We recently purchased some Mikrotik products and I have a question.
We bought:
1 x CCR1009
3 x CRS354
14 x cAP ac
I have the network design and am going to control all wireless via Capsman in CCR1009.
There will be 3 vlans running
vlan10 for building 1 and admin wireless
vlan11 for building 2
vlan12 for building 3
vlan20 for all guest wireless
The customer would like to implement the network, get all devices plugged in and working (or on wireless), and then lock the network down to the existing registered MAC addresses, forcing an admin to add new devices to the Mikrotik router as they are added. Anything new that either gets plugged in to the switches or connects to the admin wireless should be completely rejected, while the guest wireless is left to itself without these rules.
Can this be done? I’ve read about wireless access lists, but that doesn’t cover ethernet on my switches, so I’m not sure how to move forward.
MAC addresses are easy to spoof; you should really be looking at 802.1X for wired and WPA2-Enterprise for wireless authentication against a RADIUS server.
Not always possible. Depends on the devices. If these devices have no “supplicant” embedded in their software, MAC authentication is the best thing you can do.
I’ve deployed such an environment that contains hundreds of industrial controllers, sensors and PLCs unaware of the concept of 802.1X supplicant code.
Not on Mikrotik, but full Cisco SD-Access, so a fabric running VXLAN etc.
Cisco ISE takes care of all AAA aspects.
Yes; however, it is possible to use MAC-auth and 802.1X at the same time, and minimise the use of MAC-auth to those devices which are unable to perform 802.1X. Any MAC-authed devices can hopefully be restricted to a small number of heavily firewalled networks; there should be no modern (< 10 years old) client desktop/laptop/tablet/phone/printer which can’t do better.
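Putting the thread's advice into configuration, as an added example that is not from any of the posters: RouterOS v7 syntax as I know it, with 802.1X on the CRS354 switch ports, MAC-auth only as a fallback for supplicant-less gear, WPA2-Enterprise on the CAPsMAN admin SSID, and the spoofable MAC access-list shown last for comparison. The RADIUS address, shared secret, interface names, VLAN assignment and MAC address are placeholders, and the dot1x lines assume the ports are already bridge ports with VLAN filtering enabled.

```routeros
# Added example, not from the thread. Placeholders: 192.0.2.10, CHANGE_ME, ether2/ether3,
# 00:11:22:33:44:55. Sections 1-2 belong on the CRS354 switches, 3-5 on the CCR1009 running CAPsMAN.

# 1. One RADIUS server serves both the wired dot1x server and CAPsMAN EAP passthrough.
/radius
add address=192.0.2.10 secret=CHANGE_ME service=dot1x,wireless timeout=1s

# 2. Wired ports: try 802.1X first, fall back to MAC-auth (MAC sent as username and password).
#    No guest-vlan-id is set, so an unknown device that fails both gets no access at all.
#    The RADIUS reply can drop a MAC-only device into a restricted VLAN with
#    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan id>,
#    which is how the "heavily firewalled network" for supplicant-less gear is enforced.
/interface dot1x server
add interface=ether2 auth-types=dot1x,mac-auth mac-auth-mode=mac-as-username-and-password
add interface=ether3 auth-types=dot1x,mac-auth mac-auth-mode=mac-as-username-and-password

# 3. Admin wireless: WPA2-Enterprise, EAP passed through to the RADIUS server above.
/caps-man security
add name=sec-admin authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm

# 4. Guest wireless: ordinary PSK, no MAC rules, as the customer asked.
add name=sec-guest authentication-types=wpa2-psk passphrase=CHANGE_ME encryption=aes-ccm

# 5. The weaker approach the thread cautions against: a CAPsMAN MAC access-list.
#    Only listed MACs are accepted on the admin SSID; everyone else is rejected.
#    A MAC is trivially copied, so this identifies the device, it does not authenticate it.
/caps-man access-list
add action=accept mac-address=00:11:22:33:44:55 ssid-regexp="^Admin$" comment="printer, building 1"
add action=reject ssid-regexp="^Admin$" comment="default deny on admin SSID"
```

The order of entries in section 5 matters: the access-list is evaluated top to bottom and the first match wins, so the catch-all reject must stay last. For the wired side, the RADIUS server (not the switch) is where the "registered MAC" inventory lives, so adding a device is a RADIUS user entry rather than a per-switch edit, which is what the original poster wanted the admin to be forced to do.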