The source MAC addresses that are set from the RADIUS server in the Mikrotik-Switching-Filter attribute cannot be set dynamically via Dot1x in the switch rule (CRS328). The log error is shown in the attached image. My attribute value is “src-mac-address 6C:2B:59:3A:09:63/FF:FF:FF:FF:FF:FF action allow, src-mac-address 6C:3B:6B:95:A9:9B/FF:FF:FF:FF:FF:FF action allow, action drop”. It does not work. What is happening? Does the switch not yet support setting the MAC address in the switch rule via dot1x?
Thank you for your suggestion. I understand your point.
I also read and followed that link before. I would like to secure the network after the authentication has been successfully done with access accept together with the switch rule. This means devices with an incorrect source MAC address cannot share that switch port. With dot1X, it is possible to do port security automatically, isn’t it? Only the device that gets authenticated can use the switch port. I hope the MikroTik support will take this into account.
Once a port is authenticated, traffic from any source MAC address can pass; it is an architectural defect in the original 802.1X design. Various vendors have additional controls to limit or restrict source MAC addresses.
I’ve not looked to see if the dynamic rules are added before or after any static rules. If they appear before, you could use Mikrotik-Switching-Filter = “action allow” plus a static rule to drop anything from the 802.1X controlled ports (maybe needs something to allow the EAPOL traffic to the CPU port); however, if the dynamic rules appear after any static rules, you are stuck.
The Mikrotik 802.1x implementation is fairly new; you could always suggest a feature request to Mikrotik.