My university internet requires wired 802.1x authentication to get internet. I am trying to configure this on a hAP ac (RouterOS v6.48.1) with the following settings:
- interface: ether1
- eap-methods: eap-peap
- identity: ******
- password: ******
- anon. identity: none
- certificate: DigiCert_Assured_ID_Root_CA (as required by the university in their instructions)
However, I get the error “rejected: no key for certificate found”. The certificate was imported as described in the manual without any problems.
When I remove the CA certificate I get “handshake failed: certificate is not yet valid” which tells me some kind of certificate is expected here.
My previous router was a ubiquiti edgerouter lite, which uses wpa_supplicant in wired mode for 802.1x. I got it working with these settings:
- key_mgmt=IEEE8021X
- eap=PEAP
- phase2="auth=MSCHAPV2"
- identity=******
- password=*****
- eapol_flags=0
- ca_cert="/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt"
Am I missing something here, or is this a bug in the dot1x implementation?
Thanks
In more detail, there is a certificate signed by that CA certificate, which your Mikrotik receives from the switch. So to verify its validity, the CA certificate must be installed on the Mikrotik’s certificate store, as a trusted CA. The Tik will not provide your credentials to a switch whose certificate it doesn’t consider valid. No client certificate is required in the setup chosen by the uni.
Now the issue is that until the Mikrotik connects to internet after cold start, its time is not set correctly as there is no RTC chip in the device. So you have to resolve this chicken-or-egg problem by setting the time on the Mikrotik manually. If you want to automate it, the time you set after power-on using a scheduled script has to fit into the validity period of both the CA certificate and the switch certificate, which may not be the same.
Hi, I am facing a similar issue where I need to use dot1x authentication in my university network.
I could not make it work on my Mikrotik device.
It works on an OpenWRT router with the settings below, in Network → 802.1x client:
username: myuser
password: mypass
interfaces: WAN
EAP: PEAP
Now on my Mikrotik, I go to Dot1x and create a New Dot1X Client with the below settings:
Interface: WAN
EAP Methods: EAP PEAP
Identity: myuser
password: mypass
interfaces: ether1 (where my internet cable is connected)
Anon identity: blank
Certificate: none
After I press apply on my Mikrotik, the status is stuck on “Authentificating” and I am unable to get internet.
Any ideas what I should do? I have no certificate from my university, they seem to support only OpenWRT in the official connection guide, and that works with the above settings without importing any certificate.
As it is only peripherally related you should really start a new topic rather than resurrecting a years old one.
Your site may require a realm in the outer / anonymous identity to direct the request to the appropriate servers (e.g. local or a national proxy). A CA certificate is not required, but without it you are vulnerable to man-in-the-middle attacks allowing your MSCHAPv2 password to be captured. Your site may use a well-known CA (such as DigiCert, Let’s Encrypt, etc.), and whilst larger operating systems (Windows, macOS, Linux, iOS, Android) have built-in lists of certificate authorities, you have to download and install any appropriate ones on Mikrotiks as they come with none.
Hi @tdw, thank you for your feedback.
I thought it is related, sorry. Should I open a new topic or continue there?
In the meantime, I am trying to see if I can find information about the CA certificate used. It’s not helpful that I don’t see more information in the logs either…
Might as well continue here for now. If not set, the outer identity should use the inner identity, but it may be worth trying to set it explicitly. It isn’t clear from the documentation whether the dot1x client will refuse to authenticate if no CA has been imported.
You should be able to add additional logging with /system logging add action=memory topics=dot1x,debug (or possibly topics=dot1x,debug,!packet if too much information generated)
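Pulling the advice in this thread together (CA import and the clock chicken-or-egg problem from the first reply, outer-identity realm and debug logging from the later ones), here is an added RouterOS v6 configuration sketch; it is not from any post above. The certificate file name, the `uni-ca` name, the realm, the credentials and the bootstrap date are placeholders or assumptions you must replace with your site's values.

```routeros
# Added example, not from the thread. Values in <...> are placeholders.

# 1. Trust the CA that signed the switch's EAP server certificate.
#    Upload the .crt via Files first, then import it. PEAP needs no client certificate,
#    so only the CA goes into the store.
/certificate import file-name=DigiCert_Assured_ID_Root_CA.crt passphrase=""
# Give the imported CA a stable name so the dot1x client can reference it.
/certificate set [find where common-name~"DigiCert Assured ID Root CA"] name=uni-ca

# 2. Clock bootstrap: the hAP has no RTC, so after a cold start its clock is far in
#    the past and the switch certificate is "not yet valid". At startup set a date that
#    lies inside BOTH the CA and the server certificate validity windows
#    (compare with /certificate print detail), then let NTP correct it once online.
/system scheduler add name=clock-bootstrap start-time=startup interval=0 \
    on-event="/system clock set date=<mmm/dd/yyyy> time=12:00:00"
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# 3. The supplicant. Weak variant (certificate=none): the switch is never verified and the
#    MITM warning above applies, since the MSCHAPv2 exchange can be captured.
#   /interface dot1x client add interface=ether1 eap-methods=eap-peap \
#       identity=<username> password=<password>
#    Hardened variant: pin the CA, and carry the realm in the outer identity if your
#    site uses one to route the request to the right RADIUS server.
/interface dot1x client add interface=ether1 eap-methods=eap-peap \
    identity=<username> password=<password> \
    anon-identity=anonymous@<realm> certificate=uni-ca

# 4. While troubleshooting, log dot1x debug output to memory and read it with /log print.
/system logging add action=memory topics=dot1x,debug
```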