Hello,
Yesterday I took a leap of faith and installed ROS 7.1.5 on my router (RB450Gx4).
So, here is the current setup:
Router + UM: IP 192.168.90.3
/user-manager profile
add name=prof1 name-for-users=prof1
/user-manager user group
add inner-auths=peap-mschap2 name=tsa outer-auths=mschap1,eap-peap
/user-manager user
add group=tsa name=pikacku
add group=tsa name=raichu
/user-manager
set enabled=yes
/user-manager router
add address=192.168.90.1 name=AP2
add address=192.168.100.170 name=sles1
/user-manager user-profile
add profile=prof1 user=florin
[admin@core-router] > /user-manager/user/print
Flags: X - disabled
0 name="pikachu" password="cucurigu" otp-secret="" group=tsa shared-users=1 attributes=""
1 name="raichu" password="cucurigu" otp-secret="" group=tsa shared-users=1 attributes=""
AP: HAP-AC2, IP: 192.168.90.1
wireless security profile
name="virtualPEAP" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm
wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="" eap-methods=passthrough tls-mode=no-certificates
tls-certificate=none mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no
radius-eap-accounting=yes interim-update=0s radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password
radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=10m management-protection=disabled
management-protection-key=""
[admin@AP2] > /radius/pr
Columns: SERVICE, ADDRESS, SECRET
# SERVICE ADDRESS SECRET
;;; core-router: radius
0 ppp 192.168.90.3 xoxxox
wireless
Now, with this current setup, plain and simple wireless/EAP clients fail to auth.
A. I have defined a 2nd RADIUS server (Synology) on the AP and, using the same wireless profile, clients do auth.
B. I have enabled login with RADIUS on the AP, so for instance user raichu can log in to the AP; that means there are no connectivity issues between AP and router.
Now, from this point I'm lost, no clue what to do.
I have an issue with ciphers (I think) even though I set "TLS Mode: no certificates".
I am trying with ROS v7.3.1, a similar config to yours.
This is the log output:
Jun/30/2022 15:44:27 wireless,debug DBG: : wlan1: E3:40:F5:7F:37:71 attempts to associate
Jun/30/2022 15:44:27 wireless,debug DBG: : wlan1: E3:40:F5:7F:37:71 not in local ACL, by default accept
Jun/30/2022 15:44:27 radius,debug DBG: : new request 58:6c code=Access-Request service=wireless called-id=F5-CA-6D-61-4E-A0:Pokemon Wifi
Jun/30/2022 15:44:27 radius,debug DBG: : sending 58:6c to 192.168.9.1:1812
Jun/30/2022 15:44:27 radius,debug DBG: : received reply for 58:6c
Jun/30/2022 15:44:27 manager,debug DBG: : >>> rx Access-Request from [192.168.9.1]:34758, id: 109
Jun/30/2022 15:44:27 manager,debug DBG: : <<< tx Access-Challenge to [192.168.9.1]:34758, id: 109
Jun/30/2022 15:44:27 radius,debug DBG: : new request 58:6d code=Access-Request service=wireless called-id=F5-CA-6D-61-4E-A0:Pokemon Wifi
Jun/30/2022 15:44:27 radius,debug DBG: : sending 58:6d to 192.168.9.1:1812
Jun/30/2022 15:44:27 radius,debug DBG: : received reply for 58:6d
Jun/30/2022 15:44:27 manager,debug DBG: : >>> rx Access-Request from [192.168.9.1]:45751, id: 110
Jun/30/2022 15:44:27 manager,debug DBG: : <<< tx Access-Challenge to [192.168.9.1]:45751, id: 110
Jun/30/2022 15:44:27 radius,debug DBG: : new request 58:6e code=Access-Request service=wireless called-id=F5-CA-6D-61-4E-A0:Pokemon Wifi
Jun/30/2022 15:44:27 radius,debug DBG: : sending 58:6e to 192.168.9.1:1812
Jun/30/2022 15:44:27 manager,debug DBG: : >>> rx Access-Request from [192.168.9.1]:51223, id: 111
Jun/30/2022 15:44:27 certificate,debug DBG: : start CRL update
Jun/30/2022 15:44:27 radius,debug DBG: : received reply for 58:6e
Jun/30/2022 15:44:27 manager,debug DBG: : <<< tx Access-Challenge to [192.168.9.1]:51223, id: 111
Jun/30/2022 15:44:30 manager,debug DBG: : EAP auth stopped for < raichu> reason: timeout + ssl: no common ciphers
Does anyone know how to disable TLS/SSL?
Thank you.
bpwl
June 30, 2022, 9:01pm
3
Never managed to use Userman without certificates. Actually all my alternate RADIUS servers (FreeRADIUS, Synology, Draytek, …) do have self-signed certificates.
Clients don't specify certificates and do not verify certificates for server identity; the CA is not installed as trusted on the client. Still, the RADIUS server has them, probably needed to encrypt the communication with the RADIUS server. Not sure. Would love not to have to use them, but it only worked after installing the correct certificates.
Luckily MT provides all the needed commands in "help" to create such CA and server certificates. (FreeRADIUS has something similar built in: demo certificates.)
https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+security+with+User+Manager+v5
Thanks to @strods for helping me out : http://forum.mikrotik.com/t/new-user-manager-in-routeros-v7/135338/1
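As an added example (not posted by anyone in this thread), a small Python parser for the RouterOS debug log format quoted earlier: it counts User Manager's replies per NAS and maps the reason in the "EAP auth stopped" line to a likely cause. The sample lines are a constructed subset of the quoted log, and the REASON_HINTS table is an assumption, its first entry reflecting bpwl's observation that PEAP only worked once a server certificate was installed.

```python
import re
from collections import Counter

# Constructed sample: a subset of the RouterOS debug lines quoted in the thread.
SAMPLE_LOG = """\
Jun/30/2022 15:44:27 radius,debug DBG: : new request 58:6c code=Access-Request service=wireless called-id=F5-CA-6D-61-4E-A0:Pokemon Wifi
Jun/30/2022 15:44:27 manager,debug DBG: : >>> rx Access-Request from [192.168.9.1]:34758, id: 109
Jun/30/2022 15:44:27 manager,debug DBG: : <<< tx Access-Challenge to [192.168.9.1]:34758, id: 109
Jun/30/2022 15:44:27 manager,debug DBG: : >>> rx Access-Request from [192.168.9.1]:45751, id: 110
Jun/30/2022 15:44:27 manager,debug DBG: : <<< tx Access-Challenge to [192.168.9.1]:45751, id: 110
Jun/30/2022 15:44:30 manager,debug DBG: : EAP auth stopped for < raichu> reason: timeout + ssl: no common ciphers
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<topics>[\w,-]+) DBG: : (?P<msg>.*)$")
TX_RE = re.compile(r"<<< tx (?P<code>Access-[A-Za-z]+) to \[(?P<ip>[^\]]+)\]")
STOP_RE = re.compile(r"EAP auth stopped for <\s*(?P<user>[^>]*?)\s*> reason: (?P<reason>.*)")

# Hypothetical mapping of reason fragments to a likely cause, ordered by
# specificity: the TLS failure explains the timeout, so it is checked first.
REASON_HINTS = [
    ("no common ciphers", "RADIUS server has no usable TLS server certificate; PEAP cannot start its TLS tunnel"),
    ("timeout", "client stopped replying mid-EAP"),
]

def parse_log(text):
    """Yield (timestamp, topics, message) for every line in RouterOS debug format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("topics").split(","), m.group("msg")

def diagnose(text):
    """Summarise User Manager replies per NAS and explain any EAP failures."""
    replies = Counter()   # (nas_ip, reply code) -> count
    failures = []         # one entry per 'EAP auth stopped' line
    for ts, topics, msg in parse_log(text):
        if "manager" not in topics:   # only the User Manager side of the exchange
            continue
        if m := TX_RE.search(msg):
            replies[(m.group("ip"), m.group("code"))] += 1
        elif m := STOP_RE.search(msg):
            reason = m.group("reason")
            hint = next((h for key, h in REASON_HINTS if key in reason), "unknown reason")
            failures.append({"time": ts, "user": m.group("user"), "reason": reason, "hint": hint})
    return {"replies": dict(replies), "failures": failures}
```

With the quoted log the server only ever answers Access-Challenge and then stops the EAP session, which is consistent with a TLS handshake that never completes.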