As companies roll out wireless networks, one area of concern is how to automatically segment wireless users into the correct virtual LANs already established on the wired side. VLAN membership on wired networks typically is defined by the physical Layer 2 switch or Layer 3 router port to which a user is connected. But with wireless, users aren't tied to a physical port.
To address this problem, advances in wireless authentication have led to role-based VLAN association. This method of automatically deriving the correct VLAN membership uses a number of standard authentication methods, such as HTTP-based captive portals and 802.1X, which has become the authentication mechanism of choice.
Consider this scenario. Wireless users in a finance department might be connected securely to the Finance VLAN using a secure-link encryption method such as Wi-Fi Protected Access. However, once they roam to another access point, they no longer necessarily have access to the Finance VLAN and can't use their network resources. Reconfiguring the network to make each VLAN accessible from every point across the entire company is not a viable solution.
However, 802.1X port-based authentication provides a framework for authorizing station access to Ethernet and wireless LANs. 802.1X uses Extensible Authentication Protocol (EAP) to relay port-access requests between LAN stations (supplicants), Ethernet switches or wireless access points (authenticators), and RADIUS servers (authentication servers).
Protection for users in Wi-Fi networks has centered on data encryption and user authentication, not on roles derived from the authentication exchange. Role-based VLAN association with 802.1X is attractive because it provides logical segmentation of workgroup traffic and easier integration with the security and traffic-engineering policies already configured on wired networks.
Network administrators want to keep the same Extended Service Set IDs (ESSID) and encryption profiles for all users, and assign users in different workgroups to different VLANs as they enter the wireless LAN (WLAN), based on attributes already configured on the authentication server. Without role-based VLANs, this isn't possible unless you make a lot of changes to WLAN configuration by introducing new ESSIDs for each user group. This represents a significant capital investment and operational expense.
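The attribute-driven VLAN assignment described above is carried in the RADIUS Access-Accept as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868, used for VLANs by RFC 3580). The following is an added example, not code from the article or any vendor: it parses those attributes as an access point or controller would, derives the VLAN, and handles the failure mode a defender cares about, an Access-Accept that carries no VLAN attributes (refuse, or fall back to an explicit quarantine VLAN; never silently drop the user onto the default port VLAN). The sample payloads are constructed inline.

```python
"""Derive a wireless user's VLAN from RADIUS Access-Accept attributes (RFC 2868 / RFC 3580)."""
from typing import Dict, Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 3580: Tunnel-Medium-Type value meaning "IEEE-802"


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Split a RADIUS attribute list (type, length, value) into {type: value}."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def _tagged_int(value: bytes) -> int:
    # Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet integer
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")


def _tagged_string(value: bytes) -> str:
    # RFC 2868 3.6: a leading octet of 0x00..0x1F is a tag, anything larger is data
    return (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")


def vlan_from_access_accept(payload: bytes, fallback_vlan: Optional[int] = None) -> int:
    """Return the VLAN the authenticator must place the station in."""
    attrs = parse_attributes(payload)
    if not all(a in attrs for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        if fallback_vlan is None:
            raise PermissionError("Access-Accept carries no VLAN attributes; refusing access")
        return fallback_vlan  # explicit quarantine/guest VLAN chosen by the administrator
    if _tagged_int(attrs[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type is not VLAN")
    if _tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_IEEE802:
        raise ValueError("Tunnel-Medium-Type is not IEEE-802")
    vlan = int(_tagged_string(attrs[TUNNEL_PRIVATE_GROUP_ID]))  # RFC 3580 carries the VLAN id as text
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id {vlan} out of range")
    return vlan


def build_vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """Constructed sample: the three attributes a RADIUS server returns for a workgroup VLAN."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    tagged = lambda n: bytes([tag]) + n.to_bytes(3, "big")
    return (attr(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))
```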