I'm able to successfully authenticate with a 802.1x server using RouterOS on a bare interface, but once that interface is a part of a bridge (with default settings) I cannot successfully complete the EAPOL process. It seems to never get to the TLSv1 packet exchange, but I do see the identity request and response.

I have pcaps that I'll clean up soon, but curious if anyone else has tried this or can reproduce it.

If you are wondering why is this interface on a bridge, it lets me handle a situation of stripping VLAN 0 (due to 802.1p priority tagging without VLAN) with VLAN Filtering so I can utilize standard IP features including DHCP, etc. I have to be able to handle those tagged frames inbound to the Mikrotik, but not produce them.

ROS version 4.45.2

+1 Me Too!

Question - what protocol-mode have you set on the bridge? One of the STP flavors or none?

Question - what protocol-mode have you set on the bridge? One of the STP flavors or none?

I've tried both both also thinking it could be the restrictions around 802.1D. I also spent way too much time tinkering with all the settings I could think of in the dark for weird interactions/bugs but couldn't find anything that works while the interface was on a bridge.

+1 here

+1 as well

I'm able to successfully authenticate with a 802.1x server using RouterOS on a bare interface, but once that interface is a part of a bridge (with default settings) I cannot successfully complete the EAPOL process.

I hope to work on this soon, to update my current procedure. Can you share your configuration (hiding your certs, etc.) that you have working so far? I think that with scripting, you can allow the EAPOL process to complete first, then move interfaces to where they need to be. I've never seen the ONT try to verify the cert ever again. If the ONT looses power, you could just reboot the router to handle that.

@wojo

I'm able to use ether1 and get Dot1x Cert status authenticated. Also DHCP client on ether1 pulled an IP, all without putting ether1 on a bridge. Everything seems to be working fine. Using firmware 6.46.1 on an RB4011. Can you update this thread with your success?

@wojo

I'm able to use ether1 and get Dot1x Cert status authenticated. Also DHCP client on ether1 pulled an IP, all without putting ether1 on a bridge. Everything seems to be working fine. Using firmware 6.46.1 on an RB4011. Can you update this thread with your success?

I'll test this, may not be able to until this weekend however. Can you share your configuration (snippets of the important parts) here?

It is indeed possible some has changed in the latest releases! Exciting.

Where I got stuck last time was I *had* to place the interface on the bridge to pull DHCP dues to the VLAN 0 issue. What ISP do you have and do they utilize VLAN 0 like AT&T UVerse?

Can you share your configuration (snippets of the important parts) here? It is indeed possible that something has changed in the latest releases! Exciting. Where I got stuck last time was I *had* to place the interface on the bridge to pull DHCP due to the VLAN 0 issue. What ISP do you have and do they utilize VLAN 0 like AT&T UVerse?

Okay, I'll be publishing my findings in a new post on this subject very soon. I wanted to run it past you first. I use AT&T Fiber Internet 100 (they have a 1GB service plan too). I don't know what they send over the wire as I did not capture it.

My configuration is extremely simple: 1, import the certs, 2, turn off CRL, 3, set ether1 mac to RG mac, 4, enable Dot1x EAP TLS client supplicant on ether1, 5, set Identity & Anon to the mac, 6, create DHCP client on ether1, 7, standard firewall and LAN side, yadda, yadda.

I actually had trouble getting a Dot1x client to work on an interface what was part of a bridge. So, I was forced to just use the bare ether1 interface. But I could've made a mistake (I think I did with the CRL option).

Please read my new article on this subject.

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

I've placed my configuration and script into this new thread which is a little cleaner and focused: viewtopic.php?f=23&t=154954&p=766284#p766284