Let’s talk about VLANs. In this article I would like to talk about virtual networks and their benefits. I’m also going to describe how to configure VLANs in Univention Corporate Server (UCS), how to increase security for your UCS environment with our RADIUS app, and how to dynamically assign devices to specific VLANs via a RADIUS server.
Virtual Local Area Networks (VLANs) divide existing physical networks into several logical networks. They are used to separate data traffic at network level. Each VLAN has its own unique VLAN ID and creates its own broadcast domain, i.e. its own logical group of network devices in the LAN (local area network). Devices in different VLANs can therefore only communicate with each other via a router that is also connected to both virtual networks.
VLANs are often used in large environments, such as in companies or on campus at schools, colleges, and universities. For example, admins in corporate networks provide separate networks for employees and guests—without having to change the cabling or set up additional WLAN routers. Some companies divide their networks into VLANs for the different departments, such as marketing, sales, etc.
Splitting up networks can be helpful for a number of reasons. Isolated subnets not only increase security by limiting which hosts can reach each other, they also affect performance, because broadcast traffic stays inside its own VLAN. For better bandwidth management, VLANs can separate externally accessible services such as web servers from other services on the same physical network. Services for communication such as VoIP (Voice over IP) can also be reached via dedicated VLANs, which can then be given a higher priority (QoS) on the same physical network.
You configure virtual networks for your UCS domain via the Univention Management Console (UMC), in the System / Network settings module. After clicking on the button to add a new interface, select Virtual LAN as the Interface type and specify the physical interface that is to carry the tagged traffic. Enter a VLAN ID, a unique identifier for the virtual network. Valid values go up to 4095; note that IEEE 802.1Q reserves VID 0 and 4095, so switches only carry tags 1 to 4094, and you should choose an ID in that range. Click the Next button. Now assign an IP address to the VLAN interface. Make sure that it matches the address range assigned to that VLAN.
For more information on configuring IPv4 and IPv6 addresses, please refer to the UCS manual.
To assign users and groups to specific VLANs, you can additionally set up a RADIUS server. This server then handles the authentication of the users and returns a VLAN ID in response. In the next two sections, I’ll briefly explain how to achieve this under UCS.
With RADIUS (Remote Authentication Dial-In User Service), you can configure access control for networks, not only for WLAN networks, but also for wired networks. RADIUS is implemented as a client-server architecture. The RADIUS server first checks whether someone is authorized to access the network. It handles authentication and authorization for users and groups. The RADIUS server’s clients are the network access servers (NAS): WLAN access points, network switches, etc. The users’ end devices (laptops, tablets, smartphones, etc.) do not talk directly to the RADIUS server; they authenticate to the access point or switch, typically via 802.1X/EAP, and the NAS forwards the exchange to the RADIUS server and enforces its Access-Accept or Access-Reject.
With RADIUS, you can ensure that only authorized users can access a network. For more information, see our blog article How-To: Securing Networks with RADIUS.
In our Univention App Center, we provide the open source RADIUS server FreeRADIUS as an app for UCS. The service is configured to connect to the UCS LDAP directory service. After installation, you can allow users and groups access via the RADIUS menu item by clicking the checkbox Allow network access.
The FreeRADIUS app also provides deny and allow lists for user accounts, groups, and devices—all with just a few clicks in the UCS management console.
By default, users authenticate with their domain password. Alternatively, it is possible to create a separate password for RADIUS by setting the UCR variable radius/use-service-specific-password. A dedicated RADIUS password limits the damage if it leaks from a device’s WLAN profile, since it does not grant access to the domain account itself. In order for users to (re)set this password via our self-service, the UCR variable umc/self-service/service-specific-passwords/backend/enabled must be set to true.
Tip: You can set up MAC address filters and only allow certain devices to connect. To learn more about this topic, please read the corresponding chapter in our manual.
It’s possible to configure UCS so that the system returns a VLAN ID in the RADIUS authentication process. All you need to do is assign a VLAN ID to a group; members of that group then receive this VLAN ID in the RADIUS reply, and the switch or access point places their port or session into that VLAN.
You can also configure a default VLAN ID which is returned as a replacement ID if a user account is not a member of a group with a VLAN ID. You set the default VLAN ID using the UCR variable
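The following is an added example, not code from the UCS FreeRADIUS app, to make the two mechanisms above concrete: the VLAN ID range check from the network settings section, and the group-based VLAN selection with a default fallback described here. It picks a VLAN for a user from a group-to-VLAN map, encodes the result as the three tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that switches and access points expect in an Access-Accept, and parses such a reply back. The group map, the default VLAN, the lowest-ID-wins rule for users in several VLAN groups, and the sample users are assumptions constructed for the example, not documented UCS behaviour.

```python
"""Dynamic VLAN assignment as RADIUS reply attributes (added example).

Group-to-VLAN map, default VLAN, tie-break rule and sample users are
constructed for illustration; they are not the UCS app's configuration.
"""
import struct

# Attribute type codes from RFC 2868 and the values RFC 3580 assigns for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# IEEE 802.1Q reserves VID 0 and 4095; only 1..4094 can be carried as tags
VLAN_MIN, VLAN_MAX = 1, 4094


def valid_vlan_id(vlan_id):
    """True if vlan_id is an integer a switch can actually tag frames with."""
    return isinstance(vlan_id, int) and VLAN_MIN <= vlan_id <= VLAN_MAX


def select_vlan(user_groups, group_vlans, default_vlan=None):
    """Choose the VLAN for a user from its group memberships.

    If several groups carry a VLAN ID, the lowest wins so the result does not
    depend on LDAP ordering (assumption of this example). A mis-configured
    VLAN ID raises instead of silently dropping the user into the default
    VLAN, which may be the more permissive one.
    """
    matches = []
    for group in user_groups:
        if group not in group_vlans:
            continue
        vid = group_vlans[group]
        if not valid_vlan_id(vid):
            raise ValueError(f"group {group!r} has invalid VLAN ID {vid!r}")
        matches.append(vid)
    if matches:
        return min(matches)
    if default_vlan is None:
        return None
    if not valid_vlan_id(default_vlan):
        raise ValueError(f"invalid default VLAN ID {default_vlan!r}")
    return default_vlan


def _avp(attr_type, payload):
    """One RADIUS attribute: type (1 octet), length incl. header (1), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def vlan_reply_attributes(vlan_id, tag=1):
    """Encode the VLAN assignment a NAS expects in an Access-Accept.

    Each value starts with a tag octet (0x01..0x1F) so the three attributes
    can be matched up when a reply carries more than one tunnel set.
    """
    if not valid_vlan_id(vlan_id):
        raise ValueError(f"invalid VLAN ID {vlan_id!r}")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    t = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii"))
    )


def parse_vlan_reply(raw):
    """Extract the VLAN ID from encoded reply attributes.

    Returns None unless all three attributes are present, share one tag,
    name a VLAN over IEEE 802 and carry an ID in the usable range; a
    malformed attribute length raises.
    """
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(raw[i + 2:i + length])
        i += length
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(k in attrs for k in needed):
        return None
    tt, tm, tpg = (attrs[k][0] for k in needed)
    if len(tt) != 4 or len(tm) != 4 or len(tpg) < 2:
        return None
    tag = tt[0]
    if tag > 0x1F or tm[0] != tag or tpg[0] != tag:
        return None
    if int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group_id = tpg[1:].decode("ascii", "replace")
    if not group_id.isdigit():
        return None
    vid = int(group_id)
    return vid if valid_vlan_id(vid) else None


if __name__ == "__main__":
    # Constructed sample data, not taken from a real UCS directory
    GROUP_VLANS = {"Marketing": 20, "Sales": 30, "Guests": 200}
    DEFAULT_VLAN = 100
    for user, groups in {"alice": ["Domain Users", "Marketing"],
                         "bob": ["Domain Users"]}.items():
        vid = select_vlan(groups, GROUP_VLANS, DEFAULT_VLAN)
        reply = vlan_reply_attributes(vid)
        print(user, vid, reply.hex(), parse_vlan_reply(reply))
```

The parser is deliberately strict: a reply whose three tunnel attributes disagree on the tag, or whose group ID is not a usable VLAN, yields no assignment rather than a guess, which is the safer outcome when a NAS decides which VLAN to put a port into.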
You can conveniently configure VLANs, RADIUS, VLAN IDs, and more in the Univention Management Console, increasing security through advanced access controls.
Do you have any questions or other feedback? Feel free to leave a comment below this article.
Marie Aurich joined Univention in May 2022 as product manager and is responsible for the further development of the Open Source identity management system UCS@school.
What would be nice is if UCS supported a newer version of FreeRADIUS that supports TLS 1.3 so I don’t have to deal with the nonsense of Windows 22H2’s mandatory use of TLS 1.3.