Configure a Network Policy for VLANs

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Use this procedure to configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

You can use the following procedure to create a network policy that assigns users to a VLAN. This procedure is provided as a guideline; your network configuration might require different settings than those provided below.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure a network policy for VLANs

  1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

  3. In the policy Properties dialog box, click the Settings tab.

  4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.

  5. In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.

  6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:

    1. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).

    2. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.

    3. Tunnel-Type. Select Virtual LANs (VLAN).

  7. In Add Standard RADIUS Attribute, click Close.

  8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy. Add the attribute as follows:

    1. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.

    2. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

    3. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.

    4. In Attribute value, type the value that you obtained from your hardware documentation.
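
To verify what the policy sends to the NAS, the following Python check parses the attribute section of a RADIUS Access-Accept and confirms that the three VLAN attributes from step 6 arrive as a consistent set. It is an added example, not part of the original procedure or any Microsoft code. Attribute numbers and values follow RFC 2868 and RFC 3580; the function names, the sample bytes, and the expectation of medium type 802 are assumptions for illustration.

```python
# Attribute numbers and values from RFC 2868 and RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # assumed policy: 13 = VLAN, 6 = 802

def parse_attributes(blob):
    """Split a RADIUS attribute section into (type, value-bytes) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def check_vlan_assignment(attrs):
    """Return (vlan_id or None, list of problems) for an Access-Accept."""
    found, problems = {}, []
    for atype, value in attrs:
        if atype in EXPECTED and len(value) == 4:
            # One tag byte, then a 3-byte big-endian integer.
            found[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PVT_GROUP_ID and value:
            # A first byte of 0x1F or less is a tag; otherwise it is text.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[atype] = (tag, text.decode("ascii", "replace"))
    for atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
        if atype not in found:
            problems.append(f"attribute {atype} missing or malformed")
    for atype, want in EXPECTED.items():
        if atype in found and found[atype][1] != want:
            problems.append(f"attribute {atype} is {found[atype][1]}, expected {want}")
    vlan = None
    if TUNNEL_PVT_GROUP_ID in found:
        text = found[TUNNEL_PVT_GROUP_ID][1]
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan = int(text)
        else:
            problems.append(f"VLAN ID {text!r} is not an integer in 1-4094")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tunnel attributes carry different tags")
    return vlan, problems

def attr(atype, value):  # encode one attribute as type, length, value
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: attribute section of an Access-Accept placing a user on VLAN 20.
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"20")
# Constructed sample: Tunnel-Type left out and a non-numeric group ID.
BAD = attr(65, b"\x00\x00\x00\x06") + attr(81, b"staff")
```

Calling `check_vlan_assignment(parse_attributes(GOOD))` returns VLAN 20 with no problems, while the `BAD` sample reports the missing Tunnel-Type and the non-numeric VLAN ID.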