Configure Access Point Dynamic VLANs

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP330, AP332CR, AP430CR, AP432)

When you enable WPA2 or WPA3 Enterprise security on an SSID, you can dynamically assign VLAN IDs to the wireless client based on the user information provided by the RADIUS server after successful authentication.

If there is no VLAN attribute returned from the RADIUS server for a user, you can set the VLAN as untagged, or you can use the VLAN ID you configured for the SSID.

For more information about VLANs with wireless networks, go to Access Points and VLANs.

Dynamic VLAN requirements:

  • Dynamic VLANs require access point firmware v2.2 or higher.
  • You cannot use Dynamic VLANs when NAT is enabled on the SSID.
  • You cannot use Dynamic VLANs at the same time as the Captive Portal or Network Access Enforcement features on the SSID.
  • If you enable VLAN tagging for SSIDs on a WatchGuard access point or enable a tagged management VLAN for an access point, you must also enable VLANs on the network switch, Firebox, or other gateway device that the access point connects to.

You can also configure SSID settings in an Access Point Site and apply the configuration to multiple access points. For more information, go to About Access Point Sites.

  1. Select Configure > Devices.
  2. Select the access point you want to configure.
  3. Select Device Configuration.
    The device configuration page opens.


  4. In the Wi-Fi Networks tile, click SSIDs.
  5. Select an existing SSID, or add a new SSID.
  6. Configure the SSID Name, SSID Type (Private or Guest), and Radio.
  7. In the Security settings, select WPA2 Enterprise or WPA3 Enterprise, and select your Authentication Domain with the required RADIUS servers.
  8. From the VLAN drop-down list, select Dynamic VLAN assigned by RADIUS.
  9. In the Unassigned RADIUS Clients section, select how to assign a VLAN if no VLAN attribute is returned from the RADIUS server:
    • Untagged VLAN — The client is assigned to the untagged VLAN. No tagged VLAN ID is assigned.
    • VLAN assigned by SSID — Assign the VLAN ID that you manually configure for the SSID.
  10. Click Save.
  11. Deploy the configuration to the access point.

If you enable VLAN tagging for SSIDs on a WatchGuard access point or enable a tagged management VLAN for an access point, you must also enable VLANs on the network switch, Firebox, or other gateway device that the access point connects to.
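
Before you deploy, it helps to know which users will land on the network chosen in Unassigned RADIUS Clients rather than on a RADIUS-assigned VLAN. The following is an added example, not WatchGuard code: it models the decision for a set of per-user RADIUS reply attributes. It assumes the RADIUS server sends the VLAN in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and treats a non-numeric or out-of-range value as no VLAN attribute; the function names, the 'untagged'/'ssid' option names, and the sample users are hypothetical.

```python
# Added example: models the dynamic VLAN decision to audit RADIUS reply data.
# Assumption: the VLAN is signalled with the RFC 3580 tunnel attributes.
TUNNEL_TYPE_VLAN = {"13", "VLAN"}          # Tunnel-Type value 13 = VLAN
TUNNEL_MEDIUM_802 = {"6", "IEEE-802"}      # Tunnel-Medium-Type value 6 = IEEE-802

def radius_vlan(attrs):
    """Return the VLAN ID carried in the reply attributes, or None if absent/invalid."""
    if str(attrs.get("Tunnel-Type")) not in TUNNEL_TYPE_VLAN:
        return None
    if str(attrs.get("Tunnel-Medium-Type")) not in TUNNEL_MEDIUM_802:
        return None
    raw = str(attrs.get("Tunnel-Private-Group-ID", "")).strip()
    if not (raw.isascii() and raw.isdigit()):
        return None                         # assumption: non-numeric means unusable
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None

def effective_vlan(attrs, fallback, ssid_vlan=None):
    """Resolve (vlan, source); vlan None means untagged.
    fallback is 'untagged' or 'ssid' (hypothetical names for the two options)."""
    vlan = radius_vlan(attrs)
    if vlan is not None:
        return vlan, "radius"
    if fallback == "ssid":
        if ssid_vlan is None:
            raise ValueError("fallback 'ssid' needs the SSID VLAN ID")
        return ssid_vlan, "fallback"
    return None, "fallback"

def audit(users, fallback, ssid_vlan=None):
    """Return the users whose traffic would land on the fallback network."""
    return sorted(u for u, a in users.items()
                  if effective_vlan(a, fallback, ssid_vlan)[1] == "fallback")

# Constructed sample data: per-user reply attributes exported from a RADIUS server.
USERS = {
    "alice": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "20"},
    "bob": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "30"},
    "carol": {},  # no VLAN attributes at all
    "dave": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "guest"},
}

if __name__ == "__main__":
    for user, attrs in USERS.items():
        print(user, effective_vlan(attrs, "ssid", ssid_vlan=99))
    print("on fallback:", audit(USERS, "ssid", ssid_vlan=99))
```

Users reported by audit() are the ones to review: with the Untagged VLAN option they share whatever network the access point's untagged port reaches.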

Related Topics

Configure Access Point Device Settings

Configure Access Point Radio Settings

About Access Point Sites

About Virtual Local Area Networks (VLANs)

Configure Firebox VLANs