Hi Fabrice, Many thanks! It appears I’ve gotten 802.1x working but the mac fallback doesn’t appear to work but that looks like a RouterOS issue so I’ll log a query in their forums.
Managed to work around the VLAN assignment issue I was having where WiFi requires MikroTik-specific attributes and wired uses the standard ones by simply sending everything in the replies, which works for both 802.1x wired and wireless connections. Works for me, will test before trying to submit a patch:

[root@packetfence2 ~]# diff -uNr Mikrotik.pm.orig /usr/local/pf/lib/pf/Switch/Mikrotik.pm; --- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200 +++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-18 22:42:36.465205841 +0200 @@ -46,6 +46,8 @@ # CAPABILITIES # access technology supported use pf::SwitchSupports qw( + WiredMacAuth + WiredDot1x WirelessMacAuth ExternalPortal WebFormRegistration @@ -139,7 +141,8 @@ sub deauthTechniques { my ($self, $method, $connection_type) = @_; my $logger = $self->logger; - my $default = $SNMP::SSH; + my $default = $SNMP::RADIUS; my %tech = ( $SNMP::SSH => 'deauthenticateMacSSH', $SNMP::RADIUS => 'deauthenticateMacRadius', @@ -257,8 +260,8 @@ Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the following attributes: -ATTRIBUTE Mikrotik-Wireless-VlanID 26 integer -ATTRIBUTE Mikrotik-Wireless-VlanIDType 27 integer +ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer +ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer =cut @@ -279,6 +282,9 @@ $radius_reply_ref = { 'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "", 'Mikrotik-Wireless-VLANID-Type' => "0", + 'Tunnel-Type' => "13", + 'Tunnel-Medium-Type' => "6", + 'Tunnel-Private-Group-ID' => $args->{'vlan'} . "", }; }

PS: Neither RADIUS disconnect nor CoA on 802.1x wired appears to be working but this may also require alterations…

Regards
David Herselman
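
Review bot: In the pf::SwitchSupports hunk (@@ -46,6 +46,8 @@), WiredMacAuth and WiredDot1x are declared but nothing else in the patch deals with the wired port number. The log quoted later in this thread shows $nas_port uninitialized in pf::Switch::NasPortToIfIndex and an empty "port =>" in the autz request, and the module's use pf::config list quoted there carries only $MAC $SSID $WIRELESS_MAC_AUTH $WEBAUTH_WIRELESS, while Pica8 also imports $PORT $WIRED_802_1X $WIRED_MAC_AUTH. Please check whether those warnings are still logged with this change applied and, if they are, handle the NAS-Port mapping in the module before submitting.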
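
Review bot: In deauthTechniques (@@ -139,7 +141,8 @@), the default moves from $SNMP::SSH to $SNMP::RADIUS for every connection type, so wireless setups that relied on the SSH default change behaviour as well, and the PS in the same message reports that RADIUS disconnect and CoA are not working on wired 802.1x. $connection_type is already an argument of this sub; consider picking the default from it, or leaving the default alone until the RADIUS deauth path is confirmed to work, since a failed deauth leaves a client on its previous VLAN.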
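
Review bot: In the POD hunk (@@ -257,8 +260,8 @@), the attribute names are renamed to match the keys used in the reply hash, but the text gives no hint that they changed. Anyone who filled dictionary.mikrotik from the old wording has Mikrotik-Wireless-VlanID and Mikrotik-Wireless-VlanIDType defined, so a sentence pointing out the rename would help.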
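
Review bot: In the $radius_reply_ref hunk (@@ -279,6 +282,9 @@), the three Tunnel-* attributes are added unconditionally beside the Mikrotik-Wireless-* ones, and "13" and "6" are bare magic values. Add a comment that Tunnel-Type 13 is VLAN and Tunnel-Medium-Type 6 is IEEE-802, and consider choosing the attribute set by connection type instead of sending both, or state in the POD that both sets are sent on purpose so that wired and wireless share one reply.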
From: Fabrice Durand <oeufd...@gmail.com>
Sent: Tuesday, 18 May 2021 2:40 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

Hello David,

you are on the right track. First you need to append that:

use pf::SwitchSupports qw(
    WiredMacAuth
    WiredDot1x
    ...
);

Then retry. Also, can you provide a raddebug output when you connect?

raddebug -f /usr/local/pf/var/run/radiusd.sock

Regards
Fabrice

On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi,

I'm hoping someone could point me at some documentation which may provide necessary steps to extend the MikroTik module to additionally support 802.1x for ethernet. I tried adding 'WiredDot1x' and 'WiredMacAuth' to /usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza but still received the following warnings:

May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: [mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468. (pf::Switch::NasPortToIfIndex)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: [mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 188. (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO: [mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip => (100.127.255.10), connection_type => Ethernet-EAP,switch_mac => (6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username => "DOMAIN-01\davidh" (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: [mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)

When I review the Pica8 module I see the following, but have no reference as to what they do and whether or not I'm missing something which is possibly clearly documented.

Pica8 switch module:
use pf::config qw( $ROLE_API_LEVEL $MAC $PORT $WIRED_802_1X $WIRED_MAC_AUTH

MikroTik switch module:
use pf::config qw( $MAC $SSID $WIRELESS_MAC_AUTH $WEBAUTH_WIRELESS

Regards
David Herselman

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users