MikroTik does not support having different PSK per device under WPA2-PSK.
It is possible to do this under WPA2-EAP, but you will find that not all client devices support that, and when they do they may mandate the installation of a certificate (this is not strictly required for the protocol to operate, but some suppliers babysit their user security).
What you can realistically do is use an access list. Add every device you are using to the access list (available as a right-button action in the registration tab) and after you have done that for all your devices you can remove the “default authenticate” and “default forward” checkmarks in the wifi configuration, and only devices in the access list can still connect.
When you have more than one MikroTik WiFi AP, you can also configure user-manager on one of them, and set the wireless devices for MAC authentication via RADIUS, so you need to maintain only 1 copy of the access list (in user-manager) and clients can connect to all your APs.
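The access-list lockdown described in the two paragraphs above, as an added configuration example that is not part of the thread. It assumes the legacy "wireless" package (RouterOS 6 syntax; the wifiwave2 paths differ), an AP interface named wlan1, placeholder MAC addresses and a placeholder RADIUS address and secret; the user-manager lines at the end assume the RouterOS 6 user-manager command set. Note that a MAC access list only identifies a device, it does not authenticate it, so the WPA2 key stays in place and the list is an extra filter on top of it.

```routeros
# Added example, not from the thread. Run on the AP. Placeholder values throughout.

# 1. Register every known device first (the same thing the "add to access list"
#    right-click action in the Registration tab does). authentication=yes lets the
#    device associate; forwarding=yes lets it talk to other clients on this AP,
#    set it to no for client isolation.
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:01 authentication=yes forwarding=yes comment="office-laptop-01"
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:02 authentication=yes forwarding=yes comment="label-printer-01"

# 2. Only after all devices are listed: stop accepting anything that is not in the
#    list. A client matching no access-list entry is now refused at association
#    even if it knows the PSK.
/interface wireless set wlan1 default-authentication=no default-forwarding=no

# 3. Optional, with several APs: keep one list in user-manager on a central router
#    and let every AP ask it over RADIUS. The AP sends the client MAC as username
#    and an empty password (radius-mac-mode=as-username).
/radius add service=wireless address=192.0.2.1 secret="change-me" comment="router running user-manager"
/interface wireless security-profiles set default radius-mac-authentication=yes radius-mac-mode=as-username radius-mac-format=XX:XX:XX:XX:XX:XX

# On the central router (RouterOS 6 user-manager syntax, assumed), one entry per AP
# and one user per device, the MAC being the username:
# /tool user-manager router add ip-address=192.0.2.10 shared-secret="change-me" customer=admin
# /tool user-manager user add customer=admin username=AA:BB:CC:DD:EE:01 password=""

# Check: which clients are actually associated and which list entry matched them.
/interface wireless registration-table print
/interface wireless access-list print
```

With step 3 in place the local access list on each AP can stay empty: a MAC that user-manager rejects is handled like an unlisted one, which is why default-authentication=no has to be set on every AP, not only the central router.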
This is intended for a rather large network. I have separated it in four tiers:
GENERAL - used for general access, only internet available and that’s it
PRODUCTION - internal production LAN link - would use MT pseudobridges to connect to WiFi as I have some industrial equipment that needs LAN where there isn’t any - I would use security here
TERMINALS - special LAN, only for terminals, have two services available on two servers and that’s it. Few ports in total, no internet.
INTERNAL - connect to internal LAN (on separate VLAN) to be used for user laptops and connect printers (via pseudobridges).
From what you say, I would be able to make it work this way with WPA2-EAP? Do I have to have certificates installed on Windows machines to make this work?
OK, so in CapsMan I add the device based on MAC and when I turn off the default auth, then I have the opposite of deny - only clients that match an access list rule with an allow action will be authenticated, and if a client does not match any rule, they are dropped.
This is also OK, but could be spoofed I guess.
Do I need this if I am managing this through the CapsMan? (Haven’t done blocking or enabling access due to MAC before, that is why I ask.)
Yes, it is possible to make WPA2-EAP work on Windows and e.g. Android and iOS, we have that here at my work.
But I can tell you it is a royal pain in the b*tt to make it all working and to get the certificates installed etc.
In the end I have made it all work automatically with INTUNE and a UBNT Linux-hosted controller + freeradius, but that is not something I can share.
We even have all the different network environments (similar to yours) on the same WiFi SSID and the VLAN is determined based on the system being connected.
Except for the “guest” network which has a separate SSID with WPA2-PSK, because it is just too difficult to enroll guests.
(e.g. for WPA2-PSK you can make a QR code containing all information, but for WPA2-EAP that does not work)
I would like to stay away from Microsoft as much as I can. DC, file sharing and GPO are on Windows servers, and I am looking to offload fileshares from Windows servers to Synology boxes as they have features I need - namely recycle bins for shares. Also, backing up and other stuff is so much simpler with Syno stuff.
As for the WiFi, the logic I am after is the following:
1. The general network is where people (and guests) keep their stuff (phones and other stuff). They are filtered and firewalled, and I don’t care what happens there.
2. The terminals part is for warehouse and industrial terminals, where internet is blocked and I can use PSK there. No harm done even if I have a rogue client. No connectivity from outside and almost no points to inside.
3. The internal networks - the clients connecting there are laptops and devices specifically set up by me. No one else can do that, and I would like to keep it as secure as possible, without being too much of a hassle.
From what you are saying WPA2-EAP can be done, but I have to wrestle with certificates? I could set them to 25 Y and that’s it.
As for RADIUS… Why are you not using the MikroTik implementation?
It is all one would need really? There are even external clients for managing MT radius server.
The reason why I home-crafted a solution is that I want to stay away from Microsoft too. The normal way would be to use SCEP.
The entire assignment of certificates, usernames, passwords, authentication is done on Linux.
We do not use user-manager because it sucks. It does not even provide replication. We have redundant RADIUS servers. Freeradius is much better when you have a script solution to manage the user database. We have an internal website that generates your username/password, shows it, and puts it in the user database. Then you can either login manually or leave it to INTUNE scripting which automatically does the same thing and puts the values in the registry without need to type the long and complicated passwords.
In Windows it is still possible to work without certificates and use only username/password, but it will ask you “are you sure you trust connecting to this network” every time, which is the right thing to do. The certificate of the network will make the computer trust the network.
It is also possible to use certificates for client authentication but then you would need to manually install them when you do not use SCEP.
May I ask how big is the system? - Complex solutions are warranted only on very large systems, and your solution does seem quite a hassle to develop and maintain. I presume yours spans hundreds of machines. Probably in the range from 200-400? Or more?
I just checked, and really - there is no replication for MT RADIUS… FreeRADIUS seems a go, but then I have one more failure point (host) to maintain as I would have one more server.
My logic is that I could relatively easily replace the entire router with a new one, and I keep the entire core on one router including AAA, which is not a big deal because without the MT core router nothing works… Each time I do a change, I back up and save the config externally. If a router dies, I can replicate everything relatively quickly on the same model hardware. Now when I do larger networks, I always order +1 device of everything, and for APs even more, so I can replicate.
I am in a conundrum now. … Will I use ACLs, or not? How much more secure is ACL access, as an expert hacker could quickly understand what is at hand. Etc.
I have one test installation with Cambium, and that seems quite nice and simple to implement, including multiple passwords per user (AFAIK), but I don’t like being with my hands tied (their management is a joke compared to CapsMan).
//As a weird off-idea, one could script a failover MT radius server. Backup and restore backup on another RB on another IP via a share/script. Do a constant check of Radius every 5 minutes or so. 5 consecutive fails and router kills off one port, and translates all calls to another IP. - Not sure how to do this practically, but it could work, methinks.//
Was this feature removed recently? There is “Private Pre Shared Key” in Access List, and I think it was possible with RADIUS too. Not sure about ROS 7, but it worked a few years ago in ROS 6 (I remember I had a working lab test setup, didn’t yet have the time to deploy on a larger scale).
Yes, it is possible to have a private pre-shared key in Wireless ACL (I think not in user-manager, but maybe I am wrong), but that ties it to a MAC address.
What MikroTik cannot do (and some other manufacturers can) is have one SSID with WPA2-PSK and several different PSKs, and then a user can connect using either of those PSKs and further attributes are derived from the actual PSK used, e.g. a VLAN being assigned, a rate limiting profile selected, etc.
It has been requested to get this in RouterOS as well, but it has not happened. And the introduction of wifiwave2 probably makes it less likely to happen soon (look, they do not even have 4-address mode in wifiwave2).
We have about 250 Windows machines, a similar number of Android phones, and about 2500 “guest” devices that use the wireless network.
There are 39 access points over 3 different office locations. RADIUS runs on Linux VMs on VMware ESXi hosts at 2 of the 3 locations.
(we also use RADIUS for 802.1x authentication on wired switch ports)
Remember: when your RADIUS server is down, your entire network is down. So we really do not want to depend on one user-manager on one router.
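The MAC-bound "private pre-shared key" that the post above describes, as an added configuration example that is not part of the thread: each listed device gets its own PSK and is dropped into the VLAN of its tier (the terminal and internal tiers named earlier in the thread), while anything not in the list is refused. It assumes the legacy "wireless" package (RouterOS 6 syntax), an AP interface wlan1 whose bridge port is a VLAN trunk, placeholder MAC addresses, placeholder keys and the VLAN IDs 30 and 40 chosen here for illustration.

```routeros
# Added example, not from the thread. Placeholder MACs, keys and VLAN IDs.

# The security profile still defines WPA2-PSK; the per-entry key below overrides the
# profile key for that one MAC, so the profile key can be long and never handed out.
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="long-profile-key-nobody-gets"

# One entry per device: its own PSK plus the VLAN tag for its tier. A device that
# presents the right MAC but the wrong key fails the 4-way handshake.
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:10 private-pre-shared-key="terminal-key-10" vlan-mode=use-tag vlan-id=30 authentication=yes forwarding=no comment="warehouse terminal, TERMINALS VLAN"
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:20 private-pre-shared-key="laptop-key-20" vlan-mode=use-tag vlan-id=40 authentication=yes forwarding=yes comment="internal laptop, INTERNAL VLAN"

# Unlisted MACs are refused at association; the profile key alone is not enough.
/interface wireless set wlan1 default-authentication=no default-forwarding=no

# Check: a connected device shows up here with the VLAN it was placed in.
/interface wireless registration-table print detail
```

This is exactly the limitation the post describes: the key selects nothing by itself, the MAC selects the entry, and the key and VLAN hang off that entry. A device with a rotating (private) MAC address simply stops matching, so for phones the list has to be maintained per MAC, which is what makes the scheme impractical beyond a small, fixed set of devices.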
Well that’s a shame… I’ve seen this feature on TP-Links and a few other brands… And for me it is a strong selling point… Right now I have 3-4 networks and everything could be solved with just one if they had this function…
Yes. At home I went to a single SSID and using user-manager with user groups and assigned VLANs, but I need to first add the MAC address to user-manager for each new device. At work that is not practical to do.
It would be neat when MikroTik offered this, but now we have “wireless” (the old driver) where “no further development will be done”, and “wifiwave2” (the Qualcomm driver imported with as little changes as possible) and it lacks lots of features and I would not expect such a new feature to be on top of the list. IF there is any such in-driver development to be done, I get the impression that from now on they want to avoid that as much as possible.
(which I can understand, because it makes it much easier to import a new version of the driver when e.g. new chips have been added or new WiFi standard features have been implemented. The problem with the old driver was that it was many years behind WiFi development)
Hey pe1chl, can you elaborate how to use user manager at home, seems interesting to me.
So only authorized mac addresses are permitted but iphones switch their mac address around??
Good workaround but looks like a lot of trouble for a small home network.
Also, this maybe isn’t the best solution for guest WiFi: you must ask them for the MAC address and disable random MAC, and I know, for example, that Xiaomi phones have random MAC enabled by default.
Random MAC (privately administered MAC) seems to be stable in iOS, Android and Windows when connecting to the same SSID.
How stable, how long (24h?) ? I don’t know.
Users are connecting with username/password in EAP (enterprise security) anyway. So random MAC is not a problem as long as all limits are bound to the username (RADIUS accounting and profile limits).
In wifi “registrations”, the used username for RADIUS is not visible, so I add it in the “Mikrotik-Wireless-Comment” attribute. This is visible in “Registrations”, and DUDE collects them all. With the classic WLAN driver this record also shows the client IP address.
A certificate is only needed in the RADIUS server (e.g. User Manager). It can be self-signed and nothing needs to be sent to the client device. Only don’t check the certificate (yes, there is a warning, to be skipped).
Yes, WPA2-EAP is a much better solution, however it suffers from a couple of problems:
Not all devices support it; usually IoT devices, printers, and similar devices do not support WPA2-EAP.
The use of WPA2-EAP usually comes with unwanted strings attached, e.g. it is enforced to install a root certificate on each device.
The procedure to configure it is often awkward.
There is no support to configure it using a QR code or other quick and easy methods.
It can all be worked around, but it just isn’t as convenient as WPA2-PSK, and that depends on decisions made by the client device manufacturers, which you cannot influence.
E.g. Windows still allows joining a WPA2-EAP protected network by telling it only a username and a password, Android used to allow that (although you had to set several other parameters) but now it insists on having a root certificate. And to install that, you require access to the authentication used by the user.
E.g. when an Android device user walks by and asks to be connected to the WPA2-EAP network, and hands over the device with screen unlocked, you still cannot complete the procedure without giving it back to them halfway to enter their pincode, password, fingerprint or whatever.
So it all works, but it is a hassle.
That’s a lot of guests. For now, I don’t need the system to be so restrictive (although I admit I started drooling over 802.1x - haven’t used it before). Downtime of RADIUS for a while is acceptable in my case. If I was at your place, I would also do something similar to what you did. Also, I like it that you use ESXi. I have Hyper-V, but most people use it.