Dear customers.

Please support this feature request.
Exactly in Russia Rostelecom now deployed APs this PEAP authentication and MT user not able to connect to such ISPs.
(особенно для тех, кто уже столкнулся с УЦН и невозможностью подключиться на родном оборудовании).

Last answer from support was

currently we do not support WAP-EAP PEAP as wireless station in RouterO
We will look if we could add this support in future, but it might not happen so fast as we haven't received lot of request for such feature.

I believe that it needed feature, please leave comment (vote) if You need it too.

I completely agree, this is the most widespread method for authenticating with username/password and sometimes we can't change (since we're connecting to the network we have no control over).

I bought SXT Lite 2 and much to my surprise can't use it since I need WPA2-EAP-PEAP-MSCHAPV2 support.

MikroTik, please add this feature which is present in most other OS (OpenWRT etc).

Good news:

we have added this feature in our to do list but currently is is not a higher priority feature.

So, awaiting...

I would like to see it as well, it certainly would make our WiFi network a lot easier to manage.
No idea how much work it would involve, I think the underlying software already supports it, it is mainly a configuration issue.
(adding some fields, setting parameters for the underlying software)

Hi. I see some great news at viewtopic.php?f=21&t=116357&p=593227&hilit=peap#p593227

Version 6.39rc68 has been released.

Changes since previous version:
(...)
*) wireless - added PEAP authentication support for wireless station mode;

I will test it in a week.

Best regards: CsXen

Hi. I see some great news at viewtopic.php?f=21&t=116357&p=593227&hilit=peap#p593227

Version 6.39rc68 has been released.

Changes since previous version:
(...)
*) wireless - added PEAP authentication support for wireless station mode;

I will test it in a week.

Best regards: CsXen

I still have lost connection, 802.1x authentication timeout, do You have another (success) result?

Support wrote:

we were able to improve the compatibility with the PEAP and in one of the next RC versions it will be added - just check the changelog entry and then test that version.
After than please report back if it works ok.

So, just waiting a little bit again.

Hi. Is there any news about PEAP-MSCHAPv2 support?

Hi. Is there any news about PEAP-MSCHAPv2 support?

No

I need to test it but it is a bit difficult as I don't have a MikroTik as station myself.
So I need to get remote access to someone else's device and be able to experiment without losing the connection.
Maybe later.

I need to test it but it is a bit difficult as I don't have a MikroTik as station myself.
So I need to get remote access to someone else's device and be able to experiment without losing the connection.
Maybe later.

Do You from developers team?

what do you mean? I don't understand your question.

please upgrade to v6.40rc2 and check again.

what do you mean? I don't understand your question.

Are you a developer?

No of course not, I am a user. But at home I have a Ubiquiti AP. There it works.
Other people in our network have MikroTik and I need to debug via one of their APs.

please upgrade to v6.40rc2 and check again.

At 6.40rc2 with Rostelecom's AP still 802.1x authentication timeout

Supout at support mail. If needed real test in production network- just tell me.

I have tested in our HAMNET against a MikroTik AP configured with radius and it works OK with version 6.39 !

Client side config:
AP side config:

eap-methods=eap-tls,passthrough

How Radius processing certs in your case? Trying to install some certs to client side?

Connecting to UPC WI-Free, working, thank you mikrotik.

How Radius processing certs in your case? Trying to install some certs to client side?

No we use MSCHAPv2. That was what we were waiting for, certs was already supported I think.

And news from our test.

Generally, at 6.40rc2, with Rostelecom working too! Bottom details in russian.

Итак, господа, настало счастье для пользователей УЦН - оно работает, но прочитайте текст ниже, чтобы сходу не наступить на грабли.
У РТ есть какая-то привязка. После подключения под МАСом "Альфа" нельзя сразу подключаться с другого девайса с МАСом "Бета".
То есть, склонируйте МАС-адрес на Микротик во избежании проблем, если совсем недавно подключались с какого-то другого девайса. То же самое касается тех, кто будет использовать виртуальные интерфейсы с МАС-адресами, отличными от того, который чуть ранее выходил в сеть (если выходил).
Еще раз на пальцах: Настраиваем интерфейс, успешно подключаемся, отключаем интерфейс, меняем МАС и больше не можем подключиться - будет ошибка 802.1x authentication timeout, словно введен неверный логин/пароль или не поддерживается PEAP.
Мой рабочий конфиг выглядел так:
Дальше получаем на интерфейса адрес и натим.

