ashpri
Frequent Visitor
Topic Author
Posts: 94
Joined: Sun Oct 14, 2018 3:11 am

Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Thu Jun 13, 2019 9:01 am

Goal:
Have a single ssid authenticated by radius, with vlans assigned based on username/password.

Succeeded:
- I've managed to get FreeRADIUS working with my router. My AP is a HAPAC2 (as CAP).
- Authentication with freeradius works great.

Issue:
I cannot get the radius server to assign vlan.

I have done the following:
- copied and pasted the contents of https://wiki.mikrotik.com/wiki/Manual:R ... dictionary into the freeradius dictionary file

- the setting for the user is as follows:
vl86 Cleartext-Password := "bm_vl86"
    Mikrotik_Wireless_VLANID := 86,
    Mikrotik_Wireless_VLANIDtype := 0

- The security setting is as follows

zz1.png

- The setting for RADIUS is as follows

zz2.png

Radius works as evidenced by the following status screen

zz3.png

------

What am I missing?
Last edited by ashpri on Thu Jun 13, 2019 1:43 pm, edited 2 times in total.
 
savage
Forum Guru
Posts: 1203
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Thu Jun 13, 2019 9:22 am

viewtopic.php?t=119494

Contains in detail what is required and what you are missing, and also covers a small bug (which I don't know whether it's fixed yet or not).
Regards,
Chris
 
ashpri
Frequent Visitor
Topic Author
Posts: 94
Joined: Sun Oct 14, 2018 3:11 am

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Thu Jun 13, 2019 1:31 pm

I have reviewed that post and others with similar topics before posting this thread. I did not find a solution, but I will go through that post again.

I did a test with radlogin (radius test client) from another pc and this is the result:

zz1.png

Is that response acceptable? I am assuming it is the test client that is unaware what those two attributes are.
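Added example, not part of any post in this thread: a decoder that pulls the MikroTik vendor-specific attributes out of a raw Access-Accept, useful for checking what the server actually sent when a test client cannot name them. The vendor ID 14988 and sub-attribute numbers 26 and 27 are taken from MikroTik's published dictionary rather than from this page, and the sample packet is constructed.

```python
import struct

MIKROTIK_VENDOR_ID = 14988  # MikroTik's IANA enterprise number (assumption: not on the page)
# Sub-attribute numbers as listed in MikroTik's RADIUS dictionary.
MIKROTIK_NAMES = {26: "Mikrotik_Wireless_VLANID", 27: "Mikrotik_Wireless_VLANIDtype"}
ACCESS_ACCEPT = 2       # RFC 2865 packet code
VENDOR_SPECIFIC = 26    # RFC 2865 attribute type

def vsa(vendor_type, value):
    """Encode one integer sub-attribute as a MikroTik Vendor-Specific attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), MIKROTIK_VENDOR_ID) + sub

def build_accept(identifier, attrs):
    """Build a constructed Access-Accept; the authenticator is zeroed, not a real MD5."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), bytes(16)) + body

def mikrotik_vsas(packet):
    """Return {name: int} for MikroTik integer sub-attributes in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    if code != ACCESS_ACCEPT:
        return {}
    found, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue  # standard attribute, e.g. Reply-Message
        if struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
            continue  # another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            v_type, v_len = sub[0], sub[1]
            if v_len == 6:  # 2-byte sub-header + 4-byte integer
                name = MIKROTIK_NAMES.get(v_type, "Mikrotik-Attr-%d" % v_type)
                found[name] = struct.unpack("!I", sub[2:6])[0]
            sub = sub[v_len:]
    return found

# Constructed sample: the reply expected for a user assigned to VLAN 60.
SAMPLE = build_accept(1, [vsa(26, 60), vsa(27, 0)])
```

Feeding it the UDP payload of a captured reply shows whether both attributes arrived with the expected integer values, independent of which dictionary the test client has loaded.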
 
ashpri
Frequent Visitor
Topic Author
Posts: 94
Joined: Sun Oct 14, 2018 3:11 am

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Fri Jun 14, 2019 8:05 am

I've discovered the problem isn't freeradius at all.

The error is the client isn't getting a proper DHCP lease in the VLAN assigned by the RADIUS server. What could I be missing?

zz4.jpg
 
mkx
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Fri Jun 14, 2019 9:16 am

Is the VLAN configuration regarding the wireless interface correct? Does it allow all necessary VLAN IDs to pass?
BR,
Metod
 
ashpri
Frequent Visitor
Topic Author
Posts: 94
Joined: Sun Oct 14, 2018 3:11 am

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Fri Jun 14, 2019 12:25 pm

The setting seems basic enough. There are 2 settings below. The top is WPA2-EAP for radius assigned VLAN, with the DHCP issue. The bottom is WPA2-PSK, with no DHCP issue. Both serving the same vlan.

-----

/caps-man configuration
add datapath.bridge=bridge1 \
    mode=ap \
    datapath.vlan-mode=use-tag \
    name="RADIUS TEST" \
    security.authentication-types=wpa2-eap \
    security.eap-methods=passthrough \
    security.encryption=aes-ccm \
    security.group-encryption=aes-ccm \
    ssid=RADIUSTEST
add datapath.bridge=bridge1 \
    mode=ap \
    datapath.vlan-mode=use-tag \
    datapath.vlan-id=60 \
    name="RADIUS TEST 2" \
    security.authentication-types=wpa2-psk \
    security.passphrase=XXX \
    security.encryption=aes-ccm \
    security.group-encryption=aes-ccm \
    ssid=RADIUSTEST2

/radius
add address=192.168.xx.xx secret=xxx service=wireless timeout=10s

------

This is the user setting in freeradius. I am using freeradius.net, a Windows port of freeradius, based on the older freeradius version 2.0.X.

vl60 User-Password == "vl60"
    Mikrotik_Wireless_VLANID = "60",
    Mikrotik_Wireless_VLANIDtype = "0"

test User-Password == "test"

------

In summary:
1. Login to SSID with WPA2-PSK, to tagged vlan = dhcp ok
2. Login to SSID with WPA-EAP, to tagged vlan assigned from freeradius = dhcp issue
3. Login to SSID with WPA-EAP, to default untagged vlan from freeradius = dhcp ok

I'm stumped. I don't even know where to go next.

Based on other threads with dhcp problems, I've tried disabling RSTP on bridge, MTU to 1504 on bridge, MTU to 1504 on capsman config, dhcp to always broadcast, checked add ARP on leases for dhcp server, setting admin mac on bridge. Still the same.

Next I will try freeradius 3.0.19 on ubuntu. Update: Freeradius 3.0.19 has a different issue, no matter the vlan setting in freeradius, all logins get an ip from the default untagged vlan. I am getting an ulcer (which is on par when implementing a new feature in mikrotik).
