What is the Best Practice for detecting/preventing unauthorized devices in LAN?

What is the best practice/method for detecting/preventing unauthorized devices in LAN?
Since anybody or an intruder can simply set his/her device’s IP accordingly (or even try DHCP first) and simply plug it into any LAN port in any of the rooms, and voilà, he/she is in the LAN… and also automatically has access to the WAN via the in-house switch/router…
Can such a scenario be detected/prevented in RouterOS, without a separate intruder-detection system (IDS)?

Port-based security, 802.1X, will prevent this.
Basically, the port can only be used after authentication/authorization.

Sure, on RouterOS you can do a lot with scripts: you could collect the MAC/ARP entries on a regular basis, process them, compare them, do something with them.
On the other hand, MAC addresses are very simple to spoof, so to me this is the “last resort” if no other authentication (username/password or certificate) is possible because the client does not have these capabilities.

Not sure how the 802.1X implementation on RouterOS is done (I mean, if completely implemented, caveats etc.), but we’ve designed many networks like this with thousands of wired & wireless users, although based on Cisco products. I guess the basics will run fine. So you would need a RADIUS server that speaks to RouterOS. Configure 802.1X on the ports of the LAN switch. All other stuff is RADIUS config to create some profiles/process flows etc. depending on your needs.
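As an added illustration of the MAC/ARP comparison approach suggested above (example code, not from the thread or from MikroTik): a Python script that parses a RouterOS `/ip arp print terse` snapshot, diffs it against an allowlist of MAC-to-interface expectations, and flags unknown MACs, known MACs on an unexpected interface, and one MAC appearing with several IPs. The snapshot lines and the allowlist are constructed; a cloned MAC that matches the allowlist exactly is, as the post says, not detectable this way.

```python
import re
from collections import defaultdict

# Constructed sample of RouterOS "/ip arp print terse" output (not a real capture).
ARP_SNAPSHOT = """\
 0  DC address=192.168.88.10 mac-address=00:11:22:33:44:01 interface=bridge-lan
 1  DC address=192.168.88.11 mac-address=00:11:22:33:44:02 interface=bridge-lan
 2  DC address=192.168.88.77 mac-address=DE:AD:BE:EF:00:01 interface=bridge-lan
 3  DC address=192.168.88.12 mac-address=00:11:22:33:44:02 interface=ether5
"""

# Constructed allowlist: MAC -> interface the device is expected to appear on.
ALLOWLIST = {
    "00:11:22:33:44:01": "bridge-lan",
    "00:11:22:33:44:02": "bridge-lan",
}

ARP_LINE = re.compile(
    r"address=(?P<ip>\S+)\s+mac-address=(?P<mac>\S+)\s+interface=(?P<iface>\S+)")


def parse_arp(text):
    """Return (ip, mac, interface) tuples from terse ARP output; MACs upper-cased."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].upper(), m["iface"]))
    return entries


def audit(entries, allowlist):
    """Produce alert strings: unknown MACs, known MACs on an unexpected interface,
    and a single MAC seen with several IPs (a hint of a duplicated/cloned MAC)."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac, iface in entries:
        ips_per_mac[mac].add(ip)
        if mac not in allowlist:
            alerts.append(f"unknown MAC {mac} at {ip} on {iface}")
        elif allowlist[mac] != iface:
            alerts.append(f"known MAC {mac} on unexpected interface {iface} (expected {allowlist[mac]})")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} seen with multiple IPs {sorted(ips)}: possible clone")
    return alerts


if __name__ == "__main__":
    for alert in audit(parse_arp(ARP_SNAPSHOT), ALLOWLIST):
        print(alert)
```

In practice the snapshot would come from a scheduled `/ip arp print terse` export, and the previous run's result would be kept so that only new alerts are reported.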

It depends on how hard you want to try preventing unauthorised devices and how determined someone is to bypass your blocks.

A very simple method is to disable DHCP and only assign IP addresses with static leases or statically. This would require someone to either manually set an IP address and gateway on their device, or to clone the MAC address of one of your devices and disconnect it.

Beyond that you are looking at port-based access controls such as MAC learning/whitelisting, MAC auth, 802.1X. Any of the MAC-based methods can be bypassed by cloning the MAC address of an authorised device; certificate or username/password 802.1X methods are secure.

Mikrotik have recently introduced port-based access control https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x although you need an external RADIUS server. Many other vendors support port-based access control in fully managed and the better smart/web managed switches; entry-level smart/web managed and unmanaged switches do not.

In v7 of RouterOS a RADIUS server is included, I believe … I seem to remember reading a post about that … But v7 probably will not be in stable production till 2021.

And YES, port-based security, 802.1X, is the effective way.

@jvanhambelgium, thank you very much for the info about RADIUS.
I admit I had heard/read about RADIUS, but didn’t know that it is intended exactly for this purpose.
I’ll read some docs/HOWTOs on the web.

Can someone tell me whether a RADIUS server is included in RouterOS, or does it have only a RADIUS client?
Or do I need to install a RADIUS server on a serverPC in my LAN?

Update: as @mozerd and @tdw have mentioned, a RADIUS server seems to be included in the upcoming RouterOS 7.0. I already have the beta5 of it running; will test it.

Can someone please describe the process briefly, from the point of view of a user in the LAN:
what changes for him/her, what extra steps are required for him/her, after RADIUS has been set up in the org?
Thx

If you do not use the RADIUS built into RouterOS v7, the usual choice is FreeRADIUS or Windows NPS (integrated with newer Windows Server products).

MAC auth - there are no changes to the device, but you need to record the MAC address of authorised devices.

Certificate 802.1X - you need to create, distribute and manage certificates. For user-managed devices they will have to install the client certificate on their device and configure the wired connection 802.1X support to use it.

Username/password 802.1X - you need to maintain a database of usernames and passwords; it is possible to use an existing Active Directory or LDAP setup. The user will have to enable wired connection 802.1X support on their device, if it is not already, and enter the username/password in order to connect.

Many educational establishments use 802.1X with federated RADIUS allowing their members to connect wired/wirelessly at other establishments with no device reconfiguration after the initial setup, so there are plenty of examples of setups to be found.

@tdw, thanks for the explanation, but I wonder when the username and user password have to be used.
Let’s say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day).
So, what happens next? Does he need to log in to the RADIUS server first (but how is this supposed to work, as he does not have any network access yet, I imagine) before he can do his usual login into his local OS on his office PC? Surely I must have misunderstood something in this concept.
Thx

For my Windows users I use screen time … if the screen has no user interaction for x minutes, log the user out. The logout closes all connections, so the user would need to re-authenticate. Management decides what the value of x will be for each person and circumstances of monitoring … if the person is in a locked room the value of x can be much higher … locked rooms usually have cams monitoring everything. Everything depends on the environment and security policy in place.

https://www.virtualizationhowto.com/2018/12/configure-windows-10-for-802-1x-user-authentication/

Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using any usernames and userpasswords?

I.e. when a device boots up, it shall automatically communicate via the RADIUS client to the configured RADIUS server, pass its credentials and, if everything is OK,
then the (either pre-assigned or any) switch port shall open for this machine; otherwise any attempts of normal traffic from that machine get blocked by the switch.

Update after some more research: yes, the above scenario seems to be possible:
https://techexpert.tips/mikrotik/mikrotik-radius-authentication-freeradius/
Will now just try it out by setting up my own RADIUS server (the FreeRADIUS server mentioned by @tdw) on a local Debian box.

802.1X “authentication” CAN happen before the person issues the login on the Windows screen, for example (and authentication after that can again happen using Windows credentials).
If you go to the network settings of your PC you’ll find some section on 802.1X or “security” where you can choose things like PEAP (Protected EAP, and EAP = Extensible Authentication Protocol, which is more a “framework” than an actual protocol).
https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
As a client PC you don’t need to enter any RADIUS stuff because it is not YOU who is talking to the RADIUS, it is the LAN switch that is doing RADIUS for the actual authentication part.
If you choose username/password authentication you can populate something in there (e.g. on a Linux box). In a Windows environment probably the cached credentials are forwarded to the LAN switch, which takes this up to the RADIUS. If your RADIUS is then hooked into your Windows Domain the circle is closed.

I’m telling you a very simplified version of the process, just to give you an idea.

From the moment your network card goes up, normally the “supplicant” software (in the OS) starts talking to the switch (port) and some exchanges take place.
These features can be quite complex. It’s not always an “all or nothing” thing. E.g. when your PC boots your implementation might allow DHCP/DNS traffic to already flow, and after login other policies/profiles are processed.

Or initially be placed on a specific VLAN, and after authentication you move VLAN etc. Certain designs incorporate some client-side software to check your PC for whether it is “compliant” to IT standards, latest patches, antivirus updates etc., etc. If not compliant, you are “parked” on some remediation VLAN with partial access until resolved etc., etc.
Many,many options exist.

You are getting it wrong. RADIUS is just a protocol; a RADIUS server is (to a great extent) just a special credentials database.

RADIUS serves AAA requests from your network equipment. So you should be asking about the capabilities of (let’s say) your access switches, not the RADIUS.

The RADIUS client runs on your network equipment (switches, access points, VPN servers, etc.), and NOT on the client devices. Your client devices MAY communicate with your RADIUS server, but that is done indirectly and using other protocols (i.e. EAPoL in the case of 802.1X), and not RADIUS.
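To make the division of roles described in the last two posts concrete (supplicant speaks EAP over EAPoL to the switch port; the switch alone speaks RADIUS), here is an added Python example that is not from the thread, MikroTik or FreeRADIUS. It builds the bytes each party emits: the supplicant's EAP Identity Response inside an EAPOL frame (IEEE 802.1X / RFC 3748), and the authenticator's RADIUS Access-Request relaying that EAP packet in an EAP-Message attribute protected by Message-Authenticator (RFC 2865 / RFC 3579). The identity "joe", NAS port 3 and the shared secret are constructed values, and only the first round trip is shown, not the full EAP conversation.

```python
import hashlib, hmac, os, struct

SHARED_SECRET = b"example-switch-secret"  # constructed switch<->RADIUS secret; the PC never has it

def eap_identity_response(identifier, identity):
    """EAP packet (RFC 3748): Code 2 = Response, Type 1 = Identity."""
    return struct.pack("!BBH", 2, identifier, 5 + len(identity)) + b"\x01" + identity

def eapol_frame(eap_packet):
    """EAPOL header (IEEE 802.1X): version 1, type 0 = EAP-Packet. This is all the supplicant emits."""
    return struct.pack("!BBH", 1, 0, len(eap_packet)) + eap_packet

def radius_attr(attr_type, value):
    """RADIUS attribute TLV: type, length including header, value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def radius_access_request(eap_packet, identity, nas_port, secret, request_auth):
    """What the authenticator (switch) sends to the RADIUS server: the supplicant's EAP packet
    relayed in EAP-Message (79), plus Message-Authenticator (80) = HMAC-MD5 over the whole
    packet with that attribute zeroed (RFC 3579), keyed with the shared secret."""
    attrs = (radius_attr(1, identity)                        # User-Name
             + radius_attr(5, struct.pack("!I", nas_port))   # NAS-Port
             + radius_attr(79, eap_packet)                   # EAP-Message
             + radius_attr(80, bytes(16)))                   # Message-Authenticator placeholder
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + request_auth  # Code 1 = Access-Request
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def find_attr(packet, attr_type):
    """Return (offset, value) of the first attribute of attr_type, or None."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == attr_type:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None

def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC-MD5 with attribute 80 zeroed."""
    found = find_attr(packet, 80)
    if found is None:
        return False
    zeroed = packet[:found[0] + 2] + bytes(16) + packet[found[0] + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), found[1])

if __name__ == "__main__":
    eap = eap_identity_response(1, b"joe")
    req = radius_access_request(eap, b"joe", 3, SHARED_SECRET, os.urandom(16))
    print("EAPOL:", eapol_frame(eap).hex(), "| RADIUS ok:", verify_message_authenticator(req, SHARED_SECRET))
```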

Sounds like someone should go back to school and thus can ask pertinent Mikrotik based questions…
Otherwise perhaps this is a better place to be…
https://www.dslreports.com/forum/network

https://commotionwireless.net/docs/cck/networking/learn-networking-basics/
https://www.foxpass.com/blog/radius-server-and-how-it-works
and three million other resources.

In other words, don’t be so lazy and be prepared to ask pertinent questions related to MT equipment.
Just because you are old, doesn’t mean you forget the basics (of reading and doing homework).

@andriys, you have got the terminology of client wrong. According to Wikipedia https://en.wikipedia.org/wiki/IEEE_802.1X :
client (also called supplicant): the user device (such as a laptop) that wishes to attach to the LAN/WLAN.
authenticator (e.g. a switch): a network device which provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch.
authentication server (RADIUS server): a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed … In some cases, the authentication server software may be running on the authenticator hardware.

@anav, FYI: the question is MT related as how to allow/deny LAN/WAN access to user devices that are attached to a MT switch, via RADIUS/IEEE 802.1X.

No, I have not. You were talking about RADIUS client. That has nothing to do with supplicant and other IEEE 802.1X stuff. Strictly speaking, RADIUS is not even a requirement for 802.1X, any other protocol capable of encapsulating EAP can theoretically be used instead.

I have yet to find an example that covers the described situation in the OP.
Most of these examples understand something different when they talk about “users”: they mean router/switch admin users, whereas I mean normal Average Joe users in a LAN w/o login permission to the router or switch they are connected to, as they aren’t admins.
Maybe I’m a Martian new on planet Earth.

Update: newly discovered: the answer seems to lie exactly in this document:
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x

To me [like YOU] users are Joe users in a LAN w/o login permission to the router or switch they are connected to — that is it.
These things – routers, switches etc. – are there to ENABLE and support USERS – that is the definition of infrastructure … no if’s – no and’s – no but’s. Admins are also users with higher privileges.

As said: the answer seems to be “Dot1x”.
In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet).
So now I’m missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older piece of software named Xsupplicant (there are v2 and v1 versions). I’m trying to compile the v1 of the latter under Linux as it seems to fit my needs better, IMO. But unfortunately I am getting some compile errors… Just a matter of time…
I.e. I hope to use simple port-based authentication without a full-blown external RADIUS server like FreeRADIUS, as it looks to me gigantic for my simple needs (and maybe even buggy as hell and/or like Swiss cheese…). I.e. I try to apply KISS.

Your Linux PCs/systems do not have a GUI?

PS: FreeRADIUS buggy? Are you nuts? FreeRADIUS handles A LOT of authentications globally on the Internet. Also in the “traditional” spaces (PAP/CHAP protocols when doing dialup, PPPoE authentications for xDSL users etc.) but also in the EAP area. There probably are plenty of examples on how to get some basic DOT1X chain working with a simple MAC/local-username-password thingy.
FreeRADIUS is not heavy software that requires a lot of resources to run. A small VM or docker on a NAS could do the job.

https://stackoverflow.com/questions/36743852/freeradius-server-confiuration-for-802-1x

Tons of examples.

On your remark: “I want simple port-based authentication” → Well … there is no such thing as simple in this area. 802.1X projects can be quite a challenge (wired/wireless)! However, with simple MAC/username-password it should be OK, depending on your knowledge.