Hi,
We have been trying to cut down on the amount of SSIDs being broadcast. Combining MPSK + radius MAC authentication is an obvious one.
Does anyone know how to have RouterOS test a client against an MPSK group and on fail, fallback to a RADIUS query using the client MAC address?
The 7.21 release candidate has an item:
*) wifi - fixed multi-passphrase usage in combination with access-list;
Is that Mikrotik code for MPSK now supporting fallback when no match is found in the group (would be lovely if each item linked a public ticket or post detailing what was being resolved)?
Tested a few combinations, none succeed:
2x access-list items, first a match against an MPSK group, then a radius-query. MPSK works, but RADIUS is never queried on fail. Not surprisingly as first matched item in an access-list is the end of the line for each event.
Another config, set the MPSK group on the WiFi security profile and then a radius-query in the access list. That continues to work for MPSK matches and surprisingly RADIUS is being queried on fail, but the MT-Wireless-PSK attribute does not seem to get tested against the client MIC as the logs print:
1A:3C:8D:52:AB:EC@wifi1-mpsk(Test-Direct) disassociated, key handshake timeout (wrong pass), signal strength -54
Right after the Radius query returns.