Wi-Fi RADIUS-assigned VLAN based on user/password, troubleshooting help

Goal:
Have a single SSID authenticated by RADIUS, with VLANs assigned based on username/password.

Succeeded:

  • I've managed to get FreeRADIUS working with my router. My AP is a hAP ac2 (as CAP).
  • Authentication with FreeRADIUS works great.

Issue:
I cannot get the RADIUS server to assign a VLAN.

I have done the following:

  • copied and pasted the contents of RouterOS - RouterOS - MikroTik Documentation into the FreeRADIUS dictionary file

  • the setting for the user is as follows:
    vl86 Cleartext-Password := "bm_vl86"
        Mikrotik_Wireless_VLANID := 86,
        Mikrotik_Wireless_VLANIDtype := 0

  • The security setting is as follows

  • The setting for RADIUS is as follows


RADIUS works, as evidenced by the following status screen

What am I missing?

http://forum.mikrotik.com/t/capsman-freeradius-vlan-per-user/107024/1

It contains in detail what is required and what you are missing, and also covers a small bug (which I don't know whether it's fixed yet or not).

I have reviewed that post and others with similar topics before posting this thread. I did not find a solution, but I will go through that post again.

I did a test with radlogin (RADIUS test client) from another PC and this is the result:

[screenshot: zz1.png]
Is that response acceptable? I am assuming it is the test client that is unaware what those two attributes are.

I've discovered the problem isn't FreeRADIUS at all.

The problem is that the client isn't getting a proper DHCP lease in the VLAN assigned by the RADIUS server. What could I be missing?

[screenshot: zz4.jpg]

Is the VLAN configuration for the wireless interface correct? Does it allow all the necessary VLAN IDs to pass?

The setting seems basic enough. There are two configurations below. The top one is WPA2-EAP with the RADIUS-assigned VLAN, which has the DHCP issue. The bottom one is WPA2-PSK, with no DHCP issue. Both serve the same VLAN.


/caps-man configuration
add datapath.bridge=bridge1 datapath.vlan-mode=use-tag mode=ap \
    name="RADIUS TEST" security.authentication-types=wpa2-eap \
    security.eap-methods=passthrough security.encryption=aes-ccm \
    security.group-encryption=aes-ccm ssid=RADIUSTEST
add datapath.bridge=bridge1 datapath.vlan-id=60 datapath.vlan-mode=use-tag \
    mode=ap name="RADIUS TEST 2" security.authentication-types=wpa2-psk \
    security.passphrase=XXX security.encryption=aes-ccm \
    security.group-encryption=aes-ccm ssid=RADIUSTEST2

/radius
add address=192.168.xx.xx secret=xxx service=wireless timeout=10s


This is the user setting in FreeRADIUS. I am using FreeRADIUS.net, a Windows port of FreeRADIUS based on the older FreeRADIUS 2.0.x.

vl60 User-Password == "vl60"
    Mikrotik_Wireless_VLANID = "60",
    Mikrotik_Wireless_VLANIDtype = "0"

test User-Password == "test"


In summary:

  1. Login to SSID with WPA2-PSK, to tagged VLAN = DHCP OK
  2. Login to SSID with WPA-EAP, to tagged VLAN assigned from FreeRADIUS = DHCP issue
  3. Login to SSID with WPA-EAP, to default untagged VLAN from FreeRADIUS = DHCP OK

I'm stumped. I don't even know where to go next.

Based on other threads with DHCP problems, I've tried disabling RSTP on the bridge, MTU 1504 on the bridge, MTU 1504 in the CAPsMAN config, DHCP set to always broadcast, checking "add ARP for leases" on the DHCP server, and setting an admin MAC on the bridge. Still the same.

Next I will try FreeRADIUS 3.0.19 on Ubuntu. Update: FreeRADIUS 3.0.19 has a different issue: no matter the VLAN setting in FreeRADIUS, all logins get an IP from the default untagged VLAN. I am getting an ulcer (which is par for the course when implementing a new feature in MikroTik).
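Added example (not from this thread, nor MikroTik's or FreeRADIUS's own code): a small Python script that parses a users-file entry in the same shape as the vl60 entry above, encodes its reply items as the RFC 2865 Vendor-Specific attributes the CAP receives in an Access-Accept, and decodes them both with and without knowledge of the vendor dictionary. The second view is what the earlier radlogin result looks like from a test client that does not have the MikroTik dictionary loaded: it sees vendor 14988 and a raw sub-type number rather than an attribute name. It also runs a basic sanity check on the VLAN values, which is a quick way to rule out the users file before blaming the datapath. Assumptions: MikroTik's vendor id 14988, sub-attribute 26 for Mikrotik-Wireless-VLANID and 27 for Mikrotik-Wireless-VLANIDtype (0 = 802.1Q, 1 = 802.1ad), as in the MikroTik RADIUS dictionary; verify these against the dictionary file you actually pasted into FreeRADIUS. Attribute names keep the underscore spelling used in this thread, and the sample users text is constructed.

```python
"""Encode/decode MikroTik VLAN RADIUS reply attributes from a users-file entry.

Assumed constants (check against your loaded dictionary): vendor 14988 is
MikroTik; sub-type 26 = Mikrotik-Wireless-VLANID, 27 = Mikrotik-Wireless-VLANIDtype.
"""
import re
import struct

MIKROTIK_VENDOR_ID = 14988   # assumed: MikroTik's IANA enterprise number
VSA_TYPE = 26                # RFC 2865 Vendor-Specific attribute type

# Underscore spelling as used in the thread's users file -> vendor sub-type number.
MIKROTIK_SUBTYPES = {
    "Mikrotik_Wireless_VLANID": 26,
    "Mikrotik_Wireless_VLANIDtype": 27,
}
SUBTYPE_NAMES = {v: k for k, v in MIKROTIK_SUBTYPES.items()}

# Constructed sample users file in the same shape as the thread's entries.
SAMPLE_USERS = '''
vl60 Cleartext-Password := "vl60"
    Mikrotik_Wireless_VLANID = 60,
    Mikrotik_Wireless_VLANIDtype = 0

test Cleartext-Password := "test"
'''

ENTRY_RE = re.compile(r'^(\S+)\s*(.*)$')
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*"?([^",]*)"?')


def parse_users(text):
    """Return {username: {"check": {...}, "reply": {...}}} from a users-file snippet.
    An unindented line carries the username and check items; indented lines
    that follow are reply items, until a blank line ends the entry."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if not raw[0].isspace():
            m = ENTRY_RE.match(raw.rstrip())
            current = m.group(1)
            users[current] = {"check": {}, "reply": {}}
            for name, _op, val in ITEM_RE.findall(m.group(2)):
                users[current]["check"][name] = val
        elif current:
            for name, _op, val in ITEM_RE.findall(raw):
                users[current]["reply"][name] = val
    return users


def encode_mikrotik_vsa(subtype, value):
    """Encode one 32-bit integer sub-attribute as an RFC 2865 Vendor-Specific AVP:
    type(26) length vendor-id(4) vendor-type vendor-length(6) value(4)."""
    sub = struct.pack("!BBI", subtype, 6, value)
    payload = struct.pack("!I", MIKROTIK_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(payload)) + payload


def build_reply_attrs(reply_items):
    """Encode a user's MikroTik reply items into the AVP bytes of an Access-Accept."""
    out = b""
    for name, val in reply_items.items():
        if name in MIKROTIK_SUBTYPES:
            out += encode_mikrotik_vsa(MIKROTIK_SUBTYPES[name], int(val))
    return out


def decode_attrs(data, known=True):
    """Walk an AVP list. With known=False, report VSAs the way a client without
    the vendor dictionary does: vendor id and raw sub-type instead of a name."""
    result, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        body = data[i + 2:i + alen]
        if atype == VSA_TYPE:
            vendor = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                stype, slen = body[j], body[j + 1]
                sval = body[j + 2:j + slen]
                ival = struct.unpack("!I", sval)[0] if slen == 6 else sval
                if known and vendor == MIKROTIK_VENDOR_ID and stype in SUBTYPE_NAMES:
                    result.append((SUBTYPE_NAMES[stype], ival))
                else:
                    result.append((f"Vendor-Specific(vendor={vendor}, type={stype})", ival))
                j += slen
        else:
            result.append((f"Attr-{atype}", body))
        i += alen
    return result


def check_vlan_reply(reply_items):
    """Return a list of problems with a user's VLAN reply items (empty if fine)."""
    problems = []
    vid = reply_items.get("Mikrotik_Wireless_VLANID")
    vtype = reply_items.get("Mikrotik_Wireless_VLANIDtype")
    if vid is None:
        problems.append("no Mikrotik_Wireless_VLANID in reply")
    elif not 1 <= int(vid) <= 4094:
        problems.append(f"VLAN id {vid} is outside 1..4094")
    if vtype is not None and vtype not in ("0", "1"):
        problems.append(f"VLANIDtype {vtype} is neither 0 (802.1Q) nor 1 (802.1ad)")
    return problems


if __name__ == "__main__":
    for name, entry in parse_users(SAMPLE_USERS).items():
        attrs = build_reply_attrs(entry["reply"])
        print(name, "with dictionary:", decode_attrs(attrs))
        print(name, "without dictionary:", decode_attrs(attrs, known=False))
        print(name, "problems:", check_vlan_reply(entry["reply"]) or "none")
```

Run it against a copy of your own users file by swapping SAMPLE_USERS for its contents; a user whose reply decodes to nothing, or whose VLAN id falls outside 1..4094, will land on the SSID's default VLAN exactly as the summary above describes, regardless of what the datapath does afterwards.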