Hi,
I setup VLAN's with a management VLAN. Now I have on every switch/router a specific port to access the management VLAN. Works, but nevertheless, since those devcies are more or less hidden I need to have a long cable to do modifications without lying on my belly or something like that.
So I was thinking : dot1x can assign VLAN's to users, so I could create users to access the management VLAN. But then every user would need an account to use the switch. Not what I want.
So can user-manager assign a VLAN to unauthenticated users ? Or another way ?
That way every user could access the default VLAN without authentication, but when some user DOES authenticate with the management-account he is directed to the management-VLAN.

Thanks for any insights.

My previous question was theoretical, last evening I went ahead and tried some things.
It seems that there are options for what I need, but I would like clarification.
Setting up a dot1x-server there are the following options (winbox) :
Reject VLAN
Guest VLAN
Server-fail VLAN
I set all of those VLAN's to the same VLAN (which has a DHCP-server !).
I setup a user on my freeradius-server.
Trying to get access with that user works fine, and gets met to the desired VLAN (NOT the same as the other VLAN's) and an ip-address.

When I give wrong credentials, after a while I see in the status that the port is enabled in the server-fail VLAN, but I don't get an ip-address.
I checked with the logs (freeradius & switch), and it seems that the switch never gets the Access-Reject message from freeradius.

I would presume that trying to access without authentication, I would immediately get access to the guest VLAN. Unfortunately, it's only after at least 1 minute I get access. Is there a way to shorten this time ? I did set the Auth timeout to 5 seconds.

I'm confused.
FWIW, the switch is a CRS310-8G+2S+IN, running RoS 7.14.3.

See https://help.mikrotik.com/docs/display/ ... t1X-Server. The guest-vlan-id functionality is odd, other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to Mikrotik there isn't much you can do to reduce the time.

Not sure why you don't get an IP address when falling back to the server-fail-vlan-id VLAN, however fixing the FreeRADIUS setup so Access-Reject is returned promptly on authentication failure would use reject-vlan-id.

After further investigation, I came to the conclusion that I could live with the settings when using Freeradius.
I can get access unauthenticated via the correct vlan (guest-vlan). When I authenticate correct, I can get to the desired vlan (Freeradius provides the vlan).
Trying to authenticate with wrong credentials does not work (reject-vlan does not work) is OK with me, as a rogue user is not supposed to get access.
To get guest vlan to work I had to set the Retrans. Timeout low, I used 5sec.
But, and here is the big problem : when I try this with user-manager on a mikrotik-device, which is the purpose of all this, it never works (I tried with a hEX-router and another CRS310). I only get access via the guest-vlan.
I set up user-manager on the second switch with the exact same credentials as on freeradius, with the exact same user-account. I also set extra attributes for the vlan. So switching the ip-address of the Radius-server on the switch should give the same results. Unfortunately, it does not.
When I add logging (debug, radius) on both switches, I only see activity on the dot1x-server, although the packet-sniffer on the user-manager-switch does capture packets, but with a result Access-Reject.
My laptop (kubuntu, networkmanager) is configured like this (dot1x) :
anonymous identity : anonymous
PEAP-version : automatic
inner auth : MSCHAPv2
username : test-user
password : <obfuscated>

OK, I restarted from scratch.
My setup (topology see the image) :
PC1
Freeradius 3.0
user :
- user2 with password

R1 (default configuration)
- Usermanager
enabled authentication port (and accounting port)
added client (NAS in radius-speach) with ip-address and secret.
2 users :
- user1, with password
- user2, with same password as on Freeradius
both in "user group" "default"

S1 (default configuration)
- 2 RADIUS entries :
- IP-address pointing to R1 with corresponding secret
- IP-address pointing to freeradius-server with corresponding secret (disabled)
- Dot1X server
- ethers 1 to 6 and spfplus1 as dot1x (via an interface list).
- Auth.Types : dot1x checked
- Retrans. Timeout : 5sec.

S2 (default configuration)
- Dot1X client
Interface : sfpplus1
EAP Methods : EAP MSCHAPv2
identity : user1
password : <as on R1>
Anon. Identity : anonymous

PC2 : Kubuntu 24.04LTS with NetworkManager
not connected to the network

Procedure :
To have a baseline I started with pure mikrotik, so RADIUS on S1 pointing to R1. The result was an authenticated sfp-sfpplus1.
Next I connected PC2 to ether3 and tried to connect withouth autentication, this failed as axpected.
Then I set up PC2 to connect with 801.1x authentication as user2, but that failed, no matter what authentication methods I tried.

Now, on S1 I disabled the RADIUS entry to R1 and enabled that to Freeradius.
I tried to connect PC2 to ether3 with 801.x authentication, again as user2, with PEAP/MSCHAPv2 and I could connect.
So there is a difference between freeradius and mikrotik's User Manager in the handling of dot1x.

On PC2 I sniffed the traffic on the network port and there it shows :
after the "Client Hello" of the PC, the mikrotik-port answers "Alert (Level: Fatal, Description: Handshake Failure)".
See the (zipped) pcap-file.

FWIW, Windows 11 with PEAP/MSCHAPv2 behaves the same, i.e. no access with mikrotik User Manager.

What certificates are you using for the EAP part. Windows requires the CA to be in the machine certificate store, there are other caveats too https://wiki.geant.org/display/H2eduroa ... iderations

No certificates at this moment.
But isn't that besides the point ? Freeradius authenticates fine, should not mikrotik do the same ? Although I didn't test windows with freeradius.
And the ultimate goal is to have no Freeradius server in this instance.

Pretty much all EAP methods will not work unless the server presents a certificate - are you sure FreeRADIUS isn't using some default certificate, whereas usermanager will need one creating

I'm absolutely no expert in radius, but what I understand is that a certificate is used to certify that the server is who it pretends to be. But then the clients need it's counterpart, the CA cert.
And yes, my freeradius server presents a certificate (to authenicate WiFi-clients). So I'm going to try to create a certificate on mikrotik.
A new but : why do mikrotik devices work without those certificates ?

OK, so I installed a certificate on the User Manager and now it works.
But it only works if I don't use the exported ca-certificate on the client. I exported it as PEM, but the name ends in crt.
With the mikrotik ca and User Manager, the client reports "Unsupported Certificate".

Now I can try using vlans.

I made an error.
In the UserManager /Router/Settings I selected the ca-certificate, that should have been the server-certificate. Not that works also.

I'm not sure why the Mikrotik supplicant works without a certificate on the server. The certificate provides the keying material for the TLS tunnel used by PEAP in addition to providing identity information.

Per the previously linked page for Windows supplicants they will not work unless the certifcate contains the TLS Server Authentication EKU and the CA exists in the certificate store.