genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

vlan by mac address on LAN with multiple mikrotik switches

Sun Jul 25, 2021 10:10 am

Is it possible to assign a VLAN via RADIUS to an ethernet client in a setup where all routers/switches are MikroTiks?
In other words, I want a certain device to get a certain VLAN ID wherever it is plugged into the network.
For example, an IP phone that is on a VLAN for VoIP should always get the VLAN ID that I want, so that I won't need to know the exact port it is plugged into and configure it every time it is moved.
The same goes for other types of devices that are assigned to certain VLANs in the building.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Sun Jul 25, 2021 12:44 pm

Radius can help, but only if the LAN forces an authentication process for all devices. The authentication process then needs to involve a radius server and might be WiFi WPA2 (the enterprise version) or 802.1X.

If the network doesn't enforce authentication, then you could configure MAC-based VLAN on all access ports of your network. I don't think this involves radius, I think it has to be done (pseudo)manually on all access switches/APs.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Sun Jul 25, 2021 3:20 pm

> Radius can help, but only if the LAN forces an authentication process for all devices. The authentication process then needs to involve a radius server and might be WiFi WPA2 (the enterprise version) or 802.1X.
>
> If the network doesn't enforce authentication, then you could configure MAC-based VLAN on all access ports of your network. I don't think this involves radius, I think it has to be done (pseudo)manually on all access switches/APs.

How do I enforce authentication on LAN (ethernet)? On wireless it works fine!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Sun Jul 25, 2021 3:36 pm

 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Sun Jul 25, 2021 4:07 pm

This is what I was trying, but I didn't make it work. Is there another example apart from the wiki to understand it? I reached a point where I could be one click away or miles away, and I couldn't understand what was wrong.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 1:21 pm

I also noticed with this approach that devices with Windows would need to create a dot1x dial-up/interface or something like it to be able to connect?
I don't want that!
I want a device, the moment it is plugged into the network, to get a VLAN ID according to its MAC address. I don't want LAN devices to need to log in to be able to reach the network.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 1:42 pm

I don't think you can do it just like that without 802.1X, which is the standard solution for wired per-port security. While there are some hooks in mikrotik's DHCP server to work with radius, this doesn't cut the corner because at the end of the day, it's the access switch (where some end device is connected) that needs to apply proper VLAN settings. And DHCP doesn't provision switches.

So again: either use 802.1X (which provisions switches as needed) or you have to provision switches manually. When a switch is configured with proper MAC/VLAN combo, it doesn't matter which particular switch port is used. But if you have multiple access switches, you have to reconfigure all of them.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 2:27 pm

> I don't think you can do it just like that without 802.1X, which is the standard solution for wired per-port security. While there are some hooks in mikrotik's DHCP server to work with radius, this doesn't cut the corner because at the end of the day, it's the access switch (where some end device is connected) that needs to apply proper VLAN settings. And DHCP doesn't provision switches.
>
> So again: either use 802.1X (which provisions switches as needed) or you have to provision switches manually. When a switch is configured with proper MAC/VLAN combo, it doesn't matter which particular switch port is used. But if you have multiple access switches, you have to reconfigure all of them.

If I use 802.1X, would client devices need to support it? Or do I just plug in any ethernet device without the need to add some settings to the client itself?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 2:33 pm

Windows requires the inbuilt supplicant to be running in order to handle EAPOL for EAP username/password or certificate-based connection. I don't know if it is enabled by default, it wasn't on older versions of Windows.

For 802.1X MAC-based authorisation (there is no authentication as MACs can easily be spoofed) the switch uses the source MAC address of the first frame it receives after the port comes up, this is completely transparent to the PC/device plugged in. Mikrotiks can be configured to send the MAC as just the username or both the username and password to the RADIUS server.

Most of the work will be in configuring your RADIUS server, for FreeRADIUS see https://wiki.freeradius.org/guide/mac-auth for the basics, and include Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes in the Access-Accept reply.
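The RADIUS-side policy tdw describes above, as an added example that is not from this thread, from MikroTik or from FreeRADIUS: the switch sends the client MAC as User-Name, the server normalises and looks it up, and the Access-Accept carries the three RFC 2868 tunnel attributes that make the switch put the port untagged into that VLAN. The MAC table, the guest VLAN number and the accepted MAC formats are constructed assumptions.

```python
# Added example (not from the thread, MikroTik or FreeRADIUS): the RADIUS-side
# policy for 802.1X MAC-based authorisation.  The switch sends the client MAC
# as User-Name; we normalise it, look it up and build the Access-Accept
# attributes that put the port untagged into a VLAN (RFC 2868 tunnel attributes).
import re

# Constructed MAC -> VLAN table following the thread's example allocation.
MAC_VLAN = {
    "00:0b:82:aa:bb:cc": 20,  # VoIP phone -> voice VLAN
    "3c:2a:f4:11:22:33": 51,  # department A printer
    "d4:be:d9:44:55:66": 52,  # department B PC
}
GUEST_VLAN = 99  # unknown MAC -> guest VLAN (assumed value)

# RFC 2868 attribute numbers and the values that mean "802.1Q VLAN".
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def normalise_mac(user_name):
    """Accept aa:bb:.., AA-BB-.., aabb.cc.. or bare hex; return aa:bb:cc:dd:ee:ff or None."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", user_name).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def vlan_for(user_name):
    """VLAN ID for this MAC: table hit, guest VLAN if unknown, None if not a MAC at all."""
    mac = normalise_mac(user_name)
    if mac is None:
        return None  # caller should send Access-Reject
    return MAC_VLAN.get(mac, GUEST_VLAN)

def reply_attributes(vlan_id):
    """The three reply attributes (as a FreeRADIUS users-file entry would list them)."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

def _avp(attr_type, value, tag=0):
    # RADIUS tunnel AVP on the wire: type(1) length(1) tag(1) value; tag 0 = no tag
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body

def encode_vlan_avps(vlan_id):
    """Wire encoding of the tunnel attributes as carried in the Access-Accept."""
    return (_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))
```

When the switch is set to send the MAC as both username and password, the request also carries User-Password; this example keys only on User-Name, and as tdw notes it is authorisation by MAC, not authentication of the device.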
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 2:55 pm

> Windows requires the inbuilt supplicant to be running in order to handle EAPOL for EAP username/password or certificate-based connection. I don't know if it is enabled by default, it wasn't on older versions of Windows.
>
> For 802.1X MAC-based authorisation (there is no authentication as MACs can easily be spoofed) the switch uses the source MAC address of the first frame it receives after the port comes up, this is completely transparent to the PC/device plugged in. Mikrotiks can be configured to send the MAC as just the username or both the username and password to the RADIUS server.
>
> Most of the work will be in configuring your RADIUS server, for FreeRADIUS see https://wiki.freeradius.org/guide/mac-auth for the basics, and include Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes in the Access-Accept reply.

I don't want to use it for security but for ease of moving devices here and there without needing to know the combination of the device and the plug in the wall. I want, for example, wherever a VoIP device (Grandstream, for example) is plugged in, for it to get VLAN ID 20, a printer from department A VLAN 51, a PC from department B VLAN 52, and so on. Desks have 8 UTP ports next to them. I don't need to know that on port 1 a printer was plugged in, on port 2 a VoIP device, on port 3 a PC and on port 4 a guest PC (unknown MAC).
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 3:46 pm

So 802.1X MAC-based authorisation then; per the second paragraph in my previous post it is completely transparent to the devices being plugged in.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Mon Jul 26, 2021 6:34 pm

> So 802.1X MAC-based authorisation then; per the second paragraph in my previous post it is completely transparent to the devices being plugged in.

So I need to set all switch ports as dot1x authenticators, if I understand correctly? Except the uplink port?
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Tue Jul 27, 2021 10:28 am

I managed to do it, but it has a stupid requirement to have the bridge VLAN filter on, else it won't work.
One of my devices is a CRS112 PoE switch, and the moment I enable it I lose hardware offloading.
If I don't enable it, I can see the device in the dot1x active clients with the VLAN ID that I assigned, but it won't work; it remains untagged.
The moment I enable the VLAN filter it works, but I lose the HW offloading on that switch.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 3:59 pm

It is a limitation of the Mikrotik 802.1X implementation. If they intend to keep selling CRS1xx/2xx devices they should implement hardware-offloaded VLAN-aware bridges as the use of authenticated wired connections becomes more widespread - I was doing it in a large organisation 15 years ago with HP switches, and it is gradually trickling down to smaller ones.

You can use MAC-based VLANs on CRS1xx/2xx devices. There are some limitations, and it does mean you would have to maintain the MAC - VLAN mappings in both your RADIUS server and the CRS1xx/2xx switches.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 6:07 pm

MT should implement HW offload bridges on all capable devices (i.e. on all devices that have decent switch chip).

But I guess the problem is that some switch chips simply lack the needed functionality for certain operations. E.g. I guess MAC-based VLANs could be done in hardware using ACLs, but not all switch chips support ACLs. On switch chips not supporting ACLs, HW offload will have to be (completely) disabled if MAC-based VLANs are enabled. Since that can be set up via radius, HW offload might be flipping on/off depending on whether clients with MAC VLANs defined connect to a particular switch or not. The performance would vary wildly ... do we want to see it? I don't, hence to me it's better to know that certain features are not supported and HW offload has to be disabled, hence performance will be shitty. If I can accept that, OK; if not, I'll skip the functionality (or get another switch that supports the needed functionality).

If I were deciding on MT's priorities (which I'm not), I'd leave CRS1xx and CRS2xx as they are. Their functionality is well known, their performance as well. If some business wants to go 802.1x and their switches don't support it, well they'll have to replace switches with those that do. It's the same with any other vendor, I don't think any vendor introduces some major functionality upgrade (or performance upgrade) on existing products.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 6:59 pm

I just noticed if I understand well that the vlan information is passed to the client and not to the switch itself!
The laptop gets the vlanid but a grandstream phone doesn't despite the information on my dot1x active clients shows the vlan ID.

I thought that the switch would tag the untagged traffic to that port. Instead I think that it is passing the information to the client and the client transmits already tagged data!

If that is the case it is useless in my project!

I want to be able to plug in any network device and have the untagged data on that port get tagged according to the VLAN ID that I am passing from the Radius server!

Any ideas?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 11:07 pm

The dot1x setup should do just that: any client device becomes an untagged member of the VLAN sent from the RADIUS server to the switch. The configuration of a switch would help.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 11:18 pm

> The dot1x setup should do just that: any client device becomes an untagged member of the VLAN sent from the RADIUS server to the switch. The configuration of a switch would help.

So the client gets the info and starts sending out already-tagged data, or the switch arranges to tag all untagged data of that device on that port?
I think that the 1st is happening, and that is why more "stupid" devices don't work... the weird part is that they request and get an IP from the DHCP server, but they won't communicate any further!
PCs and laptops work, Grandstreams don't; I haven't tested it with other kinds of devices yet.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 11:28 pm

No. When a switch port comes up (device turned on or cable connected) no traffic passes; on receiving the first packet from a device the switch sends an Access-Request to the RADIUS server, and when the Access-Accept is returned to the switch the port is set to untagged for the specified VLAN. If client devices are seeing tagged traffic you have a configuration error.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: vlan by mac address on LAN with multiple mikrotik switches

Wed Jul 28, 2021 11:35 pm

> No. When a switch port comes up (device turned on or cable connected) no traffic passes; on receiving the first packet from a device the switch sends an Access-Request to the RADIUS server, and when the Access-Accept is returned to the switch the port is set to untagged for the specified VLAN. If client devices are seeing tagged traffic you have a configuration error.

Indeed, I just realized that I was the "stupid" one, because in the bridge VLAN filter I had that port as tagged and not as untagged!

Oooufff
