Hi Nicolas,
MikroTik have at least 3 integration options with their products. Most people
appear to want to integrate their centrally managed WiFi solutions called
CAPsMAN, but most of my integration to Packet Fence has been with individual
MikroTik routers with wireless interfaces. We have RADIUS disconnect working
well in this scenario, after making the following subtle change. VLAN
assignment has been reliable and RADIUS accounting is working perfectly for
single sign on to a Check Point security gateway:
--- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-16 09:39:14.703284401
+0200
@@ -139,7 +139,8 @@
sub deauthTechniques {
my ($self, $method, $connection_type) = @_;
my $logger = $self->logger;
- my $default = $SNMP::SSH;
+ my $default = $SNMP::RADIUS;
my %tech = (
$SNMP::SSH => 'deauthenticateMacSSH',
$SNMP::RADIUS => 'deauthenticateMacRadius',
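Review bot: changing `$default` from `$SNMP::SSH` to `$SNMP::RADIUS` silently changes behaviour for every deployment that reaches `deauthTechniques` without an explicit `$method`, and the hunk does not say why SSH is being demoted (the covering mail only says RADIUS disconnect works reliably on standalone MikroTik routers). State the reason in the commit message and document the new default in this module's POD so operators know which deauthentication path they get when no method is configured for the switch.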
@@ -257,8 +258,8 @@
Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the
following attributes:
-ATTRIBUTE Mikrotik-Wireless-VlanID 26 integer
-ATTRIBUTE Mikrotik-Wireless-VlanIDType 27 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer
=cut
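Review bot: the corrected names `Mikrotik-Wireless-VLANID` and `Mikrotik-Wireless-VLANID-Type` now match what the code returns, but the unchanged sentence "Don't forget to fill /usr/share/freeradius/dictionary.mikrotik" still reads as an instruction to add the entries by hand; since the covering mail says these are the FreeRADIUS default names, reword it to "verify that ... already contains" so nobody duplicates attribute numbers 26 and 27 in a dictionary that already defines them.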
The attribute name changes are actually just comment corrections; references in
the code appeared to have been changed relatively recently to match the
FreeRADIUS defaults.
MikroTik RouterOS v6.45.1 (changelog here:
<https://forum.mikrotik.com/viewtopic.php?t=149786>, from 2019/07)
introduced dot1x (manual here: <https://help.mikrotik.com/docs/display/ROS/Dot1X>)
as an implementation of
IEEE 802.1X port-based network access control using EAPOL (EAP over LAN), as
both supplicant (client) and authenticator (server). Supported EAP methods are
EAP-TLS, EAP-TTLS, EAP-MSCHAPv2, PEAPv0/EAP-MSCHAPv2 and it appears to support
MAB fallback.
PS: RouterOS is a free upgrade on any RouterBoard device and all current
software release channels (long term, stable, testing and development) have
this feature.
I would essentially like to hack around with the switch module to hopefully get
both wired and wireless 802.1X working as authenticator. Perl appears to be
readable but I have no idea where to start looking at what variables and
functions I need to possibly copy to support both wired 802.1x and wired MAC
auth.
Regards
David Herselman
From: Quiniou-Briand, Nicolas <[email protected]>
Sent: Tuesday, 18 May 2021 2:24 PM
To: [email protected]
Cc: David Herselman <[email protected]>
Subject: RE: MikroTik dot1x (Ethernet not WiFi)
Hello David,
1. Which features do you use on the Mikrotik module: Wireless MAC Auth? Webauth
Wireless? Or both?
If you only use Wireless MAC Auth, you can try to create your own switch
template [1] to support features you need ('WiredDot1x' and 'WiredMacAuth').
[1]
https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template
It looks like the current switch module returns the following attributes:
#v+
'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
'Mikrotik-Wireless-VLANID-Type' => "0",
};
#v-
You certainly need to adapt switch template to return something similar for
wired.
Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142
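As an added worked example (not code from this thread, from PacketFence or from FreeRADIUS), the Python below shows what the two dictionary attributes in the patch (vendor attributes 26 and 27) and the reply hash quoted in Nicolas's message become on the wire: each one is an RFC 2865 Vendor-Specific attribute carrying MikroTik's vendor id, which is assumed here to be 14988 as declared in FreeRADIUS's dictionary.mikrotik. The decoder walks an attribute list back to a dictionary so a captured Access-Accept can be checked for the VLAN the AP was told to use.

```python
import struct

MIKROTIK_VENDOR_ID = 14988       # assumed: VENDOR Mikrotik 14988 in FreeRADIUS's dictionary.mikrotik
VENDOR_SPECIFIC = 26             # RFC 2865 attribute type 26: Vendor-Specific
# Vendor attribute numbers from the dictionary lines in the patch
MIKROTIK_WIRELESS_VLANID = 26
MIKROTIK_WIRELESS_VLANID_TYPE = 27


def encode_vsa(vendor_type: int, value: int) -> bytes:
    """One MikroTik integer VSA wrapped in an RFC 2865 Vendor-Specific attribute."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    inner = struct.pack("!BBI", vendor_type, 6, value)       # vendor-type, vendor-length, value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + inner     # vendor-id followed by vendor data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def mikrotik_vlan_reply(vlan: int, vlan_type: int = 0) -> bytes:
    """Attribute bytes an Access-Accept carries so the AP tags the client into `vlan`.

    vlan_type defaults to 0, the value the quoted switch module returns."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be in 1..4094")
    return (encode_vsa(MIKROTIK_WIRELESS_VLANID, vlan)
            + encode_vsa(MIKROTIK_WIRELESS_VLANID_TYPE, vlan_type))


def decode_mikrotik_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list; return {vendor_type: value} for MikroTik VSAs only."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == MIKROTIK_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:           # sub-attributes: vendor-type, vendor-length, data
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen == 6:                  # integer VSAs are exactly 6 bytes
                        found[vtype] = struct.unpack("!I", attrs[j + 2:j + 6])[0]
                    j += max(vlen, 2)              # never loop forever on a zero length
        i += alen
    return found
```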
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users