Hey,
I'm searching for an option to authenticate clients connecting to a Routerboard or a CRS against a freeradius server with dot1x.
In the end I want to define a list of all MAC addresses that are allowed to access the network on the radius server.
I found the following article on the freeradius wiki and configured my radius accordingly:
https://wiki.freeradius.org/guide/Mac-Auth
Further, I configured the clients.conf for my subnet and secret.
I configured the access-routerboard with the dot1x-radius-option and the server option:
ether2 is the interface where the client is connected
192.168.88.252 is the address of the radius-server
/interface dot1x server
add interface=ether2 interim-update=10s
/radius
add address=192.168.88.252 secret=radiussecret service=dot1x
When the client connects, the status is shown as un-authorized in the dot1x state. The MikroTik sends only one radius request, even when the client reboots.
Is there an issue I'm missing?
Thanks for any advice
Is there an issue I'm missing?
… highly presumable.
1. did you perform a test of your freeradius-server over the network with a tool like radtest ( or similar ) ? ( … it’s the first thing you would do !)
2. stop your freeradius-(service) and start the server from the command-line in debug-mode
/usr/sbin/freeradius -Xx
… your path might differ from ‘/usr/bin’ … under circumstances your binary is compiled as ‘radiusd’
3. retry your authentication-test ( rebooting is in some cases not enough … the state-machine on your supplicant [aka authenticator] needs to detect a "link-change" … cable in/out is the 100%-task for that )
4. if you see “living” on your freeradius command-line … copy-paste it to a file and give it to us as an attachment
… and a config dump with /export hide-sensitive ( → attachment)
Hey floaty, thanks for the quick reply.
It works, don't ask me why; since rebooting the testing setup the authentication works fine.
For others with the same problem:
- Freeradius config as shown in the link above
- MikroTik Configuration:
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no comment=Uplink
set [ find default-name=ether2 ] disable-running-check=no comment=Access-PC1
set [ find default-name=ether3 ] disable-running-check=no comment=Access-PC2
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface dot1x server
add auth-types=mac-auth interface=ether2 interim-update=1m
add auth-types=mac-auth interface=ether3 interim-update=1m
/radius
add address=192.168.88.252 secret=radiussecret service=dot1x src-address=192.168.88.251
/system logging
add topics=radius
Hope this helps anybody.
@floaty: Thanks for the help
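
The allow-list check the first post asks for, as an added example that is not part of the thread and not FreeRADIUS or MikroTik code: a MAC written one way in the list and sent in another notation by the switch only matches once both are normalised, and malformed values are rejected rather than guessed at. The canonical form, the list layout, the function names and the sample addresses are assumptions made for this sketch.

```python
import re

# Canonical form used by this example (an assumption): upper-case hex pairs joined by "-".
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")
_SEPARATED = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
_DOTTED = re.compile(r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}")


def canonical_mac(value):
    """Return the MAC as 'AA-BB-CC-DD-EE-FF', or None if value is not a MAC."""
    value = value.strip()
    if not (_HEX12.fullmatch(value) or _SEPARATED.fullmatch(value)
            or _DOTTED.fullmatch(value)):
        return None  # mixed separators, wrong length, non-hex: refuse to guess
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_allow_list(text):
    """Parse one MAC per line; '#' starts a comment. Bad entries raise ValueError."""
    allowed = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = canonical_mac(entry)
        if mac is None:
            raise ValueError(f"line {lineno}: not a MAC address: {entry!r}")
        allowed.add(mac)
    return allowed


def decide(calling_station_id, allowed):
    """Mimic the accept/reject decision for one mac-auth request."""
    mac = canonical_mac(calling_station_id)
    return "Access-Accept" if mac in allowed else "Access-Reject"


# Constructed sample data, not taken from the thread.
ALLOW_LIST = """\
# Access-PC1
00:11:22:aa:bb:cc
0011.22dd.eeff   # Access-PC2
"""

if __name__ == "__main__":
    allowed = load_allow_list(ALLOW_LIST)
    for sent in ("00-11-22-AA-BB-CC", "001122ddeeff", "00:11:22:AA:BB:CD", "00:11:22:aa:bb"):
        print(f"{sent:20} -> {decide(sent, allowed)}")
```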