I’m trying to assign users to different VLANs on a wireless interface based on RADIUS authentication. Basic RADIUS authentication works as expected, but the MikroTik-specific attributes don’t seem to be assigned properly. This is my server-side config of FreeRADIUS (mikrotik.dictionary is taken from here: https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary):
/etc/raddb/dictionary:
...
$INCLUDE mikrotik.dictionary
...
/etc/raddb/clients.conf:
client rb {
ipaddr = 192.168.10.2
secret = ***
nastype = mikrotik
}
/etc/raddb/users:
lapsio-phone Cleartext-Password := "***"
        # reply items, using the attribute names as defined in mikrotik.dictionary
        Mikrotik-Wireless-VLANID := 481,
        Mikrotik-Wireless-VLANIDtype := 0,
        Mikrotik-Wireless-Comment := 17
I thought it was a FreeRADIUS misconfiguration, but when I enabled RADIUS logs on the MikroTik I could see the following logs:
17:17:44 radius,debug new request 58:44b code=Access-Request service=wireless called-id=4E-5E-0C-65-35-31:Suse-alt
17:17:44 radius,debug sending 58:44b to 192.168.10.9:1812
17:17:44 radius,debug,packet sending Access-Request with id 210 to 192.168.10.9:1812
17:17:44 radius,debug,packet Signature = 0xe7391c6b21abd9cbda8cea58c2da4e28
17:17:44 radius,debug,packet Service-Type = 2
17:17:44 radius,debug,packet Framed-MTU = 1400
17:17:44 radius,debug,packet User-Name = "lapsio-phone"
17:17:44 radius,debug,packet NAS-Port-Id = "wlan4-alt"
17:17:44 radius,debug,packet NAS-Port-Type = 19
17:17:44 radius,debug,packet Acct-Session-Id = "82100032"
17:17:44 radius,debug,packet Acct-Multi-Session-Id = "4E-5E-0C-65-35-31-2C-4D-54-35-BC-2D-82-10-00-00-00-00-00-32"
17:17:44 radius,debug,packet Calling-Station-Id = "2C-4D-54-35-BC-2D"
17:17:44 radius,debug,packet Called-Station-Id = "4E-5E-0C-65-35-31:Suse-alt"
17:17:44 radius,debug,packet EAP-Message = 0x02000011016c617073696f2d70686f6e
17:17:44 radius,debug,packet 65
17:17:44 radius,debug,packet Message-Authenticator = 0x16ff17ac4c8cfaa8e0bf2dce9c8c082a
17:17:44 radius,debug,packet NAS-Identifier = "RB2011SWAG"
17:17:44 radius,debug,packet NAS-IP-Address = 192.168.10.2
17:17:44 radius,debug,packet received Access-Challenge with id 210 from 192.168.10.9:1812
17:17:44 radius,debug,packet Signature = 0x512c81239f2e000504a29a083cae2d93
17:17:44 radius,debug,packet EAP-Message = 0x01010016041075db65cb914f9ea9aeed
17:17:44 radius,debug,packet b454b790bc1e
17:17:44 radius,debug,packet Message-Authenticator = 0x987408929484851b6991395f3ffea998
17:17:44 radius,debug,packet State = 0x5560b0245561b49260cad83a72523c75
17:17:44 radius,debug received reply for 58:44b
17:17:44 radius,debug new request 58:44c code=Access-Request service=wireless called-id=4E-5E-0C-65-35-31:Suse-alt
17:17:44 radius,debug sending 58:44c to 192.168.10.9:1812
17:17:44 radius,debug,packet sending Access-Request with id 211 to 192.168.10.9:1812
17:17:44 radius,debug,packet Signature = 0x2966589320c22b2eae92d380b52fcb2f
17:17:44 radius,debug,packet Service-Type = 2
17:17:44 radius,debug,packet Framed-MTU = 1400
17:17:44 radius,debug,packet User-Name = "lapsio-phone"
17:17:44 radius,debug,packet State = 0x5560b0245561b49260cad83a72523c75
17:17:44 radius,debug,packet NAS-Port-Id = "wlan4-alt"
17:17:44 radius,debug,packet NAS-Port-Type = 19
17:17:44 radius,debug,packet Acct-Session-Id = "82100032"
17:17:44 radius,debug,packet Acct-Multi-Session-Id = "4E-5E-0C-65-35-31-2C-4D-54-35-BC-2D-82-10-00-00-00-00-00-32"
17:17:44 radius,debug,packet Calling-Station-Id = "2C-4D-54-35-BC-2D"
17:17:44 radius,debug,packet Called-Station-Id = "4E-5E-0C-65-35-31:Suse-alt"
17:17:44 radius,debug,packet EAP-Message = 0x020100060319
17:17:44 radius,debug,packet Message-Authenticator = 0x1a7cbc7184af745e3c83a3b02e9b99cd
17:17:44 radius,debug,packet NAS-Identifier = "RB2011SWAG"
17:17:44 radius,debug,packet NAS-IP-Address = 192.168.10.2
17:17:44 radius,debug,packet received Access-Challenge with id 211 from 192.168.10.9:1812
17:17:44 radius,debug,packet Signature = 0xf2181013d252c2f8ad496a7c33edd3c1
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID = 481
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
17:17:44 radius,debug,packet MT-Wireless-Comment = "17"
17:17:44 radius,debug,packet EAP-Message = 0x010200061920
17:17:44 radius,debug,packet Message-Authenticator = 0xb454787b48ca34d60e38cfed6b8ad770
17:17:44 radius,debug,packet State = 0x5560b0245462a99260cad83a72523c75
17:17:44 radius,debug received reply for 58:44c
As you can see, the following entries are present in the RADIUS response:
...
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID = 481
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
17:17:44 radius,debug,packet MT-Wireless-Comment = "17"
...
So it seems that RADIUS sends the proper attributes, yet they are still ignored by RouterOS. This is my RouterOS config for wifi:
/interface wireless security-profiles
add authentication-types=wpa2-eap group-key-update=1m mode=dynamic-keys name=paranoid radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity=Uncertain
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled compression=yes default-authentication=no default-forwarding=no disabled=no frequency=2427 hide-ssid=yes l2mtu=2290 mode=ap-bridge mtu=2000 name=wlan-root preamble-mode=long rx-chains=0 security-profile=secure ssid=- tx-chains=1 tx-power=30 tx-power-mode=all-rates-fixed wps-mode=disabled
add default-forwarding=no disabled=no hide-ssid=yes l2mtu=2290 mac-address=4E:5E:0C:65:35:31 master-interface=wlan-root mtu=2000 name=wlan4-alt security-profile=paranoid ssid=Suse-alt vlan-id=480 vlan-mode=use-tag wps-mode=disabled
/interface wireless access-list
add disabled=yes interface=wlan4-alt mac-address=2C:4D:54:35:BC:2D vlan-id=482 vlan-mode=use-tag
/radius
add address=192.168.10.9 service=wireless src-address=192.168.10.2 timeout=3s
I added an entry in the access-list to see whether VLAN tagging works at all, and it apparently does when VLAN-ID is specified on the access-list. Unfortunately, when I disable the access-list entry it doesn’t work anymore, so RouterOS ignores the RADIUS response directives. (By “doesn’t work” I mean that lapsio-phone is assigned to VLAN 480 and doesn’t have any comment in the registration-table.)
RouterOS: 6.42.6
Board: RB2011UiAS-2HnD
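As an added diagnostic (not part of the original post), a small Python parser for the RouterOS radius,debug,packet log format shown above: it groups attribute lines under their packet header, joins the wrapped EAP-Message hex, and reports which server reply code carried the MT-Wireless-* attributes. The sample log is constructed from the post's lines plus a made-up final Access-Accept (id 212), since the Accept is not shown in the post; a NAS applies per-session authorization attributes from the Access-Accept, so the check worth running on the full log is whether the VLAN attributes appear there and not only on the mid-EAP Access-Challenge.

```python
import re

# Constructed sample in the shape of this page's RouterOS "radius,debug,packet"
# log: the wrapped EAP-Message from request 210, the Access-Challenge (id 211)
# carrying MT-Wireless-*, and a made-up final Access-Accept (id 212) without them.
SAMPLE_LOG = """\
17:17:44 radius,debug,packet sending Access-Request with id 210 to 192.168.10.9:1812
17:17:44 radius,debug,packet EAP-Message = 0x02000011016c617073696f2d70686f6e
17:17:44 radius,debug,packet 65
17:17:44 radius,debug,packet received Access-Challenge with id 211 from 192.168.10.9:1812
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID = 481
17:17:44 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
17:17:44 radius,debug,packet MT-Wireless-Comment = "17"
17:17:44 radius,debug,packet received Access-Accept with id 212 from 192.168.10.9:1812
17:17:44 radius,debug,packet EAP-Message = 0x03020004
"""

PKT_RE = re.compile(r"radius,debug,packet (sending|received) (\S+) with id (\d+)")
ATTR_RE = re.compile(r"radius,debug,packet (\S+) = (.*)$")

def parse_packets(log_text):
    """Group attribute lines under the preceding packet header. A packet line with
    no " = " is a wrapped continuation (RouterOS wraps long EAP-Message hex)."""
    packets, last_attr = [], None
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append({"dir": m.group(1), "code": m.group(2), "id": int(m.group(3)), "attrs": {}})
            last_attr = None
            continue
        a = ATTR_RE.search(line)
        if a and packets:
            last_attr = a.group(1)
            packets[-1]["attrs"][last_attr] = a.group(2).strip()
        elif last_attr and "radius,debug,packet" in line:
            packets[-1]["attrs"][last_attr] += line.split("radius,debug,packet", 1)[1].strip()
    return packets

def vlan_attrs_by_reply_code(packets, prefix="MT-Wireless-"):
    """Map each reply code received from the server to the MT-Wireless-* attributes it carried."""
    seen = {}
    for p in packets:
        if p["dir"] == "received":
            seen.setdefault(p["code"], {}).update(
                {k: v for k, v in p["attrs"].items() if k.startswith(prefix)})
    return seen

def vlan_in_accept(packets):
    """True only if an Access-Accept itself carried MT-Wireless-VLAN-ID (a mid-EAP Challenge does not count)."""
    return "MT-Wireless-VLAN-ID" in vlan_attrs_by_reply_code(packets).get("Access-Accept", {})
```

Run it over a full log captured with RADIUS debug logging enabled instead of SAMPLE_LOG; if the attributes show up only under Access-Challenge, the server side is where to look first.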