Raeksallad

Hotspot login with dynamic vlan assignment?

Tue Mar 28, 2023 3:05 pm

Hello everybody, intermediate newbie and first time forum user here :)

For the past few weeks I have been trying out some (for me) more advanced authentication features in my homelab (RB4011iGS+RM and hAP ax2). My goal has been to create a wlan setup where I can connect my devices and assign them one of three vlans:

vlan100: trusted (desktop, laptop, phone etc)
vlan200: untrusted (IoT devices)
vlan300: guests

I have managed to get this working the "easy" way by simply creating different SSIDs that dynamically assign the clients to their respective bridge vlan. But after watching an excellent presentation by Ron Touw (https://www.youtube.com/watch?v=nCB4hL0f1VQ) I learned, among other things, that each unique SSID doubles the size of the AP beacons and therefore doubles the time it takes to connect to it. In the presentation Touw says in passing, without expanding on it, that there are other ways, using Radius and capsman, where you can assign vlans to different user groups connecting to one single SSID. I have tried to find ways to do this but can't get any appropriate solutions to work.

As I see it, if there is only one SSID, then the AP needs to be able to identify the different clients in some way to know which vlan to assign them. The closest solution I have managed to implement is to create user groups in Radius where I register each client and identify them either by mac address or by certificates. For this to work I need to register the clients and their mac/certificate in Radius before they can connect to the AP. This works for my own trusted devices and IoT devices, but it won't work for guests as I am not able to register all new guest devices before they connect to my wifi.

The only solution to this that I thought should work, but never actually got to work, is to use hotspots. I thought that it would be possible to set it up so that a client can connect to the hotspot, use a username and password in the login portal, and then be assigned either to the trusted or guest vlan depending on the user credentials (the IoT devices can continue to just be authenticated by mac address).

So, my initial question is simply if this hotspot solution is possible at all, and if that's the case, how do I do it?

If it is not possible, what other methods of assigning vlans to user groups with capsman and radius could Ron Touw be referring to?

Thanks
