Brain2000
newbie
Topic Author
Posts: 27
Joined: Thu Sep 26, 2024 6:20 am

cAP AX and Dynamic VLAN assignment

Sat Oct 05, 2024 1:49 am

Greetings, I just picked up a cAP AX wireless access point and I would like to set it up for dynamic vlans. I read this article: viewtopic.php?t=186420 but it seemed to use CAPSMAN in order to set this up. So I figured out how to get packages and installed the Wireless package and disabled the wifi-qcom package. However, no wireless interfaces show up at all when I do this so I went back to the wifi-qcom package and they came back.

I was able to set up a VLAN trunk to our switch, assign it a couple of VLANs, and authenticate with the Radius server. However I can't seem to figure out how to take the Tunnel-Private-Group-ID RADIUS attribute to assign which VLAN the wireless client should be connected to.

I have this same setup working on our older Cisco switches and also OpenWRT. But I'd like to switch over to Mikrotik for all of our wireless access points as we move towards WPA3/Wifi6.
 
Brain2000
newbie
Topic Author
Posts: 27
Joined: Thu Sep 26, 2024 6:20 am

Re: cAP AX and Dynamic VLAN assignment

Tue Oct 08, 2024 2:10 am

Perhaps a different question.
I understand that this unit uses a different set of Radius attributes. Unfortunately, the documentation is missing. The entire wiki seems to have gone missing.
Does anyone know how to set this up?
https://wiki.mikrotik.com/Wiki/Manual:R ... dictionary
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: cAP AX and Dynamic VLAN assignment

Tue Oct 08, 2024 2:14 am

there are 3 attributes which come into play here
maybe this guide helps or clarifies some stuff -> https://administrator.de/forum/mikrotik ... 35253.html

EDIT: the article shows the mikrotik user-manager radius implementation but the 3 attributes are standardized no matter if it is a cisco ISE, an aruba clearpass, mikrotik user-manager or even a MS NPS
 
snuggerbonzen
just joined
Posts: 18
Joined: Tue Jan 16, 2024 9:08 am

Re: cAP AX and Dynamic VLAN assignment

Tue Oct 08, 2024 10:00 pm

I have dynamic vlan assignment working with cAP ax and freeradius (works both with and without capsman), but only when I use WPA-EAP. Weirdly enough, when using WPA-PSK, the radius server is not even contacted. I am planning to write to support about this soonish. As a workaround, the new PPSK functionality viewtopic.php?t=211305 could be used.
 
snuggerbonzen
just joined
Posts: 18
Joined: Tue Jan 16, 2024 9:08 am

Re: cAP AX and Dynamic VLAN assignment  [SOLVED]

Tue Oct 08, 2024 11:21 pm

there are 3 attributes which come into play here
maybe this guide helps or clarifies some stuff -> https://administrator.de/forum/mikrotik ... 35253.html

EDIT: the article shows the mikrotik user-manager radius implementation but the 3 attributes are standardized no matter if it is a cisco ISE, an aruba clearpass, mikrotik user-manager or even a MS NPS
Not standardized enough apparently... what the radius server needs to send for this to work is

Mikrotik-Wireless-VLANID = "10" (or whichever id you choose)
Mikrotik-Wireless-VLANID-Type = "0"

Your radius server needs to use the mikrotik dictionary https://wiki.mikrotik.com/Manual:RADIUS ... dictionary
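To see concretely what the two attributes above look like on the wire, and to check whether a given Access-Accept carries them, here is an added example (my code, not snuggerbonzen's or MikroTik's). It encodes the MikroTik vendor-specific attributes Mikrotik-Wireless-VLANID (26) and Mikrotik-Wireless-VLANID-Type (27) under MikroTik's IANA enterprise number 14988, encodes the RFC 2868 Tunnel-Private-Group-ID style reply that Cisco and OpenWrt consume for contrast, and decodes an attribute payload to report which of the two forms is present. All packets are constructed inline; a real check would feed it the attribute bytes of a captured Access-Accept.

```python
"""
Added example (not from the thread): build and inspect the RADIUS attribute
payload that assigns a VLAN, to confirm an Access-Accept carries what the
thread says a cAP ax needs (MikroTik VSAs 26/27) rather than only the
RFC 2868 tunnel attributes. Standard library only; every payload here is
constructed, not captured.
"""
import struct

# RFC 2865 / RFC 2868 attribute types
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# MikroTik IANA enterprise number and the two entries from its RADIUS dictionary
MIKROTIK_VENDOR_ID = 14988
MT_WIRELESS_VLANID = 26        # Mikrotik-Wireless-VLANID (integer)
MT_WIRELESS_VLANID_TYPE = 27   # Mikrotik-Wireless-VLANID-Type (0 = 802.1Q)


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def mikrotik_vsa(sub_type: int, value: int) -> bytes:
    """Vendor-Specific attribute carrying one 32-bit MikroTik sub-attribute."""
    sub = struct.pack("!BBI", sub_type, 6, value)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MIKROTIK_VENDOR_ID) + sub)


def mikrotik_vlan_reply(vlan_id: int, vlan_type: int = 0) -> bytes:
    """The pair the thread says the server must send: VLANID plus VLANID-Type."""
    return (mikrotik_vsa(MT_WIRELESS_VLANID, vlan_id)
            + mikrotik_vsa(MT_WIRELESS_VLANID_TYPE, vlan_type))


def tunnel_vlan_reply(vlan_id: int) -> bytes:
    """Cisco/OpenWrt style reply, tag 0: Tunnel-Type=VLAN(13),
    Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan as text>."""
    return (attr(TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:])
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:])
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()))


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs; a malformed length raises instead of being skipped."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def vlan_assignment(blob: bytes) -> dict:
    """Report which VLAN-assignment attributes an Access-Accept payload carries."""
    found = {"mikrotik_vlan": None, "mikrotik_vlan_type": None, "tunnel_group_id": None}
    for atype, value in parse_attributes(blob):
        if atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte <= 0x1F is a tag, otherwise it belongs to the string
            text = value[1:] if value[0] <= 0x1F else value
            found["tunnel_group_id"] = text.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
                continue
            for sub_type, sub_value in parse_attributes(value[4:]):
                if len(sub_value) != 4:
                    continue
                number = struct.unpack("!I", sub_value)[0]
                if sub_type == MT_WIRELESS_VLANID:
                    found["mikrotik_vlan"] = number
                elif sub_type == MT_WIRELESS_VLANID_TYPE:
                    found["mikrotik_vlan_type"] = number
    # Per the thread, the cAP ax acts on the MikroTik VSA, not on Tunnel-Private-Group-ID
    found["cap_ax_usable"] = found["mikrotik_vlan"] is not None
    return found


if __name__ == "__main__":
    for label, payload in (("mikrotik", mikrotik_vlan_reply(10)),
                           ("tunnel-only", tunnel_vlan_reply(10))):
        print(label, payload.hex(), vlan_assignment(payload))
```

Running it prints the 24-byte MikroTik payload (vendor id 0x3A8C, sub-attributes 0x1A and 0x1B) next to the tunnel-only payload, and the decoder flags only the first as usable by the cAP ax. A server that sends both forms works for Cisco, OpenWrt and MikroTik clients alike; the decoder reports that case too.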
 
Brain2000
newbie
Topic Author
Posts: 27
Joined: Thu Sep 26, 2024 6:20 am

Re: cAP AX and Dynamic VLAN assignment

Fri Oct 11, 2024 5:41 pm

I have dynamic vlan assignment working with cAP ax and freeradius (works both with and without capsman), but only when I use WPA-EAP. Weirdly enough, when using WPA-PSK, the radius server is not even contacted. I am planning to write to support about this soonish. As a workaround, the new PPSK functionality viewtopic.php?t=211305 could be used.
This is correct.
PSK == PreSharedKey == you enter the wifi password
EAP == Extensible Authentication Protocol == radius authentication
 
Brain2000
newbie
Topic Author
Posts: 27
Joined: Thu Sep 26, 2024 6:20 am

Re: cAP AX and Dynamic VLAN assignment

Fri Oct 11, 2024 6:04 pm

Not standardized enough apparently... what the radius server needs to send for this to work is

Mikrotik-Wireless-VLANID = "10" (or whichever id you choose)
Mikrotik-Wireless-VLANID-Type = "0"

Your radius server needs to use the mikrotik dictionary https://wiki.mikrotik.com/Manual:RADIUS ... dictionary
Aha! That's where the link should go. Google still has everything pointing to old links in the wiki that are empty. There should be redirects. Looks like they just removed the path /Wiki/ from the URL.

Thank you! I just added the two attributes to NPS and am going to try this over the weekend.
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: cAP AX and Dynamic VLAN assignment

Sun Oct 13, 2024 5:34 pm

Do post your config, interesting setup!!
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys etc. )
 
snuggerbonzen
just joined
Posts: 18
Joined: Tue Jan 16, 2024 9:08 am

Re: cAP AX and Dynamic VLAN assignment

Sun Oct 13, 2024 10:51 pm

This is correct.
PSK == PreSharedKey == you enter the wifi password
EAP == Extensible Authentication Protocol == radius authentication
Right... now that you put it that way, it makes sense. So with PSK, we want MAC address authentication. This has to be done through an Access List entry with query-radius action. I have tried this in the past, and it didn't work.

That said, I just tried again, and while I don't have it working yet I think I can get there. I have the following problems to solve:
  • Get an access list entry to actually match one of my mac addresses. If I put a mac address into the access list entry, that entry is never triggered. What did work so far was leaving the mac address field blank and so match EVERY client. Fixing this might even be optional for me, as I have my WPA-PSK exclusively on wifi2, so I could make a single entry for all my clients by filtering on the interface only.
  • Make my FreeRadius send back what my capsman or AP expects. Right now what I get back (in the mikrotik log) is wireless,debug B8:XX:XX:XX:XX:XX@cap-wifi2 got RADIUS reply TIMEOUT and wireless,debug B8:XX:XX:XX:XX:XX@cap-wifi2 connection rejected, forbidden by RADIUS
I think I can get this to work, but not tonight. Will take a week or two. I will report back.

EDIT: Couldn't stop fiddling and now it works. The missing piece (for the second point above) was an AAA entry on my wifi2 interface, that defined Username Format and Password Format in the way that FreeRadius expects it. So, for FreeRadius on pfsense, in an entry in the Users Tab (no entries in MACs tab needed), if you have Mac Address set lowercase and with dashes (e.g. a2-b2-ef-52-ab-12) for both Username and Password, set the AAA entry to aa-aa-aa-aa-aa-aa for both Username Format and Password Format, see https://help.mikrotik.com/docs/display/ ... properties . Or use colons, works as well if you configure the AAA entry and the entries in FreeRadius accordingly.

Yay!!!
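The "forbidden by RADIUS" outcome in the post above comes down to a string comparison: the AP builds User-Name and User-Password from the client MAC according to the AAA username-format and password-format, and a plain FreeRADIUS users entry is matched by exact text. The added example below (my code, not the poster's and not RouterOS) makes that visible: the placeholder alphabet it uses for the pattern ('a' lowercase hex digit, 'A' uppercase, any other character a literal separator) is this example's own convention modelled on the aa-aa-aa-aa-aa-aa pattern from the post, and the users table is constructed.

```python
"""
Added example (not from the thread): reproduce the MAC-auth mismatch between
the AP's AAA username-format/password-format and a FreeRADIUS users entry.
Pattern alphabet is this example's own convention: 'a' = lowercase hex digit,
'A' = uppercase hex digit, anything else is copied literally.
"""
import re


def render_mac(mac: str, pattern: str) -> str:
    """Spell a MAC the way the given pattern does, whatever form it arrived in."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    if pattern.count("a") + pattern.count("A") != 12:
        raise ValueError(f"pattern needs exactly 12 digit placeholders: {pattern!r}")
    out, it = [], iter(digits)
    for ch in pattern:
        if ch == "a":
            out.append(next(it).lower())
        elif ch == "A":
            out.append(next(it).upper())
        else:
            out.append(ch)
    return "".join(out)


def radius_credentials(mac: str, username_format: str, password_format: str) -> tuple:
    """(User-Name, User-Password) the AP would send for a MAC-authenticated client."""
    return render_mac(mac, username_format), render_mac(mac, password_format)


def freeradius_would_accept(users: dict, mac: str, username_format: str,
                            password_format: str) -> bool:
    """Exact-text match, which is what a plain users-file entry does."""
    user, password = radius_credentials(mac, username_format, password_format)
    return users.get(user) == password


# Constructed FreeRADIUS user entry in the lowercase-with-dashes style from the post
USERS = {"a2-b2-ef-52-ab-12": "a2-b2-ef-52-ab-12"}

if __name__ == "__main__":
    client = "A2:B2:EF:52:AB:12"   # constructed client MAC as the driver reports it
    for fmt in ("aa-aa-aa-aa-aa-aa", "AA:AA:AA:AA:AA:AA", "aaaaaaaaaaaa"):
        print(fmt, radius_credentials(client, fmt, fmt),
              "accept" if freeradius_would_accept(USERS, client, fmt, fmt) else "reject")
```

Only the format that spells the MAC exactly as the users entry does gets an accept; the other two produce the reject the post describes even though the MAC is the same. Since the MAC is sent in the clear and is not a secret, a VLAN chosen this way is a convenience for known devices, not an access-control boundary; the WPA-EAP path earlier in the thread is what ties the VLAN to a verified identity.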
 
Brain2000
newbie
Topic Author
Posts: 27
Joined: Thu Sep 26, 2024 6:20 am

Re: cAP AX and Dynamic VLAN assignment

Tue Oct 22, 2024 6:21 pm

Ok, I have dynamic wifi VLANs working!! Thank you for your help with this.

Notes:
The ethernet is 802.1Q tagged for all VLANs going to the wifi router.
The main VLAN for the wifi itself is VLAN10.
There is a DHCP helper on the upstream Cisco that handles sending requests to a Microsoft DHCP server with VLAN scopes from 8-15 (192.168.8-15.0/24).
The radius server is Microsoft NPS, with the two additional Mikrotik radius attributes added, #26 and #27.
Active Directory domain accounts are mapped to the radius server by group membership.

Here is the config (unneeded stuff removed):
/interface bridge
add admin-mac=D4:01:C3:6C:7F:BA auto-mac=no comment=defconf dhcp-snooping=yes frame-types=admit-only-vlan-tagged name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add comment=8 interface=bridge name=VLAN8 vlan-id=8
add comment=9 interface=bridge name=VLAN9 vlan-id=9
add comment=10 interface=bridge name=VLAN10 vlan-id=10
add comment=11 interface=bridge name=VLAN11 vlan-id=11
add comment=12 interface=bridge name=VLAN12 vlan-id=12
add comment=13 interface=bridge name=VLAN13 vlan-id=13
add comment=14 interface=bridge name=VLAN14 vlan-id=14
add comment=15 interface=bridge name=VLAN15 vlan-id=15
/interface list
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap comment=wifisecurity disabled=no eap-certificate-mode=dont-verify-certificate eap-methods=peap encryption="" group-encryption=ccmp name=wifisecurity
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=TEST .tx-power=14 disabled=no security=wifisecurity
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country="United States" .mode=ap .ssid=TEST .tx-power=10 disabled=no security=wifisecurity
/interface bridge port
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge vlan
add bridge=bridge comment=8 tagged=wifi1,wifi2,ether1 vlan-ids=8
add bridge=bridge comment=9 tagged=wifi1,wifi2,ether1 vlan-ids=9
add bridge=bridge comment=10 tagged=wifi1,wifi2,ether1,bridge vlan-ids=10
add bridge=bridge comment=11 tagged=wifi1,wifi2,ether1 vlan-ids=11
add bridge=bridge comment=12 tagged=wifi1,wifi2,ether1 vlan-ids=12
add bridge=bridge comment=13 tagged=wifi1,wifi2,ether1 vlan-ids=13
add bridge=bridge comment=14 tagged=wifi1,wifi2,ether1 vlan-ids=14
add bridge=bridge comment=15 tagged=wifi1,wifi2,ether1 vlan-ids=15
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.10.137/24 comment=defconf interface=VLAN10 network=192.168.10.0
/ip dns
set servers=192.168.10.11
/ip route
add comment=defaultroute disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main suppress-hw-offload=no
/radius
add address=192.168.10.11 comment=radius require-message-auth=no service=wireless timeout=3s secret=**********
/system clock
set time-zone-name=America/New_York