I’m playing around with User Manager, trying to hopefully introduce it into my network after figuring it out…
I’ve successfully made users authenticate via the hotspot web page, but I’m trying to also enable WPA2-EAP authentication, so that the same credentials can be used by WiFi devices.
I can’t get it to work at all. With the exact same username and password, authentication fails. If I skip authentication over WiFi, I can still authenticate via the hotspot page, which is a good start, but it is insecure (and inconvenient… WiFi devices don’t remember HTTP cookies as aggressively as they remember WiFi passwords).
Turning on debug logs shows that upon EAP login attempt, the error message from User Manager is “unknown authentication algorithm”.
Here’s my entire export, with (what I assume are) the key parts highlighted:
# RouterOS export pasted into a forum post: the continuation backslashes that
# /export emits at line wraps are missing and the quotes appear as smart quotes
# (“”), so this text is for reading, not for re-import. Review remarks below
# are marked NOTE(review); anything the export does not show is hedged.
/interface bridge
add admin-mac=D4:CA:6D:F5:C3:9B arp=reply-only auto-mac=no mtu=1500 name=
bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
/interface wireless
# wlan1 is the main AP (SSID FFFF). No security-profile is given on this line,
# so it presumably runs with the default profile configured further down.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=bulgaria
default-forwarding=no disabled=no distance=indoors frequency=auto l2mtu=
1600 mode=ap-bridge ssid=FFFF wireless-protocol=802.11 wmm-support=
enabled
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
# Default profile: WPA2-Enterprise (wpa2-eap) with RADIUS EAP accounting.
# No eap-methods value is exported for it, so the AP is on the default method
# handling. NOTE(review): this is the first thing to confirm for the
# "unknown authentication algorithm" error — whether the AP passes EAP
# through to RADIUS, and whether the User Manager version installed can
# terminate that EAP method for the user's password, is not shown here.
set [ find default=yes ] authentication-types=wpa2-eap mode=dynamic-keys
radius-eap-accounting=yes
# Guest profile: WPA/WPA2-PSK with eap-methods and supplicant-identity cleared.
# NOTE(review): no wpa-pre-shared-key / wpa2-pre-shared-key value appears in
# the export, although other secrets (the RADIUS secret) are shown in clear;
# confirm a key is actually set on this profile.
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” name=anonymous
supplicant-identity=“”
/interface wireless
# Virtual AP on wlan1 for guests; client-to-client forwarding is off here and
# the interface is further isolated by the bridge filter below.
add default-forwarding=no disabled=no l2mtu=1600 mac-address=
D6:CA:6D:F5:C3:9F master-interface=wlan1 name=wlan2 security-profile=
anonymous ssid=“FFFF Guests”
/ip hotspot profile
# Hotspot authenticates against RADIUS (use-radius=yes); split-user-domain
# separates a user@domain login into user and domain parts before sending.
set [ find default=yes ] dns-name=router.local hotspot-address=192.168.88.1
nas-port-type=ethernet split-user-domain=yes use-radius=yes
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp bootp-lease-time=lease-time bootp-support=
