Authenticating vlan-id with Radius/DHCP

Hello,

I would like to provide RADIUS authentication for DHCP, based on the VLAN/interface that the request was received on. How can I get the MikroTik to send the vlan-id with the DHCP request, i.e. in the RADIUS Access-Request packet?

I should clarify this to say that the incoming trunk is terminated directly on to the MikroTik. If I have a Cisco switch inserted before the MikroTik everything is OK. Problem is this is not the topology we have.

So basically we need the MikroTik to optionally insert DHCP option 82 on incoming DHCP requests.

Appreciate your thoughts.

‘Called-Station-Id’ contains DHCP Server name - isn’t that enough?

No. This would be the same for each user, whereas I want to base my authentication on the vlan-id of the user. Basing the authentication on the vlan-id also means that a customer can change their MAC without having to talk to us.

but you’re creating DHCP Server per interface, so each VLAN will have its own DHCP Server name, won’t it?..

No, I’ve added all the vlans into a bridge, and set a horizon on each vlan so they cannot “talk” to each other.

hmmm, I don’t think that DHCP Server can know about VLANs in that case - it’s working on the bridge, so it doesn’t have information about underlying layer

The DHCP server knows about the VLANs from the Option 82 data.

But Option 82 is being added by DHCP relays - there are no packet changes inside the bridge, and there isn't any info about bridged ports for the application receiving packets on the bridge. So the solution is simple - just do not bridge :)
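An added illustration, not part of any post in this thread: a Python sketch of how a DHCP or RADIUS back end reads the relay-inserted option 82 sub-options defined in RFC 3046, and what it sees when no relay tagged the request. The sample option bytes and the `vlan10` circuit-id are constructed; real circuit-id encodings are vendor-specific.

```python
# Added example: parse DHCP option 82 (Relay Agent Information, RFC 3046).
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}  # sub-option codes from RFC 3046


def read_tlv(buf, i):
    """Return (code, value, next_index) for the code/length/value item at buf[i]."""
    if i + 2 > len(buf):
        raise ValueError("truncated option header")
    code, length = buf[i], buf[i + 1]
    value = buf[i + 2:i + 2 + length]
    if len(value) != length:
        raise ValueError("option length runs past end of buffer")
    return code, value, i + 2 + length


def parse_option82(options):
    """Return the option 82 sub-options as a dict, or None if the option is absent.

    `options` is the DHCP options field after the 4-byte magic cookie.
    None means no relay agent tagged the request, so the server has no
    circuit-id (port/VLAN identifier) to key an authorization decision on.
    """
    i = 0
    while i < len(options):
        if options[i] == OPT_PAD:      # pad is a single byte with no length
            i += 1
            continue
        if options[i] == OPT_END:
            break
        code, value, i = read_tlv(options, i)
        if code == OPT_RELAY_AGENT_INFO:
            subopts, j = {}, 0
            while j < len(value):
                sub, data, j = read_tlv(value, j)
                subopts[SUBOPT_NAMES.get(sub, sub)] = data
            return subopts
    return None


# Constructed sample: DHCPDISCOVER (option 53 = 1) that passed through a relay.
RELAYED = (bytes([53, 1, 1, 82, 16, 1, 6]) + b"vlan10"
           + bytes([2, 6, 0x02, 0, 0, 0, 0, 1]) + bytes([OPT_END]))
# Constructed sample: the same request received directly, with no relay in the path.
DIRECT = bytes([53, 1, 1, OPT_END])

if __name__ == "__main__":
    print(parse_option82(RELAYED))
    print(parse_option82(DIRECT))
```
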

http://www.facebook.com/#!/photo.php?fbid=275923005774116&set=o.184655268266805&type=1&theater