Is it possible to use RADIUS both for Dot1X interface authorization and DHCP IP distribution (via Framed-IP-Address)?
I’m having a bit of a problem where the only thing a DHCP server sends to a RADIUS server (via the in-router client) is a MAC address, with an empty password.
I’m wondering, is it possible to use the auth data a client sent to a Dot1X server for DHCP->RADIUS authentication?
Also, I have found some info that the RouterOS DHCP server may not give out the IP address that was specified in Framed-IP-Address (or Framed-Pool) in the user record on the RADIUS server. How does it work?
I’m currently using version 6.46.2, and a FreeRADIUS server (though that is not set in stone; I thought about using User Manager, but that would complicate the verification of users a bit).
There are two completely independent operations taking place - firstly the dot1x auth to permit layer 2 network access, and subsequently DHCP to obtain a layer 3 network address - this is very different from the traditional RADIUS use case where an IP address can be provided during authentication and authorisation of a PPP/PPPoE connection.
If the dot1x auth is by credentials (e.g. EAP-PEAP-MSCHAPv2) there is no data in the RADIUS server to supply an IP address to a specific MAC address, so if each user only ever connects with one device you can have a second set of data in the RADIUS server to provide IP addresses for those specific MAC addresses.
If the dot1x auth is by MAC address then it should be possible to use the same RADIUS record for both dot1x and DHCP; it may need some unlang processing in FreeRADIUS if the request formats are dissimilar.