Hi!

I read through the documentation at https://help.mikrotik.com/docs/display/ROS/Dot1X and have some questions. I'm used to configuring 802.1x NAC on major switch brands like, cisco, extreme, hp .... but I don't get some points in the Mikrotik documentation. I hope someone can help me.

1. The documentation states. "An interface where dot1x server is enabled will block all traffic except for EAPOL packets which is used for the authentication." There is no explanation if that means only incoming or also outgoing traffic. The reason I ask is that in enterprise networks, WakeOnLan is required to wake up and patch the PCs at night and not to interrupt the employees during the day. Is this possible with Mikrotik and how?

2. The documentation also states: "If the interface is connected to a shared medium with multiple hosts, the traffic will be accepted from all hosts when at least one client is successfully authenticated." That does not make any sense .. A classic use is case is that the phone is connected to the switch/router and the PC is connected to the phone. Most if not all VoIP phones have therefore 2 Ethernet interfaces. If the documentation is correct, that would mean that if we connect a phone to a Mikrotik with an 802.1x enabled port that an attacker can connect any system behind the phone, no 802.1x required. Also a simple unmanaged switch would disable all network security. Is that correct? If so the 802.1x feature is basically useless on Mikrotiks

3. Does Mikrotik support setting an untagged VLAN and a tagged VLAN at the same time on a port. The reason I ask is that it is common in enterprise networks to set the PC VLAN untagged and the VoIP Network tagged. The phones get via LLDP MED or DHCP the info to use a given VLAN ID to communicate with the voice system. This setup allows the use of different VLANs for PC and VoIP even if they are connected on the same port (PC behind phone). I could not find anything about that in the documentation.

4. Is it possible to assign different untagged VLANs to 2 mac addresses on one switch port. On Extreme Network switches that feature is call mac based vs. port based netlogin (the name of the 802.1x at Extreme Network switches) ... This allows also to connect a phone in front of the PC without sending a VLAN tagged .. just traffic from/to the phone mac is sent in the VoIP VLAN and traffic to/from the pc network is send in the pc VLAN.

5. Whats the best idea to run a script after a client is authenticated? There does not seam to be an option to provide a script - so I'm correct that the only way is to run a script every 1 minute that does check /interface dot1x server active print ?

Thx for your help.
Robert

WakeOnLan

By your post count, I assume you have at least one item of MikroTik gear, so can't you just try it and see?

Yes, I realize that sword cuts both ways, but I haven't got any need for dot1x here, so it's just as fast for you, and you're the one with the itch.

If the documentation is correct, that would mean that if we connect a phone to a Mikrotik with an 802.1x enabled port that an attacker can connect any system behind the phone, no 802.1x required.

I suspect you're reading "at least one client" too broadly: I think you'll find that it means "any one configured dot1x client". To take your example, if both the SIP phone and the PC are registered in the dot1x RADIUS server or whatever, it doesn't matter which one comes up first, it'll allow packets from either.

But you could be right. Try it and let us know. If it works as you worry it does, that'd be grounds for a proper bug report.

Does Mikrotik support setting an untagged VLAN and a tagged VLAN at the same time on a port.

Yes, if the filtering is so-configured.

I could not find anything about that in the documentation.

I believe you're looking for the pvid setting.

that feature is call mac based vs. port based netlogin

I believe you're looking for auth-types=mac-auth coupled with mac-auth-mode.

Beware that MAC authentication is as secure as using "My Name Is…" stickers for identifying who gets into a secure building, which is why it's disabled by default under dot1x.

run a script after a client is authenticated

For what purpose? Knowing "why" might spark solutions.

Hi

thx for your answer. Yes, I can and will try it out, just thought that I'm not the first one looking into that or maybe someone from Mikrotik reads it and tells us what's the correct meaning of the documentation.

About the mac based / port based. No, that has nothing to do with mac-auth. Basically, it allows an Exterme Network Switch to authenticate multiple clients which are connected via an unmanaged switch (e.g. Phone) to the 802.1x port to get assigned to different VLANs. e.g. on ether1 a phone is connected and it gets untagged VLAN 2 and behinde the phone is a PC which gets untagged VLAN 3. With port based 802.1x that's not possible as only on untagged VLAN can be assigned to the Port.

From the manual:

Currently, network login allows only a single, untagged VLAN to exist on a port. This limits the flexibility for untagged supplicants because they must be in the same VLAN.

ExtremeSwitching series switches support network login MAC-based VLANs. Network login MAC-based VLANs allow a port assigned to a VLAN to operate in a MAC-based fashion. This means that each individual untagged supplicant, identified by its MAC address, can be in different VLANs.

Network login MAC-based VLAN utilizes VSA information from both the network login local database and the RADIUS server. After successfully performing the Campus mode operation, the supplicant is added untagged to the destination VLAN.

To support this feature, you must configure the network login port‘s mode of operation.

https://documentation.extremenetworks.c ... C0D1.shtml

just thought that I'm not the first one looking into that

Doubtless true, but surely you can try it and get the answer faster than it'll take someone to give a definitive reply.

maybe someone from Mikrotik reads it

That'll take days, if it happens at all. Plenty of time to try it, at which point you'll be in a position to ask sharper, more focused questions.

With port based 802.1x that's not possible as only on untagged VLAN can be assigned to the Port.

I don't see how Extreme's limitations apply to RouterOS.

Maybe what you want is MAC-based VLAN filtering?

