I want to set up a WISP with MikroTik APs and clients and need to know which option is right for me, to have security and access control to the network.
The equipment that will be used are 5HPND-SAR2 as APs and 5HPND as stations.
An RB1100x2 will be used in the core of the network.
I already have a RADIUS infrastructure with FreeRADIUS and I want to use it for this.
OPTION 1:
At first I thought to use WPA2 security plus PPPoE.
WPA2-PSK security between the 5HPND-SAR2 AP and the 5HPND station provides encryption and security, but doesn't offer RADIUS accounting (correct me if I'm wrong).
PPPoE between the RB1100x2 and the final customer through RADIUS provides authentication, automatic simple queue creation, optionally an IP address, status and disconnect via API, and RADIUS accounting for a historic log of sessions, traffic, etc.
AP -> WPA2 -> STATION
RB1100x2 (PPPoE, simple queues) -> AP -> STATION -> CUSTOMER
RADIUS does: auth PPPoE in RB1100x2 + reply simple queues in RB1100x2
OPTION 2: I think this is better
After some research I found options like EAP and 802.1x that seem more convenient, but I do not understand them well, or at least I do not know which one suits this work. I understand that by implementing some type of 802.1x I could have security plus the RADIUS accounting system in a more direct way.
802.1x (EAP, EAP-TLS or some of them) security between the 5HPND-SAR2 AP and the 5HPND station provides encryption, security, simple queues in the AP (can this be done?), authorization (which station is accepted in the network and which is not) and RADIUS accounting (correct me if I'm wrong).
From there I could have direct and transparent connection with the customer, offering IP via DHCP.
AP (simple queues) -> 802.1x -> STATION
RB1100x2 (DHCP to customer) -> AP -> STATION -> CUSTOMER
RADIUS does: auth 802.1x for stations in AP + reply simple queues in AP
If I choose to use 802.1x, I would also like to see the options I have for deployment. Must I install a certificate on each MikroTik station device? Is it easy to install? Instead of a certificate, could I use a common password?
I would like to have a relatively secure system without the complexity of a NASA launch.
Does anyone have an idea?
Thank you.