LegsAJimbo (Topic Author)

Dot1x Reject VLAN ID

Fri Nov 05, 2021 2:08 pm

Hi all,

I've just bought our first MikroTik switch. I look after a few networks and, all being well, I wish to use these to gradually phase out our current Ubiquiti EdgeSwitches.

I am trying to set up Dot1x with FreeRADIUS on CRS354.

If a machine is authenticated it should go on to the VLAN provided by FreeRADIUS; I can happily say that this is working great.

The issue I have is with the reject VLAN ID part: if a device is unable to successfully authenticate, I would like to put the device on VLAN 1. However, this does not happen; instead the device stays in an unauthorised state with no network connectivity. The FreeRADIUS logs continue to show repeated auth attempts, to which it responds invalid username/password.

Being new to the MikroTik way of life I imagine I have set something up wrong. My setup is below, any help would be very much appreciated!
# RouterOS 6.48.5
# model = CRS354-48P-4S+2Q+

/interface bridge
add admin-mac=DC:2C:6E:01:A5:E4 auto-mac=no comment=defconf ingress-filtering=yes name=bridgeLocal vlan-filtering=yes

/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
(Above is then repeated for all interfaces)

/interface bridge vlan
add bridge=bridgeLocal comment=Guest tagged=ether1,ether3 vlan-ids=1002
add bridge=bridgeLocal comment=Private tagged=ether1,ether3 vlan-ids=1003

/interface dot1x server
add auth-timeout=6s auth-types=dot1x,mac-auth interface=ether2 mac-auth-mode=mac-as-username-and-password radius-mac-format=xx:xx:xx:xx:xx:xx reject-vlan-id=1 retrans-timeout=3s

/ip address
add address=192.168.1.2/24 interface=bridgeLocal network=192.168.1.0

/radius
add address=192.168.1.1 secret="redacted" service=dot1x src-address=192.168.1.2
 
vecernik87 (Forum Veteran)

Re: Dot1x Reject VLAN ID

Wed Dec 08, 2021 6:37 am

I had a similar issue, and it took me a while to realise that my RADIUS server responds with "reject"; however, the RADIUS client in RouterOS had already timed out due to the low default timeout value.

The reject-vlan-id is not applied if RADIUS fails due to timeout. It applies only if a reject message is received.
 
LegsAJimbo (Topic Author)

Re: Dot1x Reject VLAN ID

Wed Dec 08, 2021 3:03 pm

Thanks vecernik87!

I did solve this eventually. For anyone else with this issue...

Something that helped me greatly with troubleshooting was to add the radius topic under System > Logging.

The fix was found under the RADIUS config page. The default timeout was 300ms, but to protect against attacks FreeRADIUS adds an intentional 1000ms delay to rejections. Changing the MikroTik timeout from 300ms to 3000ms solved my issue.

I thought I had changed timeouts initially, but was doing so on the Dot1X config page rather than the RADIUS config page.
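The interaction the thread describes, as an added example that is not code from the original posts, from RouterOS or from FreeRADIUS: a RADIUS client whose timeout (300ms in the thread) is shorter than the server's deliberate Access-Reject delay (1000ms in the thread) never receives the reject, so a reject-VLAN rule keyed on Access-Reject cannot fire and the port stays unauthorised. The example runs a minimal RADIUS-shaped exchange over loopback UDP (header only, no attributes; a real exchange carries EAP or MAC-auth attributes and a Tunnel-Private-Group-Id for the VLAN) and verifies the response authenticator before acting on the reply. The shared secret, the delay values and the reject VLAN are constructed.

```python
"""Model of the thread's failure mode: the client timeout versus the server's
intentional reject delay.  Constructed example, not RouterOS/FreeRADIUS code."""
import hashlib
import os
import socket
import struct
import threading
import time

ACCESS_REQUEST = 1
ACCESS_REJECT = 3
SECRET = b"redacted"  # constructed; stands in for the shared secret


def build_request(ident: int, authenticator: bytes) -> bytes:
    # RADIUS header: code(1) id(1) length(2) authenticator(16); no attributes here
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + authenticator


def build_reject(ident: int, req_auth: bytes) -> bytes:
    # Response authenticator per RFC 2865:
    # MD5(code + id + length + request-authenticator + attributes + secret)
    head = struct.pack("!BBH", ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(head + req_auth + SECRET).digest()
    return head + resp_auth


def reject_server(sock: socket.socket, reject_delay_s: float) -> None:
    """Answer one request with Access-Reject after reject_delay_s seconds
    (models FreeRADIUS's deliberate delay on rejections)."""
    data, addr = sock.recvfrom(4096)
    ident = data[1]
    req_auth = data[4:20]
    time.sleep(reject_delay_s)
    sock.sendto(build_reject(ident, req_auth), addr)


def authenticate(server_addr, client_timeout_s: float, reject_vlan_id: int):
    """Client side (models the RouterOS RADIUS client).  Returns
    ('reject', vlan) if a verified Access-Reject arrived in time, otherwise
    ('timeout', None): the port stays unauthorised and no reject VLAN applies."""
    ident = 0x2A
    req_auth = os.urandom(16)
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(client_timeout_s)
    try:
        c.sendto(build_request(ident, req_auth), server_addr)
        try:
            data, _ = c.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    finally:
        c.close()
    code, rid, length = struct.unpack("!BBH", data[:4])
    # Only act on a reply that matches our request id and is authenticated
    # with the shared secret; anything else is discarded.
    expected = hashlib.md5(data[:4] + req_auth + data[20:length] + SECRET).digest()
    if rid != ident or data[4:20] != expected:
        return ("invalid", None)
    if code == ACCESS_REJECT:
        return ("reject", reject_vlan_id)
    return ("other", None)


def run_scenario(client_timeout_s: float, reject_delay_s: float = 1.0,
                 reject_vlan_id: int = 1):
    """Start a delayed-reject server on loopback and run one client attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    t = threading.Thread(target=reject_server, args=(s, reject_delay_s), daemon=True)
    t.start()
    try:
        return authenticate(s.getsockname(), client_timeout_s, reject_vlan_id)
    finally:
        t.join()
        s.close()


if __name__ == "__main__":
    # Thread's default: 300ms client timeout vs 1000ms reject delay
    print("timeout=300ms :", run_scenario(0.3))   # ('timeout', None)
    # Thread's fix: 3000ms client timeout
    print("timeout=3000ms:", run_scenario(3.0))   # ('reject', 1)
```

The point the model makes is the one vecernik87 raised: a timeout and a reject are different outcomes on the client side, and only the second one carries the reject-VLAN behaviour, so the timeout on the RADIUS client entry (not the dot1x server's auth-timeout) has to outlast the server's reject delay. Enabling the radius logging topic, as the last post suggests, is what makes the difference between the two outcomes visible.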
