Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
Shall we hope for Radius assigned VLAN with this promising feature ?When to expect 802.1x support in RouterOS?
Strong need in wired 802.1X
I think you can run the dot1x using userman. try to see the radius settings if there any 802.1x option to tick. I have not try yet the beta version.It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated. Well, it's mainly FreeRADIUS, so many options and configuration files, ...
Sorry if it's stupid question, but can I use User Manager instead? I have near zero experience with that too, and quick search suggests that probably not. But it would be really nice if it could do it. If for no other reason, then to be able to have it on router itself and not require other device, that would be really handy in some places.
Thank you for clarifying.If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
Exactly my thought. Why cant make the built-in auth server?It's beautiful, but if only we could get rid of external dependencies, i.e. third-party RADIUS, it would be even better. Yeah, I know, some people are never satisfied, call me ungrateful if you want.
Especially with an upcoming 48 port switch the above would be a really sophisticated feature set. We are in the middle of choosing our next edge switching equipment (about 7000 ports) and would be willing to wait for a few months for said 48 port switch. Can anyone from Mikrotik make a statement if we can expect that the above stated authentication scenario can be possible in the future?Hi!
First of all, thank you for this log awaited feature.
Is it possible to have the following multiple level authentication scenario:
1. The client has dot1x enabled - authentication is done and a VLAN is assigned.
2. The client has not enabled dot1x - authentication is done via the client MAC address and a VLAN is assigned.
3. The MAC address is not known to the radius server - a quarantine VLAN is assigned.
That would be a big step towards an all dynamic configuration. We are a technical school with a lot of bring your own device users und devices that don't support dot1x and the above scenario would make us very happy
+1 as well. Even using a routerboard with another firmware would already be a workaround. Making a FreeRADIUS appliance with Mikrotik hardware?+1 for adding EAP to User Manager.
My smaller customers are interested in PEAP but are not willing to manage a server of any size.