gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

First time configuring User manager

Thu Sep 21, 2023 5:15 pm

Hello, is there any tutorial that you can recommend for someone who would like to try and configure user manager for the first time?

My goal is to have one SSID for multiple VLANs and as far as I can see for now this is the only way.

My test setup includes an RB4011 with the wifiwave2 package and the user manager package installed; the RB4011 acts as CAPsMAN controller, and the CAP is a hAP ax2.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Fri Sep 22, 2023 6:02 pm

So I tried to play a little bit with user manager.

In the Radius menu I created the service "wireless"; the IP address is 127.0.0.1 as the service is local on the router, so I presume 127.0.0.1 is a valid choice.

In incoming I selected accept, and in user manager I created a new router with the same address and secret as the service in the radius menu and enabled user manager. But now I'm stuck: how do I define users, e.g. my phone to be one user?

I tried to export the configuration but there is no user manager or radius section.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Fri Sep 22, 2023 6:10 pm

You need to enable "MAC authentication" in your wireless security profile, select a MAC format, MAC "as username", and add "usernames" that are the MAC addresses of the devices you want to accept (in that same format). The users have no password.
To assign a VLAN to the users you put them in a group, and you define groups like this (that is the only tricky thing):
/user-manager user group
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mikrotik-Wireless-VLANID:10" name=VLAN10 outer-auths=pap
The users who are members of group VLAN10 will be put in VLAN 10 when connecting to your WiFi SSID. Of course the name can be different.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Fri Sep 22, 2023 7:23 pm

I presume that there should be RADIUS tab here:

RADIUS missing.jpg
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Sat Sep 23, 2023 10:03 am

Is it the problem that I'm using CAPsMAN? I can't find MAC authentication at all...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Sat Sep 23, 2023 9:30 pm

I found this video, and the guy has a RADIUS menu and everything, but he is using legacy WiFi as far as I can see, while I'm using wifiwave2.

https://www.youtube.com/watch?v=XEqjPqx ... sPointKft.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Sat Sep 23, 2023 10:46 pm

I don't have any wifiwave2 devices so I can't comment...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Sun Sep 24, 2023 6:44 am

Okay, I took my old hAP AC3, which is running legacy wifi drivers, updated it to the latest beta version, installed user manager, and did everything I did before on the RB4011.

I created a new security profile with only MAC authentication enabled, created VLAN10, set both of my wireless interfaces to this new profile, and in User manager I created a user with the MAC address of my phone; when I try to connect it says can't connect to the network.

Setup_1.jpg

Also here is the config:
# 2023-02-05 11:56:54 by RouterOS 7.12beta7
# software id = 
#
# model = RBD53iG-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    radius-mac-authentication=yes supplicant-identity=MikroTik
add name=profile1 radius-mac-authentication=yes supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2437 installation=indoor mode=ap-bridge \
    security-profile=profile1 ssid=Mikrotik wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-XX \
    country=croatia disabled=no distance=indoors frequency=5500 installation=\
    indoor mode=ap-bridge security-profile=profile1 ssid=Mikrotik5 \
    wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=VLAN10 name=dhcp1
/user-manager user group
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mik\
    rotik-Wireless-VLANID:10" name=VLAN10 outer-auths=pap
/user-manager user
add group=VLAN10 name=00:C3:0A:B7:ED:1C
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    wlan2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,wlan2 vlan-ids=10
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
set caps-man-addresses=127.0.0.1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 comment=TEST interface=VLAN10 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether5
/ip dhcp-server lease
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=vpn service=l2tp
add name=l2tp profile=vpn service=l2tp
/radius
add address=127.0.0.1 service=wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Mikrotik
/system leds
set 0 disabled=yes interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=ether5 leds=led5
set 3 interface=ether4
set 4 interface=ether3 leds=led3
add interface=ether2 leds=led2 type=interface-activity
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=127.0.0.1 name=router1
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Sun Sep 24, 2023 12:51 pm

Under /system logging enable debug for wireless and radius (all topics) and you can see exactly what is happening.
(open the log window)
I keep logging for wireless enabled so I can see the devices joining the network performing the authentication.
Logging for radius I have disabled during normal use as it is quite a lot. But it shows you during setup what is happening.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Sun Sep 24, 2023 5:44 pm

I did like you advised and I get this:
 11:22:52 system,info UMS user <6E:23:D0:58:9D:E5> changed by tcp-msg(winbox):admin@192.168.88.201 (/user-manager user set *1 attributes="" disabled=no group=VLAN10 name=6E:23:D0:58:9D:E5 shared-users=1)
 11:22:53 wireless,debug wlan2: must select channel
 11:22:53 wireless,debug wlan2: failed to select channel
 11:22:56 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:22:56 wireless,debug wlan1: 6E:23:D0:58:9D:E5 not in local ACL, query RADIUS
 11:22:56 wireless,debug send RADIUS request for 6E:23:D0:58:9D:E5 on wlan1
 11:22:56 radius,debug new request 58:11 code=Access-Request service=wireless called-id=2C-C8-1B-7E-51-79:Mikrotik
 11:22:56 radius,debug sending 58:11 to 127.0.0.1:1812
 11:22:56 radius,debug,packet sending Access-Request with id 6 to 127.0.0.1:1812
 11:22:56 radius,debug,packet     Signature = 0x16b87b205296d337ab205455ba6f502c
 11:22:56 radius,debug,packet     Service-Type = 2
 11:22:56 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:22:56 radius,debug,packet     NAS-Port-Type = 19
 11:22:56 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:22:56 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:22:56 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:22:56 radius,debug,packet     User-Password = 0x
 11:22:56 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:22:56 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:22:56 radius,debug resending 58:11
 11:22:56 radius,debug,packet sending Access-Request with id 6 to 127.0.0.1:1812
 11:22:56 radius,debug,packet     Signature = 0x16b87b205296d337ab205455ba6f502c
 11:22:56 radius,debug,packet     Service-Type = 2
 11:22:56 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:22:56 radius,debug,packet     NAS-Port-Type = 19
 11:22:56 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:22:56 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:22:56 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:22:56 radius,debug,packet     User-Password = 0x
 11:22:56 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:22:56 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:22:57 radius,debug resending 58:11
 11:22:57 radius,debug,packet sending Access-Request with id 6 to 127.0.0.1:1812
 11:22:57 radius,debug,packet     Signature = 0x16b87b205296d337ab205455ba6f502c
 11:22:57 radius,debug,packet     Service-Type = 2
 11:22:57 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:22:57 radius,debug,packet     NAS-Port-Type = 19
 11:22:57 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:22:57 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:22:57 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:22:57 radius,debug,packet     User-Password = 0x
 11:22:57 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:22:57 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:22:57 radius,debug timeout for 58:11
 11:22:57 wireless,debug got RADIUS timeout for 6E:23:D0:58:9D:E5 on wlan1
 11:22:58 wireless,debug wlan2: must select channel
 11:22:58 wireless,debug wlan2: failed to select channel
 11:22:59 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:22:59 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:22:59 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:22:59 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:22:59 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:22:59 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:22:59 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:22:59 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:03 wireless,debug wlan2: must select channel
 11:23:03 wireless,debug wlan2: failed to select channel
 11:23:08 wireless,debug wlan2: must select channel
 11:23:08 wireless,debug wlan2: failed to select channel
 11:23:09 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:09 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:09 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:09 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:09 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:09 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:09 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:09 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:13 wireless,debug wlan2: must select channel
 11:23:13 wireless,debug wlan2: failed to select channel
 11:23:18 wireless,debug wlan2: must select channel
 11:23:18 wireless,debug wlan2: failed to select channel
 11:23:23 wireless,debug wlan2: must select channel
 11:23:23 wireless,debug wlan2: failed to select channel
 11:23:28 wireless,debug wlan2: must select channel
 11:23:28 wireless,debug wlan2: failed to select channel
 11:23:33 wireless,debug wlan2: must select channel
 11:23:33 wireless,debug wlan2: failed to select channel
 11:23:34 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:34 wireless,debug wlan1: 6E:23:D0:58:9D:E5 not in local ACL, query RADIUS
 11:23:34 wireless,debug send RADIUS request for 6E:23:D0:58:9D:E5 on wlan1
 11:23:34 radius,debug new request 58:12 code=Access-Request service=wireless called-id=2C-C8-1B-7E-51-79:Mikrotik
 11:23:34 radius,debug sending 58:12 to 127.0.0.1:1812
 11:23:34 radius,debug,packet sending Access-Request with id 7 to 127.0.0.1:1812
 11:23:34 radius,debug,packet     Signature = 0xb201a563629e2957d72f0c028ad8f136
 11:23:34 radius,debug,packet     Service-Type = 2
 11:23:34 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:23:34 radius,debug,packet     NAS-Port-Type = 19
 11:23:34 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:23:34 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:23:34 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:23:34 radius,debug,packet     User-Password = 0x
 11:23:34 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:23:34 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:23:34 radius,debug resending 58:12
 11:23:34 radius,debug,packet sending Access-Request with id 7 to 127.0.0.1:1812
 11:23:34 radius,debug,packet     Signature = 0xb201a563629e2957d72f0c028ad8f136
 11:23:34 radius,debug,packet     Service-Type = 2
 11:23:34 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:23:34 radius,debug,packet     NAS-Port-Type = 19
 11:23:34 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:23:34 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:23:34 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:23:34 radius,debug,packet     User-Password = 0x
 11:23:34 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:23:34 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:23:35 radius,debug resending 58:12
 11:23:35 radius,debug,packet sending Access-Request with id 7 to 127.0.0.1:1812
 11:23:35 radius,debug,packet     Signature = 0xb201a563629e2957d72f0c028ad8f136
 11:23:35 radius,debug,packet     Service-Type = 2
 11:23:35 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:23:35 radius,debug,packet     NAS-Port-Type = 19
 11:23:35 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:23:35 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:23:35 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:23:35 radius,debug,packet     User-Password = 0x
 11:23:35 radius,debug,packet     NAS-Identifier = "MRB_KPecar"
 11:23:35 radius,debug,packet     NAS-IP-Address = 127.0.0.1
 11:23:35 radius,debug timeout for 58:12
 11:23:35 wireless,debug got RADIUS timeout for 6E:23:D0:58:9D:E5 on wlan1
 11:23:35 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:35 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:35 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:35 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
 11:23:35 wireless,debug wlan1: 6E:23:D0:58:9D:E5 attempts to associate
 11:23:35 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
As far as I understand, random MAC was on; I set it up to use the device MAC and again got this error.
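The log above shows the two states that matter when debugging this setup: a query that gets no answer (retransmits, then "timeout"), and later in the thread an Access-Accept carrying the VLAN attribute. The following triage script is an added example, not code from the thread or from MikroTik: it correlates the "wireless,debug" and "radius,debug" lines into one record per RADIUS query and prints a hint per outcome. The sample lines are constructed after the log above; the hints restate the checks given in this thread (shared secret, router address, input firewall rules, tagged VLAN with a DHCP server).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the RouterOS debug lines quoted in this
# thread: one query that times out against 127.0.0.1, one accepted by
# 192.168.88.1 with MT-Wireless-VLAN-ID = 10.
SAMPLE_LOG = """\
11:22:56 wireless,debug wlan1: 6E:23:D0:58:9D:E5 not in local ACL, query RADIUS
11:22:56 radius,debug new request 58:11 code=Access-Request service=wireless called-id=2C-C8-1B-7E-51-79:Mikrotik
11:22:56 radius,debug sending 58:11 to 127.0.0.1:1812
11:22:56 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
11:22:56 radius,debug resending 58:11
11:22:57 radius,debug resending 58:11
11:22:57 radius,debug timeout for 58:11
11:22:57 wireless,debug got RADIUS timeout for 6E:23:D0:58:9D:E5 on wlan1
11:22:59 wireless,debug wlan1: reject 6E:23:D0:58:9D:E5, banned (last failure - not allowed by RADIUS)
11:54:20 wireless,debug wlan1: 6E:23:D0:58:9D:E5 not in local ACL, query RADIUS
11:54:20 radius,debug new request 58:1d code=Access-Request service=wireless called-id=2C-C8-1B-7E-51-79:Mikrotik
11:54:20 radius,debug sending 58:1d to 192.168.88.1:1812
11:54:20 radius,debug,packet received Access-Accept with id 14 from 192.168.88.1:1812
11:54:20 radius,debug,packet     MT-Wireless-VLAN-ID = 10
11:54:20 radius,debug received reply for 58:1d
11:54:20 wireless,debug got RADIUS accept for 6E:23:D0:58:9D:E5 on wlan1
"""

MAC = r"([0-9A-Fa-f:]{17})"
RE_QUERY = re.compile(r"wireless,debug (\w+): " + MAC + r" not in local ACL, query RADIUS")
RE_NEWREQ = re.compile(r"radius,debug new request (\S+) code=Access-Request")
RE_SENDING = re.compile(r"radius,debug sending (\S+) to (\S+)")   # not the ",packet" lines
RE_RESEND = re.compile(r"radius,debug resending (\S+)")
RE_VLAN = re.compile(r"MT-Wireless-VLAN-ID = (\d+)")
RE_TIMEOUT = re.compile(r"got RADIUS timeout for " + MAC)
RE_ACCEPT = re.compile(r"got RADIUS accept for " + MAC)
RE_BANNED = re.compile(r"reject " + MAC + r", banned")


@dataclass
class AuthAttempt:
    mac: str
    interface: str
    request_id: str = ""
    server: str = ""
    retries: int = 0
    outcome: str = "pending"      # pending | timeout | accept
    vlan: Optional[int] = None    # VLAN id returned in the Access-Accept, if any


def parse_radius_log(text: str) -> Tuple[List[AuthAttempt], Dict[str, int]]:
    """Return one AuthAttempt per RADIUS query plus a per-MAC count of 'banned' rejects."""
    attempts: List[AuthAttempt] = []
    by_mac: Dict[str, AuthAttempt] = {}   # attempts still waiting for a verdict
    by_req: Dict[str, AuthAttempt] = {}   # "58:11"-style request id -> attempt
    banned: Dict[str, int] = {}
    last_mac: Optional[str] = None        # MAC of the most recent "query RADIUS" line
    last_vlan: Optional[int] = None       # attribute seen in the most recent Access-Accept
    for line in text.splitlines():
        if m := RE_QUERY.search(line):
            a = AuthAttempt(mac=m.group(2), interface=m.group(1))
            attempts.append(a)
            by_mac[a.mac] = a
            last_mac = a.mac
        elif (m := RE_NEWREQ.search(line)) and last_mac in by_mac:
            by_mac[last_mac].request_id = m.group(1)
            by_req[m.group(1)] = by_mac[last_mac]
        elif (m := RE_SENDING.search(line)) and m.group(1) in by_req:
            by_req[m.group(1)].server = m.group(2)
        elif (m := RE_RESEND.search(line)) and m.group(1) in by_req:
            by_req[m.group(1)].retries += 1
        elif m := RE_VLAN.search(line):
            last_vlan = int(m.group(1))
        elif m := RE_TIMEOUT.search(line):
            if a := by_mac.pop(m.group(1), None):
                a.outcome = "timeout"
        elif m := RE_ACCEPT.search(line):
            if a := by_mac.pop(m.group(1), None):
                a.outcome = "accept"
                a.vlan = last_vlan
            last_vlan = None
        elif m := RE_BANNED.search(line):
            banned[m.group(1)] = banned.get(m.group(1), 0) + 1
    return attempts, banned


def diagnose(a: AuthAttempt) -> str:
    """Map an outcome to the check the thread arrived at for it."""
    if a.outcome == "timeout":
        return (f"{a.mac} on {a.interface}: no reply from {a.server} after {a.retries} "
                "retransmits; check the shared secret on /radius and /user-manager router, "
                "use the router LAN address rather than 127.0.0.1, and accept UDP 1812/1813 in the input chain")
    if a.outcome == "accept" and a.vlan is None:
        return f"{a.mac}: accepted but no VLAN attribute returned; check the user's group attributes"
    if a.outcome == "accept":
        return (f"{a.mac}: accepted into VLAN {a.vlan}; if DHCP then fails, the VLAN must be "
                "tagged on the bridge and have a VLAN interface with a DHCP server")
    return f"{a.mac}: still pending"


if __name__ == "__main__":
    results, bans = parse_radius_log(SAMPLE_LOG)
    for attempt in results:
        print(diagnose(attempt))
    for mac, n in bans.items():
        print(f"{mac}: {n} association(s) rejected while banned after the RADIUS failure")
```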
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Sun Sep 24, 2023 10:49 pm

When you get no reply from the RADIUS server, usually the secret is wrong between them.
You have no secret configured in the radius server and user-manager, maybe that is mandatory (I do not know, I do have it).
Also I do not use 127.0.0.1 but the IP of the router on the LAN, but that should not be the problem.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Mon Sep 25, 2023 6:19 am

I put some basic password, like 123456, both on the RADIUS service I created and in the User Manager settings.

I tried again but got the same results: can't connect to the network. I checked the MAC address I entered multiple times and it's the correct one.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Mon Sep 25, 2023 11:10 am

The problem is not the MAC address, the problem is that the RADIUS server does not answer your query.
So you need to fix that first. Try to use the router LAN address instead of 127.0.0.1.
Make sure the input rules of the firewall don't block RADIUS (UDP ports 1812-1813, 3799).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Mon Sep 25, 2023 4:29 pm

Changed the addresses from 127.0.0.1 to 192.168.88.1 and I added a firewall input rule:
chain=input action=accept protocol=udp dst-port=1812,1813,3799 log=no log-prefix=""
Now when I try to connect to the network I get the same error, but I can see in the filter rules that 6 packets are received by this new rule I created.

EDIT: Now I get to the point where it says obtaining IP address, but it fails to obtain an IP address. The log looks like this:
 11:54:20 radius,debug,packet sending Access-Request with id 14 to 192.168.88.1:1812
 11:54:20 radius,debug,packet     Signature = 0xc8254c5d8bcb3633c4caea374eac9874
 11:54:20 radius,debug,packet     Service-Type = 2
 11:54:20 radius,debug,packet     NAS-Port-Id = "wlan1"
 11:54:20 radius,debug,packet     NAS-Port-Type = 19
 11:54:20 radius,debug,packet     User-Name = "6E:23:D0:58:9D:E5"
 11:54:20 radius,debug,packet     Calling-Station-Id = "6E-23-D0-58-9D-E5"
 11:54:20 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 11:54:20 radius,debug,packet     User-Password = 0x
 11:54:20 radius,debug,packet     NAS-Identifier = "Mikrotik"
 11:54:20 radius,debug,packet     NAS-IP-Address = 192.168.88.1
 11:54:20 radius,debug,packet received Access-Accept with id 14 from 192.168.88.1:1812
 11:54:20 radius,debug,packet     Signature = 0x8f2646f37c17e54e7dea8863aeed27e7
 11:54:20 radius,debug,packet     MT-Wireless-Forward = 1
 11:54:20 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0
 11:54:20 radius,debug,packet     MT-Wireless-VLAN-ID = 10
 11:54:20 radius,debug,packet     Class = 0xf9ac972a6230191e
 11:54:20 radius,debug,packet     Message-Authenticator = 0x5de7e598a5ce30fa10350676807e2d18
 11:54:20 radius,debug received reply for 58:1d
 11:54:20 wireless,debug got RADIUS accept for 6E:23:D0:58:9D:E5 on wlan1
 11:54:20 wireless,info 6E:23:D0:58:9D:E5@wlan1: connected, signal strength -30
 11:54:27 dhcp,warning dhcp1 offering lease 10.10.10.254 for 6E:23:D0:58:9D:E5 without success
 11:54:39 wireless,info 6E:23:D0:58:9D:E5@wlan1: disconnected, received deauth: sending station leaving (3), signal strength -30
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Mon Sep 25, 2023 6:33 pm

So I played a little bit more.

From User groups, where I created the VLAN10 group, in attributes I only left Mikrotik-Wireless-Forward:1 and now my phone connects without a problem.

Don't know what is going on with VLANs: I created VLAN10, I tried to untag the wireless interfaces to VLAN10, but that didn't work. Also in user manager I can't see that anything is connected.

But progress is made. Also the phone reports that there is no security, like the network is open.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Mon Sep 25, 2023 7:37 pm

Of course you need to configure it so that the VLANs actually work. I did not check that in the config, but you would need a DHCP server on each VLAN etc.
I still do have a (common) WPA2-PSK password on the SSID, that makes it "secure". Without a password it will indicate insecure. And of course it is: anyone that spoofs the MAC can connect then.
It is not a replacement for DPSK etc., you cannot assign a PSK in the user manager entry.
(With the wireless access-list that is possible, but then you have to keep the same config on every AP manually instead of in one place.)
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Mon Sep 25, 2023 8:12 pm

I do have VLAN10 configured and working, but in this case, how should it be configured?

Usually I assign a PVID to the port or wireless interface and I untag that port or interface, but here user manager is doing that?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Mon Sep 25, 2023 9:08 pm

This is what I get now:
 20:00:18 wireless,debug wlan1: 00:C3:0A:B7:ED:1C attempts to associate
 20:00:18 wireless,debug wlan1: 00:C3:0A:B7:ED:1C not in local ACL, query RADIUS
 20:00:18 wireless,debug send RADIUS request for 00:C3:0A:B7:ED:1C on wlan1
 20:00:18 radius,debug new request 58:23 code=Access-Request service=wireless called-id=2C-C8-1B-7E-51-79:Mikrotik
 20:00:18 radius,debug sending 58:23 to 192.168.88.1:1812
 20:00:18 radius,debug,packet sending Access-Request with id 10 to 192.168.88.1:1812
 20:00:18 radius,debug,packet     Signature = 0xed17cd662fb1613b10a8836a7daa4d59
 20:00:18 radius,debug,packet     Service-Type = 2
 20:00:18 radius,debug,packet     NAS-Port-Id = "wlan1"
 20:00:18 radius,debug,packet     NAS-Port-Type = 19
 20:00:18 radius,debug,packet     User-Name = "00:C3:0A:B7:ED:1C"
 20:00:18 radius,debug,packet     Calling-Station-Id = "00-C3-0A-B7-ED-1C"
 20:00:18 radius,debug,packet     Called-Station-Id = "2C-C8-1B-7E-51-79:Mikrotik"
 20:00:18 radius,debug,packet     User-Password = 0x
 20:00:18 radius,debug,packet     NAS-Identifier = "Mikrotik"
 20:00:18 radius,debug,packet     NAS-IP-Address = 192.168.88.1
 20:00:18 radius,debug,packet received Access-Accept with id 10 from 192.168.88.1:1812
 20:00:18 radius,debug,packet     Signature = 0x841bb95d90408813130fd22003328c9c
 20:00:18 radius,debug,packet     MT-Wireless-Forward = 1
 20:00:18 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0
 20:00:18 radius,debug,packet     MT-Wireless-VLAN-ID = 10
 20:00:18 radius,debug,packet     Class = 0xd7756f72483d204a
 20:00:18 radius,debug,packet     Message-Authenticator = 0xae5ff7f3d5b477261cf3883ab29296ff
 20:00:18 radius,debug received reply for 58:23
 20:00:18 wireless,debug got RADIUS accept for 00:C3:0A:B7:ED:1C on wlan1
 20:00:18 wireless,info 00:C3:0A:B7:ED:1C@wlan1: connected, signal strength -38
 20:00:25 dhcp,warning dhcp1 offering lease 10.10.10.254 for 00:C3:0A:B7:ED:1C without success
 20:00:36 wireless,info 00:C3:0A:B7:ED:1C@wlan1: disconnected, received deauth: sending station leaving (3), signal strength -38
And this caught my attention when I untag wlan1 for VLAN10:
 20:00:25 dhcp,warning dhcp1 offering lease 10.10.10.254 for 00:C3:0A:B7:ED:1C without success
This is the new config:
# 2023-09-25 20:03:04 by RouterOS 7.12beta7
# software id =
#
# model = RBD53iG-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=2C:C8:1B:7E:51:75 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    radius-mac-authentication=yes supplicant-identity=MikroTik
add name=profile1 radius-mac-authentication=yes supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2437 installation=indoor mode=ap-bridge \
    security-profile=profile1 ssid=Mikrotik wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeCe \
    country=croatia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge security-profile=profile1 ssid=Mikrotik5 \
    wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=VLAN10 name=dhcp1
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user-manager user group
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mik\
    rotik-Wireless-VLANID:10" name=VLAN10 outer-auths=pap
/user-manager user
add group=VLAN10 name=6E:23:D0:58:9D:E5
add group=VLAN10 name=00:C3:0A:B7:ED:1C
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN10 list=LAN
/interface wireless cap
set caps-man-addresses=127.0.0.1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 comment=TEST interface=VLAN10 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether5
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment=RADIUS dst-port=1812,1813,3799 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
/radius
add address=192.168.88.1 service=wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Mikrotik
/system leds
set 0 disabled=yes interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=ether5 leds=led5
set 3 interface=ether4
set 4 interface=ether3 leds=led3
add interface=ether2 leds=led2 type=interface-activity
/system logging
add topics=radius
add topics=wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=192.168.88.1 name=router1
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Tue Sep 26, 2023 6:24 am

So I think I got it: I needed to tag the wireless interfaces for the VLANs, not untag them. Now when I connect I get an IP address from the VLAN I want. I created one more VLAN just for testing and now it's working.

But how safe is this way? No password, just a MAC address?
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Tue Sep 26, 2023 5:10 pm

Yes, you get the VLAN you assign to the user as a tagged VLAN on the bridge, so when you want to do anything with it you need to create a VLAN subinterface on the bridge and configure DHCP on it. And firewall rules.
As I mentioned, I use it with a PSK on the wireless. The only reason I use the user-manager is to assign a VLAN to different types of users (LAN, Guest, IoT, etc).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Tue Sep 26, 2023 7:17 pm

This is working great, I must say. I added WPA/WPA2 PSK with a password and devices connect without a problem. A workaround for PPSK.

Is this firewall rule good for my application? Without it, it won't work. I put it in the input chain before the drop rules.
chain=input action=accept protocol=udp dst-port=1812,1813,3799 log=no 
      log-prefix=""
I sent a support ticket asking them to explain how to do it, if possible, with CAPsMAN and wifiwave2.

One more question: is there a possibility for guests to be added automatically? So I don't have to open WinBox and copy the MAC address into User Manager?
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: First time configuring User manager

Tue Sep 26, 2023 8:29 pm

The firewall rule needs an extra parameter in-interface-list=LAN or in-interface-list=!WAN or similar, so that it won't accept RADIUS traffic from internet.

As I mentioned before, it is extremely sad that there is no possibility in user-manager to have a "default user" that determines what to do when a connection is made from an unknown user. The ACL is always checked first, so you cannot put a default rule in there because it would always match and RADIUS would never be used.
You could write a script that scans the log and whenever it sees the log text about a denied user it could pick out the MAC address and add a suitable entry to user manager. Unfortunately that is needlessly complex because there is no "logging rule" that says "send all wireless debug messages to this script". So you need to send them to memory and then schedule a job that scans the memory log buffer (e.g. every minute) and finds the proper messages. That makes it much more work and much more risky.
I already submitted a feature request to add "script" logging rules, and I got the reply that it is being considered.
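As an added illustration that is not part of any post in this thread: the RADIUS accept rule as the topic author posted it, next to the version carrying the extra parameter asked for above, in RouterOS export syntax. It assumes the default interface list names (WAN, LAN) and the defconf input-chain drop rule from the export earlier in the thread.

```routeros
/ip firewall filter
# As posted: matches UDP 1812/1813/3799 arriving on ANY interface, the WAN
# uplink included, so the local User Manager is reachable from the internet.
#   add action=accept chain=input comment=RADIUS dst-port=1812,1813,3799 protocol=udp

# Hardened: same ports, but only for packets that did not come in on WAN.
# Assumption: !WAN (rather than LAN) is needed because the router's own
# request to 192.168.88.1 arrives on the loopback, which is not in the LAN
# list; that matches the behaviour reported in this thread.
# place-before keeps the rule above the defconf "drop all not coming from LAN"
# rule so the order does not depend on when you typed it in.
add action=accept chain=input \
    comment="RADIUS/CoA: local User Manager, never from WAN" \
    dst-port=1812,1813,3799 in-interface-list=!WAN protocol=udp \
    place-before=[find chain=input action=drop \
        comment~"drop all not coming from LAN"]

# Verify the result: the accept rule must be listed above the input drops.
/ip firewall filter print where chain=input
```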
 
gigabyte091
Forum Guru
Topic Author
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: First time configuring User manager

Tue Sep 26, 2023 8:44 pm

The firewall rule needs an extra parameter in-interface-list=LAN or in-interface-list=!WAN or similar, so that it won't accept RADIUS traffic from internet.
I was thinking about that when I created this rule and I tried with in-interface-list set to LAN, but it won't work in that case; the device can't connect... I even tried to add wlan1 and wlan2 to the LAN list, but nothing... So I simply removed this and it worked... I didn't remember that I can put !WAN; I tried that now and it's working.

Regarding the guest network, I will not go that way then; that would be overkill for my needs.

Now I just need a response from support on whether it is possible to do this with wifiwave2 and CAPsMAN... Because my main network is all wifiwave2... And I can't find MAC authentication in there..

EDIT: Is it possible that this is it?

AAA.jpg
