sathackr
just joined
Topic Author
Posts: 22
Joined: Thu Dec 25, 2014 5:13 am

Dot1x mac auth in V7 not working as expected

Sat Nov 26, 2022 7:33 am

Is anyone successfully using 802.1x mac auth/vlan assignment in V7.x?

We're trying our first deployment and getting entirely unpredictable results. In one test setup, we have reject vlan and server-fail vlans configured, yet the port still goes into un-authorized state with no vlans.

Seems to be entirely random whether the switch actually checks in with the radius server.

Yes, I know that in the log below the radius request timed out, but it doesn't matter. The port should have been authorized into the server-fail vlan. The enables/disables are me trying to get it to re-auth again. It's not even trying to talk to radius. Have tried v7.2 through v7.6.
 00:22:02 radius,debug,packet     NAS-Port-Id = "ether22"
 00:22:02 radius,debug,packet     Unknown-Attribute(type=102) = 0x00
 00:22:02 radius,debug,packet     NAS-Identifier = "lab"
 00:22:02 radius,debug,packet     NAS-IP-Address = 10.5.93.133
 00:22:02 radius,debug resending 82:04
 00:22:02 radius,debug,packet sending Access-Request with id 5 to 10.1.3.14:1812
 00:22:02 radius,debug,packet     Signature = 0x0xxxx
 00:22:02 radius,debug,packet     Framed-MTU = 1400
 00:22:02 radius,debug,packet     NAS-Port-Type = 15
 00:22:02 radius,debug,packet     Called-Station-Id = "48-8F-5A-93-D0-64"
 00:22:02 radius,debug,packet     Calling-Station-Id = "00-0A-19-09-AE-6E"
 00:22:02 radius,debug,packet     Service-Type = 2
 00:22:02 radius,debug,packet     User-Password = 0xxxxx
 00:22:02 radius,debug,packet       45
 00:22:02 radius,debug,packet     User-Name = "00:0A:19:09:AE:6E"
 00:22:02 radius,debug,packet     Acct-Session-Id = "00007086"
 00:22:02 radius,debug,packet     NAS-Port-Id = "ether22"
 00:22:02 radius,debug,packet     Unknown-Attribute(type=102) = 0x00
 00:22:02 radius,debug,packet     NAS-Identifier = "lab"
 00:22:02 radius,debug,packet     NAS-IP-Address = 10.5.93.133
 00:22:03 radius,debug timeout for 82:04
 00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" radius req timeout, apply server fail vlan:2400
 00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" add to vlan 2400
 00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" authorized, start reauth timer seconds:10
 00:22:03 dot1x,debug s ether22 UNBLOCK
 00:22:13 dot1x,debug s ether22 "00:0A:19:09:AE:6E" starting reauth mac-auth
 00:22:13 dot1x,debug s ether22 BLOCK
 00:22:40 interface,info ether22 link down
 00:22:40 system,info device changed by admin
 00:22:40 system,info device changed by admin
 00:22:40 dot1x,debug s ether22 BLOCK
 00:22:41 system,info device changed by admin
 00:22:41 system,info device changed by admin
 00:22:41 system,info device changed by admin
 00:22:41 dot1x,debug s ether22 BLOCK
 00:22:41 system,info device changed by admin
 00:22:41 system,info device changed by admin
 00:22:41 dot1x,debug s ether22 BLOCK
 00:22:41 system,info device changed by admin
 00:22:42 system,info device changed by admin
 00:22:42 dot1x,debug s ether22 BLOCK
 00:22:42 system,info device changed by admin
 00:22:42 system,info device changed by admin
 00:22:42 dot1x,debug s ether22 BLOCK
 00:22:42 system,info device changed by admin
 00:22:42 system,info device changed by admin
 00:22:42 dot1x,debug s ether22 BLOCK
 00:22:42 system,info device changed by admin
 00:22:43 system,info device changed by admin
 00:22:43 dot1x,debug s ether22 BLOCK
 00:22:43 system,info device changed by admin
 00:22:44 system,info device changed by admin
 00:22:44 dot1x,debug s ether22 BLOCK
 00:22:46 interface,info ether22 link up (speed 100M, full duplex)
 00:22:54 system,info dot1x server port removed by admin
 00:23:09 system,info dot1x server port added by admin
 00:23:09 dot1x,debug s ether22 BLOCK
 00:23:09 system,info dot1x server port changed by admin
 00:27:07 system,info,account user admin logged in from 10.1.3.3 via ssh

[admin@lab] > /interface/bridge/vlan/print 
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge       200  bonding1                        
1   bridge       100  bridge                          
                      bonding1                        
2 D bridge         1                  bridge          
                                      bonding1        
[admin@lab] > 

[admin@lab] > /interface/dot1x/export 
# nov/26/2022 00:27:53 by RouterOS 7.2.3
# software id = xxxx
#
# model = CRS326-24G-2S+
# serial number = xxxx
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether22 mac-auth-mode=mac-as-username-and-password reject-vlan-id=2100 server-fail-vlan-id=2200
[admin@lab] > /radius/export 
# nov/26/2022 00:28:05 by RouterOS 7.2.3
# software id = xxxx
#
# model = CRS326-24G-2S+
# serial number = xxxx
/radius
add address=10.1.3.14 service=dot1x
 
sathackr
just joined
Topic Author
Posts: 22
Joined: Thu Dec 25, 2014 5:13 am

Re: Dot1x mac auth in V7 not working as expected  [SOLVED]

Sat Nov 26, 2022 8:13 am

Okay, I think I solved my own problem.

From the wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
"In order for mac-auth authentication type to work, the server interface should receive at least one frame containing a client's device source MAC address."
The device I'm testing with is not very chatty. Probably the port is staying un-authorized and not trying to talk to radius because it doesn't have a MAC address to authorize.
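The two behaviours seen in this thread can be told apart mechanically from the debug log: a RADIUS timeout that correctly lands the port in the server-fail VLAN (an Access-Request was sent, then "radius req timeout, apply server fail vlan"), versus a reauth that blocks the port without any Access-Request at all, which is what a client that never sends a frame looks like from the switch side. The script below is an added example, not code from this thread or from MikroTik. It replays a constructed excerpt of the log lines quoted in the first post (same timestamps, port and MAC, trimmed for length), tracks per-port state, and flags BLOCK events with no Access-Request since the last (re)auth start. The line formats matched by the regular expressions are assumptions taken only from that excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the RouterOS 7 debug lines quoted in
# the thread (same timestamps, port and MAC), kept short so the script runs
# offline. The line formats below are assumed from that excerpt only.
SAMPLE_LOG = """\
00:22:02 radius,debug,packet sending Access-Request with id 5 to 10.1.3.14:1812
00:22:02 radius,debug,packet     User-Name = "00:0A:19:09:AE:6E"
00:22:02 radius,debug,packet     NAS-Port-Id = "ether22"
00:22:03 radius,debug timeout for 82:04
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" radius req timeout, apply server fail vlan:2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" add to vlan 2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" authorized, start reauth timer seconds:10
00:22:03 dot1x,debug s ether22 UNBLOCK
00:22:13 dot1x,debug s ether22 "00:0A:19:09:AE:6E" starting reauth mac-auth
00:22:13 dot1x,debug s ether22 BLOCK
00:22:46 interface,info ether22 link up (speed 100M, full duplex)
00:23:09 dot1x,debug s ether22 BLOCK
"""

TS = r'^(\d\d:\d\d:\d\d) '
RADIUS_REQ = re.compile(TS + r'radius,debug,packet sending Access-Request with id (\d+) to (\S+)')
RADIUS_ATTR = re.compile(TS + r'radius,debug,packet\s+(\S+) = (.*)$')
DOT1X = re.compile(TS + r'dot1x,debug s (\S+) (?:"([^"]+)" )?(.*)$')


@dataclass
class PortReport:
    requests: int = 0                 # Access-Requests naming this port in NAS-Port-Id
    timeouts: int = 0                 # "radius req timeout" events on this port
    server_fail_vlan: Optional[int] = None
    authorized: bool = False
    awaiting_request: bool = True     # True from (re)auth start until an Access-Request is seen
    blocked_without_request: List[str] = field(default_factory=list)


def analyze(log: str) -> Dict[str, PortReport]:
    """Replay the log line by line and build a per-port state summary."""
    ports: Dict[str, PortReport] = {}
    pending_ts: Optional[str] = None  # timestamp of the Access-Request whose attributes follow

    for raw in log.splitlines():
        line = raw.strip()
        m = RADIUS_REQ.match(line)
        if m:
            pending_ts = m.group(1)
            continue

        if pending_ts is not None:
            m = RADIUS_ATTR.match(line)
            if m:
                name, value = m.group(2), m.group(3).strip().strip('"')
                if name == 'NAS-Port-Id':
                    rep = ports.setdefault(value, PortReport())
                    rep.requests += 1
                    rep.awaiting_request = False
                continue
            if 'radius,debug,packet' in line:
                continue   # continuation of a multi-line attribute value
            pending_ts = None  # the attribute dump for this request is over

        m = DOT1X.match(line)
        if not m:
            continue
        ts, port, msg = m.group(1), m.group(2), m.group(4)
        rep = ports.setdefault(port, PortReport())

        if msg.startswith('radius req timeout'):
            rep.timeouts += 1
            v = re.search(r'server fail vlan:(\d+)', msg)
            if v:
                rep.server_fail_vlan = int(v.group(1))
        elif msg.startswith('authorized'):
            rep.authorized = True
        elif msg.startswith('starting reauth'):
            rep.awaiting_request = True
        elif msg == 'BLOCK':
            rep.authorized = False
            if rep.awaiting_request:
                # Blocked with no RADIUS exchange attempted since the reauth began.
                rep.blocked_without_request.append(ts)
    return ports


def stuck_ports(reports: Dict[str, PortReport]) -> List[str]:
    """Ports that ended up blocked while still waiting for a RADIUS exchange."""
    return sorted(p for p, r in reports.items() if not r.authorized and r.awaiting_request)


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for port, rep in result.items():
        print(port, rep)
    print('blocked with no RADIUS attempt:', stuck_ports(result))
```

On the sample, ether22 shows one Access-Request, one timeout with server-fail VLAN 2400 applied, and then two BLOCK events after the reauth with no further Access-Request, so it is reported as stuck. When that flag fires, the first thing to check is whether the switch has seen any frame from the client at all (the wiki requirement quoted above), before looking at the RADIUS server or the VLAN configuration.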
