
VOTE FOR PACKETFENCE SUPPORT

Posted: Fri Jun 27, 2014 5:29 am
by joncolby
Please Add Dynamic VLAN Assignment for packetfence / openNAC Support.



+1

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Fri Jun 27, 2014 5:57 am
by baggar11
+1 here

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Fri Jun 27, 2014 6:31 am
by jhansen
+1 would use.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Fri Jun 27, 2014 6:33 am
by jhansen
+1 would use

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Jul 22, 2014 6:59 pm
by pateutz
+1 vote

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Jul 27, 2014 3:29 pm
by friction
+1 vote

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Jul 28, 2014 2:06 am
by fernandolcx
Never used but looks promising.

+1.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Jul 28, 2014 6:04 am
by cmasi
+1 here

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Jul 28, 2014 6:43 pm
by RouteRite
+1

I need to purchase ~40 small switches/routers this year to replace ancient dumb switches. PacketFence support would definitely put Mikrotik devices in the lead. Evaluating multiple brands now.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sat Aug 09, 2014 11:58 pm
by rextended
According to this: http://en.wikipedia.org/wiki/PacketFence

Which PacketFence feature are you interested in that the current 6.18 RouterOS cannot do?

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Aug 10, 2014 1:44 am
by joncolby
RouterOS cannot do what packetfence does. PacketFence is a NAC (Network Access Control) Platform. It is second to none, and is superior to OPENNAC.

All RouterOS needs to do to support it is add the dynamic VLAN Assignment.... See this post http://forum.mikrotik.com/viewtopic.php?f=1&t=84240


Someone Decreased my Karma for posting, but I thought it was a valid post. Sorry for offending whoever it was.. I only give out karma.... But I Never try to lower others' karma...

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Aug 10, 2014 5:08 am
by roadracer96
You could write a packetfence module. You'd get results faster that way. Their modules design is usable via ssh. Could also interface it with the packetfence API.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Aug 10, 2014 9:38 am
by joncolby
Although I work with C++, I cannot write a module for it, it has to be a function that is enabled in routeros.. I understand how it works and even though I do not have access to routeros code, I am certain a person with equal or greater programming skill as my own could complete it in less than 48 hours. Do you understand how dynamic VLAN Assignment works? Packetfence has documentation on their webpage, and I have worked with Ludovic for over 5 months trying to get packetfence support. I've purchased a mikrotik radio and had it shipped to Canada just for him to test with.. He tried many times to contact the people at mikrotik, but he was rejected every time he reached out. I am doing the best I can to push the ball forward, but mikrotik has no concern. I have had 4 different larger scale jobs go with another product because I could not offer them mikrotik as it did not support the generic 3rd party NAC platform they wanted to use. I know the size and scope of adding dynamic VLAN Assignment and it is not a big deal, over 60 percent of it is taken care of already via HOSTAPD functionality.. This is a smaller request of all the requests being made and truly there is no excuse for mikrotik not to get it done once and for all.... It's just as essential as DHCP... Do they still have to bug-test DHCP every time they release an update to routeros? As a business man, I just have to compare the size of return of enabling dynamic VLAN Assignment to the cost of adding it to the next routeros release to realize it is a very good choice.

Get it added. Please... In the name of Jesus Add Dynamic VLAN Assignment.
http://www.packetfence.org/about/overview.html

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Aug 10, 2014 8:02 pm
by roadracer96
I be for a 10000 port, 200+ switch network with 300 aps running packetfence. I understand completely how it works. I've written custom modules for packetfence and it isn't that hard. It will already work for wireless(capsman mac auth), Just not for wired. There is absolutely no support for it in Routeros for switches yet. But using snmp traps and cli, you could easily make it work on switches. I'm sure they will add support in some future release but just because 1/2 dozen people want it doesn't mean it's going to be put in in 2 weeks. I'm sure they could have a proof of concept thrown together quick but I've dealt with the repercussions of quirks in radius mac auth code. You don't want it. You want something planned, thought over, and executed properly.

Again. It already exists in wireless. Use capsman. Just not 802.1x yet

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Aug 11, 2014 1:55 am
by joncolby
Packetfence support needs HOSTAPD... Mikrotik has implemented a non-standard instance of this, that's why Packetfence does not work with ANY mikrotik products.... I do not know what you are doing with whatever modules you claim to have made, but unless it is doing actual dynamic VLAN assignment, it is not packetfence. The problem is Mikrotik thinks capsman is a sufficient answer. It is not. School systems are not rolling out Multi-AP Installs with the hopes of running capsman. They want a Real and full featured NAC. I'm not going to keep arguing the point, I don't need to. The people at packetfence reached out months ago like I said earlier and mikrotik did not work with them. If mikrotik would just enable Dynamic VLAN Assignment everything would be good. Their existing products could be installed in these larger scale projects and it would be there for all their future 802.11 AC Stuff as well.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Aug 11, 2014 4:28 am
by roadracer96
You moron. Capsman supports radius dynamic Vlan assignment using standard radius attributes. It will work with packetfence. Hostapd has absolutely nothing to do with switches.

Configure a capsman access point with radius mac auth and point it at packetfence configured as hostapd and it will probably work out of the box with minimal if any changes.

I use packetfence. By inverse. A pretty well customized version supporting active/active servers for redundancy. We have almost 80 stacks and over 200 switches and 300 aps being controlled by it. I actually have a Mikrotik captive portal interfacing with it via radius to test some possibilities.

Packetfence is very well written and easily customizable. If you were actually some experienced c++ programmer you would be able to handle the perl to understand how pf works.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Aug 11, 2014 4:53 am
by joncolby
> You moron. Capsman supports radius dynamic Vlan assignment using standard radius attributes. It will work with packetfence. Hostapd has absolutely nothing to do with switches.
>
> Configure a capsman access point with radius mac auth and point it at packetfence configured as hostapd and it will probably work out of the box with minimal if any changes.
>
> I use packetfence. By inverse. A pretty well customized version supporting active/active servers for redundancy. We have almost 80 stacks and over 200 switches and 300 aps being controlled by it. I actually have a Mikrotik captive portal interfacing with it via radius to test some possibilities.
>
> Packetfence is very well written and easily customizable. If you were actually some experienced c++ programmer you would be able to handle the perl to understand how pf works.

Haha, You're funny... You want to decrease my karma AND call me the idiot.... Man, This is hilarious... .. Not to mention your facts are wrong about packetfence.... But I don't need to prove that I am right, and I'm not going to lower your Karma because of your prideful foolishness either..

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Aug 11, 2014 12:00 pm
by roadracer96
What facts are wrong about packetfence?

I'm calling your bluff. You don't know anything about how packetfence works. You do have to prove yourself right in this case. You are spreading misinformation.

Maybe, just to shut you up, I'll set up a mt ap as a client to packetfence and show you it works. Then you can delete all the posts in threads you have shit on that bear zero relevance to dynamic vlan assignment.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 12:28 am
by joncolby
> What facts are wrong about packetfence?
>
> I'm calling your bluff. You don't know anything about how packetfence works. You do have to prove yourself right in this case. You are spreading misinformation.
>
> Maybe, just to shut you up, I'll set up a mt ap as a client to packetfence and show you it works. Then you can delete all the posts in threads you have **it on that bear zero relevance to dynamic vlan assignment.

Are you Serious... This is a legitimate request for Dynamic VLAN Assignment and you are choosing to conduct yourself like this.... I guess it is your choice to do so, but this is not the quality of behavior I expected from the Manufacturer's website for some of the products I own.


You are Technically Incorrect in your assertions, and 90% of that is due to the fact that you are incorrectly misrepresenting what this post is about. It is a poor attempt at usurping the real point in case, which is I am pushing for Dynamic VLAN Assignment and complete packetfence support which is not a difficult task.

You are wrong and your attempt to blur the facts only clarifies your defensive position. Yes, Packetfence does have two modes, and yes indeed running in inline mode you could hook a Mikrotik Ap up to it, but Inline mode is an inferior method and offers less control... So I am here to cordially ask for packetfence support, I was going to just respond to your message with one from Loick and Ludovic to put the issue to rest regarding Dynamic VLAN Assignment, but caught myself as that message was between them and myself and to use it publicly would be to conduct myself at the same low level you currently are conducting yourself, and I will not stoop to that low of a level.

I guess All forums have people like you in them, but you are the real person who needs their karma decreased. No Doubt your immaturity will want to respond and come to the defense of your ignorant pride, But perhaps you could take a moment of pause and see this whole thing from a higher point of view. I am actually here to get business done and move the ball forward as far as getting Dynamic VLAN Assignment and Packetfence support. Your personal emotional vendetta is only serving to constipate and degrade the value of my legitimate request. The end result of your conduct is that mikrotik does not move forward and increase their functionality to support Dynamic VLAN Assignment, the consequence to My cause is that the would... and that makes mikrotik better, not worse. I would like to take a moment and publicly say I am sorry to you because I have obviously offended you or hurt your feelings. Please accept my apology, It is genuine.

I am sorry now that this Clean attempt to achieve superior functionality has become muddled and will more than likely fall by the wayside.

-Jonathan

P.S. The only one who has been bringing up switches is you. I've got APs to get functional.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 2:44 am
by roadracer96
And cross posting in any thread where someone has a question about wireless "you should request dynamic vlan assignment" is what?

Get a life. If the product doesn't do what you want then find another product. Don't expect a company that sells budget products to drop everything because you have a request.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 2:49 am
by roadracer96
http://forum.mikrotik.com/viewtopic.php?f=1&t=81881

You can follow up with Mikrotik on what the proper radius attribute is. They say it works. If you know the attribute it will take 4 seconds to copy the hostapd.pm and paste the radius reply sub from switch.pm and change the attribute.

Then it'll work.

But you're a genius. You can figure it out.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 9:19 am
by joncolby
1, Thank you for the nice response.
2, Thus far, I have found and used another product, (Reluctantly I might add)
3, Mikrotik's Strength going forward will be their Value for the dollar, As things change and even more things virtualize, they will champion the market of performance for the dollar.. That is absolutely why they need to begin supporting things like Packetfence, open-nac and other NAC based offerings. This world is changing, and quite fast.. They should implement Packetfence support at the most granular level and hire a guy to hammer the crap out of the markets with their products paired with packetfence and openac... I think they have already begun losing critical moments to gain momentum in this area.
4, Is there any way to delete these previous posts and clean this up so others will want to take it seriously and cast a strong vote that mikrotik's leadership will notice?

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 10:16 am
by docmarius
@joncolby:
Even if your request seems of crucial importance to you, stop trashing other non-related topics with your voting campaign.
This is a user forum, so except annoying other users who don't care about your issue, there is no gain in it.

> 4, Is there any way to delete these previous posts and clean this up so others will want to take it seriously and cast a strong vote that mikrotik's leadership will notice?

Talking about cleaning up. What about YOU cleaning up YOUR trash first by deleting your off topic posts in other threads?

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 12:07 pm
by roadracer96
> 1, Thank you for the nice response.
> 2, Thus far, I have found and used another product, (Reluctantly I might add)
> 3, Mikrotik's Strength going forward will be their Value for the dollar, As things change and even more things virtualize, they will champion the market of performance for the dollar.. That is absolutely why they need to begin supporting things like Packetfence, open-nac and other NAC based offerings. This world is changing, and quite fast.. They should implement Packetfence support at the most granular level and hire a guy to hammer the crap out of the markets with their products paired with packetfence and openac... I think they have already begun losing critical moments to gain momentum in this area.
> 4, Is there any way to delete these previous posts and clean this up so others will want to take it seriously and cast a strong vote that mikrotik's leadership will notice?

The world isn't changing. These are features that have been in enterprise access points for 5+ years. Just because you are now getting around to using it doesn't make it more important all of a sudden. In all honesty. It sounds like you are the one that is behind the times.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 6:27 pm
by rextended
Not counting me, the OP is the worst user I have ever found on this forum.
Karma: -5

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 7:22 pm
by roadracer96
Aug 12 11:57:58 httpd.webservices(20577) INFO: handling radius autz request: from switch_ip => 1.2.3.4, connection_type => Wireless-802.11-NoEAP,switch_mac => d4:ca:6d:d2:88:67, mac => my.ip.on.em.ac, port => 0, username => my.ip.on.em.ac (pf::radius::authorize)
Aug 12 11:57:58 httpd.webservices(20577) INFO: MAC: my.ip.on.em.ac is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Aug 12 11:57:58 httpd.webservices(20577) INFO: [1.2.3.4] Returning ACCEPT with VLAN 2000 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)



Put this in /usr/share/freeradius/dictionary.mikrotik at the end of the attribute section


ATTRIBUTE MIKROTIK_WIRELESS_VLANID 26 integer
ATTRIBUTE MIKROTIK_WIRELESS_VLANIDTYPE 27 integer

cp /usr/local/pf/lib/pf/Switch/Hostapd.pm /usr/local/pf/lib/pf/Switch/Mikrotik.pm
chown pf:pf /usr/local/pf/lib/pf/Switch/Mikrotik.pm

patch Mikrotik.pm with the following diff.

Configure CAPSMAN controller in PF as a Mikrotik with radius deauthentication, setup your roles, radius secrets, etc.

Capsman Config:
# aug/12/2014 11:50:23 by RouterOS 6.18
# software id = 18QF-P0PP
#
/interface bridge
add l2mtu=1600 name=BR-CAPS protocol-mode=none
/interface vlan
#Dunno if you really need these or not.. But Whatevs...
add interface=BR-CAPS name=default vlan-id=1208
add interface=BR-CAPS name=registration vlan-id=2000
add interface=BR-CAPS name=isolation vlan-id=2001
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes name=datapath1
/caps-man interface
# 
add arp=enabled configuration.mode=ap configuration.ssid=LOSERTEST datapath=datapath1 disabled=no l2mtu=1600 mac-address=MACOFAP master-interface=none mtu=1500 name=cap1 radio-mac=MACOFAP
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius radius-accounting=yes signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=BR-CAPS interface=ether13
/ip address
add address=1.2.3.4/16 interface=ether12
/ip route
add distance=1 gateway=x.y.z
/radius
add address=pfip secret=yoursecret service=wireless src-address=1.2.3.4
/radius incoming
set accept=yes

Patch:
--- Hostapd.pm	2014-06-26 15:03:13.000000000 -0400
+++ Mikrotik.pm	2014-08-12 11:46:13.305173223 -0400
@@ -1,17 +1,17 @@
-package pf::Switch::Hostapd;
+package pf::Switch::Mikrotik;
 
 
 =head1 NAME
 
-pf::Switch::hostapd
+pf::Switch::mikrotik
 
 =head1 SYNOPSIS
 
-The pf::Switch::hostapd module manages access to hostapd
+The pf::Switch::Mikrotik module manages access to mikrotik APs
 
 =head1 STATUS
 
-Should work on the hostapd version started 2.0
+Should work on CAPSMAN enabled APs, tested on v6.18
 
 =cut
 
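Review bot: the POD NAME entry reads `pf::Switch::mikrotik` in lowercase while the package line and the SYNOPSIS use `pf::Switch::Mikrotik`. The lowercase form is carried over from the `pf::Switch::hostapd` line it replaces; make the NAME entry match the package name exactly so the documentation and the module name agree.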
@@ -25,7 +25,7 @@
 use base ('pf::Switch');
 
 use pf::config;
-sub description { 'Hostapd' }
+sub description { 'Mikrotik' }
 
 # importing switch constants
 use pf::Switch::constants;
@@ -192,7 +192,39 @@
     return;
 }
 
+sub returnRadiusAccessAccept {
+    my ($self, $vlan, $mac, $port, $connection_type, $user_name, $ssid, $wasInline, $user_role) = @_;
+    my $logger = Log::Log4perl::get_logger( ref($self) );
+
+    # Inline Vs. VLAN enforcement
+    my $radius_reply_ref = {};
+    my $role = "";
+    if ( (!$wasInline || ($wasInline && $vlan != 0) ) && isenabled($self->{_VlanMap})) {
+        $radius_reply_ref = {
+            'MIKROTIK_WIRELESS_VLANID' => $vlan,
+            'MIKROTIK_WIRELESS_VLANIDTYPE' => "0",
+        };
+    }
 
+    if ( isenabled($self->{_RoleMap}) && $self->supportsRoleBasedEnforcement()) {
+        $logger->debug("[$self->{'_id'}] Network device supports roles. Evaluating role to be returned");
+        if ( defined($user_role) && $user_role ne "" ) {
+            $role = $self->getRoleByName($user_role);
+        }
+	if ( defined($role) && $role ne "" ) {
+            $radius_reply_ref->{$self->returnRoleAttribute()} = $role;
+            $logger->info(
+                "[$self->{'_id'}] Added role $role to the returned RADIUS Access-Accept under attribute " . $self->returnRoleAttribute()
+            );
+	}
+	else {
+            $logger->debug("[$self->{'_id'}] Received undefined role. No Role added to RADIUS Access-Accept");
+        }
+    }
+
+    $logger->info("[$self->{'_id'}] Returning ACCEPT with VLAN $vlan and role $role");
+    return [$RADIUS::RLM_MODULE_OK, %$radius_reply_ref];
+}
 =back
 
 =head1 AUTHOR
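Review bot: in the added returnRadiusAccessAccept, `$role = $self->getRoleByName($user_role);` can leave `$role` undefined (the next line tests `defined($role)` for exactly that case), yet the final `$logger->info("... Returning ACCEPT with VLAN $vlan and role $role")` interpolates it unconditionally. Keep the lookup result in its own variable or reset `$role` to "" in the else branch. Two smaller points in the same hunk: `=back` now follows the closing `}` with no blank line, which POD formatters expect before a command paragraph, and the `if ( defined($role) ...`, `}` and `else {` lines are indented with tabs where the rest of the sub uses spaces.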


Maybe you'd like to tell me again how much I don't know about packet fence... Moron.
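
What the reply built by the patched returnRadiusAccessAccept looks like on the wire, as an added example (not code from this thread or from PacketFence): it encodes the two MikroTik vendor-specific attributes into an Access-Accept, then parses such a reply and checks its Response Authenticator before trusting the VLAN. It assumes MikroTik's IANA enterprise number 14988 and the sub-attribute numbers 26 and 27 from the dictionary lines in the post; the packet id, request authenticator and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MIKROTIK_VENDOR_ID = 14988      # MikroTik's IANA enterprise number (assumption, not on the page)
VENDOR_SPECIFIC = 26            # RADIUS attribute type for VSAs (RFC 2865)
WIRELESS_VLANID = 26            # sub-attribute numbers from the dictionary lines in the post
WIRELESS_VLANIDTYPE = 27
ACCESS_ACCEPT = 2


def mikrotik_vsa(sub_type, value):
    """Wrap one 32-bit integer sub-attribute in a MikroTik Vendor-Specific attribute."""
    sub = struct.pack("!BBI", sub_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), MIKROTIK_VENDOR_ID) + sub


def response_auth(header, request_auth, attrs, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, vlan):
    """Access-Accept carrying the VLAN id and VLAN id type 0, as the patch returns them."""
    attrs = mikrotik_vsa(WIRELESS_VLANID, vlan) + mikrotik_vsa(WIRELESS_VLANIDTYPE, 0)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(header, request_auth, attrs, secret) + attrs


def parse_access_accept(packet, request_auth, secret):
    """Check the authenticator, then return {sub_type: value} for MikroTik integer VSAs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_auth(packet[:4], request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or altered reply)")
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("truncated attribute")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != MIKROTIK_VENDOR_ID:
            continue
        sub, i = body[4:], 0
        while i + 2 <= len(sub):
            s_type, s_len = sub[i], sub[i + 1]
            if s_len < 2 or i + s_len > len(sub):
                raise ValueError("truncated sub-attribute")
            if s_len == 6:
                found[s_type] = struct.unpack("!I", sub[i + 2:i + 6])[0]
            i += s_len
    return found


# Constructed sample: VLAN 2000 is the registration VLAN shown in the post's log lines.
REQUEST_AUTH = bytes(range(16))
SECRET = b"yoursecret"
ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, 2000)

if __name__ == "__main__":
    print(parse_access_accept(ACCEPT, REQUEST_AUTH, SECRET))
```

The VLAN a client lands in is protected only by the shared RADIUS secret, so a reply whose authenticator does not verify must be discarded rather than parsed.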

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 7:27 pm
by rextended
Why did you post this? It is like throwing your pearls to the swine.

Thanks for sharing.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 7:29 pm
by roadracer96
To show him how much of an idiot he is.. Sometimes people just don't know...

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 12, 2014 8:05 pm
by docmarius
People, cool down. Such statements are of no use...

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Aug 26, 2014 11:22 pm
by baggar11
Roadracer, thanks for posting this. I've been interested in testing out PacketFence on my home network for quite some time without using inline mode.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Sun Aug 31, 2014 9:05 am
by baggar11
Wow, how did I miss this post over in wireless. Fabrice helped add support in the next release of PacketFence

http://forum.mikrotik.com/viewtopic.php?f=7&t=88495

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Mon Sep 15, 2014 6:44 pm
by baggar11
Pretty awesome. Thanks to Fabrice for his hard work on this. PacketFence 4.4.0 officially supports Mikrotik APs now.

http://www.packetfence.org/news/2014/ar ... eased.html

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Tue Dec 02, 2014 6:46 pm
by thasser
We should start a fight club.

Re: VOTE FOR PACKETFENCE SUPPORT

Posted: Wed May 13, 2020 1:55 pm
by madmucho
Hi,
for information: Dot1X-based VLAN assignment is working with PacketFence version 10 and MikroTik RouterOS, tested version 6.46.6.

For example, a port with a Windows client 802.1X supplicant gets a VLAN based on the setting in PacketFence and is authenticated from AD.

What is not working is administration tasks like Reevaluate Access and RestartSwitchPort; a new template for the mikrotik-switch RADIUS command is needed.

But you all want Dot1X, you have it :)

Radius disconnect task on mikrotik needs more values than
RADIUS Request
Acct-Session-Id =  "
NAS-IP-Address = 192.168.70.81 "
Calling-Station-Id = D4-AE-52-B9-2B-FD",
RADIUS Reply
Code = Disconnect-NAK "
NAS-Identifier = cap_michalek "
Error-Cause = Unsupported-Extension