Community discussions

MikroTik App
 
project25
just joined
Topic Author
Posts: 11
Joined: Thu Aug 18, 2016 9:04 pm

CAPsMAN with Dynamic VLAN

Thu Oct 15, 2020 6:23 pm

I am attempting to get dynamic VLAN working in CAPsMAN and am not currently having any luck. I can get the wireless client to authenticate using EAP but the VLAN is not currently being assigned correctly by CAPsMAN. Running FreeRADIUS 3.0.17 and MariaDB 10.3.17 on CentOS 8. In terms of the CAPsMAN I'm running CHR 6.45.9 hosted by ESXi 6.7 on a CompuLabs Fitlet2 with my CAP being a mAP Lite. I stopped radiusd and restarted in debug mode and in the output when connecting a client to the output and saw the following:
...
(9) Virtual server sending reply
(9)   Mikrotik-Wireless-VLANID = 45
(9)   Mikrotik-Wireless-VLANIDtype = 802.1q
(9)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9)   MS-MPPE-Send-Key = I DONT THINK YOU NEED TO SEE THE KEY
(9)   MS-MPPE-Recv-Key = I DONT THINK YOU NEED TO SEE THE KEY
(9)   EAP-Message = 0x03090004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "user"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap:   Mikrotik-Wireless-VLANID = 45
(9) eap_peap:   Mikrotik-Wireless-VLANIDtype = 802.1q
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
...
But the client is simply being dropped in the default VLAN (verified by DHCP lease being from the DHCP server on the default VLAN and not the DHCP on VLAN 45).

Here is a snippet of my Mikrotik config (using local forwarding).
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name="2.4 GHz"
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX name=\
    "5 GHz"
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man rates
add basic=12Mbps,18Mbps name="Basic Rates" supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm \
    group-encryption=aes-ccm name=security1
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security2 \
    passphrase=8779121550
/caps-man configuration
add channel="2.4 GHz" country="united states3" datapath=datapath1 installation=\
    indoor mode=ap name="MDU TEST 2.4 GHz" rates="Basic Rates" security=\
    security1 ssid=MDU-WIFI
add channel="5 GHz" country="united states3" datapath=datapath1 installation=\
    indoor mode=ap name="MDU TEST 5 GHz" rates="Basic Rates" security=security1 \
    ssid=MDU-WIFI
/caps-man interface
add channel.frequency=2412,2437,2462 configuration="MDU TEST 2.4 GHz" disabled=\
    no l2mtu=1600 mac-address=74:4D:28:8F:07:BA master-interface=none name=\
    mAP-Lite radio-mac=74:4D:28:8F:07:BA radio-name=744D288F07BA \
    security.eap-methods=passthrough
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-disabled hw-supported-modes=a master-configuration=\
    "MDU TEST 5 GHz" name-format=prefix name-prefix=MDU
add action=create-disabled hw-supported-modes=b master-configuration=\
    "MDU TEST 2.4 GHz"
/radius
add address=10.1.10.40 secret=itsasecret service=wireless
/radius incoming
set accept=yes

I found the following when I enabled RADIUS debugging on the CAPsMAN so it does appear to be receiving the information from the reply tables in the database.
...
10:07:27 radius,debug,packet     MT-Wireless-VLAN-ID = 45 
10:07:27 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0 
10:07:27 radius,debug,packet     EAP-Message = 0x010200061920 
...

I've also tried both remote forwarding and local forwarding (local would be the preferred method in this application). Does anyone see anything that stands out as unusual? Thanks for taking a look.

Who is online

Users browsing this forum: No registered users and 30 guests