NAC solutions Mikrotik Switch

Hello, is there a Network Access Control (NAC) solution compatible with MikroTik switches? For the management of RADIUS and MAC-based VLAN mapping. Thanks

Mikrotik has its own solution called User-Manager.


But I don’t think MikroTik switches offer plain MAC to VLAN mapping outside of the more complicated 802.1x protocol.

Most “enterprise” switches from other manufacturers offer “aaa port-access mac-based” or “aaa authentication port-access mac-auth”, where a port simply listens, and when it receives traffic from a MAC address it sends a RADIUS Access-Request with that MAC address as username and password, then receives an Access-Accept from the RADIUS server that includes a VLAN ID, and it puts that VLAN untagged on the port for that MAC address.

I don’t think (correct me if I am wrong) MikroTik switches offer that option. User-manager is MikroTik’s RADIUS server (with very limited support for access-request, it is more oriented towards accounting).

I use User-Manager to reply with the VLAN-ID of my Printer Network when one of my printers is attached to a switchport.

Please show how you have configured those switchports!

Created the Printer VLAN with VLAN-ID 23:

/interface bridge vlan
add bridge=bridgeLocal comment="Printer VLAN" disabled=no mvrp-forbidden="" tagged=bridgeLocal,bond-iccp untagged="" vlan-ids=23

Added the Port to bridgeLocal:

/interface bridge port
add bridge=bridgeLocal interface=ether6

Added the Port to the dot1x config with mac-auth enabled:

/interface dot1x server
add auth-timeout=10s auth-types=dot1x,mac-auth interface=ether6 retrans-timeout=10s

Added the Printer to User-Manager:

/user-manager user
add attributes=Tunnel-Medium-Type:6,Tunnel-Type:13,Tunnel-Private-Group-ID:23 comment="Kyocera Printer" disabled=no group=mac-auth name=00:17:C8:XX:XX:XX shared-users=1

The switch shows the port as authorized and the vlan-id is dynamically assigned to the port:

/interface/dot1x/server/state> print
Columns: INTERFACE, STATUS
INTERFACE STATUS
0 ether6 authorized

/interface/bridge/vlan/print where untagged
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-UNTAGGED
BRIDGE VLAN-IDS CURRENT-UNTAGGED
....
;;; added by pvid23
D bridgeLocal 23 ether6
....
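As an added illustration (not code from this thread or from MikroTik), the three User-Manager attributes above are the RFC 2868 tunnel attributes; this Python builds them as they travel in a RADIUS Access-Accept and applies the checks a switch, or an audit script reading captured replies, should make before trusting the VLAN: Tunnel-Type must be 13 (VLAN), Tunnel-Medium-Type 6 (IEEE 802), and the group id a valid VLAN number. The sample packet is constructed inline.

```python
# RFC 2868 tunnel attributes, as used in the User-Manager entry above.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN id as a string, e.g. "23"
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_tunnel_attrs(vlan_id, tag=0):
    """Attribute bytes for Tunnel-Type:13, Tunnel-Medium-Type:6, Tunnel-Private-Group-ID:<vlan>.
    Each attribute is Type, Length, Tag, Value (integers are 3 bytes after the tag)."""
    out = bytearray()
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                             (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)):
        body = bytes([tag]) + value.to_bytes(3, "big")
        out += bytes([attr_type, 2 + len(body)]) + body
    body = bytes([tag]) + str(vlan_id).encode("ascii")
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    return bytes(out)


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_access_accept(data):
    """Return the VLAN id only when all three attributes are present and consistent,
    otherwise None, so a partial reply never lands a port in an unintended VLAN."""
    tunnel_type = medium = group_id = None
    for attr_type, value in parse_attrs(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte <= 0x1F is the tag; otherwise the string starts at byte 0.
            group_id = (value[1:] if value[0] <= 0x1F else value).decode("ascii", "replace")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return None
    if group_id is None or not group_id.isdigit():
        return None
    vid = int(group_id)
    return vid if 1 <= vid <= 4094 else None
```

Feeding `encode_tunnel_attrs(23)` to `vlan_from_access_accept` yields 23, which is the dynamic untagged VLAN the switch output above shows on ether6.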

Ok thanks, that means the printer is not involved in the configuration at all? I always thought that dot1x is a protocol on top of ethernet, where the client has to present a certificate to authenticate to the network, which the client device needs to support, that certificate has to be deployed, it can expire, etc etc.

But what you show here is much like what I am using with Procurve/Aruba switches where only the MAC address determines the entire process and dot1x is not involved at all.

Pleased to hear that it is possible with MikroTik switches as well!

You may have noticed that on the user manager side there is no logging at all about this authorization, I have requested it to be added and they are looking into it. I would like to see a log message that shows the request (name, device, port) and if it was accepted or rejected. We are now using freeradius where that is logged and I would like to replace it with user-manager.

Yes, the printer has no kind of configuration regarding the authentication.

I completely agree with you regarding logging in the User Manager.