I had hoped to setup VLAN segregation of wireless clients based upon defail forwarded from RADIUS server during WPA2 enterprise authentication.
Reading the documentation, and forum posts (back many years), it appears this is not possible on Mikrotik devices (only MAC based radius authentication can set the VLAN).
Would really be nice if the RADIUS server response when using security.eap-methods = passthrough could set the per-client VLAN. This seemed like a pretty popular request many years ago - w.r.t implementing VLAN segregation for different classes of user on services like Eduroam advertising a single SSID on Mikrotik hardware.
Kind regards
Peter Clifton
Re: Feature request: Dynamic VLAN assignment (WLAN)
Just a follow-up for anyone reading... or thinking RouterOS does not support dynamic VLANs (on WiFi)... (which old forum posts suggest) - this is not true.
Dynamic wifi VLANs do appear to be possible, just that you need to configure your Radius server to pass attributes set in the inner tunnel authentication down to the outer-tunnel. For me, on freeradius, this was altering some settings under the eap / peap module configuration.
The settings in question were "use_tunneled_reply = yes" (I also set "copy_request_to_tunnel = yes" - not certain that was needed, but it makes attributes passed by the CAP available in the inner tunnel authentication check).
I have the CAPs traffic forwarded back on the CAPsMAN manager unit. Also - I created a new bridge to push traffic onto, and setup the VLANs I was using on that bridge, not sure if that makes a difference. I might like to try and figure out if it is necessary to setup the VLAN interfaces on the unit if doing local forwarding (do tagged packets then just get bridged out to ethernet link of the cAP?)
Especially with the upcoming changes w.r.t. VLANs and bridges - I think it might be useful to document further how VLAN traffic is handled by the software bridges - both as they are in 6.40, and what will be the case when the new implementation lands.
I still don't know if Mikrotik supports VLAN assignment via Radius during 801.X auth on a wired port, or a non CAPsMAN Wifi, but these are not my use-cases).
For futher reading, see this MUM presentation.. (although you'll have to adapt for other Radius servers).
https://mum.mikrotik.com/presentations/ ... 137144.pdf
Dynamic wifi VLANs do appear to be possible, just that you need to configure your Radius server to pass attributes set in the inner tunnel authentication down to the outer-tunnel. For me, on freeradius, this was altering some settings under the eap / peap module configuration.
The settings in question were "use_tunneled_reply = yes" (I also set "copy_request_to_tunnel = yes" - not certain that was needed, but it makes attributes passed by the CAP available in the inner tunnel authentication check).
I have the CAPs traffic forwarded back on the CAPsMAN manager unit. Also - I created a new bridge to push traffic onto, and setup the VLANs I was using on that bridge, not sure if that makes a difference. I might like to try and figure out if it is necessary to setup the VLAN interfaces on the unit if doing local forwarding (do tagged packets then just get bridged out to ethernet link of the cAP?)
Especially with the upcoming changes w.r.t. VLANs and bridges - I think it might be useful to document further how VLAN traffic is handled by the software bridges - both as they are in 6.40, and what will be the case when the new implementation lands.
I still don't know if Mikrotik supports VLAN assignment via Radius during 801.X auth on a wired port, or a non CAPsMAN Wifi, but these are not my use-cases).
For futher reading, see this MUM presentation.. (although you'll have to adapt for other Radius servers).
https://mum.mikrotik.com/presentations/ ... 137144.pdf
Re: Feature request: Dynamic VLAN assignment (WLAN)
Hi there,
I must really thank you for your input on this matter.
I have been reading this same presentation as i am looking at doing the same thing with FreeRADIUS.
I currently have HP MSM, Aruba and Mikrotik deployed in my environment and am going to be purchasing more Mikrotik devices to further our coverage in certain areas. Having dynamic VLAN allocation is the only struggle i have been faced with achieving with Mikrotik devices.
Must say on a side note, that since v6.40. CapsMan now shows the EAP Identity which is really really REALLY useful
I must really thank you for your input on this matter.
I have been reading this same presentation as i am looking at doing the same thing with FreeRADIUS.
I currently have HP MSM, Aruba and Mikrotik deployed in my environment and am going to be purchasing more Mikrotik devices to further our coverage in certain areas. Having dynamic VLAN allocation is the only struggle i have been faced with achieving with Mikrotik devices.
Must say on a side note, that since v6.40. CapsMan now shows the EAP Identity which is really really REALLY useful
Re: Feature request: Dynamic VLAN assignment (WLAN)
Hi there,
An update to this thread.
I have successfully been utilizing Mikrotik equipment, ranging from hAP mini to cAPac for Dynamic VLAN allocation without fault. Was rather interesting after the update where the bridge settings incorporated all the VLAN configuration which made things alot easier to setup and interpret.
All the equipment is managed via a CAPsMAN controller where the RADIUS authentication is passed through to a FreeRADIUS instance for VLAN query and quota filtering.
The next challenge i am trying to work through is get the VLANs to be tunneled through to the cAPs so that the VLANS dont have to be configured on all the switches to the endpoint. The challenge i am seeing is that when you create your VLAN you need to specify the Bridge port, so just need to wrap my head around that.
An update to this thread.
I have successfully been utilizing Mikrotik equipment, ranging from hAP mini to cAPac for Dynamic VLAN allocation without fault. Was rather interesting after the update where the bridge settings incorporated all the VLAN configuration which made things alot easier to setup and interpret.
All the equipment is managed via a CAPsMAN controller where the RADIUS authentication is passed through to a FreeRADIUS instance for VLAN query and quota filtering.
The next challenge i am trying to work through is get the VLANs to be tunneled through to the cAPs so that the VLANS dont have to be configured on all the switches to the endpoint. The challenge i am seeing is that when you create your VLAN you need to specify the Bridge port, so just need to wrap my head around that.
Re: Feature request: Dynamic VLAN assignment (WLAN)
This is exactly what got me going with the Dynamic VLAN allocation when using any Mikrotik as a standalone AP.
The challenge i am trying to solve is to do Dynamic VLAN allocation with Controlled AP connecting back to a CAPsMAN controller and offloading traffic at the controller itself.
The issue i have is when you setup the data connection, you have to specify the Bridge from the CAPsMAN device
The challenge i am trying to solve is to do Dynamic VLAN allocation with Controlled AP connecting back to a CAPsMAN controller and offloading traffic at the controller itself.
The issue i have is when you setup the data connection, you have to specify the Bridge from the CAPsMAN device
Re: Feature request: Dynamic VLAN assignment (WLAN)
If its really good perhaps MT can include it a WIKI!!