Difference between revisions of "Manual:Interface/Dot1x"

From MikroTik Wiki
Jump to: navigation, search
(RouterOS Supplicant configuration: Use eap method that actually uses anon-identity)
(Server)
 
(24 intermediate revisions by 2 users not shown)
Line 21: Line 21:
 
|type=string
 
|type=string
 
|default=
 
|default=
|desc=Identity for outer layer EAP authentication. Used only with <var>eap-ttls</var> and <var>eap-peap</var> methods.
+
|desc=Identity for outer layer EAP authentication. Used only with <var>eap-ttls</var> and <var>eap-peap</var> methods. If not set, value from <var>identity</var> parameter will be used for outer layer EAP authentication.
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
|arg=client-certificate
+
|arg=certificate
 
|type=string
 
|type=string
 
|default=
 
|default=
 
|desc=Name of a certificate listed in [[M:System/Certificates | System/Certificates]]. Necessary when <var>eap-tls</var> method is used.
 
|desc=Name of a certificate listed in [[M:System/Certificates | System/Certificates]]. Necessary when <var>eap-tls</var> method is used.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=comment
 +
|type=string
 +
|default=
 +
|desc=Short description of the entry.
 
}}
 
}}
  
Line 87: Line 94:
 
|desc=Possible statuses:
 
|desc=Possible statuses:
 
* <var>authenticated</var> - the client has successfully authenticated;
 
* <var>authenticated</var> - the client has successfully authenticated;
* <var>authenticated-without-server</var> - access to the port is granted without communication with server;
+
* <var>authenticated without server</var> - access to the port is granted without communication with server;
 
* <var>authenticating</var> - the server is reached and authentication process is ongoing;
 
* <var>authenticating</var> - the server is reached and authentication process is ongoing;
 
* <var>connecting</var> - initial stage of the authentication process;
 
* <var>connecting</var> - initial stage of the authentication process;
 
* <var>disabled</var> - the client is disabled;
 
* <var>disabled</var> - the client is disabled;
* <var>err</var> - an internal error has occurred;
+
* <var>error</var> - an internal error has occurred;
* <var>iface-down</var> - the parent interface is not running;
+
* <var>interface is down</var> - the parent interface is not running;
 
* <var>rejected</var> - the server denied the authentication.
 
* <var>rejected</var> - the server denied the authentication.
 
}}
 
}}
Line 103: Line 110:
 
|prop=Property
 
|prop=Property
 
|desc=Description
 
|desc=Description
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=accounting
 +
|type=yes {{!}} no
 +
|default=yes
 +
|desc=Whether to send RADIUS accounting requests to authentication server.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=auth-timeout
 +
|type=time
 +
|default=1m
 +
|desc=Total time available for EAP authentication.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=auth-types
 +
|type=dot1x {{!}} mac-auth
 +
|default=dot1x
 +
|desc=Used authentication type on a server interface, both options can be selected at the same time.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=comment
 +
|type=string
 +
|default=
 +
|desc=Short description of the entry.
 
}}
 
}}
  
Line 109: Line 144:
 
|type=yes {{!}} no
 
|type=yes {{!}} no
 
|default=no
 
|default=no
|desc=Whether server is enabled or not.
+
|desc=Whether server config is enabled or not.
 
}}
 
}}
  
Line 116: Line 151:
 
|type=string
 
|type=string
 
|default=
 
|default=
|desc=Name of the interface the server will run on.
+
|desc=Name of the interface or [[#Interface/List| interface list]] the server will run on.
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=interim-update
 +
|type=time
 +
|default=0s
 +
|desc=Interval between scheduled RADIUS Interim-Update messages.
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=mac-auth-mode
 +
|type=mac-as-username {{!}} mac-as-username-and-password
 +
|default=mac-as-username
 +
|desc=Allows to control User-Name and User-Password RADIUS attributes when using MAC authentication.
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=radius-mac-format
 +
|type=XX-XX-XX-XX-XX-XX {{!}} XX:XX:XX:XX:XX:XX {{!}} XXXXXXXXXXXX {{!}} xx-xx-xx-xx-xx-xx {{!}} xx:xx:xx:xx:xx:xx {{!}} xxxxxxxxxxxx
 +
|default=XX:XX:XX:XX:XX:XX
 +
|desc=Controls how the MAC address of the client is encoded in the User-Name and User-Password attributes when using MAC authentication.
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=reject-vlan-id
 +
|type=nteger: 1..4094
 +
|default=!reject-vlan-id
 +
|desc=Assigned VLAN when authentication failed and a RADIUS server responded with an Access-Reject message. This property will not apply if the RADIUS server is not responding at all, the client authentication will simply timeout and the service will be unavailable. This property only has an effect when bridge <var>vlan-filtering</var> is enabled.
 
