mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 1:49 pm

What is the best practice/method for detecting/preventing unauthorized devices in LAN?
Since anybody or an intruder can simply set his/her device's IP accordingly (or even try DHCP first) and simply plug it into any LAN port in any of the rooms, and voilà he/she is in the LAN... and has automatically also access to the WAN via the in-house switch/router...
Can such a scenario be detected/prevented in RouterOS, without a separate intruder-detection-system(IDS)?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 2:27 pm

Port-based security, 802.1X will prevent this.
Basically only after authentication/authorization the port can be used.

Sure on RouterOS you can do a lot with scripts, you could collect the MAC/ARP entries on a regular basis, process this, compare it, do something with it.
On the other hand, MAC addresses are very simple to spoof, so to me this is the "last resort" if no other authentication (username/password or certificate) is possible because the client does not have these capabilities.

Not sure how the 802.1X implementation on RouterOS is done (I mean, if completely implemented, caveats etc) but we've designed many networks like this with thousands of wired & wireless users but based on Cisco products. I guess the basics will run fine. So you would need a RADIUS-server that speaks to RouterOS. Configured 802.1X on ports of the LAN-switch. All other stuff is RADIUS-config to create some profiles/process-flows etc depending on your needs.
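The periodic MAC/ARP comparison mentioned in the post above, sketched as an added example (not code from the thread or from MikroTik). The snapshot format, the allowlist and all names are assumptions, and the sample rows are constructed.

```python
import re

# Constructed sample: one "ip mac port" row per host, as a script might export
# from the switch's ARP and bridge-host tables. This is not real RouterOS output.
SNAPSHOT = """
192.168.88.10 aa:bb:cc:00:00:01 ether2
192.168.88.11 AA-BB-CC-00-00-02 ether3
192.168.88.50 02:11:22:33:44:55 ether5
192.168.88.12 aa:bb:cc:00:00:03 ether4
192.168.88.12 aa:bb:cc:00:00:03 ether6
192.168.88.13 aa:bb:cc:00:00:04 ether8
"""

# Constructed allowlist: authorised MAC -> port the device is expected on.
ALLOWLIST = {
    "AA:BB:CC:00:00:01": "ether2",
    "aa:bb:cc:00:00:02": "ether3",
    "aa:bb:cc:00:00:03": "ether4",
    "aa:bb:cc:00:00:04": "ether7",
}


def norm_mac(mac):
    """Normalise a MAC to upper-case colon form; reject malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_snapshot(text):
    """Parse 'ip mac port' rows, skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"unexpected row: {line!r}")
        ip, mac, port = fields
        rows.append((ip, norm_mac(mac), port))
    return rows


def audit(rows, allowlist):
    """Return findings as (kind, mac, ports), sorted by MAC address."""
    allow = {norm_mac(mac): port for mac, port in allowlist.items()}
    ports_by_mac = {}
    for _ip, mac, port in rows:
        ports_by_mac.setdefault(mac, set()).add(port)
    findings = []
    for mac, ports in sorted(ports_by_mac.items()):
        if mac not in allow:
            findings.append(("unknown-mac", mac, sorted(ports)))
        elif len(ports) > 1:
            # The same MAC on two ports at once: a loop or a cloned address.
            findings.append(("mac-on-multiple-ports", mac, sorted(ports)))
        elif allow[mac] not in ports:
            findings.append(("unexpected-port", mac, sorted(ports)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snapshot(SNAPSHOT), ALLOWLIST):
        print(finding)
```

A device that clones an authorised MAC address and takes over that device's own port produces no finding here, which is the spoofing limitation the post describes.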
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 2:32 pm

It depends on how hard you want to try preventing unauthorised devices and how determined someone is to bypass your blocks.

A very simple method is to disable DHCP and only assign IP addresses with static leases or statically, this would require someone to either manually set an IP address and gateway on their device, or to clone the MAC address of one of your devices and disconnect it.

Beyond that you are looking at port-based access controls such as MAC learning/whitelisting, MAC auth, 802.1X. Any of the MAC based methods can be bypassed by cloning the MAC address of an authorised device, certificate or username/password 802.1X methods are secure.

Mikrotik have recently introduced port-based access control https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x although you need an external RADIUS server. Many other vendors support port-based access control in fully managed and the better smart/web managed switches, entry-level smart/web managed and unmanaged switches do not.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 2:46 pm

> Mikrotik have recently introduced port-based access control https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x although you need an external RADIUS server. Many other vendors support port-based access control in fully managed and the better smart/web managed switches, entry-level smart/web managed and unmanaged switches do not.

In v7 of RouterOS Radius server is included I believe .... I seem to remember reading a post about that ..... But v7 probably will not be in stable production till 2021

And YES Port-based security, 802.1X is the effective way.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 3:10 pm

@jvanhambelgium, thank you very much for the info about RADIUS.
I admit I had heard/read about RADIUS, but didn't know that it is intended exactly for this purpose :-)
I'll read some docs/HOWTOs on the web.

Can someone tell me whether a RADIUS server is included in RouterOS, or does it have only a RADIUS client?
Or do I need to install a RADIUS server on a serverPC in my LAN?

Update: as @mozerd and @tdw have mentioned, a RADIUS server seems to be included in the upcoming RouterOS 7.0. I already have the beta5 of it running; will test it.
Last edited by mutluit on Fri May 01, 2020 3:31 pm, edited 1 time in total.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 3:28 pm

Can someone please describe the process briefly, from the point of view of a user in the LAN:
what does change for him/her, what extra steps are required for him/her, after RADIUS has been set up in the org?
Thx
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 4:29 pm

If you do not use RADIUS built in to RouterOS v7 the usual choice is FreeRADIUS or Windows NPS (integrated with newer Windows Server products).

MAC auth - there are no changes to the device, but you need to record the MAC address of authorised devices.

Certificate 802.1X - you need to create, distribute and manage certificates. For user-managed devices they will have to install the client certificate on their device and configure the wired connection 802.1X support to use it.

username/password 802.1X - you need to maintain a database of usernames and passwords, it is possible to use an existing Active Directory or LDAP setup. The user will have to enable wired connection 802.1X support on their device, if it is not already, and enter the username/password in order to connect.

Many educational establishments use 802.1X with federated RADIUS allowing their members to connect wired/wirelessly at other establishments with no device reconfiguration after the initial setup, so there are plenty of examples of setups to be found.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 4:55 pm

@tdw, thanks for the explanation, but I wonder when the username and userpassword has to be used.
Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day).
So, what happens next? Does he need to login to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) before he can do his usual login into his local OS on his office PC? Surely I must have misunderstood something in this concept :-)
Thx
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 5:46 pm

> Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day).
> So, what happens next? Does he need to login to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) before he can do his usual login into his local OS on his office PC? Surely I must have misunderstood something in this concept :-)

For my windows users I use screen time ... if the screen has no user interaction for x minutes log the user out. The logout closes all connections so the user would need to re-authenticate. Management decides what the value of x will be for each person and circumstances of monitoring .... if the person is in a locked room the value of x can be much higher .... locked rooms usually have cams monitoring everything. Everything depends on the environment and security policy in place.

https://www.virtualizationhowto.com/201 ... ntication/
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 6:31 pm

Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using any usernames and userpasswords?

Ie. when a device boots up, it shall autom. communicate via the RADIUS client to the configured RADIUS server, pass its credentials and if everything is ok,
then the (either a pre-assigned or any one) switch port shall open for this machine, else any attempts of normal traffic from that machine gets blocked by the switch.

Update after some more research: yes, the above scenario seems to be possible:
https://techexpert.tips/mikrotik/mikrot ... reeradius/
Will now just try it out by setting up an own RADIUS server (the freeradius server mentioned by @tdw) on a local Debian box.
Last edited by mutluit on Fri May 01, 2020 7:05 pm, edited 1 time in total.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 6:51 pm

> @tdw, thanks for the explanation, but I wonder when the username and userpassword has to be used.
> Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day).
> So, what happens next? Does he need to login to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) before he can do his usual login into his local OS on his office PC? Surely I must have misunderstood something in this concept :-)
> Thx

802.1X "authentication" CAN happen before the person itself issues the login on the Windows screen for example. (and authentication after that can again happen using Windows credentials)
If you go to the network-settings of your PC you'll find some section on 802.1X or "security" where you can choose things like PEAP (Protected EAP and EAP = Extensible Authentication Protocol, which is more a "framework" than an actual protocol)
https://en.wikipedia.org/wiki/Extensibl ... n_Protocol
As a client-PC you don't need to enter any RADIUS stuff because it is not YOU who is talking to the RADIUS, it is the LAN-switch who is doing RADIUS for the actual authentication part.
If you choose username/password authentication you can populate something in there (eg on a Linux box). In a Windows environment probably the cached-credentials are forwarded to the LAN-switch who takes this up to the RADIUS. If your RADIUS is then hooked into your Windows Domain the circle is closed.

I'm telling you a very simplified version of the process, just to give you an idea.

From the moment your network-card goes up, normally the "supplicant" software (in the OS) starts talking to the switch(port) and some exchanges are taking place.
These features can be quite complex. It's not always an "all or nothing" thing. Eg. when your PC boots your implementation might allow DHCP/DNS traffic to already flow and after login other policies/profiles are processed.

Or initially be placed on a specific VLAN, after authentication you move VLAN etc. Certain designs incorporate some client-soft software to check your PC if it is "compliant" to IT-standards, latest patches, antivirus-updates etc,etc. If not compliant, you are "parked" on some remediation VLAN with partial access until resolved etc,etc.
Many,many options exist.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 6:54 pm

You are getting it wrong. RADIUS is just a protocol, RADIUS server is (to a great extent) just a special credentials database.

> Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using any usernames and userpasswords?

RADIUS serves AAA requests from your network equipment. So you should be asking about the capabilities of (lets say) your access switches, not the RADIUS.

> Ie. when a device boots up, it shall autom. communicate via the RADIUS client to the configured RADIUS server, pass its credentials and if everything is ok

RADIUS client runs on your network equipment (switches, access points, VPN servers, etc), and NOT on the client devices. Your client devices MAY communicate with your RADIUS server, but that is done indirectly and using other protocols (i.e. EAPoL in case of 802.1X), and not RADIUS.
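The division of roles described in the post above, as an added example (not code from the thread or from any RADIUS implementation): the supplicant sends EAP inside an EAPOL frame, and the switch, acting as RADIUS client, wraps that EAP packet in an Access-Request. The MAC address, identity and shared secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

ETH_P_PAE = 0x888E                          # EtherType of EAPOL (802.1X) frames
PAE_GROUP = bytes.fromhex("0180c2000003")   # PAE group address used as destination
EAP_RESPONSE, EAP_IDENTITY = 2, 1
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 31, 79, 80

SUPPLICANT_MAC = bytes.fromhex("021122334455")   # constructed
SHARED_SECRET = b"constructed-shared-secret"     # known to switch and server only


def supplicant_identity_frame(src_mac, identity, eap_id):
    """Supplicant (PC): EAP-Response/Identity carried in an EAPOL frame."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id,
                      5 + len(identity), EAP_IDENTITY) + identity
    eapol = struct.pack("!BBH", 2, 0, len(eap)) + eap   # version 2, type 0 = EAP-Packet
    return PAE_GROUP + src_mac + struct.pack("!H", ETH_P_PAE) + eapol


def parse_eapol(frame):
    """Authenticator (switch port): validate the frame, return (src_mac, eap)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        raise ValueError("not an EAPOL frame")
    _version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    eap = frame[18:18 + length]
    if packet_type != 0 or length < 5 or len(eap) != length:
        raise ValueError("not a complete EAP-Packet")
    if struct.unpack("!H", eap[2:4])[0] != length:
        raise ValueError("EAP length disagrees with EAPOL length")
    return frame[6:12], eap


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def radius_access_request(eap, src_mac, secret, radius_id):
    """Authenticator as RADIUS client: wrap the EAP packet for the server."""
    code, _eap_id, _length, eap_type = struct.unpack("!BBHB", eap[:5])
    if (code, eap_type) != (EAP_RESPONSE, EAP_IDENTITY):
        raise ValueError("expected EAP-Response/Identity")
    station = "-".join(f"{b:02X}" for b in src_mac).encode()
    attrs = attr(USER_NAME, eap[5:]) + attr(CALLING_STATION_ID, station)
    for i in range(0, len(eap), 253):        # long EAP packets span several attributes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zero-filled while signing
    header = struct.pack("!BBH", 1, radius_id, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)       # code 1 = Access-Request
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def radius_attrs(packet):
    """Decode RADIUS attributes into (type, value, value_offset) triples."""
    end, pos, out = struct.unpack("!H", packet[2:4])[0], 20, []
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return out


def message_authenticator_ok(packet, secret):
    """RADIUS server: recompute HMAC-MD5 with the Message-Authenticator zeroed."""
    for attr_type, value, offset in radius_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False
```

The supplicant never holds the RADIUS shared secret; only the switch and the server can produce or check the Message-Authenticator.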
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 7:22 pm

Sounds like someone should go back to school and thus can ask pertinent Mikrotik based questions.....
Otherwise perhaps this is a better place to be.......
https://www.dslreports.com/forum/network

https://commotionwireless.net/docs/cck/ ... ng-basics/
https://www.foxpass.com/blog/radius-ser ... w-it-works
and three million other resources.

In other words, don't be so lazy and be prepared to ask pertinent questions related to MT equipment.
Just because you are old, doesn't mean you forget the basics (of reading and doing homework)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 7:24 pm

@andriys, you have got the terminology of client wrong. According to wikipedia https://en.wikipedia.org/wiki/IEEE_802.1X :
client (also called supplicant): the user device (such as a laptop) that wishes to attach to the LAN/WLAN.
authenticator (f.e. a switch): a network device which provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch.
authentication server (RADIUS server): a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed ...,In some cases, the authentication server software may be running on the authenticator hardware.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 7:29 pm

@anav, FYI: the question is MT related as how to allow/deny LAN/WAN access to user devices that are attached to a MT switch, via RADIUS/IEEE 802.1X.
Last edited by mutluit on Fri May 01, 2020 7:35 pm, edited 2 times in total.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 7:29 pm

> @andriys, you have got the terminology of client wrong

No, I have not. You were talking about RADIUS client. That has nothing to do with supplicant and other IEEE 802.1X stuff. Strictly speaking, RADIUS is not even a requirement for 802.1X, any other protocol capable of encapsulating EAP can theoretically be used instead.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 8:51 pm

I have yet to find an example that covers the described situation in the OP.
Most of these examples understand something different when they talk about "users": they mean router/switch admin users, whereas I mean normal Average Joe users in a LAN w/o login permission to the router or switch they are connected to, as they aren't any admins.
Maybe I'm a Martian new on planet Earth :-)

Update: newly discovered: the answer seems to lie exactly in this document:
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Fri May 01, 2020 11:52 pm

> Maybe I'm a Martian new on planet Earth :-)
>
> Update: newly discovered: the answer seems to lie exactly in this document:
> https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x

To me [like YOU :-)] users are Joe users in a LAN w/o login permission to the router or switch they are connected --- that is it.
These things -- Routers, Switches etc are there to ENABLE and support USERS -- that is the definition of infrastructure .... no if's -- no and's -- no but's. Admins are also users with higher privileges. :lol:
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 1:44 am

As said: the answer seems to be "Dot1x".
In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet).
Then now I'm missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older software named xsupplicant (there are v2 and v1 versions). I'm trying to compile the v1 of the latter one under Linux as it seems to fit my needs better, IMO. But unfortunately I am getting some compile errors... :-( Just a matter of time... :-)
Ie. I hope to use simple port-based authentication without a fullblown external RADIUS server like freeradius as it looks to me gigantic for my simple needs (and maybe even buggy as hell and/or like swiss cheese... :-)) Ie. I try to apply KISS :-)
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 8:33 am

> As said: the answer seems to be "Dot1x".
> In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet).
> Then now I'm missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older software named xsupplicant (there are v2 and v1 versions). I'm trying to compile the v1 of the latter one under Linux as it seems to fit my needs better, IMO. But unfortunately I am getting some compile errors... :-( Just a matter of time... :-)
> Ie. I hope to use simple port-based authentication without a fullblown external RADIUS server like freeradius as it looks to me gigantic for my simple needs (and maybe even buggy as hell and/or like swiss cheese... :-)) Ie. I try to apply KISS :-)

You your Linux PC/systems do not have a GUI ?

PS : FreeRADIUS buggy ? Are you nuts ? FreeRADIUS handles A LOT of authentications globally on Internet. Also in the "traditional" spaces (PAP/CHAP protocols when doing dialup, PPPoE authentications for xDSL users etc) but also in EAP area. There probably are plenty examples on how to get some basic DOT1X chain working with simple MAC/local-username-password thingy.
FreeRADIUS is not heavy software that requires a lot of resources to run. Small VM or docker on NAS could do the job.

https://stackoverflow.com/questions/367 ... for-802-1x

Tons of examples.


On your remark : "I want simple port-based authentication" -> Well ... there is no such thing as simple in this area. 802.1x projects can be quite a challenge( wired/wireless)! However with simple MAC/username-password should be OK depending on your knowledge.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 5:57 pm

> > As said: the answer seems to be "Dot1x".
> > In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet).
> > Then now I'm missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older software named xsupplicant (there are v2 and v1 versions). I'm trying to compile the v1 of the latter one under Linux as it seems to fit my needs better, IMO. But unfortunately I am getting some compile errors... :-( Just a matter of time... :-)
> > Ie. I hope to use simple port-based authentication without a fullblown external RADIUS server like freeradius as it looks to me gigantic for my simple needs (and maybe even buggy as hell and/or like swiss cheese... :-)) Ie. I try to apply KISS :-)
>
> You your Linux PC/systems do not have a GUI ?
>
> PS : FreeRADIUS buggy ? Are you nuts ? FreeRADIUS handles A LOT of authentications globally on Internet. Also in the "traditional" spaces (PAP/CHAP protocols when doing dialup, PPPoE authentications for xDSL users etc) but also in EAP area. There probably are plenty examples on how to get some basic DOT1X chain working with simple MAC/local-username-password thingy.
> FreeRADIUS is not heavy software that requires a lot of resources to run. Small VM or docker on NAS could do the job.
>
> https://stackoverflow.com/questions/367 ... for-802-1x
>
> Tons of examples.
>
> On your remark : "I want simple port-based authentication" -> Well ... there is no such thing as simple in this area. 802.1x projects can be quite a challenge( wired/wireless)! However with simple MAC/username-password should be OK depending on your knowledge.

You nailed it. Clear, concise and accurate!! As I stated previously this has nothing to do with MT hardware, it's a discussion of networking understanding best served by doing research before wasting people's time.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 7:00 pm

I don't know about buggy, but I'll sign "looks to me gigantic for my simple needs". When I install it, I end up with 350MB of dependencies and 1.4MB of stuff in /etc/freeradius in over 200 files. It doesn't necessarily mean anything, but the first impression is scary, it definitely doesn't promise quick and easy results. That's why I'm waiting for nice and friendly (hopefully) User Manager in RouterOS 7.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 8:07 pm

and I thought you were scared of spiders not freeradius! ;-P

What are your expectations for User Manager? What functionalities are you looking for??
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 8:15 pm

> I don't know about buggy, but I'll sign "looks to me gigantic for my simple needs". When I install it, I end up with 350MB of dependencies and 1.4MB of stuff in /etc/freeradius in over 200 files. It doesn't necessarily mean anything, but the first impression is scary, it definitely doesn't promise quick and easy results. That's why I'm waiting for nice and friendly (hopefully) User Manager in RouterOS 7.

I've the same views.
I need maybe less than 5% of its functionality, maybe even less than 2.5%.
Also interesting:
https://freeradius.org/security/
https://www.cvedetails.com/vulnerabilit ... adius.html

I too would like to see the version in ROS: I'm already trying it out, but haven't had enough time for this yet: the CLI of 7.0beta5 says Dot1x server and client are implemented, one just needs to add entries into it and test it. I'm trying to find the right supplicant stuff on the PC side. The v1 of the xsupplicant I mentioned has some serious compile problems as it was created with very old autoconf/automake tools, there are configure warnings that one simply can't ignore, and trying to fix them would take me much more time, as I already tried, but it's too complicated.
So, I think then I should take the said wpa_supplicant from the OS repository, which is normally for wireless stuff in Linux, but it can also be used for this, as both cases are similar.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Sat May 02, 2020 10:13 pm

@anav: I have the most humble requirements. Users should each have own password (or maybe certificate) and depending on that, they should be able to connect (and end up in correct VLAN if there are some), using both wired (optionally also with external managed switch) and wireless connections. Simple thing, which should not be difficult. If it is, then it's opportunity for improvements.

I assume it probably isn't too difficult even with FreeRADIUS, but the additional catch is that it should be usable also in places without much infrastructure, i.e. without the need for additional machines. I know people with small networks where this could be useful, but they have no reliable machine for external RADIUS. I know even something like Raspi would be enough, but it's another thing you need to worry about. If the network mostly stands and falls with router and internet access anyway, it's the right place for it. Plus I like RouterOS and how admin friendly it usually is (some would disagree, I know).

If I understood correctly, my wish already came true and UM7 can do what's needed, but last time I checked, there was no friendly interface (CLI only) and neither any documentation. I want at least one of those.
 
conectandonet
just joined
Posts: 2
Joined: Mon Jul 12, 2021 7:10 pm

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Mon Jul 12, 2021 7:22 pm

> Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using any usernames and userpasswords?
>
> Ie. when a device boots up, it shall autom. communicate via the RADIUS client to the configured RADIUS server, pass its credentials and if everything is ok,
> then the (either a pre-assigned or any one) switch port shall open for this machine, else any attempts of normal traffic from that machine gets blocked by the switch.
>
> Update after some more research: yes, the above scenario seems to be possible:
> https://techexpert.tips/mikrotik/mikrot ... reeradius/
> Will now just try it out by setting up an own RADIUS server (the freeradius server mentioned by @tdw) on a local Debian box.

I wanted to do according to the instructions:
https://conectandonet.com.br/blog/como- ... reeradius/
