WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Fri Mar 16, 2012 12:10 am
by marclobelle
Hello,
For a project in Benin I plan to buy tens to hundreds of Mikrotik access points and routers of different types, but this selection of Mikrotik is subject to a hard condition: users must be authenticated using EAP-PEAP and a RADIUS server before accessing the network.
For the access points, this means WPA/WPA2 enterprise with EAP-PEAP (this uses 802.1x), and for routers, this means that in order to receive an address from the DHCP server they must also be authenticated by EAP-PEAP. For both the AP and the router requirements, there are products that support it, say Cisco APs, Zcom APs, Huawei layer 3 switches etc. (that's what I use now).

I would prefer using Mikrotik devices everywhere to get the same OS and the same user interface everywhere, and in this way ease the life of the operators and get more devices for the money available. But this is only possible if the above requirements are satisfied.

So, 2 questions:
1. Is this supported by RouterOS?
2. If yes, how can it be configured? Is it possible with the last version of the web interface, or must one use the command line? Could you give me a clear description, complete enough to be also usable by the operators?

Thank you in advance and best regards

Marc

Re: WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Fri Mar 16, 2012 6:57 am
by vik1988
Yes, Mikrotik supports EAP/PEAP authentication via RADIUS on wireless.

And yes, on DHCP too.

[Attached screenshots: mt1.JPG, MT2.JPG, MT3.JPG]

Re: WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Sun Mar 18, 2012 9:36 pm
by marclobelle
I tried as explained for wireless. There are minor differences in the EAP wireless screen: I had to select passthrough in eapmethods, not in TLS mode. In tlsmode, I tried nocertificate and don't verify certificate. In both instances several requests are sent, but all time out; there are also many resends but no reply.

Are there other parameters that I should set (called id, domain, realm, src address)?

I can ping the RADIUS server I use (81.92.236.228) and the shared secret is correctly used. This RADIUS server is correctly used with Cisco and Zcomax APs. Computers connect using EAP-PEAP and EAP-TTLS using these non-Mikrotik APs. I tried with EAP-PEAP from a Windows XP notebook.

Do you see what could be wrong ?

Marc

Re: WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Mon Mar 19, 2012 5:56 am
by vik1988
Which mac-format you used as username and password, and which format is described in the RADIUS server, does matter.

paste logs....

Re: WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Mon Aug 04, 2014 11:35 pm
by dtk001
Hello, I would like to know if Mikrotik is compatible with Microsoft Windows Server 2008 IAS or NPS?

Can we authenticate the users via wireless against AD using the Microsoft RADIUS server?

Kindly confirm if you've already tried it before.

Regards,

Re: WPA/WPA2 enterprise with EAP-PEAP authentication

Posted: Thu Apr 23, 2015 1:28 pm
by YaroslavEremin
> Hello, I would like to know if Mikrotik is compatible with Microsoft Windows Server 2008 IAS or NPS?
>
> Can we authenticate the users via wireless against AD using the Microsoft RADIUS server?
>
> Kindly confirm if you've already tried it before.
>
> Regards,

In that case Mikrotik just delegates the whole auth process to RADIUS (NPS).

# Security profile for WPA2-EAP on the AP
/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys \
    name=itwonline-peap-ms-chap-v2 \
    radius-mac-mode=as-username-and-password supplicant-identity=""

Read more here: https://plus.google.com/+%D0%AF%D1%80%D ... pp3pvuAZne
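
A fuller AP-side configuration for the setup discussed in this thread, as an added example that is not part of any post: the RADIUS client entry, a WPA2-EAP profile that passes EAP through to the server, and the commands for collecting the logs and counters asked for earlier in the thread. The address 192.0.2.10, the shared secret, the profile name peap-radius and the interface name wlan1 are placeholders.

```routeros
# Added example, not from the thread. Placeholder values: 192.0.2.10,
# CHANGE-ME-shared-secret, profile name "peap-radius", interface wlan1.

# 1. RADIUS client entry used by the wireless service.
#    The timeout value is an assumption; it sets how long the AP waits
#    for a reply before resending a request.
/radius
add service=wireless address=192.0.2.10 secret="CHANGE-ME-shared-secret" \
    timeout=3s

# 2. WPA2-Enterprise profile. With eap-methods=passthrough the AP relays
#    the client's EAP exchange (PEAP here) to the RADIUS server, which
#    terminates the TLS tunnel and checks the credentials.
/interface wireless security-profiles
add name=peap-radius mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough unicast-ciphers=aes-ccm group-ciphers=aes-ccm

# 3. Attach the profile to the AP interface.
/interface wireless
set wlan1 security-profile=peap-radius

# 4. Collect evidence when requests time out: log RADIUS traffic in
#    detail and read the per-server counters (requests, accepts,
#    rejects, timeouts, bad replies).
/system logging
add topics=radius,debug action=memory
/radius monitor 0
/log print where topics~"radius"
```

On the server side, the AP's source address has to be registered as a RADIUS client with the same shared secret. A RADIUS server silently discards requests from clients it does not know, which the AP sees only as timeouts and resends.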