I'm trying to assign VLANs based on user authentication (so EAP, not PSK). For example, when user2 logs in they should automatically be placed in VLAN 2 and receive a 192.168.202.0/24 IP address from the DHCP server.
Used Software/Packages:
FreeRADIUS version 3.0.11
RouterOS v6.35.4
CapsmanV2
Wireless-cm2
My Configuration on RouterOS: (ether1 = WAN = 192.168.0.149/24, as you can see in my plan)
# CAPsMAN + FreeRADIUS (WPA2-EAP passthrough) with per-user VLANs pushed by RADIUS
# and one DHCP server per VLAN sub-interface. Exported from RouterOS 6.35.4; the
# firewall section is cut short in the post ("....") so only the visible rules are
# reviewed here.
/interface bridge
# protocol-mode=none: STP disabled on the LAN bridge.
# NOTE(review): no bridge vlan-filtering is configured, so VLAN separation rests
# solely on the /interface vlan sub-interfaces below; tagged frames entering the
# bridge are flooded to every bridge port.
add name=bridge-lan protocol-mode=none
/interface vlan
# Tagged VLANs 1-4 on top of bridge-lan; each gets an address and DHCP server below.
# NOTE(review): the post reports clients landing in 192.168.201.0/24 (vlan1)
# whenever the RADIUS VLAN attribute is missing or not applied - presumably the
# CAP datapath falls back to its default vlan-id of 1 because no datapath.vlan-id
# is set anywhere; confirm on the live CAP interface.
add interface=bridge-lan name=vlan1 vlan-id=1
add interface=bridge-lan name=vlan2 vlan-id=2
add interface=bridge-lan name=vlan3 vlan-id=3
add interface=bridge-lan name=vlan4 vlan-id=4
/caps-man configuration
# 2.4 GHz SSID "testcl01": WPA2-EAP with EAP passed through to the server under
# /radius, RADIUS accounting on, and datapath.vlan-mode=use-tag so client traffic
# is tagged into bridge-lan with the VLAN assigned per user.
# NOTE(review): encryption=aes-ccm,tkip keeps TKIP enabled. TKIP is a legacy cipher
# and should be dropped (aes-ccm only) unless a specific old client requires it.
add channel.extension-channel=Ce channel.frequency=2412 channel.width=20 \
country=austria datapath.bridge=bridge-lan datapath.vlan-mode=use-tag mode=\
ap name=wlan-2 rx-chains=0,1,2 security.authentication-types=wpa2-eap \
security.eap-methods=passthrough security.eap-radius-accounting=yes \
security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=\
testcl01 tx-chains=0,1,2
/caps-man interface
# cap1 overrides the wlan-2 profile inline: encryption narrowed to aes-ccm (good),
# but security.eap-radius-accounting=no switches accounting off on this radio only,
# contradicting the profile's =yes above - probably unintended.
add arp=enabled configuration=wlan-2 datapath.vlan-mode=use-tag disabled=no \
l2mtu=1600 mac-address=E4:8D:8C:72:D6:32 master-interface=none mtu=1500 \
name=cap1 radio-mac=E4:8D:8C:72:D6:32 security.authentication-types=\
wpa2-eap security.eap-methods=passthrough security.eap-radius-accounting=no \
security.encryption=aes-ccm security.group-encryption=aes-ccm
# cap3 inherits wlan-2 unchanged (including TKIP).
add arp=enabled configuration=wlan-2 datapath.vlan-mode=use-tag disabled=no \
l2mtu=1600 mac-address=E4:8D:8C:69:BC:53 master-interface=none mtu=1500 \
name=cap3 radio-mac=E4:8D:8C:69:BC:53
/caps-man security
# security-t1 is not referenced by any visible configuration or interface (and
# still allows tkip); "test" is the AES-CCM-only profile used by wlan-5 below.
add authentication-types=wpa2-eap eap-radius-accounting=yes encryption=\
aes-ccm,tkip group-encryption=aes-ccm name=security-t1
add authentication-types=wpa2-eap eap-methods=passthrough \
eap-radius-accounting=yes encryption=aes-ccm name=test
/caps-man configuration
# 5 GHz SSID "testcl02": same RADIUS/VLAN setup, AES-CCM only via profile "test".
add channel.band=5ghz-a/n/ac channel.extension-channel=eeCe channel.frequency=\
5540 country=austria datapath.bridge=bridge-lan datapath.vlan-mode=use-tag \
mode=ap name=wlan-5 rx-chains=0,1,2 security=test \
security.authentication-types=wpa2-eap security.eap-methods=passthrough \
security.eap-radius-accounting=yes security.encryption=aes-ccm ssid=\
testcl02 tx-chains=0,1,2
/caps-man interface
# cap2 (5 GHz) re-widens encryption to aes-ccm,tkip, overriding the aes-ccm-only
# "test" profile it is assigned - same TKIP remark as above.
add arp=enabled configuration=wlan-5 configuration.multicast-helper=full \
datapath.bridge=bridge-lan datapath.vlan-mode=use-tag disabled=no l2mtu=\
1600 mac-address=E4:8D:8C:72:D6:31 master-interface=none mtu=1500 name=cap2 \
radio-mac=E4:8D:8C:72:D6:31 security.encryption=aes-ccm,tkip
/interface wireless security-profiles
# Local (non-CAPsMAN) wireless default profile; not involved in the CAP setup.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
