hAP ax3 not sending EAP-Message with WPA2-EAP

Hello,

I am attempting to replace my venerable hAP ac with a new hAP ax3.

Logs from my freeRADIUS server show that the ax3 is not sending an "EAP-Message" when trying to authenticate via WPA2-EAP, despite connecting with the same client device.

The difference of course is partly due to the new drivers on the ax3 (“wifi” vs “wireless”), but the documentation does indicate that the EAP authentication should be passthrough when the ax3 is in AP mode, which it is. I am thus surprised that there is no EAP message. Is there a configuration that I’m missing to get the ax3 to passthrough the EAP authentication?



freeRADIUS log with the ac:

(0) Received Access-Request Id 5 from 192.168.XX.XX:58727 to 192.168.XX.YY:1812 length 203
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1400
(0)   User-Name = "myphone"
(0)   NAS-Port-Id = "wlan5-N/AC"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Calling-Station-Id = "ZZ-ZZ-ZZ-ZZ-ZZ-ZZ"
(0)   Called-Station-Id = "YY-YY-YY-YY-YY-YY:MySSID"
(0)   EAP-Message = 0x0200001b01636861726d2e70617463686361742e70726976617465
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.XX.XX
(0)   Message-Authenticator = 0xf513b41cf7c7df2bc461057aefae1983

freeRADIUS log with the ax3:

(0) Received Access-Request Id 34 from 192.168.XX.XX:56271 to 192.168.XX.YY:1812 length 209
(0)   Service-Type = Framed-User
(0)   NAS-Port-Id = "wifi5"
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Port = 27
(0)   User-Name = "ZZ:ZZ:ZZ:ZZ:ZZ:ZZ"
(0)   User-Password = ""
(0)   Acct-Session-Id = "82b00018"
(0)   Calling-Station-Id = "ZZ-ZZ-ZZ-ZZ-ZZ-ZZ"
(0)   Called-Station-Id = "WW-WW-WW-WW-WW-WW:MySSID"
(0)   NAS-Identifier = "NewMikrotik"
(0)   NAS-IP-Address = 192.168.XX.XX
(0)   Message-Authenticator = 0x9af0d01745856b1922d2b7d9ee86ded0

hAP ac configuration:
routeros 7.17.1
wireless 7.17.1

/interface wireless security-profiles
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=secprofile radius-mac-authentication=yes radius-mac-format=XX-XX-XX-XX-XX-XX supplicant-identity="" tls-mode=dont-verify-certificate

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-onlyn default-authentication=no disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan2-N security-profile=secprofile ssid=MySSID station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-n/ac channel-width=20/40mhz-XX default-authentication=no disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5-N/AC security-profile=secprofile ssid=MySSID station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled

/interface wireless access-list
add comment="my phone" mac-address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ vlan-mode=no-tag

/radius
add address=192.168.XX.YY require-message-auth=no service=wireless

hAP ax3 configuration:
routeros 7.17.1
wifi-qcom 7.17.1

/interface wifi security
add authentication-types=wpa2-eap disabled=no management-protection=required name=secprofile

/interface wifi configuration
add country="United States" disabled=no mode=ap name=cfg1 security=secprofile ssid=MySSID

/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20mhz configuration=cfg1 configuration.mode=ap security=secprofile security.authentication-types="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration=cfg1 configuration.mode=ap name=wifi5 security=secprofile security.authentication-types="" .ft=yes .ft-over-ds=yes

/interface wifi access-list
add action=query-radius client-isolation=yes comment="my phone" disabled=no interface=any mac-address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
add action=reject comment="DEFAULT REJECT" disabled=no

/radius
add address=192.168.XX.YY require-message-auth=no service=wireless

Well, the solution seems to be to NOT use “query radius” in an Access List. The documentation (https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-AccessList.1) says that

query-radius - connection is allowed if MAC address authentication of the client’s MAC address succeeds

which I guess means that if an Access List rule with a “query-radius” action is triggered, ROS will query the configured RADIUS server with the MAC as the username, but without an EAP message, even if EAP Authentication type is explicitly configured for the interface. When I disabled all the access-list entries, ROS does send RADIUS messages to the server with EAP included.

This is not well explained by the documentation, so I hope this helps anyone else puzzled over the same situation.
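The two captures in the thread differ in exactly one way that matters: the ac's request carries an EAP-Message (the supplicant's EAP-Response/Identity), while the ax3's request under a query-radius rule carries the client MAC as User-Name with an empty User-Password and no EAP at all. The script below is an added example, not code from the thread or from MikroTik, that parses freeRADIUS "(n)   Attribute = value" debug blocks, classifies each Access-Request as EAP pass-through or MAC-only authentication, and decodes the outer identity from the EAP-Message so you can confirm what the NAS actually sent. The two sample captures are constructed, modelled on the post's logs with anonymised addresses and the EAP identity set to "myphone"; the attribute names and EAP header layout are standard RADIUS/EAP.

```python
import re

# Constructed sample captures modelled on the two freeRADIUS debug excerpts in
# the thread (addresses and MACs anonymised, EAP identity replaced by "myphone").
EAP_REQUEST = """\
(0) Received Access-Request Id 5 from 192.168.1.2:58727 to 192.168.1.3:1812 length 203
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1400
(0)   User-Name = "myphone"
(0)   NAS-Port-Id = "wlan5-N/AC"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Calling-Station-Id = "00-11-22-33-44-55"
(0)   Called-Station-Id = "66-77-88-99-AA-BB:MySSID"
(0)   EAP-Message = 0x0200000c016d7970686f6e65
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.1.2
(0)   Message-Authenticator = 0x00000000000000000000000000000000
"""

MAC_REQUEST = """\
(0) Received Access-Request Id 34 from 192.168.1.2:56271 to 192.168.1.3:1812 length 209
(0)   Service-Type = Framed-User
(0)   NAS-Port-Id = "wifi5"
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Port = 27
(0)   User-Name = "00:11:22:33:44:55"
(0)   User-Password = ""
(0)   Acct-Session-Id = "82b00018"
(0)   Calling-Station-Id = "00-11-22-33-44-55"
(0)   Called-Station-Id = "CC-DD-EE-FF-00-11:MySSID"
(0)   NAS-Identifier = "NewMikrotik"
(0)   NAS-IP-Address = 192.168.1.2
(0)   Message-Authenticator = 0x00000000000000000000000000000000
"""

# "(n)   Attribute = value" lines; the "(n) Received ..." header has no '=' and is skipped.
ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
# MAC in either aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff form (RouterOS radius-mac-format).
MAC_RE = re.compile(r'^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$')


def parse_access_request(text):
    """Parse one freeRADIUS debug block into {attribute: value}.
    Quoted strings lose their quotes; 0x... values are kept as hex text."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            attrs[name] = value
    return attrs


def eap_identity(eap_message_hex):
    """Decode the outer identity from an EAP-Response/Identity in EAP-Message.
    EAP header: Code(1) Id(1) Length(2) Type(1); Code 2 = Response, Type 1 = Identity."""
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith('0x') else eap_message_hex
    raw = bytes.fromhex(hexstr)
    if len(raw) < 5:
        return None
    code, length = raw[0], int.from_bytes(raw[2:4], 'big')
    if code != 2 or raw[4] != 1 or length != len(raw):
        return None  # not a well-formed Response/Identity; nothing to report
    return raw[5:length].decode('utf-8', errors='replace')


def classify(attrs):
    """'eap' when the NAS passes EAP through to RADIUS; 'mac-auth' when it only sent
    the client MAC with an empty password (what a query-radius access-list rule
    produces on RouterOS wifi); 'other' for anything else."""
    if 'EAP-Message' in attrs:
        return 'eap'
    if MAC_RE.match(attrs.get('User-Name', '')) and attrs.get('User-Password', '') == '':
        return 'mac-auth'
    return 'other'


def summarise(text):
    """One-line verdict for a capture: request kind, NAS, port, client MAC, EAP identity."""
    attrs = parse_access_request(text)
    kind = classify(attrs)
    ident = eap_identity(attrs['EAP-Message']) if kind == 'eap' else None
    return {
        'kind': kind,
        'nas': attrs.get('NAS-Identifier'),
        'port': attrs.get('NAS-Port-Id'),
        'calling': attrs.get('Calling-Station-Id'),
        'eap_identity': ident,
    }


if __name__ == '__main__':
    for sample in (EAP_REQUEST, MAC_REQUEST):
        print(summarise(sample))
```

The practical point of the classification is the RADIUS policy on the other side: a MAC-only request authenticates nothing beyond a spoofable hardware address, so a server that answers it with Access-Accept (for example because the MAC exists as a user with an empty password) lets any device cloning that MAC onto the SSID without ever running EAP. If you keep query-radius rules for MAC filtering, make sure the server distinguishes the two request shapes rather than treating them as the same user.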

I have a similar issue: the Framed-IP-Address is not sent to RADIUS.

20:56:08 radius,debug,packet sending Accounting-Request with id 88 to 192.168.100.19:1813
20:56:08 radius,debug,packet Signature = 0x9ebd67fd465f65e0f0f96b900fdc819f
20:56:08 radius,debug,packet Service-Type = 2
20:56:08 radius,debug,packet NAS-Port-Id = "wifi2"
20:56:08 radius,debug,packet NAS-Port-Type = 19
20:56:08 radius,debug,packet NAS-Port = 9
20:56:08 radius,debug,packet User-Name = "heri-hw"
20:56:08 radius,debug,packet Class = 0x57494e455441444d494e
20:56:08 radius,debug,packet Class = 0xd6a70b8e0000013700010200c0a86413
20:56:08 radius,debug,packet 000000009eb4b4e95726249501db739f
20:56:08 radius,debug,packet f6feea180000000000001258
20:56:08 radius,debug,packet Acct-Session-Id = "82b00009"
20:56:08 radius,debug,packet Calling-Station-Id = "56-9C-F1-D9-7B-A0"
20:56:08 radius,debug,packet Called-Station-Id = "48-A9-8A-C8-3C-E7:WMIS-TEST2Ghz"
20:56:08 radius,debug,packet Acct-Authentic = 1
20:56:08 radius,debug,packet Acct-Status-Type = 3
20:56:08 radius,debug,packet Acct-Session-Time = 130
20:56:08 radius,debug,packet Acct-Input-Octets = 16658
20:56:08 radius,debug,packet Acct-Input-Gigawords = 0
20:56:08 radius,debug,packet Acct-Input-Packets = 193
20:56:08 radius,debug,packet Acct-Output-Octets = 11609
20:56:08 radius,debug,packet Acct-Output-Gigawords = 0
20:56:08 radius,debug,packet Acct-Output-Packets = 31
20:56:08 radius,debug,packet NAS-Identifier = "OFFICE - MISTEST"
20:56:08 radius,debug,packet Acct-Delay-Time = 0
20:56:08 radius,debug,packet NAS-IP-Address = 162.168.20.10
20:56:08 radius,debug,packet received Accounting-Response with id 88 from 192.168.100.19:1813
20:56:08 radius,debug,packet Signature = 0xec0f498769adb34f444ff5c93136e969
20:56:08 radius,debug received reply for 8a:00
20:56:08 radius,debug request 8a:00 processed
20:56:12 system,info,account user admin logged in from 5C:A6:E6:54:E9:D9 via winbox