eduroam: VLAN assignment based on RADIUS 802.1x reply

alice · Fri Feb 14, 2014 4:58 pm

Hi,

We've been running eduroam on Mikrotik - so far we've been using the same network for both users from our institution and for guests.

Now, I'd like to assign the VLAN to the user based on their realm. Guests from other institutions get different VLAN from locals.

I have found the trick for FreeRADIUS server, any chance to do anything with the RouterOS?

Thank you in advance.

jaykay2342 · Fri Feb 14, 2014 9:58 pm

i think this is not possible with routeros at the moment. but i also would like to have such a feature

alice · Mon Feb 17, 2014 10:36 am

SHTF situation.

If anyone here is fluent in MetaROUTER - do you think it might be the light at the end of the tunnel?

dog · Mon Mar 10, 2014 5:31 pm

Basically the problem is that wireless clients do not create an interface on MT (except for WDS) so you can't put them in a VLAN.

The workaround would be to use a Virtual AP and create two WLANs for eduroam guests and local users and bridge them to different VLANs.
Then you would have to configure freeradius to filter out the guests from the internal WLAN.

levak · Tue Apr 29, 2014 2:40 pm

Hi Alice!

I can't seem to send PM, so I'm asking you here...

I want to attach my Mikrotik router to eduroam network but cant manage to do it: http://forum.mikrotik.com/viewtopic.php?f=2&t=83893.

Could you send me your working mikrotik config so I could test it?

Thanks, MAtej

alice · Thu Jul 31, 2014 4:37 pm

Let me refresh my question:

Can CAPsMAN help me in assigning different VLANs to individual clients using the same SSID and AAA'ed by a RADIUS server?
vlan-mode and vlan-id look promising, but the description is very brief and maybe I hope too much.

Test471 · Thu Jul 31, 2014 5:09 pm

Check out the access list within CAPsMAN. Based on MAC or MAC filter you can assign different VLANs. This is not exactly what you are looking for but maybe there is something that can be done based od radius reply. Just thinking...

alice · Thu Jul 31, 2014 5:46 pm

Check out the access list within CAPsMAN.

That's my point - I'm not exactly sure what I can do with the access list... and maybe if I did some overcomplicated packet mangling... no, I don't have a clue yet.
thx for a reaction anyway.

roadracer96 · Fri Aug 01, 2014 1:28 am

Capsman can't do 802.1x. Mikrotik can't do eduroam at the moment. Use ubiquiti or openwrt. Or pretty much any othe vendor.

alice · Fri Aug 01, 2014 9:59 am

Mikrotik can't do eduroam at the moment. Use ubiquiti or openwrt.

Maybe this is some misunderstanding, but I'd like to stress for a random reader of this topic that a standalone Mikrotik can do eduroam. I've been running ~100 units.
While I haven't tried it with CAPsMAN yet, I have a good reason to believe it can work too.
I am only wondering whether I can do the VLAN assignment for each client based on RADIUS response.

roadracer96 · Sat Aug 02, 2014 12:29 am

Capsman doesn't support 802.1xand capsman is the only one that supports radius vlan assignment.

We just rolled out eduroam. Dynamic vlan assignment is a requirement for us. We are trying to go single ssid.

alice · Mon Aug 04, 2014 3:45 pm

Capsman doesn't support 802.1x

Excuse me, I haven't tried it yet (still playing with the L3 provisioning), but wouldn't eduroam setting be done with CAPsMAN by setting security.authentication-types=wpa2-eap and security.eap-methods=passthrough ? Could you please explain the problem with eduroam more?

roadracer96 · Tue Aug 05, 2014 4:45 am

Im TELLING you that Capsman DOES NOT work with 802.1x.. I tried it at home. It only works with MAC based..

Once more. Caps man DOES NOT work with 802.1x. AT ALL.

EDIT: The security options exist, but they just don't work. Im sure they will in the future, but at the moment, they don't.

