RouterOS mac/user auth via RADIUS (ClearPass)

RouterOS General
1

I am evaluating MikroTik/RouterOS for use in our organization at sites that do not have the budget for full enterprise gear (HPE Aruba is our standard). I got a CRS328-24P-4S+RM switch and I was able to get it up and running within our network, successfully tagging/untagging VLANs.
We use ClearPass for authenticating to the network. I have not had much luck finding resources for anyone who has tried to use ClearPass with RouterOS. I was able to set up the RADIUS server, however I am not sure how to configure my access ports to point to ClearPass for authentication and correct VLAN assignment. The furthest I’ve gotten is to pass creds when attempting to sign into the switch itself. The MikroTik documentation shows client supplicant configuration settings, but it’s almost as if it wants me to prefill the details that the device connecting to the port should be supplying… https://help.mikrotik.com/docs/display/ROS/Dot1X Any guidance on this subject? I feel like I just need to configure the ports properly.

[admin@MikroTik] > export
# 2024-01-09 12:54:56 by RouterOS 7.13.1
# software id = T0G4-BFMH
#
# model = CRS328-24P-4S+
# serial number = [REDACTED]
/interface bridge
add ingress-filtering=no name=MGMT port-cost-mode=short pvid=[REDACTED] \
    vlan-filtering=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=MGMT ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10 pvid=[REDACTED]
add bridge=MGMT ingress-filtering=no interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=[REDACTED]
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=MGMT untagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=[REDACTED] interface=MGMT network=[REDACTED]
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[REDACTED]
/radius
add address=[REDACTED] service=login,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=[REDACTED]
/system routerboard settings
set boot-os=router-os
/user aaa
set use-radius=yes
2

Update: I was able to get a computer successfully authenticating against ClearPass after setting up a Dot1X Server in RouterOS. ClearPass accepts the request, however the computer does not successfully get its VLAN. It just continually sends requests (it sent 10k in 2 mins) that are all accepted by ClearPass. This error is repeated 10 times a second indefinitely while the port is active:

 10:09:25 dot1x,warning  err adding port to vlan
 10:09:25 dot1x,warning  err adding port to vlan
 10:09:25 dot1x,warning  err adding port to vlan
 10:09:25 dot1x,warning  err adding port to vlan
 10:09:25 dot1x,warning  err adding port to vlan
 10:09:25 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:26 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:27 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:28 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:29 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:30 dot1x,warning  err adding port to vlan
 10:09:31 dot1x,warning  err adding port to vlan
 10:09:31 dot1x,warning  err adding port to vlan
 10:09:31 dot1x,warning  err adding port to vlan
 10:09:31 dot1x,warning  err adding port to vlan

I’m not sure what I need to do to get it working…

3

Update: I was able to get things rolling after creating a separate bridge VLAN for each VLAN ID and tag my uplink port on each. I’m now struggling to figure out how to allow a phone to get its VLAN and a PC to get its separate VLAN (connected to the phone’s computer port). Current config below.

[admin@MikroTik] > export
# 1970-01-03 00:53:04 by RouterOS 7.13.1
# software id = T0G4-BFMH
#
# model = CRS328-24P-4S+
# serial number = HEX0996ZWTX
/interface bridge
add name=MGMT pvid=[REDACTED] vlan-filtering=yes
/interface list
add name="CPPM Port"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=MGMT interface=sfp-sfpplus1 pvid=[REDACTED]
add bridge=MGMT interface=ether3
add bridge=MGMT interface=ether2
add bridge=MGMT interface=ether4
add bridge=MGMT interface=ether5
add bridge=MGMT interface=ether6
add bridge=MGMT interface=ether7
add bridge=MGMT interface=ether8
add bridge=MGMT interface=ether9
add bridge=MGMT interface=ether10
add bridge=MGMT interface=ether11
add bridge=MGMT interface=ether12
add bridge=MGMT interface=ether13
add bridge=MGMT interface=ether14
add bridge=MGMT interface=ether15
add bridge=MGMT interface=ether16
add bridge=MGMT interface=ether17
add bridge=MGMT interface=ether18
add bridge=MGMT interface=ether19
add bridge=MGMT interface=ether20
add bridge=MGMT interface=ether21
add bridge=MGMT interface=ether22
add bridge=MGMT interface=ether23
add bridge=MGMT interface=ether24
/interface bridge vlan
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
add bridge=MGMT tagged=sfp-sfpplus1 vlan-ids=[REDACTED]
/interface dot1x server
add auth-types=dot1x,mac-auth interface="CPPM Port" mac-auth-mode=mac-as-username-and-password
/interface list member
add interface=ether3 list="CPPM Port"
add interface=ether4 list="CPPM Port"
add interface=ether2 list="CPPM Port"
add interface=ether5 list="CPPM Port"
add interface=ether6 list="CPPM Port"
add interface=ether7 list="CPPM Port"
add interface=ether8 list="CPPM Port"
add interface=ether9 list="CPPM Port"
add interface=ether10 list="CPPM Port"
add interface=ether11 list="CPPM Port"
add interface=ether12 list="CPPM Port"
add interface=ether13 list="CPPM Port"
add interface=ether14 list="CPPM Port"
add interface=ether15 list="CPPM Port"
add interface=ether16 list="CPPM Port"
add interface=ether17 list="CPPM Port"
add interface=ether18 list="CPPM Port"
add interface=ether19 list="CPPM Port"
add interface=ether20 list="CPPM Port"
add interface=ether21 list="CPPM Port"
add interface=ether22 list="CPPM Port"
add interface=ether23 list="CPPM Port"
add interface=ether24 list="CPPM Port"
/ip address
add address=[REDACTED] interface=MGMT network=[REDACTED]
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[REDACTED] routing-table=main suppress-hw-offload=no
/radius
add address=[REDACTED] service=dot1x
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
4

Hi, did you ever find a solution to mapping a vlan to a phone?

5

I didn’t, sorry.

6

AFAIK Mikrotik have only implemented RFC 3580 (single untagged VLAN) dynamic VLAN assignment, to support ‘untagged plus one or more tagged’ would require RFC 4675 (multiple tagged/untagged VLAN) too.