}}
 
}}
  
 
{{Mr-arg-table-end
 
{{Mr-arg-table-end
|arg=profile
+
|arg=retrans-timeout
|type=string
+
|type=time
|default=default
+
|default=30s
|desc=Name of the [[#Profile| profile template]] that will be used by this instance.
+
|desc=Time interval between message retransmissions if no response is received from supplicant.
 
}}
 
}}
  
Line 149: Line 212:
 
===Active===
 
===Active===
  
Currently authenticated interfaces are listed in this menu.
+
Currently authenticated clients are listed in this menu.
  
 
'''Read only properties'''
 
'''Read only properties'''
Line 156: Line 219:
 
|prop=Property
 
|prop=Property
 
|desc=Description
 
|desc=Description
 +
}}
 +
 +
{{Mr-arg-ro-table
 +
|arg=client-mac
 +
|type=mac-address
 +
|desc=MAC Address of the supplicant.
 
}}
 
}}
  
Line 168: Line 237:
 
|type=string
 
|type=string
 
|desc=Unique session identifier.
 
|desc=Unique session identifier.
}}
 
 
{{Mr-arg-ro-table
 
|arg=user-mac
 
|type=mac-address
 
|desc=MAC Address of the supplicant.
 
 
}}
 
}}
  
Line 183: Line 246:
  
 
{{Mr-arg-ro-table-end
 
{{Mr-arg-ro-table-end
|arg=vlan
+
|arg=vlan-id
 
|type=string
 
|type=string
 
|desc=Untagged VLAN ID that is assigned to the interface. VLAN ID filtering must be enabled on bridge.
 
|desc=Untagged VLAN ID that is assigned to the interface. VLAN ID filtering must be enabled on bridge.
}}
 
 
===Profile===
 
 
'''Properties'''
 
 
{{Mr-arg-table-h
 
|prop=Property
 
|desc=Description
 
}}
 
 
{{Mr-arg-table
 
|arg=accounting
 
|type=yes {{!}} no
 
|default=yes
 
|desc=Whether to send RADIUS accounting requests to authentication server.
 
}}
 
 
{{Mr-arg-table
 
|arg=auth-timeout
 
|type=time
 
|default=1m
 
|desc=
 
}}
 
 
{{Mr-arg-table
 
|arg=interim-update
 
|type=time
 
|default=0s
 
|desc=Interval between scheduled RADIUS Interim-Update messages.
 
}}
 
 
{{Mr-arg-table
 
|arg=name
 
|type=string
 
|default=
 
|desc=Name of the profile.
 
}}
 
 
{{Mr-arg-table-end
 
|arg=retrans-timeout
 
|type=time
 
|default=30s
 
|desc=
 
}}
 
 
 
'''Read only properties'''
 
 
{{Mr-arg-table-h
 
|prop=Property
 
|desc=Description
 
}}
 
 
{{Mr-arg-ro-table
 
|arg=default
 
|type=yes {{!}} no
 
|desc=Whether this is a default system entry.
 
}}
 
 
{{Mr-arg-ro-table-end
 
|arg=default-name
 
|type=string
 
|desc=Default profile name in case it has changed.
 
 
}}
 
}}
  
 
===State===
 
===State===
  
Statuses of all active dot1x servers are listed in this menu.
+
Statuses of all active dot1x server interfaces are listed in this menu.
  
 
'''Read only properties'''
 
'''Read only properties'''
Line 275: Line 274:
 
* <var>authorized</var> - access to interface is granted;
 
* <var>authorized</var> - access to interface is granted;
 
* <var>iface-down</var> - interface is not running;
 
* <var>iface-down</var> - interface is not running;
* <var>rejected-holding</var>
+
* <var>rejected-holding</var> - access was rejected by the RADIUS server;
 
* <var>un-authorized</var> - access to interface is not granted.
 
* <var>un-authorized</var> - access to interface is not granted.
 