Спасибо Uldis за поддержку.

Какие схемы работают, а какие нет (на всех схемах опечатка - virtial читать как virtual):
РАБОТАЕТ:


НЕ работает:

wlan1 и virtual2 успешно получают адреса по DHCP, но шлюз видят только через один из интерфейсов. Через оба сразу трафик не побежит (L2 с AP по второму подключению не работает, кроме DHCP).

Все извраты с попыткой уйти от маршрутизации и обойтись псевдобриджом также не помогают - ну не работает 2 одновременных station подключения.
Если Микротик сможет это пофиксить - будет здорово!

Сейчас объясню почему это так важно.



Если все будут жить под мачтой и пользоваться услугой сидя под столбом - вопросов нет.
Но до жилых домов расстояние больше, чем зона покрытия.
Мы сделали большой шаг, чтобы зацепиться за точку доступа, уже можно использовать SXT для приема сигнала, но что делать, если расстояние слишком большое?
Тогда нужно терминировать много-много клиентов на одной SXT, дотянуть их до места распределения, примерно так:

Для реализации схемы не хватает капельки чуда

Hello!
And it was not possible to force to care on the firmware 6.40rc2, 6.40rc4, 6.40rc5, and also on 6.39.1.
On 6.39.1, the 802.1x authentication timeout error.
On the firmware 6.40rc2, 6.40rc4, 6.40rc5 the connection is established but the authorization apparently does not pass (I tried different login-password pairs, not even existing ones).
Here is an example of a log:
10:47:51 wireless, debug rtk: no network that satisfies connect-list, by default choose with strongest
Signal
10:47:52 wireless, info EC: 4C: 4D: 55: 9A: 38 @ rtk established connection on 2472000, SSID RTWiFi
and that is all.
RX Rate at the same time costs 1 Mbps.

ifc, what exactly is not working?
Make sure you specify the supplicant-identity the same as the mschanp username an also set tls-mode=dont-verify-certificate

Put your output (hide passwords by ***)

Hello!
And it was not possible to force to care on the firmware 6.40rc2, 6.40rc4, 6.40rc5, and also on 6.39.1.
On 6.39.1, the 802.1x authentication timeout error.
On the firmware 6.40rc2, 6.40rc4, 6.40rc5 the connection is established but the authorization apparently does not pass (I tried different login-password pairs, not even existing ones).
Here is an example of a log:
10:47:51 wireless, debug rtk: no network that satisfies connect-list, by default choose with strongest
Signal
10:47:52 wireless, info EC: 4C: 4D: 55: 9A: 38 @ rtk established connection on 2472000, SSID RTWiFi
and that is all.
RX Rate at the same time costs 1 Mbps.

[root@MikroTik] > /in wi export
# may/12/2017 11:38:12 by RouterOS 6.40rc4
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
set [ find default=yes ] eap-methods="" radius-eap-accounting=yes radius-mac-mode=\
as-username-and-password
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip group-key-update=1m \
interim-update=1s management-protection-key=77970047518 mode=dynamic-keys mschapv2-password=\
*** mschapv2-username=77970047518 name=77970047518 radius-eap-accounting=yes \
radius-mac-mode=as-username-and-password supplicant-identity=77970047518 tls-mode=\
dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 frequency=\
auto ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,\
mcs-12,mcs-13,mcs-14,mcs-15" keepalive-frames=disabled l2mtu=1500 mtu=1400 multicast-buffering=\
disabled multicast-helper=disabled name=rtk radio-name=77970047518 security-profile=77970047518 \
ssid=RTWiFi station-roaming=disabled tx-power=21 tx-power-mode=all-rates-fixed wds-mode=dynamic \
wireless-protocol=802.11 wmm-support=enabled
/interface wireless align
set audio-max=-80 audio-min=-140 receive-all=yes ssid-all=yes

Looks good.
Jump to 6.40rc2
Register new account (login+password for Wi-Fi). Newer use new login except Mikrotik (use only current (old) login for manipulation with accounts).
Disable wlan interface.
Put new login and password to MT box.
Be sure that new Wi-Fi login activated (balance +).
Enable wlan and try to connect.

