mTwUser

capsman + freeradius + user based vlan

Fri Jun 17, 2016 4:49 pm

Hi everyone,

I'm trying to assign VLANs based on user authentication (EAP, not PSK): for example, when user2 logs in, they are automatically placed in VLAN2 and receive a 192.168.202.0/24 IP address from the DHCP server.

Used Software/Packages:

Freeradius Version 3.0.11
Router OS v6.35.4
CapsmanV2
Wireless-cm2

My Configuration on RouterOS: (ether1 = WAN = 192.168.0.149/24, as you can see in my plan)
# RouterOS export as posted by the author; the "# " lines are review notes, the
# statements themselves are reproduced unchanged.
/interface bridge
# Single LAN bridge; spanning tree is disabled (protocol-mode=none).
add name=bridge-lan protocol-mode=none

/interface vlan
# One VLAN sub-interface per VLAN on the bridge. NOTE(review): none of the
# CAPsMAN configurations below set datapath.vlan-id, so with vlan-mode=use-tag
# clients presumably land in VLAN 1 whenever RADIUS does not supply
# Mikrotik-Wireless-VLANID -- which matches the 192.168.201.x lease reported in
# the post (vlan1 -> server-vlan1-pool). TODO confirm the fallback on the CAP.
add interface=bridge-lan name=vlan1 vlan-id=1
add interface=bridge-lan name=vlan2 vlan-id=2
add interface=bridge-lan name=vlan3 vlan-id=3
add interface=bridge-lan name=vlan4 vlan-id=4

/caps-man configuration
# 2.4 GHz profile "wlan-2": WPA2-EAP with EAP passed through to the RADIUS server
# configured under /radius, RADIUS accounting on, client traffic VLAN-tagged onto
# bridge-lan (datapath.vlan-mode=use-tag).
# NOTE(review): security.encryption=aes-ccm,tkip keeps the deprecated TKIP cipher
# enabled next to AES-CCM; drop tkip unless a legacy client actually needs it.
add channel.extension-channel=Ce channel.frequency=2412 channel.width=20 \
    country=austria datapath.bridge=bridge-lan datapath.vlan-mode=use-tag mode=\
    ap name=wlan-2 rx-chains=0,1,2 security.authentication-types=wpa2-eap \
    security.eap-methods=passthrough security.eap-radius-accounting=yes \
    security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=\
    testcl01 tx-chains=0,1,2

 /caps-man interface
# cap1 repeats most of wlan-2's security.* values inline but sets
# security.eap-radius-accounting=no, contradicting the profile's =yes.
# NOTE(review): which of the two wins is not visible in this export -- check the
# effective value on the CAP and keep the setting in one place.
add arp=enabled configuration=wlan-2 datapath.vlan-mode=use-tag disabled=no \
    l2mtu=1600 mac-address=E4:8D:8C:72:D6:32 master-interface=none mtu=1500 \
    name=cap1 radio-mac=E4:8D:8C:72:D6:32 security.authentication-types=\
    wpa2-eap security.eap-methods=passthrough security.eap-radius-accounting=no \
    security.encryption=aes-ccm security.group-encryption=aes-ccm
# cap3 carries no security.* overrides and inherits everything from wlan-2.
add arp=enabled configuration=wlan-2 datapath.vlan-mode=use-tag disabled=no \
    l2mtu=1600 mac-address=E4:8D:8C:69:BC:53 master-interface=none mtu=1500 \
    name=cap3 radio-mac=E4:8D:8C:69:BC:53

 /caps-man security
# "security-t1" is not referenced anywhere else in the visible export (leftover?).
add authentication-types=wpa2-eap eap-radius-accounting=yes encryption=\
    aes-ccm,tkip group-encryption=aes-ccm name=security-t1
# "test" is used by wlan-5 below: WPA2-EAP passthrough, AES-CCM only, no TKIP.
add authentication-types=wpa2-eap eap-methods=passthrough \
    eap-radius-accounting=yes encryption=aes-ccm name=test

 /caps-man configuration
# 5 GHz profile "wlan-5". It references security=test and then restates the same
# four security.* values inline; keeping both copies invites drift -- pick one.
add channel.band=5ghz-a/n/ac channel.extension-channel=eeCe channel.frequency=\
    5540 country=austria datapath.bridge=bridge-lan datapath.vlan-mode=use-tag \
    mode=ap name=wlan-5 rx-chains=0,1,2 security=test \
    security.authentication-types=wpa2-eap security.eap-methods=passthrough \
    security.eap-radius-accounting=yes security.encryption=aes-ccm ssid=\
    testcl02 tx-chains=0,1,2

