UserManager on ROS 7 + WiFi Ent (user/pass)

Hello,
I have just upgraded my RB450Gx4 to ROS 7.1.5
…and for a couple of days I have been trying to figure out why plain and simple auth with user/pass for WiFi Ent (PEAP) is not working…

The router has multiple VLANs (in my case VLAN 80 [192.168.80.3] has a direct connection to the UniFi AP).

[admin@core-router] > /user-manager/export 
# model = RB450Gx4
/user-manager profile
add name=prof1 name-for-users=prof1 starts-when=first-auth
/user-manager user group
add inner-auths=peap-mschap2 name=tsa outer-auths=pap,chap,mschap1,eap-peap,eap-mschap2
/user-manager user
add group=tsa name=test1
add group=tsa name=test2 shared-users=2
/user-manager
set enabled=yes
/user-manager router
add address=192.168.80.4 name=UAP-AC-LR
/user-manager user-profile
add profile=prof1 user=test1
add profile=prof1 user=test2

I have a UniFi AP that has management IP 192.168.80.4 and connects by cable on VLAN 80 directly to the router.

Router log:

 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 118
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 118
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 119
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 119
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 120
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 120
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 121
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 121

I have a Synology NAS with RADIUS enabled; now, if I configure the UniFi AP to use the Synology, everything is working flawlessly…
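An added example (mine, not code from the original post or from MikroTik): a small Python script that parses User Manager "manager,debug" log lines of the shape quoted above, pairs each Access-Request with its reply by NAS address and packet id, and gives a verdict per NAS. The lines for 192.168.80.4 are the ones from the post; the entries for 192.168.80.9 are constructed here to contrast a completed exchange and an unanswered request.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the 192.168.80.4 lines are the manager,debug entries
# quoted in the post; the 192.168.80.9 lines are made up to show a completed
# exchange (Access-Accept) and a request that never received a reply.
SAMPLE_LOG = """\
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 118
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 118
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 120
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 120
 13:40:10 manager,debug >>> rx Access-Request from [192.168.80.9]:40001, id: 5
 13:40:10 manager,debug <<< tx Access-Accept to [192.168.80.9]:40001, id: 5
 13:41:00 manager,debug >>> rx Access-Request from [192.168.80.9]:40001, id: 6
"""

# One log line: time, direction arrows, RADIUS code, NAS address:port, packet id.
LINE_RE = re.compile(
    r"^\s*(?P<time>\d{2}:\d{2}:\d{2}) manager,debug "
    r"(?P<dir>>{3}|<{3}) (?:rx|tx) (?P<code>Access-\w+) (?:from|to) "
    r"\[(?P<nas>[^\]]+)\]:(?P<port>\d+), id: (?P<id>\d+)\s*$"
)


@dataclass
class NasSummary:
    requests: int = 0
    challenges: int = 0
    accepts: int = 0
    rejects: int = 0
    unanswered: list = field(default_factory=list)  # packet ids with no reply


def parse_line(line):
    """Return the fields of one manager,debug line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count RADIUS reply codes per NAS and track requests that never got a reply."""
    summary = defaultdict(NasSummary)
    pending = {}  # (nas, id) -> time of a request still waiting for its reply
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        nas, code, key = rec["nas"], rec["code"], (rec["nas"], rec["id"])
        s = summary[nas]
        if code == "Access-Request":
            s.requests += 1
            pending[key] = rec["time"]
            continue
        pending.pop(key, None)  # a reply closes the request/reply pair
        if code == "Access-Challenge":
            s.challenges += 1
        elif code == "Access-Accept":
            s.accepts += 1
        elif code == "Access-Reject":
            s.rejects += 1
    for nas, rid in pending:
        summary[nas].unanswered.append(rid)
    return dict(summary)


def diagnose(summary):
    """Map each NAS address to a verdict on how its exchanges ended."""
    verdicts = {}
    for nas, s in summary.items():
        if s.accepts or s.rejects:
            verdicts[nas] = "completed"      # the server reached a decision
        elif s.challenges:
            verdicts[nas] = "stalled-eap"    # only challenges: EAP never finished
        elif s.unanswered:
            verdicts[nas] = "no-reply"       # requests seen, nothing sent back
        else:
            verdicts[nas] = "unknown"
    return verdicts


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for nas, verdict in diagnose(result).items():
        s = result[nas]
        print(f"{nas}: {verdict} (req={s.requests} chal={s.challenges} "
              f"acc={s.accepts} rej={s.rejects} unanswered={s.unanswered})")
```

A run of Challenge-only exchanges, as in the log above, means User Manager is answering the AP but the EAP conversation never reaches an Accept or a Reject, which points at the EAP/TLS side of the setup (the server certificate and the EAP method the AP forwards) rather than at reachability. A request with no reply at all is the opposite symptom: RFC 2865 has the server silently discard packets from an unknown client or with a bad shared secret, so in that case the /user-manager/router entry and secret are the first things to check.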

[quote=StanGilbertlandria post_id=923900 time=1649139654 user_id=199268]
Has anyone been able to install and use this?
[/quote]
User Manager is in the extra package if that's implanted for your device.

It’s working fine.
You should check this Document.
https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+security+with+User+Manager+v5

Hi @own3r1138

Okay, I've figured out in fact how the system works :slight_smile:
In the meantime, can you point out how you use Let's Encrypt certificates?

++ Side note: clients CAN now auth, however the User Manager sessions list shows no sessions?!

Hello,
https://help.mikrotik.com/docs/display/ROS/Certificates#Certificates-Let’sEncryptcertificates

Did you use passthrough or PEAP? Honestly, I was trying to replicate your config "MSCHAPv2" and I was unsuccessful.
For the active session log, that will work if you use user-man as RADIUS. Are you?
This is what I found, and it did not work; it's an old post.

So, here is what I have:

1. Core router where userman is installed:
  • cert generated for RADIUS: CA + tls_server + tls_client
  • cert activated for userman

/user-manager/user group/pr
name="cert_auth" outer-auths=eap-tls,eap-peap,eap-mschap2 inner-auths=peap-mschap2 attributes=""

2. AP:

name="EAP-PEAP_TLS" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm
wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="" eap-methods=passthrough tls-mode=verify-certificate
tls-certificate=EAP_TLS mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX-XX-XX-XX-XX-XX
radius-mac-mode=as-username-and-password radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=10m
management-protection=disabled management-protection-key=""

3. Cert imported on Android + Windows machines.

NOW, ALL clients can auth, but User Manager doesn't show any active sessions?!!?

radius-eap-accounting=no

This should be set to "yes".


Do you use profiles in user-man?

Flawless :slight_smile:
Everything is working: RADIUS, Win, Android, Linux.

However, any idea how to force-close sessions with "not active" status? It seems that the sessions list is now flooded by this type of session (can't close them).

I’m no expert and all of these are assumptions.
To me it looks like the user-man is not aware of the latest status of the connection.
You have a different AP, so maybe you should use CAPsMAN. (Does the main router have a WiFi interface, so that you can test and find out if the problem with the session is still there with "NO AP" involved, everything running locally?)

/ip firewall address-list
add address=127.0.0.1 list=RAS
/ip firewall filter
add action=accept chain=input comment=RAS dst-address-list=RAS dst-port=1812,1813,3799 protocol=udp src-address-list=RAS

Any log/config export may help.

Yes, so far I am quite satisfied with the new updated userman.
Some minor issues, but now I can fully use it for wireless auth, and also for some network switches.

Hi guys, thanks for the information.
In my case, authentication is working fine, but I have nothing about accounting; I am receiving a timeout when the User Manager tries to send an accounting update.
Also I have no session listed in the session window.

Share log entries:

/system logging
add disabled=yes prefix=RAS-----> topics=radius

Share config:

/radius> print
/user-manager/router export
/ip firewall filter export
/ip firewall raw export   (if you have any)
