Mikrotik Radius Client Attribute/Authentication Questions
Posted: Fri Jun 30, 2006 1:36 am
by cwu46
Hi all,
To authenticate w/ our Radius servers, I need to have the Mikrotik send the following during the RADIUS access-request for each user:
1. SSID requested by the user
In doing some research, I've discovered methods of doing it either through Congdon (e.g. -- attached to the end of the called-station-id) or via a VSA.
Does Mikrotik support this (through Congdon or a specific VSA for SSID)?
If not -- how are others implementing 802.1x RADIUS-based authentication w/ Mikrotik (or is anyone doing it?)
Thanks
-Charles
Posted: Fri Jun 30, 2006 2:17 am
by cwu46
Just to expand:
from:
http://www.ieee802.org/1/files/public/d ... 21x-20.txt
Congdon RADIUS (802.1x) implementation of Called-Station-ID Attribute
3.20. Called-Station-Id
For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".
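A RADIUS-side check built on the Called-Station-Id format quoted above, as an added example that is not part of the original post or of any RADIUS server's own code. The function names and the allowed-SSID set are hypothetical, and every sample value other than the draft's own example is constructed.

```python
import re

# Six hex octets separated by "-", the MAC format the quoted draft specifies.
_MAC = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
MAX_SSID_OCTETS = 32  # IEEE 802.11 limits an SSID to 32 octets


def parse_called_station_id(value):
    """Split 'MAC' or 'MAC:SSID' into (mac, ssid); ssid is None if absent."""
    # The MAC uses "-" separators, so the first ":" is the MAC/SSID boundary.
    # Any later ":" belongs to the SSID itself.
    mac, sep, ssid = value.partition(":")
    if not _MAC.fullmatch(mac):
        raise ValueError("MAC part is not in XX-XX-XX-XX-XX-XX form")
    if not sep:
        return mac.upper(), None
    if not ssid or len(ssid.encode("utf-8")) > MAX_SSID_OCTETS:
        raise ValueError("SSID part is empty or longer than 32 octets")
    return mac.upper(), ssid


def ssid_permitted(called_station_id, allowed_ssids):
    """Fail closed: deny when the SSID is missing, malformed or not listed."""
    try:
        _, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    # SSIDs are compared exactly; "AP1" and "ap1" are different networks.
    return ssid is not None and ssid in allowed_ssids


if __name__ == "__main__":
    allowed = {"AP1"}  # constructed per-user policy
    for sample in ("00-10-A4-23-19-C0:AP1",     # example from the quoted draft
                   "00-10-A4-23-19-C0",         # constructed: no SSID appended
                   "00-10-A4-23-19-C0:lab:5g",  # constructed: ":" in the SSID
                   "00:10:A4:23:19:C0:AP1"):    # constructed: wrong MAC separator
        print(sample, "->", ssid_permitted(sample, allowed))
```

A NAS that sends only the MAC address, with no SSID appended, is denied by this check rather than silently allowed.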
Posted: Fri Jun 30, 2006 2:27 am
by cwu46
So I delved deeper into the documentation, and found the Mikrotik reference dictionary:
http://www.mikrotik.com/Documentation/m ... dictionary
It looks like there's no particular VSA for SSID =(
That said, is there any way to pass the user's associated SSID to the radius server (is Calling-Station-ID implemented correctly per Congdon)?
thanks
-Charles
Posted: Thu Nov 30, 2006 2:34 am
by datanet
I need the same: is there any way to pass the user's associated SSID to the radius server?
I have a tower with 2 wifi interfaces and I must set access to particular SSID for wireless client in the radius server.
Please advise.
Piotr
Posted: Thu Nov 30, 2006 9:18 am
by normis
Each SSID has its own interface in RouterOS. Radius gets interface name in NAS-Port-Id attribute.
It is possible to rename all wireless interfaces to their SSID value and then NAS-Port-Id will contain SSID of the client.
Posted: Fri Dec 01, 2006 5:02 pm
by datanet
Now I can check SSID with NAS-Port-Id attribute.
00:13:CE:9A:F6:82 NAS-Port-Id == wlan1
But if I turn it on - the DHCP server doesn't give me an IP address - I got Access-Reject.
The SSID check works fine, the client can be associated with the radio station, but the DHCP lease stops working.
Then I remove this line from the radius check table, DHCP starts working, but of course I lose the possibility of checking the SSID.
Any ideas?
Posted: Thu Jan 11, 2007 12:10 am
by jfan
I have been told that v3.x will pass SSID to RADIUS. Can anyone confirm this? I am trying to prove it myself currently...
For Virtual AP, each SSID should be able to be passed to RADIUS per Congdon, right?
Jin