802.1X Port Based Authentication on the MikroTik Switch

Another nice Layer 2 feature is 802.1X Port-Based Authentication, normally referred to as dot1x. It has been available in RouterOS since version 6.45.

It provides port-based network access control using EAP over LAN, known as EAPOL.

Dot1x has three components:

  • Supplicant (Client): the device requesting access to the network. It can be a user workstation, printer or IP phone, but also a router or a switch.
  • Authenticator (Switch): the device that receives the request from the supplicant and forwards the supplicant's Dot1x credentials to the authentication server. This is usually the job of the MikroTik Switch.
  • Authentication Server (Radius): the device that holds the full user database and allows or denies the authentication of the supplicants. Most people use a Radius server for this job because most Radius servers support 802.1X. Note that the Radius server doesn't need to be in the same LAN as the Authenticator; it can be reached over the public internet. If this is the case, it is highly recommended to use an encrypted tunnel to the Radius server.

Extensible Authentication Protocol (EAP) is the protocol used to allow the authentication to pass between the supplicant and the authentication server.

The illustration below shows how the communication can happen between the supplicant and the Authentication server.

Let's start with the supplicant. As said, the supplicant is the device requesting to join the network. MikroTik RouterOS can also act as a supplicant with 802.1X authentication. To make the MikroTik Switch/Router a supplicant, go to the Dot1X tab in Winbox and fill in the client tab with the information needed, as follows:

There are different EAP methods that can be used:

  • EAP MSCHAPv2
  • EAP PEAP
  • EAP TLS
  • EAP TTLS

In most cases, you need to make the MikroTik Switch an Authenticator. You can make the Switch an Authenticator on one or more ports. Doing so is straightforward, as follows:
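
The authenticator and supplicant roles described above, written as RouterOS terminal commands rather than Winbox dialogs. This is an added example, not configuration from the original page. The RADIUS address, shared secret, interface names, identity and password are placeholder assumptions, and ether2 is assumed to already be a bridge port on the switch.

```routeros
# --- Authenticator (the MikroTik switch) ---
# RADIUS server that validates the supplicants. service=dot1x restricts
# this entry to 802.1X requests. Address and secret are placeholders.
/radius
add address=192.0.2.10 secret="CHANGE-ME-long-random-secret" service=dot1x

# Enable the dot1x server on the access port
# (assumption: ether2, already a member of the bridge).
/interface dot1x server
add interface=ether2

# Check the per-port state and the currently authenticated sessions.
/interface dot1x server state print
/interface dot1x server active print

# --- Supplicant (a second RouterOS device, uplink on ether1) ---
# eap-methods takes one of the methods listed above:
# eap-mschapv2, eap-peap, eap-tls or eap-ttls.
/interface dot1x client
add interface=ether1 eap-methods=eap-peap identity="switch-02" password="CHANGE-ME"

# Confirm the client entry and its authentication status.
/interface dot1x client print
```

If the Radius server is reached over the public internet, set `address` to its tunnel-side IP so the requests travel inside the encrypted tunnel recommended earlier.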

 

That’s all you need to know about Dot1X.
