eduroam: VLAN assignment based on RADIUS 802.1x reply

Hi,

We’ve been running eduroam on Mikrotik - so far we’ve been using the same network for both users from our institution and for guests.

Now, I’d like to assign the VLAN to the user based on their realm. Guests from other institutions get different VLAN from locals.

I have found the trick for FreeRADIUS server, any chance to do anything with the RouterOS?


Thank you in advance.

I think this is not possible with RouterOS at the moment. But I also would like to have such a feature.

:frowning: SHTF situation.

If anyone here is fluent in MetaROUTER - do you think it might be the light at the end of the tunnel?

Basically the problem is that wireless clients do not create an interface on MT (except for WDS) so you can’t put them in a VLAN.

The workaround would be to use a Virtual AP and create two WLANs for eduroam guests and local users and bridge them to different VLANs.
Then you would have to configure freeradius to filter out the guests from the internal WLAN.

Hi Alice!

I can’t seem to send PM, so I’m asking you here…

I want to attach my Mikrotik router to eduroam network but can’t manage to do it: http://forum.mikrotik.com/t/eduroam-with-mikrotik-aps/76111/1

Could you send me your working mikrotik config so I could test it?

Thanks, Matej

Let me refresh my question:

Can CAPsMAN help me in assigning different VLANs to individual clients using the same SSID and AAA’ed by a RADIUS server?
vlan-mode and vlan-id look promising, but the description is very brief and maybe I hope too much.

Check out the access list within CAPsMAN. Based on MAC or MAC filter you can assign different VLANs. This is not exactly what you are looking for but maybe there is something that can be done based on RADIUS reply. Just thinking…

That’s my point - I’m not exactly sure what I can do with the access list… and maybe if I did some overcomplicated packet mangling… no, I don’t have a clue yet.
Thanks for the reaction anyway.

CAPsMAN can’t do 802.1x. Mikrotik can’t do eduroam at the moment. Use Ubiquiti or OpenWrt. Or pretty much any other vendor.

Maybe this is some misunderstanding, but I’d like to stress for a random reader of this topic that a standalone Mikrotik can do eduroam. I’ve been running ~100 units.
While I haven’t tried it with CAPsMAN yet, I have a good reason to believe it can work too.
I am only wondering whether I can do the VLAN assignment for each client based on RADIUS response.

CAPsMAN doesn’t support 802.1x and CAPsMAN is the only one that supports RADIUS VLAN assignment.

We just rolled out eduroam. Dynamic vlan assignment is a requirement for us. We are trying to go single ssid.

Excuse me, I haven’t tried it yet (still playing with the L3 provisioning), but wouldn’t eduroam setting be done with CAPsMAN by setting security.authentication-types=wpa2-eap and security.eap-methods=passthrough ? Could you please explain the problem with eduroam more?

I’m TELLING you that CAPsMAN DOES NOT work with 802.1x.. I tried it at home. It only works with MAC based..

Once more. CAPsMAN DOES NOT work with 802.1x. AT ALL.

EDIT: The security options exist, but they just don’t work. I’m sure they will in the future, but at the moment, they don’t.

For me Radius Auth. (WPA-EAP / eap-methods=passthrough) to a Windows Radius Server checking Windows Domain Group memberships of users / computers is working with CAPsMAN.

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn’t specified.

Any chance for quick implementation or some kind of workaround (some packet mangling)? This is strategic for our long-term strategy.

AHHH.. OK.. That would explain why it didn’t work for me when all I did was change from MAC to EAP… When do we expect that to work?

+1

For what purposes would you use that vlan-id if we would try to add that to the EAP RADIUS response?

eduroam users must log in at institutional WiFi with a login name in the form loginname@realm with PEAP.

After successful verification of their identity through a planet-wide RADIUS hierarchy:

  • if they study at this university (i.e. they have the proper realm), they are assigned a vlan with full access to the university network.
  • if they are from any other institution participating in eduroam (any other realm), they are assigned a vlan with guest level access.

The trick for FreeRADIUS is described, for example, here.

(Feasibility of this scenario has become a pretext for my manager to think seriously about replacing the current Mikrotik infrastructure with now-damned-cheap HP, and maybe also some other bad side-effect consequences.)
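As an added illustration of the realm-based decision described above (not code from the thread or from any RADIUS server), the following shows what the server side has to compute: take the realm of loginname@realm, decide home vs. guest, and return the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that an access point reads for dynamic VLAN assignment. The realm names and VLAN IDs are constructed placeholders, and the user name is assumed to be the identity that was actually authenticated (for PEAP the inner identity, not the client-chosen outer one).

```python
# Added example: realm-based VLAN selection for an eduroam-style RADIUS reply.
# Realm names and VLAN IDs below are constructed placeholders.
from typing import Optional

HOME_REALMS = {"uni.example"}   # constructed: our institution's realm(s)
VLAN_LOCAL = "10"               # constructed: VLAN with full university access
VLAN_GUEST = "20"               # constructed: VLAN with guest-level access

# RFC 2868 / RFC 3580 attribute values used for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type = IEEE-802


def realm_of(user_name: str) -> Optional[str]:
    """Return the realm of loginname@realm (lower-cased), or None if absent.

    rpartition splits on the LAST '@', so a local part containing '@'
    cannot smuggle in a fake realm."""
    local, sep, realm = user_name.rpartition("@")
    if not sep or not local or not realm:
        return None
    return realm.lower()


def is_home_realm(realm: str) -> bool:
    """True for our realm or any sub-realm of it (e.g. staff.uni.example).

    The leading dot matters: uni.example.attacker.example must NOT match."""
    return any(realm == h or realm.endswith("." + h) for h in HOME_REALMS)


def vlan_reply(user_name: str) -> Optional[dict]:
    """Attributes to add to the Access-Accept, or None to refuse the user.

    A user name without a realm is not a valid eduroam identity; it is
    refused rather than silently placed in the guest VLAN."""
    realm = realm_of(user_name)
    if realm is None:
        return None
    vlan = VLAN_LOCAL if is_home_realm(realm) else VLAN_GUEST
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    }
```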