VOTE FOR PACKETFENCE SUPPORT

http://forum.mikrotik.com/t/eduroam-vlan-assignment-based-on-radius-802-1x-reply/74268/1

You can follow up with Mikrotik on what the proper RADIUS attribute is. They say it works. If you know the attribute, it will take 4 seconds to copy hostapd.pm, paste the RADIUS reply sub from switch.pm and change the attribute.

Then it’ll work.

But you’re a genius. You can figure it out.

1. Thank you for the nice response.
2. Thus far, I have found and used another product (reluctantly, I might add).
3. Mikrotik's strength going forward will be their value for the dollar. As things change and even more things virtualize, they will champion the market of performance for the dollar. That is absolutely why they need to begin supporting things like PacketFence, open-nac and other NAC based offerings. This world is changing, and quite fast. They should implement PacketFence support at the most granular level and hire a guy to hammer the crap out of the markets with their products paired with PacketFence and openac... I think they have already begun losing critical moments to gain momentum in this area.
4. Is there any way to delete these previous posts and clean this up so others will want to take it seriously and cast a strong vote that Mikrotik's leadership will notice?

@joncolby:
Even if your request seems of crucial importance to you, stop trashing other unrelated topics with your voting campaign.
This is a user forum, so apart from annoying other users who don’t care about your issue, there is no gain in it.

Talking about cleaning up. What about YOU cleaning up YOUR trash first by deleting your off topic posts in other threads?

The world isn’t changing. These are features that have been in enterprise access points for 5+ years. Just because you are now getting around to using it doesn’t make it more important all of a sudden. In all honesty, it sounds like you are the one that is behind the times.

Without counting me, the OP is the worst user I have ever found on this forum.
Karma: -5

Aug 12 11:57:58 httpd.webservices(20577) INFO: handling radius autz request: from switch_ip => 1.2.3.4, connection_type => Wireless-802.11-NoEAP,switch_mac => d4:ca:6d:d2:88:67, mac => my.ip.on.em.ac, port => 0, username => my.ip.on.em.ac (pf::radius::authorize)
Aug 12 11:57:58 httpd.webservices(20577) INFO: MAC: my.ip.on.em.ac is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Aug 12 11:57:58 httpd.webservices(20577) INFO: [1.2.3.4] Returning ACCEPT with VLAN 2000 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)

Put this in /usr/share/freeradius/dictionary.mikrotik at the end of the attribute section

ATTRIBUTE MIKROTIK_WIRELESS_VLANID 26 integer
ATTRIBUTE MIKROTIK_WIRELESS_VLANIDTYPE 27 integer

cp /usr/local/pf/lib/pf/Switch/Hostapd.pm /usr/local/pf/lib/pf/Switch/Mikrotik.pm
chown pf:pf /usr/local/pf/lib/pf/Switch/Mikrotik.pm

Patch Mikrotik.pm with the following diff.

Configure the CAPSMAN controller in PF as a Mikrotik with RADIUS deauthentication, set up your roles, RADIUS secrets, etc.

Capsman Config:

# aug/12/2014 11:50:23 by RouterOS 6.18
# software id = 18QF-P0PP
#
/interface bridge
add l2mtu=1600 name=BR-CAPS protocol-mode=none
/interface vlan
#Dunno if you really need these or not.. But Whatevs...
add interface=BR-CAPS name=default vlan-id=1208
add interface=BR-CAPS name=registration vlan-id=2000
add interface=BR-CAPS name=isolation vlan-id=2001
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes name=datapath1
/caps-man interface
# 
add arp=enabled configuration.mode=ap configuration.ssid=LOSERTEST datapath=datapath1 disabled=no l2mtu=1600 mac-address=MACOFAP master-interface=none mtu=1500 name=cap1 radio-mac=MACOFAP
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius radius-accounting=yes signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=BR-CAPS interface=ether13
/ip address
add address=1.2.3.4/16 interface=ether12
/ip route
add distance=1 gateway=x.y.z
/radius
add address=pfip secret=yoursecret service=wireless src-address=1.2.3.4
/radius incoming
set accept=yes
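As an added check (not from the original post), this cross-references the VLAN returned in PacketFence's "Returning ACCEPT with VLAN" log line against the VLAN interfaces defined on the CAPsMAN bridge in the RouterOS export above, so an Access-Accept for a VLAN the AP bridge cannot carry is flagged. The export and log excerpts are embedded as constructed samples; the 1208 and 3000 accept lines are invented to show a pass and a failure.

```python
import re

# Constructed sample: the /interface vlan section of the RouterOS export
# posted above, plus one unrelated section to show it is skipped.
ROUTEROS_EXPORT = """\
/interface vlan
add interface=BR-CAPS name=default vlan-id=1208
add interface=BR-CAPS name=registration vlan-id=2000
add interface=BR-CAPS name=isolation vlan-id=2001
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes name=datapath1
"""

# Constructed sample: PacketFence httpd.webservices log lines in the format
# shown above; the last two accepts (1208, 3000) are invented.
PF_LOG = """\
Aug 12 11:57:58 httpd.webservices(20577) INFO: MAC: my.ip.on.em.ac is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Aug 12 11:57:58 httpd.webservices(20577) INFO: [1.2.3.4] Returning ACCEPT with VLAN 2000 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)
Aug 12 12:01:03 httpd.webservices(20577) INFO: [1.2.3.4] Returning ACCEPT with VLAN 1208 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)
Aug 12 12:03:44 httpd.webservices(20577) INFO: [1.2.3.4] Returning ACCEPT with VLAN 3000 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)
"""

def routeros_vlans(export):
    """Return {vlan_id: name} for every 'add' line in the /interface vlan section."""
    vlans, section = {}, None
    for line in export.splitlines():
        if line.startswith("/"):          # a new section header such as /interface vlan
            section = line.strip()
            continue
        if section == "/interface vlan" and line.startswith("add "):
            args = dict(kv.split("=", 1) for kv in line.split()[1:])
            vlans[int(args["vlan-id"])] = args["name"]
    return vlans

ACCEPT_RE = re.compile(r"\[(?P<switch>[\d.]+)\] Returning ACCEPT with VLAN (?P<vlan>\d+)")

def accepts_outside_bridge(log, vlans):
    """Return (switch_ip, vlan) for each Access-Accept whose VLAN has no
    interface on the bridge, i.e. a client PacketFence would place on a VLAN
    the CAPsMAN datapath does not actually carry."""
    bad = []
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if m and int(m.group("vlan")) not in vlans:
            bad.append((m.group("switch"), int(m.group("vlan"))))
    return bad

if __name__ == "__main__":
    print(accepts_outside_bridge(PF_LOG, routeros_vlans(ROUTEROS_EXPORT)))
```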

Patch:

--- Hostapd.pm	2014-06-26 15:03:13.000000000 -0400
+++ Mikrotik.pm	2014-08-12 11:46:13.305173223 -0400
@@ -1,17 +1,17 @@
-package pf::Switch::Hostapd;
+package pf::Switch::Mikrotik;
 
 
 =head1 NAME
 
-pf::Switch::hostapd
+pf::Switch::mikrotik
 
 =head1 SYNOPSIS
 
-The pf::Switch::hostapd module manages access to hostapd
+The pf::Switch::Mikrotik module manages access to mikrotik APs
 
 =head1 STATUS
 
-Should work on the hostapd version started 2.0
+Should work on CAPSMAN enabled APs, tested on v6.18
 
 =cut
 
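Review bot: the POD NAME heading is changed to lowercase `pf::Switch::mikrotik` while the package line reads `pf::Switch::Mikrotik`; the two should use the same capitalisation so that the documented name matches the module actually loaded from `/usr/local/pf/lib/pf/Switch/Mikrotik.pm`. Keeping "tested on v6.18" in STATUS is useful, since it records the RouterOS version the reply attributes were verified against.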
@@ -25,7 +25,7 @@
 use base ('pf::Switch');
 
 use pf::config;
-sub description { 'Hostapd' }
+sub description { 'Mikrotik' }
 
 # importing switch constants
 use pf::Switch::constants;
@@ -192,7 +192,39 @@
     return;
 }
 
+sub returnRadiusAccessAccept {
+    my ($self, $vlan, $mac, $port, $connection_type, $user_name, $ssid, $wasInline, $user_role) = @_;
+    my $logger = Log::Log4perl::get_logger( ref($self) );
+
+    # Inline Vs. VLAN enforcement
+    my $radius_reply_ref = {};
+    my $role = "";
+    if ( (!$wasInline || ($wasInline && $vlan != 0) ) && isenabled($self->{_VlanMap})) {
+        $radius_reply_ref = {
+            'MIKROTIK_WIRELESS_VLANID' => $vlan,
+            'MIKROTIK_WIRELESS_VLANIDTYPE' => "0",
+        };
+    }
 
+    if ( isenabled($self->{_RoleMap}) && $self->supportsRoleBasedEnforcement()) {
+        $logger->debug("[$self->{'_id'}] Network device supports roles. Evaluating role to be returned");
+        if ( defined($user_role) && $user_role ne "" ) {
+            $role = $self->getRoleByName($user_role);
+        }
+	if ( defined($role) && $role ne "" ) {
+            $radius_reply_ref->{$self->returnRoleAttribute()} = $role;
+            $logger->info(
+                "[$self->{'_id'}] Added role $role to the returned RADIUS Access-Accept under attribute " . $self->returnRoleAttribute()
+            );
+	}
+	else {
+            $logger->debug("[$self->{'_id'}] Received undefined role. No Role added to RADIUS Access-Accept");
+        }
+    }
+
+    $logger->info("[$self->{'_id'}] Returning ACCEPT with VLAN $vlan and role $role");
+    return [$RADIUS::RLM_MODULE_OK, %$radius_reply_ref];
+}
 =back
 
 =head1 AUTHOR
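Review bot: `returnRadiusAccessAccept` hard-codes `'MIKROTIK_WIRELESS_VLANIDTYPE' => "0"` with no comment on what the type value selects, and both `MIKROTIK_WIRELESS_VLANID` / `MIKROTIK_WIRELESS_VLANIDTYPE` only resolve if the two `ATTRIBUTE ... 26 integer` / `... 27 integer` lines added to dictionary.mikrotik earlier in the post are present, so a comment above the hash should name that dictionary dependency and the meaning of the constant. Smaller points in the same hunk: the `if ( defined($role) && $role ne "" )` / `else` lines use tab indentation while the rest of the sub uses spaces; the sub is inserted directly before `=back` with no blank line and no matching `=item` POD entry for the new method; and the `$wasInline && $vlan != 0` test relies on `$vlan` being numeric, which is worth stating in the comment.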

Maybe you’d like to tell me again how much I don’t know about packet fence… Moron.

Why do you post this? It is like throwing your pearls to the swine.

Thanks for sharing.

To show him how much of an idiot he is.. Sometimes people just don’t know…

People, cool down. Such statements are of no use…

Roadracer, thanks for posting this. I’ve been interested in testing out PacketFence on my home network for quite some time without using inline mode.

Wow, how did I miss this post over in wireless. Fabrice helped add support in the next release of PacketFence

http://forum.mikrotik.com/t/disassociate-device-coa-snmp/80382/1

Pretty awesome. Thanks to Fabrice for his hard work on this. PacketFence 4.4.0 officially supports Mikrotik APs now.

http://www.packetfence.org/news/2014/article/packetfence-440-released.html

We should start a fight club.

Hi,
For information, Dot1X based VLAN assignment with PacketFence is working in version 10 and MikroTik RouterOS, tested version 6.46.6.

For example, a port with a Windows client 802.1X supplicant gets a VLAN based on the setting in PacketFence and is authenticated from AD.

What is not working are administration tasks like Reevaluate Access and RestartSwitchPort; a new template for the mikrotik-switch RADIUS command is needed.

But you all want Dot1X, you have it :slight_smile:

The RADIUS disconnect task on MikroTik needs more values than:

RADIUS Request
Acct-Session-Id =  "
NAS-IP-Address = 192.168.70.81 "
Calling-Station-Id = D4-AE-52-B9-2B-FD",
RADIUS Reply
Code = Disconnect-NAK "
NAS-Identifier = cap_michalek "
Error-Cause = Unsupported-Extension