Hello everyone, I have a crazy question that I’m hoping someone might know the answer to.
My network consists of a number of VLANs for different departments, with firewall rules between them.
However, sometimes I need to get more granular per user, so I send dACLs from the RADIUS server to switchports as well as the VPN system.
I’m almost to the point where I don’t need the VLAN ACL rules between them, if I can get all the ports to handle it (not quite SGT tagging using TrustSec from Cisco, but maybe next best).
One piece would be getting per-user dACLs working on the MikroTik wireless APs. I didn’t post this in the wireless forum because this question would probably span across both wireless EAP as well as dot1X.
What I’m looking for is similar to the Cisco AV-Pair RADIUS attribute that can do things like this:
ip:inacl#10=deny ip any 192.168.13.0 255.255.255.0
ip:inacl#20=permit tcp any any eq 443
So I found a RADIUS attribute called “Mikrotik-Address-List”, but that appears to only have IP addresses and is missing things like the source, protocol, and port information.
Is there a MikroTik RADIUS attribute that allows a dynamic access list to be transmitted?
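Added example (not from the poster or from MikroTik or Cisco): a small Python parser for the Cisco `ip:inacl#<seq>=<ACE>` AV-Pair form quoted above. It orders the entries by sequence number, splits each ACE into action, protocol, source, destination and an optional `eq <port>` clause, and then flags which entries cannot be expressed by an attribute that carries destination addresses only, which is the limitation the post describes for Mikrotik-Address-List. The sample AV-Pairs are constructed from the two lines in the post; the address/mask text is kept verbatim rather than interpreted, and only the `eq` port form is handled, everything else is rejected rather than silently dropped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the two Cisco AV-Pair lines quoted in the post.
# Cisco's dACL form is ip:inacl#<sequence>=<extended ACE>; a RADIUS server may
# pack the entries in any order, so they must be re-sorted by sequence number.
SAMPLE_AVPAIRS = [
    "ip:inacl#20=permit tcp any any eq 443",
    "ip:inacl#10=deny ip any 192.168.13.0 255.255.255.0",
]

AVPAIR_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<ace>.+)$")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp", "udp", ...
    src: str                 # "any", "host <ip>", or "<ip> <mask>" kept verbatim
    dst: str
    port: Optional[str] = None  # destination port from an "eq <port>" clause


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specification starting at tokens[i].

    Cisco ACE syntax allows "any", "host <ip>", or "<ip> <mask>"; the mask is
    returned as written and not interpreted here.
    """
    if i >= len(tokens):
        raise ValueError("ACE ends before an address was given")
    if tokens[i] == "any":
        return "any", i + 1
    if i + 1 >= len(tokens):
        raise ValueError("address specification is incomplete")
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_ace(seq: int, text: str) -> Ace:
    """Parse one extended ACE body such as 'permit tcp any any eq 443'."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {text!r}")
    action, protocol = tokens[0], tokens[1]
    src, i = _take_address(tokens, 2)
    dst, i = _take_address(tokens, i)
    port = None
    if i < len(tokens):
        # Only the "eq <port>" trailer shown in the post is understood;
        # anything else is an error so no match condition is silently lost.
        if tokens[i] != "eq" or i + 2 != len(tokens):
            raise ValueError(f"unsupported trailer in ACE: {text!r}")
        port = tokens[i + 1]
    return Ace(seq, action, protocol, src, dst, port)


def parse_dacl(avpairs: List[str]) -> List[Ace]:
    """Parse a set of ip:inacl# AV-Pairs and return the ACEs ordered by sequence."""
    aces = []
    for raw in avpairs:
        m = AVPAIR_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not an ip:inacl AV-Pair: {raw!r}")
        aces.append(parse_ace(int(m.group("seq")), m.group("ace")))
    return sorted(aces, key=lambda a: a.seq)


def needs_more_than_addresses(aces: List[Ace]) -> List[Ace]:
    """Return the ACEs that an address-only attribute cannot carry.

    Assumption taken from the post: such an attribute holds destination
    addresses only, so any entry with a non-IP protocol, a specific source,
    or a port match would lose part of its meaning.
    """
    return [
        a for a in aces
        if a.protocol != "ip" or a.src != "any" or a.port is not None
    ]


if __name__ == "__main__":
    parsed = parse_dacl(SAMPLE_AVPAIRS)
    for ace in parsed:
        print(ace)
    print("entries needing protocol/source/port:",
          [a.seq for a in needs_more_than_addresses(parsed)])
```

Run stand-alone it prints the two ACEs in sequence order (10 before 20) and reports that only entry 20 (the tcp/443 permit) needs more than a destination address list; entry 10, a deny towards one subnet from any source, is the kind of rule an address-only attribute could still represent.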