I’m in the process of setting up a network that will employ Radius for authentication of wireless client MAC addresses. In this setup I’d like to use AES-CCM or TKIP encryption using per-station private keys, with the per-station keys being stored in the Radius server.
This works fine with WEP-40 and WEP-104 and the Radius attributes Wireless-Enc-Algo and Wireless-Enc-Key, but a look at the MikroTik Radius dictionary indicates that one can only send:
VALUE Wireless-Enc-Algo No-encryption 0
VALUE Wireless-Enc-Algo 40-bit-WEP 1
VALUE Wireless-Enc-Algo 104-bit-WEP 2
for the per-station encryption modes in the Radius reply?! I’d like to send a Radius reply that will tell the router to use AES-CCM or TKIP for the authenticated client MAC address, and not one of the WEP modes. The Wireless-Enc-Key in the reply will then of course hold the 32-character hexadecimal AES-CCM key.
So it appears that we’re missing something like:
VALUE Wireless-Enc-Algo AES-CCM 3
VALUE Wireless-Enc-Algo TKIP 4
Has any of you guys got something like that to work? Or is this currently only supported for WEP?
I’d sure like to see this scheme work for AES-CCM and TKIP, and I assume it should be a rather simple extension of the existing code for MT to do this…
–Tom