VLAN assignment with radius and dot1x on CRS328

Hi!
I have configured a RADIUS connection with a PacketFence server that assigns devices connected to the switch to a specific VLAN. I want a wired-only solution.
I use DOT1X.
I want to know how to properly set up VLANs so that the port is set to the specific VLAN given by RADIUS.
I want the port to get assigned to the proper VLAN no matter which port it is.

Basically, my idea is:

  1. I connect a device to a random port.
  2. The switch gets a RADIUS reply from PacketFence with a VLAN that should be assigned to the device.
  3. The switch sets the port to that VLAN.

Could someone help me please?

Sure, just google it.
And here we are.

https://citraweb.com/artikel_lihat.php?id=446 with username and password authentication
https://mikrotik.co.id/artikel/447/ with mac authentication

Just use a translator.

OP has an external device acting as RADIUS server (PacketFence) so the guides with User Manager are not very useful, plus they don’t even address the VLAN issue.

To OP: you need to do the following on your CRS328 running RouterOS 7.

  • On PacketFence, add the IP address of the CRS328 and a shared secret to the RADIUS configuration

  • On the CRS328 go to the RADIUS menu and add an entry pointing to the PacketFence device’s IP address, with the shared secret above. The dot1x checkbox should be enabled


/radius
add address=10.20.30.40 secret=****************** service=dot1x
/radius incoming
set accept=yes

  • The CRS328 should be configured with only one single bridge containing all the ports, with vlan-filtering=yes. The uplink port connecting the switch to the PacketFence machine must be configured as a trunk port carrying all the VLANs that you wish to use (add entries under /interface bridge vlan)

  • For the ports that you want to use with DOT1X, configure them as access ports of the bridge by simply setting frame-types=admit-only-untagged-and-priority-tagged for them under /interface bridge port. The PVID value here is unimportant and can be left at the default value or can be set to a bogus VLAN ID (any ID not used by your VLANs; this is only a safeguard for the case where entries are mistakenly removed/disabled from the Dot1X server table). Do not add entries for those ports in the /interface bridge vlan table at all!

  • Add entries for the ports under Dot1X → Server. For example, to use user authentication with fallback VLAN for guest / unauthorized:


/interface dot1x server
add interface=ether5 guest-vlan-id=60 interim-update=30m reject-vlan-id=60 retrans-timeout=10s server-fail-vlan-id=60
add interface=ether8 guest-vlan-id=15 interim-update=30m reject-vlan-id=15 retrans-timeout=10s server-fail-vlan-id=15

  • If you want to use MAC authentication then turn on mac-auth, but then you can no longer specify the guest VLAN.

What do you mean, the VLAN issue? Anyway, that guide can easily be adapted to whatever RADIUS server he/she wants to use; the important bits on how to deploy it were clearly there.

Your first link is unreachable for me (timeout) and the 2nd one has no VLAN related config.

more elaborate lab with configuration based on that link
radius.rsc (2.18 KB)
SW.rsc (1.76 KB)
CLIENT1.rsc (1.04 KB)