Overview
This document provides the complete working configuration for dynamic VLAN assignment on Mikrotik RouterOS 7.x wireless access points using RADIUS authentication with EAP-TLS (certificate-based authentication).
Must Have RADIUS Attribute: RouterOS 7.x requires the Mikrotik-Wireless-VLANID RADIUS attribute for wireless dynamic VLAN assignment to work properly.
Authentication Method: EAP-TLS using client certificates with UPN (User Principal Name) in the Subject Alternative Name field.
Network Architecture: Mikrotik acts as a wireless access point only. DHCP services are provided by a remote server, not by the Mikrotik router.
X.509 Certificate User Identification
In modern PKI (Public Key Infrastructure) setups, X.509v3 certificates identify users through specific certificate fields that contain user identity information. The most common methods are:
Important Note: Using the Common Name (CN) or other X.500 subject fields for user identification is considered outdated and deprecated in modern PKI deployments. RFC 5280 and subsequent standards recommend using Subject Alternative Name (SAN) extensions for identity information.
Why CN is Deprecated:
- Limited scope: CN can only contain a single identity value
- Ambiguity: CN doesn't specify the type of identity (user, host, service)
- Security concerns: CN validation is less strict than SAN validation
- Modern standards: RFC 5280, RFC 6125, and RFC 8399 mandate SAN usage
- Browser deprecation: Modern browsers no longer trust CN for hostname validation
User Principal Name (UPN)
The User Principal Name (UPN) is the primary method for user identification in enterprise environments. It follows the format username@domain.com and is stored in the certificate’s Subject Alternative Name (SAN) extension.
Certificate Field Location:
Subject Alternative Name:
otherName: 1.3.6.1.4.1.311.20.2.3 (UPN)
Email: user@domain.com
Example UPN in Certificate:
X509v3 Subject Alternative Name:
otherName: 1.3.6.1.4.1.311.20.2.3, SEQUENCE:UTF8String:userA@company.com
Email Address in Subject Alternative Name
Alternatively, user identification can be based on the email address field in the Subject Alternative Name extension.
Certificate Field Location:
Subject Alternative Name:
Email: user@domain.com ← Used for user identification
How RADIUS Uses Certificate Identity
During EAP-TLS authentication:
- Client presents certificate to the RADIUS server
- RADIUS extracts user identity from either:
  - UPN in the SAN extension (preferred)
  - Email address in the SAN extension (fallback)
- RADIUS maps the identity to VLAN assignment rules
- RADIUS returns VLAN attributes based on the user identity
Example RADIUS Processing:
Certificate UPN: userA@company.com
↓
RADIUS looks up userA@company.com in user database
↓
RADIUS finds VLAN assignment: VLAN 1812
↓
RADIUS returns: Tunnel-Private-Group-Id = 1812
Certificate Requirements for Dynamic VLAN Assignment
For proper dynamic VLAN assignment, client certificates must contain:
- Valid UPN or email address in the Subject Alternative Name extension
- Proper certificate chain trusted by the RADIUS server
- Valid certificate dates (not expired, not future-dated)
- Appropriate key usage (digital signature, key encipherment)
Comparison: Old vs Modern Certificate Identity
Old Approach (Deprecated):
Subject: CN=userA, OU=IT, O=Company, C=US
- Uses Common Name (CN) from subject field
- Limited to single identity value
- No type specification
- Not recommended for modern deployments
Modern Approach (Recommended):
Subject: CN=userA, OU=IT, O=Company, C=US
X509v3 Subject Alternative Name:
otherName: 1.3.6.1.4.1.311.20.2.3, SEQUENCE:UTF8String:userA@company.com
Email: userA@company.com
- Uses Subject Alternative Name (SAN) extension
- Supports multiple identity types
- Clear type specification (UPN, email)
- Compliant with modern PKI standards
Network Architecture Diagram
┌─────────────────────────────────────────────────────────┐
│ CLIENT A PATH (VLAN 1812) │
└─────────────────────────────────────────────────────────┘
┌─────────────┐
│ Client A │
│(EAP-TLS) │
│userA@... │
└─────┬───────┘
│ 802.11
▼
┌─────────────┐
│ Mikrotik AP │
│RouterOS 7.x │
│ ┌─────────┐ │ ← RADIUS assigns VLAN 1812
│ │ wlan1/2 │ │ based on userA@domain.com
│ └───┬─────┘ │
│ ┌───▼─────┐ │ ← VLAN filtering enabled
│ │ bridge │ │ ingress-filtering=no
│ └───┬─────┘ │
└─────┼───────┘
│ 802.1Q VLAN 1812
▼
┌─────────────┐
│ Upstream │
│Switch/Router│
│(Trunk Port) │
└─────┬───────┘
│ VLAN 1812
▼
┌─────────────┐
│ Remote DHCP │
│Server VLAN │
│192.168.44.x │
└─────────────┘
┌─────────────────────────────────────────────────────────┐
│ CLIENT B PATH (VLAN 2000) │
└─────────────────────────────────────────────────────────┘
┌─────────────┐
│ Client B │
│(EAP-TLS) │
│userB@... │
└─────┬───────┘
│ 802.11
▼
┌─────────────┐
│ Mikrotik AP │
│RouterOS 7.x │
│ ┌─────────┐ │ ← RADIUS assigns VLAN 2000
│ │ wlan1/2 │ │ based on userB@domain.com
│ └───┬─────┘ │
│ ┌───▼─────┐ │ ← VLAN filtering enabled
│ │ bridge │ │ ingress-filtering=no
│ └───┬─────┘ │
└─────┼───────┘
│ 802.1Q VLAN 2000
▼
┌─────────────┐
│ Upstream │
│Switch/Router│
│(Trunk Port) │
└─────┬───────┘
│ VLAN 2000
▼
┌─────────────┐
│ Remote DHCP │
│Server VLAN │
│192.168.55.x │
└─────────────┘
┌─────────────────────────────────────────────────────────┐
│ SHARED INFRASTRUCTURE │
└─────────────────────────────────────────────────────────┘
┌─────────────┐
│ FreeRADIUS │
│ Server │
│ ┌─────────┐ │ ← Processes certificate UPN
│ │ EAP-TLS │ │ Returns VLAN attributes
│ └─────────┘ │
│ ┌─────────┐ │ ← Adds Mikrotik-Wireless-VLANID
│ │Post-Auth│ │ attribute for RouterOS 7.x
│ └─────────┘ │
└─────────────┘
VLAN Assignment Flow
Client A (userA@domain.com):
1. Client A connects with EAP-TLS certificate
└── Certificate contains UPN: userA@domain.com
2. Mikrotik sends RADIUS request to FreeRADIUS
└── Includes certificate UPN: userA@domain.com
3. FreeRADIUS processes UPN and returns:
└── Tunnel-Type = VLAN
└── Tunnel-Medium-Type = IEEE-802
└── Tunnel-Private-Group-Id = 1812
└── Mikrotik-Wireless-VLANID = 1812 ← REQUIRED for RouterOS 7.x
4. Mikrotik assigns Client A to VLAN 1812
└── Client A traffic is tagged with VLAN 1812
└── Sent to upstream switch via trunk port
5. Upstream switch routes VLAN 1812 traffic
└── To remote DHCP server for VLAN 1812
└── Client A gets IP from 192.168.44.x subnet
Client B (userB@domain.com):
1. Client B connects with EAP-TLS certificate
└── Certificate contains UPN: userB@domain.com
2. Mikrotik sends RADIUS request to FreeRADIUS
└── Includes certificate UPN: userB@domain.com
3. FreeRADIUS processes UPN and returns:
└── Tunnel-Type = VLAN
└── Tunnel-Medium-Type = IEEE-802
└── Tunnel-Private-Group-Id = 2000
└── Mikrotik-Wireless-VLANID = 2000 ← REQUIRED for RouterOS 7.x
4. Mikrotik assigns Client B to VLAN 2000
└── Client B traffic is tagged with VLAN 2000
└── Sent to upstream switch via trunk port
5. Upstream switch routes VLAN 2000 traffic
└── To remote DHCP server for VLAN 2000
└── Client B gets IP from 192.168.55.x subnet
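The FreeRADIUS side of the processing and flow described above, as an added example that is not part of the original post: a post-auth section for the default virtual server that takes the identity from the client certificate's SAN (UPN preferred, e-mail fallback), maps it to a VLAN and returns both the standard tunnel attributes and Mikrotik-Wireless-VLANID. The file path, the identity-to-VLAN map and the use of the Tmp-* attributes are assumptions; the TLS-Client-Cert-* attribute names are those of FreeRADIUS 3.x.

```unlang
# Assumed location: /etc/freeradius/3.0/sites-enabled/default, post-auth section.
post-auth {
    # Identity comes from the verified EAP-TLS client certificate (set by rlm_eap_tls),
    # not from the outer User-Name the supplicant sends: prefer the SAN UPN,
    # fall back to the SAN e-mail, otherwise reject.
    if (&TLS-Client-Cert-Subject-Alt-Name-Upn) {
        update request {
            &Tmp-String-0 := &TLS-Client-Cert-Subject-Alt-Name-Upn
        }
    }
    elsif (&TLS-Client-Cert-Subject-Alt-Name-Email) {
        update request {
            &Tmp-String-0 := &TLS-Client-Cert-Subject-Alt-Name-Email
        }
    }
    else {
        reject
    }

    # Identity -> VLAN map (constructed values; use a files or SQL module in production).
    if (&Tmp-String-0 == "userA@company.com") {
        update request { &Tmp-Integer-0 := 1812 }
    }
    elsif (&Tmp-String-0 == "userB@company.com") {
        update request { &Tmp-Integer-0 := 2000 }
    }
    else {
        # No VLAN rule for this identity: reject rather than let the client
        # land in the bridge's default VLAN.
        reject
    }

    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
        &Tunnel-Private-Group-Id := "%{Tmp-Integer-0}"
        # RouterOS 7.x ignores the tunnel attributes alone; the vendor attribute is required.
        &Mikrotik-Wireless-VLANID := "%{Tmp-Integer-0}"
    }
}
```

Run the server with radiusd -X during testing and confirm the Access-Accept debug output lists Mikrotik-Wireless-VLANID alongside the three Tunnel-* attributes.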
Prerequisites
- RouterOS 7.x with the classic wireless package (not wifiwave2)
- FreeRADIUS server configured for EAP-TLS authentication
- Client certificates properly configured and trusted by the RADIUS server
- RADIUS server must send the Mikrotik-Wireless-VLANID attribute
- Upstream switch/router with VLAN trunking configured
- Remote DHCP server (not local to Mikrotik) configured for each VLAN subnet
Complete RouterOS Configuration
1. Bridge Configuration
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf name=bridge vlan-filtering=yes ingress-filtering=no
Critical Settings:
- vlan-filtering=yes - Enables VLAN filtering
- ingress-filtering=no - REQUIRED for dynamic VLAN assignment in RouterOS 7.x
- frame-types=admit-all - Allows all frame types
2. VLAN Interfaces
/interface vlan
add interface=bridge name=vlan1812 vlan-id=1812
add interface=bridge name=vlan2000 vlan-id=2000
3. Wireless Security Profile
/interface wireless security-profiles
add authentication-types=wpa2-eap,wpa3-eap comment=EAP-RADIUS-SECURITY disabled=no encryption=tkip,gcmp,gcmp-256 name=EAP-RADIUS-SECURITY
4. Wireless Interfaces
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment=wpa-enterprise-2GHz country=bulgaria disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge security-profile=EAP-RADIUS-SECURITY ssid=wpa-enterprise vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX comment=wpa-enterprise-5GHz country=bulgaria disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge security-profile=EAP-RADIUS-SECURITY ssid=wpa-enterprise vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
Critical Settings:
- vlan-mode=use-tag - Enables dynamic VLAN assignment
- security-profile=EAP-RADIUS-SECURITY - Uses EAP-RADIUS authentication
5. Bridge Ports
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=wpa-enterprise-2GHz interface=wlan1
add bridge=bridge comment=wpa-enterprise-5GHz interface=wlan2
add bridge=bridge comment=ether1/upstream interface=ether1
6. Bridge VLAN Table
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge,wlan1,wlan2 vlan-ids=1812
add bridge=bridge tagged=ether1,bridge,wlan1,wlan2 vlan-ids=2000
Critical Settings:
- Wireless interfaces (wlan1, wlan2) must be tagged (not untagged)
- All interfaces that need dynamic VLAN assignment must be in the tagged list
7. RADIUS Configuration
/radius
add address=192.168.0.254 comment=192.168.0.254 service=wireless
Critical Settings:
- service=wireless - Required for wireless VLAN assignment
- Ensure the RADIUS secret matches on both sides
8. Bridge Port Settings (Automatic)
The bridge ports will automatically have these settings:
- pvid=1 - Default VLAN ID
- frame-types=admit-all - Allows all frame types
- ingress-filtering=yes - Per-port ingress filtering
Verification Commands
1. Check Bridge Configuration
/interface bridge print detail
Expected Output:
name="bridge" vlan-filtering=yes ingress-filtering=no frame-types=admit-all
2. Check Bridge VLAN Table
/interface bridge vlan print
Expected Output:
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
1 bridge 1812 bridge,ether1,wlan1,wlan2
2 bridge 2000 bridge,ether1,wlan1,wlan2
3. Check Wireless Registration Table
/interface wireless registration-table print
Expected Output:
Columns: INTERFACE, MAC-ADDRESS, AP, SIGNAL-STRENGTH, TX-RATE, UPTIME
# INTERFACE MAC-ADDRESS AP SIGNAL-STRENGTH TX-RATE UPTIME
0 wlan1 9C:EF:D5:FB:DB:62 no -27dBm@HT20-0 1Mbps 7s
Important: This command shows connected clients but does NOT display VLAN assignment information. The VLAN assignment happens transparently in the background. Do not expect to see a VLAN-ID column or VLAN information in this output - this is normal behavior for RouterOS 7.x.
4. Check RADIUS Configuration
/radius print
Expected Output:
# SERVICE ADDRESS SECRET
0 wireless 192.168.0.254 test123
5. Verify Dynamic VLAN Assignment
Important: The /interface wireless registration-table print command does NOT show VLAN information in RouterOS 7.x. This is normal behavior - do not expect to see VLAN-ID columns or VLAN assignment details in this output.
To verify dynamic VLAN assignment is working:
- Check client IP address - Client should get an IP from the assigned VLAN subnet (provided by the remote DHCP server)
- Check upstream switch/router - Verify traffic is tagged with the correct VLAN
- Monitor FreeRADIUS logs - Confirm Mikrotik-Wireless-VLANID is being sent
- Test connectivity - Client should only reach resources in the assigned VLAN
Troubleshooting
Issue: Client Gets IP from Wrong VLAN
Symptoms: Client connects successfully but gets IP from default VLAN instead of assigned VLAN.
Solution: Ensure RADIUS is sending Mikrotik-Wireless-VLANID attribute and check upstream switch port trunking configuration.
Issue: DHCP Server Not Responding
Symptoms: Client connects but cannot get an IP address.
Solution: Check upstream switch port trunking and remote DHCP server configuration for the assigned VLAN. Verify the remote DHCP server is listening on the correct VLAN and has available IP addresses.
Issue: Authentication Fails
Symptoms: Client cannot authenticate at all.
Solution: Check RADIUS server connectivity and EAP-TLS certificate configuration. Verify client certificates are valid and trusted by the RADIUS server.
Common Mistakes
- Missing ingress-filtering=no on bridge - Required for dynamic VLANs
- Wireless interfaces as untagged in bridge VLAN table - Must be tagged
- Missing Mikrotik-Wireless-VLANID in RADIUS reply - Required for RouterOS 7.x
- Wrong RADIUS service - Must be service=wireless
- Wrong vlan-mode - Must be vlan-mode=use-tag
RouterOS Version Compatibility
- RouterOS 6.x: Works with standard RADIUS attributes only
- RouterOS 7.x: Requires the Mikrotik-Wireless-VLANID attribute
- wifiwave2 package: Does not support dynamic VLAN assignment
Summary
The key to making wireless dynamic VLAN assignment work in RouterOS 7.x is:
- Correct bridge configuration with ingress-filtering=no
- Wireless interfaces as tagged in bridge VLAN table
- RADIUS sending the Mikrotik-Wireless-VLANID attribute
- Proper wireless interface configuration with vlan-mode=use-tag
This configuration has been tested and verified to work with RouterOS 7.19.2 and FreeRADIUS with EAP-TLS authentication.