Apr 5, 2018 · by Razvan

Wireless Dynamic Wlan based on Microsoft NPS Server Policies

Two methods for setup

This setup requires knowledge of Wireless Access Points administration, 802.1x protocol authentication, Radius server roles,  Microsoft Network Policy Server configuration, usage, and administration.

There are two main sections: Wireless configuration and Microsoft Network Policy Server setup.

Wireless Infrastructure

Whether we use a standalone infrastructure based on unique access points or a centralized and managed access points,  the infrastructure can be configured to allow users connecting a unique SSID to reside in different WLANs. This setup makes the access points aware of the particularities that the NPS server sends when authentication takes place.

For this setup the below requirements are necessary:

  • Wireless infrastructure must support Dynamic WLAN Access VLAN screenshot
  • Wireless infrastructure must support WPA2 Enterprise Auth Method screenshot

By enabling dynamic WLAN the radius clients look for other directives sent by the Radius server. For example: Wlan ID sent by the radius server delivers the ID to the client’s device.

From the wireless configuration point of view, the setup is simple. Make sure the Network policy server is present on the access points or controller and the unit is able to query the NPS. You can verify the NPS queries in Event viewer on the NPS server.

Network Policy Server

Windows Network Policy Server supports more than just authenticating users. Each rule can be individually configured to send to the radius client (access point or controller) the WLAN id based on the rule it matches.

The client authenticates using Active Directory credentials. Assuming the credentials match the ones stored in Active Directory, the NPS server takes action based on the policy conditions.

There are many other settings available, but we’ll stick to the ones we need in order to authenticate and push the correct WLAN to the client.

Network policy server example of the policy rule that matches a certain WLAN:

settings image

As shown above, if the policy conditions are met NPS server proceeds to pushing Tunnel-Type = VLAN, Tunnel-Medium-Type = 802 .1x (the one we’re interested for) and Framed-Interface-Id = (VLAN id) to the Radius client (Zone Director in our case). These settings complete other matching criteria and rules for this NPS policy. The result is completely transparent to the supplicant (the end user).

This setup was tested using Ruckus wireless infrastructure with Zone Director 3000 and Windows 2016 network policy server.

For more information about configuring a Ruckus Wireless Zone Director and Microsoft NPS server, follow the links below:



IT Network Team Lead
Razvan has been a member of Softvision IT Team for the past 5 years. Having another 5 years of IT background helped his team manage and develop the infrastructure and services we use today in this growing environment. He graduated with a masters in business administration and informatics and in his spare time he truly loves to travel.

Latest posts by Razvan

Share This Article
  • Prithvija K
    Posted at 09:39h, 28 June Reply

    I had basic idea about networks, but your article is great, which helped me to know about dynamic WLAN.

  • Prithvija
    Posted at 10:27h, 29 June Reply

    I had basic idea about networks, but your article is great, which helped me to know about dynamic WLAN.

Post A Comment