LeoCombes
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon May 28, 2007 3:56 pm

PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 12:45 am

I want to set up a WISP with MikroTik APs and clients and need to know which option is right for me, to have security and access control on the network.
The equipment that will be used is 5HPND-SAR2 as APs and 5HPND as stations.
An RB1100x2 will be used in the core of the network.

I already have a RADIUS infrastructure with FreeRADIUS and I want to use it for this.

OPTION 1:
At first I thought to use WPA2 security plus PPPoE.

WPA2-PSK security between the 5HPND-SAR2 AP and the 5HPND station provides encryption and security, but doesn't offer RADIUS accounting (correct me if I'm wrong).
PPPoE between the RB1100x2 and the final customer through RADIUS provides authentication, automatic simple queue creation, optionally an IP address, status and disconnect via API, and RADIUS accounting for a historic log of sessions, traffic, etc.

AP -> WPA2 -> STATION
RB1100x2 (PPPoE, simple queues) -> AP -> STATION -> CUSTOMER
RADIUS does: auth PPPoE in RB1100x2 + reply Simple queues in RB1100x2
OPTION 2: I think this is better
After some research I found options like EAP and 802.1x that seem more convenient, but I do not understand them well, or at least I do not know which one suits this work. I understand that by implementing some type of 802.1x I could have security plus the RADIUS accounting system in a more direct way.

802.1x (EAP, EAP-TLS or some of them) security between the 5HPND-SAR2 AP and the 5HPND station provides encryption, security, simple queues in the AP (can it be done?), authorization (which station is accepted in the network and which is not) and RADIUS accounting (correct me if I'm wrong).
From there I could have a direct and transparent connection with the customer, offering IP via DHCP.

AP (simple queues) -> 802.1x -> STATION
RB1100x2 (DHCP to customer) -> AP -> STATION -> CUSTOMER
RADIUS does: auth 802.1x for stations in AP + reply Simple queues in AP
If I choose to use 802.1x I would also like to see the options I have for deployment: must I install a certificate on each MikroTik station device? Is it easy to install? Could I use a common password instead of a certificate?

I would like to have a relatively secure system without the complexity of a NASA launch.

Does anyone have an idea?
Thank you.
Last edited by LeoCombes on Thu Jun 05, 2014 1:51 am, edited 1 time in total.

rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 12:59 am

1) WPA is dead, use WPA2-PSK (only!) with (only!) aes-ccm

2) EAP + DHCP use more bandwidth to do the same, and the setup is much more complex...

3) The right choice for me (4000 users) is to use:

internet -> router -> gateway -> pppoe-server -> eoip-tunnel-start -> wisp infrastructure -> non wds access-point -> eoip-tunnel-end -> bridge -> wlan module ->
electromagnetic waves ->
CPE non wds wlan station -> pppoe-client -> dhcp-server -> ethernet -> client

from router also:
router -> dns server (DNS proxy really...)
router -> user-manager


You have too many questions for a WISP starter.
If you start the wrong way, you cannot go further...

Search for a RouterOS basic course...
Last edited by rextended on Thu Jun 05, 2014 1:58 am, edited 3 times in total.
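Both LeoCombes's option 1 and rextended's recommended chain come down to the same two building blocks: WPA2-PSK with aes-ccm only on the wireless hop, and a PPPoE server on the gateway that authenticates and accounts against RADIUS, with the CPE (not the end user) dialing. The following is an added configuration example written for this page; it is not configuration posted by either participant. Interface names (wlan1, ether1, bridge-wisp), the SSID, the address ranges, the account name cpe-0001, the RADIUS server address 10.0.0.10 and every secret are assumptions or placeholders. RouterOS v6-era CLI syntax is used throughout.

```routeros
# ===== AP (5HPND-SAR2): WPA2-PSK, CCMP only =====
# No wpa-psk, no tkip: only WPA2 with AES-CCM is offered to stations.
/interface wireless security-profiles
add name=wisp-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"
/interface wireless
set wlan1 mode=ap-bridge ssid=wisp-sector1 security-profile=wisp-wpa2
# wlan1 is bridged towards the gateway (in rextended's layout through an
# EoIP tunnel); the bridge and tunnel themselves are not shown here.

# ===== CPE (5HPND): station + PPPoE client + DHCP for the customer LAN =====
/interface wireless security-profiles
add name=wisp-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"
/interface wireless
set wlan1 mode=station ssid=wisp-sector1 security-profile=wisp-wpa2
# The CPE dials PPPoE by itself as soon as it boots; the customer never
# handles credentials. cpe-0001 is a placeholder account name.
/interface pppoe-client
add name=pppoe-out1 interface=wlan1 user=cpe-0001 password="REPLACE-ME" \
    add-default-route=yes use-peer-dns=yes disabled=no
/ip address add address=192.168.88.1/24 interface=ether1
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan interface=ether1 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 \
    dns-server=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# ===== Gateway (RB1100x2): PPPoE server, auth + accounting via RADIUS =====
/ip pool add name=pppoe-pool ranges=10.20.0.2-10.20.255.254
/ppp profile add name=wisp-pppoe local-address=10.20.0.1 \
    remote-address=pppoe-pool only-one=yes
/interface pppoe-server server
add service-name=wisp interface=bridge-wisp default-profile=wisp-pppoe \
    authentication=mschap2 one-session-per-host=yes disabled=no
# 10.0.0.10 = the FreeRADIUS server (assumed). The same /radius entry is
# used for accounting (start/stop/interim), which is the session history
# LeoCombes wants.
/radius add service=ppp address=10.0.0.10 secret="REPLACE-RADIUS-SECRET"
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# ===== FreeRADIUS: entry in the 'users' file for that CPE =====
# Mikrotik-Rate-Limit comes from dictionary.mikrotik shipped with
# FreeRADIUS. "2M/10M" is rx/tx as seen by the router, i.e. the customer
# uploads at 2 Mbit/s and downloads at 10 Mbit/s; RouterOS turns this
# reply into a dynamic simple queue for the lifetime of the session.
#
# cpe-0001    Cleartext-Password := "REPLACE-ME"
#             Service-Type = Framed-User,
#             Framed-Protocol = PPP,
#             Framed-IP-Address = 10.20.1.5,
#             Mikrotik-Rate-Limit = "2M/10M"
```

Two points worth keeping in mind with this layout. The pre-shared key is the same on every CPE, so WPA2-PSK here only keeps outsiders off the radio link; what identifies and authorizes an individual customer is the PPPoE account, and that is also where the accounting records come from. And because the PSK is shared, replacing a leaked key means touching every CPE, whereas disabling one PPPoE account in FreeRADIUS (and dropping its active session on the RB1100x2) affects only that customer.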

LeoCombes
Topic Author

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 1:50 am

I will use wpa2.
I wrote WPA referring to WPA2 in a generic way, I am going to edit it...

LeoCombes
Topic Author

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 2:17 am

>>>1) WPA is dead, use WPA2-PSK (only!) with (only!) aes-ccm
You're right, we will use WPA2.
>>>2) EAP + DHCP use more bandwidth to do the same, and the setup is much more complex...
Does it use more bandwidth for encryption? Or for other reasons?
>>>3) The right choice for me (4000 users) is to use:
>>>
>>>internet -> router -> gateway -> pppoe-server -> eoip-tunnel-start -> wisp infrastructure -> non wds access-point -> eoip-tunnel-end -> bridge -> wlan module ->
>>>electromagnetic waves ->
>>>CPE non wds wlan station -> pppoe-client -> dhcp-server -> ethernet -> client
>>>
>>>from router also:
>>>router -> dns server (DNS proxy really...)
>>>router -> user-manager
I assume that you use WPA2 as security, right?
Do your stations dial PPPoE?

rextended

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 2:33 am

>>>>>>2) EAP + DHCP use more bandwidth to do the same, and the setup is much more complex...
>>>Does it use more bandwidth for encryption? Or for other reasons?
If you create a transparent network, all the traffic goes to the gateway, including multicast and broadcast traffic, etc.

>>>I assume that you use WPA2 as security, right?
Obviously WPA2-PSK with aes-ccm WITHOUT WPA or tkip....

>>>>>>internet -> router -> gateway -> pppoe-server -> eoip-tunnel-start -> wisp infrastructure -> non wds access-point -> eoip-tunnel-end -> bridge -> wlan module ->
>>>>>>electromagnetic waves ->
>>>>>>CPE non wds wlan station -> pppoe-client -> dhcp-server -> ethernet -> client
>>>Do your stations dial PPPoE?
Ok, the schema can be confusing, but it is clear: I use a PPPoE server/client pair for authentication (dial)

LeoCombes
Topic Author

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 3:42 am

>>>>>>Do your stations dial PPPoE?
>>>Ok, the schema can be confusing, but it is clear: I use a PPPoE server/client pair for authentication (dial)
Who dials PPPoE? Final customers or stations?

rextended

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 3:52 am

>>>>>>>>>Do your stations dial PPPoE?
>>>>>>Ok, the schema can be confusing, but it is clear: I use a PPPoE server/client pair for authentication (dial)
>>>Who dials PPPoE? Final customers or stations?
The PPPoE server is on the gateway, the PPPoE client is on the CPE and is automatically "dialed" when the CPE is powered on.
End users do not have access to the CPE config and do not do anything, they just plug the ethernet into the PC, or buy an access point.

LeoCombes
Topic Author

Re: PPPoE, 802.1x, WPA... Which?

Thu Jun 05, 2014 5:45 pm

>>>The PPPoE server is on the gateway, the PPPoE client is on the CPE and is automatically "dialed" when the CPE is powered on.
>>>End users do not have access to the CPE config and do not do anything, they just plug the ethernet into the PC, or buy an access point.
Ahh, it is similar to my option 1. The main difference is that in my network the end user dials PPPoE, while on your network the station dials PPPoE.

Thank you Rextended for taking the time to explain, it is clear. And it is much simpler and faster to deploy WPA2+PPPoE than 802.1x, and surely it is more convenient for 90% of cases.

Now, I want to take on the challenge of trying to run 802.1x without PPPoE, as some customers have requested it recently, as in option 2.
I will start with WPA-PSK without certificates to test what can be done with standard 802.1x on my network.

If you or anyone else has any experience, I would be grateful to share it.
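For readers who want to see what option 2 looks like in practice, the following is an added example for this page, not configuration posted by anyone in the thread. It shows the certificate-based variant of 802.1x on RouterOS wireless: the AP relays EAP to the RADIUS server (eap-methods=passthrough) and reports RADIUS accounting per station, while each CPE authenticates with EAP-TLS using its own client certificate and verifies the server certificate against the imported CA. Interface names, the SSID, the RADIUS address 10.0.0.10, the certificate file names and the FreeRADIUS paths are assumptions or placeholders; the certificate names RouterOS assigns after import should be read from /certificate print. Rate limiting via RADIUS replies for wireless clients is a separate topic and is deliberately not shown.

```routeros
# ===== AP (5HPND-SAR2): WPA2-Enterprise, EAP relayed to RADIUS =====
# passthrough: the AP does not terminate EAP itself; it forwards the EAP
# exchange to FreeRADIUS, which decides which station is admitted.
# radius-eap-accounting=yes sends per-station accounting to the same server.
/radius add service=wireless address=10.0.0.10 secret="REPLACE-RADIUS-SECRET"
/interface wireless security-profiles
add name=wisp-eap-ap mode=dynamic-keys authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=passthrough radius-eap-accounting=yes
/interface wireless
set wlan1 mode=ap-bridge ssid=wisp-sector1 security-profile=wisp-eap-ap

# ===== CPE (5HPND): EAP-TLS supplicant with its own certificate =====
# Each CPE carries its own client certificate + private key plus the CA
# certificate. Upload the files to the router first; names are placeholders.
/certificate import file-name=wisp-ca.crt
/certificate import file-name=cpe-0001.crt
/certificate import file-name=cpe-0001.key passphrase="REPLACE-ME"
# tls-mode=verify-certificate: the station refuses RADIUS servers whose
# certificate does not chain to the imported CA (no rogue-AP acceptance).
# CPE-0001-CERT-NAME is whatever /certificate print shows after import.
/interface wireless security-profiles
add name=wisp-eap-sta mode=dynamic-keys authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=eap-tls tls-mode=verify-certificate \
    tls-certificate=CPE-0001-CERT-NAME
/interface wireless
set wlan1 mode=station ssid=wisp-sector1 security-profile=wisp-eap-sta

# ===== FreeRADIUS side (2.x-style eap.conf, paths are placeholders) =====
# eap {
#     default_eap_type = tls
#     tls {
#         private_key_file = ${certdir}/radius-server.key
#         certificate_file = ${certdir}/radius-server.pem
#         CA_file          = ${cadir}/wisp-ca.pem
#     }
# }
# Stations are admitted when their certificate chains to wisp-ca.pem;
# one CPE is removed by revoking (or simply not reissuing) its certificate,
# without changing anything on the other CPEs.
```

Compared with the shared WPA2-PSK of option 1, the per-CPE certificate is what gives individual authorization on the radio link itself: a lost or stolen CPE can be locked out at the RADIUS server without rekeying the rest of the network, and the accounting records are tied to a station identity rather than to a key that everyone shares. The cost is exactly the deployment effort LeoCombes asks about: a certificate and key have to be generated and imported for every station before it can associate.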
