MikroTik RouterOS Docs

Dot1X (802.1X) Port-Based Network Access Control: A Complete Guide


RouterOS Version: 7.x+
Difficulty: Intermediate
Estimated Time: 45 minutes

Dot1X implements the IEEE 802.1X standard for port-based network access control. Before a device can send any traffic through a port, it must authenticate. This creates a powerful security boundary—no authentication means no network access.

The system involves three components:

  • Supplicant (Client): The device requesting network access
  • Authenticator (Server): The MikroTik switch/router controlling port access
  • Authentication Server: A RADIUS server that validates credentials

RouterOS can function as both a supplicant (connecting to protected networks) and an authenticator (protecting your network). With User Manager installed, RouterOS can also serve as the RADIUS authentication server, creating a complete solution.

Limitation: Dot1X is not supported on SMIPS devices (hAP lite, hAP lite TC, hAP mini).

┌─────────────┐        ┌─────────────────┐        ┌─────────────────┐
│ Supplicant  │        │  Authenticator  │        │  RADIUS Server  │
│  (Client)   │───────▶│  (MikroTik)     │───────▶│  (FreeRADIUS/   │
│             │        │                 │        │  User Manager)  │
└─────────────┘        └─────────────────┘        └─────────────────┘
       │                       │                        │
       │ 1. EAPOL-Start        │                        │
       │──────────────────────▶│                        │
       │                       │                        │
       │ 2. EAP-Request/       │                        │
       │    Identity           │                        │
       │◀──────────────────────│                        │
       │                       │                        │
       │ 3. EAP-Response/      │                        │
       │    Identity           │                        │
       │──────────────────────▶│                        │
       │                       │ 4. Access-Request      │
       │                       │───────────────────────▶│
       │                       │                        │
       │          ... EAP method exchange ...           │
       │                       │                        │
       │                       │ 5. Access-Accept       │
       │                       │◀───────────────────────│
       │ 6. EAP-Success        │                        │
       │◀──────────────────────│                        │
       │                       │                        │
       │ Port is now open for traffic                   │

Key insight: Until authentication succeeds, the port blocks ALL traffic except EAPOL (EAP over LAN) authentication packets. This means a malicious device can’t even get an IP address via DHCP before proving its identity.
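To make the exchange above concrete, here is an added Python example (not code from the MikroTik docs) that builds and decodes the EAPOL and EAP frames behind steps 1 to 3 and 6 of the diagram, and applies the un-authorized port rule from the key insight: a frame passes only if its EtherType is 0x888E (EAPOL). The two MAC addresses and the identity string are constructed sample values; the frame layouts follow IEEE 802.1X and RFC 3748.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                         # IEEE 802.1X EAP over LAN
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE multicast address
EAPOL_VERSION = 1

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code, identifier, eap_type=None, data=b""):
    """RFC 3748 EAP packet: Code, Identifier, Length, then Type + data for Request/Response.
    Success and Failure packets carry no Type field."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(src, eapol_type, body=b"", dst=PAE_GROUP_ADDR):
    """Ethernet frame carrying an EAPOL header (Version, Type, Body length) and the body."""
    header = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body))
    return dst + src + header + body


def parse_frame(frame):
    """Decode the Ethernet header and, for EAPOL frames, the EAPOL and EAP headers."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_EAPOL or len(frame) < 18:
        return info
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info.update({"eapol_version": version, "eapol_type": eapol_type})
    if eapol_type == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update({"eap_code": code, "eap_id": ident})
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"] = body[4]
            info["eap_data"] = body[5:eap_len]
    return info


def unauthorized_port_accepts(frame):
    """Port filter while the port is un-authorized: only EAPOL frames pass,
    so a DHCP Discover (IPv4 EtherType 0x0800) is dropped before any address is obtained."""
    return parse_frame(frame)["ethertype"] == ETHERTYPE_EAPOL


def identity_exchange(client_mac, switch_mac, identity):
    """Steps 1-3 and 6 of the flow, as the frames each side puts on the wire (constructed),
    returned decoded. Step 4/5 happen over RADIUS between authenticator and server."""
    frames = [
        eapol_frame(client_mac, EAPOL_START),                                           # 1. EAPOL-Start
        eapol_frame(switch_mac, EAPOL_EAP_PACKET,
                    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), dst=client_mac),     # 2. EAP-Request/Identity
        eapol_frame(client_mac, EAPOL_EAP_PACKET,
                    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity.encode())),  # 3. EAP-Response/Identity
        eapol_frame(switch_mac, EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, 2), dst=client_mac),  # 6. EAP-Success
    ]
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    client, switch = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")  # constructed MACs
    for step in identity_exchange(client, switch, "staffuser"):
        print(step)
```

The identity travels in the clear in step 3, which is why the tunneled methods in the table below take an anon-identity for the outer exchange and send the real username only inside the TLS tunnel.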

| Method | Description | Certificate Required |
|---|---|---|
| EAP-TLS | Certificate-based mutual authentication | Yes (client + server) |
| EAP-TTLS | Tunneled authentication, flexible inner methods | Server only |
| EAP-MSCHAPv2 | Microsoft challenge-response, password-based | No |
| PEAPv0/EAP-MSCHAPv2 | Protected EAP with MSCHAPv2 inner method | Server only |

Recommendation: For enterprise deployments, use EAP-TLS for highest security. For simpler setups, PEAP with MSCHAPv2 provides good security with password-based authentication.

/interface dot1x server

| Property | Type | Default | Description |
|---|---|---|---|
| interface | interface name | - | Interface to protect with 802.1X |
| auth-types | dot1x, mac-auth | dot1x | Authentication method(s) |
| auth-timeout | time | 1m | Total time allowed for authentication |
| retrans-timeout | time | 30s | EAP retransmission interval |
| reauth-timeout | time | - | Periodic re-authentication interval |
| accounting | yes/no | yes | Send RADIUS accounting requests |
| interim-update | time | - | RADIUS Interim-Update interval |
| guest-vlan-id | integer | - | VLAN for devices without 802.1X support |
| reject-vlan-id | integer | - | VLAN for failed authentication |
| server-fail-vlan-id | integer | - | VLAN when RADIUS server unreachable |
| mac-auth-mode | mac-as-username, mac-as-username-and-password | - | How MAC address is sent to RADIUS |
| disabled | yes/no | no | Enable/disable server |
| comment | string | - | Descriptive comment |

| VLAN Property | When Used |
|---|---|
| guest-vlan-id | Device doesn't support 802.1X (no EAPOL response) |
| reject-vlan-id | Authentication explicitly rejected by RADIUS |
| server-fail-vlan-id | RADIUS server unreachable |
| Dynamic (RADIUS) | Successful authentication with VLAN attributes |

/interface dot1x client

| Property | Type | Default | Description |
|---|---|---|---|
| interface | interface name | - | Interface to authenticate on |
| eap-methods | list | eap-tls | Ordered list of authentication methods |
| identity | string | - | Username/identity for authentication |
| password | string | - | Password for authentication |
| anon-identity | string | - | Outer identity for tunneled methods (TTLS/PEAP) |
| client-certificate | certificate name | - | Certificate from /system certificates (for EAP-TLS) |
| disabled | yes/no | no | Enable/disable client |
| comment | string | - | Descriptive comment |

| Status | Meaning |
|---|---|
| authenticated | Successfully authenticated, port open |
| authenticating | Authentication in progress |
| connecting | Attempting to connect |
| rejected | Authentication rejected by server |
| error | Authentication error occurred |
| disabled | Client is disabled |
/radius add address=10.1.2.3 secret=radiussecret service=dot1x

| Property | Description |
|---|---|
| address | RADIUS server IP address |
| secret | Shared secret (must match RADIUS server) |
| service | Must include dot1x |
| authentication-port | Default 1812 |
| accounting-port | Default 1813 |
| timeout | Request timeout |
| domain | Domain suffix (leave empty if issues occur) |

| Attribute | Purpose |
|---|---|
| Tunnel-Type | Must be VLAN (13) |
| Tunnel-Medium-Type | Must be IEEE-802 (6) |
| Tunnel-Private-Group-ID | VLAN ID to assign |
| Mikrotik-Switching-Filter | Dynamic ACL rules |

Protect switch ports using external RADIUS server:

Step 1: Configure RADIUS client

/radius add address=192.168.1.10 secret=MyRadiusSecret service=dot1x

Step 2: Enable Dot1X on interface

/interface dot1x server add interface=ether2 comment="Protected Port"

Step 3: Verify configuration

/interface dot1x server print
/interface dot1x server active print

Allow unauthenticated devices into a restricted guest network:

Step 1: Create bridge with VLAN filtering

/interface bridge add name=bridge1 vlan-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether2 pvid=100
/interface bridge port add bridge=bridge1 interface=ether3 pvid=100
/interface bridge vlan add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=ether2,ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=999 tagged=bridge1 comment="Guest VLAN"

Step 2: Configure RADIUS

/radius add address=192.168.1.10 secret=MyRadiusSecret service=dot1x

Step 3: Enable Dot1X with guest VLAN

/interface dot1x server add interface=ether2 guest-vlan-id=999 \
reject-vlan-id=999 server-fail-vlan-id=999

Now devices without 802.1X support land in VLAN 999 (guest network).

Let RADIUS server assign VLANs based on user credentials:

Step 1: Configure bridge with multiple VLANs

/interface bridge add name=bridge1 vlan-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether2 pvid=1
/interface bridge port add bridge=bridge1 interface=ether-uplink pvid=1
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether-uplink comment="Staff VLAN"
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether-uplink comment="Guest VLAN"
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether-uplink comment="IoT VLAN"

Step 2: Configure RADIUS (on FreeRADIUS server)

# users file
staffuser Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 10
guestuser Cleartext-Password := "guestpass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 20

Step 3: Enable Dot1X on MikroTik

/radius add address=192.168.1.10 secret=MyRadiusSecret service=dot1x
/interface dot1x server add interface=ether2

When staffuser authenticates, they’re placed in VLAN 10. When guestuser authenticates, they’re placed in VLAN 20.
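As an added example (not RouterOS or FreeRADIUS code) of what the reply configured in Step 2 carries on the wire, and of the check behind the troubleshooting advice later on this page to verify that RADIUS sends all three Tunnel attributes: the Python below encodes the RFC 2868 tagged Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) attributes, parses them back out of an Access-Accept attribute blob, and reports which attribute is missing or has the wrong value. The attribute numbers and the VLAN (13) / IEEE-802 (6) values come from RFC 2868 and RFC 3580; the attribute blobs are constructed in the example, and the tag byte is always emitted (0 when unused), which is one of the two encodings the RFC allows.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type = IEEE-802
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}


def _attr(attr_type, value):
    """RADIUS attribute TLV: Type, Length (counts the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return _attr(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: tag byte (0x00-0x1F) followed by the string."""
    return _attr(attr_type, bytes([tag]) + text.encode())


def vlan_reply_attributes(vlan_id, tag=0):
    """The three attributes the RADIUS server must return for a dynamic VLAN assignment."""
    return (tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(blob):
    """Walk an attribute blob and return (type, tag, value) tuples; tunnel attributes are
    decoded, anything else is returned raw with tag None."""
    out, i = [], 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        value = blob[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((attr_type, value[0], int.from_bytes(value[1:4], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte above 0x1F is not a tag but the first character of the string (RFC 2868 3.6)
            if value and value[0] <= 0x1F:
                out.append((attr_type, value[0], value[1:].decode(errors="replace")))
            else:
                out.append((attr_type, 0, value.decode(errors="replace")))
        else:
            out.append((attr_type, None, value))
    return out


def vlan_from_access_accept(attrs):
    """Return (vlan_id, "ok") when the reply carries a complete, consistent VLAN assignment,
    otherwise (None, reason) naming the missing or wrong attribute. Attributes are grouped by
    tag, because a tag ties the three attributes of one assignment together."""
    by_tag = {}
    for attr_type, tag, value in attrs:
        if attr_type in NAMES:
            by_tag.setdefault(tag, {})[attr_type] = value
    if not by_tag:
        return None, "no tunnel attributes in reply"
    for tag in sorted(by_tag):
        group = by_tag[tag]
        missing = [NAMES[t] for t in NAMES if t not in group]
        if missing:
            return None, "missing " + ", ".join(missing)
        if group[TUNNEL_TYPE] != TUNNEL_TYPE_VLAN:
            return None, "Tunnel-Type is %d, expected VLAN (13)" % group[TUNNEL_TYPE]
        if group[TUNNEL_MEDIUM_TYPE] != TUNNEL_MEDIUM_IEEE_802:
            return None, "Tunnel-Medium-Type is %d, expected IEEE-802 (6)" % group[TUNNEL_MEDIUM_TYPE]
        gid = group[TUNNEL_PRIVATE_GROUP_ID]
        if not gid.isdigit() or not 1 <= int(gid) <= 4094:
            return None, "Tunnel-Private-Group-ID %r is not a VLAN number" % gid
        return int(gid), "ok"


if __name__ == "__main__":
    print(vlan_from_access_accept(parse_attributes(vlan_reply_attributes(10))))   # staffuser's reply
```

Run the parser over the attributes of a captured Access-Accept when a user lands in the wrong VLAN: a reply that passes this check but still misplaces the user points at the bridge side (VLAN filtering or a missing bridge VLAN entry) rather than at RADIUS.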

Allow devices without 802.1X capability (printers, IoT) via MAC authentication:

Step 1: Configure RADIUS with MAC entries

# FreeRADIUS users file (MAC as username, lowercase with colons)
00:11:22:33:44:55 Cleartext-Password := "00:11:22:33:44:55"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 30

Step 2: Enable Dot1X with MAC auth fallback

/interface dot1x server add interface=ether2 auth-types=dot1x,mac-auth \
mac-auth-mode=mac-as-username-and-password

Devices first attempt 802.1X. If no response (no supplicant), MAC authentication is tried.
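The most common failure in this setup is the MAC format mismatch listed under Problem 4 below: the switch sends the address in one spelling and the users file holds another. Here is an added Python example (not RouterOS or FreeRADIUS code) that normalises the common spellings to the lowercase colon form used in Step 1, derives the RADIUS User-Name/User-Password pair for each mac-auth-mode, renders users-file entries, and tells whether two usernames differ only in formatting. The mapping for mac-as-username is an assumption: the page says only that the MAC is sent as the username, so the password is returned as None there.

```python
import re


def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 0011.2233.4455, 001122334455 or any case of the colon form,
    and return the lowercase colon-separated form used in this guide's users file."""
    if re.search(r"[^0-9a-fA-F.:-]", raw):
        raise ValueError("not a MAC address: %r" % raw)
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_credentials(mac, mode):
    """User-Name / User-Password pair the switch would send for a given mac-auth-mode.
    Assumed mapping: mac-as-username-and-password sends the MAC in both fields;
    mac-as-username sends only the username and the password is not defined here (None)."""
    user = normalize_mac(mac)
    if mode == "mac-as-username-and-password":
        return user, user
    if mode == "mac-as-username":
        return user, None
    raise ValueError("unknown mac-auth-mode: %r" % mode)


def users_file_entries(devices):
    """Render FreeRADIUS users-file entries for mac-as-username-and-password mode, one per
    (mac, vlan_id) pair, with the VLAN reply attributes shown in Step 1."""
    lines = []
    for mac, vlan_id in devices:
        user, password = mac_auth_credentials(mac, "mac-as-username-and-password")
        lines += [
            '%s Cleartext-Password := "%s"' % (user, password),
            "\tTunnel-Type = VLAN,",
            "\tTunnel-Medium-Type = IEEE-802,",
            "\tTunnel-Private-Group-ID = %d" % vlan_id,
        ]
    return "\n".join(lines) + "\n"


def username_matches_entry(radius_username, entry_username):
    """Problem 4 check: (exact match, same MAC after normalisation). (False, True) means the
    device is known but the users file spells its address differently from what the switch sends."""
    exact = radius_username == entry_username
    same_mac = normalize_mac(radius_username) == normalize_mac(entry_username)
    return exact, same_mac


if __name__ == "__main__":
    # Constructed device list: a printer and an IoT sensor, both placed in VLAN 30
    print(users_file_entries([("00:11:22:33:44:55", 30), ("AA-BB-CC-DD-EE-FF", 30)]))
    print(username_matches_entry("00-11-22-33-44-55", "00:11:22:33:44:55"))
```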

Connect MikroTik to an 802.1X protected network:

Using EAP-PEAP/MSCHAPv2:

/interface dot1x client add interface=ether1 \
eap-methods=eap-peap identity=router01 password=MyPassword

Using EAP-TLS (certificate-based):

# First import certificates
/certificate import file-name=client.crt passphrase=""
/certificate import file-name=client.key passphrase=""
# Configure client
/interface dot1x client add interface=ether1 \
eap-methods=eap-tls identity=router01 client-certificate=client.crt_0

Enable periodic re-authentication and RADIUS accounting:

/interface dot1x server add interface=ether2 \
reauth-timeout=1h \
accounting=yes \
interim-update=5m

This re-authenticates clients every hour and sends accounting updates every 5 minutes.

/interface dot1x server active print

Output shows:

  • client-mac: Authenticated device MAC
  • username: Identity used for authentication
  • session-id: Unique session identifier
  • auth-info: EAP method used
  • vlan-id: Assigned VLAN (if dynamic)

/interface dot1x server state print

Status values:

  • authorized: Client authenticated successfully
  • un-authorized: No authenticated client
  • rejected-holding: Client rejected, in hold period
  • iface-down: Interface is down

/interface dot1x client print

Check status field for current authentication state.

/system logging add topics=dot1x,radius,debug action=memory
/log print where topics~"dot1x"

Symptoms: The log shows a radius,debug entry reading "no radius server found", followed by a timeout.

Causes:

  • RADIUS server unreachable (firewall, routing)
  • Wrong RADIUS server address
  • domain field causing lookup issues

Solutions:

  1. Verify RADIUS server is reachable: /ping 10.1.2.3
  2. Check firewall allows UDP 1812/1813 outbound
  3. Set domain="" (empty): /radius set [find] domain=""
  4. Verify shared secret matches exactly on both sides

Symptoms: FreeRADIUS shows Access-Accept, but client disconnects after 15-20 seconds.

Causes:

  • EAP method mismatch
  • Certificate issues
  • RADIUS ports incorrect

Solutions:

  1. Verify RADIUS ports (1812 auth, 1813 accounting)
  2. Match EAP methods on client and server
  3. Check certificate chain is complete for TLS methods
  4. Increase auth-timeout if network latency is high

Symptoms: User authenticates but doesn’t get assigned to correct VLAN.

Causes:

  • Bridge VLAN filtering not enabled
  • VLAN not defined on bridge
  • Missing RADIUS attributes

Solutions:

  1. Enable VLAN filtering: /interface bridge set bridge1 vlan-filtering=yes
  2. Add VLAN to bridge: /interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1
  3. Verify RADIUS sends all three Tunnel attributes
  4. Check hardware offloading is enabled for switch chip rules

Symptoms: Devices without 802.1X aren’t authenticating via MAC.

Causes:

  • mac-auth not in auth-types
  • MAC format mismatch with RADIUS
  • Wrong mac-auth-mode

Solutions:

  1. Add MAC auth: auth-types=dot1x,mac-auth
  2. Match MAC format in RADIUS (typically lowercase with colons: 00:11:22:33:44:55)
  3. Try both mac-as-username and mac-as-username-and-password modes

Problem 5: Client Can’t Connect (EAP Method Issues)

Symptoms: Windows/macOS client fails to authenticate.

Causes:

  • Unsupported EAP method
  • Certificate not trusted
  • Inner method mismatch

Solutions:

  1. Use PEAP with MSCHAPv2 for Windows/macOS compatibility
  2. Install RADIUS server certificate in client trust store
  3. Verify inner authentication method matches (MSCHAPv2 is most compatible)

For Dot1X server to work with VLAN assignment:

  1. Interface must be bridge port:

    /interface bridge port add bridge=bridge1 interface=ether2

  2. Enable VLAN filtering:

    /interface bridge set bridge1 vlan-filtering=yes

  3. Define VLANs:

    /interface bridge vlan add bridge=bridge1 vlan-ids=10,20,30 tagged=bridge1

  4. Use default protocol mode:

    /interface bridge set bridge1 protocol-mode=rstp

RADIUS can send dynamic ACL rules via Mikrotik-Switching-Filter attribute:

RADIUS attribute format:

Mikrotik-Switching-Filter = "allow src-address=192.168.1.0/24, drop dst-port=445"

Supported conditions:

  • mac-protocol
  • src-mac-address, dst-mac-address
  • src-address, dst-address
  • protocol
  • src-port, dst-port

Actions: allow (default), drop

Hardware support: CRS3xx, CRS5xx, CCR2116, CCR2216, and devices with QCA8337, Atheros8327, Atheros8316 switch chips.
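Because the filter string arrives from RADIUS, it is worth validating it against the supported conditions and actions listed above before relying on it. The Python below is an added example (not RouterOS code): a parser for the Mikrotik-Switching-Filter format shown above, which rejects anything outside the supported condition set, plus a small evaluator that applies the parsed rules to a packet. The evaluator's semantics are an assumption for illustration only: first matching rule wins and a packet that matches nothing is allowed (the page says allow is the default action, but does not describe RouterOS's rule ordering). The sample packets are constructed.

```python
import ipaddress

SUPPORTED_CONDITIONS = {"mac-protocol", "src-mac-address", "dst-mac-address",
                        "src-address", "dst-address", "protocol", "src-port", "dst-port"}
ACTIONS = {"allow", "drop"}


def parse_switching_filter(value):
    """Parse a Mikrotik-Switching-Filter string into rules: one rule per comma-separated part,
    each optionally starting with an action (allow is the default) followed by key=value
    conditions. Unsupported conditions or malformed tokens raise ValueError."""
    rules = []
    for part in value.split(","):
        tokens = part.split()
        if not tokens:
            continue
        action = tokens.pop(0) if tokens[0] in ACTIONS else "allow"
        conditions = {}
        for token in tokens:
            key, sep, cond = token.partition("=")
            if not sep or key not in SUPPORTED_CONDITIONS or not cond:
                raise ValueError("unsupported or malformed condition: %r" % token)
            conditions[key] = cond
        rules.append({"action": action, "conditions": conditions})
    return rules


def _matches(key, cond, packet):
    """Match one condition against a packet dict keyed by condition name."""
    field = packet.get(key)
    if field is None:
        return False
    if key in ("src-address", "dst-address"):
        return ipaddress.ip_address(field) in ipaddress.ip_network(cond, strict=False)
    if key in ("src-port", "dst-port"):
        return int(field) == int(cond)
    return str(field).lower() == cond.lower()   # protocol, mac-protocol, MAC addresses


def evaluate(rules, packet):
    """Assumed semantics (not stated on the page): first rule whose conditions all match wins;
    no match means allow."""
    for rule in rules:
        if all(_matches(k, v, packet) for k, v in rule["conditions"].items()):
            return rule["action"]
    return "allow"


if __name__ == "__main__":
    rules = parse_switching_filter("allow src-address=192.168.1.0/24, drop dst-port=445")
    for pkt in ({"src-address": "10.0.0.5", "dst-port": 445},        # constructed: SMB from outside the LAN
                {"src-address": "192.168.1.7", "dst-port": 445}):    # constructed: SMB from the allowed LAN
        print(pkt, "->", evaluate(rules, pkt))
```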

  1. Use strong RADIUS secrets: At least 16 random characters
  2. Enable accounting: Track authentication events for auditing
  3. Implement re-authentication: Prevent session hijacking
  4. Use guest VLANs sparingly: Isolate untrusted devices
  5. Monitor active sessions: Watch for unauthorized access attempts
  6. Prefer EAP-TLS: Certificate-based authentication is strongest
  7. Protect RADIUS traffic: Use IPsec or isolated management VLAN

  • User Manager - Built-in RADIUS server for RouterOS
  • Bridge VLAN Filtering - Required for dynamic VLAN assignment
  • RADIUS Client - Connects to authentication servers
  • Certificates - Required for EAP-TLS authentication
  • Firewall - Additional security layer after authentication

Dot1X provides enterprise-grade port security by requiring authentication before network access. Key points:

  • Server mode protects your network—block until authenticated
  • Client mode lets RouterOS connect to protected networks
  • RADIUS integration enables centralized authentication and dynamic VLANs
  • Guest/Reject VLANs handle edge cases gracefully
  • MAC authentication supports legacy devices

Start with basic Dot1X authentication, then add dynamic VLANs and MAC fallback as needed.