SSO with 802.1x on a Mikrotik fails
  • SSO with 802.1x on a Mikrotik fails

    Greetings!

    Laptop and phones can connect using 802.1x. The users are stored in Userman, a built-in Radius on mikrotik. The same device is the access point, router, dhcp and radius.

    RouterOS version is 7.20.5

    Do I need to tell the dhcp server in Mikrotik to use radius so it will send accounting packets to the NxFilter so it can create the mapping?

    Mikrotik is not inserting the Framed-IP-Address when the 802.1x happens because it does not know the IP.

    Do the Unifi access points do some sniffing to detect the IP and then send the Framed-IP-Address seconds later for accounting purposes and that is what NxFilter uses?

    Thanks for answering.

  • #2
    Yeah, NxFilter works as an accounting server and you need to send the accounting message to NxFilter. So, you should have a default user associated with the whole IP range of the network. The users will appear as the default user before NxFilter receives the accounting message for them.



    • #3
      After capturing outgoing packets towards the NxFilter port 1813 for some minutes, there is no Framed-IP-Address inside the packets that the Mikrotik router is sending to the NxFilter. In the Mikrotik, radius is only used for 802.1x, not dhcp.

      If in the Mikrotik the DHCP is used with Radius, then the Framed-IP-Address is included and since "Auto-register for New User" is active, a new account is created with the mac-address of the client as the username, not the username that was previously reported during 802.1x authentication.

      Couldn't NxFilter map user to MAC based on both packets, RADIUS and DHCP?



      • #4
        There's no MAC in a DNS packet. We can't use it on NxFilter side unless we run the integrated DHCP server. However, I guess you already have a DHCP server. So, it's not an option for you I guess.

        If you have to implement 802.1x then you have to enable DHCP on the router.



        • #5
          Once the integrated DHCP server works, will NxFilter be able to map the MAC address from the DHCP with the MAC and username received as the radius accounting server?



          • #6
            No. We don't take the MAC from a radius server. And if you run the DHCP server by NxFilter, your DHCP will not be working. I guess it would be easier for you to run a DHCP server with Mikrotik.



            • #7
              After analyzing the accounting packets sent to NxFilter with Wireshark, I found that MikroTik access points acting as RADIUS authenticators do not include the user's Framed-IP-Address in their accounting records. Also, when using the built-in DHCP with RADIUS for accounting, it only sends a packet once when a lease is granted, but not when it is renewed, so it is hard to track.

              Will try a syslog to RADIUS accounting translator, so Mikrotik could send all DHCP and 802.1x logs to it and this app could inject the proper accounting packets that NxFilter could understand to map user to IP.

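The translator idea in the post above, as an added example that is not the poster's code and not part of NxFilter or RouterOS: a minimal RFC 2866 Accounting-Request (Start) builder and checker in Python that carries User-Name, Framed-IP-Address and Calling-Station-Id and computes the Request Authenticator over the shared secret. The username, IP, MAC, session id and secret used in the test are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# RADIUS attribute types used here (RFC 2865 / RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCOUNTING_REQUEST, ACCT_START = 4, 1   # packet code; Acct-Status-Type "Start"
NAMES = {USER_NAME: "User-Name", CALLING_STATION_ID: "Calling-Station-Id",
         ACCT_SESSION_ID: "Acct-Session-Id"}

def _avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (length includes the header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_acct_start(username, client_ip, client_mac, session_id, secret, identifier=1):
    """Build an Accounting-Request (Start) that carries the user-to-IP mapping.
    Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(client_ip).packed)
             + _avp(CALLING_STATION_ID, client_mac.encode())
             + _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _avp(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_acct(packet, secret):
    """Check the Request Authenticator, then decode the attributes an accounting
    server such as NxFilter would read to map a user to an IP."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != packet[4:20]:
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    out, pos = {}, 0
    while pos < len(attrs):
        attr_type = attrs[pos]
        attr_len = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")   # also prevents an endless loop
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            out["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif attr_type in NAMES:
            out[NAMES[attr_type]] = value.decode()
        pos += attr_len
    return out
```

Sending the returned bytes over UDP to port 1813 is all a translator would add on top; the parser doubles as a check that a captured packet actually carries the Framed-IP-Address NxFilter needs.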


              • #8
                I think it's too complicated. It's better to use FreeRadius in my opinion. I know there are users using FreeRadius with NxFilter. It sends IP and it also has a built-in DHCP server in my memory.



                • #9
                  Originally posted by support200:
                  "I think it's too complicated. It's better to use FreeRadius in my opinion. I know there are users using FreeRadius with NxFilter. It sends IP and it also has a built-in DHCP server in my memory."

                  The one reporting the framed-ip over accounting packets is not the authentication server (FreeRadius) but the authenticator. In the documentation sample about using RADIUS I see a Ubiquiti AP was used; fortunately that brand reports the framed-ip to NxFilter after authorization and sniffing some packets.

                  The Mikrotik AP (RouterOS 7.20) does not send the framed-ip to NxFilter, that is why I am searching for ways to get it.

                  If NxFilter is used as the DHCP server, and it receives the 802.1x RADIUS accounting packet with the MAC and the user, NxFilter could glue them. That would be the best way to have that mapping from 802.1x user to the IP given by the DHCP.



                  • #10
                    In that case, it's only for people who use NxFilter’s DHCP together with a RADIUS server that does not send the Framed-IP-Address. This is not a preferable solution for us, as it is a very non-standard setup.

                    Did you look into FreeRadius DHCP server? I think I tested it several years ago and it worked fine. And we also tested it with Unifi router and Windows RADIUS server.