/ip pool
# One address pool per VLAN (192.168.20N.20-200) plus dhcp-pool for untagged
# bridge-lan clients.
add name=dhcp-pool ranges=192.168.1.20-192.168.1.200
add name=server-vlan2-pool ranges=192.168.202.20-192.168.202.200
add name=server-vlan1-pool ranges=192.168.201.20-192.168.201.200
add name=server-vlan3-pool ranges=192.168.203.20-192.168.203.200
add name=server-vlan4-pool ranges=192.168.204.20-192.168.204.200
/ip dhcp-server
# lease-time=2m on vlan1 is very short (the others use 2d); fine for debugging,
# otherwise align it with the rest.
add address-pool=server-vlan1-pool disabled=no interface=vlan1 lease-time=2m \
name=server-vlan1
# server1 serves untagged clients on bridge-lan (wired ether2-5 and any CAP
# traffic that arrives without a VLAN tag).
add address-pool=dhcp-pool disabled=no interface=bridge-lan name=server1
add address-pool=server-vlan2-pool disabled=no interface=vlan2 lease-time=2d \
name=server-vlan2
add address-pool=server-vlan3-pool disabled=no interface=vlan3 lease-time=2d \
name=server-vlan3
add address-pool=server-vlan4-pool disabled=no interface=vlan4 lease-time=2d \
name=server-vlan4
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
# CAPsMAN control channel secured with an auto-generated CA and certificate.
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
# ether2-5 are untagged members of bridge-lan.
# NOTE(review): because the bridge does no VLAN filtering, the tagged VLAN 1-4
# frames from the CAPs are flooded to these wired ports as well; a host there can
# bring up a tagged sub-interface and join any user VLAN - confirm this is
# acceptable for the segregation goal.
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
/ip address
# Router addresses: untagged LAN on bridge-lan, plus one gateway per VLAN
# (192.168.20N.1/24 on vlanN).
add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
add address=192.168.201.1/24 interface=vlan1 network=192.168.201.0
add address=192.168.202.1/24 interface=vlan2 network=192.168.202.0
add address=192.168.203.1/24 interface=vlan3 network=192.168.203.0
add address=192.168.204.1/24 interface=vlan4 network=192.168.204.0
/ip dhcp-client
# WAN address on ether1 from the upstream DHCP (192.168.0.149/24 per the post).
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether1
/ip dhcp-server network
# Each network hands out its own gateway as first DNS server, 8.8.8.8 second.
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1
add address=192.168.201.0/24 dns-server=192.168.201.1,8.8.8.8 gateway=\
192.168.201.1
add address=192.168.202.0/24 dns-server=192.168.202.1,8.8.8.8 gateway=\
192.168.202.1
add address=192.168.203.0/24 dns-server=192.168.203.1,8.8.8.8 gateway=\
192.168.203.1
add address=192.168.204.0/24 dns-server=192.168.204.1,8.8.8.8 gateway=\
192.168.204.1
/ip firewall filter
