I’m not sure this is the correct place to ask this question, but I’ll try.
I need to set up MAC-auth authorization for all PCs in my office.
I’ve already configured a RADIUS server on a MikroTik CRS switch with dynamic VLAN assignment, and if I connect the PC directly to the switch it works. The switch dynamically changes the Ethernet port’s PVID according to the RADIUS configuration (Tunnel-Private-Group-Id := "xxx").
The problem is when the PCs are connected behind a Yealink phone, on the LAN port of the phone.
It seems that the phone doesn’t do the supplicant process when the PC boots.
I don’t see any query in the RADIUS log when the PC starts.
802.1X was never intended to support multiple devices connected to a single switch port; typically, when the first device connects successfully, the port will be open to any source MAC address unless the switch supports some restriction mechanisms.
Some vendors have added proprietary multiple-device support or other workarounds, such as voice VLAN LLDP in parallel with 802.1X; however, I don’t believe MikroTik does.
If you are using MAC auth rather than full 802.1X, any supplicant on the phone or PC is not relevant.
I did a configuration like that on other brands of switches (ProCurve, Aruba), but instead of 802.1X I used plain “MAC authentication” on the switch, which sends a RADIUS request when a MAC is first seen on a port and puts that MAC address on a specific VLAN using the RADIUS reply. It works both with FreeRADIUS and with MikroTik user-manager, although that is not really usable for this purpose yet.
The “MAC authentication” feature supports a configurable number of clients per port; you can even have a dumb switch with several PCs connected, but of course that will reduce security. Well, security is already reduced because there is no real authentication: it just admits pre-defined MAC addresses, and of course one could set a device to some other device’s MAC address and it would still work.
We use it mostly as a convenience feature, so we do not have to configure the untagged VLAN on each and every switchport; connected stuff automatically gets the correct VLAN. The switch also allows configuring a default VLAN to use when the RADIUS server rejects the authentication request, which we use to have a default guest VLAN for BYOD.
Now of course the question is: do MikroTik switches support that? I think not. So that would have to be a feature request…
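Added example, not part of the thread and not any vendor's code: a Python parser for the RADIUS reply discussed above, useful when checking a packet capture to see which VLAN a MAC-auth reply actually assigns. It reads the RFC 2868 / RFC 3580 tunnel attributes, including the optional tag byte in Tunnel-Private-Group-Id, and returns a fallback VLAN on Access-Reject. The VLAN numbers (20, 999), the sample packets, and the choice to return None when no VLAN is assigned are assumptions made for the example.

```python
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # values from RFC 2868 / RFC 3580
GUEST_VLAN = 999                     # assumed fallback VLAN for rejected MACs

def attributes(packet):
    """Yield (type, value) pairs that follow the 20-byte RADIUS header."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def vlan_for_reply(packet, guest_vlan=GUEST_VLAN):
    """Return the untagged VLAN for the port, or None to keep the static PVID."""
    attrs = dict(attributes(packet))
    if packet[0] == ACCESS_REJECT:
        return guest_vlan
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept or Access-Reject")
    # Tunnel-Type and Tunnel-Medium-Type carry one tag byte plus a 3-byte value.
    if int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big") != TYPE_VLAN:
        return None
    if int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != MEDIUM_IEEE_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:   # optional tag byte precedes the string
        group = group[1:]
    if not group.isdigit():
        raise ValueError("Tunnel-Private-Group-Id is not a numeric VLAN ID")
    return int(group)

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def reply(code, attrs=b""):
    # Constructed sample packet; the authenticator is zeroed and not verified here.
    return bytes([code, 1]) + (20 + len(attrs)).to_bytes(2, "big") + bytes(16) + attrs

# Constructed sample replies (not captured from a real server).
VLAN_ATTRS = attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
ACCEPT_UNTAGGED = reply(ACCESS_ACCEPT, VLAN_ATTRS + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))
ACCEPT_TAGGED = reply(ACCESS_ACCEPT, VLAN_ATTRS + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"))
REJECT = reply(ACCESS_REJECT)
```

The parser does not check the Response Authenticator, which requires the shared secret; a real switch does that before trusting any attribute.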