P2k1 · Tue Aug 05, 2014 12:59 pm

For me Radius Auth. (WPA-EAP / eap-methods=passthrough) to a Windows Radius Server checking Windows Domain Group memberships of users / computers is working with CAPsMAN.

Tue Aug 05, 2014 2:10 pm

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn't specified.

alice · Tue Aug 05, 2014 3:37 pm

Any chance for quick implementation or some kind of workaround (some packet mangling)? This is strategic for our long-term strategy.

roadracer96 · Tue Aug 05, 2014 5:48 pm

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn't specified.

AHHH.. OK.. That would explain why it didn't work for me when all i did as change from MAC to EAP..... When do we expect that to work?

alice · Wed Aug 06, 2014 10:37 am

When do we expect that to work?

+1

Wed Aug 06, 2014 12:15 pm

fow what purposes you would use that vlan-id if we would try to add that to the EAP RADIUS response?

alice · Wed Aug 06, 2014 12:34 pm

eduroam users must to log in at institutional WiFi with a login name in form loginname@realm with PEAP.

After successful verification of their identity thru a planet-wide RADIUS hierarchy
- if they study at this university (i.e. they have the proper realm), they are assigned a vlan with full access to the university network.
- if they are from any other institution participating in eduroam (any other realm), they are assigned a vlan with guest level access.

The trick for FreeRADIUS described for example here.

(Feasibility of this scenario has became a pretext for my manager to think seriously about replacing current Mikrotik infrastructure with now-damned-cheap HP and maybe also some other bad side-effect consequences.)

roadracer96 · Wed Aug 06, 2014 10:21 pm

fow what purposes you would use that vlan-id if we would try to add that to the EAP RADIUS response?

Dynamic vlan assignment based on the user.

For instance. We broadcast the "eduroam" SSID. We have employees connect to it and get vlan 501, students connect and get vlan 502, IT department gets vlan 1208, other non-user devices get vlan 3900, and federated logins from other institutions get vlan 502. Users that exhibit malicious or virus like activity get thrown into yet another vlan.

So in the end (When we finish the migration) will only have 1 SSID being broadcast for all networks and all purposes. Plus 1 open SSID for people to read setup directions for 802.1x (Captive portal only showing 1 website)

Our Meru does it wonderfully... But as we want to move towards AC, Id like to put Mikrotik on bid.

EDIT: I should add.. The other features required to even consider Mikrotik would be single channel zero handoff roaming (Way to many access points to worry about channel overlap), functional L3 Capsman tunneled connections (APs could be in any of about 40 different subnets). Capsman was the big jump that made it even seem feasible for us to use mikrotik. Centrally managed, tunneled connections... We've grown too accustomed to having that functionality to lose it.

alice · Wed Aug 06, 2014 11:09 pm

btw: eduroam is now implemented at ~6,000 campuses (see the map) and still counting.

I can imagine that this EAP scenario can be useful in just about any institutional network where it is important to separate "access levels" of various employees.
I believe that MAC based authentication on the contrary can't be really considered an effective security mechanism.

roadracer96 · Mon Aug 11, 2014 4:31 pm

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn't specified.

Testing this.

Mac auth, Trying to assign tagged vlan based on RADIUS response.

Mon Aug 11 09:21:41 2014
Packet-Type = Access-Accept
Tunnel-Private-Group-Id:0 = "1208"
Acct-Interim-Interval = 600
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802

Debugging output shows unknown attributes for the Tunnel-* Attributes. Is there some other attribute we should use in capsman for assigning the client to a vlan?

Tue Aug 12, 2014 3:45 pm

you should use our MikroTik attributes:

MIKROTIK_WIRELESS_VLANID = 26, /* integer */
MIKROTIK_WIRELESS_VLANIDTYPE = 27, /* integer */

VLANIDTYPE:
0 - 802.1q tag
1 - 802.1ad tag (service tag)

roadracer96 · Tue Aug 12, 2014 6:10 pm

you should use our MikroTik attributes:

MIKROTIK_WIRELESS_VLANID = 26, /* integer */
MIKROTIK_WIRELESS_VLANIDTYPE = 27, /* integer */

VLANIDTYPE:
0 - 802.1q tag
1 - 802.1ad tag (service tag)

Thanks!

