I am trying to connect a MikroTik LHG 2 (RBLHG-2nD) to an eduroam network in wireless station mode, but 802.1X authentication consistently fails.
Summary of the situation:
Device: MikroTik LHG 2 (RBLHG-2nD)
RouterOS: RouterOS v7.x (stable)
Mode: wireless station
Location: indoor, device is placed near a window and pointed directly at the university building (~400–500 meters)
Line of sight is mostly clear
The device successfully scans, sees, and associates with the eduroam access point
Wireless signal levels (eduroam AP):
RSSI: typically between -64 and -70 dBm
Noise floor: around -95 dBm
SNR: approximately 30 dB
Association remains stable (no frequent disconnects)
Security configuration used
(based strictly on eduroam settings verified on a working laptop connected to the same network):
Security: WPA2-Enterprise
EAP method: EAP-TTLS
Inner authentication: MSCHAPv2
Anonymous (outer) identity: configured (same format as used on the laptop)
CA certificate: imported and selected (same CA certificate used by the laptop)
TLS fragmentation: enabled
Observed behavior:
The LHG 2 successfully associates with the access point
802.1X authentication starts
Authentication fails with an 802.1X authentication error
The 802.1X port never becomes authorized, so no data traffic passes
Data rates remain at fallback values because authentication never completes
Comparison and verification:
Using the exact same eduroam credentials, a laptop can connect successfully when placed in the same physical location (near the same window, facing the same university building). This confirms that:
Credentials are correct
The eduroam RADIUS backend is functioning correctly
Signal level and link quality are sufficient for authentication
Additional notes:
WPA2-PSK networks work correctly on the same LHG 2 device
The issue only occurs with WPA2-Enterprise / 802.1X (eduroam)
This does not appear to be a pure signal quality issue
Question:
Is there any known limitation, compatibility issue, or missing feature in RouterOS wireless station mode when using EAP-TTLS with MSCHAPv2 on eduroam networks?
Any guidance or confirmation from MikroTik staff or users with similar experience would be greatly appreciated.
Before opening this topic, I searched extensively both on your forum and on other forums and resources regarding eduroam. I also specifically reviewed the existing “eduroam” related topics on the MikroTik forum.
However, most of the answers I found are quite old. Almost all of them are from 4–5 years ago, and even the most recent replies are around 2 years old. None of these topics seem to end with a confirmed working solution.
Additionally, all of those replies were written before RouterOS v7 was released. I am currently testing this using RouterOS v7, but I am unable to establish a working connection despite following the available guidance.
For this reason, I opened a new topic to clarify whether there is any up-to-date information, known behavior, or supported approach specifically for RouterOS v7.
What do you mean by selected? The CA, plus intermediate server certificates if not included by the RADIUS server (they should be if it has been configured to best practices), only have to be imported into the MikroTik certificate store and set to be trusted.
As ever it is best to provide the current configuration from /export after redacting any personally identifiable information (public IPs, usernames/passwords, etc.). In this case the output of /certificate print would also be useful.
Regarding the CA certificate, I have already tried importing the university's CA certificate into the MikroTik storage and selecting it in the profile, but it did not solve the problem. That is why my current configuration might look empty or set to "none"—I have been testing every variation. I am a student at Akdeniz University (Antalya / Turkey) and I am trying to establish this connection from my dormitory.
Here is the current configuration export from my LHG 2nd (RB-LHG-2nD):
/interface/wireless/security-profiles/export
# 2025-12-30 01:41:20 by RouterOS 7.20.6
# software id = LHBY-HA6X
#
# model = RBLHG2nD
# serial number = 8240085A629A
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
As a reference, my laptop connects perfectly to the same eduroam network using EAP-TTLS / PAP via the SecureW2 agent. While the network provides both 2.4 GHz and 5 GHz, my laptop connects via 5 GHz (Channel 52). Since the LHG 2 is a legacy device limited to the 2.4 GHz band, I suspect there might be a driver-level limitation in RouterOS v7 for this specific hardware when handling TTLS-PAP over 2.4 GHz.
I am seriously considering switching to OpenWRT to use the full wpa_supplicant stack, as RouterOS seems to struggle with this setup.
I have already tried the "do not verify certificate" (certificate=none) option multiple times. Even with this setting, the log consistently returns "802.1X authentication failed".
I checked the official IT documentation from my university. The guide explicitly states that for EAP-TTLS, the Phase 2 (Inner Authentication) must be set to PAP. Here is the official link from the University’s IT Department: https://bidb.akdeniz.edu.tr/tr/eduroam_baglanti_ayarlariandroid-12403. Even though the guide is shown for Android, the RADIUS server configuration is fixed to PAP for all clients on this campus.
I don't know anything about this stuff, but it is at least "queer" that user manager (per docs) supports PAP:
but you cannot use it to authenticate as station.
And - from what I understand - the eduroam is not an unknown niche network, it comprises tens or hundreds of universities, so - potentially - tens of thousands possible users.
@kochanenes
Do make a support request; in the worst case you will have some official answers that it is not possible and you can move on to OpenWRT (or whatever actually works), being certain that the issue is not you or your configuration.
Thank you for the insight. You confirmed my suspicion that RouterOS is the bottleneck here as it cannot handle PAP in station mode. I am already in the process of moving to OpenWRT specifically to bypass this limitation. Currently, I am working on the TFTP boot process to flash the OpenWRT image onto the LHG 2nd.
Exactly, that is the dead end I reached with RouterOS. Since PAP is a strict requirement for my university's eduroam, I have no choice but to switch to OpenWRT to get the job done.
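As an added example (not posted by anyone in this thread): wpa_supplicant network blocks for EAP-TTLS with PAP as the inner method, showing the unverified-server variant, which corresponds to the certificate=none test above, next to one that pins the CA and the RADIUS server name. The realm, identities, server name and certificate path are placeholders, not values from the thread.

```conf
# Added example: wpa_supplicant.conf network blocks for eduroam, EAP-TTLS + PAP.
# Placeholders (assumptions): example.edu realm, radius.example.edu server name,
# /etc/ssl/certs/eduroam-ca.pem path. Real values come from the institution's
# eduroam guide or its eduroam CAT profile.

# Weak: no ca_cert, so the RADIUS server certificate is never verified.
# With PAP the password travels unmodified inside the TLS tunnel, so it is
# disclosed to whichever server terminates that tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="REPLACE_ME"
    disabled=1            # kept for comparison only, never selected
}

# Corrected: same outer and inner methods, but the tunnel is only completed
# with a server whose certificate chains to the pinned CA and whose name
# matches the expected RADIUS host.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN             # WPA2 only
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.edu"   # outer identity, sent in clear
    identity="user@example.edu"                  # inner identity, inside TLS
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```

If authentication fails with the second block but succeeds with the first, the CA file or the server name is wrong for that RADIUS server, which is worth fixing rather than disabling the check.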
I would say that it's strange that eduroam supports only such an old standard.
There is such a hype on WPA3, 2FA, TLS, HTTPS, encryption, protection, so they seem to be older dinosaurs than ROS is.
I don’t think this means that it is a world standard. I looked it up and the Eduroam system here in the Netherlands uses MSCHAPv2. It also says it uses PEAP, not EAP-TTLS, but probably that already has been tried by @kochanenes
So maybe it is time to write to the Turkish Edu authority about keeping up with the times…
It isn’t a problem to make the network compatible with different kinds of authentication. The only issue one could see is that MSCHAPv2 authentication servers often store the password in plaintext form, not hashed, although it is possible to store some Microsoft-invented (and often claimed to be insecure) hash instead of the plaintext password.