RADIUS service on MikroTik

Hello everyone, hope you're all having a good day.

I am about to start work on a school environment network.

And I want to establish the following:

A RADIUS server to authenticate WiFi users

Users with certificates connecting directly without username and password, "for our own devices"

My question here is:

What should I use, a RADIUS server or the Hotspot service?

And how do I achieve the certificate authentication on MikroTik?

Please note my diagram is:

Mikrotik router

Access switch

WiFi access points (non-MikroTik)

If you need this then RouterOS can't help you. You cannot use User Manager as the RADIUS server because it only supports username/password for authentication. You'll need some other 3rd-party RADIUS server. You will also not be able to use the Hotspot feature of RouterOS. Instead, your "non-MikroTik" access points must have support for WPA2-Enterprise/WPA3-Enterprise, and they will be the ones talking to the RADIUS server(s).

Your RouterOS devices will only do the routing and switching.

1 Like

There is an example of setting up both password-based and certificate-based authentication here:
https://help.mikrotik.com/docs/spaces/ROS/pages/92635137/Enterprise+wireless+security+with+User+Manager+v5

2 Likes

Thanks for the correction. I didn't know about User Manager matching the SAN/CN with the username.

2 Likes

Thank you for responding

So you mean I can authenticate my WiFi users both ways, via username/password and via certificate?

Here I'm using MikroTik as a router only.

Yes, I just did some tests and login with EAP-TLS using User Manager as RADIUS server (as described by the link above) works for both WPA2/WPA3-Enterprise (Android and Windows clients) as well as 802.1X for ethernet ports (Dot1X in RouterOS) with Windows clients.

Pay attention to the session limit though: RouterOS license keys - RouterOS - MikroTik Documentation

For > 50 active sessions, you'll either need devices with L6 licenses, buy extra L6 licenses for existing devices with a lower level, or buy CHR licenses.

1 Like

I have tried the user/pass method and it's working.

But when I try to install the certificate on Windows to connect without username/password, it gets rejected.

It says:

"EAP rejected for user" in the WinBox logs.

I think I'm not fully understanding the certificate logic here.

As I understand it, you need to create a certificate on the MikroTik router, send it to the client machine, install it, and then connect to the WiFi? Am I right here?

If you have set up User Manager as well as your access points so that login with username & password already works, then adding EAP-TLS support is very easy. You don't even need to make changes to User Manager or the Access Point.

Make sure you set the common-name of the generated certificate to be the same as the username in User Manager, then you export the certificate (with passphrase) from this section of the guide that @xrlls posted above:

Just double-click the file in Windows and import it into the "Personal" certificate store of the current User. If you are already connected to the SSID using username and password (PEAP + MSCHAPv2) then "Forget" that WiFi profile in Windows first. Then try to connect to the SSID again but this time instead of Protected EAP (PEAP) choose Smart Card or other certificate (EAP-TLS) and Windows will present you with a dropdown box to select the certificate that you've imported.

Alternatively, you can use this in Control Panel to manually add the WiFi profile:

Screenshots

The certificate will then need to be selected once, when you first try to connect to the SSID.

1 Like
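The router-side part of the procedure in the answer above, collected into one RouterOS terminal session as an added example (it is not code from the thread or from the MikroTik guide): it issues a client certificate whose common-name equals the User Manager username, signs it with the school CA, exports certificate plus private key as a passphrase-protected PKCS#12 for the Windows "Personal" store import described above, and creates the matching User Manager user. The CA name `school-ca`, the username `student001`, the export passphrase and the assumption that User Manager and the access point are already configured so that PEAP logins work (as the guide sets them up) are mine.

```routeros
# Added example, not from the thread or the MikroTik guide.
# Assumptions: a CA named "school-ca" already exists under /certificate,
# User Manager is enabled with a server certificate, and the AP is already
# added as a RADIUS client (username/password logins work). Syntax is for
# RouterOS 7 with User Manager v5; check it against your version.

:local user "student001"
:local p12pass "ChangeMe-Export1"

# 1. Client certificate. The common-name MUST equal the User Manager
#    username, because that is the value User Manager matches for EAP-TLS.
/certificate add name=$user common-name=$user key-usage=tls-client days-valid=730
/certificate sign $user ca=school-ca

# 2. Export certificate + private key as PKCS#12, protected by a passphrase.
#    The resulting .p12 file shows up under /file; copy it to the client
#    and double-click it there to import it into the user's Personal store.
/certificate export-certificate $user type=pkcs12 export-passphrase=$p12pass

# 3. The User Manager user with the same name. No password is needed for
#    EAP-TLS; only the name has to match the certificate common-name.
/user-manager user add name=$user group=default

# Checks before handing the file out: the cert is signed by school-ca, it has
# a private key, the user exists, and the exported .p12 is present.
/certificate print detail where name=$user
/user-manager user print where name=$user
/file print where name~"p12"
```

Once the .p12 is imported on the client, "Forget" the old PEAP profile and reconnect with "Smart Card or other certificate (EAP-TLS)" as described above; if the connection is still refused, compare the common-name shown by `/certificate print detail` with the User Manager user name character for character, since that match is the whole authentication.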

I really want to thank you, sir, for all the help you have provided.

My last question:

In my case, I should prepare this setup for a school.

The school has about 20 classes, each class with 25 students, each student with one tablet ("our tablet").

For this setup, what do you suggest: do I need to create a certificate for each tablet, or can I do one for all?