Dot1x and Reject-VLAN-ID

I have a switch I’m doing a POC on; I’m currently doing this with D-Link DGS switches and looking to migrate to MikroTik. We use MAC Authentication and I have a RADIUS server operating that authenticates by MAC and sends the Tunnel VLAN ID to the authenticating client. If the MAC address is NOT in RADIUS, the client needs to be placed in a “guest” VLAN 621.

When a client is in RADIUS and authenticated the client receives their VLAN ID and all is well in the world.

I have this configured and working on D-Link with authentication guest-vlan xxx for each interface. In MikroTik, I have for each Dot1x entry “Reject VLAN ID” set to the “guest” VLAN, but when I connect a non-authenticated device, it puts me in some never-never land. I’m not on the guest VLAN according to Wireshark. DHCP Discover packets go unanswered. When I manually configure the MikroTik interface for the “guest” VLAN and disable dot1x for that interface, I’m on the guest VLAN and all is well.

My config:

# jan/22/2021 22:32:31 by RouterOS 6.48
# software id = Q3MW-361A
#
# model = CRS210-8G-2S+
# serial number = 518A04C27174
/interface bridge
add name=ICUEN protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=ICUEN name=BR549 vlan-id=620
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
add addresses=xxx.xxx.xxx.xxx name=xxxxxxxx
/interface bridge port
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether1
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=622
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether8
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp-sfpplus1
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=ICUEN tagged=ether8,sfp-sfpplus1,sfpplus2 untagged=ether7 \
    vlan-ids=622
add bridge=ICUEN tagged=ICUEN,ether8,sfp-sfpplus1,sfpplus2 vlan-ids=620
add bridge=ICUEN comment="CUSTOMER VLANS" tagged=\
    ether8,sfp-sfpplus1,sfpplus2 untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids="631,632,633,634,635,63\
    6,637,638,639,640,641,642,643,644,645,646,647,648,649,621"
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether1 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether2 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether3 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether4 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether5 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether6 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
/interface list member
add interface=BR549 list=MGMT
/ip address
add address=xxx.xxx.xxx.xxx/22 interface=BR549 network=172.30.0.0
/ip dns
set servers=172.30.0.15,9.9.9.9
/ip route
add distance=1 gateway=172.30.0.1
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/radius
add address=xxx.xxx.xxx.xxx comment="RADIUS" service=dot1x src-address=\
    xxx.xxx.xxx.xxx
.....
Blah blah blah SNMP and SNTP stuff

What happens if you manually configure the interface with a PVID and have 802.1x enabled? The implicit default setting in ROS is PVID=1 for any bridge port (bridge interface included) ...

Deleted, it’s not relevant to this topic.

Try to enable RSTP on bridge with “protocol-mode=rstp”. If you do not want to send BPDUs and ignore any received BPDUs, you can change the bridge port to “edge=yes”.

If the setup still does not work, enable dot1x and radius logging and see if you get more details.

While it’s not in the pasted config snippet, I did set PVID=622 on the interfaces, but to no avail. Only when I removed 802.1x from the interface did I access VLAN 622.

Will do and I’ll report back later today

Jan/25/2021 14:46:28 dot1x,debug s ether1 BLOCK
Jan/25/2021 14:46:31 dot1x,debug s ether1 "" mac-auth start: 70:88:6B:87:63:04
Jan/25/2021 14:46:31 radius,debug new request 82:15c code=Access-Request service=dot1x called-id=4C-5E-0C-9E-B5-14
Jan/25/2021 14:46:31 radius,debug sending 82:15c to [IP of RADIUS]:1812
Jan/25/2021 14:46:31 radius,debug,packet sending Access-Request with id 227 to [IP of RADIUS]:1812
Jan/25/2021 14:46:31 radius,debug,packet     Signature = 0x51b7667559a4ba71450b7fb6340bf64d
Jan/25/2021 14:46:31 radius,debug,packet     NAS-Port-Type = 15
Jan/25/2021 14:46:31 radius,debug,packet     Called-Station-Id = "4C-5E-0C-9E-B5-14"
Jan/25/2021 14:46:31 radius,debug,packet     Calling-Station-Id = "70-88-6B-87-63-04"
Jan/25/2021 14:46:31 radius,debug,packet     Service-Type = 2
Jan/25/2021 14:46:31 radius,debug,packet     Framed-MTU = 1400
Jan/25/2021 14:46:31 radius,debug,packet     User-Password = 0x373038383642383736333034
Jan/25/2021 14:46:31 radius,debug,packet     User-Name = "70886B876304"
Jan/25/2021 14:46:31 radius,debug,packet     Acct-Session-Id = "860000d8"
Jan/25/2021 14:46:31 radius,debug,packet     Unknown-Attribute(type=102) = 0x00
Jan/25/2021 14:46:31 radius,debug,packet     NAS-Identifier = "SWITCH"
Jan/25/2021 14:46:31 radius,debug,packet     NAS-IP-Address = [IP of SWITCH]
Jan/25/2021 14:46:31 radius,debug,packet received Access-Reject with id 227 from [IP of RADIUS]:1812
Jan/25/2021 14:46:31 radius,debug,packet     Signature = 0x0243c646c4d8f2149c62239142a1eb50
Jan/25/2021 14:46:31 radius,debug received reply for 82:15c
Jan/25/2021 14:46:31 dot1x,debug s ether1 "70886B876304" rejected

I set the Bridge STP to RSTP, and set edge=yes on all the ports that are served by dot1x. Still no joy. It appears RADIUS is doing its job, but dot1x is not assigning the Reject VLAN ID to the port.

Here’s the current config:

# jan/25/2021 14:54:49 by RouterOS 6.48
# software id = Q3MW-361A
#
# model = CRS210-8G-2S+
# serial number = 518A04C27174
/interface bridge
add name=ICUEN vlan-filtering=yes
/interface vlan
add interface=ICUEN name=BR549 vlan-id=620
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=621
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=621
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=621
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=621
add bridge=ICUEN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=622
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether8
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp-sfpplus1
add bridge=ICUEN frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfpplus2
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether1 pvid=621
add bridge=ICUEN edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=621
/interface bridge vlan
add bridge=ICUEN tagged=ether8,sfp-sfpplus1,sfpplus2 untagged=ether7 \
    vlan-ids=622
add bridge=ICUEN tagged=ICUEN,ether8,sfp-sfpplus1,sfpplus2 vlan-ids=620
add bridge=ICUEN comment="CUSTOMERS" tagged=\
    ether8,sfp-sfpplus1,sfpplus2 untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids="631,632,633,634,635,63\
    6,637,638,639,640,641,642,643,644,645,646,647,648,649,621"
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether1 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether2 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether3 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether4 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether5 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether6 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reject-vlan-id=621
....IP DEFAULT ROUTE ITEMS REMOVED....
/radius
add address=[IP of RADIUS] comment="ICUEN NPS" service=dot1x src-address=\
    [IP of SWITCH]
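The debug output above is the kind of evidence a defender wants to keep: it shows which MAC was presented on which port, what the switch actually sent to RADIUS, and the verdict. The script below is an added example, not code from the thread or from MikroTik; it parses RouterOS dot1x/radius debug lines of the shape shown above, checks that the User-Name the switch sent is the Calling-Station-Id rendered in the configured radius-mac-format, decodes the logged User-Password, and reports which MACs were rejected per port (the devices that should end up in the reject VLAN). The sample log is constructed from the thread's lines; the treatment of the radius-mac-format template (each X consumes one hex digit, everything else is literal) is an assumption, as is handling any final dot1x verb besides the "rejected" shown on the page.

```python
"""Correlate RouterOS dot1x/radius debug lines into per-port MAC-auth outcomes.

Added example for the forum thread above; not MikroTik code.  Assumes the
log line shapes visible in the thread ("mac-auth start", the indented
"Attribute = value" lines, "received Access-Reject with id N", and the
closing 'ether1 "<user>" rejected' line).
"""
import re
from collections import defaultdict

# radius-mac-format used by the thread's dot1x server entries
MAC_AUTH_FORMAT = "XXXXXXXXXXXX"

# Constructed sample, modelled on the thread's debug output (IPs are placeholders).
SAMPLE_LOG = """\
Jan/25/2021 14:46:28 dot1x,debug s ether1 BLOCK
Jan/25/2021 14:46:31 dot1x,debug s ether1 "" mac-auth start: 70:88:6B:87:63:04
Jan/25/2021 14:46:31 radius,debug new request 82:15c code=Access-Request service=dot1x called-id=4C-5E-0C-9E-B5-14
Jan/25/2021 14:46:31 radius,debug,packet sending Access-Request with id 227 to [IP of RADIUS]:1812
Jan/25/2021 14:46:31 radius,debug,packet     Calling-Station-Id = "70-88-6B-87-63-04"
Jan/25/2021 14:46:31 radius,debug,packet     User-Password = 0x373038383642383736333034
Jan/25/2021 14:46:31 radius,debug,packet     User-Name = "70886B876304"
Jan/25/2021 14:46:31 radius,debug,packet     Unknown-Attribute(type=102) = 0x00
Jan/25/2021 14:46:31 radius,debug,packet received Access-Reject with id 227 from [IP of RADIUS]:1812
Jan/25/2021 14:46:31 dot1x,debug s ether1 "70886B876304" rejected
"""

START_RE = re.compile(r'dot1x,debug s (\S+) "" mac-auth start: ([0-9A-Fa-f:.-]+)$')
ATTR_RE = re.compile(r'radius,debug,packet\s+([\w-]+(?:\(type=\d+\))?) = (.+)$')
REPLY_RE = re.compile(r'radius,debug,packet received (Access-\w+) with id (\d+)')
RESULT_RE = re.compile(r'dot1x,debug s (\S+) "([^"]*)" (\w+)$')


def format_mac(mac, template=MAC_AUTH_FORMAT):
    """Render a MAC in a radius-mac-format style template.

    Assumption (not from the thread): each 'X' consumes one hex digit and
    every other template character is copied literally, so both
    XXXXXXXXXXXX and XX-XX-XX-XX-XX-XX work.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    it = iter(digits)
    return "".join(next(it) if ch == "X" else ch for ch in template)


def decode_password_attr(value):
    """The debug log prints User-Password as 0x-hex of the cleartext; decode it."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("ascii", errors="replace")
    return value.strip('"')


def parse_mac_auth_log(text, template=MAC_AUTH_FORMAT):
    """Return one dict per mac-auth attempt with port, MAC, RADIUS verdict and checks."""
    sessions, current, attrs = [], None, {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            current = {"port": m.group(1), "mac": m.group(2).upper(), "radius": None,
                       "outcome": None, "user_name": None, "password": None}
            attrs = {}
            sessions.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            attrs[m.group(1)] = m.group(2).strip()
            continue
        m = REPLY_RE.search(line)
        if m and current is not None:
            current["radius"] = m.group(1)
            current["user_name"] = attrs.get("User-Name", "").strip('"')
            current["password"] = decode_password_attr(attrs.get("User-Password", ""))
            continue
        m = RESULT_RE.search(line)
        if m and current is not None and m.group(1) == current["port"]:
            current["outcome"] = m.group(3)
    for s in sessions:
        # mac-as-username-and-password: both attributes must equal the formatted MAC
        expected = format_mac(s["mac"], template)
        s["username_matches_mac"] = s["user_name"] == expected
        s["password_matches_username"] = s["password"] == s["user_name"]
    return sessions


def rejected_by_port(sessions):
    """Map port -> MACs that RADIUS rejected (the devices the reject VLAN should receive)."""
    out = defaultdict(list)
    for s in sessions:
        if s["outcome"] == "rejected":
            out[s["port"]].append(s["mac"])
    return dict(out)


if __name__ == "__main__":
    for s in parse_mac_auth_log(SAMPLE_LOG):
        print(s)
    print(rejected_by_port(parse_mac_auth_log(SAMPLE_LOG)))
```

Feed it the output of the dot1x and radius debug logging that was suggested earlier in the thread; a steady stream of rejections on one port is the signal that an unknown device was plugged in there, and a User-Name that does not match the Calling-Station-Id points at a radius-mac-format mismatch between switch and RADIUS server rather than at a missing MAC entry.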

It turns out that “reject-vlan-id” does not correctly apply in the 6.48 version for MAC authentication; it will be fixed in upcoming versions. In the meantime, please try with the previous RouterOS stable version (6.47.8).

I’ll just wait for the next ROS version release and pick this back up at that time. Thanks.

I upgraded to the 6.49 beta and this issue is now resolved. Here’s the working config for future reference:

/interface bridge
add name=BR549 vlan-filtering=yes
/interface vlan
add interface=BR549 name=TESTNET vlan-id=620
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
add addresses=[SNMP SERVER] name=[COMMUNITY]
/interface bridge port
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=621
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=621
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=621
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=621
add bridge=BR549 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=622
add bridge=BR549 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether8
add bridge=BR549 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1
add bridge=BR549 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfpplus2
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=621
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=621
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=BR549 tagged=ether8,sfp-sfpplus1,sfpplus2 untagged=ether7 vlan-ids=622
add bridge=BR549 tagged=BR549,ether8,sfp-sfpplus1,sfpplus2 vlan-ids=620
add bridge=BR549 comment="CUSTOMERS VLANS" tagged=ether8,sfp-sfpplus1,sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids="631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,621"
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether1 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether2 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether3 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether4 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether5 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether6 mac-auth-mode=mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX reject-vlan-id=621
/interface list member
add interface=TESTNET list=MGMT
/ip address
add address=[SWITCH IP] interface=TESTNET network=[TEST NETWORK]
/ip dns
set servers=[DNS SERVERS]
/ip route
add distance=1 gateway=[DEFAULT GATEWAY]
/lcd
set backlight-timeout=never default-screen=informative-slideshow read-only-mode=yes touch-screen=disabled
/radius
add address=[RADIUS IP] comment="RADIUS SERVER" secret=****SECRET**** service=dot1x src-address=[SWITCH IP]
***SNMP STUFF***
/system clock
set time-zone-autodetect=no time-zone-name=UTC
**SYSTEM IDENTITY***
/system ntp client
set enabled=yes server-dns-names=time.nist.gov,us.pool.ntp.org
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
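The working export above only does its job because every dot1x port is both given pvid=621 and listed as an untagged member of a bridge VLAN entry that includes 621, while the trunk ports carry it tagged. That is easy to get wrong when adding ports later, so here is an added example (not from the thread or from MikroTik) that reads a RouterOS export in the format shown on this page and, for each /interface dot1x server entry, reports whether the port is a bridge port, whether its reject-vlan-id appears in a bridge VLAN entry containing that port, and whether its PVID (taken as 1 when absent, as noted earlier in the thread) has a VLAN entry at all. The embedded export is a constructed subset of the working config, with ether2 deliberately left out of VLAN 621 and ether3 not bridged, so the checker has something to find; the rule that a trailing backslash joins the next line without inserting a space is my reading of the export format on this page.

```python
"""Cross-check a RouterOS export: dot1x reject-vlan-id against bridge VLAN membership.

Added example for the forum thread above, not MikroTik code.  Parses the
/export style shown on the page ("/section" headers, "add key=value" lines,
trailing-backslash continuations) and flags dot1x ports whose reject VLAN or
PVID has no matching bridge VLAN membership.
"""
import shlex
from collections import defaultdict

# Constructed subset of the thread's working config; ether2 and ether3 are
# deliberately misconfigured so the checker produces findings.
SAMPLE_EXPORT = """\
/interface bridge
add name=BR549 vlan-filtering=yes
/interface bridge port
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether1 pvid=621
add bridge=BR549 edge=yes frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether2
add bridge=BR549 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether8
/interface bridge vlan
add bridge=BR549 tagged=BR549,ether8 vlan-ids=620
add bridge=BR549 comment="CUSTOMERS VLANS" tagged=ether8 untagged=ether1 vlan-ids="631,632,621"
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether1 mac-auth-mode=mac-as-username-and-password reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether2 mac-auth-mode=mac-as-username-and-password reject-vlan-id=621
add accounting=no auth-types=mac-auth interface=ether3 mac-auth-mode=mac-as-username-and-password reject-vlan-id=621
"""


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for every 'add' line in the export."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if buf:
            # Assumption: the export puts any needed space before the backslash,
            # so a continued line is appended with no separator (quoted values
            # such as vlan-ids="...,63\ / 6,..." rely on this).
            line = buf + line
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # honours comment="CUSTOMERS VLANS"
        if not tokens or tokens[0] != "add":
            continue                        # 'set' lines and elided markers are ignored
        entry = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def expand_vlan_ids(spec):
    """Expand a vlan-ids value such as '10-12,621' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(part))
    return ids


def check_reject_vlans(text):
    """Return {dot1x port: [issue, ...]}; an empty list means the port checks out."""
    cfg = parse_export(text)
    ports = {e["interface"]: e for e in cfg["/interface bridge port"] if "interface" in e}
    members = defaultdict(set)              # VLAN id -> ports listed tagged or untagged
    for e in cfg["/interface bridge vlan"]:
        for vid in expand_vlan_ids(e.get("vlan-ids", "")):
            for key in ("tagged", "untagged"):
                members[vid].update(p for p in e.get(key, "").split(",") if p)
    findings = {}
    for e in cfg["/interface dot1x server"]:
        port, issues = e.get("interface"), []
        port_cfg = ports.get(port)
        if port_cfg is None:
            issues.append("not a bridge port")
        else:
            pvid = int(port_cfg.get("pvid", 1))     # PVID defaults to 1 when not set
            if port not in members.get(pvid, set()):
                issues.append(f"pvid {pvid} has no bridge vlan entry containing {port}")
            reject = e.get("reject-vlan-id")
            if reject is None:
                issues.append("no reject-vlan-id set")
            elif port not in members.get(int(reject), set()):
                issues.append(f"reject-vlan-id {reject} has no bridge vlan entry containing {port}")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in check_reject_vlans(SAMPLE_EXPORT).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run it against the text of `/export` before rolling a change out; a clean result does not prove the RouterOS build applies reject-vlan-id correctly (the thread shows 6.48 did not), but it rules out the bridge VLAN table as the reason a rejected client ends up nowhere.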