Those don't show up in any of the radius dictionaries I've seen, including your wiki.

Are there any other undocumented attributes?

Frinstance.. I have 1-22 in a standard free radius dictionary.. you gave me 26,27.. what are 23-25?

roadracer96 · Tue Aug 12, 2014 6:33 pm

Unknown attribute?

This is CAPSMAN ROS 6.18

11:31:46 radius,debug,packet received Access-Accept with id 90 from 10.0.0.28:1812
11:31:46 radius,debug,packet Signature = 0x82d76e59de1aa563441b2ab5ed61c5d3
11:31:46 radius,debug,packet Acct-Interim-Interval = 600
11:31:46 radius,debug,packet Unknown-Attribute(vendor=MT, type=27) = 0x00000000
11:31:46 radius,debug,packet Unknown-Attribute(vendor=MT, type=26) = 0x000004b8

The values are correct. 4b8 in decimal is 1208, the vlan id i passed along.

It seems to work.. But odd that it didn't know what the attribute is..

roadracer96 · Wed Aug 13, 2014 2:47 pm

It doesn't fully work.

Im setting it up like this:

RB1100AHX2 Caps Manager
Omnitik AP Caps Client
Manager Forwarding mode

Omnitik plugged into port 10 of RB1100, Caps using ethernet discovery and communication, not L3.
Bridge BR-CAPS setup on RB1100 with port 13 as slave, connected to upstream switch with only tagged vlans on it.
Omnitik cap interface set to BR-CAPS bridge.

So, like I said, when the tag is manually specified in the access list, it works fine. But if the access list has no tag specified or the tag in the RADIUS response differs from the access list, it only 1/2 works. The forwarding entry shows up in the switch, packet captures show data going out the cap interface with tagged traffic, but the client can't get a DHCP address.

Any ideas?

odge · Thu Oct 02, 2014 1:40 am

Hi Uldis

Is there a reason you aren't supporting the normal VLAN tagging for radius? Both Windows AD serving as a RADIUS and FreeRadius (probably the most common RADIUS implentations is use) ll already support the Standard RADIUS attribute Tunnel-Pvt-Group-ID

ilnicchio · Tue Nov 04, 2014 11:33 am

Any update?
This topic it's very interesting also for us.
Proposing MK in a institutional place require more often this kind of requirement...

alice · Tue Dec 16, 2014 1:50 pm

I am kinda "stoned" after long term painful health condition with lots of analgetics, but: I've noticed in my purple hazed sleepy world this CAPsMAN v2 thing recently and recalled the promise to try to get it there: We will try to implement the EAP response from RADIUS for vlan assigning in next revision of CAPsMAN.

The manual is still TL;DR for me, but ...did it make it there?

alice · Tue Jun 02, 2015 6:11 pm

...did it make it there?

I can see it did not.

yaggii · Thu Aug 20, 2015 5:26 pm

...did it make it there?
I can see it did not.

Some news? Did you manage to set up authentication with a RADIUS server? I'm trying it, the user is verified, but obtains an IP address. Thanks for reply.

alice · Mon Aug 24, 2015 12:39 am

Did you manage to set up authentication with a RADIUS server? I'm trying it, the user is verified, but obtains an IP address. Thanks for reply.

I didn't even dare to try to assign an IP address from RADIUS server. I am going to assign it from a DHCP server once a user is properly authenticated - even when a fixed IP is required for the client. However, I still need that VLAN desperately in this scenario.

rwrocket · Mon Oct 12, 2015 4:31 am

*BUMP*

Uldis any update on this?

