Hi!
I have configured radius connection with a Packetfence server that assign device connected to switch to specific vlan. I want only wired solution.
I use DOT1X.
I want to know how to properly setup vlans to set the port given by radius to a specific vlan.
I want the port get assigned to the proper vlan no matter of the port.
Basicaly, my idea is:
1. I connect device to a random port.
2. Switch get radius from packetfence with an VLAN that should be assigned to the device.
3. Switch set the port to the vlan.
Could someone help me please?
-
-
Michiganbroadband
Member Candidate
- Posts: 108
- Joined:
- Contact:
Re: VLAN assignment with radius and dot1x on CRS328
Sure just google it.
And here we are.
And here we are.
Re: VLAN assignment with radius and dot1x on CRS328
Code: Select all
https://citraweb.com/artikel_lihat.php?id=446 with username and password authentication
https://mikrotik.co.id/artikel/447/ with mac authentication
Re: VLAN assignment with radius and dot1x on CRS328
OP has an external device acting as RADIUS server (PacketFence) so the guides with User Manager are not very useful, plus they don't even address the VLAN issue.
To OP: you need to do the following on your CRS328 running RouterOS 7.
* On PacketFence, add the IP address of the CRS328 and a shared secret to the RADIUS configuration
* On the CRS328 go to the RADIUS menu and add an entry pointing to the PacketFence device's IP address, with the shared secret above. The dot1x checkbox should be enabled
* The CRS328 should be configured with only one single bridge containing all the ports, with vlan-filtering=yes, the uplink port connecting the switch to the PacketFence machine must be configured as a trunk port carrying all the VLANs that you wish to use (add entries under /interface bridge vlan)
* For the ports that you want to use with DOT1X, configure them as access ports of the bridge by simply setting frame-types=admit-only-untagged-and-priority-tagged for them under /interface bridge port. The PVID value here is unimportant and can be left at the default value or can be set to a bogus VLAN ID (any ID not used by your VLANs, this is only as safeguard for the case where entries are mistakenly removed/disabled from the Dot1X server table). Do not add entries for those ports in the /interface bridge vlan table at all!
* Add entries for the ports under Dot1X -> Server. For example, to use user authentication with fallback VLAN for guest / unauthorized:
* If you want to use MAC authentication then turn on mac-auth, but then you can no longer specify the guest VLAN.
To OP: you need to do the following on your CRS328 running RouterOS 7.
* On PacketFence, add the IP address of the CRS328 and a shared secret to the RADIUS configuration
* On the CRS328 go to the RADIUS menu and add an entry pointing to the PacketFence device's IP address, with the shared secret above. The dot1x checkbox should be enabled
Code: Select all
/radius
add address=10.20.30.40 secret=****************** service=dot1x
/radius incoming
set accept=yes
* The CRS328 should be configured with only one single bridge containing all the ports, with vlan-filtering=yes, the uplink port connecting the switch to the PacketFence machine must be configured as a trunk port carrying all the VLANs that you wish to use (add entries under /interface bridge vlan)
* For the ports that you want to use with DOT1X, configure them as access ports of the bridge by simply setting frame-types=admit-only-untagged-and-priority-tagged for them under /interface bridge port. The PVID value here is unimportant and can be left at the default value or can be set to a bogus VLAN ID (any ID not used by your VLANs, this is only as safeguard for the case where entries are mistakenly removed/disabled from the Dot1X server table). Do not add entries for those ports in the /interface bridge vlan table at all!
* Add entries for the ports under Dot1X -> Server. For example, to use user authentication with fallback VLAN for guest / unauthorized:
Code: Select all
/interface dot1x server
add interface=ether5 guest-vlan-id=60 interim-update=30m reject-vlan-id=60 retrans-timeout=10s server-fail-vlan-id=60
add interface=ether8 guest-vlan-id=15 interim-update=30m reject-vlan-id=15 retrans-timeout=10s server-fail-vlan-id=15
* If you want to use MAC authentication then turn on mac-auth, but then you can no longer specify the guest VLAN.
Re: VLAN assignment with radius and dot1x on CRS328
What do you mean the vlan issue? anyway that guide can be easily adapt to whatever radius server he/she want to use, the important bits on how to deploy it was clearly there.OP has an external device acting as RADIUS server (PacketFence) so the guides with User Manager are not very useful, plus they don't even address the VLAN issue.
Re: VLAN assignment with radius and dot1x on CRS328
Your first link is unreachable for me (timeout) and the 2nd one has no VLAN related config.
Re: VLAN assignment with radius and dot1x on CRS328
You do not have the required permissions to view the files attached to this post.
Re: VLAN assignment with radius and dot1x on CRS328
more elaborate lab with configuration based on that link
You do not have the required permissions to view the files attached to this post.