 /caps-man interface
# cap2 sets security.encryption=aes-ccm,tkip, re-adding TKIP that profile "test"
# and wlan-5 leave out. NOTE(review): interface-vs-profile precedence is not
# shown here; if the interface value wins, TKIP is back on the 5 GHz SSID.
add arp=enabled configuration=wlan-5 configuration.multicast-helper=full \
    datapath.bridge=bridge-lan datapath.vlan-mode=use-tag disabled=no l2mtu=\
    1600 mac-address=E4:8D:8C:72:D6:31 master-interface=none mtu=1500 name=cap2 \
    radio-mac=E4:8D:8C:72:D6:31 security.encryption=aes-ccm,tkip
/interface wireless security-profiles

# Local (non-CAPsMAN) wireless default profile; not part of the EAP/RADIUS path.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# (empty section emitted by the export)

/ip pool
# dhcp-pool serves the untagged bridge (192.168.1.0/24); server-vlanN-pool serves
# 192.168.20N.0/24 behind interface vlanN.
add name=dhcp-pool ranges=192.168.1.20-192.168.1.200
add name=server-vlan2-pool ranges=192.168.202.20-192.168.202.200
add name=server-vlan1-pool ranges=192.168.201.20-192.168.201.200
add name=server-vlan3-pool ranges=192.168.203.20-192.168.203.200
add name=server-vlan4-pool ranges=192.168.204.20-192.168.204.200

/ip dhcp-server
# server-vlan1 hands out 2-minute leases while the other VLAN servers use 2 days;
# looks like a value left over from testing and will churn the dhcp log topic.
add address-pool=server-vlan1-pool disabled=no interface=vlan1 lease-time=2m \
    name=server-vlan1
# server1 answers on the untagged bridge itself.
add address-pool=dhcp-pool disabled=no interface=bridge-lan name=server1
add address-pool=server-vlan2-pool disabled=no interface=vlan2 lease-time=2d \
    name=server-vlan2
add address-pool=server-vlan3-pool disabled=no interface=vlan3 lease-time=2d \
    name=server-vlan3
add address-pool=server-vlan4-pool disabled=no interface=vlan4 lease-time=2d \
    name=server-vlan4


/system logging action
# Memory and disk log buffers are trimmed to 100 lines each, so RADIUS/DHCP
# entries scroll out quickly while troubleshooting; raise these temporarily.
set 0 memory-lines=100
set 1 disk-lines-per-file=100

/caps-man manager
# CAPsMAN with auto-generated certificates. NOTE(review): require-peer-certificate
# is not shown, so CAPs presumably are not required to present a certificate --
# confirm if the CAP<->manager link ever crosses a segment you do not control.
set ca-certificate=auto certificate=auto enabled=yes

/interface bridge port
# ether2-ether5 are LAN bridge ports; ether1 (WAN, DHCP client below) stays
# outside the bridge.
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

/ip address
# Router address on the untagged bridge and on each VLAN; each one is also the
# gateway handed out by the matching /ip dhcp-server network entry.
add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
add address=192.168.201.1/24 interface=vlan1 network=192.168.201.0
add address=192.168.202.1/24 interface=vlan2 network=192.168.202.0
add address=192.168.203.1/24 interface=vlan3 network=192.168.203.0
add address=192.168.204.1/24 interface=vlan4 network=192.168.204.0

/ip dhcp-client
# WAN address and default route obtained via DHCP on ether1.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1

 /ip dhcp-server network
# Per-subnet DHCP options: the router as primary DNS, 8.8.8.8 as secondary.
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1
add address=192.168.201.0/24 dns-server=192.168.201.1,8.8.8.8 gateway=\
    192.168.201.1
add address=192.168.202.0/24 dns-server=192.168.202.1,8.8.8.8 gateway=\
    192.168.202.1
add address=192.168.203.0/24 dns-server=192.168.203.1,8.8.8.8 gateway=\
    192.168.203.1
add address=192.168.204.0/24 dns-server=192.168.204.1,8.8.8.8 gateway=\
    192.168.204.1

/ip firewall filter
# NOTE(review): these three rules carry no action=, which in RouterOS means
# accept. The 192.168.0.0/16 match also covers the WAN side (the post says
# ether1 is 192.168.0.149/24), so the input rule admits the upstream
# 192.168.0.0/24 network to the router's own services. The rest of the filter
# chain is elided ("....") in the post, so the final policy cannot be judged here.
add chain=forward dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add chain=input dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add chain=output dst-address=192.168.0.0/16 src-address=192.168.0.0/16
....
 
