Hi Fabrice,

Even better! 😊

Herewith my minimal modifications. I’ll submit a patch after doing some more 
testing, but everything looks good so far:
--- Mikrotik.pm.orig                            2021-05-08 07:38:14.976719201 
+0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm     2021-05-19 23:05:18.489619568 
+0200
@@ -29,6 +29,7 @@
     $SSID
     $WIRELESS_MAC_AUTH
     $WEBAUTH_WIRELESS
+    $WIRELESS
);
sub description { 'Mikrotik' }

@@ -46,6 +47,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+    WiredMacAuth
+    WiredDot1x
     WirelessMacAuth
     ExternalPortal
     WebFormRegistration
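Review bot: WiredMacAuth is added to the pf::SwitchSupports list here together with WiredDot1x, yet the covering message says MAC fallback has been a problem since 6.48 and is only expected to be fixed in the next stable release. Consider holding back WiredMacAuth until that is verified, or adding a comment or POD line next to the capability that states which release it was tested against, so the capability list does not promise a mode that fails on affected releases.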
@@ -139,7 +142,8 @@
sub deauthTechniques {
     my ($self, $method, $connection_type) = @_;
     my $logger = $self->logger;
-    my $default = $SNMP::SSH;
+    my $default = $SNMP::RADIUS;
     my %tech = (
         $SNMP::SSH    => 'deauthenticateMacSSH',
         $SNMP::RADIUS => 'deauthenticateMacRadius',
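Review bot: changing $default from $SNMP::SSH to $SNMP::RADIUS in deauthTechniques alters the fallback for every connection type, not only the newly added wired ones. Assuming $default is what is used when no deauth method is configured, existing wireless setups would silently move from SSH to RADIUS deauthentication after this change. The sub already receives $connection_type, so consider choosing the default from it (keep $SNMP::SSH for wireless, use $SNMP::RADIUS otherwise), or call the behaviour change out in the commit message and upgrade notes.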
@@ -257,8 +261,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE       Mikrotik-Wireless-VlanID                26      integer
-ATTRIBUTE       Mikrotik-Wireless-VlanIDType            27      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID                26      integer
+ATTRIBUTE       Mikrotik-Wireless-VLANID-Type           27      integer

=cut

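Review bot: the POD in this hunk still documents only the two Mikrotik-Wireless dictionary attributes, while the last hunk makes non-wireless connections return Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID instead. Add a sentence here saying that wired ports are answered with the standard RADIUS tunnel attributes rather than the Mikrotik vendor attributes, so the documentation covers both branches.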
@@ -276,10 +280,18 @@
     # Inline Vs. VLAN enforcement
     my $role = "";
     if ( (!$args->{'wasInline'} || ($args->{'wasInline'} && $args->{'vlan'} != 
0) ) && isenabled($self->{_VlanMap})) {
-        $radius_reply_ref = {
-            'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
-            'Mikrotik-Wireless-VLANID-Type' => "0",
-        };
+        if (($args->{'connection_type'} & $WIRELESS) == $WIRELESS) {
+            $radius_reply_ref = {
+                'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
+                'Mikrotik-Wireless-VLANID-Type' => "0",
+            };
+        } else {
+            $radius_reply_ref = {
+                'Tunnel-Type' => "13",
+                'Tunnel-Medium-Type' => "6",
+                'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
+            };
+        }
     }

     $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN 
$args->{'vlan'} and role $role");
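Review bot: in the new if/else, every request without the $WIRELESS bit set falls into the Tunnel-* branch, including one where $args->{'connection_type'} is undefined, in which case the bitwise & also emits an uninitialized-value warning under use warnings. Consider guarding with defined($args->{'connection_type'}) and logging the unexpected case before picking a reply. The literals "13" and "6" would also read better with a short comment saying they are the Tunnel-Type value for VLAN and the Tunnel-Medium-Type value for IEEE-802.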



PS: mac fallback is confirmed to be a problem since 6.48 and should get fixed 
in the next stable release…


Regards
David Herselman

From: Fabrice Durand <oeufd...@gmail.com>
Sent: Wednesday, 19 May 2021 3:00 AM
To: David Herselman <d...@syrex.co>
Subject: Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

Hello David,
What you can do instead of merging wired and wireless attributes is to test the 
connection type.

use pf::config qw(
    $MAC
    $SSID
    $WIRELESS_MAC_AUTH
    $WEBAUTH_WIRELESS
    $WIRELESS
);

....

if (($args->{'connection_type'} & $WIRELESS) == $WIRELESS) {

} else {

}

Regards
Fabrice

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