}}
 
}}
Line 294: Line 293:
 
{{ Note | if RADIUS communication is done over public network, it is advised to use RadSec for RADIUS communication. More information: [[M:RADIUS_Client | RADIUS Client]] }}
 
{{ Note | if RADIUS communication is done over public network, it is advised to use RadSec for RADIUS communication. More information: [[M:RADIUS_Client | RADIUS Client]] }}
  
Add new dot1x server profiles if necessary and server instances.
+
Add new dot1x server instances.
 
 
<pre>
 
/interface dot1x server profile
 
add name=accounted interim-update=30s
 
add name=notaccounted accounting=no
 
</pre>
 
  
 
<pre>
 
<pre>
 
/interface dot1x server
 
/interface dot1x server
add interface=ether2 profile=accounted
+
add interface=ether2 interim-update=30s comment=accounted
add interface=ether12 profile=notaccounted
+
add interface=ether12 accounting=no comment=notaccounted
 
</pre>
 
</pre>
  
Line 358: Line 351:
 
  2  bridge=bridge1 vlan-ids=12 tagged=ether1 untagged="" current-tagged=ether1 current-untagged=ether12  
 
  2  bridge=bridge1 vlan-ids=12 tagged=ether1 untagged="" current-tagged=ether1 current-untagged=ether12  
 
</pre>
 
</pre>
 +
====Dynamic switch rule configuration====
 +
In some network configurations, additional access rules are needed for a particular supplicant to restrict or allow certain network services. This can be done using a Mikrotik-Switching-Filter attribute, please see the [[Manual:RADIUS_Client/vendor_dictionary | RADIUS vendor dictionary]]. When a client is successfully authenticated by an authentication server, the server can pass back the Mikrotik-Switching-Filter attribute. Based on the received information, the authenticator will create dynamic access rules on a switch port where the client resides. These rules will be active as long as the client session is active and the interface is running. There are certain order and restrictions regarding correct switch rule implementation:
 +
* The <var>mac-protocol</var>, <var>dst-address</var>, <var>dst-port</var> and <var>protocol</var> conditional parameters are supported. Only hexadecimal or decimal representation can be used for <var>mac-protocol</var> and <var>protocol</var> parameters
 +
* The <var>src-mac-address</var>, <var>switch</var> and <var>ports</var> conditional parametrs are automatically set for each rule
 +
* Each rule should end with an <var>action</var> property, supported values are either <b>drop</b> or <b>allow</b>
 +
* Multiple rules are supported for a single supplicant and they must be separated by a comma ","
 +
Below are some examples of Mikrotik-Switching-Filter attributes and dynamic switch rules they create:
 +
<pre>
 +
# Drop ARP frames (EtherType: 0x0806 or 2054)
 +
Mikrotik-Switching-Filter = "mac-protocol 2054 action drop"
 +
 +
[admin@MikroTik] /interface ethernet switch rule print
 +
Flags: X - disabled, I - invalid, D - dynamic
 +
0  D ;;; dot1x dynamic
 +
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
 +
 +
# Allow UDP (IP protocol: 0x11 or 17) destination port 100 and drop all other packets
 +
Mikrotik-Switching-Filter = "protocol 17 dst-port 100 action allow, action drop"
 +
 +
[admin@MikroTik] /interface ethernet switch rule print
 +
Flags: X - disabled, I - invalid, D - dynamic
 +
0  D ;;; dot1x dynamic
 +
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF protocol=udp dst-port=100 copy-to-cpu=no redirect-to-cpu=no mirror=no
 +
 +
1  D ;;; dot1x dynamic
 +
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
 +
</pre>
 +
 +
 +
In our example, Supplicant2 on ether2 is only allowed to access the 192.168.50.0/24 network with UDP destination port 50, all other traffic should be dropped. First, make sure that hardware offloading is working on bridge ports, otherwise switch rules might not work properly.
 +
<pre>
 +
[admin@MikroTik] /interface bridge port print
 +
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 +
#    INTERFACE                  BRIDGE                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 +
0  H ether1                      bridge1                  yes    1    0x80        10                10      none
 +
1  H ether2                      bridge1                  yes    1    0x80        10                10      none
 +
2  H ether12                    bridge1                  yes    1    0x80        10                10      none
 +
</pre>
 +
 +
With enabled RADIUS debug logs it is possible to see complete RADIUS message packets with all attributes. In our example, Mikrotik-Switching-Filter attribute is received in Access-Accept message from RADIUS server:
 +
<pre>
 +
02:35:38 radius,debug,packet received Access-Accept with id 121 from 10.1.2.3:1812
 +
(..)
 +
02:35:38 radius,debug,packet    MT-Switching-Filter = "mac-protocol 2048 dst-address 192.168.50.0/24 dst-port 50 protocol 17 action allow,action drop"
 +
</pre>
 +
 +
The dynamic switch rules are now present under the switch menu:
 +
<pre>
 +
[admin@MikroTik] > interface ethernet switch rule print
 +
Flags: X - disabled, I - invalid, D - dynamic
 +
0  D ;;; dot1x dynamic
 +
      switch=switch1 ports=ether2 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF mac-protocol=ip dst-address=192.168.50.0/24 protocol=udp dst-port=50 copy-to-cpu=no redirect-to-cpu=no mirror=no
 +
 +
1  D ;;; dot1x dynamic
 +
      switch=switch1 ports=ether2 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
 +
</pre>
 +
 +
{{ Note | Dynamic switch rules will only apply to RouterBoards with switch rule support - CRS3xx series switches, devices with QCA8337, Atheros8327 and Atheros8316 switch chips. CRS1xx/2xx series switches do no support this functionality. Take into consideration the maximum number of rules for each device, see [[Manual:CRS3xx_series_switches#Models | CRS3xx table]] and [[Manual:Switch_Chip_Features#Introduction | basic switch chip table]]}}
  
