MikroTik

Hello,
Does anybody know if radius authentication with an external radius servers works with the new drivers wifi-qcom-ac 7.13 to allocate different vlans to clients? My setup worked very well on V6 with capsman. Currently and trying to do the same on 7.13 and struggling to make it work. Read about the issues with vlan assignments but not sure if this affects radius authentication also. At the moment just trying to make one AP work with wifi radius authentication beforing adding capsman. With wpa2-psk i manage to make the configuration work with an untagged vlan.

Current config below

/interface bridge
add name=bridge vlan-filtering=yes
/interface wifi
# SSID not set
set [ find default-name=wifi1 ] configuration.manager=local .mode=ap disabled=no
/interface vlan
add interface=bridge name=MGMT vlan-id=217
/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap disabled=no eap-accounting=yes name=sec1
/interface wifi
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=all .width=20/40/80mhz configuration.country=Romania .manager=local .mode=ap .ssid=B1 disabled=no security=sec1
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=wifi2 pvid=320
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=217
add bridge=bridge tagged=ether1,bridge untagged=wifi2 vlan-ids=320
/interface wifi cap
set caps-man-addresses=172.17.0.251 discovery-interfaces=ether1 slaves-static=no
/ip address
add address=172.17.0.169/24 interface=MGMT network=172.17.0.0
/ip dns
set servers=192.168.13.200
/ip route
add distance=1 gateway=172.17.0.254
/radius
add accounting-port=2041 address=XX.XX.XX.XX authentication-port=2040 service=wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Bucharest
/system logging
add topics=wireless,info
add topics=caps,info
add prefix=error topics=radius
add topics=wireless,info
add topics=caps,info
add prefix=error topics=radius
/system note
set show-at-login=no
/system package update
set channel=development

Any advice would be appreciated:)

Your setup isn't possible when running wave2/wifi drivers. The new driver doesn't handle VLAN tags natively (neither per user set by radius or ACLs nor static set as datapath property).

We're quite a large group of users hoping and waiting for this support to get added.

Thank you. At least i know what i have to do now. Hopefully it will fixed soon.

Your setup isn't possible when running wave2/wifi drivers. The new driver doesn't handle VLAN tags natively (neither per user set by radius or ACLs nor static set as datapath property).

We're quite a large group of users hoping and waiting for this support to get added.

Could you elaborate please? I am a RouterOS newbie. I am asking because I think I have something like OP wants working.

My current setup is one CRS-323 (currently on SwitchOS) and two cAP-ax running wifi-qcom. I have dynamic vlan assignment working with WPA2-EAP, without capsman for now. The clients are authenticated against a FreeRadius running on a pfsense, which also tells the APs which VLAN each client belongs to. What I am struggling with is to do dynamic VLAN assignment with wifi-qcom and WPA2-PSK by MAC address. But I asked about that in a different topic.

Your setup isn't possible when running wave2/wifi drivers. The new driver doesn't handle VLAN tags natively (neither per user set by radius or ACLs nor static set as datapath property).

We're quite a large group of users hoping and waiting for this support to get added.

Could you elaborate please? I am a RouterOS newbie. I am asking because I think I have something like OP wants working.

My current setup is one CRS-323 (currently on SwitchOS) and two cAP-ax running wifi-qcom. I have dynamic vlan assignment working with WPA2-EAP, without capsman for now. The clients are authenticated against a FreeRadius running on a pfsense, which also tells the APs which VLAN each client belongs to. What I am struggling with is to do dynamic VLAN assignment with wifi-qcom and WPA2-PSK by MAC address. But I asked about that in a different topic.

There are 2 different wifi drivers for ac and ax devices. The ax devices work with dynamic vlan tagging as you mentioned. The ac ones not yet.

There are 2 different wifi drivers for ac and ax devices. The ax devices work with dynamic vlan tagging as you mentioned. The ac ones not yet.

Oh right, that makes sense. Thanks!

Hey all,
Does someone have any updates on this topic? It's very critical that it still doesn't support it.
Thank you!

This is still not solved. Or it is in a new beta firmware?

This is still not solved. Or it is in a new beta firmware?

Apologies I clicked on the solved button by accident. Based on my testing of the latest beta version and the changelog it's not yet resolved still waiting.

I've bought Mikrotik cAP ax, hoping that everything would just work as before on previous models (currently I have hAP-Ac-2 and hAP-mini) -- I need to replace AP from my ISP.
Started to configure RADIUS authentication today and figured out there are no "Security Profiles" anymore and the "Security" tab doesn't have RADIUS option at all

This is really bad user experience and apparently the issue is almost 1 year old. Subscribed to the topic to get updates.

Cap ax works with wifi radius authentication. I use an external radius and it s fine. Older models like cap ac do not yet because of the driver. If you want to use miikrotik radius it's a different package that needs to be installed and setup.

@alexv87, thank for reply.

I guess the RADIUS authentication is not the issue in my case. I want to have per MAC VLAN tagging using external RADIUS server. And this feature seems to be unsupported. Or do I miss something?

I don't see a VLAN ID configuration on Wireless settings anywhere :-/

I want to have per MAC VLAN tagging using external RADIUS server. And this feature seems to be unsupported. Or do I miss something?

That feature was just added in 7.17beta2 as part of the new PPSK feature, but only for ax devices. Details here.

@tangent, brilliant and I just upgraded my MikroTik-cAP-ax. I guess it is compatible:
Is there any newby friendly guide I can follow to configure it? I got it configured, but the wireless device can't acquire an IP address

Or maybe I can list my current options and someone could point to miss-configurations?

Is there any newby friendly guide I can follow to configure it?

That's a big ask for a brand-new feature.

Your best bet right now is the official docs.

I have no idea how this integrates with the optional (!) on-device RADIUS server called User Manager, available as user-manager-*.npk in the extra packages archive, much less with third-party RADIUS servers.

Okay, got it. Will experiment. Thank you for the provided links!