Same requirement here. Trying to connect to XFINITY secure network. It’s EAP-TTLS/PAP (GTC Phase 2). No version of RouterOS seems to support it currently?
The most interesting thing of all is that no one has deigned to answer, as if you were asking for plans to make a dirty nuclear explosive device…
On the other hand, it is an attempt to connect to the largest European wireless network by a product of one of the largest European network equipment manufacturers…
The place to ask for features that will definitely boost the sales is by an email to sales@mikrotik.com or by making a support ticket, not by posting a forum topic and typing +1 or bump in it.
Don’t make me laugh… this question was first raised more than ten years ago and was never answered by anyone from MikroTik… so we can sit and cry or flash our routers with inferior software which at least will support what we need…
There are many examples of feature requests that were never answered by MikroTik, never implemented, always promised for v7 but still not implemented there, etc etc.
But I have never seen that a forum topic with hundreds of “+1”, “me too!”, “up”, “bump” etc replies actually accelerated it.
Years ago, when I asked at a MUM about the sad state of IPv6 support, the answer was that “nobody ever asks for that”, and when I said “but I am asking for it…” the reply indicated that they mainly listen to what their distributors and large customers demand. And of course that can be justified, after all it is them that they make money from, not me that may buy like 10 routers and be involved in 100 other routers being sold.
So the general reply was that when I had a business case for something, I could always mail to that sales address and they would consider it.
When you (and others in the topic) have a business case for Eduroam support, and you can tell them “you will sell 1000 more APs when you have that!”, they will probably consider it.
However, you should be warned that Eduroam support is among the least of issues with MikroTik WiFi when deploying in an environment with many users and many APs, like a school or university. You may want to think again before you buy MikroTik for that.
Let’s go back to the start here. EDUROAM isn’t exactly uncommon, since the whole idea of eduroam is a common Wi-Fi auth scheme across educational institutions. The local university broadcasts where I’m at even supports it, and suggested settings are: https://its.ucsc.edu/wireless/eduroam-manual-config.html
The magic needed is in “Dot1X” section in winbox. You need to add a Dot1X client to the wireless interface (and set WPA2-EAP in /interface/wireless/security-profile to use WPA2-eap). I can’t test this but something like this:
You may have to add the root certificate for eduroam, but dunno. Anyway… I can’t say the exact config – e.g. not sure how inner and outer auth scheme are selected (it’s a dropdown), but docs do say “PEAPv0/EAP-MSCHAPv2” is supported which EDUROAM seems to want – so it should work. If docs say it, totally valid support case. But I’d fiddle with dot1x settings (e.g. try eap-peap in the Dot1x setting instead of the mschapv2 first). Also, you may need the root certificate for the particular eduroam site you’re at, see https://eduroam.dk/node/33?language=en and if you have a root cert, use /certificate import on RouterOS to add it.
If those don’t work… open a ticket at help.mikrotik.com and include a supout.rif (created in winbox from the left menu, download and attach to the case if you open a case with Mikrotik). This seems like something that should work.
Footnotes:
Also note, not sure if V7 only feature.
802.1X (“Dot1x” in RouterOS) auth is NOT supported on SMIPS devices (hAP lite, hAP lite TC and hAP mini)
I understand you, but don’t you think it’s at least funny that users ask vendors for such banal functionalities?
Mikrotik is no longer a 10 man company but a serious networking company, and on the other hand I’m not trying to connect to an obscure HotSpot on a beach in New Zealand (no offense to New Zealanders) but to EDUROAM.
With that, I don’t understand your last sentence that Eduroam is at the end of the company’s interests, and especially the recommendation that I take something else instead of Mikrotik.
I have been patient with Mikrotik almost from the very beginning (I still have ROS v1.x on 7 floppy disks somewhere) because I think and believe that they are smart and of high quality, and that, in addition, they have optimal prices and I am not inclined to give up after 25 years
So I’m still looking for a solution…
Well, I sometimes doubt that… No idea how many actual developers there are at MikroTik, but to re-implement a feature that actually worked in v6 into v7 they claim it is a “work in progress” for about a year and a half already. That does not give me the confidence that they have a lot of developers.
and on the other hand I’m not trying to connect to an obscure HotSpot on a beach in New Zealand (no offense to New Zealanders) but to EDUROAM.
With that, I don’t understand your last sentence that Eduroam is at the end of the company’s interests, and especially the recommendation that I take something else instead of Mikrotik.
Yeah sorry, in the reply above I sort of assumed that you were trying to deploy an indoor WiFi network in an educational environment and wanted the users to connect using EDUROAM, which of course is a bit different from using a hAP mini to connect an ethernet-only device to the EDUROAM network in your school.
MikroTik WiFi is many years behind the competition. Features like 802.11k/r/v are not implemented (there is some unusable alpha test implementation for a small number of devices only), and many other enterprise features that even competitors in the same market segment are offering are not present.
The years-long mistake of selling devices with only 16MB flash memory effectively means no chance of future addition of many of those features (competitors often have 256MB or more flash storage for the firmware).
However, I always believed that networks like EDUROAM use WPA2-EAP with EAP-TTLS and MSCHAPv2. And MikroTik does support that.
You can add a security profile like this:
Sorry, I meant this seems like something Mikrotik would want to fix.
From a couple docs on EDUROAM specs it looks supported – but yeah the config isn’t clear to me.
I think my point was more: have you opened a ticket at help.mikrotik.com? At least give them a chance to respond, I don’t think they troll the forum looking for issues.