Hi again,
could you use RADIUS to check if the passphrase used matches a predefined one and assign VLAN-id according to the predefined passphrase?
I know that it is said
... but unfortunately it is impossible ... or send passphrase to RADIUS server (passphrase is not known).
but there is a very old thread
Auth WPA2/PSK agaist radius server - MikroTik (and an idea in
DPSK Dynamic WPA2 PSK support - MikroTik), so I'm wondering if I could use
private-pre-shared-key, see
Wireless Interface - RouterOS - MikroTik Documentation, which I understand is available as RADIUS attribute
MIKROTIK_WIRELESS_PSK, see
Manual:RADIUS Client - MikroTik Wiki.
Unfortunately, it is not listed as an attribute in or
4.2 Access-Request or
4.4 Accounting-Request, so I can't tell if this attribute is sent to the RADIUS server in the course of an authentication and accounting request.
At least FreeRADIUS can deal with an attribute in an Access-Request, see
protocol/Access Request (freeradius.org).
If so, I hope the VLAN assignment could happen somehow as follows (based on
Unlang | FreeRADIUS Documentation (networkradius.com)):
[root@pfSense.test.home.arpa]/usr/local/etc/raddb: cat users.PSK
# Mikrotik Mac Auth and dyn. VLAN
# Mac Format XXXX:XXXX:XXXX
#
# check any User
DEFAULT Cleartext-Password := "%{User-Name}"
#assign VLAN per PPSK
switch %MIKROTIK_WIRELESS_PSK {
    case VLAN1_PPSK {
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Mikrotik-Wireless-VLANID := 20,
        Mikrotik-Wireless-VLANID-Type := 0,
        Mikrotik-Wireless-Comment = "USER_01_DEVICE"
    }
    case VLAN2_PPSK {
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Mikrotik-Wireless-VLANID := 10,
        Mikrotik-Wireless-VLANID-Type := 0,
        Mikrotik-Wireless-Comment = "USER_01_DEVICE"
    }
    case {
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Mikrotik-Wireless-VLANID := 99,
        Mikrotik-Wireless-VLANID-Type := 0,
        Mikrotik-Wireless-Comment = "UNTRUSTED_DEVICE"
    }
}
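
Added example, not part of the original post: a `switch` statement is unlang and is not valid inside a `users` file, so the same idea is shown here as a FreeRADIUS 3.x policy for the `authorize` section of a virtual server. It assumes the AP really does include Mikrotik-Wireless-PSK in the Access-Request, which the post could not confirm; the passphrase strings are placeholders.

```unlang
# Added example. Place inside authorize { } of the virtual server that
# handles the AP's requests. The MAC-auth line
#   DEFAULT Cleartext-Password := "%{User-Name}"
# stays in the users file; only the VLAN decision moves here.
#
# ASSUMPTION: Mikrotik-Wireless-PSK is present in the request list.
# PLACEHOLDER_PPSK_VLAN20 / PLACEHOLDER_PPSK_VLAN10 are placeholder values.
switch &request:Mikrotik-Wireless-PSK {
    case "PLACEHOLDER_PPSK_VLAN20" {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Mikrotik-Wireless-VLANID := 20
            Mikrotik-Wireless-VLANID-Type := 0
            Mikrotik-Wireless-Comment := "USER_01_DEVICE"
        }
    }
    case "PLACEHOLDER_PPSK_VLAN10" {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Mikrotik-Wireless-VLANID := 10
            Mikrotik-Wireless-VLANID-Type := 0
            Mikrotik-Wireless-Comment := "USER_01_DEVICE"
        }
    }
    # Default branch: also taken when the attribute is missing from the
    # request, so an AP that never sends it puts every client in VLAN 99.
    case {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Mikrotik-Wireless-VLANID := 99
            Mikrotik-Wireless-VLANID-Type := 0
            Mikrotik-Wireless-Comment := "UNTRUSTED_DEVICE"
        }
    }
}
```

Because the passphrases sit in cleartext in this file, keep it readable only by the RADIUS service account.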