How can I migrate from UBNT to Mikrotik APs and CPEs with WPA2 / PEAP?

With UBNT RADIUS is very simple to configure WPA2/PEAP with username ans password. Register the AP on FreeRADIUS as client and configure username and password in the CPEs. WPA2/PEAP works!

How I do with Mikrotik?

I don't remember this as being difficult on the Mikrotik as well.You define a Radius shared secret via Radius menu and put it on the Radius server , create a wireless security profile that has WPA2/PEAP in it and set the Ap or VAp to use that security profile.

Check out the Wiki entries for some information

http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
http://wiki.mikrotik.com/wiki/How_to_se ... _By_Ramona

None describes wpa peap.

Already RADIUS for hotspot and pppoe, my problem is with WPA2 / PEAP clients mikrotik and UBNT for mikrotik APs.

I'll have to check if I made some docs since we use WPA2/PEAP to authenticate certain Active Directory users to certain RB951/RB2011 without any hotspot facility via NPS on Server 2008R2.

Hello.
I'm no slve the problem, I'm having is to have working WPA with RADIUS.

CPEs can connect to access-list configured on the AP with the same password as the CPE, but does not connect when I put a different password in the access-list and the correct password on the RADIUS.

I get this information in the log:

echo: wireless,debug wlan1-cjzndoasxt1so: 4C:5E:0C:XX:XX:XX attempts to associate
echo: wireless,debug wlan1-cjzndoasxt1so: 4C:5E:0C:XX:XX:XX in local ACL, accept
echo: wireless,info 4C:5E:0C:XX:XX:XX@wlan1-cjzndoasxt1so: connected, wants bridge
echo: wireless,info 4C:5E:0C:XX:XX:XX@wlan1-cjzndoasxt1so: disconnected, unicast key exchange timeout
echo: wireless,debug wlan1-cjzndoasxt1so: 4C:5E:0C:XX:XX:XX attempts to associate
echo: wireless,debug wlan1-cjzndoasxt1so: reject 4C:5E:0C:XX:XX:XX, banned (last failure - unicast key exchange timeout)

You should not have an entry in the Access list for CPEs that you wish to authenticate by Radius.

When the CPE connects to the AP, the AP checks the Access List for entry that match the CPE. If an entry if found then the Radius is not consulted but if no entry is found in the Access List then Radius is consulted.

In your case, there is an entry for the CPE in Access List with a WPA password that is different from what the CPE is supplying. So, the AP will reject the CPE (due to wrong password) without consulting the Radius Server.

Delete the entry from the Access List and the AP will attempt to authenticate the CPE by Radius.

Thank you very much.