Feature Request: 802.1X over ethernet

Posted: Wed Dec 06, 2017 9:46 pm
by phin
This would be a great feature to have. Please implement as this is a part of the standard Linux kernel these days.

Thank you.

Re: Feature Request: 802.1X over ethernet

Posted: Thu Dec 07, 2017 12:24 am
by doneware
this would probably enable the adoption in the enterprise segment

Re: Feature Request: 802.1X over ethernet

Posted: Wed Jan 31, 2018 11:15 pm
by alcohol
I thought this was already available but now I see that it isn't, so "me too". Please support wired 802.1x.

Re: Feature Request: 802.1X over ethernet

Posted: Wed Sep 05, 2018 6:41 pm
by Crami
Please, please, we need it, have to use different vendor if I cannot do 802.1x

Re: Feature Request: 802.1X over ethernet

Posted: Tue Nov 06, 2018 9:02 pm
by bsiege
Wait, I did not realize this until today. There is a radius server package (userman) available but no wired 802.1x for ethernet ports? I was optimistic to realize this complete inside a hex-s for the whole network with userman and no external components.

Re: Feature Request: 802.1X over ethernet

Posted: Sun Nov 18, 2018 11:29 am
by BubaKukin
When to expect 802.1x support in RouterOS and SwOS?
In a year, two or never?

Re: Feature Request: 802.1X over ethernet

Posted: Fri Nov 30, 2018 4:57 pm
by awacenter
+1.

Re: Feature Request: 802.1X over ethernet

Posted: Sat Dec 01, 2018 1:25 pm
by tuliss
I asked for it on MUM.
+1

Re: Feature Request: 802.1X over ethernet

Posted: Thu Dec 13, 2018 12:52 am
by peterh
Agree. 802.1x is mandatory in larger enterprise switch environments. Regulatory requirements subject more and more companies to adherence to IT security standards such as ISO 27002. These standards all recommend network access control. Without it, the product cannot be used in such environments. Since this is usually a trickle down process (first large corporations, then medium sized, then small ones), it will become relevant for MikroTik even if its target market is rather SMBs.

Re: Feature Request: 802.1X over ethernet

Posted: Tue Dec 18, 2018 12:33 am
by sh2222
MAC authentication, 802.1x (EAP-TLS and PEAP) are very important in a lot of companies. Not only for security reasons. Especially for an automatic port configuration with vlans.

Regards
SH

Re: Feature Request: 802.1X over ethernet

Posted: Sun Dec 23, 2018 4:29 pm
by PaenePerfectus
Hi, my company is also in urgent need of this feature. If not available in the near future we might switch vendor for switches and will replace the existing mikrotik devices.

Re: Feature Request: 802.1X over ethernet

Posted: Mon Jan 14, 2019 5:27 pm
by muetzekoeln
+1 for RFC5216 support

Re: Feature Request: 802.1X over ethernet

Posted: Tue Feb 19, 2019 10:39 pm
by Luukman
Like sh2222 said, MAC authentication, 802.1x (EAP-TLS and PEAP) are very important in a lot of companies. Not only for security reasons. Especially for an automatic port configuration with vlans.

Re: Feature Request: 802.1X over ethernet

Posted: Thu Feb 21, 2019 12:09 am
by XGX
+1. Strong need in wired 802.1X

Re: Feature Request: 802.1X over ethernet

Posted: Mon Feb 25, 2019 4:28 pm
by awacenter
I am very interested too

Re: Feature Request: 802.1X over ethernet

Posted: Tue Mar 19, 2019 9:11 am
by maxmedia
When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X

Re: Feature Request: 802.1X over ethernet

Posted: Fri Apr 12, 2019 7:08 pm
by nickdwhite
When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X

MAJOR CHANGES IN v6.45:
---------------------- 
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
---------------------- 


Re: Feature Request: 802.1X over ethernet

Posted: Sat Apr 13, 2019 4:49 am
by Sob
And before anyone (like myself) wastes time searching where it is:
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

Re: Feature Request: 802.1X over ethernet

Posted: Wed Apr 17, 2019 11:49 am
by olivier2831
When to expect 802.1x support in RouterOS?

Strong need in wired 802.1X

MAJOR CHANGES IN v6.45:
---------------------- 
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
---------------------- 

Shall we hope for Radius assigned VLAN with this promising feature ?

Re: Feature Request: 802.1X over ethernet

Posted: Thu Apr 18, 2019 1:33 pm
by emils
Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.

Re: Feature Request: 802.1X over ethernet

Posted: Fri Apr 19, 2019 3:46 am
by Sob
It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated. Well, it's mainly FreeRADIUS, so many options and configuration files, ...

Sorry if it's stupid question, but can I use User Manager instead? I have near zero experience with that too, and quick search suggests that probably not. But it would be really nice if it could do it. If for no other reason, then to be able to have it on router itself and not require other device, that would be really handy in some places.

Re: Feature Request: 802.1X over ethernet

Posted: Sun Apr 21, 2019 7:16 pm
by Halfeez92
It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated. Well, it's mainly FreeRADIUS, so many options and configuration files, ...

Sorry if it's stupid question, but can I use User Manager instead? I have near zero experience with that too, and quick search suggests that probably not. But it would be really nice if it could do it. If for no other reason, then to be able to have it on router itself and not require other device, that would be really handy in some places.
I think you can run the dot1x using userman. Try to see in the radius settings if there is any 802.1x option to tick. I have not tried the beta version yet.

Re: Feature Request: 802.1X over ethernet

Posted: Tue Apr 23, 2019 8:08 am
by emils
No, dot1x requires EAP authentication which User Manager does not support at this moment.

Re: Feature Request: 802.1X over ethernet

Posted: Fri Apr 26, 2019 9:23 am
by emils
Client side support added in 6.45beta37:
/interface dot1x client

Re: Feature Request: 802.1X over ethernet

Posted: Fri Apr 26, 2019 2:56 pm
by pcunite
Client side support added in 6.45beta37: /interface dot1x client

Thank you.

Re: Feature Request: 802.1X over ethernet

Posted: Wed May 01, 2019 12:40 am
by zude
Client side support added in 6.45beta37:
/interface dot1x client
Is this EAPOL/802.1x supplicant mode? I don't see where you define phase2 auth method such as mschapv2.

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 02, 2019 11:46 am
by emils
If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 02, 2019 10:39 pm
by zude
If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
Thank you for clarifying.

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 2:16 pm
by emils
6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 4:07 pm
by Sob
It's beautiful, but if only we could get rid of external dependencies, i.e. third-party RADIUS, it would be even better. Yeah, I know, some people are never satisfied, call me ungrateful if you want. :)

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 4:10 pm
by pe1chl
What is wrong with third party RADIUS? You wanted to use MikroTik usermanager instead?

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 4:35 pm
by Sob
It's not really about it being third-party (even though I'm big MikroTik fan and I'd favour their solution because of that), but mainly because it's another thing you have to run somewhere, on another machine, keep it alive, etc. But if the place is in this odd in-between position where 802.1x would be useful, but there are no other existing always-online machines where RADIUS could be added to, it's annoying to add something solely for that. I'm not very excited by UM, it hasn't done anything useful for me so far (in the past I wanted per-user wifi passwords, but it's EAP again...), but it's RADIUS server, so it's half way there.

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 4:52 pm
by pe1chl
Well, we do MAC based authentication here but I have looked only 5 seconds at UM before noticing that it is not really suitable for this.
Very limited possibility to add attributes, no support for replicated servers, etc.
So now I am happily using freeradius. But of course it requires machines to run it on. No problem here as we have ESXi at several locations.

Re: Feature Request: 802.1X over ethernet

Posted: Thu May 09, 2019 5:46 pm
by Sob
It's just that I deal mainly with little guys, small offices and such. They could use some advanced features traditionally not used there, but they don't have the proper big infrastructure. Real dedicated server is too much and something small like Raspi is not something I'd want to rely on. Router is the perfect device, it's always on, with power to spare, and if it happens to go down, everything is doomed anyway, so if one more thing relies on it, it doesn't make a difference. Anyway, that's enough for OT, I explained my motivation and maybe one day my wish will come true.

Re: Feature Request: 802.1X over ethernet

Posted: Fri May 10, 2019 3:49 pm
by mfischer
Hi!

First of all, thank you for this long awaited feature.

Is it possible to have the following multiple level authentication scenario:
1. The client has dot1x enabled - authentication is done and a VLAN is assigned.
2. The client has not enabled dot1x - authentication is done via the client MAC address and a VLAN is assigned.
3. The MAC address is not known to the radius server - a quarantine VLAN is assigned.

That would be a big step towards an all dynamic configuration. We are a technical school with a lot of bring your own device users and devices that don't support dot1x and the above scenario would make us very happy :-)

Greetings, Mike

Re: Feature Request: 802.1X over ethernet

Posted: Mon May 13, 2019 10:22 am
by Halfeez92
It's beautiful, but if only we could get rid of external dependencies, i.e. third-party RADIUS, it would be even better. Yeah, I know, some people are never satisfied, call me ungrateful if you want. :)
Exactly my thought. Why can't they make the built-in auth server?

Re: Feature Request: 802.1X over ethernet

Posted: Tue May 14, 2019 10:51 pm
by mutinsa
+1.

Re: Feature Request: 802.1X over ethernet

Posted: Fri May 17, 2019 7:55 am
by whyfly
+1 for adding EAP to User Manager.
My smaller customers are interested in PEAP but are not willing to manage a server of any size.

Re: Feature Request: 802.1X over ethernet

Posted: Tue May 21, 2019 4:42 pm
by mfischer
Hi!

First of all, thank you for this long awaited feature.

Is it possible to have the following multiple level authentication scenario:
1. The client has dot1x enabled - authentication is done and a VLAN is assigned.
2. The client has not enabled dot1x - authentication is done via the client MAC address and a VLAN is assigned.
3. The MAC address is not known to the radius server - a quarantine VLAN is assigned.

That would be a big step towards an all dynamic configuration. We are a technical school with a lot of bring your own device users and devices that don't support dot1x and the above scenario would make us very happy :-)

Greetings, Mike
Especially with an upcoming 48 port switch the above would be a really sophisticated feature set. We are in the middle of choosing our next edge switching equipment (about 7000 ports) and would be willing to wait for a few months for said 48 port switch. Can anyone from Mikrotik make a statement if we can expect that the above stated authentication scenario can be possible in the future?

Thanks,
Mike

Re: Feature Request: 802.1X over ethernet

Posted: Wed Jun 12, 2019 9:04 pm
by kugla007
Hi,

I'm testing wired dot1x with NPS. Is it possible to put the interface in a "guest" VLAN if 802.1x authentication fails?

In my example the devices/users that authenticate successfully are put in Corporate VLAN (let's say VLAN10). And I'd like to put all other devices/user into the "guest" VLAN (let's say VLAN20). When devices successfully authenticate they are put into VLAN10. If I connect an unauthorised device (a computer that is not in our domain, doesn't have 802.1 ethernet enabled on their NIC) nothing happens. Port is UP but no MAC is added to the MAC table (/interface bridge hosts print). I tried configuring the port in VLAN20 access statically but nothing happens either.

This would be something that would be really useful if you could implement it in the future.
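
The tiered scenario mfischer describes (802.1X first, MAC authentication as fallback, quarantine VLAN otherwise) and the guest VLAN kugla007 asks about, shown as the decision a RADIUS server would make. This is an added example, not code from the thread or from MikroTik; the user names, MAC addresses and VLAN IDs are constructed, the VLAN is returned with the standard RFC 3580 tunnel attributes, and sending a failed EAP attempt to quarantine instead of retrying it as MAC authentication is a design choice of this example.

```python
# Added illustration: RADIUS-side policy for the three-tier scenario.
# Users, MAC addresses and VLAN IDs below are constructed for the example.

QUARANTINE_VLAN = 99                      # assumed quarantine/guest VLAN
DOT1X_USERS = {"alice": 10, "bob": 10}    # EAP identity -> VLAN
KNOWN_MACS = {"00:11:22:33:44:55": 30}    # devices without a supplicant -> VLAN


def normalize_mac(mac):
    """Canonicalise a MAC so 'AA-BB-..', 'aabb.ccdd.eeff', 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id):
    """RFC 3580 tunnel attributes that carry a VLAN assignment."""
    return {
        "Tunnel-Type": 13,                 # VLAN
        "Tunnel-Medium-Type": 6,           # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def decide(mac, eap_identity=None, eap_success=False):
    """Return (tier, reply attributes) for one authentication attempt on a port."""
    mac = normalize_mac(mac)
    # Tier 1: the supplicant completed EAP; the VLAN follows the identity.
    if eap_identity is not None and eap_success and eap_identity in DOT1X_USERS:
        return "dot1x", vlan_attributes(DOT1X_USERS[eap_identity])
    # EAP was attempted but failed: do not fall back to MAC authentication.
    # A MAC address is not a credential, so a known address must not rescue
    # a failed login (design choice of this example).
    if eap_identity is not None:
        return "quarantine", vlan_attributes(QUARANTINE_VLAN)
    # Tier 2: no supplicant on the port; the MAC address is the identity.
    if mac in KNOWN_MACS:
        return "mac-auth", vlan_attributes(KNOWN_MACS[mac])
    # Tier 3: unknown device; accept it, but only into the quarantine VLAN.
    return "quarantine", vlan_attributes(QUARANTINE_VLAN)
```

Because tier 2 trusts an address the client announces itself, the VLANs handed out by MAC authentication are best kept as restricted as the quarantine VLAN allows.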

Re: Feature Request: 802.1X over ethernet

Posted: Fri Nov 01, 2019 9:38 am
by bpwl
+1 for adding EAP to User Manager.
My smaller customers are interested in PEAP but are not willing to manage a server of any size.
+1 as well. Even using a routerboard with another firmware would already be a workaround. Making a FreeRADIUS appliance with Mikrotik hardware?