Hi.
I use this config:
Access Point: LinkSys WRT54GL
Access Point: Apple AirPort time capsule
Switch: MikroTik CRS125-24G-1S
I use User Manager on MikroTik and am trying to configure WPA2 Enterprise on the APs, but I get an error in User Manager:
Username: user01
User IP: 0.0.0.0
Host IP: 10.10.10.240
Status: Authorization failure
Time: 07/30/2014 08:47:24
Description: unknown authentication algorithm for user
NAS port: 50
NAS port ID:
ACCT Session ID:
Calling station ID: c8f7335d042b
It doesn’t matter whether it is the Apple or the LinkSys. The only difference is in Host IP and Calling station ID.
Is it possible to use User Manager to provide WPA Enterprise or WPA2 Enterprise in my company (with LinkSys and Apple APs)?
If not, which AP models (and vendors) can I use to get enterprise security?
MikroTik, all models with wlan and a Level 4 or 5 licence.
I use MikroTik, but I still can’t authenticate users from User Manager.
I use this config:
base router with usermanager (6.17): 2011UAS-2HnD
ap (6.17): 751G-2HnD
on the ap:
/interface bridge
add admin-mac=D4:CA:6D:20:E3:99 auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether1 ] master-port=ether2-master-local
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys radius-eap-accounting=yes supplicant-identity="" wpa-pre-shared-key=2F7A0234B2EF wpa2-pre-shared-key=WPAWEPJustForTest!
add authentication-types=wpa2-eap mode=dynamic-keys name=enterprise radius-eap-accounting=yes supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=russia disabled=no distance=indoors l2mtu=2290 mode=ap-bridge security-profile=enterprise ssid=Test wireless-protocol=802.11
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.253.251/24 comment="default configuration" interface=bridge-local network=192.168.253.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set servers=192.168.0.250
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1 to-addresses=0.0.0.0
/ip ipsec policy
add template=yes
/ip route
add distance=1 gateway=192.168.253.254
/ip upnp
set allow-disable-external-interface=no
/radius
add address=192.168.253.254 secret=63874iurehdfs service=wireless src-address=192.168.253.251
/radius incoming
set accept=yes port=1700
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=test
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=192.168.0.250
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
and I got this error in the User Manager log:
Username: user01
User IP: 0.0.0.0
Host IP: 192.168.253.251
Status: Authorization failure
Time: 07/31/2014 05:19:12
Description: unknown authentication algorithm for user
NAS port: 0
NAS port ID: wlan1
ACCT Session ID:
Calling station ID: 00-02-6F-E9-53-A9
coylh, July 31, 2014, 11:01pm
If I remember correctly, it doesn’t work. You could use a different radius server.
No answers means no solutions for wireless clients?
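Both log entries above report "unknown authentication algorithm" for requests coming from a WPA2-Enterprise (wpa2-eap) access point. Such an AP forwards the client's EAP exchange in RADIUS EAP-Message attributes (RFC 3579) instead of a PAP or CHAP password attribute, so a quick check when choosing a RADIUS server is to see which method the Access-Request actually carries. The following is an added example, not from the thread; the function names and the sample packets are constructed for illustration.

```python
import struct

# Attribute types: RFC 2865 (PAP, CHAP, Vendor-Specific), RFC 3579 (EAP-Message).
SIMPLE = {79: "EAP", 3: "CHAP", 2: "PAP"}
VENDOR_SPECIFIC, MS_VENDOR = 26, 311
MS_TYPES = {25: "MS-CHAPv2", 1: "MS-CHAP"}  # Microsoft vendor types, RFC 2548
PRIORITY = ("EAP", "MS-CHAPv2", "MS-CHAP", "CHAP", "PAP")

def attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def auth_method(packet):
    """Name the authentication method carried by an Access-Request."""
    attrs = attributes(packet)
    if packet[0] != 1:
        raise ValueError("not an Access-Request")
    found = set()
    for atype, value in attrs:
        if atype in SIMPLE:
            found.add(SIMPLE[atype])
        elif atype == VENDOR_SPECIFIC and len(value) >= 5:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR and vtype in MS_TYPES:
                found.add(MS_TYPES[vtype])
    return next((m for m in PRIORITY if m in found), "none")

def build_request(attrs):
    """Constructed Access-Request with a zeroed authenticator (sample input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an EAP Response/Identity as a wpa2-eap AP relays it, and a PAP login.
EAP_REQ = build_request([(1, b"user01"), (79, b"\x02\x01\x00\x0b\x01user01"), (80, bytes(16))])
PAP_REQ = build_request([(1, b"user01"), (2, bytes(16))])
```

Running `auth_method` over the UDP payload of a captured Access-Request shows whether the RADIUS server has to support EAP to serve that access point.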