VLAN Assignment per user using RADIUS

Greetings everyone.

I do WPA authentication using a RADIUS server (freeradius on a zeroshell server). On the server I can specify the client-assigned VLAN (802.1x).

I need my AP to assign the VLAN dynamically to the wireless client. This will allow different clients to be on different networks.

TRUNK PORT → ETH2 → WAP → CLIENT on vlan 3404
                        → CLIENT2 on vlan 3410

I understand that I need to bridge my WAP and the ETH2 interface. But I do not understand where the packet is going to be tagged and how to tell RouterOS to do that.

I have yet to find documentation or information.

Any idea?

Dany Chouinard

That is kind of what I want to make: create a VLAN per customer, but I don't know exactly how to do that on WiMAX professional equipment like Alvarion. I heard about a pseudo VLAN, but that's all I know in 802.11a/b/g.

I have found a good description of what I’m trying to accomplish. But I have yet to figure out how to do it with RouterOS.

http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1169011,00.html

This sounds like something we would be interested in knowing about as well

As can be read in the post the key is that RouterOS has to understand those RADIUS attributes (and act accordingly).
I don’t think this is implemented right now.

Best bet would be to write a feature request to support, I suppose…

Hi,

Did this ever get implemented?

Was there a feature request?

Currently I can only get this functionality with products like HP, Trapeze etc. If I could use the “Client Assigned VLAN” attribute in RouterOS then I’d be able to deploy a lot more MikroTik.

I only need the AP to respect the attribute in WPA2-EAP scenarios. Don’t necessarily need it in HotSpot or UserManager.

Ta

It is not implemented in any current version.

Ok, would it be possible? How do I make a feature request? Can anyone think of a workaround?

Perhaps I’ll look at the L2 firewall…

Ta

Maybe you could try OpenWrt; this feature works with it.

That’s interesting, I didn’t know that. I’ll take a look.

The thing is that I already have a significant (city wide) Mikrotik deployment so I’d like to stick with that if possible.

Ta

Duvi - I can’t see this in any of the OpenWRT documentation and I’ve Googled pretty hard …

Could you point me in the right direction please.

Thanks

If you turn on radius debug logging, does that attribute show up in the logs? If it does, a workaround would be to write a script to monitor the radius log, watching for that attribute. Then you could take any action you wanted based on the entry in the log. It is a bit of a hack, but may get you going in the meantime, if required.
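Whatever acts on the log (or on the packet itself) first has to recognise the “client assigned VLAN” attributes, which are the RFC 2868 tunnel attributes as profiled by RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=the VLAN). The following Python is an added example, not code from this thread, RouterOS or FreeRADIUS: it decodes the attribute section of a RADIUS Access-Accept, validates the three attributes as a unit (same tag, correct type and medium, VLAN id in range) and handles the optional tag octet on the group id; the sample packets are constructed by hand.

```python
# RADIUS attribute type codes (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_avps(payload: bytes):
    """Split a RADIUS attribute section into (type, value) pairs."""
    avps, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    if i != len(payload):
        raise ValueError("truncated attribute header")
    return avps

def _tag(octet: int) -> int:
    # RFC 2868: only 0x01..0x1F are real tags; anything else means "untagged"
    return octet if 0x01 <= octet <= 0x1F else 0

def assigned_vlan(payload: bytes):
    """VLAN id from an Access-Accept's tunnel attributes, or None.

    Tunnel-Type must be VLAN, Tunnel-Medium-Type must be IEEE-802 and all
    three must share a tag; anything else is ignored rather than acted on.
    """
    types, mediums, groups = {}, {}, {}
    for atype, value in parse_avps(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # tagged integer: 1 tag octet + 3-octet big-endian value
            target = types if atype == TUNNEL_TYPE else mediums
            target[_tag(value[0])] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # tagged string: a leading octet <= 0x1F is a tag, otherwise the
            # first octet already belongs to the group id itself
            if value[0] <= 0x1F:
                groups[_tag(value[0])] = value[1:]
            else:
                groups[0] = value
    for tag, group in groups.items():
        if types.get(tag) == TUNNEL_TYPE_VLAN and mediums.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None

# Constructed Access-Accept attribute sections (not captured from a real server)
ACCEPT_VLAN_3404 = bytes([64, 6, 0, 0, 0, 13, 65, 6, 0, 0, 0, 6, 81, 7, 0]) + b"3404"
ACCEPT_VLAN_3410_NOTAG = bytes([64, 6, 0, 0, 0, 13, 65, 6, 0, 0, 0, 6, 81, 6]) + b"3410"
ACCEPT_PPTP_TUNNEL = bytes([64, 6, 0, 0, 0, 1, 65, 6, 0, 0, 0, 6, 81, 7, 0]) + b"3404"
```

Non-numeric group ids (VLAN names, which hostapd also accepts) are deliberately left unassigned here, so a name would need its own lookup table before any bridge or VLAN rule is touched.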

It’s described here http://rpc.one.pl/index.php/lista-artykulow/34-openwrt/82-dynamiclvlan-w-openwrt-z-wykorzystaniem-hostapd

It’s in Polish, but it’s not too hard to get the point from the config files.

Translated into English:
http://translate.google.com/translate?hl=en&ie=UTF-8&sl=auto&tl=en&u=http://rpc.one.pl/index.php/lista-artykulow/34-openwrt/82-dynamiclvlan-w-openwrt-z-wykorzystaniem-hostapd&prev=_t

That’s an interesting idea Doug…

Perhaps I can script dynamic L2 NAT rules to forward the client’s traffic to/from the right VLAN…

Thanks

Wow! It’s a shame that we can’t have access to wireless interfaces from MetaRouters :frowning:

Then I could use OpenWRT to do this on my existing MikroTik installations.
I’ve added “Support for RADIUS Subscriber Assigned VLAN attribute in 802.1x” to the MikroTik feature request Wiki…

I guess people can vote for it if they think it would be useful :slight_smile:

In the meantime I’ll be learning OpenWRT then…

Thanks

Matt