KoenraadL
just joined
Topic Author
Posts: 4
Joined: Wed Aug 16, 2023 3:16 pm

Default VLAN for non-authenticated users ?

Mon May 13, 2024 12:33 pm

Hi,
I set up VLANs with a management VLAN. Now I have on every switch/router a specific port to access the management VLAN. Works, but nevertheless, since those devices are more or less hidden I need to have a long cable to do modifications without lying on my belly or something like that.
So I was thinking: dot1x can assign VLANs to users, so I could create users to access the management VLAN. But then every user would need an account to use the switch. Not what I want.
So can user-manager assign a VLAN to unauthenticated users? Or another way?
That way every user could access the default VLAN without authentication, but when some user DOES authenticate with the management-account he is directed to the management-VLAN.

Thanks for any insights.
 
KoenraadL
just joined
Topic Author
Posts: 4
Joined: Wed Aug 16, 2023 3:16 pm

Re: Default VLAN for non-authenticated users ?

Tue May 14, 2024 11:12 am

My previous question was theoretical, last evening I went ahead and tried some things.
It seems that there are options for what I need, but I would like clarification.
Setting up a dot1x-server there are the following options (winbox):
Reject VLAN
Guest VLAN
Server-fail VLAN
I set all of those VLANs to the same VLAN (which has a DHCP-server!).
I set up a user on my freeradius-server.
Trying to get access with that user works fine, and gets me to the desired VLAN (NOT the same as the other VLANs) and an ip-address.

When I give wrong credentials, after a while I see in the status that the port is enabled in the server-fail VLAN, but I don't get an ip-address.
I checked with the logs (freeradius & switch), and it seems that the switch never gets the Access-Reject message from freeradius.

I would presume that trying to access without authentication, I would immediately get access to the guest VLAN. Unfortunately, it's only after at least 1 minute I get access. Is there a way to shorten this time? I did set the Auth timeout to 5 seconds.

I'm confused.
FWIW, the switch is a CRS310-8G+2S+IN, running RoS 7.14.3.
 
tdw
Forum Guru
Posts: 1877
Joined: Sat May 05, 2018 11:55 am

Re: Default VLAN for non-authenticated users ?

Sun May 19, 2024 5:26 am

See https://help.mikrotik.com/docs/display/ ... t1X-Server. The guest-vlan-id functionality is odd; other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to MikroTik there isn't much you can do to reduce the time.

Not sure why you don't get an IP address when falling back to the server-fail-vlan-id VLAN, however fixing the FreeRADIUS setup so Access-Reject is returned promptly on authentication failure would use reject-vlan-id.
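
The setup discussed in this thread, written out as a RouterOS configuration sketch. This is an added example, not taken from either poster's configuration. Assumptions: ether2 is an access port on a bridge with VLAN filtering enabled, VLAN 10 is the fallback VLAN, 192.0.2.10 is the FreeRADIUS server, and the secret is a placeholder.

```routeros
# Added example with constructed values (ether2, VLAN 10, 192.0.2.10);
# replace <shared-secret> with the secret configured for this client in FreeRADIUS.

# RADIUS client entry used by the dot1x server
/radius
add address=192.0.2.10 secret="<shared-secret>" service=dot1x

# One dot1x server entry per access port.
#   reject-vlan-id       applied when RADIUS answers with Access-Reject
#   server-fail-vlan-id  applied when RADIUS does not answer and the request times out
#   guest-vlan-id        applied when the client does not take part in dot1x at all
# All three point at the same VLAN here, as in the setup described above.
/interface dot1x server
add interface=ether2 auth-types=dot1x auth-timeout=5s \
    guest-vlan-id=10 reject-vlan-id=10 server-fail-vlan-id=10

# A successful login is moved to the VLAN named in the RADIUS reply
# (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>).

# Inspect the per-port result: authorization status and the VLAN that was applied
/interface dot1x server state print
/interface dot1x server active print
```

A port that ends up in the server-fail VLAN after bad credentials, as reported above, means the switch timed out waiting for RADIUS rather than receiving an Access-Reject.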
