Hi,
Using 3.30, confirmed on two MIPSLE boards, both having the identical issue…
- When Radius authentication is used for Wireless clients (/interface wireless security-profiles), no Wireless Connect/Disconnect/etc logs are displayed on Mikrotik.
/interface wireless security-profiles
set default authentication-types="" group-ciphers="" group-key-update=5m interim-update=5m mode=none name=default radius-eap-accounting=no radius-mac-accounting=yes radius-mac-authentication=yes radius-mac-caching=\
30s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username-and-password static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" \
static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers="" \
wpa-pre-shared-key="" wpa2-pre-shared-key=""
- I’ve configured a Bridge port, containing my Wireless Interface, tied together with a VLAN interface. The main reason for this is that DHCP on the Wireless network is handled by a central server.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1596 max-message-age=20s mtu=1500 name="WIFI Bridge" priority=0x8000 protocol-mode=stp \
transmit-hold-count=6
...
/interface vlan
add arp=enabled comment="" disabled=no interface="Uplink Port" l2mtu=1596 mtu=1500 name="VLAN100 - WIFI" use-service-tag=no vlan-id=100
...
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2.4ghz-b basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment=\
"" compression=no country="us 2.4 crossroads" default-ap-tx-limit=0 default-authentication=no default-client-tx-limit=0 default-forwarding=no dfs-mode=none disable-running-check=no disabled=no \
disconnect-timeout=3s frame-lifetime=0 frequency=2412 frequency-mode=regulatory-domain hide-ssid=no hw-retries=4 mac-address=00:0C:42:08:78:B9 max-station-count=2007 mode=ap-bridge mtu=1500 name=WLAN01 \
noise-floor-threshold=default on-fail-retry-time=100ms periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name="-=savage=-" rate-set=\
default scan-list=default security-profile=default ssid="-=savage=-" station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
...
/interface bridge port
add bridge="WIFI Bridge" comment="" disabled=no edge=auto external-fdb=auto horizon=none interface="VLAN100 - WIFI" path-cost=10 point-to-point=auto priority=0x80
add bridge="WIFI Bridge" comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=WLAN01 path-cost=10 point-to-point=auto priority=0x80
...
The moment a wireless client connects, the authentication is sent to the Radius Server (I’ve tried with Default-Forwarding=yes and no). The MAC is authenticated and the Wireless device connects to the radio, but no traffic passes through the bridge.
When I remove the Radius authentication, and add the Client to the Access List:
/interface wireless access-list
add ap-tx-limit=0 authentication=yes client-tx-limit=0 comment="" disabled=no forwarding=yes interface=WLAN01 mac-address=00:23:6C:35:2E:D6 private-algo=none private-key="" private-pre-shared-key="" signal-range=\
-120..120
Then everything works fine.
I’m stumped as to why the bridge would not allow traffic for MAC addresses authenticated via Radius, but WOULD for MAC addresses on the Wireless Access Table… I am smelling a bug.