Hi again,

Enabling debugging on the router appears to reveal my problem:

22:18:30 radius,debug,packet received Access-Accept with id 128 from 192.168.55.55:1812
22:18:30 radius,debug,packet Signature = 0x********************************
22:18:30 radius,debug,packet User-Name = "REDACTED\davidh"
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID = 666
22:18:30 radius,debug,packet MS-MPPE-Recv-Key = 0x********************************
22:18:30 radius,debug,packet ********************************
22:18:30 radius,debug,packet ********************************
22:18:30 radius,debug,packet 6abe
22:18:30 radius,debug,packet MS-MPPE-Send-Key = 0x********************************
22:18:30 radius,debug,packet ********************************
22:18:30 radius,debug,packet ********************************
22:18:30 radius,debug,packet 6cbc
22:18:30 radius,debug,packet EAP-Message = 0x030b0004
22:18:30 radius,debug,packet Message-Authenticator = 0x********************************
22:18:30 radius,debug received reply for 82:3e
22:18:30 dot1x,packet s ether4 tx EAPOL-Packet EAP-Success id:11
22:18:30 dot1x,debug s ether4 "REDACTED\davidh" authorized
22:18:30 dot1x,debug s ether4 UNBLOCK
I had very simply added the following to the Mikrotik.pm file in /usr/local/pf/lib/Switch:

[admin@packetfence2 ~]# diff -uNr Mikrotik.pm.orig /usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-18 21:57:33.528217009 +0200
@@ -46,6 +46,8 @@
 # CAPABILITIES
 # access technology supported
 use pf::SwitchSupports qw(
+    WiredMacAuth
+    WiredDot1x
     WirelessMacAuth
     ExternalPortal
     WebFormRegistration

According to the documentation, wired 802.1x does not use custom attribute names, so I need to figure out how to send standard attributes when using wired 802.1x (example below) and the existing custom attributes when using wireless 802.1x:

09:51:45 radius,debug,packet received Access-Accept with id 64 from 10.1.2.3:1812
09:51:45 radius,debug,packet Tunnel-Type = 13
09:51:45 radius,debug,packet Tunnel-Medium-Type = 6
09:51:45 radius,debug,packet Tunnel-Private-Group-ID = "666"
(..)
09:51:45 radius,debug,packet User-Name = "dot1x-user"

Regards
David Herselman

From: David Herselman
Sent: Tuesday, 18 May 2021 9:27 PM
To: Quiniou-Briand, Nicolas <nquin...@akamai.com>; packetfence-users@lists.sourceforge.net
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hi Nicolas,

MikroTik have at least 3 integration options with their products. Most people appear to want to integrate their centrally managed WiFi solution called CAPsMAN, but most of my integration with PacketFence has been with individual MikroTik routers with wireless interfaces. We have RADIUS disconnect working well in this scenario, after making the following subtle change. VLAN assignment has been reliable and RADIUS accounting is working perfectly for single sign-on to a Check Point security gateway:

--- Mikrotik.pm.orig 2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-16 09:39:14.703284401 +0200
@@ -139,7 +139,8 @@ sub deauthTechniques {
     my ($self, $method, $connection_type) = @_;
     my $logger = $self->logger;
-    my $default = $SNMP::SSH;
+    my $default = $SNMP::RADIUS;
     my %tech = (
         $SNMP::SSH => 'deauthenticateMacSSH',
         $SNMP::RADIUS => 'deauthenticateMacRadius',
@@ -257,8 +258,8 @@
 Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the following attributes:
 
-ATTRIBUTE Mikrotik-Wireless-VlanID 26 integer
-ATTRIBUTE Mikrotik-Wireless-VlanIDType 27 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer
+ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer
 
 =cut

The attribute name changes are actually just comment corrections; references in the code appeared to have been changed relatively recently to match the FreeRADIUS defaults.

MikroTik RouterOS v6.45.1 (changelog here <https://forum.mikrotik.com/viewtopic.php?t=149786>, from 2019/07) introduced dot1x (manual here <https://help.mikrotik.com/docs/display/ROS/Dot1X>) as an implementation of IEEE 802.1X port-based network access control using EAPOL (EAP over LAN), as both supplicant (client) and authenticator (server). Supported EAP methods are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and PEAPv0/EAP-MSCHAPv2, and it appears to support MAB fallback.

PS: RouterOS is a free upgrade on any RouterBoard device and all current software release channels (long term, stable, testing and development) have this feature.

I would essentially like to hack around with the switch module to hopefully get both wired and wireless 802.1X working as authenticator. Perl appears to be readable, but I have no idea where to start looking at what variables and functions I need to possibly copy to support both wired 802.1x and wired MAC auth.

Regards
David Herselman
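Review bot: on the pf::SwitchSupports hunk in the first patch (WiredMacAuth / WiredDot1x), declaring the capabilities only lets PacketFence accept wired requests from this switch type; the module's reply code still returns the wireless-only pair ('Mikrotik-Wireless-VLANID' / 'Mikrotik-Wireless-VLANID-Type'), which is exactly what the ether4 debug log shows the router receiving (MT-Wireless-VLAN-ID = 666, no Tunnel-* attributes), so the VLAN is never applied to the wired port. The reply hook needs a branch on the connection type that returns Tunnel-Type = 13, Tunnel-Medium-Type = 6 and Tunnel-Private-Group-ID = "<vlan>" for wired 802.1X/MAC auth, as in the second log excerpt, and keeps the vendor attributes for wireless. Minor: the headers compare `Mikrotik.pm.orig` in the home directory against the installed `/usr/local/pf/lib/pf/Switch/Mikrotik.pm`, so the patch cannot be applied from the source tree as pasted; diffing two copies under the same path prefix would make it reusable.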
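Review bot: in the deauthTechniques hunk, flipping `my $default = $SNMP::SSH;` to `$SNMP::RADIUS` changes the fallback for every existing deployment of this module that relied on SSH deauthentication, while %tech still lists both techniques and `$method` is passed in, so the per-switch deauthentication method can already select RADIUS without touching the default; if the default must change, say so in the POD. Separately, the header claims 7 lines become 8 but only one added line is visible, so the pasted hunk appears to be missing a line and may not apply as shown.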
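Review bot: the POD hunk brings the documented names in line with the ones the module actually returns (Mikrotik-Wireless-VLANID / Mikrotik-Wireless-VLANID-Type, as quoted in Nicolas's reply), but the sentence "Don't forget to fill /usr/share/freeradius/dictionary.mikrotik" still tells administrators to hand-edit a file that FreeRADIUS ships and, as David notes, already defines these attributes under these names; a duplicate or slightly different definition there is a classic source of silently wrong VSAs after an upgrade. Suggest rewording the POD to "the attribute names above must match the installed FreeRADIUS dictionary.mikrotik" rather than instructing to add them.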
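To make the two halves of David's problem concrete, here is an added example in Python; it is my own code, not part of PacketFence, RouterOS or either patch above. The first function returns the two attribute sets the thread compares (the MikroTik vendor attributes under the FreeRADIUS dictionary names quoted in Nicolas's reply for wireless, the standard Tunnel-* triple from the second log excerpt for wired). The rest parses the RouterOS `radius,debug,packet` / `dot1x,debug` lines in the shape shown in the thread, ties each Access-Accept to the port it authorized, and reports sessions where a wired port received only the wireless VSA (the exact situation in the ether4 log). The interface naming rule (wlan* is wireless, anything else wired) and the second sample session on ether5 are assumptions constructed for the example.

```python
"""Added example (own code, not PacketFence/MikroTik): VLAN reply attribute sets
per connection type, plus a check of RouterOS 'radius,debug' output for the
wired-port-gets-wireless-VSA mismatch seen in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


def vlan_reply_attributes(connection_type: str, vlan: int) -> Dict[str, str]:
    """Wireless: MikroTik vendor attributes (FreeRADIUS dictionary names from the
    thread). Wired: RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN,
    Tunnel-Medium-Type 6 = IEEE-802), which the RouterOS dot1x docs expect."""
    if connection_type == "wireless":
        return {"Mikrotik-Wireless-VLANID": str(vlan),
                "Mikrotik-Wireless-VLANID-Type": "0"}
    if connection_type == "wired":
        return {"Tunnel-Type": "13",
                "Tunnel-Medium-Type": "6",
                "Tunnel-Private-Group-ID": str(vlan)}
    raise ValueError(f"unknown connection type {connection_type!r}")


# Line shapes taken from the RouterOS debug output quoted in the thread.
ACCEPT_RE = re.compile(r"^\S+ radius,debug,packet received Access-Accept"
                       r" with id (?P<id>\d+) from (?P<server>\S+)$")
ATTR_RE = re.compile(r"^\S+ radius,debug,packet (?P<name>[A-Za-z][\w-]*) = (?P<value>.*)$")
AUTHORIZED_RE = re.compile(r'^\S+ dot1x,debug s (?P<iface>\S+) "(?P<user>.*)" authorized$')


@dataclass
class AccessAccept:
    server: str
    packet_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    interface: Optional[str] = None  # filled from the dot1x "authorized" line
    user: Optional[str] = None


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_radius_debug(lines: Iterable[str]) -> List[AccessAccept]:
    """Group each Access-Accept with its attributes and the port it authorized.
    Continuation lines of long keys (no '=') and EAPOL lines are skipped."""
    records: List[AccessAccept] = []
    current: Optional[AccessAccept] = None
    for raw in lines:
        line = raw.strip()
        if (m := ACCEPT_RE.match(line)):
            current = AccessAccept(server=m["server"], packet_id=int(m["id"]))
            records.append(current)
        elif current is not None and (m := ATTR_RE.match(line)):
            current.attrs[m["name"]] = _unquote(m["value"])
        elif current is not None and (m := AUTHORIZED_RE.match(line)):
            current.interface, current.user = m["iface"], m["user"]
            current = None  # session complete; later attributes belong to a new reply
    return records


def port_kind(interface: str) -> str:
    """Assumption for this example: wlan* is wireless, everything else is wired."""
    return "wireless" if interface.startswith("wlan") else "wired"


def check_vlan_delivery(records: List[AccessAccept]) -> List[str]:
    """One finding per authorized session whose reply cannot set a VLAN on that
    port kind: wired needs Tunnel-Private-Group-ID, wireless needs the vendor
    attribute (RouterOS prints it as MT-Wireless-VLAN-ID)."""
    findings: List[str] = []
    for r in records:
        if r.interface is None:
            continue
        wired_vlan = r.attrs.get("Tunnel-Private-Group-ID")
        wireless_vlan = r.attrs.get("MT-Wireless-VLAN-ID")
        if port_kind(r.interface) == "wired" and wired_vlan is None:
            detail = f", only the wireless VSA MT-Wireless-VLAN-ID={wireless_vlan}" if wireless_vlan else ""
            findings.append(f"{r.interface} ({r.user}): reply id {r.packet_id} "
                            f"carries no Tunnel-Private-Group-ID{detail}")
        elif port_kind(r.interface) == "wireless" and wireless_vlan is None:
            findings.append(f"{r.interface} ({r.user}): reply id {r.packet_id} "
                            f"carries no MT-Wireless-VLAN-ID")
    return findings


# Constructed sample: the ether4 excerpt from the thread (redactions kept) plus a
# made-up second session on ether5 that did receive the standard attributes.
SAMPLE_LOG = """\
22:18:30 radius,debug,packet received Access-Accept with id 128 from 192.168.55.55:1812
22:18:30 radius,debug,packet User-Name = "REDACTED\\davidh"
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID = 666
22:18:30 radius,debug,packet MS-MPPE-Recv-Key = 0x********************************
22:18:30 radius,debug,packet ********************************
22:18:30 radius,debug,packet EAP-Message = 0x030b0004
22:18:30 radius,debug received reply for 82:3e
22:18:30 dot1x,debug s ether4 "REDACTED\\davidh" authorized
22:19:02 radius,debug,packet received Access-Accept with id 64 from 192.168.55.55:1812
22:19:02 radius,debug,packet Tunnel-Type = 13
22:19:02 radius,debug,packet Tunnel-Medium-Type = 6
22:19:02 radius,debug,packet Tunnel-Private-Group-ID = "666"
22:19:02 radius,debug,packet User-Name = "dot1x-user"
22:19:02 dot1x,debug s ether5 "dot1x-user" authorized
"""

if __name__ == "__main__":
    for finding in check_vlan_delivery(parse_radius_debug(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run against a saved `/log print` or terminal capture with the `radius,debug` and `dot1x,debug` topics enabled, the check reports the ether4 session (wireless VSA only) and stays silent for the ether5 one; `vlan_reply_attributes` is the branch the switch module's reply hook needs, keyed on whether the request came from a wired or wireless connection.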
From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Tuesday, 18 May 2021 2:24 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hello David,

1. Which features do you use on the Mikrotik module: Wireless MAC Auth? Webauth Wireless? Or both?

If you only use Wireless MAC Auth, you can try to create your own switch template [1] to support the features you need ('WiredDot1x' and 'WiredMacAuth').

[1] https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template

It looks like the current switch module returned the following attributes:

#v+
    'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
    'Mikrotik-Wireless-VLANID-Type' => "0",
};
#v-

You certainly need to adapt the switch template to return something similar for wired.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users