On ROS 7.15.3, is it possible to configure a wireless interface to have different passwords for different clients?
The solution should require changes on the router only, not on the clients. Thus WPA-EAP is not an option.
Searching for solutions on the internet I found two, tried them, but failed. Could someone knowledgeable tell me if this is possible at all?
1. Disable “default authenticate” on the interface, then add an entry to the wifi access list, specifying the MAC address and private-pre-shared-key. Someone says it used to work in previous versions of ROS. When I try to add the entry, ROS complains “failure: too short key”, no matter how long the key is. I believe this is broken now.
2. Set up the wireless security profile to use RADIUS. Let it use the MAC as the username. In User Manager, create a user with the matching name and a password. I tried with Windows and Android clients, with the same result: when connecting to the SSID there is no password prompt; instead the connection does not occur, and Windows says “can’t connect to this network”. Looking at the intercepted RADIUS packets, the conversation is as follows:
- The router sends Accept-Request and provides (among other things) User-Name, which is equal to the MAC, and an encrypted User-Password. The interesting thing is that no one asked for the password, and where the router got it is a mystery to me.
- The RADIUS returns Access-Reject with “Username or Password wrong”.
Apparently, since the client was not presented with the prompt, it had no chance to provide a correct password.
It can be done if you know the MAC address of the client. You can set an access-list in wifi to accept a different password on the same SSID IF YOU INCLUDE THE MAC OF THE CLIENT.
@gotsprings Yes, option 1 above. Tried it - does not work.
The keys on the access list are only for WEP.
I followed this manual https://github.com/multiduplikator/mikrotik_EAP and successfully configured WPA2-EAP without client certificates. However, it now prompts clients for a username and a password. But my goal is to use the MAC address of a client as the username and ask for a password only.
If I set “mac authentication” on the wifi security profile, then the client does not get a prompt at all, and instead RADIUS auth fails with a reject for the MAC as user name and some mysterious password which was never entered by the client (I believe the MT RADIUS client sends “0x” as a password in this case for whatever reason).
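An added example, not part of any post in this thread: to see what a NAS really puts in the User-Password attribute of an intercepted Access-Request (the "mysterious password" discussed above), the attribute can be un-hidden with the RADIUS shared secret using the RFC 2865 section 5.2 scheme. The shared secret, authenticator, MAC address and sample passwords below are constructed values, and the packet is built locally so the sketch runs offline.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types
SECRET = b"constructed-secret"           # constructed sample shared secret
RA = bytes(range(16))                    # constructed Request Authenticator

def _chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res   # the chain always runs over ciphertext
    return out

def hide_password(password, secret, authenticator):
    # Pad with NULs to a multiple of 16; an empty password is still one block.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _chain(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):
    return _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def parse_access_request(packet):
    """Return (authenticator, {attr_type: value}) for an Access-Request (code 1)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a complete Access-Request")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return packet[4:20], attrs

def build_sample(username, password, secret, authenticator):
    """Constructed packet standing in for one captured from the wire."""
    hidden = hide_password(password, secret, authenticator)
    attrs = (bytes([USER_NAME, 2 + len(username)]) + username
             + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs

def inspect(packet, secret):
    authenticator, attrs = parse_access_request(packet)
    return attrs[USER_NAME].decode(), reveal_password(attrs[USER_PASSWORD], secret, authenticator)

if __name__ == "__main__":
    print(inspect(build_sample(b"AA:BB:CC:DD:EE:FF", b"", SECRET, RA), SECRET))
```

With a real capture, pass the raw RADIUS payload and the shared secret configured on the router to `inspect`; a wrong secret yields garbage rather than an error, because the scheme carries no integrity check of its own.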
AFAIK … MAC authentication in Security profile for RADIUS (User Manager) is a pre-authentication that must be passed, before the EAP (username/password) can be used. Username in EAP can be MAC address.
"It controls whether client is allowed to proceed with authentication, or is rejected immediately."
"When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network."
For MAC check only (no EAP username/password) use WPA2 PSK with RADIUS setting, not WPA2 EAP in security profile !? https://www.youtube.com/watch?v=kAan0f164Ls … Well I have to try this with User Manager in ROSv7 which can do PEAP as well