 
===RouterOS Supplicant configuration===
 
===RouterOS Supplicant configuration===
Line 383: Line 434:
 
/interface dot1x client print  
 
/interface dot1x client print  
 
Flags: I - inactive, X - disabled  
 
Flags: I - inactive, X - disabled  
  0  interface=ether1 eap-methods=eap-peap identity="dot1x-user" password="dot1xtest" anon-identity="anonymous" client-certificate=dot1x-client status="authenticated"  
+
  0  interface=ether1 eap-methods=eap-peap identity="dot1x-user" password="dot1xtest" anon-identity="anonymous" certificate=dot1x-client status="authenticated"  
 
</pre>
 
</pre>
  

Latest revision as of 09:44, 3 February 2020

Summary

Sub-menu: /interface dot1x


Dot1x is implementation of IEEE 802.1X standard in RouterOS. Main purpose is to provide port-based network access control using EAP over LAN also known as EAPOL. 802.1X consists of a supplicant, an authenticator and an authentication server (RADIUS server). Currently both authenticator and supplicant sides are supported in RouterOS. Supported EAP methods for supplicant are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and PEAPv0/EAP-MSCHAPv2.

Client

Properties

Property Description
anon-identity (string; Default: ) Identity for outer layer EAP authentication. Used only with eap-ttls and eap-peap methods. If not set, value from identity parameter will be used for outer layer EAP authentication.
certificate (string; Default: ) Name of a certificate listed in System/Certificates. Necessary when eap-tls method is used.
comment (string; Default: ) Short description of the entry.
disabled (yes | no; Default: no) Whether client is enabled or not.
eap-methods (eap-tls | eap-ttls | eap-peap | eap-mschapv2; Default: ) Ordered list of EAP methods used for authentication.
identity (string; Default: ) Supplicant identity used for EAP authentication.
interface (string; Default: ) Name of the interface the client will run on.
password (string; Default: ) Cleartext password for supplicant.


Read only properties

Property Description
status (authenticated | authenticating | disabled) Possible statuses:
  • authenticated - the client has successfully authenticated;
  • authenticated without server - access to the port is granted without communication with server;
  • authenticating - the server is reached and authentication process is ongoing;
  • connecting - initial stage of the authentication process;
  • disabled - the client is disabled;
  • error - an internal error has occurred;
  • interface is down - the parent interface is not running;
  • rejected - the server denied the authentication.

