deweydb
just joined
Topic Author
Posts: 7
Joined: Mon Dec 14, 2020 10:03 pm

Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Mon Dec 14, 2020 10:57 pm

My goal is to set up a hotel wireless network where guests can roam across any AP in the building but remain in their dedicated room-assigned VLAN. Additionally, in each guest room there is a dedicated casting device connected to the TV. The goal is that the guest can cast media from their devices to this casting device. I have attempted to illustrate this with a small diagram. I apologize that my graphic design skills are not the greatest.
[Image: diagram of the planned hotel network]
Note: at the moment I do not have the switch included; I am only testing with a MikroTik router and access point. I am only showing this diagram as an example of the planned infrastructure; also, the switch ports in the diagram are not necessarily correct, I just drew some lines to indicate communication between devices.

I have configured an open wireless network, where guests are initially restricted from internet access behind a captive portal. I modified the MikroTik captive portal login.html file to redirect to the PacketFence captive portal as outlined in the somewhat outdated PacketFence MikroTik networking guide. I have CAPsMAN configured on the main router to manage the access points.

My problem is that when my clients first connect they do not have an assigned VLAN tag. Once they complete authentication with the captive portal, PacketFence (RADIUS) replies with Access-Accept and
Mikrotik-Wireless-VlanID = <room_number>
Mikrotik-Wireless-VlanIDType = 0

In my CAPsMAN datapath configuration if I do:
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-mode=use-tag
the client is unable to connect to the wireless network, and does not receive an IP address.

If I leave out my datapath VLAN configuration, e.g.:
/caps-man datapath
add bridge=bridge1 name=datapath1
The client connects, receives a hotspot pool IP, e.g. 10.5.50.123, and after authenticating with the captive portal the client stays on 10.5.50.123 and becomes "Authenticated" in the hotspot. The PacketFence logs show:
(10.2.2.1) Returning ACCEPT with VLAN 906 
But the client does not switch to this VLAN.

Am I just going about this all wrong? It seems like I should have "use tag" enabled, but also have some sort of ACL that specifies the registration VLAN tag for unauthenticated users? Thank you for taking the time to read my post.

Here is my router config:
# dec/14/2020 20:28:41 by RouterOS 6.47.4
# software id = EVXY-A9Y7
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A390AAB
/interface bridge
add mtu=1504 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge1 mtu=1504 name="ether1-vlan 100 MGMT" vlan-id=100
add interface=ether1 name="ether1-vlan 103" vlan-id=103
add interface=bridge1 name="ether1-vlan 150 Phones" vlan-id=150
add interface=bridge1 name="ether1-vlan 200 CAST" vlan-id=200
add interface=bridge1 name="ether1-vlan 801" vlan-id=801
add interface=bridge1 name="ether1-vlan 905" vlan-id=905
add interface=bridge1 name="ether1-vlan 906" vlan-id=906
add interface=bridge1 name="ether1-vlan 907" vlan-id=907
add interface=bridge1 name="ether1-vlan 908" vlan-id=908
add interface=ether1 mtu=1504 name=ether1-vlan102 vlan-id=102
add interface=ether9 name="vlan35 for Bell" vlan-id=35
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-id=102 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan35 for Bell" name="Bell Fibe" password=<redacted> use-peer-dns=yes user=<redacted>
/caps-man security
add authentication-types="" name=GuestsNetwork
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.extension-channel=disabled channel.reselect-interval=1h datapath=\
    datapath1 multicast-helper=full name=GuestsNetwork2Ghz security=GuestsNetwork ssid=MikroTik
add channel.band=5ghz-n/ac channel.control-channel-width=20mhz channel.extension-channel=XX channel.reselect-interval=1d datapath=\
    datapath1 multicast-helper=full name=GuestNetwork5Ghz security=GuestsNetwork ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=wifi.rookhotel.com hotspot-address=10.5.50.1 login-by=cookie,http-chap,https name=hsprof1 ssl-certificate=\
    CAPsMAN-744D2819AD41 use-radius=yes
/ip pool
add name="906 pool" ranges=10.9.6.8-10.9.6.14
add name=dhcp_pool1 ranges=10.5.5.2-10.5.5.254
add name="cast pool" ranges=10.4.4.2-10.4.4.254
add name="907 pool" ranges=10.9.7.8-10.9.7.14
add name="MGMT pool" ranges=10.2.2.50-10.2.2.60
add name="908 Pool" ranges=10.9.8.8-10.9.8.14
add name="102 VLAN dhcp" ranges=192.168.102.2-192.168.102.254
add name="905 Pool" ranges=10.9.5.8-10.9.5.14
add name="801 Pool" ranges=10.8.1.8-10.8.1.14
add name=hs-pool-27 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool="906 pool" disabled=no interface="ether1-vlan 906" name="Room 906 DHCP"
add address-pool=dhcp_pool1 disabled=no interface="ether1-vlan 150 Phones" name=dhcp1
add address-pool="cast pool" disabled=no interface="ether1-vlan 200 CAST" name="cast dhcp"
add address-pool="907 pool" disabled=no interface="ether1-vlan 907" name="Room 907 DHCP"
add address-pool="MGMT pool" disabled=no interface="ether1-vlan 100 MGMT" name="MGMT DHCP"
add address-pool="908 Pool" disabled=no interface="ether1-vlan 908" name="Room 908 DHCP"
add address-pool="905 Pool" disabled=no interface="ether1-vlan 905" name="Room 905 DHCP"
add address-pool="801 Pool" interface="ether1-vlan 801" name="Room 801 DHCP"
add address-pool=hs-pool-27 disabled=no interface=bridge1 lease-time=1h name=dhcp2
/ip hotspot
add address-pool=hs-pool-27 disabled=no interface=bridge1 name=hotspot1 profile=hsprof1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled comment=GuestNetwork2Ghz hw-supported-modes=gn master-configuration=GuestsNetwork2Ghz
add action=create-dynamic-enabled comment=GuestNetwork5Ghz hw-supported-modes=ac master-configuration=GuestNetwork5Ghz
/interface bridge filter
add action=drop chain=forward in-bridge=bridge1 out-bridge=bridge1
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface="ether1-vlan 100 MGMT" pvid=100
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface="ether1-vlan 906"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.9.6.1/28 interface="ether1-vlan 906" network=10.9.6.0
add address=10.2.2.1/24 interface="ether1-vlan 100 MGMT" network=10.2.2.0
add address=10.9.7.1/27 interface="ether1-vlan 907" network=10.9.7.0
add address=10.5.5.1/24 interface="ether1-vlan 150 Phones" network=10.5.5.0
add address=10.4.4.1/24 interface="ether1-vlan 200 CAST" network=10.4.4.0
add address=10.9.8.1/28 interface="ether1-vlan 908" network=10.9.8.0
add address=10.9.5.1/28 interface="ether1-vlan 905" network=10.9.5.0
add address=10.8.1.1/28 interface="ether1-vlan 801" network=10.8.1.0
add address=10.5.50.1/24 comment="hotspot network" interface=bridge1 network=10.5.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-relay
add dhcp-server=10.2.2.254 disabled=no interface="ether1-vlan 100 MGMT" name=packetfence
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
add address=10.4.4.0/24 dns-server=8.8.8.8 gateway=10.4.4.1
add address=10.5.5.0/24 gateway=10.5.5.1
add address=10.5.50.0/24 comment="hotspot network" dns-server=8.8.8.8 gateway=10.5.50.1
add address=10.9.6.0/28 dns-server=8.8.8.8 gateway=10.9.6.1
add address=10.9.7.0/27 dns-server=8.8.8.8 gateway=10.9.7.1
add address=10.100.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.2.2.254 name=radius.<redacted>.com
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input in-interface="ether1-vlan 200 CAST" protocol=igmp
add action=accept chain=forward dst-address=10.2.2.0/24 src-address=10.0.2.0/24
add action=drop chain=forward disabled=yes dst-address=!10.0.0.0/8 src-address=10.2.2.0/24
add action=accept chain=forward src-address=10.2.2.254
add action=accept chain=forward disabled=yes dst-address=10.2.2.1 src-address=10.2.2.60
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="NAT rule for 10.9.6.0/28" out-interface="Bell Fibe" src-address=10.9.6.0/28
add action=masquerade chain=srcnat comment="NAT rule for 10.9.7.0/27" out-interface="Bell Fibe" src-address=10.9.7.0/27
add action=masquerade chain=srcnat comment="NAT rule for Phones" out-interface="Bell Fibe" src-address=10.5.5.0/24
add action=masquerade chain=srcnat comment="NAT rule for MGMT network" out-interface="Bell Fibe" src-address=10.2.2.0/24
add action=masquerade chain=srcnat out-interface="Bell Fibe" src-address=10.4.4.0/24
add action=masquerade chain=srcnat comment="Test Rule" src-address=10.100.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=10.2.2.254
add src-address=10.2.2.254
/ip hotspot walled-garden ip
add action=accept disabled=no dst-host=10.2.2.254
add action=accept disabled=no src-address=10.2.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/radius
add address=10.2.2.254 secret=<redacted> service=hotspot,wireless
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no
/tool mac-server
set allowed-interface-list=none

Here is my AP config:
# dec/14/2020 15:39:29 by RouterOS 6.47.8
# software id = WFU3-28AH
#
# model = RBcAPGi-5acD2nD
# serial number = B8BF0ABC78AF
/interface bridge
add name=NewBridge
/interface wireless
# managed by CAPsMAN
# channel: 2422/20/gn(28dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5660/20-Ce/ac/DP(24dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=NewBridge interface=ether1 pvid=100
add bridge=NewBridge interface=wlan2
add bridge=NewBridge interface=wlan1
/interface wireless cap
# 
set certificate=request discovery-interfaces=NewBridge enabled=yes interfaces=wlan2,wlan1
/ip dhcp-client
add disabled=no interface=NewBridge
/ip firewall filter
add action=accept chain=forward dst-address=10.2.2.0/24
add action=accept chain=forward src-address=10.2.2.0/24
/radius
add address=10.2.2.254 secret=<redacted> service=hotspot,wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="Test CAP AC Mikrotik AP"
 
deweydb
just joined
Topic Author
Posts: 7
Joined: Mon Dec 14, 2020 10:03 pm

Re: Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Tue Jan 05, 2021 12:32 am

Bump
 
peson
Trainer
Posts: 202
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Wed Sep 22, 2021 2:17 am

Did you solve this?
You need to set up bridge VLAN filtering.
Did you follow the CAPsMAN setup from the PF device setup page?
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Wed Sep 22, 2021 2:54 am

Curious myself if this worked out...

Never used PacketFence – we don't deal with enterprise stuff – but always liked their concept. Thought it'd be well suited to use with a MikroTik ROS actually, since it has a richer scheme for captive portals and ethernet VLAN assignment. In fact, using PacketFence with ROS Containers in v7, it'd be a lot more appealing than needing another middleware box...

BTW nothing too obviously wrong in the config, other than nothing is made simple by CAPsMAN. Only thing I saw was some of the VLAN interfaces live on ether1, not the bridge – at least be consistent. Using the "VLAN Filtering" approach to set the generated CAP interface's VLAN may provide better consistency – instead of "use-tag" in CAPsMAN config. But if we ignore that, without VLAN Filtering, it's just a dumb switch so the VLAN should pass through. But since this doesn't work, it's pretty easy to use the Tool>Sniffer or "Torch" to see what's actually happening with the VLANs on the bridge.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Wed Sep 22, 2021 9:04 am

My goal is to setup a hotel wireless network where guests can roam across any AP in the building but remain in their dedicated room assigned VLAN.
I've got a very similar target with the following differences:
- I'm planning to use a Freeradius server
- I'm planning to use different APs.

I've not started to work on it but I think one main component is using Change-of-Authorization (CoA) to have clients dynamically change from one VLAN to another one.

I hope this helps.
 
peson
Trainer
Posts: 202
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: Packetfence (RADIUS) + Hotspot + CAPsMAN + Dynamic VLAN

Wed Sep 22, 2021 12:58 pm

BTW nothing too obviously wrong in the config, other than nothing is made simple by CAPsMAN. Only thing I saw was some of the VLAN interfaces live on ether1, not the bridge – at least be consistent. Using the "VLAN Filtering" approach to set the generated CAP interface's VLAN may provide better consistency – instead of "use-tag" in CAPsMAN config. But if we ignore that, without VLAN Filtering, it's just a dumb switch so the VLAN should pass through. But since this doesn't work, it's pretty easy to use the Tool>Sniffer or "Torch" to see what's actually happening with the VLANs on the bridge.

I've summarized parts of the bridge and VLAN configuration code:
/interface bridge
add mtu=1504 name=bridge1 protocol-mode=none

/interface vlan
add interface=bridge1 mtu=1504 name="ether1-vlan 100 MGMT" vlan-id=100
add interface=ether1 name="ether1-vlan 103" vlan-id=103
add interface=bridge1 name="ether1-vlan 906" vlan-id=906
add interface=ether1 mtu=1504 name=ether1-vlan102 vlan-id=102

/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface="ether1-vlan 100 MGMT" pvid=100
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface="ether1-vlan 906"
This configuration is incorrect; please read https://help.mikrotik.com/docs/display/ ... +Switching carefully.
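The three problems the replies point at in the posted export (VLAN interfaces created on ether1 while ether1 is itself a bridge port, VLAN interfaces built on bridge1 added back as ports of bridge1, and a CAPsMAN datapath with vlan-mode=use-tag on a bridge that has neither vlan-filtering=yes nor a bridge VLAN table) can be checked mechanically before a config is committed. The following is an added example, not code from the thread, from MikroTik or from PacketFence: a small Python linter that parses a RouterOS export and reports those findings. SAMPLE_BROKEN is an abridged copy of the router export posted earlier in the thread; SAMPLE_FIXED is a constructed layout that assumes VLAN 102 is the hotspot (pre-authentication) VLAN and 905-908 are the room VLANs, with made-up interface names such as vlan102-hotspot.

```python
"""Added example (not from the thread, MikroTik or PacketFence): lint a RouterOS
export for the bridge/VLAN mistakes the replies above point at."""
import re
from collections import defaultdict

PARAM = re.compile(r'([\w.-]+)=(?:"([^"]*)"|(\S+))')  # key=value, value may be quoted

# Abridged copy of the router export posted in the thread.
SAMPLE_BROKEN = """\
/interface bridge
add mtu=1504 name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 mtu=1504 name="ether1-vlan 100 MGMT" vlan-id=100
add interface=ether1 name="ether1-vlan 103" vlan-id=103
add interface=bridge1 name="ether1-vlan 906" vlan-id=906
add interface=ether1 mtu=1504 name=ether1-vlan102 vlan-id=102
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-id=102 vlan-mode=use-tag
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface="ether1-vlan 100 MGMT" pvid=100
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface="ether1-vlan 906"
"""

# Constructed corrected layout: VLAN interfaces on the bridge, a VLAN table, and
# filtering on. Assumed: 102 = hotspot VLAN, 905-908 = room VLANs; names made up.
SAMPLE_FIXED = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=100,102
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=905-908
/interface vlan
add interface=bridge1 name=vlan100-mgmt vlan-id=100
add interface=bridge1 name=vlan102-hotspot vlan-id=102
add interface=bridge1 name=vlan906-room vlan-id=906
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-id=102 vlan-mode=use-tag
"""

def parse_export(text):
    """{section: [params, ...]} built from the add/set lines of an export."""
    sections, section, pending = defaultdict(list), None, ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif line.endswith("\\"):            # continuation line in exports
            pending += line[:-1] + " "
        else:
            verb, _, rest = (pending + line).partition(" ")
            pending = ""
            if section and verb in ("add", "set"):
                sections[section].append({k: q or u for k, q, u in PARAM.findall(rest)})
    return sections

def expand_vlan_ids(spec):
    """'100,102,905-908' -> {100, 102, 905, 906, 907, 908}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint_bridge_vlans(text):
    """Findings for the three problems discussed in the thread; [] when clean."""
    cfg, findings = parse_export(text), []
    vlan_ifaces = {v["name"]: v for v in cfg["/interface vlan"] if "name" in v}
    ports = cfg["/interface bridge port"]
    port_names = {p.get("interface") for p in ports}
    # 1. L3 VLAN interface hung off a physical port that is itself a bridge port
    for name, v in vlan_ifaces.items():
        parent = v.get("interface")
        if parent in port_names and parent not in vlan_ifaces:
            findings.append(f"{name}: parent {parent} is a bridge port; put the VLAN interface on the bridge")
    # 2. VLAN interface built on a bridge added back as a port of that same bridge
    for p in ports:
        v = vlan_ifaces.get(p.get("interface"))
        if v and v.get("interface") == p.get("bridge"):
            findings.append(f"{p['interface']}: VLAN interface on {p['bridge']} is also a port of it (loop)")
    # 3. datapath tags client frames, but the bridge is not VLAN-aware
    #    (exports carry vlan-filtering=yes on the bridge's own add line)
    filtering = {b["name"]: b.get("vlan-filtering") == "yes" for b in cfg["/interface bridge"] if "name" in b}
    table = defaultdict(set)
    for e in cfg["/interface bridge vlan"]:
        if "vlan-ids" in e:
            table[e.get("bridge")] |= expand_vlan_ids(e["vlan-ids"])
    for dp in cfg["/caps-man datapath"]:
        br = dp.get("bridge")
        if dp.get("vlan-mode") != "use-tag":
            continue
        if not filtering.get(br):
            findings.append(f"{dp.get('name')}: vlan-mode=use-tag on {br}, but {br} has vlan-filtering disabled")
        used = {int(v["vlan-id"]) for v in vlan_ifaces.values() if v.get("interface") == br and "vlan-id" in v}
        if "vlan-id" in dp:
            used.add(int(dp["vlan-id"]))
        missing = sorted(used - table[br])
        if missing:
            findings.append(f"{br}: no /interface bridge vlan entry for VLAN(s) {missing}")
    return findings

if __name__ == "__main__":
    for finding in lint_bridge_vlans(SAMPLE_BROKEN):
        print("BROKEN:", finding)
    print("FIXED:", lint_bridge_vlans(SAMPLE_FIXED) or "no findings")
```

Run against the thread's export it reports six findings (two VLAN interfaces on ether1, two VLAN interfaces looped back into bridge1, use-tag without filtering, and no bridge VLAN table for 100, 102 and 906); the constructed layout reports none. The checks only cover what the replies raised; they say nothing about whether the dynamically created CAP interfaces end up as members of the right VLANs, which is the part the linked Bridge VLAN Switching page covers.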
