Mikrotik Radius Client Attribute/Authentication Questions

Hi all,

To authenticate w/ our Radius servers, I need to have the Mikrotik send during the RADIUS access-request for each user the following

  1. SSID requested by the user

In doing some research, I’ve discovered methods of doing it either through Congdon (e.g. – attached to the end of the called-station-id) or via a VSA

Does Mikrotik support this (through Congdon or a specific VSA for SSID)?

If not – how are others implementing 802.1x RADIUS-based authentication w/ Mikrotik (or is anyone doing it?)

Thanks

-Charles

Just to expand:

from:
http://www.ieee802.org/1/files/public/docs2002/draft-congdon-radius-8021x-20.txt
Congdon RADIUS (802.1x) implementation of Called-Station-ID Attribute

3.20. Called-Station-Id

For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format, with octet values separated by a “-”. Example: “00-10-A4-23-19-C0”. In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a “:”. Example “00-10-A4-23-19-C0:AP1”.

So I delved deeper into the documentation, and found the Mikrotik reference dictionary:

http://www.mikrotik.com/Documentation/manual_2.9/dictionary

It looks like there’s no particular VSA for SSID =(

That said, is there any way to pass the user’s associated SSID to the radius server (is Calling-Station-ID implemented correctly per Congdon)?

thanks

-Charles

I need the same: is there any way to pass the user’s associated SSID to the radius server?
I have a tower with 2 wifi interfaces and I must set access to a particular SSID for a wireless client in the radius server.

Please advise.

Piotr

Each SSID has its own interface in RouterOS. RADIUS gets the interface name in the NAS-Port-Id attribute.

It is possible to rename all wireless interfaces to their SSID value, and then NAS-Port-Id will contain the SSID of the client.
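An added example (not part of any post in this thread, and not MikroTik or RADIUS server code) of how a RADIUS-side policy check could recover the SSID: first from Called-Station-Id in the Congdon "MAC:SSID" form quoted above, then from NAS-Port-Id when the interfaces have been renamed to their SSIDs. The function names, the `port_id_is_ssid` flag and the sample policy and request are hypothetical; requests are assumed to arrive as a dict of attribute names to strings, and a ":"-separated MAC is accepted as a generalization beyond the draft's "-" form.

```python
import re

# Called-Station-Id per the Congdon draft: AP MAC with "-" between octets
# (":" also accepted here), optionally followed by ":" and the SSID.
_CALLED_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(?P<ssid>.*))?$",
    re.DOTALL)

def normalize_mac(mac):
    """Return the MAC as upper-case octets joined by '-'."""
    return "-".join(re.findall(r"[0-9A-Fa-f]{2}", mac)).upper()

def parse_called_station_id(value):
    """Split Called-Station-Id into (ap_mac, ssid); ssid is None if absent."""
    m = _CALLED_RE.match(value)
    if m is None:
        raise ValueError("not a MAC[:SSID] Called-Station-Id: %r" % value)
    ssid = m.group("ssid") or None
    if ssid is not None and len(ssid.encode("utf-8")) > 32:
        raise ValueError("SSID longer than 32 octets")
    return normalize_mac(m.group("mac")), ssid

def ssid_for_request(attrs, port_id_is_ssid=False):
    """SSID of an Access-Request, or None when it cannot be determined."""
    try:
        _, ssid = parse_called_station_id(attrs.get("Called-Station-Id") or "")
    except ValueError:
        ssid = None
    # Fallback (assumption): interfaces were renamed to their SSID values.
    if ssid is None and port_id_is_ssid:
        ssid = attrs.get("NAS-Port-Id") or None
    return ssid

def ssid_allowed(attrs, policy, port_id_is_ssid=False):
    """Fail closed: reject if the SSID is unknown or not listed for the client."""
    client = normalize_mac(attrs.get("Calling-Station-Id", ""))
    ssid = ssid_for_request(attrs, port_id_is_ssid)
    return ssid is not None and ssid in policy.get(client, set())

# Constructed sample data: client MAC -> SSIDs it may use, and one request.
POLICY = {"00-13-CE-9A-F6-82": {"AP1"}}
REQUEST = {"Calling-Station-Id": "00:13:CE:9A:F6:82",
           "Called-Station-Id": "00-10-A4-23-19-C0:AP1"}

if __name__ == "__main__":
    print(ssid_allowed(REQUEST, POLICY))
```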

Now I can check the SSID with the NAS-Port-Id attribute.

00:13:CE:9A:F6:82 NAS-Port-Id == wlan1

But if I turn it on - the DHCP server doesn’t give me an IP address - I get Access-Reject.

Checking the SSID works fine, the client can be associated with the radio station, but the DHCP lease stops working.

If I then remove this line from the radius check table, DHCP starts working, but of course I lose the possibility of checking the SSID.

Any ideas?

I have been told that v3.x will pass SSID to RADIUS. Can anyone confirm this? I am trying to prove it myself currently…

For Virtual AP, each SSID should be able to be passed to RADIUS per Congdon, right?

Jin