We have 2 types of authentication: Machine & User.
In an ideal situation (we currently have Cisco & Ubiquiti working), on restart the Machine is authenticated using a local certificate and, if correct, is assigned VLAN 110. On login, the Radius Server assigns VLAN 120 or 125 according to the user details.
The issue: On restart the Computer is correctly assigned VLAN 110. After login the computer sends a user authentication request, but the port stays in VLAN 110 instead of changing to VLAN 120. For it to work you have to remove the cable and reconnect it, after which the correct VLAN is provided.
Does anyone know how to solve this issue?
Kindly find the configuration below:
# RouterOS export for an 802.1X access switch: ether1 is the tagged trunk,
# ether2-ether5 are dot1x-authenticated access ports, and management runs on VLAN 500.

# Single VLAN-aware bridge named "switch"; spanning tree is off (protocol-mode=none).
# NOTE(review): FF:FF:FF:11:11:11 has the group (multicast) bit set, so it is
# presumably a value redacted for posting rather than the real admin MAC.
/interface bridge
add admin-mac=FF:FF:FF:11:11:11 auto-mac=no fast-forward=no name=switch \
protocol-mode=none vlan-filtering=yes
# Management interface: VLAN 500 on top of the bridge.
/interface vlan
add interface=switch name=vlan500-mgmt vlan-id=500
# The management address is obtained by DHCP on VLAN 500 only.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan500-mgmt
# Sets default-vlan-id to 0 on switch-chip ports 0-4.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
# ether1: trunk that only admits tagged frames, with ingress filtering on.
# ether2-ether5: access ports with no pvid, frame-types or ingress-filtering in
# the export, so those are presumably at their defaults -- TODO confirm.
/interface bridge port
add bridge=switch comment=trunk frame-types=admit-only-vlan-tagged \
ingress-filtering=yes interface=ether1
add bridge=switch comment="dot1x authentication" interface=ether5
add bridge=switch comment="dot1x authentication" interface=ether4
add bridge=switch comment="dot1x authentication" interface=ether3
add bridge=switch comment="dot1x authentication" interface=ether2
# Static VLAN table: 110/120/125 are tagged on the trunk only. No access port is a
# static untagged member, so membership for ether2-ether5 presumably comes from the
# VLAN the RADIUS server returns for each session -- verify against the dynamic
# entries after authentication.
# VLAN 500 also includes the bridge itself so that vlan500-mgmt receives traffic.
/interface bridge vlan
add bridge=switch tagged=ether1 vlan-ids=110
add bridge=switch tagged=ether1 vlan-ids=120
add bridge=switch tagged=ether1 vlan-ids=125
add bridge=switch tagged=ether1,switch vlan-ids=500
# 802.1X authenticator on each access port; accounting interim updates every 30 minutes.
# NOTE(review): no reauth-timeout or other re-authentication setting appears in the
# export, so the move from the machine VLAN to the user VLAN depends on a new EAP
# exchange being started on the already-authorized port at login. The radius log
# should show whether a second Access-Request/Access-Accept is exchanged at that point.
/interface dot1x server
add interface=ether5 interim-update=30m
add interface=ether4 interim-update=30m
add interface=ether3 interim-update=30m
add interface=ether2 interim-update=30m
# The router answers DNS queries from remote clients.
# NOTE(review): with the accept-all input chain below, this resolver is reachable
# on every interface that has an IP address.
/ip dns
set allow-remote-requests=yes
# Unconditional accept on forward, input and output: no packet filtering is in effect.
# NOTE(review): adequate for a lab; a deployed switch would limit the input chain
# to the management sources and services that are actually needed.
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
# RADIUS server used for dot1x requests.
# NOTE(review): the shared secret is exported in clear text; if this value is the
# one in use, treat it as disclosed and rotate it on both the switch and the server.
/radius
add address=192.168.1.252 secret=RadiusTestSecret service=dot1x
/system clock
set time-zone-name=Europe/Italy
/system identity
set name=test.mikrotik
# Log RADIUS exchanges (useful for tracing the machine and user authentications).
/system logging
add topics=radius
# RoMON (layer-2 management overlay) is enabled.
# NOTE(review): no RoMON secret or per-port restriction appears in the export;
# confirm that secrets are set and that the dot1x access ports are excluded
# under /tool romon port.
/tool romon
set enabled=yes