I've been playing with VLAN steering on my CRS125 but have had limited success. I'm testing using a Virtual-AP. Bridged to a single VLAN, the RADIUS authentication works fine. If the radius server returns "Mikrotik_Wireless_VLANID = 4094", then the CRS appears to act upon it - but I don't establish a network connection. I guess this is expected as the tagged VLAN traffic needs to be presented to the Virtual-AP interface?

Before I experiment further, will the current config work or do I need to configure the wireless to be managed under CAPsMAN in order to get VLAN steering to work?

Thanks.

Check the wireless package being used, only wireless-fp and wireless-cm2 support this (see http://wiki.mikrotik.com/wiki/Manual:In ... AN_tagging )

Thanks for the info.

I am using the wireless-cm2 package but the wireless interface is not configured as being CAPs managed. Does VLAN steering work without CAPs?

If I have three vlans that I wish to make available via a single wireless virtual AP, then I need to connect the three tagged vlans to the wireless virtual AP interface?

No need to be CAPs managed.

Not sure what do you want to achieve, to have specific clients traffic assigned to a VLAN depending on radius attributes?

In such case (previous wiki entry),

Per-interface VLAN tag can be overridden on per-client basis by means of access-list and RADIUS attributes (for both - regular wireless and wireless controller).

This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).

Thanks again for the helpful reply.

What I'd like to achieve (and, perhaps, I've misunderstood how this works) is that each user on the single virtual AP instance gets placed on a vlan, determined by the "Mikrotik_Wireless_VLANID" returned for that user by the RADIUS server.

So, user1 ends up on VLAN 10 and user2 ends up of VLAN 20, etc. Both users are connected at the same time.

Is that possible?

This is not quite the "designed" purpose of this attribute. The idea is that you have some pre-built VLANs (i.e. secure vlan, standard vlan, guest vlan, etc., or vlans which lead to router1 for gold customers, router2 for platinum customers, or router3 for trial accounts - whatever) and the RADIUS profile tells the AP which vlan tag to use, but the vlans all go to specific pre-defined places.

If you just want client isolation, then use default-forward=no on the AP.

Hi,

Thanks for the info.

I wasn't clear. Yes, I do have some pre-defined VLANS. Some users need to join a development network VLAN and others join a finance VLAN, etc. Which network they join is determined by the RADIUS server.

In order to do this, I simply present the Virtual AP interface with the tagged VLANs the users need to access?

Thanks.

To conclude this, I now have this working on a CRS125-24g-1s-2hnd-in.

I can now associate clients with vlans controlled by their user accounts on the FreeRadius server.

Now, if only the CRS125 native switch supported 802.3ad....