Hi all,
I have a strange problem with Mikrotik-FreeRadius integration.
I've configured WPA2-EAP integration with an external FreeRADIUS 2.2.x.
I receive Access-Accept from FreeRadius, but my devices won't log in and keep asking me for the password, so I end up in a loop.
Any ideas?
I attach my radiusd -X output:
Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> 92:7C:A6:XX:xx:XX@Enterprise
[sql] sql_set_user escaped user --> '92:7C:A6:X:xx:XX@Enterprise'
++[sql] = noop
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 55 to 192.168.0.95 port 39276
Mikrotik-Address-List := "TOP_BUSINESS"
Acct-Interim-Interval := 300
Finished request 36.
Going to the next request
Screenshots do not show enough detail; posting the output of /export hide-sensitive is a good starting point.
The FreeRADIUS output seems incomplete, there is no indication of EAP messages - sending an Access-Accept outside of the EAP handshake will fail as there is no keying information provided.
Nothing obvious. You appear to have configured the RADIUS connector to handle PPP, login, hotspot & wireless - these will send requests in differing formats so your RADIUS server will have to handle them appropriately. The PPP and hotspot options appear to be redundant as there are no PPP or hotspot services configured.
It is most likely a RADIUS server configuration issue, there should be much more debug output and the username being a MAC address is unusual with the wireless EAP method set to passthrough.
Leaving only wireless under radius connector doesn’t change my situation.
I tried different kinds of auth, but with DHCP Mikrotik doesn't send my user password once a client tries to log in, so I modified my policy to use my MAC address as the password.
My Mikrotik receives the Accept (I can see it in the log) but my device keeps asking me for username/password.
DHCP shouldn’t have anything to do with this authentication problem.
use my mac address as the password
A MAC is public information so should not be used as a secure credential, i.e. password. Anyway, what are you trying to do? It sounds like some kind of MAC authentication, which isn't really WPA2-Enterprise with an EAP method. Since you mention username/password on the client, I suspect you want to do EAP-PEAP-MSCHAPv2, which requires a username/password, but this user/pass will come from the wireless client, not the AP. Do you have any X.509 certs in play?
An OTA (over the air) capture can be useful as well to debug these problems. It shows the EAP method chosen, the certs that are used, versions, etc.
As I said in an earlier post the FreeRADIUS output seems incomplete, sending an Access-Accept outside of an EAP conversation will never work.
The choice of MAC address as username is most unusual - typical setups are either EAP-PEAP-MSCHAPv2 with someuser@realm + somepassword as credentials allowing a person to connect multiple devices, or one of the methods requiring both server and client certificates (this is more secure as only devices with a valid client certificate can connect, but more difficult to manage as you need a secure certificate distribution mechanism).
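The replies above point at the same symptom twice: an Access-Accept that was not the end of an EAP conversation, and therefore carries no keying material for the 802.1X/WPA2 four-way handshake. The script below is an added example, not code from the thread or from FreeRADIUS; it reads a radiusd -X transcript, pairs each request with its reply, and flags an Access-Accept whose request carried no EAP-Message, whose reply lacks MS-MPPE-Send-Key/MS-MPPE-Recv-Key, or whose request contained a cleartext User-Password (a PAP-style request, not EAP passthrough). The debug text is constructed for the example; the attribute names are the standard RADIUS ones (EAP-Message from RFC 3579, the MS-MPPE keys from RFC 2548), and the two-space/tab indentation of attribute lines follows the radiusd -X layout.

```python
import re

# Constructed radiusd -X excerpt (not from the thread): request 35 is a real EAP
# exchange answered with MPPE keys; request 55 mirrors the poster's situation, a
# MAC address as username with a cleartext password and no EAP at all.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.0.95 port 39276, id=35, length=200
\tUser-Name = "alice@Enterprise"
\tEAP-Message = 0x020100060319
\tMessage-Authenticator = 0x00000000000000000000000000000000
Sending Access-Accept of id 35 to 192.168.0.95 port 39276
\tMS-MPPE-Recv-Key = 0x1c2a
\tMS-MPPE-Send-Key = 0x3b4c
\tEAP-Message = 0x03010004
Finished request 35.
rad_recv: Access-Request packet from host 192.168.0.95 port 39276, id=55, length=120
\tUser-Name = "92:7C:A6:XX:xx:XX@Enterprise"
\tUser-Password = "92:7C:A6:XX:xx:XX"
Sending Access-Accept of id 55 to 192.168.0.95 port 39276
\tMikrotik-Address-List := "TOP_BUSINESS"
\tAcct-Interim-Interval := 300
Finished request 55.
"""

REQ_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port \d+")
# Attribute lines are indented and use either "=" or the ":=" operator.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*:?=\s*(.*)$")
KEY_ATTRS = {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"}


def parse_exchanges(text):
    """Group a radiusd -X transcript into {id, client, request, reply, reply_code}."""
    exchanges = {}
    current = None  # (packet id, "request" | "reply") while inside an attribute list
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            rid = m.group(3)
            exchanges.setdefault(rid, {"id": rid, "client": m.group(2),
                                       "request": {}, "reply": {}, "reply_code": None})
            current = (rid, "request")
            continue
        m = REPLY_RE.match(line)
        if m:
            rid = m.group(2)
            ex = exchanges.setdefault(rid, {"id": rid, "client": m.group(3),
                                            "request": {}, "reply": {}, "reply_code": None})
            ex["reply_code"] = m.group(1)
            current = (rid, "reply")
            continue
        m = ATTR_RE.match(line)
        if m and current:
            exchanges[current[0]][current[1]][m.group(1)] = m.group(2).strip('"')
            continue
        # Any other non-indented line (module output, "Finished request") ends the list.
        current = None
    return list(exchanges.values())


def audit_access_accepts(text):
    """Return one finding per Access-Accept that cannot complete a WPA2-Enterprise login."""
    findings = []
    for ex in parse_exchanges(text):
        if ex["reply_code"] != "Access-Accept":
            continue
        problems = []
        if "EAP-Message" not in ex["request"]:
            problems.append("request carried no EAP-Message: Accept sent outside an EAP conversation")
        if not KEY_ATTRS & set(ex["reply"]):
            problems.append("reply carries no MS-MPPE-Send-Key/MS-MPPE-Recv-Key: no PMK for the 4-way handshake")
        if "User-Password" in ex["request"]:
            problems.append("cleartext User-Password present: this is not an EAP passthrough request")
        if problems:
            findings.append({"id": ex["id"], "user": ex["request"].get("User-Name", "?"),
                             "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_access_accepts(SAMPLE_DEBUG):
        print(f"request id {f['id']} user {f['user']}:")
        for p in f["problems"]:
            print("  -", p)
```

Run it against a saved radiusd -X log instead of SAMPLE_DEBUG to see which Access-Accepts the supplicant could never use; a healthy EAP-PEAP or EAP-TLS exchange shows several Access-Challenge replies before the final Accept, and that Accept always carries both MPPE keys.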
Hi All,
FYI, just trying the same Mt configuration but with FreeRADIUS 3.x, everything works like a charm!
2.2.x seems to have different configurations and I'm currently investigating this by using diffmerge on everything possible.