Our institute started using 802.1x recently and I decided to purchase some routers that do 802.1x.
On reading that RouterOS does 802.1x natively, I purchased a number of them.
Unfortunately, none of them appeared to work with our 2-phase 802.1x, despite trying various settings.
Finally we decided to flash the MIPS MikroTik routers with OpenWRT and 802.1x worked.
But we still have some MikroTik routers that are ARM and cannot be flashed with OpenWRT.
Can someone, anyone teach me how to set dot1x?
We tried setting the EAP method in dot1x to eap-peap or eap-mschapv2 or both; none worked. Note that we were explicitly told to leave the certificate field “none” in the 802.1x instructions for Linux.
The openWRT configuration is (/etc/config/wpa.conf), using the wpad package
It should be:
/interface dot1x client
add interface=INTERFACE eap-methods=eap-peap identity=USERNAME password=PASSWORD
However, from the help pages: “CA certificates are required for eap-tls, eap-ttls and eap-peap authentication methods”. MikroTiks have no default list of CA certificates, whereas Linux has a predefined list installed. It would be what you specify with ca_cert= when using wpad. Note that this is different from also having a client certificate for eap-tls, which may be what your site instructions are referring to (this would be specified by client_cert=, private_key= and private_key_password= for wpad).
Does this mean that if I upload Ubuntu’s CA certificate bundle (located at “/etc/ssl/certs/ca-certificates.crt”, from Mozilla) into Files, then System→Import it, it would appear in the certificate drop-down menu when I select New Dot1x Client? And then selecting it as the Certificate would make things work automagically?
I’ve not tried importing a file containing multiple CA certificates, so it may not work. It would be better to import the specific CA certificate by which your organisation’s RADIUS server certificate is signed, and in some cases it may have been signed by a local self-signed CA rather than a well-known public CA, in which case it would not exist in the public bundle in any case.
Preliminary tests show that it is possible to import a file with multiple certs, so we are going to take the Linux certificate bundle, import it and then check to see which certificate, if any, makes the RADIUS server tick — there is a limited number because surely it is one of my country’s certs. And the openWRT connection doesn’t need to supply a cert, so it must be in the ca-certificates bundle.
The problem is mostly resolved; our 2-phase 802.1x works when:
we File→Upload and System→Import the Ubuntu CA certs (we later narrowed our RADIUS server CA cert down to one particular CA cert);
we choose EAP method PEAP and leave the Cert field empty in the New Dot1x Client page;
we update the TIME correctly (otherwise the certificate fails to verify); this can be automatic if you have NTP on another wire.
Thank you very much for your assistance. We note the fact that time needs to be correct (not always true if you don’t have a time-service source) for friends in the future.
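The working sequence from this thread, written out as RouterOS CLI commands. This is an added example and not any poster's configuration; it assumes RouterOS v7 syntax, that the bundle was uploaded as ca-certificates.crt, that the 802.1x uplink is ether1, that NTP is reachable over another port, and placeholder USERNAME/PASSWORD values. Unlike the final post, which left the certificate field empty, it points certificate= at the one imported CA that signs the RADIUS server certificate, so the supplicant actually verifies the server before sending MSCHAPv2 credentials inside the PEAP tunnel; the certificate name and the common-name pattern are assumptions to replace with your own.

```routeros
# Added example (not from the thread). Assumptions: RouterOS v7, bundle
# uploaded as ca-certificates.crt, 802.1x port ether1, NTP reachable on
# another wire. Replace USERNAME, PASSWORD and the CA name/pattern.

# 1. Fix the clock first: server certificate verification fails when the
#    router clock predates the certificate's notBefore date.
/system clock set time-zone-autodetect=yes
/system ntp client set enabled=yes servers=pool.ntp.org

# 2. Import the uploaded bundle (File -> Upload in WinBox/WebFig).
#    RouterOS typically names the entries after the file: ca-certificates.crt_0,
#    ca-certificates.crt_1, ... and the import tolerates a multi-cert file.
/certificate import file-name=ca-certificates.crt passphrase=""

# 3. Locate the CA that signs your RADIUS server certificate (the pattern
#    "YOUR-ROOT-CA" is a placeholder); note its name for the next step.
/certificate print brief where common-name~"YOUR-ROOT-CA"

# 4. Create the 802.1x supplicant on the uplink port, pinned to that CA.
#    Dropping certificate= reproduces the thread's final (unverified) setup.
/interface dot1x client add interface=ether1 eap-methods=eap-peap \
    identity=USERNAME password=PASSWORD certificate=ca-certificates.crt_0

# 5. Check the result; status should report the port as authenticated.
/interface dot1x client monitor [find interface=ether1] once
```

To narrow the bundle down to the one CA without trial and error, the OpenWrt box that already works can tell you the chain: if wpad logs it, `logread` shows wpa_supplicant's `CTRL-EVENT-EAP-PEER-CERT depth=... subject=...` lines during authentication, and the deepest entry names the root CA to keep on the MikroTik.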