Wired - MT RB2011 ( ROS 6.45.6 )with dynamic vlans (50,60,70) dot1x with Radius Auth
Wireless - MT hAP ac^2 on Ether 5 of MT RB2011 as wireless capsman
How can I extend my dynamic vlans to my wireless clients or can I through Radius Auth or can I?
I have made some attempts with different configs but with no success.
Goal is to have wireless client authenticate against radius server via single AP (SSID) then get assigned vlan dynamically based on Tunnel-pvt-group response from Radius server.
I can get the response back from the radius server for the wireless clients with the required vlan information for the MT hAP ac^2, but corresponding vlan dhcp server is not assigning IP based on vlan id... not sure; or if can do this at all?
Re: Extend dynamic VLANs to Wireless 802.1x
Isn't this what you are looking for: Wireless / VLAN tagging?
Re: Extend dynamic VLANs to Wireless 802.1x
I can get wireless vlans working if I choose 'use tag' and add vlan id per wifi interface.
But not able to get dynamic wireless vlans working from a singular SSID where the vlan id sent to the dhcp server in the response from radius server and then assigned IP by matching dhcp vlan server
My Mikrotik wireless device that handles the radius request and response sits behind the wan facing primary mikrotik router that assigns all the ip addresses via its dhcp server.
So not sure if how I am trying is the correct way. Maybe the radius response needs to go the primary mikrotik router that is handing out the ip addresses, but that router has no wireless capabilities so how to tell the wireless mikrotik router to forward the radius response to the primary mirkotik router for DCHP assignment..?
But not able to get dynamic wireless vlans working from a singular SSID where the vlan id sent to the dhcp server in the response from radius server and then assigned IP by matching dhcp vlan server
My Mikrotik wireless device that handles the radius request and response sits behind the wan facing primary mikrotik router that assigns all the ip addresses via its dhcp server.
So not sure if how I am trying is the correct way. Maybe the radius response needs to go the primary mikrotik router that is handing out the ip addresses, but that router has no wireless capabilities so how to tell the wireless mikrotik router to forward the radius response to the primary mirkotik router for DCHP assignment..?
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: Extend dynamic VLANs to Wireless 802.1x
The DHCP service must do the radius request
Re: Extend dynamic VLANs to Wireless 802.1x
ehhh wrong!!
NM all, I figured this one out surprisingly.. hit me up if you want to know my tricks!
No, I did not use the DHCP server (service) to handle the Radius request.. cheers
My Setup:
Radius = Windows Server NPS+AD
MT RB2011 (no wireless) (ROS 6.45.6)
MT hAP ac^2 (ROS 6.45.6)
MT RBcAPGi-5acD2nD (ROS 6.45.6)
NM all, I figured this one out surprisingly.. hit me up if you want to know my tricks!
No, I did not use the DHCP server (service) to handle the Radius request.. cheers
My Setup:
Radius = Windows Server NPS+AD
MT RB2011 (no wireless) (ROS 6.45.6)
MT hAP ac^2 (ROS 6.45.6)
MT RBcAPGi-5acD2nD (ROS 6.45.6)
Re: Extend dynamic VLANs to Wireless 802.1x
Okay, the how...
ROS (6.45.6)
MT RB2011 (NO WIFI):
MT RB2011 (WAN facing) is radius client for 'ppp (VPN)' and 'dot1x (Ether)' NPS (Windows 2012 Server)
vlan trunk configured (vlan ids 7,8,9) MT RB2011 is the DHCP server for all.
Bridge vlan filtering enabled - Yes..
Three dhcp servers running on RB2011 one for each vlan interface etc.. Again no dhcp server is configured for radius, also I am NOT using dhcp checkbox in radius client configuration
dhcp-vlan7
dhcp-vlan8
dhcp-vlan9
MT hAP ac^2 (MT wifi router (2.4/5))
LAN facing radius client for 'wireless' only to NPS (Windows 2012 Server)
This one is hard wired into ether 7 of the RB2011 router
No dhcp servers are configured on MT hAP ac^2
3 vlans setup (vlan ids 7,8,9) (All ports bridged with vlan filtering enabled - Yes..
one wireless AP setup to use tag of master vlan id 1
3 virtual wireless bridges setup to use tag of 7,8,9...
wifi-vlan-7
wifi-vlan-8
wifi-vlan-9
So now.. when the user connects to the wifi-ap-bridge; the MT hAP ac^2 sends a wireless radius request to the NPS radius server..
The NPS radius server sends a response back to the MT hAP ac^2 with the access aproval and vlan id assigment attribute..
With the returned attribute the user connects to the corresponding wifi-bridge; at which point a dhcp broadcast is sent from the
authenticated client device; this dhcp request is passed ONTO the MT RB2011 since no dhcp server is configured on MT hAP ac^2
and there is a link between the two MT routers. The client device is authorized so the MT RB2011 gives out an IP address from the vlan-dhcp-server based on the
client connections vlan id.. and that is about it... so as we can now see; you do not need to use dhcp in your radius config
to get a dhcp assignment from a radius request and response... sound about right
ROS (6.45.6)
MT RB2011 (NO WIFI):
MT RB2011 (WAN facing) is radius client for 'ppp (VPN)' and 'dot1x (Ether)' NPS (Windows 2012 Server)
vlan trunk configured (vlan ids 7,8,9) MT RB2011 is the DHCP server for all.
Bridge vlan filtering enabled - Yes..
Three dhcp servers running on RB2011 one for each vlan interface etc.. Again no dhcp server is configured for radius, also I am NOT using dhcp checkbox in radius client configuration
dhcp-vlan7
dhcp-vlan8
dhcp-vlan9
MT hAP ac^2 (MT wifi router (2.4/5))
LAN facing radius client for 'wireless' only to NPS (Windows 2012 Server)
This one is hard wired into ether 7 of the RB2011 router
No dhcp servers are configured on MT hAP ac^2
3 vlans setup (vlan ids 7,8,9) (All ports bridged with vlan filtering enabled - Yes..
one wireless AP setup to use tag of master vlan id 1
3 virtual wireless bridges setup to use tag of 7,8,9...
wifi-vlan-7
wifi-vlan-8
wifi-vlan-9
So now.. when the user connects to the wifi-ap-bridge; the MT hAP ac^2 sends a wireless radius request to the NPS radius server..
The NPS radius server sends a response back to the MT hAP ac^2 with the access aproval and vlan id assigment attribute..
With the returned attribute the user connects to the corresponding wifi-bridge; at which point a dhcp broadcast is sent from the
authenticated client device; this dhcp request is passed ONTO the MT RB2011 since no dhcp server is configured on MT hAP ac^2
and there is a link between the two MT routers. The client device is authorized so the MT RB2011 gives out an IP address from the vlan-dhcp-server based on the
client connections vlan id.. and that is about it... so as we can now see; you do not need to use dhcp in your radius config
to get a dhcp assignment from a radius request and response... sound about right
Re: Extend dynamic VLANs to Wireless 802.1x
> With the returned attribute the user connects to the corresponding wifi-bridge
Hi, I'm trying to do the same setup, where the radius attribute controls which vlan the wireless client is connected to.
How did you configure it to connect to the proper wifi bridge based on the returned attribute?
Hi, I'm trying to do the same setup, where the radius attribute controls which vlan the wireless client is connected to.
How did you configure it to connect to the proper wifi bridge based on the returned attribute?