Default VLAN for non-authenticated users ?

Posted: Mon May 13, 2024 12:33 pm
by KoenraadL
I set up VLANs with a management VLAN. Now I have on every switch/router a specific port to access the management VLAN. It works, but nevertheless, since those devices are more or less hidden, I need to have a long cable to do modifications without lying on my belly or something like that.
So I was thinking: dot1x can assign VLANs to users, so I could create users to access the management VLAN. But then every user would need an account to use the switch. Not what I want.
So can user-manager assign a VLAN to unauthenticated users? Or another way?
That way every user could access the default VLAN without authentication, but when some user DOES authenticate with the management-account he is directed to the management-VLAN.

Thanks for any insights.

Re: Default VLAN for non-authenticated users ?

Posted: Tue May 14, 2024 11:12 am
by KoenraadL
My previous question was theoretical; last evening I went ahead and tried some things.
It seems that there are options for what I need, but I would like clarification.
Setting up a dot1x-server there are the following options (winbox):
Reject VLAN
Guest VLAN
Server-fail VLAN
I set all of those VLANs to the same VLAN (which has a DHCP-server!).
I set up a user on my freeradius-server.
Trying to get access with that user works fine, and gets me to the desired VLAN (NOT the same as the other VLANs) and an ip-address.

When I give wrong credentials, after a while I see in the status that the port is enabled in the server-fail VLAN, but I don't get an ip-address.
I checked with the logs (freeradius & switch), and it seems that the switch never gets the Access-Reject message from freeradius.

I would presume that trying to access without authentication, I would immediately get access to the guest VLAN. Unfortunately, it's only after at least 1 minute that I get access. Is there a way to shorten this time? I did set the Auth timeout to 5 seconds.

I'm confused.
FWIW, the switch is a CRS310-8G+2S+IN, running RoS 7.14.3.

Re: Default VLAN for non-authenticated users ?

Posted: Sun May 19, 2024 5:26 am
by tdw
See ... t1X-Server. The guest-vlan-id functionality is odd, other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to Mikrotik there isn't much you can do to reduce the time.

Not sure why you don't get an IP address when falling back to the server-fail-vlan-id VLAN, however fixing the FreeRADIUS setup so Access-Reject is returned promptly on authentication failure would use reject-vlan-id.

Re: Default VLAN for non-authenticated users ?

Posted: Sat May 25, 2024 2:13 pm
by KoenraadL
After further investigation, I came to the conclusion that I could live with the settings when using Freeradius.
I can get access unauthenticated via the correct vlan (guest-vlan). When I authenticate correctly, I can get to the desired vlan (Freeradius provides the vlan).
That trying to authenticate with wrong credentials does not work (reject-vlan does not work) is OK with me, as a rogue user is not supposed to get access.
To get guest vlan to work I had to set the Retrans. Timeout low; I used 5 sec.
But, and here is the big problem: when I try this with user-manager on a mikrotik-device, which is the purpose of all this, it never works (I tried with a hEX-router and another CRS310). I only get access via the guest-vlan.
I set up user-manager on the second switch with the exact same credentials as on freeradius, with the exact same user-account. I also set extra attributes for the vlan. So switching the ip-address of the Radius-server on the switch should give the same results. Unfortunately, it does not.
When I add logging (debug, radius) on both switches, I only see activity on the dot1x-server, although the packet-sniffer on the user-manager-switch does capture packets, but with a result Access-Reject.
My laptop (kubuntu, networkmanager) is configured like this (dot1x):
anonymous identity : anonymous
PEAP-version : automatic
inner auth : MSCHAPv2
username : test-user
password : <obfuscated>
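
The VLAN handoff the posts above depend on (the RADIUS server "providing the vlan" in an Access-Accept, or answering Access-Reject) is carried in three RFC 3580 tunnel attributes. The following Python example is added here and is not part of the thread, nor MikroTik or FreeRADIUS code; it builds replies with a constructed shared secret and Request Authenticator and decodes them the way a dot1x authenticator should: verify the Response Authenticator first, then accept a VLAN only when all three attributes are present and consistent.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS codes, RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 3580 VLAN attributes
TUNNEL_TYPE_VLAN, MEDIUM_IEEE802 = 13, 6

def build_reply(code, ident, request_auth, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def vlan_from_attrs(attrs):
    # A VLAN is assigned only if all three tunnel attributes are present and consistent.
    # They are tagged (RFC 2868): one tag byte, then a 3-byte integer or the string itself.
    ttype, tmed, group = (attrs.get(t) for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if None in (ttype, tmed, group):
        return None
    if int.from_bytes(ttype[1:4], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(tmed[1:4], "big") != MEDIUM_IEEE802:
        return None
    vid = int(group[1:] if group and group[0] <= 0x1F else group)
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id out of range")
    return vid

def parse_reply(packet, request_auth, secret):
    # Check the reply against the shared secret before trusting its code or attributes.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    if hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    attrs, pos = {}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, (vlan_from_attrs(attrs) if code == ACCESS_ACCEPT else None)

def demo():
    # Constructed Access-Accept carrying VLAN 100, validated with the constructed shared secret.
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    attrs = [(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
             (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE802.to_bytes(3, "big")),
             (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100")]
    return parse_reply(build_reply(ACCESS_ACCEPT, 7, request_auth, secret, attrs), request_auth, secret)
```

An Access-Accept that lacks the tunnel attributes yields `(2, None)`, i.e. authenticated but left in the port's default VLAN, which is one thing to check when a RADIUS server "works" but the client lands in the wrong VLAN.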

Re: Default VLAN for non-authenticated users ?

Posted: Sun May 26, 2024 11:28 am
by KoenraadL
OK, I restarted from scratch.
My setup (topology see the image) :
Freeradius 3.0
user :
- user2 with password

R1 (default configuration)
- Usermanager
enabled authentication port (and accounting port)
added client (NAS in radius-speak) with ip-address and secret.
2 users :
- user1, with password
- user2, with same password as on Freeradius
both in "user group" "default"

S1 (default configuration)
- 2 RADIUS entries:
- IP-address pointing to R1 with corresponding secret
- IP-address pointing to freeradius-server with corresponding secret (disabled)
- Dot1X server
- ethers 1 to 6 and sfpplus1 as dot1x (via an interface list).
- Auth. Types: dot1x checked
- Retrans. Timeout: 5 sec.

S2 (default configuration)
- Dot1X client
Interface : sfpplus1
EAP Methods : EAP MSCHAPv2
identity : user1
password : <as on R1>
Anon. Identity : anonymous

PC2 : Kubuntu 24.04LTS with NetworkManager
not connected to the network

Procedure :
To have a baseline I started with pure mikrotik, so RADIUS on S1 pointing to R1. The result was an authenticated sfp-sfpplus1.
Next I connected PC2 to ether3 and tried to connect without authentication; this failed as expected.
Then I set up PC2 to connect with 802.1x authentication as user2, but that failed, no matter what authentication methods I tried.

Now, on S1 I disabled the RADIUS entry to R1 and enabled that to Freeradius.
I tried to connect PC2 to ether3 with 802.1x authentication, again as user2, with PEAP/MSCHAPv2, and I could connect.
So there is a difference between freeradius and mikrotik's User Manager in the handling of dot1x.

On PC2 I sniffed the traffic on the network port and there it shows :
after the "Client Hello" of the PC, the mikrotik-port answers "Alert (Level: Fatal, Description: Handshake Failure)".
See the (zipped) pcap-file.

FWIW, Windows 11 with PEAP/MSCHAPv2 behaves the same, i.e. no access with mikrotik User Manager.

Re: Default VLAN for non-authenticated users ?

Posted: Sun May 26, 2024 8:41 pm
by tdw
What certificates are you using for the EAP part? Windows requires the CA to be in the machine certificate store, there are other caveats too ... iderations

Re: Default VLAN for non-authenticated users ?

Posted: Sun May 26, 2024 9:12 pm
by KoenraadL
No certificates at this moment.
But isn't that beside the point? Freeradius authenticates fine, should not mikrotik do the same? Although I didn't test windows with freeradius.
And the ultimate goal is to have no Freeradius server in this instance.

Re: Default VLAN for non-authenticated users ?

Posted: Sun May 26, 2024 11:34 pm
by tdw
Pretty much all EAP methods will not work unless the server presents a certificate - are you sure FreeRADIUS isn't using some default certificate, whereas usermanager will need one creating?

Re: Default VLAN for non-authenticated users ?

Posted: Mon May 27, 2024 9:44 am
by KoenraadL
I'm absolutely no expert in radius, but what I understand is that a certificate is used to certify that the server is who it pretends to be. But then the clients need its counterpart, the CA cert.
And yes, my freeradius server presents a certificate (to authenticate WiFi-clients). So I'm going to try to create a certificate on mikrotik.
A new but: why do mikrotik devices work without those certificates?

Re: Default VLAN for non-authenticated users ?

Posted: Mon May 27, 2024 12:07 pm
by KoenraadL
OK, so I installed a certificate on the User Manager and now it works.
But it only works if I don't use the exported ca-certificate on the client. I exported it as PEM, but the name ends in crt.
With the mikrotik ca and User Manager, the client reports "Unsupported Certificate".

Now I can try using vlans.

Re: Default VLAN for non-authenticated users ?

Posted: Mon May 27, 2024 12:40 pm
by KoenraadL
I made an error.
In the UserManager /Router/Settings I selected the ca-certificate; that should have been the server-certificate. Now that works also.

Re: Default VLAN for non-authenticated users ?

Posted: Mon May 27, 2024 6:03 pm
by tdw
I'm not sure why the Mikrotik supplicant works without a certificate on the server. The certificate provides the keying material for the TLS tunnel used by PEAP in addition to providing identity information.

Per the previously linked page, for Windows supplicants they will not work unless the certificate contains the TLS Server Authentication EKU and the CA exists in the certificate store.