/caps-man access-list add action=accept allow-signal-out-of-range=10s comment=Jayden disabled=no mac-address=5C:1D:D9:C3:C6:15 private-passphrase=supersecretpasswordexample
Do you have a link to the presentations? I assume you mean YouTube, but I cannot seem to find them in English.
Furthermore, you can associate a RADIUS to manage the mac-address/password association.
There are few presentations that covered this topic.
MikroTik was there for ages, too bad they didn't use it as a good advertisement.
It's been in there for years.
Go into your access control list under wireless. You can generate/set per Mac address passwords.
/interface wireless access-list add comment=Jayden mac-address=5C:1D:D9:C3:C6:15 private-pre-shared-key=supersecretpasswordexample vlan-mode=no-tag
Which Ruckus AP do you prefer within 100-150 Euros price range?
The more I use Mikrotik wireless... The more I love Ruckus.
Do you have a working example?
This would be way more useful if the Access List didn't stop on the first failure but went on to try and validate against the next matching rule. You could then have multiple PSKs without defined MAC addresses allowing you to set different keys for different users without the need to pre-register MAC addresses.
This is how the Group DPSK function works on Ruckus and is very handy for users with multiple devices.
Mikrotik-Wireless-PSK
How do you do that?
It's been in there for years.
....
Further... you can go back and add a VLAN tag to bounce a device into another subnet AFTER IT'S BEEN ON THE SYSTEM. (in Ruckus it's set once you generate the file)
Go into the ACL.
How do you do that?
It's been in there for years.
....
Further... you can go back and add a VLAN tag to bounce a device into another subnet AFTER IT'S BEEN ON THE SYSTEM. (in Ruckus it's set once you generate the file)
Could you share the config to do so?
Go into the ACL.
Add the Mac address and password you want the client to bind together.
Select a VLAN tag.
Move my laptop into a different VLAN based on the password I used.
Could you share the config to do so?
Go into the ACL.
Add the Mac address and password you want the client to bind together.
Select a VLAN tag.
I'm still on vacation and far from home to check it out at my system
would it be like
/caps-man access-list
add action=accept mac-address=MAC_User1_Device1 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=MAC_User1_Device2 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=MAC_User2_Device1 private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2
Could the PPSK based access-list be used to realize a feature like Working with Dynamic Pre-Shared Keys (commscope.com) by either using 00:00:00:00:00:00 as MAC or omitting the MAC altogether?
So the code for a PPSK based VLAN assignment could be like:
/caps-man access-list
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2
code was written on what was mentioned in this topic and in wireless access list vlan mode & id function? - MikroTik and Can each wireless user connect to their own VLAN? - MikroTik
This assumes that the MAC is known, but what if the MAC is not known in advance?
Move my laptop into a different VLAN based on the password I used.
/caps-man access-list add action=accept allow-signal-out-of-range=10s comment="Windows LapTop" \
    disabled=no mac-address=C8:FF:28:3C:35:35 private-passphrase=pn4XaFnnKX \
    ssid-regexp=WhateverSSID vlan-id=254 vlan-mode=use-tag
Just tried it. Device was allowed to connect.
This assumes that the MAC is known, but what if the MAC is not known in advance?
Move my laptop into a different VLAN based on the password I used.
/caps-man access-list add action=accept allow-signal-out-of-range=10s comment="Windows LapTop" \
    disabled=no mac-address=C8:FF:28:3C:35:35 private-passphrase=pn4XaFnnKX \
    ssid-regexp=WhateverSSID vlan-id=254 vlan-mode=use-tag
Using what configuration, the one posted before?
Just tried it. Device was allowed to connect.
I was on a standalone hAP AC2 that is not running caps-man.
Using what configuration, the one posted before?
Just tried it. Device was allowed to connect.
Does the following work as well?
/caps-man access-list
add action=accept private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2
The last time I tested this it didn’t work. I think that was v6.48. The logic seems to be - check the PSK for first rule that matches the MAC address pattern (in this case any Mac), if that fails then fail auth. At the time of my testing it would not then go on to check another rule that also matches the Mac pattern. But I wish it would!
No problem, thanks a lot for testing and sharing.
I'm currently only on mobile so I cannot contribute anything.
Would it still work if it is done with 2 rules like that but with different private-pre-shared-key?
Like
private-pre-shared-key="user1" vlan-id=1
private-pre-shared-key="user2" vlan-id=2
Do you run now v6.49.x to test it again?
The last time I tested this it didn’t work. I think that was v6.48. T
When I get a chance I will try it again. I’ve kept a close eye on release notes and I’ve never seen any work on this topic though; sadly I get the impression that MikroTik doesn’t see this as an issue and I don’t think I’ve been able to encourage anyone to see the value in DPSK style functionality. It’s frustrating, we use Ruckus DPSK on loads of client sites and MDUs, I’d love it if we could offer it on Mikrotik as an alternative to Ruckus.
Do you run now v6.49.x to test it again?
The last time I tested this it didn’t work. I think that was v6.48. T
May it works in v7.x?
It's the inability for Mikrotik radios to deal with some 2.4 clients at all and especially under any sort of crowded environment, that made the systems crumble.
I broadly agree with you Gotsprings, we too deploy a lot of Ruckus. But I also think there is a place in the Market for MikroTik and have found many places to successfully use their Radios as well.
This isn’t a discussion over who’s better; just an examination of DPSK functionality and if it’s possible to replicate it on MikroTik.
I confirm same behaviour with 6.49.3 where it checks the first 00:00:00:00:00:00 and if failed, does not check other. So close to a working solution...
The last time I tested this it didn’t work. I think that was v6.48. The logic seems to be - check the PSK for first rule that matches the MAC address pattern (in this case any Mac), if that fails then fail auth. At the time of my testing it would not then go on to check another rule that also matches the Mac pattern. But I wish it would!
No problem, thanks a lot for testing and sharing.
I'm currently only on mobile so I cannot contribute anything.
Would it still work if it is done with 2 rules like that but with different private-pre-shared-key?
Like
private-pre-shared-key="user1" vlan-id=1
private-pre-shared-key="user2" vlan-id=2
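Added illustration (not code from the thread, MikroTik or Ruckus): a Python model of why rule order decides the outcome for private passphrases without a MAC. The client never sends its passphrase, so the AP can only test one configured key at a time against the handshake MIC. It uses the standard WPA2-PSK derivation; the passphrases, VLAN IDs 10/20, MACs, nonces and EAPOL bytes are constructed sample values, and `fall_through` is a hypothetical switch between the behaviour reported above for v6.48/6.49.3 and the group-DPSK style the posters ask for.

```python
import hashlib
import hmac

SSID = "WhateverSSID"                      # SSID name taken from the thread
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))                 # constructed nonces
EAPOL = b"constructed EAPOL-Key message 2, MIC field zeroed"            # stand-in frame

# Constructed stand-ins for the thread's PPSK_User1 / PPSK_User2 rules; no MAC set.
RULES = [
    {"comment": "User1", "mac": None, "passphrase": "ppsk-user1-example", "vlan": 10},
    {"comment": "User2", "mac": None, "passphrase": "ppsk-user2-example", "vlan": 20},
]

def kck(passphrase, ssid, ap, sta, anonce, snonce):
    """Key Confirmation Key: first 16 bytes of the PTK derived from a passphrase."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    # First block of the 802.11 PRF (counter byte 0) already covers the 16-byte KCK.
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]

def mic(passphrase, eapol=EAPOL):
    """MIC a station holding `passphrase` puts on handshake message 2 (HMAC-SHA1-128)."""
    return hmac.new(kck(passphrase, SSID, AP, STA, ANONCE, SNONCE), eapol, hashlib.sha1).digest()[:16]

def authenticate(rules, sta, received_mic, fall_through):
    """Return the VLAN of the rule whose passphrase explains the MIC, else None."""
    for rule in rules:
        if rule["mac"] not in (None, sta):
            continue                        # rule is bound to a different device
        if hmac.compare_digest(mic(rule["passphrase"]), received_mic):
            return rule["vlan"]
        if not fall_through:
            return None                     # reported behaviour: first matching rule decides
    return None

def vlan_for(client_passphrase, fall_through):
    """Model a client joining with `client_passphrase` against RULES."""
    return authenticate(RULES, STA, mic(client_passphrase), fall_through)

if __name__ == "__main__":
    for mode in (False, True):
        print("fall_through =", mode, [vlan_for(r["passphrase"], mode) for r in RULES])
```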
After using DPSK for years... I can say that EPSK is not the same.
Cambium have EPSK, which is basically the same thing.
Seems like marketing, rather than technical patent.
Good effort btw.
Ahh...
We use Ruckus DPSK in the “group DPSK” mode. Like this it doesn’t care about MAC addresses, just that your device knows the PSK for that group. We tend to use it in MDU environments, one DPSK per apartment, landing the user on the associated VLAN for that DPSK.
AGREED!
The more I use Mikrotik wireless... The more I love Ruckus.
If you need a solution... RUCKUS.
If you don't mind a hobby... Mikrotik.
This is completely the opposite of Mikrotik routing.