MikroTik RouterOS • View topic - WPA/WPA2 entreprise with EAP-PEAP autentications

marclobelle · **Posted:** Fri Mar 16, 2012 12:10 am

Hello,
For a project in Benin I plan to buy tens to hundreds of mikrotik access points and routers of different type but this selection of Mikrotik is submit to a hard condition: users must be autheticated using EAP-PEAP and a radius server before accessing to the network.
For the access points, this means WPA/WPA2 entreprise with EAP-PEAP (this uses 802.1x) and for routers, this means that in order to receive an address from the DHCP server they must also be authenticated by EAP-PEAP. Both for the AP as for the router requirements, there are products that support it, say cisco APs, Zcom APs, Huawei leayer 3 switches etc. (that's what I use now)

I would prefer using mikrotik devices everywhere to get the same OS and the same user interface everywhere and this way ease the life of the operators and getting more devices for the money available. But this is only possible if the above requirements are satisfied.

So, 2 questions: 1. Is this supported by routerOS
2. If yes, how can it be configured? is it possible with the last version of the web interface, must one use command line. Could you gie me a clear escription, complete enough to be also usable by the operators.

Thank you in advance and best regards

Marc

vik1988 · **Posted:** Fri Mar 16, 2012 6:57 am

Yes Mikrotik Supports EAP/Peap Authentication via Radius on Wireless.

And yes on DHCP too..

Attachment:

mt1.JPG [ 57.62 KiB | Viewed 1229 times ]

Attachment:

MT2.JPG [ 24.84 KiB | Viewed 1229 times ]

Attachment:

MT3.JPG [ 19.55 KiB | Viewed 1229 times ]

marclobelle · **Posted:** Sun Mar 18, 2012 9:36 pm

I tried as explained for wireless. there are minor differences in the eap wireless screen: I had to select passthrough in eapmethods, not in TLS mode. In tlsmode, I tried nocertificate and dont verify certificate. In both instances several requests are sent, but all time out, there are also many resends but no reply.

Are there other parameters that I should set (called id, domain, realm, src address?

I can ping the radius server i use (81.92.236.228) and the shared secret is correctly used. This radius server is correctly used with cisco and Zcomax APs Coputers connect using EAP-PEAP and EAPTTLS using these non mikrotik APs. I tried with eap-peap from a windows xp notebook.

Do you see what could be wrong ?

Marc

vik1988 · **Posted:** Mon Mar 19, 2012 5:56 am

What is the mac-format you used as Username and password and what format is described in Radius Server does matters.

paste logs....

Who is online