# Second part of the author's export (the firewall filter rules between the two
# parts are elided in the post); "# " lines are review notes.
/ip firewall nat
# Masquerade everything leaving ether1 (WAN).
add action=masquerade chain=srcnat out-interface=ether1

/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled; this trims helper attack surface
# and is a sensible default when none of these protocols are in use.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip upnp
# NOTE(review): UPnP lets any LAN host open inbound port mappings on the WAN
# interface without authentication; the /ip upnp interfaces list is not in this
# export. Leave it disabled unless something on the LAN genuinely needs it.
set enabled=yes
/ppp aaa
# PPP (pptp/l2tp/pppoe) RADIUS settings; not involved in the wireless EAP path.
set interim-update=5m use-radius=yes
/radius
# FreeRADIUS at 192.168.0.5, i.e. on the ether1/WAN-side subnet rather than on a
# LAN VLAN; only service=wireless is enabled for this entry, which is what
# CAPsMAN EAP passthrough uses. Secret redacted by the author -- RADIUS relies on
# an MD5-based shared secret, so use a long random one and keep this hop on a
# trusted segment.
# NOTE(review): with EAP passthrough the VLAN reply attributes are usually set for
# the inner (tunneled) identity on the FreeRADIUS side; they only reach the AP if
# they are also copied into the outer Access-Accept (FreeRADIUS 3.0.x:
# use_tunneled_reply in the peap/ttls sections of mods-available/eap, or an
# explicit update to outer.reply). Compare against the radius debug log before
# changing anything on the router.
add address=192.168.0.5 secret=XXXXXXXX service=wireless
/system identity
set name=capsman
/system logging
# The first default logging rule (normally topics=info -> memory) is disabled and
# radius/dhcp/radvd topics are added. NOTE(review): the "radius,debug,packet"
# attribute dump quoted later in the thread presumably needs the debug topic
# (e.g. topics=radius,debug) rather than plain radius -- confirm.
set 0 disabled=yes
add topics=radius
add topics=dhcp
add topics=radvd
What the radreply table looks like:

radreply
radreply
+----+----------+-------------------------------+----+-------+
| id | username | attribute                     | op | value |
+----+----------+-------------------------------+----+-------+
|  5 | test2    | Mikrotik-Wireless-VLANID      | := | 0x2   |
|  6 | test2    | Mikrotik-Wireless-VLANID-Type | := | 0x0   |
+----+----------+-------------------------------+----+-------+
I tried skipping the VLANID-Type attribute, using the old dictionary name (Mikrotik_Wireless_VLANID), giving the value in plain text, using a different hex value, and so on.

But whenever I log in as Test2 I end up in VLAN1 and therefore get a 192.168.201.x/24 IP address.
If I delete the value, the same thing happens. Does anyone have advice on what I'm doing wrong?

Thank you very much in advance!
 
mTwUser

Re: capsman + freeradius + user based vlan

Mon Jun 20, 2016 3:39 pm

Added some missing details, so bumping in case somebody knows now what's wrong.
 
mTwUser

Re: capsman + freeradius + user based vlan

Tue Jun 21, 2016 1:16 pm

Well it works with Tekradius like mentioned here: http://mum.mikrotik.com/presentations/C ... 137144.pdf

so it seems like a freeradius issue.
 
mTwUser

Re: capsman + freeradius + user based vlan

Tue Jul 05, 2016 5:56 pm

If somebody has got this to work with FreeRADIUS and could give me a hint, it would be really appreciated; I would much prefer that over a Windows solution.

Thanks!
 
noib

Re: capsman + freeradius + user based vlan

Thu Aug 25, 2016 6:52 pm

I didn't test with FreeRADIUS, but it should work; I finally got it working after a day of tries :p. But I'm not in your exact configuration: I'm not using CAPsMAN, just a single AP acting as RADIUS client (RouterOS 6.35.4), and my VLANs are sent out to the network — I don't have local VLAN interfaces or a local DHCP server.

- check that you have wireless-cm2 package installed, and NOT wireless-fp.

- check in the logs that RADIUS requests are sent at connection time, and that the server is sending back the right attributes:
17:39:46 radius,debug,packet received Access-Accept with id 107 from 172.20.30.1:1812 
17:39:46 radius,debug,packet     Signature = 0x4922b43a9fae3541b97bcdf0f7a1cf03 
17:39:46 radius,debug,packet     Unknown-Attribute(vendor=MT, type=26) = 0x00000052 
17:39:46 radius,debug,packet     Unknown-Attribute(vendor=MT, type=27) = 0x00000001 
Yeah, I know it says "Unknown-Attribute", but RouterOS still gets the info. Here the value is displayed in hex, so it's VLAN 82 (0x52) and "Use-service-tag" (0x01); which type you need depends on your VLAN topology.

- check that your WLAN/Virtual AP interface has "VLAN mode" enabled, in accordance with the Use-service-tag RADIUS attribute (not sure if it really helps).

- check if your WLAN/virtual AP is bridged with the ethernet interface where you want the VLANs to be tagged.

Hope it helps