Server

Properties

Property Description
accounting (yes | no; Default: yes) Whether to send RADIUS accounting requests to authentication server.
auth-timeout (time; Default: 1m) Total time available for EAP authentication.
auth-types (dot1x | mac-auth; Default: dot1x) Used authentication type on a server interface, both options can be selected at the same time.
comment (string; Default: ) Short description of the entry.
disabled (yes | no; Default: no) Whether server config is enabled or not.
interface (string; Default: ) Name of the interface or interface list the server will run on.
interim-update (time; Default: 0s) Interval between scheduled RADIUS Interim-Update messages.
mac-auth-mode (mac-as-username | mac-as-username-and-password; Default: mac-as-username) Allows to control User-Name and User-Password RADIUS attributes when using MAC authentication.
radius-mac-format (XX-XX-XX-XX-XX-XX | XX:XX:XX:XX:XX:XX | XXXXXXXXXXXX | xx-xx-xx-xx-xx-xx | xx:xx:xx:xx:xx:xx | xxxxxxxxxxxx; Default: XX:XX:XX:XX:XX:XX) Controls how the MAC address of the client is encoded in the User-Name and User-Password attributes when using MAC authentication.
reject-vlan-id (nteger: 1..4094; Default: !reject-vlan-id) Assigned VLAN when authentication failed and a RADIUS server responded with an Access-Reject message. This property will not apply if the RADIUS server is not responding at all, the client authentication will simply timeout and the service will be unavailable. This property only has an effect when bridge vlan-filtering is enabled.
retrans-timeout (time; Default: 30s) Time interval between message retransmissions if no response is received from supplicant.


Active

Currently authenticated clients are listed in this menu.

Read only properties

Property Description
client-mac (mac-address) MAC Address of the supplicant.
interface (string) Name of the interface.
session-id (string) Unique session identifier.
username (string) Identity of the supplicant.
vlan-id (string) Untagged VLAN ID that is assigned to the interface. VLAN ID filtering must be enabled on bridge.

State

Statuses of all active dot1x server interfaces are listed in this menu.

Read only properties

Property Description
interface (string) Name of the interface.
status (string) Possible interface statuses:
  • authorized - access to interface is granted;
  • iface-down - interface is not running;
  • rejected-holding - access was rejected by the RADIUS server;
  • un-authorized - access to interface is not granted.

Application Example

Dot1x-setup.png

RouterOS Authenticator configuration

Start off by adding a new RADIUS client. The authentication server (RADIUS) does not necessary have to be in the same LAN as authenticator, but it must be reachable from the authenticator, so any firewall limitations must be considered.

/radius
add address=10.1.2.3 secret=radiussecret service=dot1x
Icon-note.png

Note: if RADIUS communication is done over public network, it is advised to use RadSec for RADIUS communication. More information: RADIUS Client


Add new dot1x server instances.

/interface dot1x server
add interface=ether2 interim-update=30s comment=accounted
add interface=ether12 accounting=no comment=notaccounted

Port based VLAN ID assignment

It is possible to assign an authenticated interface to a specific VLAN ID using bridge VLAN filtering. This can be done using RADIUS Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes. Note that only devices with hardware offloaded VLAN filtering will be able to do this in switch chip. See Bridge Hardware Offloading.

First of all, make sure the interface is added to a bridge which has VLAN filtering enabled.

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether12

It is necessary to add static VLAN configuration for tagged VLAN traffic to be sent over ether1 interface.

/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=2
add bridge=bridge1 tagged=ether1 vlan-ids=12

With enabled RADIUS debug logs it is possible to see complete RADIUS message packets with all attributes. In our example, Tunnel attributes are received in Access-Accept message from RADIUS server:

09:51:45 radius,debug,packet received Access-Accept with id 64 from 10.1.2.3:1812
09:51:45 radius,debug,packet     Tunnel-Type = 13 
09:51:45 radius,debug,packet     Tunnel-Medium-Type = 6 
09:51:45 radius,debug,packet     Tunnel-Private-Group-ID = "12" 
(..)
09:51:45 radius,debug,packet     User-Name = "dot1x-user" 

The VLAN ID is now present in active session list and untagged ports are added to previously created static VLAN configuration.

/interface dot1x server active print 
 0 interface=ether12 username="dot1x-user" user-mac=00:0C:42:EB:71:F6 session-id="86b00006" vlan=12 
/interface bridge vlan print detail 
Flags: X - disabled, D - dynamic 
 0 D bridge=bridge1 vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge1,ether3 

 1   bridge=bridge1 vlan-ids=2 tagged=ether1 untagged="" current-tagged=ether1 current-untagged=ether2 

 2   bridge=bridge1 vlan-ids=12 tagged=ether1 untagged="" current-tagged=ether1 current-untagged=ether12 

