
Dynamic VLAN Assignment with Windows NPS and Cisco IOS - Markdown Documentation

Dynamic VLAN Assignment with Windows NPS and Cisco WS-C2960S

This document describes how to implement dynamic VLAN assignment on Cisco switches (WS-C2960S-48FPS-L) using 802.1X, RADIUS (Windows Network Policy Server), and fallback methods (MAB). It includes NPS policy attribute examples, Cisco IOS switch configuration, testing and troubleshooting steps, and best practices.


Overview

Dynamic VLAN assignment lets the network place users and devices into the correct VLAN automatically after authentication. The authenticator (switch) sends authentication requests to the RADIUS server (Windows NPS). When authentication succeeds, NPS returns RADIUS attributes that instruct the switch which VLAN to place the port into.

Key concepts:

  • 802.1X: Port-based authentication for devices that support it.
  • RADIUS (NPS): Authenticates users/devices and returns VLAN assignment attributes.
  • MAB (MAC Authentication Bypass): Fallback for devices that lack 802.1X.
  • Dynamic VLAN attributes: Tunnel-Type, Tunnel-Medium-Type, Tunnel-PVT-Group-ID (VLAN ID) and related Service-Type values.


VLANs and Addresses (example for this site)

  • Infrastructure VLAN: 1 (management, switches, routers)
  • Admin VLAN: 10
  • Sales VLAN: 20
  • Engineering VLAN: 30
  • Guest VLAN: 40
  • VoIP VLAN: 50
  • Printers VLAN: 60

Windows NPS / DHCP server: 10.4.27.5
Router/gateway SVI per VLAN: 10.4.xx.1 (as previously defined)


Windows NPS Configuration (step-by-step)

1. Install and prepare NPS

  • Add the Network Policy and Access Services role and install NPS.
  • Register NPS in Active Directory if you will use AD credentials.

2. Add RADIUS client (your switch)

  • In NPS console: RADIUS Clients and Servers → RADIUS Clients → New
  • Friendly name: Switch2960-01
  • Address (IP): management IP of the switch or switch stack
  • Shared secret: choose a strong secret (must match switch config)

3. Create Connection Request Policy (optional)

  • If you need request-time routing or vendor conditions, create a connection request policy that forwards to the correct network policy.

4. Create Network Policy(s)

  • Create one Network Policy per group or class of devices/users you want to place into a VLAN.
  • Conditions: e.g., Windows Groups, NAS Port Type, or Machine Authentication.
  • Grant Access: Access granted on success.

5. Configure RADIUS Attributes to return dynamic VLAN

Under the policy’s Constraints or Settings (depending on server version), add the RADIUS attributes shown below. The critical attributes for Cisco dynamic VLAN assignment are:

  • Service-Type = Framed (NPS labels this value "Framed"; many RADIUS dictionaries call the same value "Framed-User")
  • Tunnel-Type = VLAN
  • Tunnel-Medium-Type = 802 (value 6 for IEEE 802)
  • Tunnel-PVT-Group-ID = the VLAN ID (example: 20)

Example attribute set to assign a user to VLAN 20:

  • Service-Type = Framed-User
  • Tunnel-Type = VLAN
  • Tunnel-Medium-Type = 6
  • Tunnel-PVT-Group-ID = 20

Notes:

  • Some switches/vendors require Tunnel-Private-Group-ID or a Vendor-Specific Attribute (VSA) variant. For Cisco IOS, the standard Tunnel-* attributes above are accepted by many models, and NPS supports them via the Tunnel-PVT-Group-ID element.
  • If your switch requires vendor-specific attributes, configure the appropriate VSA; many deployments use the standard Tunnel attributes and succeed.


Example NPS Policy Mapping Table

| Policy name  | Match condition         | Returned VLAN attributes                                        |
|--------------|-------------------------|-----------------------------------------------------------------|
| Admin-802.1X | AD Group: Admins        | Tunnel-Type=VLAN; Tunnel-Medium-Type=6; Tunnel-PVT-Group-ID=10 |
| Guest-802.1X | AD Group: Guests        | Tunnel-Type=VLAN; Tunnel-Medium-Type=6; Tunnel-PVT-Group-ID=40 |
| MAB-Printers | MAC list / device group | Tunnel-Type=VLAN; Tunnel-Medium-Type=6; Tunnel-PVT-Group-ID=60 |

Cisco Switch Configuration (IOS): 802.1X + MAB + Dynamic VLAN

Replace 10.4.27.5 and YourSecret with your NPS server IP and shared secret.

1. Global RADIUS / AAA and 802.1X

aaa new-model
radius server NPS1
 address ipv4 10.4.27.5 auth-port 1812 acct-port 1813
 key YourSecret

aaa group server radius NPS_GROUP
 server name NPS1

aaa authentication dot1x default group NPS_GROUP
aaa authorization network default group NPS_GROUP
dot1x system-auth-control

2. Enable MAB and 802.1X on access ports (example)

interface range GigabitEthernet0/1 - 24
 switchport mode access
 ! VLAN 1 is the initial guest or fallback VLAN
 switchport access vlan 1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

Notes:

  • switchport access vlan 1 sets a fallback VLAN while authentication is in progress or if no assignment is returned.
  • authentication host-mode multi-auth allows multiple hosts on the same port (useful for phones + PC).
  • authentication order and authentication priority control whether 802.1X or MAB is attempted first.

3. Optional: Enable VLAN assignment from RADIUS

Most modern IOS releases accept the Tunnel attributes returned by NPS and will dynamically set the access VLAN. No extra IOS CLI is required beyond enabling 802.1X and RADIUS auth/authorization. If your platform requires explicit fallback or mappings, configure authentication event fail action authorize vlan <vlan>.

Example to place port into a fallback VLAN on failure:

interface GigabitEthernet0/1
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1

4. Save configuration

write memory

MAC Authentication Bypass (MAB) specifics

  • For devices without 802.1X (printers, cameras), enable mab on the port.
  • NPS must be configured to accept MAC as username (commonly macaddress$) and authorize it via group or a static list.
  • MAB authentication typically uses the device MAC as the username and a shared secret as password or pre-provisioned account in AD/NPS.

DHCP and IP assignment after VLAN change

  • When the switch places the port into the assigned VLAN, the client needs to release/renew DHCP to receive an IP in the new subnet.
  • Ensure DHCP scopes exist for each VLAN on the DHCP server (10.4.27.5) and that the router has ip helper-address 10.4.27.5 configured on each VLAN interface.

Testing and Validation

  1. Verify RADIUS reachability from the switch:
    test aaa group NPS_GROUP username <testuser> password <password> legacy
    
  2. On the switch, view authentication status:
    show authentication sessions interface GigabitEthernet0/1
    show dot1x all
    
  3. On NPS, check logs for Access-Accept and returned attributes.
  4. Confirm the port VLAN after authentication:
    show interface GigabitEthernet0/1 switchport
    
  5. Confirm client received DHCP address in correct subnet and has internet access.

Troubleshooting Tips

  • If VLAN is not assigned, check NPS logs to confirm the Tunnel attributes were sent in the Access-Accept.
  • If NPS does not show the expected attributes, ensure they were added under the correct Network Policy and that the policy matched the request.
  • Some Cisco platforms expect Tunnel-Private-Group-ID spelled differently or require VSAs; consult platform docs if standard Tunnel attributes fail.
  • Use packet captures (on the switch uplink or NPS) to see RADIUS Access-Request and Access-Accept payloads.
  • Ensure shared secret matches on both switch and NPS and that UDP ports 1812/1813 are reachable.

Best Practices

  • Test with a single port and a test user/group before wide deployment.
  • Use restrict or monitor-only (logging) modes before enforcing shutdown behavior on violations.
  • Maintain a documented mapping of AD groups to VLAN IDs and corresponding NPS policies.
  • For high availability, use multiple NPS servers and configure RADIUS server groups on the switch.
  • Keep a fallback VLAN (like VLAN 1 or a quarantine VLAN) for unauthenticated or problematic devices.

References and further reading

  • Microsoft NPS documentation on configuring RADIUS attributes for VLAN assignment and vendor VSAs.
  • Practical examples and vendor notes describing Tunnel-PVT-Group-ID and related attribute usage.

Dynamic VLAN Assignment — NPS (Windows Server 2022) GUI Steps, Test Plan, AD→VLAN CSV, and Cisco IOS Sample Config

This document gives you exact NPS GUI steps for Windows Server 2022, a turnkey test plan, a ready-to-use AD group → VLAN mapping CSV, and a minimal Cisco IOS config for WS-C2960S. Use this to implement 802.1X + MAB dynamic VLAN assignment end-to-end.


1. NPS GUI steps (Windows Server 2022)

  1. Open Server Manager → Tools → Network Policy Server.
  2. (If using AD) Register NPS in AD: right-click NPS (Local) → Register server in Active Directory → OK.
  3. Add the switch as a RADIUS client:
  4. Left pane: RADIUS Clients and Servers → RADIUS Clients → New.
  5. Friendly name: Switch2960-01.
  6. Client Address: enter the switch management IP.
  7. Shared secret: Manual → enter a strong secret (save it for the switch).
  8. Vendor name: RADIUS Standard → OK.
  9. Create / verify RADIUS server groups (optional): if using multiple NPS servers, add them under RADIUS Management → RADIUS Server Groups.
  10. Create a Network Policy for a VLAN:
  11. Policies → Network Policies → New.
  12. Policy name: e.g., Admin-802.1X.
  13. Type of network access server: Unspecified → Next.
  14. Add Conditions that match the users/devices for this VLAN: Add → User Groups → Select AD group (e.g., DOMAIN\Admins) or add NAS Port Type/Called Station ID as required → Next.
  15. Grant access: select Access granted → Next.
  16. Configure Constraints (authentication method): choose EAP (PEAP/MSCHAPv2) or Certificate-based EAP as required and configure EAP properties → Next.
  17. Configure RADIUS attributes to return the VLAN:
  18. In the Network Policy properties → Settings tab → RADIUS Attributes → Tunnel.
  19. Set: Service-Type = Framed (or Framed-User); Tunnel-Type = VLAN; Tunnel-Medium-Type = 802; Tunnel-PVT-Group-ID = <VLAN ID>.
  20. Apply and Finish.
  21. Repeat steps 5–9 for each AD group / device class (one policy per VLAN/class).
  22. For MAB (MAC Authentication Bypass) policies: create Network Policies that match the MAC-based username format you choose and return the same Tunnel attributes.
  23. Test with a dedicated test user and monitor Event Viewer → Custom Views → Server Roles → Network Policy and Access Services for authentication logs.

Note: Tunnel-Type, Tunnel-Medium-Type and Tunnel-PVT-Group-ID are the RADIUS attributes NPS will return to instruct the switch which VLAN to assign.


2. Attribute reference (what to set)

  • Service-Type: Framed (or Framed-User)
  • Tunnel-Type: VLAN
  • Tunnel-Medium-Type: 802 (IEEE 802 / Ethernet)
  • Tunnel-PVT-Group-ID: VLAN ID as a string (e.g., "20")

Add these under Network Policy → Settings → RADIUS Attributes → Tunnel.
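The attribute list above is what NPS places in the Access-Accept. The following Python is an added illustration (not this document's or NPS's own tooling) that encodes Service-Type and the tagged Tunnel-* attributes per RFC 2865/2868, wraps them in an Access-Accept with a Response Authenticator, and then decodes the packet the way a switch would, reporting why no VLAN is applied (missing Tunnel-PVT-Group-ID, wrong medium type, or a Response Authenticator that does not verify, which is what a shared-secret mismatch looks like on the wire). The Request Authenticator, packet identifier and the YourSecret secret are constructed values and the tag value of 1 is an assumption; it serves both the attribute list in the first part of this document and the reference above.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values this document uses
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
SERVICE_TYPE_FRAMED = 2        # "Framed" in NPS, "Framed-User" in most dictionaries
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
ACCESS_ACCEPT = 2
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_int(attr_type, value):
    """Plain 4-octet integer attribute: type, length, value."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer (RFC 2868 section 3.1): type, length, tag, 3-octet value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string (RFC 2868 section 3.6): type, length, tag, octets."""
    data = text.encode("ascii")
    return bytes([attr_type, 3 + len(data), tag]) + data


def build_vlan_attributes(vlan_id, tag=1):
    """The attribute set one NPS VLAN policy returns (the tag value is an assumption)."""
    return (encode_int(SERVICE_TYPE, SERVICE_TYPE_FRAMED)
            + encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept = code, id, length, Response Authenticator, attributes, where
    Response Authenticator = MD5(code + id + length + RequestAuth + attributes + secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def response_authenticator_ok(packet, request_auth, secret):
    """True only if the Access-Accept was produced with this shared secret."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, payload) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((blob[pos], blob[pos + 2:pos + blob[pos + 1]]))
        pos += blob[pos + 1]
    return attrs


def vlan_from_attributes(blob):
    """Return (vlan_id, reason): the VLAN a switch would apply, or None and why not."""
    by_tag = {}
    for atype, payload in parse_attributes(blob):
        if atype not in TUNNEL_ATTRS:
            continue
        # RFC 2868: a leading octet above 0x1F is data, not a tag (tag 0 = untagged)
        tag, data = (payload[0], payload[1:]) if payload and payload[0] <= 0x1F else (0, payload)
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            by_tag.setdefault(tag, {})[atype] = data.decode("ascii", "replace")
        else:
            by_tag.setdefault(tag, {})[atype] = int.from_bytes(data, "big")
    untagged = by_tag.pop(0, {})
    candidates = [{**untagged, **e} for e in by_tag.values()] or [untagged]
    for entry in candidates:
        if entry.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or entry.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = entry.get(TUNNEL_PRIVATE_GROUP_ID)
        if group is None:
            return None, "Tunnel-Private-Group-ID missing"
        # IOS also accepts a VLAN name here; this document uses the numeric ID form
        if not group.isdigit() or not 1 <= int(group) <= 4094:
            return None, "Tunnel-Private-Group-ID %r is not a VLAN ID" % group
        return int(group), "ok"
    return None, "no Tunnel-Type=VLAN with Tunnel-Medium-Type=IEEE-802"


def vlan_from_access_accept(packet, request_auth, secret):
    """What the switch would do with a received Access-Accept."""
    if not response_authenticator_ok(packet, request_auth, secret):
        return None, "Response Authenticator mismatch: shared secret differs"
    return vlan_from_attributes(packet[20:])


# Constructed sample; in real traffic the Request Authenticator is random per request
REQUEST_AUTH = bytes(range(16))
SECRET = b"YourSecret"   # placeholder secret from this document's switch config
SAMPLE_ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET, build_vlan_attributes(20))

if __name__ == "__main__":
    print(vlan_from_access_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print(vlan_from_access_accept(SAMPLE_ACCEPT, REQUEST_AUTH, b"WrongSecret"))
```

Feeding the attribute bytes from a packet capture of the real Access-Accept into vlan_from_attributes reproduces the decision the troubleshooting section asks you to check by hand: whether all three Tunnel attributes arrived, whether they carry the same tag, and whether the group ID is a usable VLAN number.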


3. Test plan (step-by-step)

Preparation

  • Ensure NPS (10.4.27.5) is reachable from the switch on UDP 1812/1813.
  • Configure DHCP scopes for every VLAN on 10.4.27.5.
  • Ensure the router/gateway has ip helper-address configured for each VLAN.
  • Configure the switch uplink as a trunk to the router and enable 802.1X/MAB on a test port.

Functional tests

  1. T1 (RADIUS reachability): confirm the switch can ping 10.4.27.5; validate UDP reachability (packet capture if needed).
  2. T2 (802.1X happy path): connect an 802.1X-capable workstation; authenticate with an AD test user in the Admin group; expect an Access-Accept from NPS containing the Tunnel attributes; the switch moves the port to VLAN 10 and the client receives DHCP from 10.4.10.0/24.
  3. T3 (MAB test): connect a non-802.1X device (printer); the switch should send the MAC as username; the NPS policy for that MAC returns Tunnel-PVT-Group-ID → the switch assigns VLAN 60 and the device gets DHCP from 10.4.60.0/24.
  4. T4 (Failure handling): use invalid credentials or remove group membership; the port should land in the fallback/quarantine VLAN (e.g., VLAN 1); verify no access to internal resources.
  5. T5 (Multi-host, phone + PC): with host-mode multi-auth, the phone authenticates via MAB to the VoIP VLAN and the PC authenticates via 802.1X to the user VLAN. Verify both VLANs and DHCP scopes.

Observability checks

  • On NPS: review Event Viewer → Custom Views → Server Roles → Network Policy and Access Services for Access-Request/Accept and returned attributes.
  • On switch: show authentication sessions; show dot1x all; show interface GiX/Y switchport.
  • On client: ipconfig /renew and confirm gateway/DNS and internet.

Rollback plan

  • If problems occur, remove the dot1x/mab config from problematic ports or disable the NPS policy. Reassign ports to static access VLANs temporarily.


4. AD group → VLAN mapping CSV (ad-group-to-vlan.csv)

Save this CSV as a reference or for scripting bulk NPS policy creation.

AD_Group,VLAN_ID,VLAN_Name,Policy_Name,Description
DOMAIN\\Admins,10,Admin,Admin-802.1X,Admin users to VLAN 10
DOMAIN\\Sales,20,Sales,Sales-802.1X,Sales users to VLAN 20
DOMAIN\\Engineering,30,Engineering,Eng-802.1X,Engineering users to VLAN 30
DOMAIN\\GuestUsers,40,Guest,Guest-802.1X,Guest authenticated Wi-Fi to VLAN 40
DOMAIN\\VoIPDevices,50,VoIP,VoIP-MAB,Phones to VLAN 50 via MAB
DOMAIN\\Printers,60,Printers,Printers-MAB,Printers to VLAN 60 via MAB

Notes: Use double backslashes for domain\group in CSVs or adapt to your tooling. Use this sheet when creating NPS policies and documenting mappings.
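Before this sheet drives bulk policy creation it is worth checking it mechanically against the site VLAN plan from the "VLANs and Addresses" section. The Python below is an added example (not tooling from this document): it parses the CSV exactly as given above (embedded inline so it runs offline), undoes the double-backslash convention, flags VLAN IDs that are not valid 802.1Q IDs or not in the plan, VLAN names that drift from the plan, malformed DOMAIN\Group values, and duplicate policy or group entries, and renders the Tunnel attribute set each policy must return. The rule that a policy name ending in -MAB is a MAB policy is an assumption drawn from the naming used in the sheet.

```python
import csv
import io
import re

# VLAN plan from the "VLANs and Addresses" section of this document
VLAN_PLAN = {1: "Infrastructure", 10: "Admin", 20: "Sales", 30: "Engineering",
             40: "Guest", 50: "VoIP", 60: "Printers"}

# The ad-group-to-vlan.csv sheet from this document, embedded so the script is self-contained
AD_GROUP_CSV = r"""AD_Group,VLAN_ID,VLAN_Name,Policy_Name,Description
DOMAIN\\Admins,10,Admin,Admin-802.1X,Admin users to VLAN 10
DOMAIN\\Sales,20,Sales,Sales-802.1X,Sales users to VLAN 20
DOMAIN\\Engineering,30,Engineering,Eng-802.1X,Engineering users to VLAN 30
DOMAIN\\GuestUsers,40,Guest,Guest-802.1X,Guest authenticated Wi-Fi to VLAN 40
DOMAIN\\VoIPDevices,50,VoIP,VoIP-MAB,Phones to VLAN 50 via MAB
DOMAIN\\Printers,60,Printers,Printers-MAB,Printers to VLAN 60 via MAB
"""

# DOMAIN\Group: a NetBIOS-style domain, one backslash, a non-empty group name
GROUP_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*\\[^\\]+$")


def load_mapping(text):
    """Parse the sheet into normalized rows; the CSV stores one backslash as two."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "group": raw["AD_Group"].strip().replace("\\\\", "\\"),
            "vlan": raw["VLAN_ID"].strip(),
            "vlan_name": raw["VLAN_Name"].strip(),
            "policy": raw["Policy_Name"].strip(),
            # assumption: the "-MAB" suffix marks MAB policies, everything else is 802.1X
            "method": "MAB" if raw["Policy_Name"].strip().endswith("-MAB") else "802.1X",
        })
    return rows


def validate(rows, plan=VLAN_PLAN):
    """Return a list of problems; an empty list means the sheet agrees with the plan."""
    errors, seen_policy, seen_group = [], set(), set()
    for r in rows:
        p = r["policy"]
        if not r["vlan"].isdigit() or not 1 <= int(r["vlan"]) <= 4094:
            errors.append("%s: VLAN_ID %r is not a valid 802.1Q VLAN ID" % (p, r["vlan"]))
            continue
        vid = int(r["vlan"])
        if vid not in plan:
            errors.append("%s: VLAN %d is not in the site VLAN plan" % (p, vid))
        elif plan[vid] != r["vlan_name"]:
            errors.append("%s: VLAN %d is %r in the plan, not %r" % (p, vid, plan[vid], r["vlan_name"]))
        if not GROUP_RE.match(r["group"]):
            errors.append("%s: AD_Group %r is not in DOMAIN\\Group form" % (p, r["group"]))
        if p in seen_policy:
            errors.append("%s: duplicate Policy_Name" % p)
        if r["group"] in seen_group:
            errors.append("%s: AD group %s is already mapped by another policy" % (p, r["group"]))
        seen_policy.add(p)
        seen_group.add(r["group"])
    return errors


def radius_attributes(row):
    """Attributes to set on the policy under Settings -> RADIUS Attributes -> Tunnel."""
    return {"Service-Type": "Framed", "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "802", "Tunnel-PVT-Group-ID": row["vlan"]}


if __name__ == "__main__":
    rows = load_mapping(AD_GROUP_CSV)
    for problem in validate(rows) or ["sheet is consistent with the VLAN plan"]:
        print(problem)
    for r in rows:
        print(r["policy"], r["method"], r["group"], radius_attributes(r))
```

Run it against the sheet before and after each edit; a non-empty result from validate is the signal to fix the CSV rather than create a policy that points at a VLAN the trunk and DHCP server do not carry.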


5. Minimal Cisco IOS config (WS-C2960S, LAN Base, 15.x): tailored sample

Assumptions

  • NPS server: 10.4.27.5, shared secret: YourSecret
  • Uplink to router: Gi0/1 (trunk)
  • Test access port: Gi0/10
  • Fallback VLAN: 1

Global AAA / RADIUS / 802.1X

aaa new-model

radius server NPS1
 address ipv4 10.4.27.5 auth-port 1812 acct-port 1813
 key YourSecret

aaa group server radius NPS_GROUP
 server name NPS1

aaa authentication dot1x default group NPS_GROUP
aaa authorization network default group NPS_GROUP

dot1x system-auth-control

VLAN creation (if not present)

vlan 1
 name Infrastructure
vlan 10
 name Admin
vlan 20
 name Sales
vlan 30
 name Engineering
vlan 40
 name Guest
vlan 50
 name VoIP
vlan 60
 name Printers

Uplink trunk

interface GigabitEthernet0/1
 description Uplink-to-Router
 ! The 2960S trunks 802.1Q only; it has no 'switchport trunk encapsulation' command
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30,40,50,60
 no shutdown

Sample access port with 802.1X + MAB + multi-host

interface GigabitEthernet0/10
 description Test-Port-802.1X-MAB
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast

 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto

 mab
 dot1x pae authenticator

 authentication event fail action authorize vlan 1
 authentication event server dead action authorize vlan 1
 no shutdown

Save

write memory

Verification

show dot1x all
show authentication sessions interface GigabitEthernet0/10
show interface GigabitEthernet0/10 switchport
show running-config | section radius

Notes

  • If your IOS rejects the radius server syntax, use the legacy form: radius-server host 10.4.27.5 auth-port 1812 key YourSecret.
  • Confirm the 2960S image supports dot1x and mab (check show version).


6. NPS specifics for MAB (practical details)

  • For MAB, switches typically send the MAC in the username field. Decide on the MAC format (no separators or with dashes) and ensure NPS matching policy uses that format.
  • Create a Network Policy that matches the MAB "username" or a dedicated AD group of device accounts and returns the Tunnel attributes for the printer/phone VLAN.
  • Optionally pre-provision device accounts in AD for printers/phones to simplify authorization.
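The format decision in the first bullet is where MAB deployments most often fail: the switch sends the MAC one way, the device account was typed another way, and NPS sees no match. The Python below is an added example (not part of this document or of NPS) that shows the failure with a literal lookup and the fix with a normalizing lookup: it reduces any common MAC spelling (no separators, dashes, colons, or Cisco dotted) to a canonical form, compares against a constructed device list standing in for AD device accounts or a static list, and returns the VLAN and policy name. The device list, its dashed upper-case spelling, and the policy names are constructed for the example; the statement that IOS sends the MAB User-Name as lowercase hex with no separators by default is a fact about IOS, not something this document states.

```python
import re


def canonical_mac(text):
    """Reduce 001122aabbcc, 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc to
    12 lowercase hex digits; return None for anything that is not a MAC address."""
    s = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f:.\-]+", s) is None:
        return None
    digits = re.sub(r"[:.\-]", "", s).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def render_mac(mac, fmt):
    """Spell a canonical MAC the way a policy or account was created."""
    if fmt == "plain":            # IOS default MAB User-Name: lowercase, no separators
        return mac
    if fmt == "dashes":           # 00-11-22-aa-bb-cc
        return "-".join(mac[i:i + 2] for i in range(0, 12, 2))
    if fmt == "colons":           # 00:11:22:aa:bb:cc
        return ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    if fmt == "dotted":           # 0011.22aa.bbcc, the spelling IOS show output uses
        return ".".join(mac[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unknown MAC format %r" % fmt)


# Constructed device list standing in for AD device accounts or an NPS static list.
# Keys are stored the way an administrator typed them: dashed and upper-case.
DEVICE_ACCOUNTS = {
    "00-11-22-33-44-55": ("Printers-MAB", 60),
    "AA-BB-CC-DD-EE-01": ("VoIP-MAB", 50),
}


def lookup_literal(user_name, accounts=DEVICE_ACCOUNTS):
    """The failure mode: matching the User-Name exactly as the switch sent it."""
    return accounts.get(user_name)


def authorize_mab(user_name, accounts=DEVICE_ACCOUNTS):
    """Normalize both sides before matching; return (vlan, policy) or (None, reason)."""
    mac = canonical_mac(user_name)
    if mac is None:
        return None, "User-Name %r is not a MAC address, so this is not a MAB request" % user_name
    normalized = {canonical_mac(k): v for k, v in accounts.items()}
    if mac not in normalized:
        return None, "no MAB account for %s" % render_mac(mac, "dotted")
    policy, vlan = normalized[mac]
    return vlan, policy


if __name__ == "__main__":
    sent = "001122334455"          # what the switch sends by default for the printer
    print(lookup_literal(sent))    # None: the dashed account never matches
    print(authorize_mab(sent))     # (60, 'Printers-MAB')
    print(authorize_mab("AA:BB:CC:DD:EE:01"))
    print(authorize_mab("jsmith"))
```

In NPS itself the equivalent of authorize_mab is provisioning every device account in the one spelling the switch sends, or changing the switch's MAB username format to match; the point of the example is that only one of the two sides gets to choose the format.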