And change like this

I would suggest to remove the tkip and use only aes encryption.

I would suggest to remove the tkip and use only aes encryption.

Yes, right!

At next time i should use export verbose for best detalization.

[root@MikroTik] > /in wi export
# may/12/2017 15:42:40 by RouterOS 6.40rc2
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
set [ find default=yes ] eap-methods="" radius-eap-accounting=yes radius-mac-mode=as-username-and-password
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip group-key-update=1m interim-update=1s \
management-protection=allowed mode=dynamic-keys mschapv2-password=**** mschapv2-username=77970047518 name=77970047518 \
radius-mac-mode=as-username-and-password supplicant-identity=77970047518 tls-mode=dont-verify-certificate unicast-ciphers=\
tkip
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip management-protection=allowed mode=dynamic-keys \
mschapv2-password=**** mschapv2-username=77970042554 name=77970042554 radius-eap-accounting=yes supplicant-identity=\
77970042554 tls-mode=dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 disabled=no frequency=2472 \
ht-supported-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 \
keepalive-frames=disabled l2mtu=1500 mtu=1400 multicast-buffering=disabled multicast-helper=disabled name=rtk radio-name=\
77970042554 security-profile=77970042554 ssid=RTWiFi station-roaming=disabled tx-power=21 tx-power-mode=all-rates-fixed \
wds-mode=dynamic wireless-protocol=802.11 wmm-support=enabled
/interface wireless align
set audio-max=-80 audio-min=-140 receive-all=yes ssid-all=yes

15:43:33 wireless,info EC:4C:4D:55:9A:38@rtk established connection on 2472000, SS
ID RTWiFi
15:44:03 wireless,info EC:4C:4D:55:9A:38@rtk: lost connection, 802.1x authenticati
on timeout

does not work

Баланс в плюсе, услуга активна (в личном кабинете), и перед этим под этим логопасом с другого девайса (МАСа) не подключались?
Интересно...

Проще всего слизать 1:1 мой конфиг, только замените логин и пароль.
Сделайте бекап, потом сбросьте в дефолт не применяя дефолтный конфиг. Будет голый девайс, в него влейте мою секцию ВиФи заменив логопасс.

Please post in English only. Thank you.

did everything from the beginning. The result is the same.
From your config I changed:
Login: Password
Region: Russia2 (without it will not connect to the frequency 2472)
Channel With: 20/40 MHz eC
WPA EAP (tkip-tkip)

aes-aes:
19:27:52 wireless,debug wlan1: EC:4C:4D:55:9A:38 not acceptable for security profile: does not
have matching group ciphers
19:27:52 wireless,debug wlan1: failed to select network

17:42:52 wireless,debug EC:4C:4D:55:9A:38: on 2472 AP: yes SSID RTWiFi caps 0x831 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug EC:4C:4D:55:9A:39: on 2472 AP: yes SSID RTFree caps 0x831 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug EC:4C:4D:55:9A:3A: on 2472 AP: yes SSID RTOpen caps 0x821 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug wlan1: no network that satisfies connect-list, by default choose with strongest signal
17:42:52 wireless,info EC:4C:4D:55:9A:38@wlan1 established connection on 2472000, SSID RTWiFi
17:43:23 wireless,debug wlan1: start background scan
17:43:27 wireless,debug wlan1: background scan complete, must select network
17:43:27 wireless,debug wlan1: no network that satisfies connect-list, by default choose with strongest signal
17:43:27 wireless,debug wlan1: failed to select network
17:43:27 wireless,debug wlan1: did not find better AP
17:43:57 wireless,debug wlan1: start background scan

[admin@MikroTik] > /in wi export
# may/12/2017 17:46:26 by RouterOS 6.40rc2
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip management-protection=allowed mode=dynamic-keys
mschapv2-password=*** mschapv2-username=77970047518 name=77970047518 supplicant-identity=77970047518 tls-mo
dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 frequency=auto security-pr
77970047518 ssid=RTWiFi wps-mode=disabled

