Hi Fabrice,
Many thanks! It appears I’ve gotten 802.1x working, but the MAC fallback doesn’t
appear to work; that looks like a RouterOS issue, so I’ll log a query in
their forums.
Managed to work around the VLAN assignment issue I was having, where WiFi
requires MikroTik-specific attributes and wired uses the standard ones, by
simply sending everything in the replies, which works for both 802.1x wired and
wireless connections.
Works for me, will test before trying to submit a patch:
[root@packetfence2 ~]# diff -uNr Mikrotik.pm.orig
/usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-18 22:42:36.465205841
+0200
@@ -46,6 +46,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+ WiredMacAuth
+ WiredDot1x
WirelessMacAuth
ExternalPortal
WebFormRegistration
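Review bot: the two added capability lines (WiredMacAuth, WiredDot1x) declare wired support, but no hunk in this patch touches how the wired port is derived. The log in the original report further down this thread shows `port =>` empty and `$nas_port` uninitialized in pf::Switch::NasPortToIfIndex for an Ethernet-EAP request. Worth confirming those warnings are gone with this change applied and, if not, adding NAS-Port handling for wired connections before submitting.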
@@ -139,7 +141,8 @@
sub deauthTechniques {
my ($self, $method, $connection_type) = @_;
my $logger = $self->logger;
- my $default = $SNMP::SSH;
+ my $default = $SNMP::RADIUS;
my %tech = (
$SNMP::SSH => 'deauthenticateMacSSH',
$SNMP::RADIUS => 'deauthenticateMacRadius',
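Review bot: changing `$default` to `$SNMP::RADIUS` switches the fallback deauth technique for every connection type, including existing wireless setups that relied on the SSH default, while the PS below reports that RADIUS disconnect and CoA do not appear to work on wired 802.1x. Since `$connection_type` is already passed into deauthTechniques, consider choosing the default per connection type, or keep SSH as the default until RADIUS deauth is confirmed working, and call out the behaviour change in the commit message.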
@@ -257,8 +260,8 @@
Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the
following attributes:
-ATTRIBUTE Mikrotik-Wireless-VlanID 26 integer
-ATTRIBUTE Mikrotik-Wireless-VlanIDType 27 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer
=cut
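Review bot: the renamed `+ATTRIBUTE` lines now match the keys used in `$radius_reply_ref` (Mikrotik-Wireless-VLANID, Mikrotik-Wireless-VLANID-Type), but the POD still describes only the MikroTik attributes. Since the next hunk also returns Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, add a sentence here saying so, and note that a dictionary file filled in under the old names needs updating.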
@@ -279,6 +282,9 @@
$radius_reply_ref = {
'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
'Mikrotik-Wireless-VLANID-Type' => "0",
+ 'Tunnel-Type' => "13",
+ 'Tunnel-Medium-Type' => "6",
+ 'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
};
}
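Review bot: the three added Tunnel-* attributes are sent unconditionally alongside the MikroTik wireless ones, and the values "13" and "6" are unexplained literals. Add a comment that 13 is VLAN and 6 is IEEE-802, and state in the POD or commit message that both attribute sets are returned on purpose so one reply serves wired and wireless 802.1x. If a NAS ever mishandles the extra attributes, selecting the set by connection type would be the alternative.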
PS: Neither RADIUS disconnect nor CoA on 802.1x wired appears to be working, but this
may also require alterations…
Regards
David Herselman
From: Fabrice Durand <[email protected]>
Sent: Tuesday, 18 May 2021 2:40 PM
To: [email protected]
Cc: David Herselman <[email protected]>
Subject: Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)
Hello David,
you are on the right track.
First you need to append that:
use pf::SwitchSupports qw(
WiredMacAuth
WiredDot1x
...
);
Then retry.
Also, can you provide a raddebug output when you connect?
raddebug -f /usr/local/pf/var/run/radiusd.sock
Regards
Fabrice
On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users
<[email protected]>
wrote:
Hi,
I'm hoping someone could point me at some documentation which may provide
necessary steps to extend the MikroTik module to additionally support 802.1x
for ethernet.
I tried adding 'WiredDot1x' and 'WiredMacAuth' to
/usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza but
still received the following warnings:
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
[mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in concatenation
(.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468.
(pf::Switch::NasPortToIfIndex)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
[mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation (.)
or string at /usr/local/pf/lib/pf/radius.pm line 188.
(pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO:
[mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip =>
(100.127.255.10), connection_type => Ethernet-EAP,switch_mac =>
(6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username =>
"DOMAIN-01\davidh" (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
[mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is
unsupported (pf::radius::_switchUnsupportedReply)
When I review the Pica8 module I see the following, but have no reference as to
what they do and whether or not I'm missing something which is possibly clearly
documented.
Pica8 switch module:
use pf::config qw(
$ROLE_API_LEVEL
$MAC
$PORT
$WIRED_802_1X
$WIRED_MAC_AUTH
MikroTik switch module:
use pf::config qw(
$MAC
$SSID
$WIRELESS_MAC_AUTH
$WEBAUTH_WIRELESS
Regards
David Herselman
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users