access-list + radius not working.

We have multiple APs at work with the same SSID.

Device MAC auth is controlled by a daloradius server, which is working fine.

I want to use access-list to remove wireless devices with weak signal.

The issue is that when I set up the access-list, the router ignores the RADIUS server and any device with the password can connect.

My question is: how can I use the access-list together with the RADIUS server?

I want to be able to remove devices with a weak signal but still want them to use RADIUS for MAC auth.

Thank you

Can you post your ACL configuration?

/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no

That’s … not a lot.

Is your ACL set to reject the clients with signal in the range -85..-120?

I created one (using wifi, not wireless) - here is what it looks like.

/interface wifi access-list
add action=reject disabled=no signal-range=-85..120

The second “add”, is it an ACL?

Yes, if it falls below that threshold then the device will be disconnected after 10 seconds.
The issue I'm facing is that RADIUS does not have control when the rules are enabled. In the logs it will show RADIUS rejected the device, but then the ACL will allow the same device.

My settings are a bit different, your range is incorrect:

/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-90..0
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..-91

Anything above -90 is accepted, anything below is rejected.
Your current range is from -80 to 120, which is the range you would probably like to accept.

Can you modify your ACL to the following?

This means that the clients with signal -65..0 are accepted but when the signal dips under -65, they are disconnected.

/interface wireless access-list
add signal-range=-65..0
add authentication=no forwarding=no signal-range=-120..-66

The way your ACL was written meant: “if a client has a signal in the range -85..120, okay, otherwise disconnect”

I am reading the page on interface/wireless, specifically the section on RADIUS MAC authentication.

RADIUS MAC authentication
Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.

When radius-mac-authentication=yes, access point queries RADIUS server by sending Access-Request with the following attributes:

User-Name - Client MAC address. This is encoded as specified by the radius-mac-format setting. Default encoding is “XX:XX:XX:XX:XX:XX”.
Nas-Port-Id - name of wireless interface.
User-Password - When radius-mac-mode=as-username-and-password this is set to the same value as User-Name. Otherwise this attribute is empty.
Calling-Station-Id - Client MAC address, encoded as “XX-XX-XX-XX-XX-XX”.
Called-Station-Id - MAC address and SSID of the access point, encoded as “XX-XX-XX-XX-XX-XX:SSID” (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
Acct-Session-Id - Added when radius-mac-accounting=yes.

If I understand that correctly - unfortunately I no longer have an old-style wifi device to test - whatever is not matched by the ACL goes to MAC auth: so if accepted → no MAC auth, if rejected → no MAC auth.

Provided you have radius-mac-authentication=yes set, something like this should then be used:

/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-66

That will drop whatever is out of signal and the rest will have to go through radius.
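To make the fall-through rule from the quoted documentation concrete, here is an added Python model (not from the thread or from RouterOS) that parses the two access-lists posted above and reports whether a client at a given signal is decided by the ACL or handed to RADIUS MAC authentication. The first-match evaluation and the RouterOS defaults it fills in (authentication=yes, forwarding=yes, signal-range=-120..120) are assumptions of the model.

```python
import re

# Constructed from the thread: the original list (every client from -85 dBm
# up matches the first rule, which accepts by default, so RADIUS is never
# consulted) and the corrected list (only weak clients are matched; the rest
# fall through to RADIUS MAC authentication).
ORIGINAL_ACL = """/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no
"""
CORRECTED_ACL = """/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-66
"""


def parse_access_list(text):
    """Parse the 'add key=value ...' lines of a wireless access-list export.
    Unset properties take the assumed RouterOS defaults: authentication=yes,
    forwarding=yes, signal-range=-120..120. Only 'lo..hi' ranges are parsed."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("add "):
            continue
        rule = {"authentication": "yes", "forwarding": "yes",
                "signal-range": (-120, 120)}
        for key, value in re.findall(r"([^\s=]+)=(\S+)", line[4:]):
            if key == "signal-range":
                m = re.fullmatch(r"(-?\d+)\.\.(-?\d+)", value)
                if m is None:
                    raise ValueError(f"unsupported signal-range form: {value}")
                rule[key] = (int(m.group(1)), int(m.group(2)))
            else:
                rule[key] = value
        rules.append(rule)
    return rules


def decide(rules, signal_dbm):
    """Model the AP's decision for a client at signal_dbm (assumed first-match):
    a matching rule decides ('acl', 'accept'|'reject'); a client no rule
    matches is handed to RADIUS MAC authentication ('radius', None)."""
    for rule in rules:
        lo, hi = rule["signal-range"]
        if lo <= signal_dbm <= hi:
            verdict = "accept" if rule["authentication"] == "yes" else "reject"
            return ("acl", verdict)
    return ("radius", None)


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        rules = parse_access_list(text)
        for dbm in (-60, -100):
            print(name, dbm, decide(rules, dbm))
```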

Could you share the relevant capsman and caps configs that make this work? I am trying to achieve the same, but so far I only got auth and vlan assignment working with EAP, but not for mac auth.

I'm not using capsman but have set up the access list on each router.

Thank you. It seems to be working after trying your suggestion.

I decided to try this configuration again.

I think I might have found why it was not working.

/interface wireless access-list
add signal-range=-75..120
add authentication=no forwarding=no signal-range=-120..-76

should be

/interface wireless access-list
add signal-range=-75
add authentication=no forwarding=no signal-range=-120..-76

After making this change, devices stay disconnected when the RADIUS server rejects them or when the RADIUS server is down.