Hi, Mikrotik forum. I want to implement a Mikrotik router that provides DHCP along with a switch (the brand doesn’t matter). The idea is that each user connecting to the switch must authenticate before gaining access to the network.
I understand there’s the Hotspot option, but I’m looking for something simpler for the person who will manage the network in the future.
I was considering using ARP Reply Only as a way to ensure that only the administrator can authorize which users have access to the network. Is this a good option?
If you work with ARP, you can allow ARP from DHCP by activating the appropriate flag, and you work with the DHCP server in static-only mode. This allows only the MAC addresses that you manually enter in the leases to navigate.
MAC-based mechanisms don’t provide authentication, as it is trivial for anyone to spoof a MAC address and gain access.
Any authentication and authorisation setup will require ongoing management. If you already have a database of user credentials such as Windows / Azure AD, it is possible to use those for both WiFi (WPA-Enterprise) and wired (802.1X) connections, or there are various cloud-based options such as JumpCloud or Okta.
For the given problem, 802.1X seems to be the only viable solution. To configure it, you need to have a RADIUS server to feed MT with configuration details for clients. There are a few RADIUS servers available, but you can start with FreeRADIUS (which is probably not the easiest one to configure but definitely the most versatile).
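The two approaches discussed in this thread, side by side as RouterOS commands. This is an added example, not a configuration posted by any participant. The names `bridge1`, `dhcp1` and `ether2`, the addresses, the MAC and the shared secret are constructed placeholders, and it assumes a RouterOS version with the dot1x menu and a client plugged directly into `ether2` (with a separate switch in between, the switch port would be the 802.1X authenticator instead).

```routeros
# --- Approach 1: ARP reply-only with static DHCP leases -------------------
# Assumed names: bridge1 (LAN bridge), dhcp1 (DHCP server on that bridge).

# Hand out addresses only to hosts that have a static lease.
/ip dhcp-server set [find name=dhcp1] address-pool=static-only add-arp=yes

# The router stops learning ARP entries on its own; it only talks to
# hosts whose IP/MAC pair is in the ARP table (filled from the leases).
/interface bridge set [find name=bridge1] arp=reply-only

# One lease per permitted device (constructed sample values).
/ip dhcp-server lease add server=dhcp1 address=192.168.88.10 \
    mac-address=02:00:00:00:00:01 comment="front-desk PC (sample)"

# As noted in the thread, this is an allow-list keyed on the MAC address,
# not authentication: the MAC is whatever value the client chooses to send.

# --- Approach 2: 802.1X on the wired port, backed by RADIUS --------------
# Assumed: a RADIUS server (e.g. FreeRADIUS) at 192.0.2.10 that already
# lists this router as a client with the same shared secret.

/radius add address=192.0.2.10 service=dot1x secret="REPLACE-WITH-SECRET"

# The port stays unauthorized until the client completes EAP
# authentication against the RADIUS server with its own credentials.
/interface dot1x server add interface=ether2 auth-types=dot1x

# Check which ports have an authorized session.
/interface dot1x server active print
```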