cwu46
just joined
Topic Author
Posts: 9
Joined: Sat Jun 10, 2006 8:35 pm

Mikrotik Radius Client Attribute/Authentication Questions

Fri Jun 30, 2006 1:36 am

Hi all,

To authenticate w/ our Radius servers, I need to have the Mikrotik send during the RADIUS access-request for each user the following

1. SSID requested by the user

In doing some research, I've discovered methods of doing it either through Congdon (e.g. -- attached to the end of the called-station-id) or via a VSA

Does Mikrotik support this (through Congdon or a specific VSA for SSID)?

If not -- how are others implementing 802.1x RADIUS-based authentication w/ Mikrotik (or is anyone doing it?)

Thanks

-Charles
 
cwu46
just joined
Topic Author
Posts: 9
Joined: Sat Jun 10, 2006 8:35 pm

Fri Jun 30, 2006 2:17 am

Just to expand:

from:
http://www.ieee802.org/1/files/public/d ... 21x-20.txt
Congdon RADIUS (802.1x) implementation of Called-Station-ID Attribute
3.20. Called-Station-Id

For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".
 
cwu46
just joined
Topic Author
Posts: 9
Joined: Sat Jun 10, 2006 8:35 pm

Fri Jun 30, 2006 2:27 am

So I delved deeper into the documentation, and found the Mikrotik reference dictionary:

http://www.mikrotik.com/Documentation/m ... dictionary

It looks like there's no particular VSA for SSID =(

That said, is there any way to pass the user's associated SSID to the radius server (is Calling-Station-ID implemented correctly per Congdon)?

thanks

-Charles
 
datanet
just joined
Posts: 8
Joined: Sat Nov 11, 2006 7:57 pm
Location: Poland

Thu Nov 30, 2006 2:34 am

I need the same: is there any way to pass the user's associated SSID to the radius server?
I have a tower with 2 wifi interfaces and I must set access to a particular SSID for a wireless client in the radius server.

Please advise.

Piotr
 
normis
MikroTik Support
Posts: 26440
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Nov 30, 2006 9:18 am

Each SSID has its own interface in RouterOS. Radius gets the interface name in the NAS-Port-Id attribute.

It is possible to rename all wireless interfaces to their SSID value, and then NAS-Port-Id will contain the SSID of the client.
 
datanet
just joined
Posts: 8
Joined: Sat Nov 11, 2006 7:57 pm
Location: Poland

Fri Dec 01, 2006 5:02 pm

Now I can check SSID with NAS-Port-Id attribute.

00:13:CE:9A:F6:82 NAS-Port-Id == wlan1

But if I turn it on, the DHCP server doesn't give me an IP address - I get Access-Reject.

The SSID check works fine, the client can be associated with the radio station, but the DHCP lease stops working.

Then I remove this line from the radius check table, DHCP starts working, but of course I lose the possibility of checking the SSID.

Any ideas?
 
jfan
newbie
Posts: 25
Joined: Wed May 31, 2006 9:04 pm
Location: United States

Thu Jan 11, 2007 12:10 am

I have been told that v3.x will pass SSID to RADIUS. Can anyone confirm this? I am trying to prove it myself currently...

For Virtual AP, each SSID should be able to pass to RADIUS per Congdon, right?

Jin
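
Added example, not part of any post above and not MikroTik or RADIUS server code: a server-side check that reads the SSID from the Called-Station-Id format quoted earlier in the thread and, only when told the wireless interfaces were renamed to their SSIDs, falls back to NAS-Port-Id as the MikroTik Support reply describes. The function names, the `port_id_is_ssid` switch, the `ALLOWED` table and the sample requests are assumptions constructed for illustration.

```python
import re

# Called-Station-Id as quoted in the thread: dash-separated AP MAC, optional ":SSID".
CALLED_RE = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?::(.+))?", re.S)

def normalize_mac(value):
    """Canonicalise a MAC (any separator) to upper-case dash form, or None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value or "").upper()
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def ssid_from_request(attrs, port_id_is_ssid=False):
    """Return (ssid, source_attribute) or (None, None)."""
    m = CALLED_RE.fullmatch(attrs.get("Called-Station-Id", ""))
    if m and m.group(2):
        # Split only at the first ":" after the MAC; an SSID may contain ":".
        return m.group(2), "Called-Station-Id"
    port = attrs.get("NAS-Port-Id", "")
    # Assumption: NAS-Port-Id is an SSID only if interfaces were renamed to it.
    if port_id_is_ssid and port:
        return port, "NAS-Port-Id"
    return None, None

def authorize(attrs, allowed, port_id_is_ssid=False):
    """Fail closed: accept only a known client on an SSID it is allowed to use."""
    mac = normalize_mac(attrs.get("Calling-Station-Id"))
    if mac is None:
        return False, "missing or malformed Calling-Station-Id"
    ssid, source = ssid_from_request(attrs, port_id_is_ssid)
    if ssid is None:
        return False, "request carries no SSID"
    if ssid not in allowed.get(mac, set()):
        return False, f"{mac} not permitted on SSID {ssid!r}"
    return True, f"{mac} permitted on SSID {ssid!r} (from {source})"

# Constructed sample data; MACs and SSID reuse the values shown in the thread.
ALLOWED = {"00-13-CE-9A-F6-82": {"AP1"}}
CONGDON_REQ = {"Calling-Station-Id": "00:13:CE:9A:F6:82",
               "Called-Station-Id": "00-10-A4-23-19-C0:AP1"}
RENAMED_IF_REQ = {"Calling-Station-Id": "00:13:CE:9A:F6:82",
                  "Called-Station-Id": "00-10-A4-23-19-C0",
                  "NAS-Port-Id": "AP1"}

if __name__ == "__main__":
    for req in (CONGDON_REQ, RENAMED_IF_REQ):
        print(authorize(req, ALLOWED, port_id_is_ssid=True))
```

A request that carries no SSID in either attribute is rejected rather than accepted by default, so the per-SSID restriction cannot be skipped by omitting the attribute.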
