Hi Fabrice,

Many thanks! It appears I’ve gotten 802.1x working, but the MAC fallback doesn’t 
appear to work. That looks like a RouterOS issue, so I’ll log a query in 
their forums.

Managed to work around the VLAN assignment issue I was having, where WiFi 
requires MikroTik-specific attributes and wired uses the standard ones, by 
simply sending everything in the replies, which works for both 802.1x wired and 
wireless connections.

Works for me, will test before trying to submit a patch:
[root@packetfence2 ~]# diff -uNr Mikrotik.pm.orig /usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig    2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm     2021-05-18 22:42:36.465205841 
+0200
@@ -46,6 +46,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+    WiredMacAuth
+    WiredDot1x
     WirelessMacAuth
     ExternalPortal
     WebFormRegistration
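Review bot: Declaring WiredMacAuth and WiredDot1x in the pf::SwitchSupports list does not by itself make wired requests resolvable: the log in the original report, taken after these two entries were added, still shows $nas_port uninitialized in pf::Switch::NasPortToIfIndex and an empty "port =>" in the authorize line. The patch should also say how the port is derived for Ethernet requests, or document why it may stay empty. WiredMacAuth is advertised here while the same message reports MAC fallback as not working, so consider leaving it out until that path has been tested.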
@@ -139,7 +141,8 @@
sub deauthTechniques {
     my ($self, $method, $connection_type) = @_;
     my $logger = $self->logger;
-    my $default = $SNMP::SSH;
+    my $default = $SNMP::RADIUS;
     my %tech = (
         $SNMP::SSH    => 'deauthenticateMacSSH',
         $SNMP::RADIUS => 'deauthenticateMacRadius',
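Review bot: Changing $default from $SNMP::SSH to $SNMP::RADIUS in deauthTechniques alters the module-wide default, so existing wireless deployments that relied on the SSH default change behaviour too, while the PS in this message says neither RADIUS disconnect nor CoA appears to work on wired 802.1x. Suggest keeping SSH as the default and selecting RADIUS from $connection_type once wired disconnect is confirmed. The hunk header also counts one more line on the new side (7 to 8) than the lines shown here account for, so check that the patch is complete before submitting.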
@@ -257,8 +260,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE       Mikrotik-Wireless-VlanID                26      integer
-ATTRIBUTE       Mikrotik-Wireless-VlanIDType            27      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID                26      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID-Type           27      integer

=cut

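Review bot: The POD section edited here still documents only the two wireless attributes, although the module now also returns Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID; add a sentence saying so for wired ports. The rename to Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANID-Type brings the text in line with the keys used in the reply hash, but since the POD tells admins to put these lines into /usr/share/freeradius/dictionary.mikrotik, confirm the names match the installed dictionary exactly.
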
@@ -279,6 +282,9 @@
         $radius_reply_ref = {
             'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
             'Mikrotik-Wireless-VLANID-Type' => "0",
+            'Tunnel-Type' => "13",
+            'Tunnel-Medium-Type' => "6",
+            'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
         };
     }

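Review bot: The three Tunnel-* keys are added to the same $radius_reply_ref as the Mikrotik-Wireless-* keys, so every reply carries both attribute sets regardless of connection type. That is fine as a workaround, but branching on the connection type (standard tunnel attributes for wired, MikroTik attributes for wireless) would keep replies minimal and easier to read in raddebug output. The literals "13" and "6" are the VLAN tunnel type and the IEEE-802 medium type; a short comment or named constants would make that clear to the next reader.
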
PS: Neither RADIUS disconnect nor CoA on 802.1x wired appears to be working, but this 
may also require alterations…

Regards
David Herselman

From: Fabrice Durand <oeufd...@gmail.com>
Sent: Tuesday, 18 May 2021 2:40 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

Hello David,

You are on the right track.

First you need to append that:

use pf::SwitchSupports qw(
    WiredMacAuth
    WiredDot1x
...
);


Then retry.
Also, can you provide raddebug output when you connect?

raddebug -f /usr/local/pf/var/run/radiusd.sock

Regards
Fabrice


On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hi,

I'm hoping someone could point me at some documentation which may provide 
necessary steps to extend the MikroTik module to additionally support 802.1x 
for ethernet.

I tried adding 'WiredDot1x' and 'WiredMacAuth' to 
/usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza but 
still received the following warnings:

May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in concatenation 
(.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468.
 (pf::Switch::NasPortToIfIndex)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation (.) 
or string at /usr/local/pf/lib/pf/radius.pm line 188.
 (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO: 
[mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip => 
(100.127.255.10), connection_type => Ethernet-EAP,switch_mac => 
(6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username => 
"DOMAIN-01\davidh" (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is 
unsupported (pf::radius::_switchUnsupportedReply)


When I review the Pica8 module I see the following, but have no reference as to 
what they do and whether or not I'm missing something which is possibly clearly 
documented.

Pica8 switch module:
use pf::config qw(
    $ROLE_API_LEVEL
    $MAC
    $PORT
    $WIRED_802_1X
    $WIRED_MAC_AUTH

MikroTik switch module:
use pf::config qw(
    $MAC
    $SSID
    $WIRELESS_MAC_AUTH
    $WEBAUTH_WIRELESS


Regards
David Herselman
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users