can I use
private-pre-shared-key (string; Default: "")
https://help.mikrotik.com/docs/display/ ... +Interface
and
Mikrotik-Wireless-PSK
to assign clients to VLANs based only on the private PSK used?
that was my first intention but how to deal with devices that don't support EAP?
using WPA2/Enterprise
but if I read
Is it necessary to limit the identification based on the PSK entered only?
According to DPSK Dynamic WPA2 PSK support - MikroTik it seems not to be possible and in [Proof of Concept] Private PSK / Personal PSK (PPSK) with dynamic VLAN via RADIUS MAC-auth | Ubiquiti Community is repeated again
This might be difficult to deploy.
how to distinguish between users but it is said as well
that the AP doesn't send any information on which RADIUS could decide
but how to implement that in an MT device?
The only way to have more than one PSK that every client can use is to use a wpa_psk file on the access point (in addition). It allows for more than one PSK every client can connect to, because it allows a wildcard MAC of 00:00:00:00:00:00.
thx for referring to it but I would like to wait until ROS 7.x has a somehow stable feature set.
In MT ROS, only Usermanager in ROS 7.x can do wifi PEAP-MSCHAPv2. (It's not in ROS 6 Usermanager) viewtopic.php?p=900484
Profiles associated to devices
With BYOD devices; you will typically assign a profile which returns the information that the LAN switch requires to dynamically assign the device into a VLAN after authentication.
The profiles is not limited to it; you can for instance also implement a Captive Portal which makes use of MAC authentication and limit the connection time of a certain device to the captive portal.
that is the same as I inquired in Self Service Kiosk / Workflow to trust untrusted devices to add them to personal VLAN dynamically (freeradius.org) isn't it?
Every Permanent User of Deskradius/Freeradius can manage its own BYOD devices and grant them access without user login. (MAC based login)
Maybe for my own case I would need to create a MAC-cookie in the MT Hotspot
https://sourceforge.net/p/radiusdesk/co ... t%20Users/
https://sourceforge.net/p/radiusdesk/co ... /BYOD_MAC/
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius
/caps-man access-list
add mac-address=00:00:00:00:00:00 action=query-radius comment="define VLAN by RADIUS-Server"
add mac-address=00:00:00:00:00:00 action=accept private-passphrase=nonEAPdevice vlan-id=VLAN_untrustedDevices vlan-mode=use-tag comment="put in network for untrusted devices"
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=wpa2-psk
/caps-man access-list
add mac-address=00:00:00:00:00:00 action=query-radius comment=radius
devices
MT Usermanager5 starts to function now, but FreeRADIUS is still better. (I run it in NAS, PC, Raspberry Pi, Odroid, as native, Oracle VirtualBox or Docker container.)
Wanting a GUI interface I use DaloRadius as a layer with extra features on FreeRADIUS. But there is also DeskRadius as a layer on top of FreeRADIUS, and that one has some interesting features for non-interactive devices.
could be but it is said that it can run standalone as well.
OpenWisp is interesting, but is rather a competitor with OpenWRT for RouterOS as far as I have seen.
I noted that same, what does not give a good impression of the project.
In-depth documentation is missing, so only some discussions to evaluate. Like: https://sourceforge.net/p/radiusdesk/di ... /4c52718f/