Dot1X

Hello,
I have a new RB951Ui-2HnD and I am new here. I would like to attach the router to an 802.1X-protected wired network, and so I would like the router to authenticate itself. The EAP method at the network is EAP PEAP with MSCHAPv2, but the router's GUI shows only the methods “EAP PEAP” or “EAP MSCHAPv2”, and unfortunately both won't authenticate. Interface, identity, anonymous identity, password and root certificate are set. Is there any chance to choose EAP PEAP with MSCHAPv2 or to debug it?

In “wpa_supplicant”, shipped with most Linux distros, the configuration looks like this:

network={
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="any@mycompany.com"
    identity="jdoe@mycompany.com"
    password="xxxxxxxxx"
    ca_cert="my_root_certificate.crt"
    phase2="auth=MSCHAPV2"
}

Kind Regards
Olli

I’m afraid you may have bumped into this issue.

Hello sindy,
I’m not sure if that matches. Isn’t EAP-MSCHAPv2 part of the PEAPv0 protocol? I will try to check it out with Wireshark.
Regards
Olli

No. EAP-MSCHAPv2 is plain old MSCHAPv2, so man-in-the-middle attacks gathering the handshake are possible - these allow the NTLM password hash to be recovered. Protected EAP may be used as an “outer” method wrapping an “inner” insecure EAP method inside a TLS tunnel to prevent eavesdropping. The full name would be EAP-PEAPv0/EAP-MSCHAPv2, often shortened to EAP-PEAP/MSCHAPv2, PEAP/EAP-MSCHAPv2 or PEAP/MSCHAPv2.

Hopefully the dot1x client verifies the server certificate for the secure methods, otherwise they are not! (This was an issue with the OpenVPN client implementation for several years.)

Thank you very much for the explanation. Yes, EAP-PEAPv0/EAP-MSCHAPv2 is the method I have to use.

Hopefully the dot1x client verifies the server certificate for the secure methods, otherwise they are not! (This was an issue with the OpenVPN client implementation for several years.)

Yes, for that I copied the root certificate “T-Telesec Global Root Class 2.crt” to the router, because the RADIUS server's certificate is signed by that.
So I configured the EAP method, identity, anon. identity, password and the certificate in the router's WebFig, but unfortunately it does not authenticate. Any ideas?
Oli

Hi,
any ideas how to fix the problem?
Regards
Olli

The latest beta (6.48beta27) has these in the changelog:
*) dot1x - fixed duplicate EAP request packets for server;
*) dot1x - fixed EAP packet version numbering;
which might fix it. I’m sure new current and long-term updates including these will appear at some point if you do not want to run a beta version.

PEAP is CHEAP

Thanks for the hint. Unfortunately, the changeover to the mentioned testing version has not fixed the problem.
Olli

Sorry, I did not understand that. What do you mean by CHEAP?

Now I had time to take a closer look at the problem with Wireshark. Without a root CA given, EAPOL packages are sent from the RADIUS server / Cisco switch to the MikroTik routerboard and are replied to by the routerboard until the RADIUS server starts TLS 1.2 and sends its server certificate. Then the MikroTik routerboard sends an “Alert (Level: Fatal, Description: Unknown CA)”, as shown in Wireshark. At this point, RouterOS should check the validity of the server certificate using the root certificate “T TeleSec GlobalRoot Class 2”. Is it shipped with RouterOS? I downloaded it as a .crt to the router, but if I select the certificate in the dot1x configuration, the EAPOL process stops immediately. The RADIUS server then no longer starts the TLS protocol or shows its server certificate.
Olli

Is it shipped with RouterOS?

No, RouterOS does not include the CA bundle. Maybe you need to supply all certificates in the trust chain (root CA, intermediate CA, server cert), not only the server cert.

In my opinion “T TeleSec GlobalRoot Class 2” was the Root CA but I will try to copy the intermediate CAs to the router, too.
Olli