Does anyone here use Hotspot mode with clients connecting through wifi bridges, with the wifi bridge's MAC as the authenticating MAC, and all computers behind it getting DHCP IPs?
If I don't use Hotspot mode, the MAC address that shows up in the ARP table is that of the CB3 bridge. If I switch to Hotspot mode, the MAC address of the client NIC is shown in the ARP table.
I believe the answer is in the ARP mode.
I am using a hotspot bridge with reply-only ARP; wlan4 is in the bridge group and is left at the default ARP value, enabled.
name="Hotspot" mtu=1500 arp=reply-only mac-address=00:02:6F:20:B2:E6
forward-protocols=ip,arp,appletalk,ipx,ipv6,other stp=no priority=32768 ageing-time=5m
forward-delay=15s garbage-collection-interval=5s hello-time=2s max-message-age=20s

name="wlan4" mtu=1500 mac-address=00:02:6F:20:B2:E6 arp=enabled disable-running-check=no
interface-type=Atheros AR5212 radio-name="00026F20B2E6" mode=ap-bridge ssid="SNC4"
frequency=2412 band=2.4ghz-b scan-list=default-ism rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=1Mbps
basic-rates-a/g=6Mbps max-station-count=2007 ack-timeout=dynamic tx-power=default
noise-floor-threshold=default periodic-calibration=default burst-time=disabled fast-frames=no
dfs-mode=none antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes default-forwarding=no hide-ssid=no
802.1x-mode=none disconnect-timeout=3s on-fail-retry-time=100ms
You have to authenticate the MAC of the PC/router behind the bridge and not the bridge itself.
Why would you want to authenticate the bridge? A hotspot's traffic is somewhat insecure by nature, and the idea of a hotspot is to let users easily log in to an AP that doesn't already know who the client is. The idea of using MAC authentication with a hotspot is to let known users connect to the hotspot without having to log in every time. When the CB3 is acting as a bridge, and not a client, it cannot directly terminate the hotspot client interface, so where is the security risk of not MAC authenticating the bridge? Only devices that can act as clients will MAC authenticate, as any other way would seem without purpose…
Exactly why are you wanting to do this?
Hitek
The reason is this.
I currently use MikroTik for fixed wireless, but I am trying to get bandwidth limits with ease of configuration, i.e. RADIUS.
So if I set up users as PPPoE, the users have to have a PPPoE client.
If I use Hotspot I can set a b/w limit and not have any software on the client's machine.
If I just use RADIUS security on the wireless interface I get no b/w settings.
So the logical choice is hotspot. But I don't want to have to deal with every device each client owns. I want the service to be like other broadband services, where you buy a service and stick as many clients as you want behind your bridge, just like DSL or cable.
So the question remains… If you plan to authenticate and rate-limit using hotspot authentication, then why do you need to MAC authenticate in the first place? At what point are you wanting the hotspot connection to terminate, the bridge or the client's computer? If you want the hotspot connection to terminate at the client's computer, and therefore bandwidth limit each machine, then you will have to deal with each computer and each computer's MAC address. If you just want to terminate the connection at the bridge location, thereby limiting its total bandwidth alone, you would want to use another mode of operation besides hotspot…
OK, I'll bite.. which mode other than hotspot will allow me to accomplish the authentication at the client bridge MAC, and allow RADIUS b/w settings?
With hotspot, the data rate is limited at the terminating device. Since a CB3 or Deliberant bridge cannot terminate a hotspot point of access, the bridge cannot be data rate limited with hotspot. You would be able to do this if you used an MT as a bridge, because you could use an EoIP tunnel over a PPPoE link to bridge the network, and limit the bandwidth of the PPPoE link…
I think I finally understand what you are wanting to do, but this is not the nature of the equipment that you are using… The cable modem authenticates by MAC address and is a bridge, but it gets its data rate values from a special DOCSIS configuration file, and not by action of the MAC authentication. The standard DSL modem uses PPPoE to connect to the point of access, so it can limit the data rate in that fashion. The fact is, there are no provisions for a Senao or Deliberant transparent bridge device to terminate a hotspot and receive PPP data rate settings…
If you just want to authenticate the bridge, did you try using standard AP mode and limiting the data rate of the IP link instead of a PPP link, similar to limiting the data rate of a client using the wireless access list? I think that the “Ascend-Data-Rate” RADIUS attribute might do this for you…
Hitek
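The two Hitek posts above turn on one mechanism: a client bridge that presents a single MAC to the AP makes every host behind it look like one station, so MAC authentication, and any rate limit keyed on the MAC, can only ever apply to the bridge as a whole, while a design in which the AP sees each client's NIC MAC can admit and limit hosts individually. The following is an added illustration of that point in Python; it is not code from this thread and not RouterOS configuration. The bridge behaviour it models (rewriting each client's source MAC to the bridge's own MAC) is an assumption drawn from the poster's ARP-table observation, and the MAC addresses, IPs and byte counts are constructed sample data.

```python
"""Toy model: MAC authentication and per-MAC accounting with and without a
single-MAC client bridge in the path.

Added illustration for the discussion above; not part of the original thread
and not RouterOS code.  The bridge behaviour (source MAC rewritten to the
bridge MAC) is an assumption based on the ARP observation in the thread; all
MACs, IPs and sizes below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    length: int  # payload bytes, used for per-MAC accounting


class SingleMacClientBridge:
    """Assumed CB3-style behaviour: frames leave the bridge carrying the
    bridge's own MAC, so the AP never sees the clients' NIC MACs."""

    def __init__(self, mac: str) -> None:
        self.mac = mac.lower()

    def forward(self, frame: Frame) -> Frame:
        return Frame(self.mac, frame.src_ip, frame.length)


class MacAuthAccessPoint:
    """An AP doing MAC authentication against an allow list (what a RADIUS
    wireless access list does) and accounting bytes per admitted MAC, which
    is the finest granularity at which a per-MAC rate limit could act."""

    def __init__(self, allowed_macs) -> None:
        self.allowed = {m.lower() for m in allowed_macs}
        self.bytes_by_mac: dict[str, int] = {}

    def admit(self, frame: Frame) -> bool:
        mac = frame.src_mac.lower()
        if mac not in self.allowed:
            return False
        self.bytes_by_mac[mac] = self.bytes_by_mac.get(mac, 0) + frame.length
        return True


def run_scenario(frames, allowed_macs, bridge_mac=None):
    """Push the frames through the AP, optionally via a single-MAC bridge.
    Returns (admitted flags in frame order, bytes accounted per MAC)."""
    ap = MacAuthAccessPoint(allowed_macs)
    bridge = SingleMacClientBridge(bridge_mac) if bridge_mac else None
    admitted = []
    for frame in frames:
        on_air = bridge.forward(frame) if bridge else frame
        admitted.append(ap.admit(on_air))
    return admitted, ap.bytes_by_mac


# Constructed sample: two PCs behind one bridge; only PC-A is a known subscriber.
BRIDGE_MAC = "00:02:6f:aa:bb:cc"
PC_A = "00:11:22:33:44:01"
PC_B = "00:11:22:33:44:02"
SAMPLE_FRAMES = [
    Frame(PC_A, "10.0.0.10", 1500),
    Frame(PC_B, "10.0.0.11", 1500),
    Frame(PC_A, "10.0.0.10", 500),
]


def bridge_authenticated():
    """MAC-auth the bridge: every host behind it is admitted, and all traffic
    is accounted to the single bridge MAC (one limit for the whole site)."""
    return run_scenario(SAMPLE_FRAMES, allowed_macs=[BRIDGE_MAC], bridge_mac=BRIDGE_MAC)


def clients_authenticated():
    """Client MACs visible to the AP (the hotspot-mode ARP behaviour the poster
    saw): only PC-A is admitted, and its bytes are accounted on their own."""
    return run_scenario(SAMPLE_FRAMES, allowed_macs=[PC_A])


if __name__ == "__main__":
    print("bridge MAC authenticated :", bridge_authenticated())
    print("client MACs authenticated:", clients_authenticated())
```

Running it shows the trade-off the thread circles around: with the bridge MAC on the allow list, the unknown PC-B rides in on the bridge's authentication and the AP has only one counter to rate-limit, the bridge's; with client MACs visible, PC-B is refused and PC-A gets its own counter, at the cost of having to register every device behind the bridge.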
Now we are getting somewhere.. THANKS! So you are saying I can just use the interface RADIUS security and set speed limits?
That would be grand. Or if there is a way to use that RADIUS to assign an IP pool, like in the hotspot.
I don’t know how your bridge is going to handle broadcasts, so the usability of DHCP would be questionable. I route everything, and never bridge, so someone else might be more help to you…
Hitek
Hi, I hope you understand me, I am from Argentina…
Well, I fixed the same problem by putting static IPs on my clients and static entries for those IPs in the mangle to mark all packets from those IPs with the hs-auth mark-flow, and generating static simple queues for those IPs with the b/w for each client… all works fine… MAC authentication in these cases is impossible…
Regards, and I hope this helps you
Alessio