

Dynamic VLAN Assignment with RADIUS and CAPsMAN Configuration Example

MUM China ‐ April 10, 2016
Jesse Liu, Lethbridge
About Me
• Jesse Liu, Lethbridge
– Over 10 years experience using RouterOS
– Specialization in Wireless, Tunnel and Routing
– MikroTik Certified Consultant
– MikroTik MTCNA, MTCWE, MTCTCE Certifications
– Cisco CCNP, CCDP Certifications
Special Thanks

802.1X
• 802.1X is NOT an encryption type. It is basically just a
per‐user (e.g. username and password)
authentication mechanism.
• WPA2 is a security scheme that specifies two main
aspects of your wireless security:
– Authentication: Your choice of PSK ("Personal") or
EAP ("Enterprise").
– Encryption: Always AES‐CCMP.
Dynamic VLAN assignment
• VLANs are used to assign wireless users to different
networks without requiring the use of multiple SSIDs.
• Each user’s VLAN assignment is stored in the user
database of the RADIUS server that authenticates the
users.

Network Diagram

[Diagram: CAPsMAN, CAP, RADIUS Server, Internal Network; user1 / VLAN 21, user2 / VLAN 22]
Security Cfg.

passthrough – The controller will relay the authentication process to the RADIUS server.
Add a RADIUS Server for wireless service

Timeout – defines how many milliseconds can elapse
while waiting for the answer from the RADIUS server.
If you are using a slower connection to the RADIUS server,
set this timeout higher (3000‐5000 ms).
To create a RADIUS client

Create Self-Signed Server Certificate

Click the "Generate Certificate" button to create
the certificate after filling in the necessary fields.
Import newly created certificate to RADIUS

Add attribute "TLS‐Server‐Certificate", type "Check".
Your certificate will be in the drop-down; click [Add/Update].
VLAN Interfaces

Datapath

Enables and specifies the type of VLAN tag to be assigned to the interface (causes all received data
to get tagged with the VLAN tag and allows the interface to only send out data tagged with the given tag).
RADIUS attributes
• The RADIUS attributes used for the VLAN ID
assignment are:
Specifies the VLAN ID
• For each user, add RADIUS attributes which specify
the VLAN information to be sent to the CAPsMAN.

In this example, user1 is assigned VLAN 21 and user2
is assigned VLAN 22.
MAC address binding

Bind multiple MAC addresses to one
user

Bind multiple MAC addresses to one
user

‐ Phone
‐ Tablet
‐ Laptop
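
An added example, not from the presentation, of the authorization step these slides describe: a RADIUS server-side check that the Calling-Station-Id carried in the Access-Request is one of the MAC addresses bound to the user (phone, tablet, laptop) before that user's VLAN is returned. The user database, the MAC addresses and the dict-based request shape are constructed for illustration; in a real deployment this runs after the EAP credentials have already been verified, and the MAC list is a second factor tying the account to known devices, not a replacement for the credential check.

```python
"""Added example (not from the presentation): bind several device MAC
addresses to one RADIUS user and return that user's VLAN only when the
requesting station is one of them. The database below is constructed."""
import re

# Constructed database: per user, the VLAN to assign and every device the
# user may authenticate from (e.g. phone, tablet, laptop).
USER_DB = {
    "user1": {"vlan": 21, "macs": {"00:0C:42:00:00:01", "00:0C:42:00:00:02", "00:0C:42:00:00:03"}},
    "user2": {"vlan": 22, "macs": {"00:0C:42:00:00:04"}},
}


def normalize_mac(mac):
    """Canonical 'AA:BB:CC:DD:EE:FF' from colon, hyphen or dotted notation.

    NAS devices differ in how they format Calling-Station-Id (wireless APs
    commonly send 'AA-BB-CC-DD-EE-FF'), so never compare the raw string."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request, db=USER_DB):
    """Decide one Access-Request given as {attribute name: value}.

    Returns ("Access-Accept", {"vlan": n}) or ("Access-Reject", reason).
    Runs after credential verification; it only decides the device binding."""
    username = request.get("User-Name")
    station = request.get("Calling-Station-Id")
    if not username or username not in db:
        return ("Access-Reject", "unknown user")
    if not station:
        # Refuse rather than accept: without a MAC the binding cannot be checked.
        return ("Access-Reject", "no Calling-Station-Id")
    try:
        mac = normalize_mac(station)
    except ValueError:
        return ("Access-Reject", "unparseable Calling-Station-Id")
    entry = db[username]
    if mac not in entry["macs"]:
        return ("Access-Reject", f"{mac} is not bound to {username}")
    return ("Access-Accept", {"vlan": entry["vlan"]})


if __name__ == "__main__":
    print(authorize({"User-Name": "user1", "Calling-Station-Id": "00-0c-42-00-00-02"}))
    print(authorize({"User-Name": "user2", "Calling-Station-Id": "00:0C:42:00:00:01"}))
```

The reject reasons are for the server log only; the NAS and the client see a plain Access-Reject, so a failed binding attempt shows up in the RADIUS log with the offending MAC, which is the event worth alerting on.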

Registration Table
• Description of an entry. The comment is taken from the
RADIUS attributes if specified.

Mikrotik‐Wireless‐Comment

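The VLAN attribute list on the "RADIUS attributes" slide and the Mikrotik‐Wireless‐Comment attribute above are only shown in screenshots that are not reproduced here. As an added example (not the presentation's or MikroTik's code), the following Python encodes an Access-Accept that carries a user's VLAN ID both as the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple and as MikroTik vendor-specific attributes together with a wireless comment, computes the RFC 2865 Response Authenticator, and then decodes and verifies the packet the way a NAS would. The standard attribute numbers are from RFC 2865/2868/3580 and the vendor ID 14988 is MikroTik's IANA enterprise number; the sub-attribute numbers for Mikrotik-Wireless-VLANID (26) and Mikrotik-Wireless-Comment (21) are an assumption taken from FreeRADIUS's dictionary.mikrotik, and which of the two attribute sets a given RouterOS version honours is not stated on the slides. The shared secret and request authenticator are constructed.

```python
"""Added example (not from the presentation): encode the RADIUS Access-Accept
attributes that carry a per-user VLAN ID and wireless comment, then verify and
decode them as a NAS would. MikroTik sub-attribute numbers are assumed from
FreeRADIUS's dictionary.mikrotik; check them against your own dictionary."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
USER_NAME, VENDOR_SPECIFIC = 1, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
MIKROTIK_VENDOR = 14988                            # MikroTik IANA enterprise number
MT_WIRELESS_COMMENT, MT_WIRELESS_VLANID = 21, 26   # assumed from dictionary.mikrotik


def attr(attr_type, value):
    """Type | Length | Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def tunnel_attr(attr_type, value, tag=0):
    """Tunnel-* attributes (RFC 2868) prefix the value with a one-octet Tag."""
    if isinstance(value, int):
        value = struct.pack("!I", value)[1:]   # integer tunnel values are 3 octets
    else:
        value = value.encode()
    return attr(attr_type, bytes([tag]) + value)


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id | Vendor-Type | Vendor-Length | value."""
    value = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def vlan_reply_attributes(vlan_id, comment):
    """The RFC 3580 tunnel triple plus the MikroTik VSAs for one user."""
    return [tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
            tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
            tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
            vsa(MIKROTIK_VENDOR, MT_WIRELESS_VLANID, vlan_id),
            vsa(MIKROTIK_VENDOR, MT_WIRELESS_COMMENT, comment)]


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s.3)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet, request_authenticator, secret):
    """A NAS must recompute the Response Authenticator before acting on the VLAN."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(body):
    """Walk the Type/Length/Value list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def decode_vlan_reply(packet):
    """Extract the tunnel VLAN, the MikroTik VLAN ID and the comment from an Access-Accept."""
    result = {"tunnel_vlan": None, "mikrotik_vlan": None, "comment": None}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            group = value[1:] if value[0] <= 0x1F else value   # RFC 2868: octet > 0x1F is data, not a Tag
            result["tunnel_vlan"] = int(group.decode())
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            sub = value[6:4 + vendor_len]
            if vendor_id != MIKROTIK_VENDOR or vendor_len < 2 or len(sub) != vendor_len - 2:
                continue
            if vendor_type == MT_WIRELESS_VLANID and len(sub) == 4:
                result["mikrotik_vlan"] = struct.unpack("!I", sub)[0]
            elif vendor_type == MT_WIRELESS_COMMENT:
                result["comment"] = sub.decode(errors="replace")
    return result


def demo():
    """Constructed exchange: the server accepts user1 into VLAN 21 with a comment."""
    secret = b"constructed-shared-secret"
    request_authenticator = os.urandom(16)   # normally copied from the Access-Request
    attributes = [attr(USER_NAME, b"user1")] + vlan_reply_attributes(21, "user1 phone")
    packet = build_access_accept(7, request_authenticator, secret, attributes)
    if not verify_access_accept(packet, request_authenticator, secret):
        raise RuntimeError("authenticator check failed")
    return decode_vlan_reply(packet)
```

The verify step is the part that matters on the NAS side: the Response Authenticator is the only thing binding the VLAN decision to the shared secret, so a reply that fails it must be dropped before its attributes are read. The parser also refuses zero-length and truncated attributes rather than looping or reading past the buffer, which is the usual failure mode of hand-written RADIUS decoders.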
EAP‐TLS
• For a RouterOS client, only EAP‐TLS is possible.
• For a RouterOS AP ‐ to clients any EAP method is
possible.
More information at:
http://mum.mikrotik.com/2016/CN/agenda

Thank you for participating