A similar problem is with the ifc. Installed RouterOS 6.39.1 on mikrotik sxt lite2.
Only MAC is different:

15:43:33 wireless,info EC:4C:4D:55:A6:7A@wlan1 established connection on 2472000, SSID RTWiFi
15:44:03 wireless,info EC:4C:4D:55:A6:7A@wlan1: lost connection, 802.1x authentication timeout

I did everything as FFAMax wrote, I used it config but with my login and password.X Rate at the same time costs 1 Mbps. It was registered with mikrotik sxt lite2 via an accessible RTOpen.
This is only when the Group Ciphers tkip is enabled, otherwise only the frequency search is performed.

Here's what I found at the base point of Rostelecom:

The program and testing technique of the wireless access point equipment for the implementation of the Internet access service from the Universal Communications Services
Technique of checking the functionality of equipment
Authentication and security testing
Support for 802.1x authentication using an external radius server.
Test Name: Support for 802.1x authentication using an external server radius.
The purpose of the test: Ensure that 802.1x authentication is supported using the external radius of the server and the EAP-PEAP protocols.
Importance of the test: Basic
Test procedure: Configure the access point with two SSIDs on one of (SSID1) which specify the encryption mode of WPA2 (or WPA2 AES); The 802.1x authentication mode with the EAP-PEAP authentication option.
As the authentication algorithm in the second authorization phase, specify MSCHAPV2. The setup should allow the user to authenticate with the login / password pair without having to use certificates on the client hardware.
2. Through the BTC GUI, configure the external radius of the server-specify the IP address, port and secret key for the FreeRadius lab server.
3. On the FreeRadius laboratory radius server, configure two users of TestUser1 and TestUser2. Define for them different passwords for access. Configure server
Certificate for the radius of the server. Configure BTC as the NAS client for the FreeRadius server.
4. Set SSID1 authentication mode through the external radius server (Enterprise) mode.
5. Activate the session using a Windows 7/8 client on a laptop with 802.1x authentication settings and a recommended user name and password.
Expected Result: Make sure that clients with a pair of login / password specified in the Radius server get access to the SSID
1. Ensure that clients with an incorrect password do not gain access to SSID1. Ensure that clients with 802.1x authentication disabled or do not support this authentication do not gain access to 802.1x.

Base station ROTEK rt-br24-wfn2e

Maybe this will help as it sorted out ?!

Transfer of the MAC address of the subscriber when authorizing the subscriber to the Radius server
Test name: Transfer of the MAC address of the subscriber when authorizing the subscriber to the Radius server. The purpose of the test: Ensure the transmission of the MAC address of the subscriber when authorizing the subscriber to the Radius server.
Importance of the test: Basic
Test procedure:
1. For the test, verify by using the analyzer protocol the presence of MAC Client addresses in the Radius message
Expected result Mac client address is present in the Radius message

Can I have a problem with CCQ?

And yet, the real distance to the point of 400 meters.

Hi!

As i wrote in e-mail, try to use 6.40rc2 first.

Hi!

As i wrote in e-mail, try to use 6.40rc2 first.

OK! On the weekend I'll try. Version 6.40 downloaded, I'll try to get closer to the access point, I do not have direct visibility.

Thank you for helping FFAMax! Works with version 6.40rc2.

Hello! I using a version of firmware 6.40rc2 and could not to connect to RTWiFi. The network is connect, but after 4 or 5 seconds its lost and then connect ones more time. Lost-connect-lost-connect...what should I do? Maybe problems with MAC?

Wait I was just trying to connect for an hour to realize that I had to type my username as supplicant-identity. What is difference between mschapv2-username and supplicant-identity? Linux systems (and Android) shows identity and anonymous identity or username and anonymous identity. Why those names are so confusing and what's their actual meaning?

supplicant-identity corresponds with "anonymous identity".
is is kind of a dummy value that is used to establish the initial connection before the encryption is established and the real user/pass are sent.
I think it is mostly because of they way WiFi authentication has evolved.
usually it does not matter what is in supplicant-identity but in our radio network where we do not need to hide the real username, we normally use the same value as for username.

eap-ttls-mschapv2 on capsman ???
can someone help me ?
It is even possible ?