MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Posted: Tue Nov 02, 2021 9:17 am
by ekarin
According to Dynamic Switch Rule Configuration:
https://help.mikrotik.com/docs/display/ ... figuration

The source MAC addresses that are set from the RADIUS server in the Mikrotik-Switching-Filter attribute cannot be set dynamically via Dot1x in the switch rule (CRS328). The log error is shown in the attached image. My attribute value is "src-mac-address 6C:2B:59:3A:09:63/FF:FF:FF:FF:FF:FF action allow, src-mac-address 6C:3B:6B:95:A9:9B/FF:FF:FF:FF:FF:FF action allow, action drop". It does not work. :( What is happening? Does the switch not support setting the MAC address in the switch rule via dot1x yet?

I have tried the attribute values in the example as shown below. It works! :-)
https://help.mikrotik.com/docs/display/ ... figuration
"protocol 17 dst-port 100 action allow, action drop"

If anyone knows what the root cause is, please kindly let me know. Many Thanks.

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Posted: Fri Nov 05, 2021 2:44 pm
by tdw
You cannot set the src-mac-address (also switch or port), these are automatically populated by the dot1x server as it will have acquired the MAC address of the device attached to the port, see https://wiki.mikrotik.com/wiki/Manual:I ... figuration
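The following is an added example, not code from the thread or from MikroTik: a small parser for the Mikrotik-Switching-Filter strings quoted above that flags the matchers tdw says are auto-populated by the dot1x server. The rule grammar (comma-separated rules, "key value" pairs ending in "action allow|drop") and the set of auto-populated keys are assumptions inferred from the two attribute values posted and from tdw's reply.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption (from tdw's reply): these matchers are filled in by the dot1x
# server from the authenticated port, so a RADIUS-supplied value is rejected.
AUTO_POPULATED = {"src-mac-address", "switch", "port", "ports"}


@dataclass
class SwitchRule:
    action: str
    matchers: Dict[str, str] = field(default_factory=dict)


def parse_switching_filter(value: str) -> List[SwitchRule]:
    """Split a Mikrotik-Switching-Filter value into rules.

    Grammar assumed from the thread's examples: rules are separated by
    commas; each rule is a sequence of 'key value' pairs that must
    contain 'action allow' or 'action drop'.
    """
    rules: List[SwitchRule] = []
    for chunk in value.split(","):
        tokens = chunk.split()
        if len(tokens) % 2 != 0:
            raise ValueError(f"unpaired token in rule: {chunk.strip()!r}")
        pairs = dict(zip(tokens[0::2], tokens[1::2]))
        action = pairs.pop("action", None)
        if action not in ("allow", "drop"):
            raise ValueError(f"rule has no valid action: {chunk.strip()!r}")
        rules.append(SwitchRule(action=action, matchers=pairs))
    return rules


def unsupported_matchers(rules: List[SwitchRule]) -> List[str]:
    """Return the matcher keys that cannot be set via dot1x (sorted, unique)."""
    return sorted({k for r in rules for k in r.matchers if k in AUTO_POPULATED})


if __name__ == "__main__":
    # Constructed inputs: the two attribute values quoted in the thread.
    mac_filter = ("src-mac-address 6C:2B:59:3A:09:63/FF:FF:FF:FF:FF:FF action allow, "
                  "src-mac-address 6C:3B:6B:95:A9:9B/FF:FF:FF:FF:FF:FF action allow, "
                  "action drop")
    udp_filter = "protocol 17 dst-port 100 action allow, action drop"
    for name, raw in (("mac", mac_filter), ("udp", udp_filter)):
        bad = unsupported_matchers(parse_switching_filter(raw))
        print(name, "rejected matchers:", bad or "none")
```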

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Posted: Mon Nov 08, 2021 10:36 am
by ekarin
You cannot set the src-mac-address (also switch or port), these are automatically populated by the dot1x server as it will have acquired the MAC address of the device attached to the port, see https://wiki.mikrotik.com/wiki/Manual:I ... figuration
Thank you for your suggestion. I understand your point.
I also read and followed that link before. I would like to secure the network after the authentication has been successfully done with access accept, together with the switch rule. This means devices with an incorrect source MAC address cannot share that switch port. With dot1X, it is possible to do port security automatically, isn't it? Only the device that gets authenticated can use the switch port. I hope the MikroTik support will take this into account.

Any other ideas, please let me know. Thanks.

Re: MAC Addresses can not be assigned in Switch Rule (CRS328) via dot1x

Posted: Mon Nov 08, 2021 7:19 pm
by tdw
Once a port is authenticated, traffic from any source MAC address can pass; it is an architectural defect in the original 802.1X design. Various vendors have additional controls to limit or restrict source MAC addresses.

I've not looked to see if the dynamic rules are added before or after any static rules. If they appear before, you could use Mikrotik-Switching-Filter = "action allow" plus a static rule to drop anything from the 802.1X controlled ports (maybe needs something to allow the EAPOL traffic to the CPU port); however, if the dynamic rules appear after any static rules you are stuck.

The Mikrotik 802.1x implementation is fairly new, you could always suggest a feature request to Mikrotik.