frittentheke
newbie
Topic Author
Posts: 45
Joined: Mon Dec 24, 2012 1:12 am
Location: Germany

WPA2 with EAP-TTLS + PAP (user+passwd) against a RADIUS?

Wed May 14, 2014 10:38 am

Hey all,

Short summary: I want to set up a Mikrotik AP with WPA2 encryption using EAP-TTLS+PAP against a Radiator RADIUS server.


I know the subject "EAP-TTLS" has been the subject of a few posts in recent years. But even though I used the search quite a bit, I cannot get a clear and plain "YES" or "NO" to my question.

1) http://forum.mikrotik.com/viewtopic.php?f=2&t=54538
2) http://forum.mikrotik.com/viewtopic.php?f=7&t=45124
3) http://forum.mikrotik.com/viewtopic.php?f=2&t=39079

There has even been a feature request for EAP-TTLS support http://forum.mikrotik.com/viewtopic.php?f=1&t=70426 which confused me even more.
So please excuse me opening another post to the subject ...


I am running a RB2011 and have another RB 751G to play with and would like to achieve the following:

a) Have an AP with WPA2 security and EAP
b) As EAP "layer" I'd like EAP-TTLS to have a secure and authenticated (SSL certificate) TLS tunnel towards my authentication server
c) Inside the EAP-TTLS tunnel I'd like to do PAP (yeah, it's plain text, but the TLS from EAP-TTLS protects the data here). The PAP should then check username/password against a RADIUS.

Pretty much like it's described here http://www.juniper.net/techpubs/softwar ... P-024.html.
This kind of setup (EAP-TTLS) is widely used by eduroam (https://www.eduroam.org/) that allows university students to use wifi at pretty much every other university.
There is some documentation of how to set this up on the RADIUS side (https://confluence.terena.org/display/H ... +on+campus), but unfortunately there is nothing on configuring a Mikrotik AP accordingly. There is also another post http://forum.mikrotik.com/viewtopic.php?f=2&t=83893 which asks particularly about setting up an eduroam AP.


My questions are:

a) Can this even be done with Mikrotik?
b) How do I set up the wireless security-profile for such an AP? Is passthrough the right option here and will everything else then be done by the RADIUS?
c) How and where do I configure the TTLS tunnel endpoint? ("Server" in the Juniper example). Is that automagically the RADIUS server?
d) If then the tunnel endpoint is set, how do I tell the client to do PAP inside this tunnel? Is that done by the RADIUS or is there anything I need to set on the RB?




Thanks for your help!
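As an added illustration (not part of the original post): in EAP-TTLS as specified in RFC 5281, the inner PAP exchange from point c) travels inside the TLS tunnel as Diameter-format AVPs, with the password null-padded to a multiple of 16 bytes. The sketch below builds and parses that inner payload; the function names and the credentials are constructed for the example, and vendor-specific AVPs are not handled.

```python
import struct

# AVP codes EAP-TTLS (RFC 5281) uses for tunneled PAP
AVP_USER_NAME = 1
AVP_USER_PASSWORD = 2
FLAG_VENDOR = 0x80     # 'V' bit: a 4-byte vendor-id follows the header
FLAG_MANDATORY = 0x40  # 'M' bit


def encode_avp(code: int, value: bytes) -> bytes:
    """4-byte code, 1-byte flags, 3-byte length, data, zero-padded to 4 bytes."""
    length = 8 + len(value)  # header plus data; trailing padding not counted
    header = struct.pack("!IB", code, FLAG_MANDATORY) + length.to_bytes(3, "big")
    return header + value + b"\x00" * (-length % 4)


def build_pap_payload(username: str, password: str) -> bytes:
    """Client side: the cleartext that is handed to the TLS record layer."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)  # null padding hides the exact length
    return (encode_avp(AVP_USER_NAME, username.encode())
            + encode_avp(AVP_USER_PASSWORD, pw))


def parse_avps(payload: bytes) -> dict:
    """Server side: what the TTLS endpoint sees after TLS decryption."""
    avps, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, pos)
        length = int.from_bytes(payload[pos + 5:pos + 8], "big")
        if flags & FLAG_VENDOR:
            raise ValueError("vendor-specific AVPs not handled in this sketch")
        if length < 8 or pos + length > len(payload):
            raise ValueError("bad AVP length")
        avps[code] = payload[pos + 8:pos + length]
        pos += length + (-length % 4)  # skip alignment padding
    return avps


if __name__ == "__main__":
    # Constructed sample credentials
    inner = build_pap_payload("alice@example.org", "s3cret")
    print(inner.hex())
    print(parse_avps(inner))
```

These bytes exist only as TLS application data between the supplicant and the TTLS server, which is why the username and password are readable at the tunnel endpoint and nowhere in between.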