# NOTE(review): none of these rules sets action=, so they take the RouterOS
# default action=accept. The forward rule accepts every 192.168.0.0/16 <->
# 192.168.0.0/16 flow, i.e. traffic between vlan1..vlan4 (and from the upstream
# 192.168.0.0/24 on ether1) is routed freely - the per-user VLANs then separate
# addressing only, not access. The input rule likewise admits the whole /16,
# including the WAN-side subnet, to the router itself. If isolation between
# VLANs / from ether1 is intended, explicit drop rules are needed; the rest of
# the chain is elided in the post ("....") so it cannot be checked here.
add chain=forward dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add chain=input dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add chain=output dst-address=192.168.0.0/16 src-address=192.168.0.0/16
....
/ip firewall nat
# Masquerade everything leaving ether1 (WAN).
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
# NAT/conntrack helpers disabled - good; they are a known attack surface.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip upnp
# NOTE(review): UPnP is enabled. It lets any LAN host open inbound port forwards
# through the WAN NAT with no authentication; set enabled=no unless a specific
# device needs it. (The UPnP interface list is not shown in the post.)
set enabled=yes
/ppp aaa
# PPP RADIUS authentication - unrelated to the wireless EAP path.
set interim-update=5m use-radius=yes
/radius
# FreeRADIUS at 192.168.0.5 sits on the upstream/WAN-side subnet of ether1, so
# RADIUS traffic (protected only by the shared secret) crosses the WAN interface;
# use a strong secret and consider pinning src-address=. service=wireless is the
# service CAPsMAN uses for EAP passthrough.
# NOTE(review) on the VLAN problem reported in the post: the radreply rows are
# keyed on lower-case "test2" while the login is "Test2" - FreeRADIUS/SQL user
# matching may be case-sensitive, verify. If the EAP method is a tunnelled one
# (PEAP/TTLS), the Mikrotik-Wireless-VLANID / -VLANID-Type attributes must also be
# copied from the inner-tunnel reply into the outer Access-Accept (FreeRADIUS
# use_tunneled_reply) or the CAP never sees them. The radius log enabled below
# shows exactly which attributes arrive; the values 0x2 / 0x0 can also be tried as
# plain 2 / 0 - confirm the dictionary treats them as integers.
add address=192.168.0.5 secret=XXXXXXXX service=wireless
/system identity
set name=capsman
/system logging
# Logging rule 0 (presumably the default info rule) is disabled; radius/dhcp/radvd
# topics are logged instead - the radius topic is where to check the
# Access-Accept for the VLAN attributes.
set 0 disabled=yes
add topics=radius
add topics=dhcp
add topics=radvd
radreply
radreply
+----+----------+-------------------------------+----+-------+
| id | username | attribute | op | value |
+----+----------+-------------------------------+----+-------+
| 5 | test2 | Mikrotik-Wireless-VLANID | := | 0x2 |
| 6 | test2 | Mikrotik-Wireless-VLANID-Type | := | 0x0 |
+----+----------+-------------------------------+----+-------+
But whenever I log in as Test2 I end up in VLAN 1 and get a 192.168.201.x/24 IP address.
If I delete those radreply rows the same thing happens, so the VLAN attributes seem not to be applied at all. Does anyone have advice on what I'm doing wrong?
Thank you very much in advance!