g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

L2TP, Multiple VLANs, use RADIUS to assign user to VLAN

Tue Jul 10, 2012 5:55 pm

I have a Mikrotik 5.16 box and a Windows 2008 R2 server.

I also have multiple internal VLANs

VLANA - 192.168.100.0/24
VLANB - 192.168.101.0/24
VLANC - 192.168.102.0/24

I would like to assign different PPP dial-in users to different subnets (depending on some group membership, which I can play around with in the Windowz RADIUS server).

My questions are:

1) Is it possible to restrict users to a specific VLAN?
2) What if they needed access to more than one VLAN?
3) What attributes would I need to send from the RADIUS server to restrict traffic?
4) Any useful tutorials for the above? :)

Many thanks in advance,

Chris
 
peson
Trainer
Posts: 202
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: L2TP, Multiple VLANs, use RADIUS to assign user to VLAN

Wed Jul 11, 2012 10:15 am

1) Is it possible to restrict users to a specific VLAN?
2) What if they needed access to more than one VLAN?
3) What attributes would I need to send from the RADIUS server to restrict traffic?
4) Any useful tutorials for the above? :)

Set up filter chains in the firewall and use the RADIUS Filter-Id to specify a firewall filter for a user or group of users.
Read:
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
http://wiki.mikrotik.com/wiki/Manual:PP ... r_Profiles
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
 
g18c
Frequent Visitor
Topic Author
Posts: 62
Joined: Sat May 26, 2012 11:11 pm

Re: L2TP, Multiple VLANs, use RADIUS to assign user to VLAN

Wed Jul 18, 2012 5:37 pm

Hi, thanks for the reply. I am looking into this and would appreciate some pointers:

I am adding the following chain below:

[MikroTik] /ip firewall filter> add chain=vlan72 out-interface=LAB2_VLAN action=accept
[MikroTik] /ip firewall filter> add chain=vlan72 in-interface=LAB2_VLAN action=accept

Under the radius documentation it says: Filter-Id - filter rules in ppp chain that will jump to the specified chain, if a packet has come to/from the client (that means that you should first create a ppp chain and make jump rules that would put actual traffic to this chain). The same applies for HotSpot, but the rules will be created in hotspot chain.

What do I need to do to make radius authenticated traffic jump to the vlan72 chain?

Am I right to assume for the vlan72 chain I should mention in and out interfaces so traffic is restricted and let the default drop all catch the rest?

I appreciate the help.

Thanks, Chris
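Bringing peson's Filter-Id answer and the jump-rule question above together, here is an added RouterOS configuration (written for this page, not taken from the thread or from MikroTik's documentation) showing where the ppp chain, the per-user chains named by Filter-Id and the catch-all drop fit. It assumes constructed values: L2TP clients addressed from 10.255.0.0/24, VLAN interfaces LAB2_VLAN and LAB3_VLAN, and the NPS server at 192.0.2.10; the two-VLAN chain goes beyond the post to cover question 2.

```routeros
# Added example, not from the thread. Constructed assumptions: L2TP clients get
# addresses from 10.255.0.0/24, the VLAN interfaces are LAB2_VLAN and LAB3_VLAN,
# and the Windows NPS (RADIUS) server is 192.0.2.10.

# Point the PPP server at RADIUS so L2TP users are authenticated by NPS.
# On NPS, the network policy for each Windows group sets the standard RADIUS
# attribute Filter-Id (attribute 11) to the chain name, e.g. "vlan72".
/radius add service=ppp address=192.0.2.10 secret=CHANGE-ME
/ppp aaa set use-radius=yes

/ip firewall filter
# 1. Every packet from or to a PPP client is handed to chain "ppp". When a user
#    authenticates, RouterOS inserts a dynamic rule in "ppp" that matches that
#    client's address and jumps to the chain named in Filter-Id; the rule is
#    removed again when the session ends. Without these jump rules the dynamic
#    rule is never reached, which is the missing piece in the question above.
add chain=forward src-address=10.255.0.0/24 action=jump jump-target=ppp comment="L2TP client -> ppp chain"
add chain=forward dst-address=10.255.0.0/24 action=jump jump-target=ppp comment="-> L2TP client, ppp chain"

# 2. Per-group chains referenced by Filter-Id. Filter-Id=vlan72 may only reach
#    LAB2_VLAN; Filter-Id=vlan72-73 may reach both lab VLANs (question 2). Each
#    chain ends with "return" so traffic for any other VLAN falls back to "forward".
add chain=vlan72 out-interface=LAB2_VLAN action=accept
add chain=vlan72 in-interface=LAB2_VLAN action=accept
add chain=vlan72 action=return

add chain=vlan72-73 out-interface=LAB2_VLAN action=accept
add chain=vlan72-73 in-interface=LAB2_VLAN action=accept
add chain=vlan72-73 out-interface=LAB3_VLAN action=accept
add chain=vlan72-73 in-interface=LAB3_VLAN action=accept
add chain=vlan72-73 action=return

# 3. Catch-all: client traffic that came back from "ppp" without being accepted
#    is dropped. These rules must sit below the jump rules; a drop placed above
#    them would discard client traffic before any per-user chain is evaluated.
add chain=forward src-address=10.255.0.0/24 action=drop comment="L2TP client, not permitted"
add chain=forward dst-address=10.255.0.0/24 action=drop comment="-> L2TP client, not permitted"
```

While a user is connected, `/ip firewall filter print` shows the dynamic jump rule in chain ppp (flagged D) pointing at the chain NPS returned, which is the quickest way to confirm the Filter-Id attribute arrived.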
