lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm
FreeRADIUS based MikroTik Wireless VLAN tagging

Sat Aug 25, 2018 6:52 pm

I'm trying to assign users to different VLANs on a wireless interface based on RADIUS authentication. Basic RADIUS authentication works as expected, but MikroTik-specific attributes don't seem to be assigned properly. This is my server-side config of FreeRADIUS (mikrotik.dictionary is taken from here: https://wiki.mikrotik.com/wiki/Manual:R ... dictionary):

/etc/raddb/dictionary:
...
$INCLUDE mikrotik.dictionary
...


/etc/raddb/clients.conf:

client rb {
        ipaddr = 192.168.10.2
        secret = ***
        nastype = mikrotik
}


/etc/raddb/users:

# Reply items use the hyphenated attribute names defined in mikrotik.dictionary
lapsio-phone    Cleartext-Password := "***"
        Mikrotik-Wireless-VLANID := 481,
        Mikrotik-Wireless-VLANIDtype := 0,
        Mikrotik-Wireless-Comment := 17

I thought it was a FreeRADIUS misconfiguration, but when I enabled RADIUS logs on the MikroTik I can see the following logs:

17:17:44 radius,debug new request 58:44b code=Access-Request service=wireless called-id=4E-5E-0C-65-35-31:Suse-alt 
17:17:44 radius,debug sending 58:44b to 192.168.10.9:1812 
17:17:44 radius,debug,packet sending Access-Request with id 210 to 192.168.10.9:1812 
17:17:44 radius,debug,packet     Signature = 0xe7391c6b21abd9cbda8cea58c2da4e28 
17:17:44 radius,debug,packet     Service-Type = 2 
17:17:44 radius,debug,packet     Framed-MTU = 1400 
17:17:44 radius,debug,packet     User-Name = "lapsio-phone" 
17:17:44 radius,debug,packet     NAS-Port-Id = "wlan4-alt" 
17:17:44 radius,debug,packet     NAS-Port-Type = 19 
17:17:44 radius,debug,packet     Acct-Session-Id = "82100032" 
17:17:44 radius,debug,packet     Acct-Multi-Session-Id = "4E-5E-0C-65-35-31-2C-4D-54-35-BC-2D-82-10-00-00-00-00-00-32" 
17:17:44 radius,debug,packet     Calling-Station-Id = "2C-4D-54-35-BC-2D" 
17:17:44 radius,debug,packet     Called-Station-Id = "4E-5E-0C-65-35-31:Suse-alt" 
17:17:44 radius,debug,packet     EAP-Message = 0x02000011016c617073696f2d70686f6e 
17:17:44 radius,debug,packet       65 
17:17:44 radius,debug,packet     Message-Authenticator = 0x16ff17ac4c8cfaa8e0bf2dce9c8c082a 
17:17:44 radius,debug,packet     NAS-Identifier = "RB2011SWAG" 
17:17:44 radius,debug,packet     NAS-IP-Address = 192.168.10.2 
17:17:44 radius,debug,packet received Access-Challenge with id 210 from 192.168.10.9:1812 
17:17:44 radius,debug,packet     Signature = 0x512c81239f2e000504a29a083cae2d93 
17:17:44 radius,debug,packet     EAP-Message = 0x01010016041075db65cb914f9ea9aeed 
17:17:44 radius,debug,packet       b454b790bc1e 
17:17:44 radius,debug,packet     Message-Authenticator = 0x987408929484851b6991395f3ffea998 
17:17:44 radius,debug,packet     State = 0x5560b0245561b49260cad83a72523c75 
17:17:44 radius,debug received reply for 58:44b 
17:17:44 radius,debug new request 58:44c code=Access-Request service=wireless called-id=4E-5E-0C-65-35-31:Suse-alt 
17:17:44 radius,debug sending 58:44c to 192.168.10.9:1812 
17:17:44 radius,debug,packet sending Access-Request with id 211 to 192.168.10.9:1812 
17:17:44 radius,debug,packet     Signature = 0x2966589320c22b2eae92d380b52fcb2f 
17:17:44 radius,debug,packet     Service-Type = 2 
17:17:44 radius,debug,packet     Framed-MTU = 1400 
17:17:44 radius,debug,packet     User-Name = "lapsio-phone" 
17:17:44 radius,debug,packet     State = 0x5560b0245561b49260cad83a72523c75 
17:17:44 radius,debug,packet     NAS-Port-Id = "wlan4-alt" 
17:17:44 radius,debug,packet     NAS-Port-Type = 19 
17:17:44 radius,debug,packet     Acct-Session-Id = "82100032" 
17:17:44 radius,debug,packet     Acct-Multi-Session-Id = "4E-5E-0C-65-35-31-2C-4D-54-35-BC-2D-82-10-00-00-00-00-00-32" 
17:17:44 radius,debug,packet     Calling-Station-Id = "2C-4D-54-35-BC-2D" 
17:17:44 radius,debug,packet     Called-Station-Id = "4E-5E-0C-65-35-31:Suse-alt" 
17:17:44 radius,debug,packet     EAP-Message = 0x020100060319 
17:17:44 radius,debug,packet     Message-Authenticator = 0x1a7cbc7184af745e3c83a3b02e9b99cd 
17:17:44 radius,debug,packet     NAS-Identifier = "RB2011SWAG" 
17:17:44 radius,debug,packet     NAS-IP-Address = 192.168.10.2 
17:17:44 radius,debug,packet received Access-Challenge with id 211 from 192.168.10.9:1812 
17:17:44 radius,debug,packet     Signature = 0xf2181013d252c2f8ad496a7c33edd3c1 
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID = 481 
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0 
17:17:44 radius,debug,packet     MT-Wireless-Comment = "17" 
17:17:44 radius,debug,packet     EAP-Message = 0x010200061920 
17:17:44 radius,debug,packet     Message-Authenticator = 0xb454787b48ca34d60e38cfed6b8ad770 
17:17:44 radius,debug,packet     State = 0x5560b0245462a99260cad83a72523c75 
17:17:44 radius,debug received reply for 58:44c 

As you can see, the following entries are present in the RADIUS response:
...
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID = 481 
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0 
17:17:44 radius,debug,packet     MT-Wireless-Comment = "17" 
...
So it seems that RADIUS sends the proper attributes, yet they're still ignored by RouterOS. This is my RouterOS config for wifi:

/interface wireless security-profiles
add authentication-types=wpa2-eap group-key-update=1m mode=dynamic-keys name=paranoid radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity=Uncertain
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled compression=yes default-authentication=no default-forwarding=no disabled=no frequency=2427 hide-ssid=yes l2mtu=2290 mode=ap-bridge mtu=2000 name=wlan-root preamble-mode=long rx-chains=0 security-profile=secure ssid=- tx-chains=1 tx-power=30 tx-power-mode=all-rates-fixed wps-mode=disabled
add default-forwarding=no disabled=no hide-ssid=yes l2mtu=2290 mac-address=4E:5E:0C:65:35:31 master-interface=wlan-root mtu=2000 name=wlan4-alt security-profile=paranoid ssid=Suse-alt vlan-id=480 vlan-mode=use-tag wps-mode=disabled
/interface wireless access-list
add disabled=yes interface=wlan4-alt mac-address=2C:4D:54:35:BC:2D vlan-id=482 vlan-mode=use-tag

/radius
add address=192.168.10.9 service=wireless src-address=192.168.10.2 timeout=3s

I added an entry in the access-list to see whether VLAN tagging works at all, and it apparently does when the VLAN ID is specified in the access-list. Unfortunately, when I disable the access-list entry it doesn't work anymore, so RouterOS ignores the RADIUS response directives. (By "doesn't work" I mean that lapsio-phone is assigned to VLAN 480 and doesn't have any comment in the registration-table.)

RouterOS: 6.42.6
Board: RB2011UiAS-2HnD
MTCNA, MTCRE, MTCINE
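A diagnostic to go with the log excerpt above (an added example, not the poster's code or anything from MikroTik or FreeRADIUS). RouterOS logs the reply attributes of every packet, and the excerpt stops at the second Access-Challenge, so it cannot show whether MT-Wireless-VLAN-ID also reaches the final Access-Accept, which is the reply the NAS takes its authorization attributes from. The script parses `radius,debug,packet` lines into packets, joins the continuation lines of long hex values, and reports which MT-* attributes arrived in which reply type. The embedded sample is a trimmed copy of the post's lines plus a constructed third round-trip (id 212) that ends in an Access-Accept without the vendor attributes, to show what the check flags; the attribute names it looks for are the ones RouterOS printed in the post.

```python
import re
from collections import OrderedDict

# Constructed sample: packets 210/211 are trimmed from the post above;
# the id 212 exchange and its Access-Accept are made up for this example.
SAMPLE_LOG = """\
17:17:44 radius,debug,packet sending Access-Request with id 210 to 192.168.10.9:1812
17:17:44 radius,debug,packet     User-Name = "lapsio-phone"
17:17:44 radius,debug,packet     NAS-Port-Id = "wlan4-alt"
17:17:44 radius,debug,packet     EAP-Message = 0x02000011016c617073696f2d70686f6e
17:17:44 radius,debug,packet       65
17:17:44 radius,debug,packet received Access-Challenge with id 210 from 192.168.10.9:1812
17:17:44 radius,debug,packet     EAP-Message = 0x01010016041075db65cb914f9ea9aeed
17:17:44 radius,debug,packet       b454b790bc1e
17:17:44 radius,debug,packet     State = 0x5560b0245561b49260cad83a72523c75
17:17:44 radius,debug,packet sending Access-Request with id 211 to 192.168.10.9:1812
17:17:44 radius,debug,packet     User-Name = "lapsio-phone"
17:17:44 radius,debug,packet     State = 0x5560b0245561b49260cad83a72523c75
17:17:44 radius,debug,packet received Access-Challenge with id 211 from 192.168.10.9:1812
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID = 481
17:17:44 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0
17:17:44 radius,debug,packet     MT-Wireless-Comment = "17"
17:17:44 radius,debug,packet     EAP-Message = 0x010200061920
17:17:44 radius,debug,packet     State = 0x5560b0245462a99260cad83a72523c75
17:17:45 radius,debug,packet sending Access-Request with id 212 to 192.168.10.9:1812
17:17:45 radius,debug,packet     User-Name = "lapsio-phone"
17:17:45 radius,debug,packet     State = 0x5560b0245462a99260cad83a72523c75
17:17:45 radius,debug,packet received Access-Accept with id 212 from 192.168.10.9:1812
17:17:45 radius,debug,packet     EAP-Message = 0x03020004
17:17:45 radius,debug,packet     User-Name = "lapsio-phone"
"""

# One header line per packet: direction, RADIUS code, packet id, peer address.
HEADER = re.compile(
    r"^(?P<ts>\S+) radius,debug,packet (?P<dir>sending|received) (?P<code>\S+) "
    r"with id (?P<id>\d+) (?:to|from) (?P<peer>\S+)"
)
# "Name = value" attribute lines belong to the most recent header.
ATTR = re.compile(r"^\S+ radius,debug,packet\s+(?P<name>[\w-]+) = (?P<value>.*?)\s*$")
# RouterOS wraps long hex values; the wrapped part is a bare hex line.
CONT = re.compile(r"^\S+ radius,debug,packet\s+(?P<hex>[0-9a-fA-F]+)\s*$")


def parse_packets(text):
    """Turn radius,debug,packet lines into a list of packet dicts, in log order."""
    packets = []
    last_attr = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"ts": m["ts"], "direction": m["dir"], "code": m["code"],
                            "id": int(m["id"]), "peer": m["peer"], "attrs": OrderedDict()})
            last_attr = None
            continue
        if not packets:
            continue  # lines before the first header (e.g. "new request") are skipped
        m = ATTR.match(line)
        if m:
            value = m["value"]
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # strip quotes from string attributes
            packets[-1]["attrs"][m["name"]] = value
            last_attr = m["name"]
            continue
        m = CONT.match(line)
        if m and last_attr and packets[-1]["attrs"][last_attr].startswith("0x"):
            packets[-1]["attrs"][last_attr] += m["hex"]  # join wrapped hex
    return packets


def reply_attrs_by_code(packets, prefix="MT-"):
    """Which vendor (MT-*) attributes the server sent, grouped by reply packet type."""
    out = {}
    for p in packets:
        if p["direction"] != "received":
            continue
        names = {n for n in p["attrs"] if n.startswith(prefix)}
        out.setdefault(p["code"], set()).update(names)
    return out


def accept_missing(packets, required=("MT-Wireless-VLAN-ID", "MT-Wireless-VLAN-ID-Type")):
    """Attributes absent from the last Access-Accept, or None if no Accept was logged at all."""
    accepts = [p for p in packets if p["direction"] == "received" and p["code"] == "Access-Accept"]
    if not accepts:
        return None
    final = accepts[-1]
    return [a for a in required if a not in final["attrs"]]


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_LOG)
    for code, names in reply_attrs_by_code(pkts).items():
        print(f"{code}: {sorted(names) or 'no MT-* attributes'}")
    missing = accept_missing(pkts)
    if missing is None:
        print("no Access-Accept in this excerpt; the VLAN attributes were only seen in a Challenge")
    elif missing:
        print("Access-Accept lacks:", ", ".join(missing))
    else:
        print("Access-Accept carries the VLAN attributes")
```

Run it against a full `/log print` capture (with `radius,debug,packet` topics enabled, as in the post) rather than the sample: if the MT-* attributes show up only under Access-Challenge and never under Access-Accept, the problem is on the server side of the EAP exchange, not in RouterOS ignoring them.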