This would be a game changer for us

alice · Tue Nov 03, 2015 12:27 pm

While embracing Apple technologies, SSDP in particular, the need of easy per-user separation of VLANs became more important, by an order of magnitude. Seriously. It is now the game changer for indoor installations.

So.... ?

bajodel · Thu Nov 05, 2015 12:22 am

..[cut] .. the need of easy per-user separation of VLANs became more important, by an order of magnitude. Seriously. It is now the game changer for indoor installations

I strongly agree, I'm going to be involved in some projects in which that feature will be a requirement..

Beone · Thu Nov 05, 2015 10:50 am

Any change you can also provide us with RADIUS attributes numbers 23 to 25 so I can submit an updated dictionary.mikrotik to the freeradius repository?

you should use our MikroTik attributes:

MIKROTIK_WIRELESS_VLANID = 26, /* integer */
MIKROTIK_WIRELESS_VLANIDTYPE = 27, /* integer */

VLANIDTYPE:
0 - 802.1q tag
1 - 802.1ad tag (service tag)

Thanks!

Those don't show up in any of the radius dictionaries I've seen, including your wiki.

Are there any other undocumented attributes?

Frinstance.. I have 1-22 in a standard free radius dictionary.. you gave me 26,27.. what are 23-25?

bajodel · Fri Nov 20, 2015 12:55 am

Any change you can also provide us with RADIUS attributes numbers 23 to 25 so I can submit an updated dictionary.mikrotik to the freeradius repository?

.. http://wiki.mikrotik.com/wiki/Manual:RA ... dictionary ..

anuser · Sun Feb 07, 2016 10:28 am

Hi,

what is the current state of using CAPSMAN with Manager Forwarding mode and dynamic VLAN assignment?

My setup with my current non-Mikrotik hardware is rather simple:

- internal user connect with username@mydomain.com. The request is forwarded to the freeradius/radsecproxy. Everything that has "@mydomain.com" is forwarded to our local Microsoft RADIUS / Active Directory, whichs also sends an VLAN ID back to the freeradius.
- external user connect with username@someotherdomain.com. The request is forwarded to the freeradius/radsecproxy. Everything that has "@*.*" is forwarded to our national eduroam provider. Answers which are send back get their VLAN ID attribute filtered.

Our current non-Mikrotik wifi controller has a default VLAN configured which is used only if there´s an RADIUS answer without a given VLAN ID:

Does anyone have a working setup nowadays? If so, could you please provide a sample config for the Routeros for the dynamic vlan configuration part?

Regards

anuser · Tue Feb 09, 2016 10:10 am

I still have problems getting the "Mikrotik_Wireless_VLANID" and "Mikrotik_Wireless_VLANIDtype" recognized by RouterOS.

- Within /etc/raddb/mods-config/attr_filter/post-proxy I added:

Mikrotik_Wireless_VLANID =* ANY,
Mikrotik_Wireless_VLANIDtype =* ANY

- Within the Microsoft NPS I added custom VSAs

- Let´s look at the Access-Accept on the freeradius: cat /var/log/radius/radacct/.../post-proxy-detail-20160209

Tue Feb  9 08:58:53 2016
Packet-Type = Access-Accept
Proxy-State = 0x313839
Mikrotik_Wireless_VLANID = 743
Mikrotik_Wireless_VLANIDtype = 0
[...]

- What does RouterOS receive:

received Access-Accept with id 189 from [...]
Unknown-Attribute(vendor=MT, type=26) = 0x000002e7 
Unknown-Attribute(vendor=MT, type=27) = 0x00000000
Signatue = [...]
Framed-MTU = 1300
EAP-Message = [...]
MS-MPPE-Send-Key = [...]
MS-MPPE-Recv-Key = [...]
Message-Authenticator = [...]

What steps are needed on RouterOS? Some ACLs?

noib · Thu Aug 25, 2016 6:54 pm

Old topic, old question, but today it works as expected (WPA-EAP, VLAN ID in Radius attribute reply). Check
http://forum.mikrotik.com/viewtopic.php?f=7&t=109431