In our network at this time we are using Ubiquiti clients (Mikrotiks only for AP, router, core router, bridge, etc.), but we want to start using Mikrotik clients and slowly build the whole network on Mikrotik products.
But we have one problem: we are now using EAP-TTLS authorisation, and the ubnt clients authorise with username and password. FreeRADIUS is our AAA server, and we can't just change everything and implement eap-tls or mac auth in our network. I think many WISPs will have this problem, so Mikrotik, please add this feature to RouterOS, this will be great!
Yep, I am trying to set up 802.11x using user-manager (radius) on Mikrotik and it looks like it does not support PEAP.
In the log file I get “authentication failed”. It would be really great if we could use just one device for secure wifi.
Hello, is there a possibility to support eap-ttls?
In our setup we are trying to connect to an eduroam AP and need to transport username/password, therefore eap-ttls is required in station mode.
It would be so nice to see this feature in the next release 6.2X.
Manuel
They aren’t turned on right now, but you have to do it in the CLI, not through winbox or webfig. In the security profile or on the wireless interface there is an option for mschap username and mschap password and identity. Connects as a station just fine. Then we GRE tunnel back to a CCR1036 and do VPLS for bridging.
It’s been a while, but, should you still be using eduroam with a Mikrotik in station/client mode, can you supply the wifi interface and security-profile bits of your config? I’m really stumped and actually doing the exact same thing (I think), which is trying to connect to eduroam. I think an example might help a lot.
The person I’m corresponding with successfully tested eap-ttls-mschapv2 using the following set-up:
“…a test EAP radius server and got connected with an android phone and then
repeated the connection with the RouterOS as a client and it was working fine
when specifying the supplicant-identity and the mschapv2-user/password and
setting tls-mode=dont-verify-certificate”
I personally don’t have access to an eap-ttls-mschapv2 setup at the moment, but testing it with a cert would probably be good. I know this thread is regarding PEAP, but can anyone verify they have eap-ttls-mschapv2 working with a cert? (Or let me know if there is something I don’t understand.)
Now, about PEAP, the person I’m corresponding with reasserted and noted the following:
“Since we don’t have PEAP support, the eap-peap method will not work.
Currently we don’t have any plans to add PEAP support for the RouterOS
wireless client.”
I’ve asked if a formal feature request can be put in and if the eap-ttls-mschapv2 stuff can be put into the GUIs. I’ll update when I hear more.
Aside from interoperability, noted by the OP, it just makes sense “in general” and would be quite a nice feature.
I would also dream about EAPOL support in ROS, to be prepared for MacSec/PortSec deployment as well as to be able to properly deploy 802.1x-2010 in networking (required by authorities at the endpoint/CPE in some regions).
Please remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have been waiting more than 7 years for this option.