 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

ADD DYNAMIC VLAN ASSIGNMENT.

Tue Apr 22, 2014 1:34 am

Hi,

I would like Dynamic VLAN Assignment added to MikroTik. I have looked around at what this would take to accomplish, and it would be a minimum amount of hours to implement. I am tired of using non-MikroTik products and would like to use MikroTik products; however, I cannot use MikroTik until it supports dynamic VLAN assignment.

Thank you.
-Jonathan
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Tue Apr 22, 2014 1:39 am

Hi,

I would like Dynamic VLAN Assignment added to MikroTik. I have looked around at what this would take to accomplish, and it would be a minimum amount of hours to implement. I am tired of using non-MikroTik products and would like to use MikroTik products; however, I cannot use MikroTik until it supports dynamic VLAN assignment.

Thank you.
-Jonathan

What do you mean by dynamic VLAN assignment? The CRS has a bunch of VLAN features...
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Apr 25, 2014 9:47 am

Many radios, routers and firmwares support Dynamic VLAN Assignment. It allows for the use of additional functionality, like NAC software. I have had success flashing MikroTik with OpenWRT to get the dynamic VLAN assignment function, but it would be nice if MikroTik just included it in their factory firmware... Their hardware already supports it.

Currently, VLAN assignment is performed using several different techniques.... These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that 3rd Party NAC Software is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where 3rd Party NAC Software acts as a DHCP/DNS/HTTP server where it runs the captive portal.

Compared to 3rd Party NAC Software legacy modes of operation (ARP and DHCP), VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.

Using SNMP Traps

All switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the 3rd Party NAC Software host. On 3rd Party NAC Software, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps. You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which 3rd Party NAC Software will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

Link Change Traps

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just an empty VLAN. When a host connects to a switch port, the switch sends a linkUp trap to 3rd Party NAC Software. Since it takes some time before the switch learns the MAC address of the newly connected device, 3rd Party NAC Software immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN.

When a device is unplugged, the switch sends a 'linkDown' trap to 3rd Party NAC Software, which puts the port into the MAC detection VLAN. When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to 3rd Party NAC Software. Since 3rd Party NAC Software has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, 3rd Party NAC Software stops every thread for a 'linkUp' trap when it receives a 'linkDown' trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, 3rd Party NAC Software would receive a lot of traps almost instantly and this could result in network connection latency…

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to 3rd Party NAC Software.

Port Security Traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and 3rd Party NAC Software.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.

Wired: 802.1X + MAC Authentication Bypass (MAB)

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as the NAS), and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS database.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP protocol. Among the popular ones are EAP-MD5, PEAP-MSCHAPv2 (used by Windows for authentication against Active Directory) and EAP-TLS.

In this context, 3rd Party NAC Software runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates into FreeRADIUS does a remote call to the 3rd Party NAC Software server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC authentication bypass (MAB) is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAB. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and that there is no end-to-end EAP conversation (no strong authentication). Using MAB, devices like network printers or non-802.1X-capable IP Telephones (IPT) can still gain access to the network and the right VLAN.

Right now this integration is not as pleasant as it could be, involving manual modification of our FreeRADIUS module, but our latest unreleased code already handles 802.1X + MAB built into the 3rd Party NAC Software main configuration. If you are adventurous, feel free to try it out.

Introduction to Wireless Integration

Wireless 802.1X works pretty much like wired 802.1X, and MAC authentication is like MAB. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to allow or disallow a MAC on the wireless network.

3rd Party NAC Software integrates very well with wireless networks. As with its wired counterpart, the switch, a wireless access point (AP) needs to implement some specific features in order for the integration to work perfectly. In particular, the AP needs to support

several SSIDs with several VLANs inside each SSID
authentication against a RADIUS server
dynamic VLAN assignment (through RADIUS attributes)
SNMP deauthentication traps
the deauthentication of an associated station

We can then configure two SSIDs on the AP, the first one reserved for visitors and unregistered clients. In this SSID, communications will not be encrypted and users will connect either to the registration VLAN or the guest VLAN (depending on their registration status). Users can register and get assistance to configure their access to the secure SSID using the captive portal, which requires authentication and runs over HTTPS. The second SSID will allow encrypted communications for registered users.
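The trap-driven flow in the pasted documentation (linkUp parks the port in the MAC-detection VLAN, a linkDown on the same port cancels the pending linkUp work, and a MAC-learnt or port-security trap triggers the database lookup), as an added example that is not PacketFence's or the thread's own code. The VLAN numbers, the one-line trap format and the device table are constructed for the example; real snmptrapd.log output looks different.

```python
# Model of a trap-driven NAC controller (added example, not PacketFence code).
# Trap lines use a constructed "time switch trapType port [mac]" format.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAC_DETECTION_VLAN = 999   # constructed: empty VLAN, no DHCP, not routed
REGISTRATION_VLAN = 2      # constructed: unregistered devices / captive portal
ISOLATION_VLAN = 3         # constructed: devices with open violations


@dataclass
class NacController:
    devices: Dict[str, dict]                        # mac -> registered/violations/vlan
    port_vlan: Dict[str, int] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)  # ports awaiting a learned MAC

    def vlan_for(self, mac: str) -> int:
        """Decision order from the text: existing? registered? open violations?"""
        dev = self.devices.get(mac.lower())
        if dev is None or not dev["registered"]:
            return REGISTRATION_VLAN
        if dev["violations"] > 0:
            return ISOLATION_VLAN
        return dev["vlan"]

    def handle_trap(self, trap: dict) -> Optional[int]:
        kind, port = trap["type"], trap["port"]
        if kind == "linkUp":
            # MAC not learned yet: park the port and wait for the MAC.
            self.port_vlan[port] = MAC_DETECTION_VLAN
            self.pending.add(port)
        elif kind == "linkDown":
            # Abort pending linkUp work for this port, as pfsetvlan does.
            self.pending.discard(port)
            self.port_vlan[port] = MAC_DETECTION_VLAN
        elif kind in ("macLearnt", "portSecurity"):
            self.pending.discard(port)
            self.port_vlan[port] = self.vlan_for(trap["mac"])
        return self.port_vlan.get(port)   # unknown trap types leave the port as is


def parse_trap_line(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) < 4:
        return None
    trap = {"time": parts[0], "switch": parts[1], "type": parts[2], "port": parts[3]}
    if len(parts) > 4:
        trap["mac"] = parts[4]
    if trap["type"] in ("macLearnt", "portSecurity") and "mac" not in trap:
        return None   # a MAC trap without a MAC cannot be resolved
    return trap


def run_trap_log(ctrl: NacController, lines: List[str]) -> Dict[str, int]:
    for line in lines:
        trap = parse_trap_line(line)
        if trap is not None:
            ctrl.handle_trap(trap)
    return dict(ctrl.port_vlan)


# Constructed device table and trap lines for a stand-alone run.
SAMPLE_DEVICES = {
    "aa:bb:cc:00:00:01": {"registered": True, "violations": 0, "vlan": 10},
    "aa:bb:cc:00:00:02": {"registered": True, "violations": 1, "vlan": 10},
}
SAMPLE_TRAPS = [
    "09:47:01 sw1 linkUp Gi1/0/5",
    "09:47:03 sw1 macLearnt Gi1/0/5 aa:bb:cc:00:00:01",
    "09:47:05 sw1 linkUp Gi1/0/6",
    "09:47:05 sw1 linkDown Gi1/0/6",   # NIC init bounce cancels the linkUp
    "09:47:09 sw1 portSecurity Gi1/0/7 aa:bb:cc:00:00:02",
    "09:47:10 sw1 macLearnt Gi1/0/8 de:ad:be:ef:00:01",   # unknown device
]
```

Running `run_trap_log(NacController(SAMPLE_DEVICES), SAMPLE_TRAPS)` leaves the registered host on VLAN 10, the bounced port parked in the MAC-detection VLAN, the host with a violation in isolation and the unknown MAC in registration.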
 
mainTAP
newbie
Posts: 36
Joined: Tue Oct 02, 2012 4:01 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Apr 25, 2014 10:16 pm

+1
 
xavierc
just joined
Posts: 8
Joined: Mon Apr 21, 2014 8:42 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Tue Apr 29, 2014 11:00 pm

I support this request +1
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed May 07, 2014 10:30 pm

.... Me too..
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sat May 10, 2014 3:48 am

Adding dynamic VLAN assignment would be great for v7.
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sat May 10, 2014 5:48 am

www.packetfence.org

Should work with CAPsMAN as a hostapd AP when it's in production. I'd like to see RADIUS support in the switches.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sun Jun 08, 2014 6:54 am

PacketFence is the whole reason I made this post... Currently MikroTik has everything needed to support PacketFence, except that dynamic VLAN assignment is not enabled....
I really would like MikroTik to support NAC software by enabling dynamic VLAN assignment...
 
keithy
newbie
Posts: 25
Joined: Sat Aug 07, 2010 7:00 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sun Jun 08, 2014 4:10 pm

+1 would be very useful
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jun 11, 2014 7:20 pm

Please add Dynamic VLAN Assignment.
 
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Jun 12, 2014 2:55 pm

Using CRS you can set up MAC addresses that will have a VLAN assigned, no matter what port is used.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sat Jun 14, 2014 10:26 pm

That is not dynamic VLAN Assignment, and that will not work with NAC Software.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sun Jun 22, 2014 8:38 pm

Dynamic VLAN Assignment today Please ?
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Mon Jun 23, 2014 4:28 am

Using CRS you can set up MAC addresses that will have a VLAN assigned, no matter what port is used.

That doesn't help with wireless/802.1X. I'd like to see MAC/802.1X RADIUS auth in switches and access points honoring the VLAN returned by RADIUS. All the big players and lots of the small ones support this and have for years. It's nothing new.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jun 25, 2014 12:40 am

Please PLEASE please add Dynamic VLAN Assignment so I can use MikroTik with OpenNAC and PacketFence... Please!

It's not going to be hard to do....
 
baggar11
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Tue Oct 22, 2013 4:49 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Jun 27, 2014 5:16 am

Came here to post my support for this as well. I would love to be able to use Packetfence with Mikrotik devices.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Jun 27, 2014 5:28 am

Making a new thread called 'VOTE FOR PACKETFENCE SUPPORT'...

Please vote and rally your troops for the cause. PacketFence is great, and its added support means MikroTik does not need to be responsible for something new.
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Jun 27, 2014 1:36 pm

Put it this way.. I have 300 Meru APs on campus.. I'm not super impressed with them overall.. Having functional 802.1X and MAC-based authentication with dynamic VLAN assignment and dynamic profiles (add to queues or address lists and such) would make it usable for me. Vport/channel sharing would be a huge plus too....

Would probably need AC support too, to justify the upgrade. :D
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jul 02, 2014 8:27 am

I have PacketFence running with Ruckus and it works awesome. Can MikroTik please get on board? There are serious professional needs for this.
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jul 02, 2014 2:24 pm

At the switch level too.. we use PacketFence to control about 10000 network ports in addition to the APs. MAC-based VLAN assignment for the switches and MAC/802.1X for the APs.
 
joncolby
newbie
Topic Author
Posts: 39
Joined: Wed Nov 13, 2013 8:09 am
Location: Southern California

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jul 02, 2014 7:01 pm

Definitely, ALL MikroTik switches should support the minimal function for PacketFence on their switches as well...

I spoke with many people about hostapd and dynamic VLAN assignment, and they all said MikroTik could add support for that in less than 2 days if they tried....
 
cchance
newbie
Posts: 39
Joined: Mon Dec 01, 2014 2:42 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Tue Feb 10, 2015 3:15 pm

+1 to this for sure,
 
rwrocket
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Mon Nov 24, 2014 8:08 am

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Oct 08, 2015 7:34 am

BUMP

Need this too
 
revellion
just joined
Posts: 13
Joined: Thu Nov 10, 2011 9:53 pm
Location: Sweden

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Oct 09, 2015 8:07 pm

Bump
 
bajodel
Long time Member
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Oct 09, 2015 11:58 pm

+1 one more
 
Yashiro
just joined
Posts: 1
Joined: Tue Nov 10, 2015 1:04 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Nov 11, 2015 8:39 pm

Can anyone tell if this has been implemented yet?
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Dec 10, 2015 10:49 pm

Please add RADIUS-based dynamic VLAN support to RouterOS. I'm already deploying this via Ruckus access points/controller/our RADIUS AAA servers, but would also like to have this supported natively on the MikroTik routers (all the AAA/RADIUS interfaces are there, it just needs to support this parameter).

I'll even say PLEASE again! Thanks. v3.34 would work for me :D
 
JorgeAmaral
Trainer
Trainer
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Fri Dec 11, 2015 12:16 am

RouterOS already supports this over wifi since CAPS v2 (6.23+).

There are already some threads about this:

http://forum.mikrotik.com/viewtopic.php?t=81881

http://forum.mikrotik.com/viewtopic.php?t=95537

You just need to enable CAPs v2, add the RADIUS server and enable wireless; inside caps->access-list add an access rule with action=query-radius and set the proper security profile.

Your RADIUS server needs to reply with the correct RADIUS attributes (Mikrotik_Wireless_VLANID and Mikrotik_Wireless_VLANIDtype).

Don't forget to update your RADIUS server dictionary: http://wiki.mikrotik.com/wiki/Manual:RA ... dictionary

I have this working with EDUROAM and it works like a charm.

And I confirm that user-based authentication (802.1X) with dynamic VLAN works :-)

What we just need is 802.1X support with dynamic VLANs for electrical ports (fast/giga ethernet).

Best regards,
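The attribute exchange Jorge describes, as an added example that is not code from this thread, MikroTik or FreeRADIUS: Python that packs the two MikroTik vendor-specific attributes into a RADIUS attribute list the way an Access-Accept carries them, and unpacks them the way a CAP would. The vendor id 14988, the sub-attribute numbers 26/27 and the VLANIDtype values (0 = 802.1q, 1 = 802.1ad) come from MikroTik's RADIUS dictionary; the VLAN values used are constructed.

```python
# Added example: encode/decode the MikroTik vendor-specific RADIUS attributes
# that carry a dynamic VLAN assignment. Not MikroTik or FreeRADIUS code.
# Layout follows RFC 2865 Vendor-Specific (type 26); vendor id 14988 and
# sub-attribute numbers 26/27 are from the MikroTik RADIUS dictionary.
import struct

VENDOR_SPECIFIC = 26          # standard RADIUS attribute type
MIKROTIK_VENDOR_ID = 14988    # MikroTik IANA enterprise number
MT_WIRELESS_VLANID = 26       # Mikrotik-Wireless-VLANID (integer)
MT_WIRELESS_VLANIDTYPE = 27   # Mikrotik-Wireless-VLANIDtype (integer)
VLAN_TYPE_8021Q = 0           # dictionary value for 802.1q tagging
VLAN_TYPE_8021AD = 1          # dictionary value for 802.1ad tagging


def encode_vsa(vendor_type: int, value: int) -> bytes:
    """One Vendor-Specific attribute holding a single 4-byte integer."""
    inner = struct.pack("!BBI", vendor_type, 6, value)   # vendor-type, vendor-length, value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_vlan_assignment(vlan_id: int, vlan_type: int = VLAN_TYPE_8021Q) -> bytes:
    """Attribute bytes a RADIUS server would put in Access-Accept for this user."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (encode_vsa(MT_WIRELESS_VLANID, vlan_id)
            + encode_vsa(MT_WIRELESS_VLANIDTYPE, vlan_type))


def iter_attributes(data: bytes):
    """Yield (type, value) from a RADIUS TLV list; rejects malformed lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[off + 2:off + length]
        off += length


def decode_vlan_assignment(data: bytes):
    """Return (vlan_id, vlan_type) as the CAP would read them, or None.

    A CAP must only act on this after the Response Authenticator has been
    verified with the shared secret; that step is outside this example.
    """
    vlan_id = vlan_type = None
    for t, value in iter_attributes(data):
        if t != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
            continue                      # another vendor's VSA: ignore
        for vt, vv in iter_attributes(value[4:]):   # sub-attributes share the TLV layout
            if len(vv) != 4:
                continue
            if vt == MT_WIRELESS_VLANID:
                vlan_id = struct.unpack("!I", vv)[0]
            elif vt == MT_WIRELESS_VLANIDTYPE:
                vlan_type = struct.unpack("!I", vv)[0]
    if vlan_id is None:
        return None
    return vlan_id, (VLAN_TYPE_8021Q if vlan_type is None else vlan_type)
```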
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Jan 14, 2016 12:36 am

Bumping this dynamic VLAN support thread, because I really need this to work with wired ports and would like to see more standard RADIUS protocol parameter support, as was captured in a previous post.

I have Ruckus access points connected to MikroTik routers deployed and the dynamic VLANing works great all through the Ruckus AP/controller/my RADIUS server system. But I need to have the MikroTik support dVLAN natively to meet all of my deployment scenarios.
 
anuser
Member
Member
Posts: 407
Joined: Sat Nov 29, 2014 7:27 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Tue Feb 09, 2016 11:34 am

Hello Jorge,
You just need to enable caps v2, add the radius server and enable wireless, inside caps->access-list add an access-rule with action=query-radius and set the proper security profile.
[...]
could you please post your RouterOS/CAPSMAN configuration for this part, i.e. the actual VLAN assignment on RouterOS?
Regards
 
Guido64
just joined
Posts: 8
Joined: Mon Oct 27, 2014 9:59 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Mar 09, 2016 10:22 pm

I also would like more information on how to configure MikroTik to work with dVLAN. Today I have managed to configure my 2 Ubiquiti UAP-Pro's to work with dVLAN with beta firmware. It's really nice how it works: I can put users in a group and the RADIUS replies the group settings to the AP, like the VLAN id, and it works really well. If I log on as user A I'm getting an IP from VLAN x, and when I log on as user B I get an IP from the next VLAN I set up for this.

Now I want to add my MikroTik APs the same way, but I have no clue how and where to begin. WPA2-EAP already works with the MT APs, just not the dVLAN function. Maybe someone has some kind of tutorial or how-to on how to do it.
 
chechito
Forum Guru
Forum Guru
Posts: 1747
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Mar 10, 2016 12:50 pm

I also would like more information on how to configure MikroTik to work with dVLAN. Today I have managed to configure my 2 Ubiquiti UAP-Pro's to work with dVLAN with beta firmware. It's really nice how it works: I can put users in a group and the RADIUS replies the group settings to the AP, like the VLAN id, and it works really well. If I log on as user A I'm getting an IP from VLAN x, and when I log on as user B I get an IP from the next VLAN I set up for this.

Now I want to add my MikroTik APs the same way, but I have no clue how and where to begin. WPA2-EAP already works with the MT APs, just not the dVLAN function. Maybe someone has some kind of tutorial or how-to on how to do it.

Some time ago I tested a MikroTik AP and, using the RADIUS attribute for the VLAN, the traffic of the client gets tagged with the corresponding VLAN ID.

I don't remember the version of RouterOS I tested.
 
anuser
Member
Member
Posts: 407
Joined: Sat Nov 29, 2014 7:27 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Thu Mar 10, 2016 12:59 pm

It works => http://forum.mikrotik.com/viewtopic.php ... 95#p525995

You have to use the new "wireless-cm" or "wireless-rep" package and disable the old "wireless-fp" package.
For now, clients can use IPv4 with "dynamic vlan assignment" and IPv4 + IPv6 with static VLAN assignment.
+ change the multicast-helper setting to full on the CAP interface
 
Guido64
just joined
Posts: 8
Joined: Mon Oct 27, 2014 9:59 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Sun Mar 20, 2016 2:38 am

I have Ubiquiti APs; they work with dynamic VLANs. I created groups in FreeRADIUS and set:
Image

The Ubiquiti APs are now working, but MikroTik is a bit harder for me to configure. MK has lots more configuration possibilities, which is totally great, but I'm not so experienced with MK.

I have MK working with WPA2-EAP and VLANs attached to different SSIDs for a few years now. I installed wireless-cm, or well, I think I have, I'm not really sure. How do I check which wireless module I have installed?

How do I change the configuration so it works with the group attributes of the picture above?

Image

Is there a step by step tutorial how to set this up?
 
cloudkitten
just joined
Posts: 1
Joined: Wed Jul 13, 2016 11:57 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Wed Jul 13, 2016 11:58 pm

To set a reminder: ubnt has implemented this in their switch portfolio, APs and controller.
 
User avatar
lapsio
Member
Member
Posts: 479
Joined: Wed Feb 24, 2016 5:19 pm

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Mon Jan 29, 2018 5:06 pm

Is Ethernet dVLAN implemented already or not yet?
MTCNA, MTCRE, MTCINE
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Tue Jan 30, 2018 1:02 am

2018 Are we there yet?
