • Lehrer (Teachers)
    • Verwaltung (Administration)
  2. Assign users to the appropriate groups.

  3. Optionally define a fallback VLAN ID:

    ucr set freeradius/vlan-id=<default_vlan_id>
    

To use device-based VLAN assignment instead, a deliberate switch to MAB must be made.


Scenario 2: MAB Authentication Differences Between IP Clients and Windows Workstations

An IP client and a Windows workstation were both added to UCS with their respective MAC addresses.
Both were assigned to a VLAN group.
RADIUS requests showed the following behavior:

  • IP Client aa:bb:cc:dd:ee:ff: authentication rejected
  • Windows Workstation ff:ee:dd:cc:bb:aa: authentication accepted

Explanation:

This is expected behavior and not a UCS malfunction.

  • IP clients (such as printers or embedded devices) using MAB are handled differently from Windows machines performing 802.1X authentication.
  • MAB devices do not automatically inherit VLAN assignments from user/group memberships unless MAB-specific configuration is in place.
  • Windows devices that authenticate via 802.1X (using host/<computername>$) are processed through LDAP user/group contexts and therefore receive VLAN assignments as expected.

Scenario 3: Enabling VLAN Assignment for IP Clients via MAB

Administrators may wish to assign VLANs to non-802.1X-capable devices such as printers or IP phones using MAC Authentication Bypass (MAB).

Solution: Enabling MAB in UCS

  1. Enable MAB Support in FreeRADIUS:

    ucr set freeradius/conf/allow-mac-address-authentication=true
    systemctl restart freeradius
    
  2. Define MAC Address:

    • Add the device as a UCS computer or IP client.

    • Set the macAddress attribute in lowercase with colons, e.g.:

      aa:bb:cc:dd:ee:ff
      
  3. Assign VLAN Group:

    • Create a group with the desired VLAN ID in the RADIUS tab.
    • Add the IP client as a group member.
  4. Optional: Define a Default VLAN (Fallback):

    ucr set freeradius/vlan-id=<ID>
    
  5. Restart FreeRADIUS:

    systemctl restart freeradius
    

Password Considerations for MAB

All devices using MAC Authentication Bypass share a common password, as per switch configuration.
UCS does not store or evaluate individual credentials for MAB clients.

  • The switch must use the same global MAB password for all MAC-authenticated devices.

  • Example configuration:

    mab request format attribute 2 password1
    
  • To adjust the username/password format, Cisco switches support the following:

    mab request format attribute 1 groupsize 2 separator : lowercase
    

    This corresponds to the “Configurable MAB Username and Password” option described in Cisco documentation.
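An added helper (my example, not part of this article, of UCS or of FreeRADIUS) for the two format rules above: it normalizes a MAC into the lowercase colon form required for the macAddress attribute, rebuilds the User-Name a Cisco switch generates from the "mab request format attribute 1" settings, and checks that both agree; it also tells host/NAME$ identities apart from MAC identities. The Cisco group sizes 1/2/4/12 and separators "-", ":" and "." are assumed from the command syntax, as is the host/NAME$ pattern.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Turn aabb.ccdd.eeff (Cisco), AA-BB-CC-DD-EE-FF, AABBCCDDEEFF or aa:bb:cc:dd:ee:ff
    into the lowercase, colon-separated form UCS expects in the macAddress attribute."""
    digits = re.sub(r"[-:.\s]", "", raw.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_username(mac: str, groupsize: int = 2, separator: str = ":", lowercase: bool = True) -> str:
    """Rebuild the RADIUS User-Name a Cisco switch sends for MAB under
    'mab request format attribute 1 groupsize <n> separator <s> lowercase|uppercase'.
    Group sizes 1/2/4/12 and separators - : . are assumed from Cisco's syntax (12 = no separator)."""
    if groupsize not in (1, 2, 4, 12) or separator not in ("-", ":", "."):
        raise ValueError("unsupported groupsize/separator")
    digits = normalize_mac(mac).replace(":", "")
    digits = digits if lowercase else digits.upper()
    if groupsize == 12:
        return digits
    return separator.join(digits[i:i + groupsize] for i in range(0, 12, groupsize))


def switch_format_matches_ucs(stored_mac: str, groupsize: int, separator: str, lowercase: bool) -> bool:
    """True when the switch's MAB User-Name is byte-for-byte what UCS stores in macAddress.
    A mismatch (uppercase, dashes, dotted quads) is the first thing to check when an
    otherwise correctly configured MAB client gets an Access-Reject."""
    return mab_username(stored_mac, groupsize, separator, lowercase) == stored_mac


def classify_identity(user_name: str) -> str:
    """Which VLAN-assignment path from this article a RADIUS User-Name takes:
    host/NAME$ is 802.1X computer authentication (VLAN from the user/group context),
    a MAC-shaped name is MAB (VLAN from the computer object's Virtual LAN ID)."""
    if re.fullmatch(r"host/[^/\s]+\$", user_name):
        return "802.1X computer authentication"
    try:
        normalize_mac(user_name)
        return "MAB"
    except ValueError:
        return "802.1X user authentication"


# Constructed sample: the article's printer MAC as a Cisco switch would display it.
STORED = normalize_mac("AABB.CCDD.EEFF")  # -> "aa:bb:cc:dd:ee:ff"
```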


Summary of Key Differences

  Aspect                    | 802.1X Authentication                 | MAC Authentication Bypass (MAB)
  --------------------------+---------------------------------------+--------------------------------------
  Authentication identity   | host/<computername>$ (Kerberos/LDAP)  | Device MAC address
  VLAN assignment source    | User/Group (RADIUS tab)               | Computer Object “Virtual LAN ID”
  Default fallback          | freeradius/vlan-id                    | freeradius/vlan-id
  Password mechanism        | Per-user (LDAP-based)                 | Shared password on switch
  Typical use case          | Workstations, managed clients         | Printers, IP phones, embedded devices

Conclusion

  • For 802.1X authentication, VLAN assignment must be configured per user or group.
  • For non-802.1X-capable devices, enable MAB and configure VLAN assignment via computer object and VLAN group.
  • Always ensure MAC format correctness and switch compatibility when implementing MAB.
  • The combination of both methods provides full flexibility for mixed environments with managed workstations and unmanaged network devices.