Feature Guide

Dynamic VLAN Assignment

Automatically place authenticated users and devices into the correct network segment based on their identity, role, or group membership.

Overview

Dynamic VLAN assignment allows NetKey to instruct the wireless controller or switch to place an authenticated client into a specific VLAN. This enables powerful network segmentation without managing multiple SSIDs.

  • Single SSID - One SSID, multiple VLANs based on user identity
  • Zero-Trust Segmentation - Enforce least-privilege network access
  • Automatic - No manual configuration per device
  • Scalable - Works with thousands of users and devices

How It Works

  1. User Connects - Client connects to WiFi and authenticates
  2. RADIUS Auth - Controller sends authentication to NetKey
  3. VLAN Lookup - NetKey determines VLAN based on identity
  4. Accept + VLAN - NetKey returns Access-Accept with VLAN attributes
  5. Client Placed - Controller assigns client to the specified VLAN

RADIUS VLAN Attributes

NetKey returns these standard RFC 2868 attributes for VLAN assignment:

RADIUS Response Attributes
Tunnel-Type = VLAN                    # Attribute 64
Tunnel-Medium-Type = IEEE-802         # Attribute 65
Tunnel-Private-Group-ID = "100"       # Attribute 81 (VLAN ID)

Attribute                Value            Description
-----------------------  ---------------  --------------------------
Tunnel-Type              13 (VLAN)        Indicates VLAN tunneling
Tunnel-Medium-Type       6 (IEEE-802)     802.1Q VLAN tagging
Tunnel-Private-Group-ID  VLAN ID or Name  The actual VLAN identifier

NetKey Configuration

Per-PSK VLAN Assignment

Assign VLANs to individual PSKs for different users.

  1. Navigate to PSKs in the sidebar
  2. Click Create PSK or edit an existing one
  3. Set the VLAN ID field:

     Name: John's PSK
     Passphrase: Generated or custom
     VLAN ID: 100

Per-Endpoint VLAN Assignment

Assign VLANs to individual endpoints (devices) for iPSK.

  1. Navigate to Clients in the sidebar
  2. Click Add Client or edit an existing endpoint
  3. Configure the endpoint with VLAN:

     MAC Address: aa:bb:cc:dd:ee:ff
     Description: Printer - Finance
     VLAN ID: 300

Endpoint Group VLAN Assignment

Assign VLANs at the group level for easier management.

  1. Navigate to Groups in the sidebar
  2. Create or edit an Endpoint Group:

     Group Name: IoT Devices
     Default VLAN: 400

VLAN Priority

If both endpoint and group have VLANs set, the endpoint's VLAN takes precedence.

VLAN via API

Set VLAN assignments programmatically using the NetKey API.

Create PSK with VLAN

curl
curl -X POST "https://api.netkey.no/v1/psk" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Guest User 1",
    "passphrase": "SecurePass123!",
    "vlan_id": 100,
    "ssid": "Corporate-WiFi"
  }'

Create Endpoint with VLAN

curl
curl -X POST "https://api.netkey.no/v1/endpoints" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mac_address": "aa:bb:cc:dd:ee:ff",
    "name": "Conference Room TV",
    "passphrase": "SecurePass456!",
    "vlan_id": 300,
    "group_id": "iot-devices"
  }'

Update VLAN

curl
curl -X PUT "https://api.netkey.no/v1/endpoints/{id}" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "vlan_id": 400
  }'
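The "Automate with API" and "Plan for quarantine" practices further down come together in a bulk re-assignment job: move a list of endpoints to a new VLAN with the PUT call shown above. The script below is an added example and not NetKey's own tooling. The base URL, the `PUT /v1/endpoints/{id}` call and the `vlan_id` field are the ones documented on this page; the CSV layout, the endpoint IDs, the `NETKEY_API_KEY` variable name and the dry-run behaviour are assumptions made for the example. It validates every VLAN ID before anything is sent, keeps the API key out of the source, and produces the change set for review first.

```python
import csv
import io
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.netkey.no/v1"   # as documented on this page

# Constructed input: one row per endpoint to move. The column names and the
# endpoint IDs are assumptions of this example.
MOVES_CSV = """endpoint_id,vlan_id
ep-0001,400
ep-0002,400
ep-0003,300
"""


def validate_vlan_id(value):
    """Accept a VLAN ID in the 802.1Q range 1-4094 and reject anything else
    before it reaches the API (the 'typos in VLAN ID' troubleshooting item)."""
    vlan = int(str(value).strip())          # raises ValueError on non-numeric input
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID %d out of range 1-4094" % vlan)
    return vlan


def plan_updates(csv_text):
    """Turn the CSV into (endpoint_id, method, url, body) tuples without
    touching the network, so the change set can be reviewed before it runs."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        endpoint_id = row["endpoint_id"].strip()
        if not endpoint_id:
            raise ValueError("empty endpoint id in row %r" % row)
        vlan = validate_vlan_id(row["vlan_id"])
        # Quote the id so it can never alter the path of the request
        url = "%s/endpoints/%s" % (API_BASE, urllib.parse.quote(endpoint_id, safe=""))
        plan.append((endpoint_id, "PUT", url, {"vlan_id": vlan}))
    return plan


def apply_updates(plan, api_key, dry_run=True):
    """Send each planned PUT. With dry_run=True nothing is sent and the planned
    change is returned instead, which is also what gets logged for audit."""
    results = []
    for endpoint_id, method, url, body in plan:
        if dry_run:
            results.append((endpoint_id, "dry-run", body["vlan_id"]))
            continue
        request = urllib.request.Request(
            url,
            data=json.dumps(body).encode("utf-8"),
            method=method,
            headers={
                "Authorization": "Bearer " + api_key,
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(request, timeout=10) as response:
            results.append((endpoint_id, response.status, body["vlan_id"]))
    return results


if __name__ == "__main__":
    # The key comes from the environment, never from the script or the CSV;
    # without a key the run stays a dry run and only prints the plan.
    key = os.environ.get("NETKEY_API_KEY", "")
    for result in apply_updates(plan_updates(MOVES_CSV), key, dry_run=not key):
        print(result)
```

Because the plan is built separately from the send step, the same CSV can be reviewed in a change ticket, executed, and later compared against Auth Logs to confirm each endpoint is being returned the VLAN it was moved to.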

Controller Configuration

The wireless controller must be configured to accept VLAN assignments from RADIUS.

Cisco WLC 9800

Enable AAA Override in the WLAN policy profile:

IOS-XE
wireless profile policy corp-policy
 aaa-override
 vlan-name default-vlan
 vlan VLAN0100
 vlan VLAN0200
 vlan VLAN0300

Cisco AireOS

Configure Interface Groups and enable AAA Override:

AireOS CLI
config interface group create dynamic-vlans
config interface group interface add dynamic-vlans vlan100
config interface group interface add dynamic-vlans vlan200
config interface group interface add dynamic-vlans vlan300
config wlan interface-group 1 dynamic-vlans
config wlan aaa-override enable 1

Aruba Controller

VLANs are returned via user-role or VLAN attribute:

ArubaOS
aaa authentication dot1x "netkey-auth"
    server-group "netkey-servers"
    enable
    
aaa profile "netkey-aaa"
    authentication-dot1x "netkey-auth"
    vlan-derivation-rules enable

UniFi

Enable VLAN Support in the RADIUS Profile:

  1. Go to Settings → Profiles → RADIUS
  2. Edit your NetKey RADIUS profile
  3. Enable "VLAN Support"
  4. Ensure VLANs exist in Settings → Networks

Common Use Cases

Corporate Network Segmentation

User/Device Type  VLAN  Access Level
----------------  ----  -------------------------------
Employees         100   Full corporate resources
Contractors       150   Limited access, no file shares
Guest WiFi        200   Internet only
IoT Devices       300   Isolated, cloud access only
Security Cameras  400   NVR access only

Education

Role           VLAN  Access Level
-------------  ----  ----------------------------
Staff          10    Admin systems, printers
Students       20    Internet, learning platforms
Lab Equipment  30    Lab network only
Guest          99    Internet only

Best Practices

Planning

  • Document your VLAN scheme - Create a map of VLANs to roles/purposes
  • Use consistent VLAN IDs - Same VLAN IDs across all sites
  • Set default VLANs - Configure fallback VLAN for unassigned users
  • Test before production - Verify VLAN assignment in a test environment

Security

  • Implement firewall rules - Block inter-VLAN traffic where not needed
  • Use least privilege - Start restrictive, grant access as needed
  • Monitor VLAN changes - Log and alert on VLAN assignments
  • Regular audits - Review VLAN assignments periodically

Operations

  • Use groups for scale - Assign VLANs at group level when possible
  • Automate with API - Integrate with provisioning systems
  • Plan for quarantine - Have a restricted VLAN for compromised devices

Troubleshooting

  • Check NetKey Auth Logs to verify returned VLAN ID
  • Verify AAA Override is enabled on controller
  • Ensure VLAN exists on controller and switch infrastructure
  • Check for typos in VLAN ID configuration
  • Verify VLAN is configured on the PSK/Endpoint in NetKey
  • Check that controller supports dynamic VLAN (some AP modes don't)
  • Verify Tunnel attributes are being returned by NetKey
  • Some controllers require the VLAN to be pre-created before it can be assigned
  • Verify DHCP is available on the assigned VLAN
  • Check DHCP relay/helper on the network infrastructure
  • Ensure VLAN is allowed on switch port trunks to APs
  • Verify SVI/gateway exists for the VLAN
  • Check switch port configuration for each AP
  • Verify all required VLANs are allowed on trunk ports
  • Ensure consistent controller configuration across all APs
  • Check for AP firmware differences

Viewing VLAN Assignments

Monitor VLAN assignments in NetKey Auth Logs.

  1. Navigate to Auth Logs in the sidebar
  2. Click on an authentication entry to see details
  3. Look for the Reply Attributes section showing:

     • Tunnel-Type
     • Tunnel-Medium-Type
     • Tunnel-Private-Group-ID (VLAN ID)
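Reading one Auth Log entry at a time covers a single complaint; the "Monitor VLAN changes" and "Regular audits" practices call for the same check run over the whole log. The script below is an added example, not a NetKey feature: it applies the VLAN Priority rule from this page (endpoint VLAN, else the group's default VLAN) to derive the VLAN each client should have received, reads the three reply attributes the Auth Logs show, and raises an alert when the attributes are missing or incomplete, when the returned VLAN is not the expected one, or when a client's VLAN differs from its previous authentication. The inventory, the log records and their field layout (`time`, `mac`, `result`, `reply_attributes`) are constructed for the example; only the reply attribute names come from the page.

```python
import json

# Inventory as this page describes it (constructed). An endpoint VLAN beats
# its group's default VLAN, per the VLAN Priority note above.
ENDPOINTS = {
    "aa:bb:cc:dd:ee:ff": {"description": "Printer - Finance", "vlan_id": 300, "group_id": "iot-devices"},
    "11:22:33:44:55:66": {"description": "Conference Room TV", "vlan_id": None, "group_id": "iot-devices"},
    "de:ad:be:ef:00:01": {"description": "Unlabelled sensor", "vlan_id": None, "group_id": None},
}
GROUPS = {"iot-devices": {"default_vlan": 400}}

# Constructed Auth Log records as JSON lines; the record layout is an
# assumption of this example, the reply attribute names are NetKey's.
AUTH_LOG = [
    '{"time": "2024-01-01T08:00:01Z", "mac": "aa:bb:cc:dd:ee:ff", "result": "Access-Accept",'
    ' "reply_attributes": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "300"}}',
    '{"time": "2024-01-01T08:00:05Z", "mac": "11:22:33:44:55:66", "result": "Access-Accept",'
    ' "reply_attributes": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "400"}}',
    '{"time": "2024-01-01T08:01:10Z", "mac": "de:ad:be:ef:00:01", "result": "Access-Accept",'
    ' "reply_attributes": {}}',
    '{"time": "2024-01-01T09:30:00Z", "mac": "AA:BB:CC:DD:EE:FF", "result": "Access-Accept",'
    ' "reply_attributes": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "200"}}',
    '{"time": "2024-01-01T09:31:00Z", "mac": "11:22:33:44:55:66", "result": "Access-Accept",'
    ' "reply_attributes": {"Tunnel-Type": "VLAN", "Tunnel-Private-Group-ID": "400"}}',
    '{"time": "2024-01-01T09:32:00Z", "mac": "11:22:33:44:55:66", "result": "Access-Reject",'
    ' "reply_attributes": {}}',
]


def expected_vlan(mac):
    """Apply the precedence rule: endpoint VLAN, else group default, else None."""
    endpoint = ENDPOINTS.get(mac.lower())
    if endpoint is None:
        return None
    if endpoint.get("vlan_id") is not None:
        return str(endpoint["vlan_id"])
    group = GROUPS.get(endpoint.get("group_id") or "", {})
    if group.get("default_vlan") is not None:
        return str(group["default_vlan"])
    return None


def returned_vlan(reply):
    """VLAN the controller will apply from the reply attributes, or None when
    Tunnel-Type or Tunnel-Medium-Type is absent or wrong (the controller then
    ignores the group ID and uses its default VLAN)."""
    if reply.get("Tunnel-Type") != "VLAN" or reply.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    return reply.get("Tunnel-Private-Group-ID")


def audit(log_lines):
    """Return (time, mac, kind, detail) alerts for accepted sessions whose
    returned VLAN is missing, unexpected, or different from the client's
    previous authentication. Rejects carry no VLAN and are skipped."""
    alerts, last_vlan = [], {}
    for line in log_lines:
        record = json.loads(line)
        if record.get("result") != "Access-Accept":
            continue
        mac = record["mac"].lower()
        got = returned_vlan(record.get("reply_attributes", {}))
        want = expected_vlan(mac)
        if want is None and got is None:
            alerts.append((record["time"], mac, "no_vlan",
                           "no VLAN configured in NetKey; controller default VLAN applies"))
        elif got is None:
            alerts.append((record["time"], mac, "missing_attributes",
                           "expected VLAN %s but tunnel attributes absent or incomplete" % want))
        elif got != want:
            alerts.append((record["time"], mac, "mismatch",
                           "returned VLAN %s, expected %s" % (got, want)))
        if mac in last_vlan and last_vlan[mac] != got:
            alerts.append((record["time"], mac, "changed",
                           "VLAN changed from %s to %s" % (last_vlan[mac], got)))
        last_vlan[mac] = got
    return alerts


if __name__ == "__main__":
    for alert in audit(AUTH_LOG):
        print(*alert, sep="  ")
```

The "no_vlan" case is the one the "Set default VLANs" practice addresses: an accepted client with no VLAN anywhere in NetKey is not an error, but it lands wherever the controller's default VLAN points, which is worth knowing before that default is a corporate segment.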