I tried to set up a RouterBOARD in an enterprise Wi-Fi network this week. This is a WPA2-Enterprise network which requires PEAP-MSCHAPv2 with TLS v1.2; after many attempts it ended up with an 'authentication timeout' error log.
My laptop could join the network with no issue; I captured the network packets and verified that the TLS handshake is TLS v1.2. So I suspect the board failed during the TLS handshake and there was no authentication at all.
Then I set up a FreeRADIUS environment; the board only works with TLS v1.0, and both TLS 1.1 and 1.2 fail.
Since TLS v1.0 is very old, it would be more useful to support TLS v1.2 with PEAP. I hope this feature request could be put on the schedule.
Thanks!
Here is the security profile I use:
2 name="EAP_AP_client" mode=dynamic-keys authentication-types=wpa-eap,wpa2-eap unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="testing" eap-methods=peap
tls-mode=dont-verify-certificate tls-certificate=none mschapv2-username="testing" mschapv2-password="password" disable-pmkid=no static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none
static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no
interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""
Here is my wireless interface config:
Flags: X - disabled, R - running
0 X name="wlan1" mtu=1500 l2mtu=1600 mac-address=XX:XX:XX:XX:XX:XX arp=enabled interface-type=Atheros AR9300 mode=station ssid="ap_bridge" frequency=auto band=5ghz-a/n channel-width=20/40mhz-XX secondary-channel=""
scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=EAP_AP_client compression=no
This is the RADIUS server TLS config in "raddb/mods-enabled/eap":
eap {
    …
    tls-config tls-common {
        …
        #disable_tlsv1_2 = no
        disable_tlsv1_1 = yes
        disable_tlsv1 = yes
        …
        tls_min_version = "1.2"
        tls_max_version = "1.2"
        …
    }
}
This is the FreeRADIUS error log:
Wed Jun 17 04:33:57 2020 : ERROR: (21) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Wed Jun 17 04:33:57 2020 : Error: tls: TLS_accept: Error in error
When I change the RADIUS server TLS range to 1.0-1.2, the board is able to connect:
eap {
    …
    tls-config tls-common {
        …
        #disable_tlsv1_2 = no
        disable_tlsv1_1 = no
        disable_tlsv1 = no
        …
        tls_min_version = "1.0"
        tls_max_version = "1.2"
        …
    }
}
Could someone share some info about TLS 1.2 support?
Thanks!
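As an added example (not part of the original post or of FreeRADIUS): a small Python check that parses the tls-config block from the two eap configs above, reports which TLS versions the server will offer, and scans the log for the "protocol version" alert so a legacy-only supplicant like this one shows up by request id. It assumes that disable_tlsv1* flags and tls_min/max_version are both honoured, so a version is offered only when neither excludes it.

```python
import re

# Constructed samples: the two tls-config variants from the post (strict = only TLS 1.2,
# legacy = TLS 1.0 through 1.2), trimmed to the lines that matter.
STRICT_CFG = """
eap {
    tls-config tls-common {
        #disable_tlsv1_2 = no
        disable_tlsv1_1 = yes
        disable_tlsv1 = yes
        tls_min_version = "1.2"
        tls_max_version = "1.2"
    }
}
"""
LEGACY_CFG = STRICT_CFG.replace("= yes", "= no").replace('tls_min_version = "1.2"',
                                                         'tls_min_version = "1.0"')
# Constructed log: the two lines quoted in the post plus one unrelated line.
LOG = """Wed Jun 17 04:33:57 2020 : ERROR: (21) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Wed Jun 17 04:33:57 2020 : Error: tls: TLS_accept: Error in error
Wed Jun 17 04:34:10 2020 : Auth: (22) Login OK: [testing]
"""

def parse_tls_config(text):
    """Return the key/value settings inside the tls-config block, ignoring '#' comments."""
    m = re.search(r"tls-config\s+\S+\s*\{(.*?)\n\s*\}", text, re.S)
    settings = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0].strip()  # a commented-out line carries no setting
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def enabled_tls_versions(settings):
    """Versions the server will offer. Assumption: a version must lie within
    tls_min/max_version AND its disable_* flag must not be 'yes' (defaults: 1.0-1.2, 'no')."""
    lo = float(settings.get("tls_min_version", "1.0"))
    hi = float(settings.get("tls_max_version", "1.2"))
    flags = (("1.0", "disable_tlsv1"), ("1.1", "disable_tlsv1_1"), ("1.2", "disable_tlsv1_2"))
    return [v for v, flag in flags
            if lo <= float(v) <= hi and settings.get(flag, "no") != "yes"]

def protocol_version_failures(log_text):
    """Request ids whose PEAP handshake died with a TLS 'protocol version' alert."""
    pat = re.compile(r"\((\d+)\) eap_peap: ERROR: TLS Alert write:fatal:protocol version")
    return [int(m.group(1)) for m in pat.finditer(log_text)]
```

Running the checks on the strict config yields only "1.2", while the legacy config yields all three versions; the log scan returns request 21 as the handshake that failed on version mismatch.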