In this example we will create a wireless VAP in tunnel mode with dynamic VLAN assignment via radius server based on group membership.
First we create a new SSID, traffic mode is “Tunnel to wireless controller”, an IP address doesn’t need to be configured here unless some users/groups won’t be assigned a VLAN.
Next we turn on dynamic vlan via cli:
config wireless controller-vap edit dvlantunnel set dynamic-vlan enable end
Now we create a new VLAN (or several depending on the number of required groups), at the time of this writing it is not possible to associate a VLAN with a VAP interface in the GUI so this must be done via CLI:
config system interface edit vlan101 set vdom root set ip 192.168.101.1/24 set interface dvlantunnel set vlanid 101
Edit the newly created VLAN in the GUI to enable the DHCP server:
Next create a new firewall policy for the VLAN with appropriate webfilter:
Now we’re ready to test dynamic VLAN assignment with a wireless client.