I would like to use it, because its more simple to manage in a production environment. The wireless security that we can use with RB4x as clients is EAP-TLS. Its indeed very secure, but now with the network growing, it will take a lot of time with each client to update the their certificate.
Kindly regards, very good Christmas and a happy new year for all.
Jorge
-
-
JorgeAmaral
Trainer
- Posts: 199
- Joined:
- Location: /ip route add type=blackhole
Re: Feature request: EAP-PEAP for wireless client
Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
Re: Feature request: EAP-PEAP for wireless client
is there still no EAP-PEAP in routeros in station mode?Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
Re: Feature request: EAP-PEAP for wireless client
Nois there still no EAP-PEAP in routeros in station mode?Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
I also requested it. It seems to be a simple addition, but nothing is happening
Ubiquiti access points support it, so I think they want you to take your business elsewhere...
Re: Feature request: EAP-PEAP for wireless client
but inside security profile we have some PEAP related stuffNo
I also requested it. It seems to be a simple addition, but nothing is happening
Ubiquiti access points support it, so I think they want you to take your business elsewhere...
eap-methods=eap-ttls-mschapv2 mschapv2-username="peap-user1" mschapv2-password="P@ssword123"
so i want answer from MikroTik Support, is it works or not.
if works - how to configure it, because in my case i got "lost connection, 802.1x authentication timeout", but android phone works perfectly
-
-
fractalbrain
just joined
- Posts: 12
- Joined:
Re: Feature request: EAP-PEAP for wireless client
I've been tearing my hair out about this for days while evaluating an SXT ac device!
I brought an SXT to a recent NANOG conference (North American Network Operators Group) with an express intent of getting the SXT to authenticate to the conference network via 802.1x. I could get it to associate with their ap fine, but their logs kept filling up with "no username" and "no password" supplied messages.
I kept changing the method to eap-ttls-mschapv2 (because the UI would change it back...presumably since it doesn't exist in the UI!!) and supplying a mschap username and password! Nothing. It looked like their server just kept getting no username and password over and over again. From the timing of everything, it felt like their server was waiting for a username and password to be entered and eventually timed out.
I'm really hoping they pick this task up again and get 802.1x implemented properly.
Has anyone gotten this working?
I brought an SXT to a recent NANOG conference (North American Network Operators Group) with an express intent of getting the SXT to authenticate to the conference network via 802.1x. I could get it to associate with their ap fine, but their logs kept filling up with "no username" and "no password" supplied messages.
I kept changing the method to eap-ttls-mschapv2 (because the UI would change it back...presumably since it doesn't exist in the UI!!) and supplying a mschap username and password! Nothing. It looked like their server just kept getting no username and password over and over again. From the timing of everything, it felt like their server was waiting for a username and password to be entered and eventually timed out.
I'm really hoping they pick this task up again and get 802.1x implemented properly.
Has anyone gotten this working?
Re: Feature request: EAP-PEAP for wireless client
looks like at least one - http://forum.mikrotik.com/viewtopic.php?t=75519Has anyone gotten this working?
as for me - mikrotik support is so unresponsive, its very bad for community and device popularity
Re: Feature request: EAP-PEAP for wireless client
It's already in there, tested with v6.35rc8 and works like a charm
Re: Feature request: EAP-PEAP for wireless client
please post your configIt's already in there, tested with v6.35rc8 and works like a charm
wireless and security profiles
-
-
fractalbrain
just joined
- Posts: 12
- Joined:
Re: Feature request: EAP-PEAP for wireless client
Hi everyone!! Thanks so much for the replies!! I believe that was my first forum post after years of lurking 
.
I've pasted my "non-working" security profile, wireless interface, and cert info that I used during NANOG.
Below is the security profile. I tried tls-mode with "verify-certificate" and tried with and without a supplicant identity. ...about that supplicant identity. There was only one username for everyone, "nanog" (it's a pretty open network with a focus on efficiency, not restricting usage). I used that for the supplicant identity. I'm wondering if I should have used my system name, or something random. Thoughts?
Since NANOG is now over, I changed the following interface profile to match what I'm pretty sure I used before (I'm sure the frequency is different):
And here is some info about the certificate I used:
I don't have an opportunity to test this out again on the NANOG network until the June (which gives visibility on both sides), but I'll test it out later today/tomorrow using a university network using similar settings.
Thanks so much everyone! -ej
EDIT:
1. Fixed quote.
2. Added supplicant identity detail.
.Referencing @slavik, @Beone, can you post your working config bits, if you don't mind?Beone
It's already in there, tested with v6.35rc8 and works like a charm
I've pasted my "non-working" security profile, wireless interface, and cert info that I used during NANOG.
Below is the security profile. I tried tls-mode with "verify-certificate" and tried with and without a supplicant identity. ...about that supplicant identity. There was only one username for everyone, "nanog" (it's a pretty open network with a focus on efficiency, not restricting usage). I used that for the supplicant identity. I'm wondering if I should have used my system name, or something random. Thoughts?
