 
losta

UserManager with Unifi-SW 802.1x

Thu Sep 01, 2022 2:40 pm

Hello,

I have configured User Manager on a hAP ac3 to authenticate via 802.1X.

The idea is that hosts connecting by cable or Wi-Fi to the Unifi devices are placed in a specific VLAN if they are authorized by RADIUS (MAC), and in a guest VLAN if they are not on that list.

VLAN12-Working VLAN MAC Auth
VLAN15-Guest VLAN MAC no Auth

What doesn't work for me is that, after the Unifi device sends its request, the response doesn't seem to be understood.


Mikrotik export:
# --- L2 layout: one VLAN-filtering bridge; ether5 (see /interface bridge port)
# is the only active bridge port and carries VLAN 12 and VLAN 15 tagged.
/interface bridge
# NOTE(review): frame-types=admit-only-vlan-tagged is set on the bridge
# interface itself (the CPU-facing port), so untagged traffic between the
# router and the bridge is dropped; the untagged addresses 192.168.88.1/24 and
# 192.168.66.1/24 assigned to "bridge" further down may therefore be
# unreachable -- confirm before relying on them.
add admin-mac=08:55:31:D4:43:51 auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge pvid=12 vlan-filtering=yes
/interface wireless
# Both radios keep factory SSIDs and the default security profile. The export
# shows no mode/authentication-types on that profile (see the security-profiles
# line below), i.e. it is still open. The wlan bridge ports are disabled in
# /interface bridge port, so nothing is bridged yet -- assign a WPA2/WPA3
# profile before enabling them.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-D44355 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-D44356 wireless-protocol=802.11
/interface vlan
# Router-side L3 interfaces for the two VLANs. PERMITIDOS ("allowed") is the
# authorised VLAN 12, SIN_PERMISO ("no permission") the guest VLAN 15.
add comment=PERMITIDOS interface=bridge name=vlan12 vlan-id=12
add comment=SIN_PERMISO interface=bridge name=vlan15 vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Only supplicant-identity is changed on the default profile; no mode or
# authentication-types are exported, so the profile is presumably still open.
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
# Lease server on the untagged bridge. use-radius=yes asks RADIUS for lease
# data, but the only /radius client entry (127.0.0.1, service dhcp) is
# disabled, so this setting currently has no backend -- presumably leftover.
add interface=bridge lease-time=30s name=defconf use-radius=yes
/ip pool
# default-dhcp and PERMITIDOS (192.168.66.x) serve the untagged bridge;
# VLAN12-POOL and SIN_PERMISO serve the two VLANs.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=PERMITIDOS ranges=192.168.66.2-192.168.66.254
add name=VLAN12-POOL ranges=192.168.12.2-192.168.12.254
add name=SIN_PERMISO ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
# 30 s leases on both VLANs -- short enough that a host moved between VLANs by
# a RADIUS decision re-addresses quickly (presumably intentional), at the cost
# of constant DHCP renewals.
add address-pool=VLAN12-POOL interface=vlan12 lease-time=30s name=VLAN12
add address-pool=SIN_PERMISO interface=vlan15 lease-time=30s name=VLAN15
/user-manager attribute
# Dynamic-VLAN assignment (RFC 3580): Tunnel-Type 13 = VLAN, Tunnel-Medium-Type
# 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN the NAS should put the port in.
# All three are allowed in Access-Accept (and Access-Challenge) so the NAS
# receives them together with the accept.
set [ find default-name=Tunnel-Type ] packet-types=access-accept,access-challenge
set [ find default-name=Tunnel-Medium-Type ] packet-types=access-accept,access-challenge
set [ find default-name=Tunnel-Private-Group-ID ] packet-types=access-accept,access-challenge
/user-manager user
# MAC-auth user: the name is presumably the client MAC in 12-hex-digit form
# (the same format as radius-mac-format on the dot1x server below);
# shared-users=unlimited allows concurrent sessions for the same MAC, and the
# attributes place an accepted host in VLAN 12.
# NOTE(review): caller-id=192.168.15.253 is the Unifi NAS address. User Manager
# compares caller-id with the request's Calling-Station-Id, which for MAC
# authentication from a switch/AP is normally the client's MAC rather than the
# NAS IP -- so this entry may never match and the request would be rejected.
# Check the reject reason in the radius log; restricting by NAS belongs in the
# /user-manager router entry instead. No password is visible here (it may be
# hidden by the export): if the NAS sends the MAC as the password, the user
# entry needs a matching password set.
add attributes=Tunnel-Type:13,Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:12 caller-id=192.168.15.253 name=CC2DE0181095 shared-users=unlimited
/interface bridge port
# Only ether5 is an active bridge port (tagged-only trunk, pvid=12). ether2-4
# and both wlans are disabled; they keep ingress-filtering=no, so if re-enabled
# they would not check VLAN membership on ingress -- keep them disabled or set
# ingress-filtering=yes first.
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether2 pvid=12
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether3 pvid=12
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether4 pvid=12
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5 pvid=12
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=wlan1 pvid=12
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=wlan2 pvid=12
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is globally disabled, so there is no v6 exposure on ether1.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN 12 (authorised) and 15 (guest) are tagged towards the CPU ("bridge")
