Usermanager, with D-link AP

Hello

I have set up usermanager 4B4 on a routerboard.
Added a test user to usermanager.

A D-link wireless AP is connected to this RB.

On the D-link I have set up:
Authentication wpa enterprise
WPA Mode Auto wpa/wpa2
Cipher Type Auto
RADIUS Server 192.168.2.18 Port 1812
RADIUS Secret 1234

D-link has 192.168.2.20
RB has 192.168.2.18

Connecting to the wireless network fails.
This is the log output:

14:15:26 manager,debug,packet received Access-Request with id 4 from 192.168.2.20:1045 
14:15:26 manager,debug,packet     Signature = 0xd1e5c2efadc08c71274002a1ef82dd18 
14:15:26 manager,debug,packet     User-Name = "test" 
14:15:26 manager,debug,packet     NAS-IP-Address = 192.168.2.20 
14:15:26 manager,debug,packet     NAS-Identifier = "00:22:b0:de:86:b1" 
14:15:26 manager,debug,packet     NAS-Port = 0 
14:15:26 manager,debug,packet     Called-Station-Id = "00-22-B0-DE-86-B1:Admin NET" 
14:15:26 manager,debug,packet     Calling-Station-Id = "00-16-44-8C-89-2C" 
14:15:26 manager,debug,packet     Framed-MTU = 1400 
14:15:26 manager,debug,packet     NAS-Port-Type = 19 
14:15:26 manager,debug,packet     Connect-Info = "CONNECT 11Mbps 802.11b" 
14:15:26 manager,debug,packet     EAP-Message = 0x020100090174657374 
14:15:26 manager,debug,packet     Message-Authenticator = 0x168e47acb60c5c6d692e26621bb550f0 
14:15:26 manager,debug received Access-Request 11 from 192.168.2.20:1045 
14:15:26 manager,debug sending Access-Reject 11 
14:15:26 manager,debug,packet sending Access-Reject with id 4 to 192.168.2.20:1045 
14:15:26 manager,debug,packet     Signature = 0x271fb43e675fd0c552946106067b7ac2 
14:15:26 manager,debug,packet     Reply-Message = "unknown authentication algorithm"

What am I missing here?

Usermanager can’t understand the authentication used.

If you are using wpa enterprise (rather than wpa personal):
Authentication type is either: wpa-enterprise or wpa2-enterprise (not plain wpa)
Authentication mode is either: wpa-eap or wpa2-eap (not psk, not auto)
Cipher type is either: tkip (for wpa) or aes (for wpa2) not auto.
You can use either a dynamic or a static key.

About your setup, is it that you have a RB with the dlink AP wired to one of its ether interfaces?
What service are you using the Radius for: ppp, hotspot, wireless?

Thank you eneimi

I tried setting the AP up with just WPA or WPA2, but the results are the same.
Should it not be possible to run auto here? WPA2 if supported by client, WPA if not?

I tried setting this up according to the “wireless” guide in the wiki.
Which setup should I have used?

What I'm trying to achieve is a wireless LAN where I can have full control over users in usermanager, setting bandwidth etc.
There will be some users coming and going, therefore it must be easy to manage.

Also there will be no normal WPA key with WPA enterprise right? There will be username/password?

You didn’t say how you have it set up.
What routerboard? What interfaces? Dlink AP is connected to what interface of routerboard - ether or wlan? Your clients connect to what device - dlink AP or RB wlan?

You mentioned that you followed the mikrotik wireless manual - that setup is for mikrotik wireless clients or APs, not dlink. So please clarify your setup.

Sorry, I was a bit unclear.

The RB does not have a WLAN interface.
It is only for usermanager/radius use.

The D-link AP(s) will be wired to the RB.

Clients connect wireless to the D-link AP.
I use these APs because they are a part of existing infrastructure.
In future they will be exchanged for MT APs.

I followed the wireless guide because I thought it fitted my setup best…

I really need some help with this.
Need it running by the weekend.

Anybody got tips to this kind of setup?

What service are you running on mikrotik radius (/radius print)?
If you disable wpa on the dlink, does it work?

What is the username and password stored in User Manager? Is the username “test” with empty password?

P.S. WPA has nothing to do with this error message regarding the unknown authentication method. This error means “authentication method used in Radius protocol has not been understood by User Manager”.

Username is:test
Password is:demo

No password is sent by D-link (as we can conclude from the log entry you provided). Either you can use MAC-authentication (store MAC address as username), or force D-link to send password in Radius requests.

Ok, thank you.

I can't see that there are any options for making the D-Link send password in any way.

The best now I guess is to reset all configuration and try again.

What type of setup should I use for this scenario?
I do not want to use MAC for authentication, users must be able to use different computers etc.
Would hotspot work here?

Configure ether1 (wan) of routerboard as usual.
Run dhcp server setup on ether2 and then run hotspot setup wizard, also on ether2.
Connect dlink to ether2 (directly or through a switch).
Configure dlink as AP. Any ip you assign the dlink will be just for you to access the web config of dlink.
Set your hotspot server (on ether2) to use radius (/ip hotspot profile set <profile> use-radius=yes)
Enable radius on the routerboard (/radius add service=hotspot address=127.0.0.1 secret=xxxxxx)
Configure usermanager as per wiki http://wiki.mikrotik.com/wiki/User_Manager
That’s it.

Look at this post: http://forum.mikrotik.com/t/using-usermanager-as-radius-for-other-ap/20825/1

Sergejs said.
I believe that User-Manager is not able to provide with PEAP or similar authentication.
Currently you need to use Free RADIUS or similar product to get PEAP or other kind of authentication.

That was last year. Don’t know if the status has changed but I have the same issue here now.