Code: Select all
5 name="nanog1" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm
group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
supplicant-identity="nanog" eap-methods=eap-ttls-mschapv2 tls-mode=dont-verify-certificate
tls-certificate=auth.meetings.nanog.org.cer_0 mschapv2-username="someusername"
mschapv2-password="somepassword" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no
interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX
radius-mac-mode=as-username-and-password radius-mac-caching=disabled group-key-update=5m
management-protection=disabled management-protection-key=""
Code: Select all
0 R name="wlan1-gateway" mtu=1500 l2mtu=1600 mac-address=4C:5E:0C:D7:73:14 arp=enabled
interface-type=Atheros AR9888 mode=station ssid="nanog" frequency=5805 band=5ghz-a/n/ac
channel-width=20mhz scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=nanog1 compression=no
Code: Select all
6 L T name="auth.meetings.nanog.org.cer_0"
issuer=C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http:,,certs.godaddy.com,
repository,,CN=Go Daddy Secure Certificate Authority - G2
unit="Domain Control Validated" common-name="auth.meetings.nanog.org" key-size=2048
subject-alt-name=DNS:auth.meetings.nanog.org days-valid=1093 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client
serial-number="someserialnumber"
fingerprint="somefingerprint"
invalid-before=may/29/2015 21:01:38 invalid-after=may/27/2018 16:03:43
Thanks so much everyone! -ej
EDIT:
1. Fixed quote.
2. Added supplicant identity detail.
-
-
fractalbrain
just joined
- Posts: 12
- Joined:
Re: Feature request: EAP-PEAP for wireless client
Yeah, can you post your config bits?It's already in there, tested with v6.35rc8 and works like a charm
I'm stumped. I tried this at the campus network 802.1x keeps timing out after about 30 seconds. I did try upgrading to the latest release candidate (6.35rc8 i think) and the wireless-rep package.
I feel like I should be seeing something called "eap-peap-mschapv2", maybe a way to automatically pull the certificate from the ap/radius server (reminder: I'm trying to connect in station/client mode), and all of that in the GUI. Without really knowing enough, it just "feels" like there are some missing bits that are not working.
To be clear (again, I'm a tad un-clear on all of this), but the campus network has a certificate that gets dolled out to the clients. The campus network requires a username and password. They are using eap, peap, mschapv2.
Is this really working for other people? If not, is it really not implemented? ...confused.
PS- Still no word from support
. I'll try again tomorrow if I don't get a response.-
-
fractalbrain
just joined
- Posts: 12
- Joined:
Re: Feature request: EAP-PEAP for wireless client
Hey everyone! I heard back from support today.
They said "note that we support eap-ttls-mschapv2 and we don't have PEAP support."
Note that I am using RouterOS release candidate 6.35rc11 and the "current" RouterOS is 6.34.1.
They said "note that we support eap-ttls-mschapv2 and we don't have PEAP support."
Note that I am using RouterOS release candidate 6.35rc11 and the "current" RouterOS is 6.34.1.
-
-
fractalbrain
just joined
- Posts: 12
- Joined:
Re: Feature request: EAP-PEAP for wireless client
Update:
I got another reply from Mikrotik.
The person I'm corresponding with successfully tested eap-ttls-mschapv2 using the following set-up:
"...a test EAP radius server and got connected with an android phone and then
repeated the connection with the RouterOS as a client and it was working fine
when specifying the supplicant-identity and the mschapv2-user/password and and
setting tls-mode=dont-verify-certificate"
I personally don't have access to a eap-ttls-mschapv2 setup at the moment, but testing it with a cert would probably be good. I know this thread is regarding PEAP, but can anyone verify they have eap-ttls-mschapv2 working with a cert? (or let me know if there is something I don't understand)
Now, about PEAP, the person I'm corresponding with reasserted and noted the following:
"Since we don't have PEAP support eap-peap method will not work.
Currently we don't have any plans to add support the PEAP for the RouterOS
wireless client."
I've asked if a formal feature request can be put in and if the eap-ttls-mschapv2 stuff can be put into the GUIs. I'll update when I hear more.
-e
I got another reply from Mikrotik.
The person I'm corresponding with successfully tested eap-ttls-mschapv2 using the following set-up:
"...a test EAP radius server and got connected with an android phone and then
repeated the connection with the RouterOS as a client and it was working fine
when specifying the supplicant-identity and the mschapv2-user/password and and
setting tls-mode=dont-verify-certificate"
I personally don't have access to a eap-ttls-mschapv2 setup at the moment, but testing it with a cert would probably be good. I know this thread is regarding PEAP, but can anyone verify they have eap-ttls-mschapv2 working with a cert? (or let me know if there is something I don't understand
)Now, about PEAP, the person I'm corresponding with reasserted and noted the following:
"Since we don't have PEAP support eap-peap method will not work.
Currently we don't have any plans to add support the PEAP for the RouterOS
wireless client."
I've asked if a formal feature request can be put in and if the eap-ttls-mschapv2 stuff can be put into the GUIs. I'll update when I hear more.
-e
-
-
juliobrito
just joined
- Posts: 8
- Joined:
Re: Feature request: EAP-PEAP for wireless client
Regards,
Please, remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have more that 7 years waiting for it option.
Please, remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have more that 7 years waiting for it option.
Re: Feature request: EAP-PEAP for wireless client
why not also EAPoL too ? in both EAP/PEAP flavors ? and probably PEAPv1/EAP-GTC too ?
Re: Feature request: EAP-PEAP for wireless client
A guide on how to configure basic PEAP wireless client with RADIUS now is available in MikroTik Wiki.