I am facing a problem that I just cant get around. I have searched the forum without success. Any help will be highly appreciated. Thanks in advance.

I have a network setup as follows:
DSL -Ether1- Mikrotik 750G (DHCP, Hotspot, Userman) - Ether2- Switch- APs

* The network consists of many APs connected through a switch to the 750G.
* Radius is enabled for hotspot (not for dhcp)
* In userman, for each user, I have enabled *MAC binding on first use*.

The issue is, the user manager is binding the user to the AP 's MAC address. This is the AP to which the client is connected. The DHCP server is showing the correct MAC address of the client but the hotspot is showing the AP's address. Obviously this results in only one client being able to get connected through an AP.

What is going on? How do I cleanly enable mac authentication (or binding)?

The config:

HOTSPOT

[admin@MikroTik] > ip hotspot profile print Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
use-radius=no

1 name="hsprof1" hotspot-address=192.168.4.1 dns-name=""
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=mac,http-chap,http-pap mac-auth-password=""
split-user-domain=no use-radius=yes radius-accounting=yes
radius-interim-update=received nas-port-type=wireless-802.11
radius-default-domain="" radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX

DHCP Server

# jan/19/2013 23:22:46 by RouterOS 5.0rc1
# software id = XXX-XXX
#
/ip dhcp-server
add address-pool=hs-pool-2 authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether2-local-master lease-time=1h name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.4.0/24 comment="hotspot network" gateway=192.168.4.1

USER MANAGER
[admin@MikroTik] > tool user-manager export
# jan/19/2013 23:24:00 by RouterOS 5.0rc1
# software id = XXX-XXX
#
/tool user-manager customer
add backup-allowed=yes currency=Dollars disabled=no login=admin parent=admin \
password=iofc_admin paypal-accept-pending=no paypal-allowed=no \
paypal-secure-response=no permissions=owner signup-allowed=no time-zone=\
-00:00
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
auth-fail name=router1 shared-secret=1
/tool user-manager user

add caller-id=94:XX:XX:XXX:XX:XX customer=admin disabled=no name=test \
password=test shared-users=1
add caller-id=94:XX:XX:XX:XX:XX customer=admin disabled=no name=mtest \
password=mtest shared-users=1


* Both these MACs are AP MAC addresses.

I tried the following:

In DHCP server, I checked "Add ARP for leases" ON. The DHCP server is showing the client's MAC address. The ARP table is logging the APs MAC address.

Sounds more like the aps are not in transparrent mode.

Thanks TheWiFiGuy. I think you are right. I would like to hear the reasoning, if you can.

This is a few years old setup (I had missed the following from the above network):
750G-Switch-AP(Backhaul)
-Client (Backhaul) - AP- WiFi
-Client (Backhaul) - AP - WiFi

Used some TPLinks to backhaul traffic. These are the MAC addresses being reflected.

Will try setting them in point-multipoint bridge mode (if its available). Although, I still do not understand why the dhcp is not able to update the arp the way we want.

I get the same problem. Is there someone who can resolve this?

Hi,
I would have a look into normal traffic packets with Wireshark.

(simple start the sniffer on your Mikrotik, let it write to a file on the Mikrotik and then copy this file to your PC and open it with Wireshark. Look what MAC addresses are in e.g. HTML traffic)

Also, the DHCP packets contain the MAC address of the requester in the data field. The DHCP server does not extract it from the layer2 of the actually received packet. However the ARP table is built form the received packets. Have a look into the packets you get from the TP-Link AP. It might not be a real bridge, hence it might rewrite the layer2 and puts it's own MAC address as sender.