alexvdbaan
Trainer
Topic Author
Posts: 38
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

Hotspot+dynamic vlanned Capsman

Fri May 03, 2019 4:39 pm

Good afternoon,
My company is currently supporting a coworking space with several locations. Each location has roughly 30 separate units that host individual companies. We use a full MikroTik network stack assisted with the Kaplansoft TekRadius software to provide a WLAN with dynamically assigned VLANs.

Each location has a CCR1009, CRS326, CRS328 and wAP ac's to serve one SSID over CAPsMAN. The bridge that is included in the datapath has 30 VLANs. Each VLAN hosts a private IPv4 /24 and a public /64 IPv6. Wireless authentication is WPA2-EAP with passthrough to TekRadius.

The users authenticate against TekRadius, which in turn, when accepted, gives back a VLAN ID to the MikroTik, which then provides the respective leases. This all works as it should.

My issue at hand is that many devices can't authenticate against WPA2-(P)EAP: Chromecast devices and primarily printers. I would like to include MAC authentication, however this appears only to be possible with the use of IP Hotspot. Do people here have experience with mixing CAPsMAN and Hotspot together?

Thanks, Alex
 
GuJack20
Trainer
Posts: 322
Joined: Sat Jun 12, 2004 9:44 pm
Location: Tirana

Re: Hotspot+dynamic vlanned Capsman

Mon May 06, 2019 12:24 pm

Hi

Yes, I have done Hotspot in CAPsMAN. I have also done some setups where, for different datapaths, I have used Hotspot running in one datapath and DHCP in another, with virtual interfaces, multiple SSIDs.

I don't have experience with authentication to RADIUS though 😞
--Do you remember that guy who gave up? Neither does anybody else!
 
Exiver
Member Candidate
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Re: Hotspot+dynamic vlanned Capsman

Mon May 06, 2019 3:18 pm

Since it looks like your setup is a little bit more complex, I would go with the "easy" way.

Add a second virtual configuration to your access points, either with or without passphrase (WPA-Personal AND/OR WPA2-Personal), and set up access lists with mac-address matching rules. https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List

Setting up hotspot on the same bridge (datapath) as your WPA2-Enterprise authentication would bring many disadvantages and I wouldn't recommend you doing so.

A second option would be to add a second "logic" to your tenants' network and have a second datapath with hotspot enabled on that bridge. But I guess this will not be trivial and can bring some other problems (no layer2 connectivity between devices in the different networks, for example).
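
The first suggestion above, sketched as RouterOS CAPsMAN configuration. This is an added example, not part of any post in this thread; it assumes an existing WPA2-EAP configuration named cfg-eap and a datapath named dp-tenants, and every name, SSID, MAC address, VLAN ID and passphrase in it is a constructed placeholder. A MAC address can be cloned by any nearby client, so each entry also carries its own passphrase rather than relying on the MAC match alone.

```routeros
# Added example: all names and values below are constructed placeholders.

# Security profile for the second (virtual) SSID used by printers and
# Chromecasts that cannot do WPA2-EAP. The shared passphrase is only a
# fallback; each registered device gets its own key in the access list.
/caps-man security
add name=sec-devices authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="CHANGE-ME-fallback-psk"

# Reuse the tenant datapath (assumed name dp-tenants) so that tagged
# traffic ends up on the same VLAN-aware bridge as the EAP clients.
/caps-man configuration
add name=cfg-devices ssid="Coworking-Devices" security=sec-devices \
    datapath=dp-tenants

# Publish it as a slave (virtual AP) next to the existing EAP master.
/caps-man provisioning
set [find master-configuration=cfg-eap] slave-configurations=cfg-devices

# Allow-list: one entry per registered device, pinned to the tenant VLAN
# and to a per-device passphrase, so one leaked key exposes one device.
/caps-man access-list
add mac-address=00:00:5E:00:53:10 ssid-regexp="Coworking-Devices" \
    action=accept vlan-mode=use-tag vlan-id=101 \
    private-passphrase="CHANGE-ME-unit01-printer" comment="unit 01 printer"
add mac-address=00:00:5E:00:53:20 ssid-regexp="Coworking-Devices" \
    action=accept vlan-mode=use-tag vlan-id=102 \
    private-passphrase="CHANGE-ME-unit02-cast" comment="unit 02 chromecast"

# Clients that match no rule are accepted by default, so close the device
# SSID explicitly. The rule is scoped by SSID and leaves EAP clients alone.
add ssid-regexp="Coworking-Devices" action=reject \
    comment="unregistered device on PSK SSID"
```

Access-list rules are evaluated in order, so the reject rule has to stay last; CAPs need to be re-provisioned before the second SSID appears.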
 
alexvdbaan
Trainer
Topic Author
Posts: 38
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

Re: Hotspot+dynamic vlanned Capsman

Wed May 08, 2019 8:20 pm

> Since it looks like your setup is a little bit more complex, I would go with the "easy" way.
>
> Add a second virtual configuration to your access points, either with or without passphrase (WPA-Personal AND/OR WPA2-Personal), and set up access lists with mac-address matching rules. https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List
>
> Setting up hotspot on the same bridge (datapath) as your WPA2-Enterprise authentication would bring many disadvantages and I wouldn't recommend you doing so.
>
> A second option would be to add a second "logic" to your tenants' network and have a second datapath with hotspot enabled on that bridge. But I guess this will not be trivial and can bring some other problems (no layer2 connectivity between devices in the different networks, for example).

This is an option that I will give a try, thanks for the suggestion.