Network hubs are externally similar to switches. What is the difference between computer networking Hub, Bridge, and Switch? your main router/gateway network IP is 192.168.1.1 and MikroTik router devices attached to MikroTik will have its default subnet range 192.168.88.* which is what we are trying to avoid. The problem is if you don’t want a routing function, DHCP or NAT, in another words, you do not desire a network subnet change because of routing – e.g.
MikroTik routers and “access points” models such as hAP and hAP lite (including their more advanced variants hAP AC² and hAP AC³) are mainly targeted at home networks and small offices (SOHO) environments, they come with RouterOS L4 license and out-of-the-box are usually configured as classic, conventional, well, routers – despite “AP” in their name. Thing is, you will frequently find only the command line configuration tutorials online, but easy to follow step-by-step illustrated guides are virtually nowhere to be found.
Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.MikroTik runs RouterOS operating system, an overwhelmingly complex feature-rich piece of software which you can use, control and configure both using command line terminal and graphical interfaces WinBox (on Microsoft Windows PCs) and WebFig (in web browsers like Chrome, Firefox, Opera, Edge…). Upon receipt of this information, the access point disassociates David from the wireless LAN network.
However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.
This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.įigure 6 illustrates both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. Otherwise, the user is disassociated from the access point or bridge.Ģ. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. There are two different ways to implement RADIUS-based VLAN access control features:ġ. This may not be preferred if the WLAN user is confined to a particular VLAN. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. You would need to invlove a radius solution like ACS to do a mac filter by SSID and radius.Īs discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side.