Doubtless true, but surely you can try it and get the answer faster than it'll take someone to give a definitive reply.

but that way if outgoing traffic is leaking it could be a feature or a bug or the other way round if it does not get out ... as most features got only implemented with 7.2 that quite possible.

I don't see how Extreme's limitations apply to RouterOS.

That's not a limitation of EXOS .. it just has 2 modes ... and I read it correctly, Mikrotik support only the Port-Based mode. So if my reading is correct, it's more like a limitation of RouterOS.

Regards,
Robert

Mikrotik support only the Port-Based mode.

I initially thought you were asking about MAC-based "dot1x" authentication, as opposed to EAP auth. If you're using proper dot1x (meaning EAP) for both devices on the port, then what I'm saying is that MAC-based VLAN ID assignment is orthogonal to dot1x in RouterOS. You use a MAC filter per my last link to assign the phone's VLAN ID, and you use the pvid parameter referenced in my first reply to assign the PC's VLAN ID by default.

1. The documentation states. "An interface where dot1x server is enabled will block all traffic except for EAPOL packets which is used for the authentication." There is no explanation if that means only incoming or also outgoing traffic. The reason I ask is that in enterprise networks, WakeOnLan is required to wake up and patch the PCs at night and not to interrupt the employees during the day. Is this possible with Mikrotik and how?

It's not working current, the only workaround I got working is a script that is calling /tool/wol with the interface itself, not the bridge. You need some custom mechanism to get the info to the router to do a wol, the script than loops over all interfaces and sends the wol.

2. The documentation also states: "If the interface is connected to a shared medium with multiple hosts, the traffic will be accepted from all hosts when at least one client is successfully authenticated." That does not make any sense .. A classic use is case is that the phone is connected to the switch/router and the PC is connected to the phone. Most if not all VoIP phones have therefore 2 Ethernet interfaces. If the documentation is correct, that would mean that if we connect a phone to a Mikrotik with an 802.1x enabled port that an attacker can connect any system behind the phone, no 802.1x required. Also a simple unmanaged switch would disable all network security. Is that correct? If so the 802.1x feature is basically useless on Mikrotiks

The documentation is correct, if one device gets authenticated on an interface, every traffic goes through without any authentication. So basically useless for security out of the box - as you just need to use an unmanaged switch between an allowed device and the Mikrotik to get into the network. A workaround I didn't test but will do so is to write a script that runs every few seconds and that checks the authenticated users / dot1x active sessions and writes a bridge filter for all other mac addresses to drop.

3. Does Mikrotik support setting an untagged VLAN and a tagged VLAN at the same time on a port. The reason I ask is that it is common in enterprise networks to set the PC VLAN untagged and the VoIP Network tagged. The phones get via LLDP MED or DHCP the info to use a given VLAN ID to communicate with the voice system. This setup allows the use of different VLANs for PC and VoIP even if they are connected on the same port (PC behind phone). I could not find anything about that in the documentation.

No support for that so far - there is no radius flag/option RouterOS supports to tagging a VLAN.

4. Is it possible to assign different untagged VLANs to 2 mac addresses on one switch port. On Extreme Network switches that feature is call mac based vs. port based netlogin (the name of the 802.1x at Extreme Network switches) ... This allows also to connect a phone in front of the PC without sending a VLAN tagged .. just traffic from/to the phone mac is sent in the VoIP VLAN and traffic to/from the pc network is send in the pc VLAN.

No, it's not possible - with 802.1x the last authenticated device change the VLAN for all devices on the interface. If the device does not send a 802.1x, it silently uses the VLAN the first device got - see the answer to question 2.

5. Whats the best idea to run a script after a client is authenticated? There does not seam to be an option to provide a script - so I'm correct that the only way is to run a script every 1 minute that does check /interface dot1x server active print ?

no hook found - just mindless polling.

Regards,
Robert

Thank you for sharing your experiments’ results. I think you should send them on to MikroTik support. There’s considerable room for improvement here.

Hi

Had the same problem so made a testlab.

Setup is ether2 -> voip device-> laptop.
Set the voip device to tagged vlan 31. Set ethernet 2 port in bridge and set vlan - filtering on

Configure voip device lan-port vlan 31 tagged.
Don't configure 802.1.x at voip device
Next step is configure dot1x set dot1x (not mac) and reauth timeout at 30s
So as long as there is no authenticated device at pc port from voip device the interface ether 2 will reject everything. (Eapol packets doesn't get right answer.) So also voip device is unreachable
When a laptop/pc is connected to the pc port of voip device, and eapol packets will be answered right, ethernet set the right vlan for laptop (pushed by radius) and activated tagged vlan for voip device.

Is pc port is disconnect 3 reauth time-outs will appear and then port is deactivated .

Another option is to set a dummy vlan 4
With dummy vlan the tagged vlan for voip will be always.up, the pc port wil get into your dummy vlan. Disadvantage is that all devices not registered will see each other in dummy vlan 4

KR
Lightman

RouterOS 7.2 was current when this thread was started, but while there have been several "dot1x" items in the changelog through 7.7, the current stable version, none advertise a feature you might call "allow only authenticated devices." Therefore, why would you expect that 802.1x behaved differently now in this regard?

If your goal in posting was to add your voice to those asking for this massive security hole to be plugged, this forum isn't the best place for that, being a user-to-user help forum, not a channel for asking MikroTik for fixes and features. Oh, sometimes they do pick things up here and address them, but the direct channels are best for cases like this.