dchouinard
just joined
Topic Author
Posts: 13
Joined: Tue Aug 12, 2008 6:26 pm
Location: Val-d'Or, Quebec

VLAN Assignation per user using RADIUS

Tue Aug 12, 2008 6:42 pm

Greetings everyone.

I do WPA authentication using a RADIUS server (freeradius on a zeroshell server). On the server I can specify the client assigned VLAN (802.1x).

I need my AP to dynamically assign the VLAN to the wireless client. This will allow different clients to be on different networks.

TRUNK PORT -> ETH2 -> WAP -> CLIENT on vlan 3404
                         \-> CLIENT2 on vlan 3410

I understand that I need to bridge my WAP and the ETH2 interface. But I do not understand where the packet is going to be tagged and how to tell RouterOS to do that.

I am yet to find documentation or information.

Any idea?

Dany Chouinard
 
meno
Member Candidate
Posts: 233
Joined: Sat Jul 19, 2008 4:45 am

Re: VLAN Assignation per user using RADIUS

Wed Aug 13, 2008 3:14 am

That is kinda what I want to make... create a VLAN per customer... but I don't know exactly how to do that on WiMAX professional equipment like Alvarion. I heard about a pseudo VLAN... but that's all I know in 802.11a/b/g
 
dchouinard
just joined
Topic Author
Posts: 13
Joined: Tue Aug 12, 2008 6:26 pm
Location: Val-d'Or, Quebec

Re: VLAN Assignation per user using RADIUS

Wed Aug 13, 2008 6:14 pm

I have found a good description of what I'm trying to accomplish. But I am yet to figure out how to do it with RouterOS.

http://searchsecurity.techtarget.com/ge ... 11,00.html
 
Belyivulk
Member Candidate
Posts: 285
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: VLAN Assignation per user using RADIUS

Thu Aug 14, 2008 1:33 am

This sounds like something we would be interested in knowing about as well.
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Re: VLAN Assignation per user using RADIUS

Thu Aug 14, 2008 12:04 pm

As can be read in the post the key is that RouterOS has to understand those RADIUS attributes (and act accordingly).
I don't think this is implemented right now.

Best bet would be to write a feature request to support, I suppose...
Best regards,
Christian Meis
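
What "understanding those RADIUS attributes" means for an access point, as an added example that is not part of the thread and is not RouterOS code: RFC 3580 signals a per-user VLAN with Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) holding the VLAN ID. The attribute bytes and the allowed-VLAN set below are constructed, using the VLAN numbers from the first post.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # values RFC 3580 requires for VLAN assignment


def parse_attributes(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):   # length counts type+length+value
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def assigned_vlan(attr_bytes, allowed):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none.

    Assumes a single tunnel, so tags are skipped rather than used for grouping.
    """
    found = {}
    for atype, value in parse_attributes(attr_bytes):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")   # byte 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            text = value[1:] if value[0] <= 0x1F else value   # optional tag byte
            found[atype] = text.decode("ascii", "replace")
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if vlan is None:
        return None
    # Fail closed: a group ID only counts when both tunnel attributes match,
    # the ID is a valid 802.1Q number, and the AP's trunk actually carries it.
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        raise ValueError("group ID without Tunnel-Type=VLAN / Medium=IEEE-802")
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        raise ValueError("not a valid 802.1Q VLAN ID")
    if int(vlan) not in allowed:
        raise ValueError("VLAN not permitted on this AP")
    return int(vlan)


def attr(atype, value):
    """Encode one attribute (helper for the constructed sample below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: attribute section of an Access-Accept assigning VLAN 3404.
SAMPLE = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"3404")
ALLOWED = {3404, 3410}          # VLANs on the AP's trunk, as in the first post
```

Checking the returned ID against the VLANs the trunk carries keeps a misconfigured RADIUS entry from placing a client on a network the AP was never meant to serve.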
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Thu Nov 04, 2010 3:47 pm

Hi,

Did this ever get implemented?

Was there a feature request?

Currently I can only get this functionality with products like HP, Trapeze etc. If I could use the "Client Assigned VLAN" attribute in RouterOS then I'd be able to deploy a lot more MikroTik.

I only need the AP to respect the attribute in WPA2-EAP scenarios. Don't necessarily need it in HotSpot or UserManager.

Ta
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: VLAN Assignation per user using RADIUS

Sat Nov 06, 2010 7:05 pm

It is not implemented in any current version.
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Sun Nov 07, 2010 5:30 pm

Ok, would it be possible? How do I make a feature request? Can anyone think of a workaround?

Perhaps I'll look at the L2 firewall...

Ta
 
duvi
Frequent Visitor
Posts: 70
Joined: Fri Jun 05, 2009 12:32 pm

Re: VLAN Assignation per user using RADIUS

Sun Nov 07, 2010 8:02 pm

Maybe you could try openwrt, this feature is working with it.
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Mon Nov 08, 2010 11:13 am

That's interesting, I didn't know that. I'll take a look.

The thing is that I already have a significant (city wide) Mikrotik deployment so I'd like to stick with that if possible.

Ta
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 12:02 am

> Maybe you could try openwrt, this feature is working with it.

Duvi - I can't see this in any of the OpenWRT documentation and I've Googled pretty hard ...

Could you point me in the right direction please.


Thanks
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 12:39 am

If you turn on radius debug logging, does that attribute show up in the logs? If it does, a workaround would be to write a script to monitor the radius log, watching for that attribute. Then you could take any action you wanted based on the entry in the log. It is a bit of a hack, but may get you going in the meantime, if required.
Doug
 
duvi
Frequent Visitor
Posts: 70
Joined: Fri Jun 05, 2009 12:32 pm

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 12:55 am

It's described here http://rpc.one.pl/index.php/lista-artyk ... em-hostapd

It's in Polish, but it's not too hard to get the point from the config files.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 2:19 am

> It's described here http://rpc.one.pl/index.php/lista-artyk ... em-hostapd
>
> It's in Polish, but it's not too hard to get the point from the config files.

Translated in English:
http://translate.google.com/translate?h ... pd&prev=_t
Doug
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 9:28 am

> If you turn on radius debug logging, does that attribute show up in the logs? If it does, a workaround would be to write a script to monitor the radius log, watching for that attribute. Then you could take any action you wanted based on the entry in the log. It is a bit of a hack, but may get you going in the meantime, if required.

That's an interesting idea Doug...

Perhaps I can script dynamic L2 NAT rules to forward the client's traffic to/from the right VLAN...

Thanks
 
joefat
just joined
Posts: 7
Joined: Tue Sep 21, 2010 4:32 pm

Re: VLAN Assignation per user using RADIUS

Wed Nov 10, 2010 10:44 am

> Maybe you could try openwrt, this feature is working with it.

Wow! It's a shame that we can't have access to wireless interfaces from MetaRouters :-(

Then I could use OpenWRT to do this on my existing MikroTik installations.


I've added "Support for RADIUS Subscriber Assigned VLAN attribute in 802.1x" to the MikroTik feature request Wiki...

I guess people can vote for it if they think it would be useful :-)

In the meantime I'll be learning OpenWRT then...

Thanks

Matt
