I've just bought our first MikroTik switch. I look after a few networks and, all being well, I wish to use these to gradually phase out our current Ubiquiti EdgeSwitches.
I am trying to set up Dot1x with FreeRADIUS on a CRS354.
If a machine is authenticated, it should go on to the VLAN provided by FreeRADIUS. I can happily say that this is working great.
The issue I have is with the reject VLAN ID part: if a device is unable to successfully authenticate, I would like to put the device on VLAN 1. However, this does not happen; instead the device stays in an unauthorised state with no network connectivity. The FreeRADIUS logs continue to show repeated auth attempts, to which it responds invalid username/password.
Being new to the MikroTik way of life, I imagine I have set something up wrong. My setup is below; any help would be very much appreciated!
# RouterOS 6.48.5
# model = CRS354-48P-4S+2Q+
/interface bridge
add admin-mac=DC:2C:6E:01:A5:E4 auto-mac=no comment=defconf ingress-filtering=yes name=bridgeLocal vlan-filtering=yes
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
# (Above is then repeated for all interfaces)
/interface bridge vlan
add bridge=bridgeLocal comment=Guest tagged=ether1,ether3 vlan-ids=1002
add bridge=bridgeLocal comment=Private tagged=ether1,ether3 vlan-ids=1003
/interface dot1x server
add auth-timeout=6s auth-types=dot1x,mac-auth interface=ether2 mac-auth-mode=mac-as-username-and-password radius-mac-format=xx:xx:xx:xx:xx:xx reject-vlan-id=1 retrans-timeout=3s
/ip address
add address=192.168.1.2/24 interface=bridgeLocal network=192.168.1.0
/radius
add address=192.168.1.1 secret="redacted" service=dot1x src-address=192.168.1.2