dynamic disabled=no interface=bridge-local name=default
/ip hotspot
# One hotspot on the whole bridge, so wired, wlan1 and wlan2 clients all go
# through the portal unless they are authenticated some other way.
add address-pool=dhcp disabled=no interface=bridge-local name=hotspot1
/queue simple
add max-limit=100M/100M name=total target=bridge-local
add name=rogue parent=total target=bridge-local
/ip hotspot user profile
set [ find default=yes ] insert-queue-before=rogue parent-queue=total
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw currency=
BGN time-zone=+02:00
/tool user-manager profile
add name=Unlimited name-for-users=Unlimited override-shared-users=unlimited
owner=admin price=0 starts-at=logon validity=0s
add name=cheap name-for-users=“Low offer” override-shared-users=unlimited
owner=admin price=10 starts-at=logon validity=4w2d
/tool user-manager profile limitation
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=
low-limits owner=admin rate-limit-min-rx=10485760B rate-limit-min-tx=
10485760B rate-limit-rx=10485760B rate-limit-tx=10485760B transfer-limit=
0B upload-limit=0B uptime-limit=0s
/interface bridge filter
# Layer-2 isolation of the guest SSID: nothing is bridged to or from wlan2.
# NOTE(review): this only covers the bridge forward path; traffic from guests
# to the router itself (input) is not affected by these rules.
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
/interface wireless access-list
add ap-tx-limit=1000000 forwarding=no interface=wlan2
/ip address
add address=192.168.88.1/24 comment=“default configuration” interface=
ether2-master-local network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
# Remote requests are allowed, but the input-chain drop on ether1-gateway
# below keeps the resolver off the WAN side. NOTE(review): the static upstream
# server is the router's own LAN address; upstream resolution presumably
# relies on the DHCP client's peer DNS (not shown, so at its default).
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.local
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add chain=input comment=“default configuration” disabled=yes protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
# NOTE(review): the input chain has no final drop: new connections are only
# dropped when they arrive on ether1-gateway, so every host on bridge-local
# (guests on wlan2 included) reaches all router services listed below.
add action=drop chain=input comment=“default configuration” in-interface=
ether1-gateway
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration”
connection-state=invalid
add action=drop chain=forward comment=“[security] Drop TCP port 0” port=0
protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway to-addresses=0.0.0.0
# The two "masquerade hotspot network" rules are identical; the second one
# never matches and can be removed.
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
src-address=192.168.88.0/24
/ip hotspot user
# Local hotspot account "admin" with no password attribute exported (which
# normally means an empty one). NOTE(review): confirm whether this account is
# still needed once RADIUS users work, and set a password if it is.
add name=admin
/ip service
# Only telnet and ssh are disabled; ftp, www, api and winbox are not listed,
# so they are presumably at their defaults and reachable from the LAN/WiFi
# side given the input chain above.
set telnet disabled=yes
set ssh disabled=yes
/ip smb
# SMB file sharing bound to ether2-master-local, which is a member of
# bridge-local. NOTE(review): confirm whether wireless clients on the same
# bridge can also reach it.
set domain=WORKGROUP enabled=yes interfaces=ether2-master-local
/ip upnp
# UPnP with the whole bridge as the internal side: any bridge host that can
# reach the router, guests on wlan2 included, may request WAN port mappings.
# NOTE(review): consider whether guests should be able to do this.
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/radius
# RADIUS client pointing at the local User Manager over loopback; the secret
# matches the /tool user-manager router entry below. Loopback-only, so the
# short secret is low-risk, but it is exported in clear. "dhcp" is included in
# service= although no RADIUS-based DHCP use is visible in this export.
add address=127.0.0.1 secret=1234 service=hotspot,wireless,dhcp src-address=
127.0.0.1
/radius incoming
# Accepts incoming CoA/Disconnect requests. NOTE(review): the User Manager
# router entry below has use-coa=no, so nothing here appears to need this.
set accept=yes
/system clock
set time-zone-name=Europe/Sofia
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set wlan2 disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2-master-local disabled=yes display-time=5s
set ether3-slave-local disabled=yes display-time=5s
set ether4-slave-local disabled=yes display-time=5s
set ether5-slave-local disabled=yes display-time=5s
/system leds
set 0 interface=wlan1 leds=wlan-led type=wireless-status
set 1 interface=ether1-gateway leds=led1
set 2 interface=ether2-master-local leds=led2
set 3 interface=ether3-slave-local leds=led3
set 4 interface=ether4-slave-local leds=led4
set 5 interface=ether5-slave-local leds=led5 type=interface-activity
/system logging
# Debug/packet logging added while troubleshooting. NOTE(review): these topics
# are very chatty and may record authentication exchange details in the log;
# remove the rule once the EAP issue is resolved.
add topics=packet,debug
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
# MAC-telnet and MAC-Winbox answer on ether2 and on wlan1 (the EAP SSID), so
# they are reachable at layer 2 by any associated client there; they are
# disabled on the guest SSID, consistent with the bridge filter.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
add disabled=yes interface=wlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
add disabled=yes interface=wlan2
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=low-limits profile=cheap till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# The router entry User Manager uses for this device (loopback, same shared
# secret as /radius above; CoA disabled).
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=“”
name=localhost shared-secret=1234 use-coa=no
/tool user-manager user
# Test account: password, wireless-enc-key and wireless-psk are all the same
# as the username. NOTE(review): wireless-enc-algo/-key/-psk appear to be the
# per-user wireless key attributes returned to the AP (PSK-style key material)
# rather than anything used in the EAP exchange itself; confirm against the
# User Manager documentation for the installed version.
add customer=admin disabled=no name=emily password=emily shared-users=
unlimited wireless-enc-algo=aes-ccm wireless-enc-key=emily wireless-psk=
emily
Any ideas?
Does User Manager actually support EAP logins at all?