
Tagging Client VLANs with RADIUS Attributes


A RADIUS server can send VLAN information to the AP in RADIUS Access-Accept messages. To send VLAN information, three required RADIUS attributes must be configured in your RADIUS policy:

  • Tunnel-Medium-Type: Choose 802 (Includes all 802 media plus Ethernet canonical format) for the attribute value under "Commonly used for 802.1X".
  • Tunnel-Pvt-Group-ID: Choose String and enter the desired VLAN (e.g. "500"). This string specifies VLAN ID 500.
  • Tunnel-Type: Choose the attribute value "Commonly used for 802.1X" and select Virtual LANs (VLANs).


Sample freeRADIUS user configuration (/etc/freeradius/users):

Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = [VLAN_ID],
Tunnel-Type = VLAN

Note: According to RFC 2868, a value of "6" for Tunnel-Medium-Type denotes all 802 media. Check your RADIUS vendor-specific documentation for the appropriate values.
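
The following is an added example, not Meraki or freeRADIUS code: it parses a captured Access-Accept and returns the VLAN only when all three attributes above are present, using the RFC 2868 attribute encoding (a one-byte tag precedes the value). The function names and the sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6  # values for "VLAN" and "all 802 media"


def attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # 4-byte header plus 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def vlan_from_accept(packet):
    """Return the VLAN ID string only if all three tunnel attributes are present."""
    found = {}
    for atype, value in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # byte 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # leading tag byte, not part of the string
                value = value[1:]
            found[atype] = value.decode("ascii", errors="replace")
    if found.get(TUNNEL_TYPE) != TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


def build_accept(attrs):
    """Build a constructed sample Access-Accept (authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


VLAN, M802 = b"\x00\x00\x00\x0d", b"\x00\x00\x00\x06"
GOOD = build_accept([(64, VLAN), (65, M802), (81, b"500")])
TAGGED = build_accept([(64, b"\x01\x00\x00\x0d"), (65, b"\x01\x00\x00\x06"), (81, b"\x01500")])
NO_MEDIUM = build_accept([(64, VLAN), (81, b"500")])
```

Running `vlan_from_accept` over the raw UDP payload of a captured Access-Accept shows whether the policy is actually returning the full attribute set before troubleshooting the AP side.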


To configure the AP to accept the VLAN information sent by the RADIUS server, set "Radius Override" to "RADIUS Response Can Override VLAN tag." This setting can override the configured SSID VLAN or apply a VLAN if one is not specified.


Note: RADIUS override can only be used with WPA2-Enterprise or MAC-based access control.

Last modified
12:18, 25 Mar 2016


This page has no custom tags.


This page has no classifications.

Article ID

ID: 1642