Dynamic switch rule configuration

In some network configurations, additional access rules are needed for a particular supplicant to restrict or allow certain network services. This can be done using a Mikrotik-Switching-Filter attribute, please see the RADIUS vendor dictionary. When a client is successfully authenticated by an authentication server, the server can pass back the Mikrotik-Switching-Filter attribute. Based on the received information, the authenticator will create dynamic access rules on a switch port where the client resides. These rules will be active as long as the client session is active and the interface is running. There are certain order and restrictions regarding correct switch rule implementation:

  • The mac-protocol, dst-address, dst-port and protocol conditional parameters are supported. Only hexadecimal or decimal representation can be used for mac-protocol and protocol parameters
  • The src-mac-address, switch and ports conditional parametrs are automatically set for each rule
  • Each rule should end with an action property, supported values are either drop or allow
  • Multiple rules are supported for a single supplicant and they must be separated by a comma ","

Below are some examples of Mikrotik-Switching-Filter attributes and dynamic switch rules they create:

# Drop ARP frames (EtherType: 0x0806 or 2054)
Mikrotik-Switching-Filter = "mac-protocol 2054 action drop"

[admin@MikroTik] /interface ethernet switch rule print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; dot1x dynamic
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""

# Allow UDP (IP protocol: 0x11 or 17) destination port 100 and drop all other packets
Mikrotik-Switching-Filter = "protocol 17 dst-port 100 action allow, action drop"

[admin@MikroTik] /interface ethernet switch rule print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; dot1x dynamic
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF protocol=udp dst-port=100 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 1  D ;;; dot1x dynamic
      switch=switch1 ports=ether1 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""


In our example, Supplicant2 on ether2 is only allowed to access the 192.168.50.0/24 network with UDP destination port 50, all other traffic should be dropped. First, make sure that hardware offloading is working on bridge ports, otherwise switch rules might not work properly.

[admin@MikroTik] /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                   BRIDGE                   HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether1                      bridge1                  yes    1     0x80         10                 10       none
 1   H ether2                      bridge1                  yes    1     0x80         10                 10       none
 2   H ether12                     bridge1                  yes    1     0x80         10                 10       none

With enabled RADIUS debug logs it is possible to see complete RADIUS message packets with all attributes. In our example, Mikrotik-Switching-Filter attribute is received in Access-Accept message from RADIUS server:

02:35:38 radius,debug,packet received Access-Accept with id 121 from 10.1.2.3:1812 
(..)
02:35:38 radius,debug,packet     MT-Switching-Filter = "mac-protocol 2048 dst-address 192.168.50.0/24 dst-port 50 protocol 17 action allow,action drop"

The dynamic switch rules are now present under the switch menu:

[admin@MikroTik] > interface ethernet switch rule print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; dot1x dynamic
      switch=switch1 ports=ether2 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF mac-protocol=ip dst-address=192.168.50.0/24 protocol=udp dst-port=50 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 1  D ;;; dot1x dynamic
      switch=switch1 ports=ether2 src-mac-address=CC:2D:E0:11:22:33/FF:FF:FF:FF:FF:FF copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports="" 
Icon-note.png

Note: Dynamic switch rules will only apply to RouterBoards with switch rule support - CRS3xx series switches, devices with QCA8337, Atheros8327 and Atheros8316 switch chips. CRS1xx/2xx series switches do no support this functionality. Take into consideration the maximum number of rules for each device, see CRS3xx table and basic switch chip table


RouterOS Supplicant configuration

CA certificates are required for eap-tls, eap-ttls and eap-peap authentication methods. Additionally a client certificate is required for eap-tls method. For this example we have already imported a P12 certificate bundle with self signed client and CA certificates. For more information how to import certificates in RouterOS, please visit System/Certificates.

/certificate print 
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #         NAME                                            COMMON-NAME                                         SUBJECT-ALT-NAME                                                                      FINGERPRINT                                        
 0 K  A  T dot1x-client                                    ez_dot1x-client                                     IP:10.1.2.34
 1  L A  T dot1x CA                                        ca                                      

Simply add a new dot1x client instance that will initiate authentication process.

/interface dot1x client
add anon-identity=anonymous client-certificate=dot1x-client eap-methods=eap-tls identity=dot1x-user interface=ether1 password=dot1xtest

If authentication was successful, the interface should have status authenticated.

/interface dot1x client print 
Flags: I - inactive, X - disabled 
 0   interface=ether1 eap-methods=eap-peap identity="dot1x-user" password="dot1xtest" anon-identity="anonymous" certificate=dot1x-client status="authenticated" 

[ Top | Back to Content ]