# and ether5; ether5 is presumably the trunk to the Unifi switch -- confirm.
add bridge=bridge tagged=bridge,ether5 vlan-ids=12
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
/interface dot1x server
# RouterOS's own MAC-auth server on ether5 is disabled=yes, so this router is
# not authenticating ether5 itself; the expectation (per the post) is that the
# Unifi NAS authenticates its ports and queries User Manager. server-fail-vlan-id=15
# only takes effect if this server is enabled. radius-mac-format=XXXXXXXXXXXX
# matches the 12-hex-digit username in /user-manager user.
add auth-types=mac-auth disabled=yes interface=ether5 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX \
    reauth-timeout=1m server-fail-vlan-id=15
/interface list member
# ether1 is the WAN uplink; the bridge (all VLANs reach the CPU through it) is
# the LAN list used by the mac-server and neighbor-discovery settings.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# OVPN auth digests: md5 is still accepted. No enabled=yes is exported, so the
# server is presumably off; drop md5 before ever enabling it.
set auth=sha1,md5
/ip address
# 192.168.88.1 and 192.168.66.1 sit untagged on the bridge (see the
# frame-types caveat on the bridge interface); 12.1 and 15.1 are the VLAN
# gateways.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 comment=defconf interface=bridge network=\
    192.168.66.0
add address=192.168.12.1/24 comment=PERMITIDOS interface=vlan12 network=\
    192.168.12.0
add address=192.168.15.1/24 comment=SIN_PERMISO interface=vlan15 network=\
    192.168.15.0
/ip dhcp-client
# ether1 gets its address from the upstream network by DHCP (presumably the
# 192.168.68.0/24 used by the dst-nat rule below -- confirm).
add comment=defconf interface=ether1
/ip dhcp-server network
# VLAN and 66.x clients are handed 8.8.8.8 directly rather than the router,
# so they do not depend on allow-remote-requests below.
add address=192.168.12.0/24 dns-server=8.8.8.8 gateway=192.168.12.1 netmask=\
    24
add address=192.168.15.0/24 dns-server=8.8.8.8 gateway=192.168.15.1 netmask=\
    24
add address=192.168.66.0/24 dns-server=8.8.8.8 gateway=192.168.66.1 netmask=\
    24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
# NOTE(review): the router resolves DNS for any source; together with the
# accept-all input rule below this makes it an open resolver on ether1. Add an
# input rule dropping udp/tcp 53 from in-interface-list=WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): the only enabled rule accepts everything in the input chain;
# the defconf established/related + drop-from-WAN rules are absent and the
# forward chain has no rules at all. Every router service (WinBox 8291, DNS,
# RADIUS CoA 1700, RoMON, ...) is reachable from ether1, and nothing stops
# VLAN 15 guests from routing into VLAN 12 through the router. Restore:
# accept established,related; accept in-interface-list=LAN; drop
# in-interface-list=WAN -- plus a forward rule dropping vlan15 -> vlan12.
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): port-forward 192.168.68.80:6001 -> 192.168.15.251:8291 exposes
# the WinBox port of a host in the guest VLAN to anything that can reach
# 192.168.68.80 (presumably this router's ether1 address). Limit it with
# src-address(-list) or reach that host over a VPN instead.
add action=dst-nat chain=dstnat dst-address=192.168.68.80 dst-port=6001 \
    protocol=tcp to-addresses=192.168.15.251 to-ports=8291
/radius
# Local RADIUS client pointing at User Manager on this same router; disabled,
# so neither the DHCP server's use-radius nor the (disabled) dot1x server has a
# RADIUS backend right now.
add address=127.0.0.1 disabled=yes service=login,dhcp,dot1x
/radius incoming
# Accepts CoA/Disconnect requests on udp/1700 (the coa-port of the router1
# entry in /user-manager router). A shared secret is still required, but with
# the accept-all input rule this port is also reachable from WAN -- restrict
# it by firewall.
set accept=yes port=1700
/system clock
set time-zone-name=Europe/Madrid
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system logging
# radius/account/manager topics go to the default (memory) log; this is where
# the Access-Request from the Unifi NAS and User Manager's accept/reject
# reason should show up while debugging the 802.1X exchange.
add topics=radius
add topics=account
add topics=manager
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
# RoMON enabled, restricted to vlan12 as the only RoMON port. No secret value
# is visible in this export (it may be hidden); set one if VLAN 12 hosts are
# not fully trusted.
set enabled=yes
/tool romon port
add disabled=no interface=vlan12
/user-manager
# User Manager enabled. certificate=*0 is an internal id reference -- verify
# it resolves to a real entry in /certificate. MAC-auth does not need it, but
# EAP methods that use TLS do.
set certificate=*0 enabled=yes
/user-manager router
# RADIUS clients (NAS entries). User Manager matches the entry by the request's
# source address, so the Unifi requests must really arrive from
# 192.168.15.253. The shared secret is not shown in the export and must match
# the controller's RADIUS profile; a mismatch typically appears in the radius
# log as a bad authenticator/secret rather than as a reject.
# NOTE(review): 192.168.15.253 lies in the guest VLAN 15 subnet, so the Unifi
# management address shares L2 with unauthenticated hosts -- consider moving
# NAS management to VLAN 12 or a dedicated management VLAN.
add address=127.0.0.1 coa-port=1700 disabled=yes name=router1
add address=192.168.15.253 coa-port=45054 name=Unifi
Diagram:
Image
