Step-by-Step Dynamic VLAN Assignment with a Netgear MS510TX


    Posted Mar 10, 2025 09:46 PM
    Edited by mvanoverbeek Mar 11, 2025 08:34 AM

    I had a cheap consumer-grade Netgear switch that claimed to support dynamic VLAN assignment. The documentation was limited on how to configure it, but eventually it worked. I wanted to share the configuration steps with the community to save others from spending 6 hours of tinkering (which was a meaningful experience though).

    I configured this on an MS510TX switch. All configurations are web based, but it does let you download a configuration file that is readable.

    Steps I used to configure the Netgear switch:

    Step 1: Global Settings

    Menu: Security > Management Security > Global Settings

    Change Accounting Mode to "Enable" and leave the other settings default (see below)

    Step 2: Server Configuration

    Menu: Security > Management Security > Server Configuration

    Configure Server IP address, port and Secret

    Step 3: Configure Accounting

    Menu: Security > Management Security > Accounting Server Configuration

    Configure Server IP address, port and Secret

    Step 4: Enable 802.1X Authentication

    Menu: Security > Port Authentication > Advanced > 802.1x Configuration

    Enable port-based authentication

    Use settings:

    Port Based Authentication State: Enable

    Guest VLAN: Disable

    Guest VLAN ID: 1 (default setting)

    Guest VLAN Period: 90 (default setting)

    EAPOL VLAN Period: 90 (default setting)

    Step 5: Enable 802.1X Authentication on a Port

    Menu: Security > Port Authentication > Advanced > Port Authentication

    Enable Dynamic VLAN Assignment

    Starting state looks like this

    First enable Dynamic VLAN Assignment and click "Apply"

    Then select the port again and now change the Port Control setting to "Auto" and click "Apply"

    Step 6: Take a snapshot of your VLAN table

    Menu: Switching > VLAN > Basic > VLAN Configuration

    Clearpass Policy:

    Step 7: Identifying the Service

    As a NAD, the Netgear switch isn't really sharing a lot of information in the RADIUS Access-Requests. Below information about received

    To identify the policy I used:

    Type: Radius:IETF: NAS-Port-Type Equals Ethernet (15)

    Type: Connection: NAD-IP-Address Equals IP-address-of-the-Netgear-switch

    Disclaimer: Skipping over authentication and authorization, moving straight to the Enforcement.

    Step 8: Enforcement

    Use an enforcement profile that contains these 4 settings:


    Radius:IETF: Tunnel-Medium-Type: IEEE-802 (6)

    Radius:IETF: Tunnel-Private-Group-Id: NAME OF YOUR VLAN (See step 6)

    Radius:IETF: Tunnel-Type: VLAN

    Radius:Avenda: Avenda-Tag-Id: 0

    Example used by me:

    In my case I assigned VLAN 25 name Data to the switch. It only worked by using the name "Data" (without quotes)

    In the service it looked like this:


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------
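
An added example, not part of the original post: a Python check that parses the attribute block of a captured RADIUS Access-Accept and confirms it carries the three IETF tunnel attributes from Step 8, using the attribute numbers and tag encoding of RFC 2868 and RFC 3580. The function names, the sample bytes and the tag value 0 are assumptions constructed for illustration; flagging a numeric VLAN reflects the post's observation that this switch only accepted the VLAN name.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values from RFC 2868 / RFC 3580

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        left = len(data) - i
        if left < 2 or not 2 <= data[i + 1] <= left:
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def untag(atype, value):
    """Return (tag, value); a string's first byte is a tag only if <= 0x1F."""
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode()
        return 0, value.decode()
    if len(value) != 4:  # integers are 1 tag byte + 3 value bytes
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")

def vlan_assignment(data):
    """Return (vlan, problems) for the attributes of an Access-Accept."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    found = {t: untag(t, v) for t, v in parse_attributes(data) if t in wanted}
    problems = []
    if found.get(TUNNEL_TYPE, (0, None))[1] != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE, (0, None))[1] != IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID, (0, None))[1]
    if not vlan:
        problems.append("Tunnel-Private-Group-Id missing or empty")
    elif vlan.isdigit():  # assumption taken from the post: name, not number
        problems.append("VLAN sent as a number, not a name")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tunnel attributes carry different tags")
    return vlan, problems

# Constructed sample: the Step 8 profile with tag 0 and VLAN name "Data".
SAMPLE = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
          + attr(81, b"\x00Data"))
```

Feed `vlan_assignment` the attribute bytes that follow the 20-byte RADIUS header of an Access-Accept taken from a packet capture; an empty problem list means the tunnel attributes match the enforcement profile above.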