BobCat
just joined
Topic Author
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

access-list + radius not working.

Tue Jan 30, 2024 10:52 am

We have multiple APs at work with the same SSID.

Device MAC auth is controlled by a daloRADIUS server, which is working fine.

I want to use an access-list to remove wireless devices with a weak signal.

The issue is that when I set up an access-list, the router ignores the RADIUS server and any device with the password can connect.

My question is how I can use the access-list together with the RADIUS server.

I want to be able to remove devices with a weak signal but still want them to use RADIUS for MAC auth.

Thank you
 
vingjfg
Member Candidate
Posts: 294
Joined: Fri Oct 20, 2023 1:45 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 10:58 am

Can you post your ACL configuration?
 
BobCat
just joined
Topic Author
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 11:03 am

/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no
 
vingjfg
Member Candidate
Posts: 294
Joined: Fri Oct 20, 2023 1:45 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 11:13 am

That's ... not a lot.

Is your ACL set to reject the clients with signal in the range -85..-120?

I created one (using wifi, not wireless) - here is what it looks like.

/interface wifi access-list
add action=reject disabled=no signal-range=-85..120

The second "add", is it an ACL?
 
BobCat
just joined
Topic Author
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 11:22 am

Yes, if it falls below that threshold then the device will be disconnected after 10 seconds.
The issue I'm facing is that RADIUS does not have control when the rule is enabled. In the logs it will show that RADIUS rejected the device, but then the ACL will allow the same device.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: access-list + radius not working.

Tue Jan 30, 2024 11:48 am

My settings are a bit different; your range is incorrect:

/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-90..0
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..-91

Anything above -90 is accepted, anything below rejected.
Your current range is from -80 to 120, which is the range you would probably like to accept.
Last edited by erlinden on Tue Jan 30, 2024 11:55 am, edited 2 times in total.
 
vingjfg
Member Candidate
Posts: 294
Joined: Fri Oct 20, 2023 1:45 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 11:49 am

Can you modify your ACL to the following?

This means that the clients with signal -65..0 are accepted but when the signal dips under -65, they are disconnected.

/interface wireless access-list
add signal-range=-65..0
add authentication=no forwarding=no signal-range=-120..-66

The way your ACL was written meant: "if a client has a signal in the range -85..120, okay, otherwise disconnect"
 
vingjfg
Member Candidate
Posts: 294
Joined: Fri Oct 20, 2023 1:45 pm

Re: access-list + radius not working.

Tue Jan 30, 2024 12:49 pm

I am reading the page on interface/wireless, specifically the section on Radius MAC authentication
RADIUS MAC authentication
Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.

When radius-mac-authentication=yes, access point queries RADIUS server by sending Access-Request with the following attributes:

User-Name - Client MAC address. This is encoded as specified by the radius-mac-format setting. Default encoding is "XX:XX:XX:XX:XX:XX".
Nas-Port-Id - name of wireless interface.
User-Password - When radius-mac-mode=as-username-and-password this is set to the same value as User-Name. Otherwise this attribute is empty.
Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
Acct-Session-Id - Added when radius-mac-accounting=yes.
If I understand that correctly - unfortunately I no longer have an old-style wifi device to test - whatever is not matched by the ACL goes to MAC auth: so if accepted -> no MAC auth, if rejected -> no MAC auth.

Provided you have radius-mac-authentication=yes set, something like this should then be used:

/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-66

That will drop whatever is out of signal and the rest will have to go through radius.
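To make the first-match behaviour described in the quoted documentation concrete, here is an added Python model of how a wireless access-list with signal-range entries interacts with RADIUS MAC authentication, and how the Access-Request attributes listed above are assembled. This is example code written for this page, not MikroTik's implementation and not code from anyone in the thread. The MAC addresses, interface name, SSID and the set of MACs the RADIUS server "knows" are constructed for the example; treating the radius-mac-format value as a generic pattern of X/x placeholders is an assumption, not a documented API.

```python
"""Model of RouterOS wireless access-list evaluation with RADIUS MAC auth.

Added example for this thread; not MikroTik code. Rules are checked in order,
the first match decides, and only clients matched by no rule are sent to
RADIUS MAC authentication (or, failing that, default-authentication).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the daloRADIUS user database (assumption: any MAC
# not listed here gets an Access-Reject).
RADIUS_KNOWN_MACS = {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}


@dataclass
class AclRule:
    """One /interface wireless access-list entry (only the fields used in the thread)."""
    signal_range: Tuple[int, int] = (-120, 120)  # RouterOS default: any signal strength
    authentication: bool = True                   # authentication=no -> client rejected
    forwarding: bool = True
    mac_address: Optional[str] = None             # None matches any client MAC


def rule_matches(rule: AclRule, mac: str, signal: int) -> bool:
    """A rule matches when both the MAC (if set) and the signal range match."""
    if rule.mac_address is not None and rule.mac_address.upper() != mac.upper():
        return False
    low, high = rule.signal_range
    return low <= signal <= high


def decide(rules, mac: str, signal: int,
           radius_mac_authentication: bool = True,
           default_authentication: bool = True):
    """Return (decision, decided_by) for a client at the given signal (dBm)."""
    for rule in rules:
        if rule_matches(rule, mac, signal):
            # Matched clients never reach RADIUS: the access-list entry decides.
            return ("accept" if rule.authentication else "reject", "access-list")
    if radius_mac_authentication:
        # Unmatched clients are handed to RADIUS MAC auth, as the docs state.
        return ("accept" if mac.upper() in RADIUS_KNOWN_MACS else "reject", "radius")
    return ("accept" if default_authentication else "reject", "default-authentication")


def format_mac(mac: str, pattern: str) -> str:
    """Render a MAC according to a radius-mac-format pattern such as
    'XX:XX:XX:XX:XX:XX' or 'xxxxxx-xxxxxx' (X = upper-case hex digit, x = lower)."""
    digits = iter(mac.replace(":", "").replace("-", ""))
    out = []
    for ch in pattern:
        if ch == "X":
            out.append(next(digits).upper())
        elif ch == "x":
            out.append(next(digits).lower())
        else:
            out.append(ch)
    return "".join(out)


def build_access_request(mac: str, interface: str, ap_mac: str, ssid: str,
                         radius_mac_format: str = "XX:XX:XX:XX:XX:XX",
                         radius_mac_mode: str = "as-username",
                         radius_mac_accounting: bool = False,
                         session_id: Optional[str] = None) -> dict:
    """Attributes of the Access-Request the AP sends, per the quoted documentation."""
    username = format_mac(mac, radius_mac_format)
    attrs = {
        "User-Name": username,
        "Nas-Port-Id": interface,
        "User-Password": username if radius_mac_mode == "as-username-and-password" else "",
        "Calling-Station-Id": format_mac(mac, "XX-XX-XX-XX-XX-XX"),
        "Called-Station-Id": format_mac(ap_mac, "XX-XX-XX-XX-XX-XX") + ":" + ssid,
    }
    if radius_mac_accounting:
        attrs["Acct-Session-Id"] = session_id
    return attrs


# The original poster's list: the first entry matches every usable signal, so
# every client is decided by the ACL and RADIUS is never consulted.
OP_RULES = [AclRule(signal_range=(-85, 120)),
            AclRule(authentication=False, forwarding=False)]

# The reject-only list suggested in the thread: weak clients are dropped by the
# ACL, everything else falls through to RADIUS MAC auth.
SUGGESTED_RULES = [AclRule(signal_range=(-120, -66), authentication=False, forwarding=False)]

if __name__ == "__main__":
    unknown, known = "AA:BB:CC:DD:EE:99", "AA:BB:CC:DD:EE:01"
    for name, rules in (("OP", OP_RULES), ("suggested", SUGGESTED_RULES)):
        for mac, sig in ((unknown, -60), (known, -60), (known, -90)):
            print(name, mac, sig, decide(rules, mac, sig))
    print(build_access_request(known.lower(), "wlan1", "11:22:33:44:55:66", "Office"))
```

Running it shows the symptom from the thread: with the original rules an unknown MAC at -60 dBm is accepted by the access-list without any RADIUS query, whereas with the reject-only rule the same client is refused by RADIUS and only the weak-signal clients are handled locally.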
 
snuggerbonzen
just joined
Posts: 11
Joined: Tue Jan 16, 2024 9:08 am

Re: access-list + radius not working.

Wed Jan 31, 2024 11:08 am

We have multiple AP's at work with same SSID.

device mac-auth is controlled by daloradius server which is working fine.

Could you share the relevant CAPsMAN and CAP configs that make this work? I am trying to achieve the same, but so far I have only got auth and VLAN assignment working with EAP, not for MAC auth.
 
BobCat
just joined
Topic Author
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

Re: access-list + radius not working.

Tue Feb 13, 2024 2:52 pm

We have multiple AP's at work with same SSID.

device mac-auth is controlled by daloradius server which is working fine.

Could you share the relevant CAPsMAN and CAP configs that make this work? I am trying to achieve the same, but so far I have only got auth and VLAN assignment working with EAP, not for MAC auth.

I'm not using CAPsMAN but have set up an access list on each router.
 
BobCat
just joined
Topic Author
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

Re: access-list + radius not working.

Tue Feb 13, 2024 2:54 pm

I am reading the page on interface/wireless, specifically the section on Radius MAC authentication
RADIUS MAC authentication
Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.

When radius-mac-authentication=yes, access point queries RADIUS server by sending Access-Request with the following attributes:

User-Name - Client MAC address. This is encoded as specified by the radius-mac-format setting. Default encoding is "XX:XX:XX:XX:XX:XX".
Nas-Port-Id - name of wireless interface.
User-Password - When radius-mac-mode=as-username-and-password this is set to the same value as User-Name. Otherwise this attribute is empty.
Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
Acct-Session-Id - Added when radius-mac-accounting=yes.
If I understand that correctly - unfortunately I no longer have an old-style wifi device to test - whatever is not matched by the ACL goes to MAC auth: so if accepted -> no MAC auth, if rejected -> no MAC auth.

Provided you have radius-mac-authentication=yes set, something like this should then be used:

/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-66

That will drop whatever is out of signal and the rest will have to go through radius.

Thank you. It seems to be working after trying your suggestion.
