Hello
I have a factory with 9 Cisco C2960X-48FPS, 15 Cisco C2960C-08P, ~30 Mikrotik cAP ac, and a CCR1009.
The CCR1009 is the main router for NAT, CAPsMAN and VPNs. There are also a lot of IP cameras, IP phones and different sensors. All work, and I have approximately 10 VLANs. BUT very often some devices are moved and connected to some other switch port, which then needs to be configured for the proper VLAN.
The idea is to put USERMAN on the CCR1009 and do dynamic VLAN assignment with MAB on every switch port.
So, for example, if someone disconnects a device from a switch port on switch 10 (C2960C) and connects the same device to another switch in another part of the factory, that port (on the new switch) automatically gets the specified VLAN assigned.
I have the MACs of all devices, so I can create a "MAC archive" on the CCR1009.
My question is: does someone have something similar, and are they willing to share the config?
The main problem for me is on the Mikrotik CCR1009 (userman): how to create the attributes for Cisco and a MAC mask (for example, all MACs with FB:C0:XX:XX:XX:XX get VLAN 110,
and MACs with 0C:99:XX:XX:XX:XX get VLAN 330).
Cisco has OK manuals for RADIUS, so I can play with that, but I can't find any for Mikrotik on this matter.
With the use of VLAN RADIUS attributes in authentication requests, clients are authorized based on existing VLAN-segmented networks. The existing VLAN provisioning is used as an indication of the location.
Based on RFC 2868 (RADIUS Attributes for Tunnel Protocol Support), support is provided for the standard RADIUS attributes that exist for specifying the tunnel type, medium and identifier.
The Tunnel-Private-Group-ID includes the VLAN ID or name, and accommodates a string length of up to 253 characters.
Obviously you need to make some configuration on the Cisco side too; please look for the exact config snippets compatible with your platform.
All in all this should be doable, as far as I know. But I think in USERMAN you'll need to work with user GROUPS/PROFILES or something where you provide the required RADIUS attributes back to the CAT2960.
For a USER, you cannot seem to do that directly? The MAC address of the endpoint connected to the switch probably has the "username" (MAC) embedded in the Calling-Station-Id or something.
Good luck.
I have no experience with using Userman as a "RADIUS" server.
I have done that with Aruba switches; it should be the same.
However, what you want to do with a "mask" is not possible with Userman. You can only specify MAC addresses in full, and assign attributes like a VLAN to them. You can make a "group" that sets the RADIUS attributes for VLAN 110, and any "users" (MAC addresses) that are part of this group will get the proper VLAN.
However, you cannot put FB:C0:XX:XX:XX:XX as a user in such a group; you need to fully specify, e.g., FB:C0:12:34:56:78 for each MAC on the network.
Also there is the issue (I filed SUP-196157 for that) that there is no logging of access requests. Userman is severely session-oriented: it logs only accounting requests, and you cannot know what is happening with access requests (at least not in the router, only in the switch).
So for now, user-manager is not really suitable for what you want to do…
Perhaps you should also consider something like PacketFence (opensource / free) and deploy it like a REAL NAC-solution, with lots of logging and insight.
Thanks man. Your info helps a lot. I was thinking that it is not possible to "mask" MACs; they need to be fully specified. So this solution is not what I need. So Mikrotik USERMAN can't do this.
Thank you
So PacketFence can be used instead of USERMAN for this? Like a RADIUS server, where I can specify a MAC address and/or MAC "mask" so the VLAN is assigned by that? Can Cisco and Mikrotik switches be connected to that?
Thanks
Probably it will work, I guess, but you should test these things anyway.
I'm pretty sure you can work with device groups in the authentication flow, so e.g. match the vendor ID part of the MAC (the OUI) or something and do something with that.
The solution is built around the concept of network isolation through VLAN assignment. For more details on how this works see the Technical Introduction page. Because of its long experience and several deployments, the VLAN management of PacketFence grew to be very flexible over the years. Your VLAN topology can be kept as it is and only two new VLANs will need to be added throughout your network: the registration VLAN and the isolation VLAN. Moreover, PacketFence can also make use of role support from many equipment vendors.
VLANs and roles can be assigned using various means:
Per switch (default for VLAN)
Per client category (default for roles)
Per client
Using any arbitrary decision (if you use our Perl extension points)
Also, the per-switch method can be combined with the others. For example, with a default PacketFence setup, a VLAN or a role can be assigned to your printers and your PCs (if categorized properly) based on what equipment they are connected to. This implies that you can easily have per-building, per-device-type VLANs.
Might be a fun project for the coming months: increasing the network security of your factory network.
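As an added example (not code from this thread, from User Manager or from PacketFence), the two pieces the replies describe, in Python: matching a MAB username or Calling-Station-Id (a MAC in any common notation) against a prefix table such as the OUI-based device groups mentioned above, and building the three RFC 2868 tagged attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a RADIUS server returns in the Access-Accept so the switch puts the port in that VLAN. The prefix table, the tag value and all function names are assumptions; the prefixes and VLAN IDs are the ones from the question.

```python
import re
import struct

# RFC 2868 attribute types and the IANA values a switch expects for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value "IEEE-802"

# Constructed prefix table (assumption): keys are hex digits without separators,
# any length; the longest matching prefix wins. FB:C0 and 0C:99 are from the question.
PREFIX_VLAN_MAP = {"FBC0": 110, "0C99": 330}

def normalize_mac(raw):
    """Accept fb:c0:12:34:56:78, FB-C0-..., fbc0.1234.5678 etc.; return 12 upper-hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits

def vlan_for_mac(raw, table=PREFIX_VLAN_MAP):
    """Longest-prefix match of the MAC against the table; None when nothing matches."""
    mac = normalize_mac(raw)
    for prefix in sorted(table, key=len, reverse=True):
        if mac.startswith(prefix.upper()):
            return table[prefix]
    return None

def _tagged_int(attr_type, tag, value):
    # Type, Length (always 6), Tag, then a 3-byte big-endian integer
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def _tagged_str(attr_type, tag, value):
    # Type, Length, Tag, then the string (VLAN ID or name, up to 253 chars)
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan_id, tag=1):
    """The three tagged attributes to place in an Access-Accept (tag 1 groups them)."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def access_accept_attrs_for(raw_mac):
    """Attribute bytes for a known device, or None so the caller can reject or apply a guest policy."""
    vlan = vlan_for_mac(raw_mac)
    return None if vlan is None else vlan_attributes(vlan)
```

Unknown MACs deliberately return None rather than a default VLAN, so the decision to reject or to use a guest VLAN stays explicit in the caller.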
Cool man. Thanks.
I installed PacketFence on a VM on my server, so I will play with it and try first with my 2 Cisco switches and home setup. After that I will move forward.