One dock with two computers & two VLANs

Hi.

Wonder if this is possible - I have one thunderbolt dock with one NIC/MAC address and I’d like to set my MikroTik router to behave so that if a specific laptop is plugged in (i.e. my work laptop), it gets connected to my guest VLAN interface (pvid 20), but for any other devices plugged into that dock, this goes to my main network (which is the bridge interface, pvid 1).

Is that possible to set up router-side?

Thanks!

you would need something like user-manager (MikroTik's implementation of a RADIUS server) and some kind of (basic) dot1x setup to evaluate (and authenticate) the device/user connecting to the network

you could try to do basic mac-authentication and then set the PVID of that port to your desired VLAN and otherwise leave it at PVID 1
never done it on a setup with user-manager (additional .npk package in “all packages”)
you also could work with more sophisticated setups like EAP-PEAP and/or computer authentication (cert. based; most likely in place in a domain network, hence the domain has an internal CA and signs computer certificates which are pushed to domain-joined computers)

but I implemented dot1x with an Aruba RADIUS server which serves a variety of access layer devices (Cisco, FS, UBNT ES and also MikroTik RB4011 and hEX)

the radius server has to respond with the according values to set the VLAN PVID
the 3 important values here are

  • Tunnel-Medium-Type (=VLAN)
  • Tunnel-Type (=802)
  • Tunnel-Private-Group-ID (=vlan pvid)

(here for example the RADIUS server is implemented via Micro$oft's NPS: https://www.expertnetworkconsultant.com/configuring/ieee-802-1x-authentication-and-dynamic-vlan-assignment-with-nps-radius-server/ )

also a good read maybe

https://administrator.de/en/nps-802-1x-radius-authentication-with-eap-tls-and-strong-certificate-mapping-for-non-domain-joined-devices-9670013529.html

http://forum.mikrotik.com/t/routeros-802-1x-client-windows-nps-ad-cs/148870/1

https://help.mikrotik.com/docs/display/ROS/Dot1X
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
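The three RADIUS tunnel attributes the reply above mentions, as an added Python example (not code from the thread or from MikroTik): it encodes and decodes them as RFC 2868 defines them, with the attribute numbers 64/65/81, the VLAN value 13 for Tunnel-Type, the IEEE-802 value 6 for Tunnel-Medium-Type, and a fallback to PVID 1 when the trio is missing or inconsistent all taken as assumptions rather than from the page.

```python
import struct

# RFC 2868 attribute numbers and values used for dynamic VLAN assignment (assumed from the RFC)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802
DEFAULT_PVID = 1             # port stays on the main bridge VLAN unless the trio says otherwise

def _avp(attr: int, payload: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", attr, len(payload) + 2) + payload

def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three tagged attributes an Access-Accept carries to put a port into vlan_id."""
    # Integer tunnel attributes carry a one-byte tag followed by a 3-byte value.
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_avps(blob: bytes) -> dict:
    """Decode a RADIUS attribute list into {type: [value, ...]}, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.setdefault(attr, []).append(blob[i + 2:i + length])
        i += length
    return out

def pvid_from_accept(blob: bytes) -> int:
    """Return the PVID a port should get from an Access-Accept, or DEFAULT_PVID if the trio is absent/inconsistent."""
    avps = parse_avps(blob)
    try:
        ttype = int.from_bytes(avps[TUNNEL_TYPE][0][-3:], "big")
        medium = int.from_bytes(avps[TUNNEL_MEDIUM_TYPE][0][-3:], "big")
        group = avps[TUNNEL_PRIVATE_GROUP_ID][0]
    except KeyError:
        return DEFAULT_PVID
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return DEFAULT_PVID
    # RFC 2868 3.3: a leading byte of 0x00..0x1F is a tag, anything higher is part of the string.
    if group and group[0] <= 0x1F:
        group = group[1:]
    vid = int(group) if group.isdigit() else DEFAULT_PVID
    return vid if 1 <= vid <= 4094 else DEFAULT_PVID
```

A server that omits the tag byte on Tunnel-Private-Group-ID (value `b"20"` instead of `b"\x0020"`) still decodes to the same PVID, which is the case the tag rule exists for.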

If I get this right, this particular kind of dock is connected via thunderbolt and has an internal NIC (with its own MAC address).
So the router (or any other device on the network connected to it) has no way to see which computer is connected via thunderbolt; it will always see the MAC of the dock NIC, no matter which computer is connected to it.
It has to be seen if it is possible to do some kind of MAC spoofing on that device.
Only as an example/reference, DELL has a “pass-through mode” for similar devices:
https://www.dell.com/support/kbdoc/en-us/000143263/what-is-mac-address-pass-through
and if I recall correctly, Lenovo and other manufacturers also have something similar.

HP also has such an option