
 
phin
just joined
Topic Author
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Feature Request: 802.1X over ethernet

Wed Dec 06, 2017 9:46 pm

This would be a great feature to have. Please implement as this is a part of the standard linux kernel these days.

Thank you.
 
doneware
Trainer
Posts: 475
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: 802.1X over ethernet

Thu Dec 07, 2017 12:24 am

this would probably enable the adoption in the enterprise segment
#TR0359
 
alcohol
just joined
Posts: 9
Joined: Thu Oct 31, 2013 8:23 pm

Re: Feature Request: 802.1X over ethernet

Wed Jan 31, 2018 11:15 pm

I thought this was already available but now I see that it isn't, so "me too". Please support wired 802.1x.
 
Crami
newbie
Posts: 26
Joined: Wed Apr 24, 2013 4:07 pm
Location: Zürich, Switzerland
Contact:

Re: Feature Request: 802.1X over ethernet

Wed Sep 05, 2018 6:41 pm

Please, please, we need it, have to use a different vendor if I cannot do 802.1x
 
bsiege
just joined
Posts: 2
Joined: Sat Feb 27, 2016 5:31 pm

Re: Feature Request: 802.1X over ethernet

Tue Nov 06, 2018 9:02 pm

Wait, I did not realize this until today. There is a RADIUS server package (userman) available but no wired 802.1x for ethernet ports? I was optimistic about realizing this completely inside a hex-s for the whole network with userman and no external components.
 
BubaKukin
just joined
Posts: 2
Joined: Thu Feb 08, 2018 4:36 pm
Location: Moscow, Russia

Re: Feature Request: 802.1X over ethernet

Sun Nov 18, 2018 11:29 am

When to expect 802.1x support in RouterOS and SwOS?
In a year, two or never?
 
awacenter
Member Candidate
Posts: 198
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón
Contact:

Re: Feature Request: 802.1X over ethernet

Fri Nov 30, 2018 4:57 pm

+1.
 
tuliss
just joined
Posts: 10
Joined: Mon Aug 06, 2012 9:00 am

Re: Feature Request: 802.1X over ethernet

Sat Dec 01, 2018 1:25 pm

I asked for it on MUM.
+1
 
peterh
just joined
Posts: 19
Joined: Tue Dec 11, 2018 7:39 pm

Re: Feature Request: 802.1X over ethernet

Thu Dec 13, 2018 12:52 am

Agree. 802.1x is mandatory in larger enterprise switch environments. Regulatory requirements subject more and more companies to adherence of IT security standards such as ISO 27002. These standards all recommend network access control. Without it, the product cannot be used in such environments. Since this is usually a trickle down process (first large corporations, then medium sized, then small ones), it will become relevant for MikroTik even if its target market is rather SMBs.
 
sh2222
just joined
Posts: 2
Joined: Tue Dec 18, 2018 12:18 am

Re: Feature Request: 802.1X over ethernet

Tue Dec 18, 2018 12:33 am

MAC authentication, 802.1x (EAP-TLS and PEAP) are very important in a lot of companies. Not only for security reasons. Especially for an automatic port configuration with VLANs.

Regards
SH
 
PaenePerfectus
just joined
Posts: 1
Joined: Sun Dec 23, 2018 4:23 pm

Re: Feature Request: 802.1X over ethernet

Sun Dec 23, 2018 4:29 pm

Hi, my company is also in urgent need of this feature. If not available in the near future we might switch vendor for switches and will replace the existing MikroTik devices.
 
muetzekoeln
Member Candidate
Posts: 104
Joined: Fri Jun 29, 2018 2:34 pm

Re: Feature Request: 802.1X over ethernet

Mon Jan 14, 2019 5:27 pm

+1 for RFC5216 support
 
Luukman
just joined
Posts: 1
Joined: Tue Feb 19, 2019 10:30 pm

Re: Feature Request: 802.1X over ethernet

Tue Feb 19, 2019 10:39 pm

Like sh2222 said, MAC authentication, 802.1x (EAP-TLS and PEAP) are very important in a lot of companies. Not only for security reasons. Especially for an automatic port configuration with VLANs.
 
XGX
just joined
Posts: 1
Joined: Sat Aug 11, 2018 4:04 pm

Re: Feature Request: 802.1X over ethernet

Thu Feb 21, 2019 12:09 am

+1. Strong need in wired 802.1X
 
awacenter
Member Candidate
Posts: 198
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón
Contact:

Re: Feature Request: 802.1X over ethernet

Mon Feb 25, 2019 4:28 pm

I am very interested too
 
maxmedia
just joined
Posts: 2
Joined: Sat Sep 02, 2017 12:21 pm

Re: Feature Request: 802.1X over ethernet

Tue Mar 19, 2019 9:11 am

When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X
 
nickdwhite
just joined
Posts: 11
Joined: Thu Jun 22, 2006 11:41 pm

Re: Feature Request: 802.1X over ethernet

Fri Apr 12, 2019 7:08 pm

When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X

MAJOR CHANGES IN v6.45:
---------------------- 
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
---------------------- 

 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: 802.1X over ethernet

Sat Apr 13, 2019 4:49 am

And before anyone (like myself) wastes time searching where it is:
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
olivier2831
Frequent Visitor
Posts: 71
Joined: Fri Sep 08, 2017 6:53 pm

Re: Feature Request: 802.1X over ethernet

Wed Apr 17, 2019 11:49 am

When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X

MAJOR CHANGES IN v6.45:
---------------------- 
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
---------------------- 

Shall we hope for Radius assigned VLAN with this promising feature ?
 
emils
MikroTik Support
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: Feature Request: 802.1X over ethernet

Thu Apr 18, 2019 1:33 pm

Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: 802.1X over ethernet

Fri Apr 19, 2019 3:46 am

It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated. Well, it's mainly FreeRADIUS, so many options and configuration files, ...

Sorry if it's stupid question, but can I use User Manager instead? I have near zero experience with that too, and quick search suggests that probably not. But it would be really nice if it could do it. If for no other reason, then to be able to have it on router itself and not require other device, that would be really handy in some places.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Halfeez92
newbie
Posts: 34
Joined: Tue Oct 30, 2012 12:58 pm
Contact:

Re: Feature Request: 802.1X over ethernet

Sun Apr 21, 2019 7:16 pm

It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated. Well, it's mainly FreeRADIUS, so many options and configuration files, ...

Sorry if it's stupid question, but can I use User Manager instead? I have near zero experience with that too, and quick search suggests that probably not. But it would be really nice if it could do it. If for no other reason, then to be able to have it on router itself and not require other device, that would be really handy in some places.
I think you can run the dot1x using userman. Try to see in the RADIUS settings if there is any 802.1x option to tick. I have not tried the beta version yet.
 
emils
MikroTik Support
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: Feature Request: 802.1X over ethernet

Tue Apr 23, 2019 8:08 am

No, dot1x requires EAP authentication which User Manager does not support at this moment.
 
emils
MikroTik Support
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: Feature Request: 802.1X over ethernet

Fri Apr 26, 2019 9:23 am

Client side support added in 6.45beta37:
/interface dot1x client
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Feature Request: 802.1X over ethernet

Fri Apr 26, 2019 2:56 pm

Client side support added in 6.45beta37: /interface dot1x client

Thank you.
 
zude
just joined
Posts: 2
Joined: Wed May 01, 2019 12:31 am

Re: Feature Request: 802.1X over ethernet

Wed May 01, 2019 12:40 am

Client side support added in 6.45beta37:
/interface dot1x client
Is this EAPOL/802.1x supplicant mode? I don't see where you define phase2 auth method such as mschapv2.
 
emils
MikroTik Support
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: Feature Request: 802.1X over ethernet

Thu May 02, 2019 11:46 am

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
 
zude
just joined
Posts: 2
Joined: Wed May 01, 2019 12:31 am

Re: Feature Request: 802.1X over ethernet

Thu May 02, 2019 10:39 pm

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
Thank you for clarifying.
 
emils
MikroTik Support
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 2:16 pm

6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 4:07 pm

It's beautiful, but if only we could get rid of external dependencies, i.e. third-party RADIUS, it would be even better. Yeah, I know, some people are never satisfied, call me ungrateful if you want. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Posts: 5350
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 4:10 pm

What is wrong with third party RADIUS? You wanted to use MikroTik usermanager instead?
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 4:35 pm

It's not really about it being third-party (even though I'm big MikroTik fan and I'd favour their solution because of that), but mainly because it's another thing you have to run somewhere, on another machine, keep it alive, etc. But if the place is in this odd in-between position where 802.1x would be useful, but there are no other existing always-online machines where RADIUS could be added to, it's annoying to add something solely for that. I'm not very excited by UM, it hasn't done anything useful for me so far (in the past I wanted per-user wifi passwords, but it's EAP again...), but it's RADIUS server, so it's half way there.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Posts: 5350
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 4:52 pm

Well, we do MAC based authentication here but I have looked only 5 seconds at UM before noticing that it is not really suitable for this.
Very limited possibility to add attributes, no support for replicated servers, etc.
So now I am happily using freeradius. But of course it requires machines to run it on. No problem here as we have ESXi at several locations.
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: 802.1X over ethernet

Thu May 09, 2019 5:46 pm

It's just that I deal mainly with little guys, small offices and such. They could use some advanced features traditionally not used there, but they don't have the proper big infrastructure. Real dedicated server is too much and something small like Raspi is not something I'd want to rely on. Router is the perfect device, it's always on, with power to spare, and if it happens to go down, everything is doomed anyway, so if one more thing relies on it, it doesn't make a difference. Anyway, that's enough for OT, I explained my motivation and maybe one day my wish will come true.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mfischer
just joined
Posts: 2
Joined: Fri May 10, 2019 3:39 pm

Re: Feature Request: 802.1X over ethernet

Fri May 10, 2019 3:49 pm

Hi!

First of all, thank you for this long awaited feature.

Is it possible to have the following multiple level authentication scenario:
1. The client has dot1x enabled - authentication is done and a VLAN is assigned.
2. The client has not enabled dot1x - authentication is done via the client MAC address and a VLAN is assigned.
3. The MAC address is not known to the radius server - a quarantine VLAN is assigned.

That would be a big step towards an all dynamic configuration. We are a technical school with a lot of bring your own device users and devices that don't support dot1x and the above scenario would make us very happy :-)

Greetings, Mike
 
Halfeez92
newbie
Posts: 34
Joined: Tue Oct 30, 2012 12:58 pm
Contact:

Re: Feature Request: 802.1X over ethernet

Mon May 13, 2019 10:22 am

It's beautiful, but if only we could get rid of external dependencies, i.e. third-party RADIUS, it would be even better. Yeah, I know, some people are never satisfied, call me ungrateful if you want. :)
Exactly my thought. Why can't they make a built-in auth server?
 
mutinsa
just joined
Posts: 21
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia
Contact:

Re: Feature Request: 802.1X over ethernet

Tue May 14, 2019 10:51 pm

+1.
Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | IPv6 Forum Certified Network Engineer (Silver) | HE.net IPv6: Sage
 
whyfly
Trainer
Posts: 10
Joined: Tue Feb 09, 2016 4:17 pm

Re: Feature Request: 802.1X over ethernet

Fri May 17, 2019 7:55 am

+1 for adding EAP to User Manager.
My smaller customers are interested in PEAP but are not willing to manage a server of any size.
 
mfischer
just joined
Posts: 2
Joined: Fri May 10, 2019 3:39 pm

Re: Feature Request: 802.1X over ethernet

Tue May 21, 2019 4:42 pm

Hi!

First of all, thank you for this long awaited feature.

Is it possible to have the following multiple level authentication scenario:
1. The client has dot1x enabled - authentication is done and a VLAN is assigned.
2. The client has not enabled dot1x - authentication is done via the client MAC address and a VLAN is assigned.
3. The MAC address is not known to the radius server - a quarantine VLAN is assigned.

That would be a big step towards an all dynamic configuration. We are a technical school with a lot of bring your own device users and devices that don't support dot1x and the above scenario would make us very happy :-)

Greetings, Mike
Especially with an upcoming 48 port switch the above would be a really sophisticated feature set. We are in the middle of choosing our next edge switching equipment (about 7000 ports) and would be willing to wait for a few months for said 48 port switch. Can anyone from Mikrotik make a statement if we can expect that the above stated authentication scenario can be possible in the future?

Thanks,
Mike
 
kugla007
just joined
Posts: 5
Joined: Thu Mar 29, 2018 12:43 pm

Re: Feature Request: 802.1X over ethernet

Wed Jun 12, 2019 9:04 pm

Hi,

I'm testing wired dot1x with NPS. Is it possible to put the interface in a "guest" VLAN if 802.1x authentication fails?

In my example the devices/users that authenticate successfully are put in Corporate VLAN (let's say VLAN10). And I'd like to put all other devices/user into the "guest" VLAN (let's say VLAN20). When devices successfully authenticate they are put into VLAN10. If I connect an unauthorised device (a computer that is not in our domain, doesn't have 802.1 ethernet enabled on their NIC) nothing happens. Port is UP but no MAC is added to the MAC table (/interface bridge hosts print). I tried configuring the port in VLAN20 access statically but nothing happens either.

This would be something that would be really useful if you could implement it in the future.
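
Added example (not part of any post above, and not MikroTik or FreeRADIUS code): the three-step scheme mfischer describes and the fallback VLAN kugla007 asks about both depend on what the RADIUS server answers. This Python model of that server-side decision returns the RFC 3580 VLAN attributes; the user and MAC tables, VLANs 30 and 99, and the eap_success flag standing in for the real EAP exchange are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 3580 attribute values a switch expects for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed sample data; only VLAN 10 echoes the thread's own example.
EAP_USERS = {"alice@example.test": 10}   # 802.1X identity -> corporate VLAN
KNOWN_MACS = {"001122334455": 30}        # device without a supplicant -> its VLAN
QUARANTINE_VLAN = 99

@dataclass
class Request:
    calling_station_id: str              # client MAC as reported by the switch
    eap_identity: Optional[str] = None   # None: MAC-auth request, no EAP-Message
    eap_success: bool = False            # outcome of the EAP exchange (modelled)

@dataclass
class Decision:
    code: str
    attrs: dict = field(default_factory=dict)

def vlan_attrs(vlan_id: int) -> dict:
    """Reply attributes that tell the switch which VLAN to put the port in."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan_id)}

def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb.., aa-bb.., aabb.ccdd.eeff; return 12 hex digits or None."""
    mac = re.sub(r"[:.\-]", "", raw).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

def decide(req: Request) -> Decision:
    # Step 1: the client spoke 802.1X.
    if req.eap_identity is not None:
        vlan = EAP_USERS.get(req.eap_identity)
        if req.eap_success and vlan is not None:
            return Decision("Access-Accept", vlan_attrs(vlan))
        # Policy choice: failed 802.1X is rejected, never downgraded to MAC lookup.
        return Decision("Access-Reject")
    # Steps 2 and 3: no supplicant, so the switch sent the MAC for authentication.
    mac = normalize_mac(req.calling_station_id)
    if mac is None:
        return Decision("Access-Reject")  # malformed Calling-Station-Id
    # An unknown MAC still gets an Accept, carrying the quarantine VLAN:
    # an Access-Reject cannot carry tunnel (VLAN) attributes.
    return Decision("Access-Accept", vlan_attrs(KNOWN_MACS.get(mac, QUARANTINE_VLAN)))
```

Because a MAC address can be copied from any device, the VLANs handed out on the MAC-auth path should be firewalled as untrusted networks. Where a failed 802.1X client ends up after the Access-Reject is decided on the switch, not by the RADIUS server.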
