ekarin
Trainer
Topic Author
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Tue Nov 02, 2021 9:17 am

According to Dynamic Switch Rule Configuration:
https://help.mikrotik.com/docs/display/ ... figuration

The source MAC addresses that are set from the RADIUS server in the Mikrotik-Switching-Filter attribute cannot be set dynamically via Dot1x in the switch rule (CRS328). The log error is shown in the attached image. My attribute value is "src-mac-address 6C:2B:59:3A:09:63/FF:FF:FF:FF:FF:FF action allow, src-mac-address 6C:3B:6B:95:A9:9B/FF:FF:FF:FF:FF:FF action allow, action drop". It does not work. :( What is happening? Does the switch not support setting the MAC address in the switch rule via dot1x yet?

I have tried the attribute value in the example as shown below. It works! :-)
https://help.mikrotik.com/docs/display/ ... figuration
"protocol 17 dst-port 100 action allow, action drop"

If anyone knows what the root cause is, please kindly let me know. Many Thanks.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Fri Nov 05, 2021 2:44 pm

You cannot set the src-mac-address (also switch or port); these are automatically populated by the dot1x server, as it will have acquired the MAC address of the device attached to the port, see https://wiki.mikrotik.com/wiki/Manual:I ... figuration
 
ekarin
Trainer
Topic Author
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Mon Nov 08, 2021 10:36 am

tdw wrote:
You cannot set the src-mac-address (also switch or port); these are automatically populated by the dot1x server, as it will have acquired the MAC address of the device attached to the port, see https://wiki.mikrotik.com/wiki/Manual:I ... figuration

Thank you for your suggestion. I understand your point.
I also read and followed that link before. I would like to secure the network after authentication has been successfully done, with the Access-Accept together with the switch rule. This means devices with an incorrect source MAC address cannot share that switch port. With dot1X, it is possible to do port security automatically, isn't it? Only the device that got authenticated can use the switch port. I hope MikroTik support will take this into account.

Any other ideas, please let me know. Thanks
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Mon Nov 08, 2021 7:19 pm

Once a port is authenticated, traffic from any source MAC address can pass; it is an architectural defect in the original 802.1X design. Various vendors have additional controls to limit or restrict source MAC addresses.

I've not looked to see if the dynamic rules are added before or after any static rules. If they appear before you could use Mikrotik-Switching-Filter = "action allow" plus a static rule to drop anything from the 802.1X controlled ports (maybe needs something to allow the EAPOL traffic to the CPU port), however if the dynamic rules appear after any static rules you are stuck.

The Mikrotik 802.1x implementation is fairly new; you could always suggest a feature request to Mikrotik.
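The static-rule fallback sketched in the reply above, written out as an added example that is not code from the thread or from MikroTik's documentation. It assumes a CRS3xx whose switch chip is named switch1, a supplicant on ether2, a RADIUS server at the constructed address 192.0.2.10, and, critically, that the dynamic rule the dot1x server installs from Mikrotik-Switching-Filter is evaluated before the static rules; that ordering is exactly what the reply says is unchecked, so confirm it on your RouterOS version before relying on the drop rule. The EAPOL allow rule (EtherType 0x888E) is also an assumption, included so that the default drop cannot stop authentication frames from reaching the CPU.

```routeros
# Added example, not from the original post. Assumptions: switch "switch1",
# 802.1X-controlled port ether2, RADIUS at 192.0.2.10 (constructed address),
# and dynamic dot1x rules ordered BEFORE static ACL rules (unverified).

/radius
add service=dot1x address=192.0.2.10 secret=changeme comment="dot1x authenticator"

/interface dot1x server
add interface=ether2 auth-types=dot1x

/interface ethernet switch rule
# Assumption: keep EAPOL (EtherType 0x888E) from being caught by the drop
# rule below so the authentication exchange itself can still reach the CPU.
add switch=switch1 ports=ether2 mac-protocol=0x888e action=allow comment="EAPOL"

# Static default-drop for the controlled port. Only traffic matched by a
# preceding dynamic rule (installed from the RADIUS reply) gets through.
add switch=switch1 ports=ether2 action=drop comment="drop unless dynamic allow"
```

On the RADIUS side the reply only needs Mikrotik-Switching-Filter = "action allow"; the dot1x server fills in switch, port and the authenticated src-mac-address itself, so the resulting dynamic rule permits just that one MAC, and anything else sharing the port falls through to the static drop. If the dynamic rule turns out to be appended after the static rules, the drop rule will match first and block the authenticated device as well, which is the "you are stuck" case in the reply; check the rule list with /interface ethernet switch rule print after a successful authentication.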
