Hi Nicolas,

MikroTik have at least 3 integration options with their products. Most people appear to want to integrate their centrally managed WiFi solutions called CAPsMAN, but most of my integration to PacketFence has been with individual MikroTik routers with wireless interfaces. We have RADIUS disconnect working well in this scenario, after making the following subtle change. VLAN assignment has been reliable and RADIUS accounting is working perfectly for single sign on to a Check Point security gateway:

--- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200 +++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-16 09:39:14.703284401 +0200 @@ -139,7 +139,8 @@ sub deauthTechniques { my ($self, $method, $connection_type) = @_; my $logger = $self->logger; - my $default = $SNMP::SSH; + my $default = $SNMP::RADIUS; my %tech = ( $SNMP::SSH => 'deauthenticateMacSSH', $SNMP::RADIUS => 'deauthenticateMacRadius', @@ -257,8 +258,8 @@
Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the following attributes: -ATTRIBUTE Mikrotik-Wireless-VlanID 26 integer -ATTRIBUTE Mikrotik-Wireless-VlanIDType 27 integer +ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer +ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer =cut

The attribute name changes are actually just comment corrections; references in the code appeared to have been changed relatively recently to match the FreeRADIUS defaults.

MikroTik RouterOS v6.45.1 (changelog here <https://forum.mikrotik.com/viewtopic.php?t=149786> from 2019/07) introduced dot1x (manual here <https://help.mikrotik.com/docs/display/ROS/Dot1X>) as an implementation of IEEE 802.1X port-based network access control using EAPOL (EAP over LAN), as both supplicant (client) and authenticator (server). Supported EAP methods are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2, PEAPv0/EAP-MSCHAPv2 and it appears to support MAB fallback.

PS: RouterOS is a free upgrade on any RouterBoard device and all current software release channels (long term, stable, testing and development) have this feature.

I would essentially like to hack around with the switch module to hopefully get both wired and wireless 802.1X working as authenticator. Perl appears to be readable but I have no idea where to start looking at what variables and functions I need to possibly copy to support both wired 802.1x and wired MAC auth.

Regards
David Herselman

From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Tuesday, 18 May 2021 2:24 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hello David,

1. Which features do you use on Mikrotik module: Wireless MAC Auth? Webauth Wireless? Or both?

If you only use Wireless MAC Auth, you can try to create your own switch template [1] to support features you need ('WiredDot1x' and 'WiredMacAuth').
[1] https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template

It looks like the current switch module returned the following attributes:

#v+
'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
'Mikrotik-Wireless-VLANID-Type' => "0",
};
#v-

You certainly need to adapt the switch template to return something similar for wired.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142
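
Review bot: in the `@@ -139,7 +139,8 @@` hunk of Mikrotik.pm, changing `$default` in `deauthTechniques` from `$SNMP::SSH` to `$SNMP::RADIUS` alters the fallback deauthentication method for every switch handled by this module, not only the standalone-router setup the message describes. The sub already takes a `$method` argument and `%tech` already maps `$SNMP::RADIUS` to `deauthenticateMacRadius`, so RADIUS looks selectable per switch without touching the default; if the default does change, say so in the module's POD so deployments that rely on SSH deauthentication know to pin their method. The hunk header also counts 7 old and 8 new lines while only a one-for-one replacement is visible, so an added line may be missing from the patch as posted and it may not apply cleanly.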
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users