Hi again,

Enabling debugging on the router appears to reveal my problem:
22:18:30 radius,debug,packet received Access-Accept with id 128 from 192.168.55.55:1812
22:18:30 radius,debug,packet     Signature = 0x********************************
22:18:30 radius,debug,packet     User-Name = "REDACTED\davidh"
22:18:30 radius,debug,packet     MT-Wireless-VLAN-ID-Type = 0
22:18:30 radius,debug,packet     MT-Wireless-VLAN-ID = 666
22:18:30 radius,debug,packet     MS-MPPE-Recv-Key = 0x********************************
22:18:30 radius,debug,packet       ********************************
22:18:30 radius,debug,packet       ********************************
22:18:30 radius,debug,packet       6abe
22:18:30 radius,debug,packet     MS-MPPE-Send-Key = 0x********************************
22:18:30 radius,debug,packet       ********************************
22:18:30 radius,debug,packet       ********************************
22:18:30 radius,debug,packet       6cbc
22:18:30 radius,debug,packet     EAP-Message = 0x030b0004
22:18:30 radius,debug,packet     Message-Authenticator = 0x********************************
22:18:30 radius,debug received reply for 82:3e
22:18:30 dot1x,packet s ether4 tx EAPOL-Packet EAP-Success id:11
22:18:30 dot1x,debug s ether4 "REDACTED\davidh" authorized
22:18:30 dot1x,debug s ether4 UNBLOCK

I had very simply added the following to the Mikrotik.pm file in 
/usr/local/pf/lib/Switch:
[admin@packetfence2 ~]# diff -uNr Mikrotik.pm.orig 
/usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig    2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm     2021-05-18 21:57:33.528217009 
+0200
@@ -46,6 +46,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+    WiredMacAuth
+    WiredDot1x
     WirelessMacAuth
     ExternalPortal
     WebFormRegistration
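Review bot: adding WiredMacAuth and WiredDot1x to pf::SwitchSupports only advertises the capability; nothing in this hunk changes what the module puts in the Access-Accept, which (per the 'Mikrotik-Wireless-VLANID' / 'Mikrotik-Wireless-VLANID-Type' lines quoted later in the thread) is still the wireless VSA pair, while the wired trace shows the switch expecting Tunnel-Type = 13, Tunnel-Medium-Type = 6 and Tunnel-Private-Group-ID. The wired path therefore needs its own reply branch keyed on connection type, otherwise a wired port will authorize without the intended VLAN.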


According to the documentation, wired 802.1x does not use custom attribute names, so 
I need to figure out how to send standard attributes when using wired 802.1x 
(example below) and the existing custom attributes when using wireless 802.1x:
09:51:45 radius,debug,packet received Access-Accept with id 64 from 10.1.2.3:1812
09:51:45 radius,debug,packet     Tunnel-Type = 13
09:51:45 radius,debug,packet     Tunnel-Medium-Type = 6
09:51:45 radius,debug,packet     Tunnel-Private-Group-ID = "666"
(..)
09:51:45 radius,debug,packet     User-Name = "dot1x-user"


Regards
David Herselman
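As an added illustration of the split described in the message above (not PacketFence's code, and not David's patch), the following standalone Perl picks the VLAN reply attributes by connection type: wired 802.1X and wired MAC auth get the standard Tunnel-* triple seen in the second RouterOS trace, wireless keeps the Mikrotik VSAs the module already returns. The connection-type labels and the helper name are assumptions; PacketFence uses its own constants and builds the reply inside the switch module.

```perl
#!/usr/bin/perl
# Added example for the thread above; not PacketFence's own code.
use strict;
use warnings;

# Assumed connection-type labels (PacketFence has its own constants).
use constant {
    WIRED_802_1X   => 'WIRED_802_1X',
    WIRED_MAC_AUTH => 'WIRED_MAC_AUTH',
    WIRELESS       => 'WIRELESS',
};

# RFC 3580 values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
use constant { TUNNEL_TYPE_VLAN => 13, TUNNEL_MEDIUM_IEEE802 => 6 };

# Returns a hashref of RADIUS reply attributes for the given connection type.
# Dies on a malformed VLAN id so a bad value never reaches the switch as an
# unexpected Tunnel-Private-Group-ID or Mikrotik-Wireless-VLANID.
sub vlan_reply_attributes {
    my ($connection_type, $vlan) = @_;
    die "invalid VLAN id\n"
        unless defined $vlan && $vlan =~ /^\d+$/ && $vlan >= 1 && $vlan <= 4094;

    if ($connection_type eq WIRED_802_1X || $connection_type eq WIRED_MAC_AUTH) {
        # Wired ports: standard attributes, as in the 09:51:45 trace.
        return {
            'Tunnel-Type'             => TUNNEL_TYPE_VLAN,
            'Tunnel-Medium-Type'      => TUNNEL_MEDIUM_IEEE802,
            'Tunnel-Private-Group-ID' => "$vlan",   # sent as a string
        };
    }

    # Wireless: vendor-specific attributes from dictionary.mikrotik.
    return {
        'Mikrotik-Wireless-VLANID'      => "$vlan",
        'Mikrotik-Wireless-VLANID-Type' => "0",
    };
}

# Demonstration on constructed input: VLAN 666 from the traces, both paths.
for my $ct (WIRED_802_1X, WIRELESS) {
    my $reply = vlan_reply_attributes($ct, 666);
    printf "%-14s %s\n", $ct,
        join ', ', map { "$_ = $reply->{$_}" } sort keys %$reply;
}
```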

From: David Herselman
Sent: Tuesday, 18 May 2021 9:27 PM
To: Quiniou-Briand, Nicolas <nquin...@akamai.com>; 
packetfence-users@lists.sourceforge.net
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hi Nicolas,

MikroTik have at least 3 integration options with their products. Most people 
appear to want to integrate their centrally managed WiFi solutions called 
CAPsMAN, but most of my integration to PacketFence has been with individual 
MikroTik routers with wireless interfaces. We have RADIUS disconnect working 
well in this scenario, after making the following subtle change. VLAN 
assignment has been reliable and RADIUS accounting is working perfectly for 
single sign on to a Check Point security gateway:
--- Mikrotik.pm.orig    2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm     2021-05-16 09:39:14.703284401 
+0200
@@ -139,7 +139,8 @@
sub deauthTechniques {
     my ($self, $method, $connection_type) = @_;
     my $logger = $self->logger;
-    my $default = $SNMP::SSH;
+    my $default = $SNMP::RADIUS;
     my %tech = (
         $SNMP::SSH    => 'deauthenticateMacSSH',
         $SNMP::RADIUS => 'deauthenticateMacRadius',
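Review bot: switching $default from $SNMP::SSH to $SNMP::RADIUS changes the fallback deauthentication technique for every switch that uses this module, not just the one being tested; since $method is already passed into deauthTechniques, check whether the same result can be had by setting the deauthentication method per switch and keep the module default only if RADIUS disconnect is known to work on all RouterOS integration variants (CAPsMAN, standalone wireless routers and wired dot1x) mentioned in this message.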
@@ -257,8 +258,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE       Mikrotik-Wireless-VlanID                26      integer
-ATTRIBUTE       Mikrotik-Wireless-VlanIDType            27      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID                26      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID-Type           27      integer

=cut

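Review bot: this hunk only edits the POD text that follows =cut, so it is a documentation correction with no behaviour change; the new names match the 'Mikrotik-Wireless-VLANID' / 'Mikrotik-Wireless-VLANID-Type' keys the module actually returns (quoted later in the thread), which the old comment did not. While touching this block, it would be worth adding that wired 802.1X and MAC auth ports expect the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes rather than these VSAs.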
The attribute name changes are actually just comment corrections, references in 
the code appeared to have been changed relatively recently to match the 
FreeRADIUS defaults.


MikroTik RouterOS v6.45.1 (changelog here: 
<https://forum.mikrotik.com/viewtopic.php?t=149786>, from 2019/07) 
introduced dot1x (manual here: 
<https://help.mikrotik.com/docs/display/ROS/Dot1X>) as an implementation of 
IEEE 802.1X port-based network access control using EAPOL (EAP over LAN), as 
both supplicant (client) and authenticator (server). Supported EAP methods are 
EAP-TLS, EAP-TTLS, EAP-MSCHAPv2, PEAPv0/EAP-MSCHAPv2 and it appears to support 
MAB fallback.
PS: RouterOS is a free upgrade on any RouterBoard device and all current 
software release channels (long term, stable, testing and development) have 
this feature.

I would essentially like to hack around with the switch module to hopefully get 
both wired and wireless 802.1X working as authenticator. Perl appears to be 
readable but I have no idea where to start looking at what variables and 
functions I need to possibly copy to support both wired 802.1x and wired MAC 
auth.


Regards
David Herselman


From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Tuesday, 18 May 2021 2:24 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hello David,

1. Which features do you use on the Mikrotik module: Wireless MAC Auth? Webauth 
Wireless? Or both?

If you only use Wireless MAC Auth, you can try to create your own switch 
template [1] to support features you need ('WiredDot1x' and 'WiredMacAuth').

[1] 
https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template

It looks like the current switch module returns the following attributes:
#v+
            'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
            'Mikrotik-Wireless-VLANID-Type' => "0",
        };
#v-
You certainly need to adapt the switch template to return something similar for 
wired.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
