Hello guys, can anyone help me? I'm currently working on my hAP ax3, setting up a wireless network with a RADIUS server (User Manager) as the authenticator. As far as I know, to set up the wifi I first need to create the security profile and inherit it into the configuration profile, which is then inherited by the wifi1 & wifi2 interfaces. But when I do it like this, my SSID becomes open with no authentication. From what I've read, everyone says I should just select the security profile in the configuration section without ticking anything, and that on the wifi1 & wifi2 interfaces I shouldn't even touch the security section. My configuration is below for reference:
2025-12-08 22:53:21 by RouterOS 7.20.6
software id = HVZY-AC3M
model = C53UiG+5HPaxD2HPaxD
serial number = removed
# Two bridges with VLAN filtering are defined. Employee-Bridge is disabled,
# so LAN is the only bridge in use.
/interface bridge
add disabled=yes name=Employee-Bridge vlan-filtering=yes
add name=LAN vlan-filtering=yes
# VLAN interface "Employee" (VLAN ID 100) on top of the LAN bridge; the
# 192.168.100.1/24 address and the employee DHCP server are attached to it
# later in this export.
/interface vlan
add interface=LAN name=Employee vlan-id=100
/interface ethernet switch
set 0 cpu-flow-control=yes
# AAA profile for the wifi interfaces; only a NAS identifier is set here.
/interface wifi aaa
add disabled=no name=aaa-emp nas-identifier=emp-nas
# Datapath: wireless clients are attached to bridge LAN with vlan-id=100.
/interface wifi datapath
add bridge=LAN disabled=no name=dp-emp vlan-id=100
# Configuration profile cfg-emp references aaa-emp and dp-emp, but it has no
# security=<profile> reference. Its inline security.authentication-types and
# .encryption values are both empty strings.
# NOTE(review): an empty authentication-types list means no authentication is
# requested, which matches the open SSID described in the post. Confirm against
# the wifi documentation for this RouterOS version.
/interface wifi configuration
add aaa=aaa-emp country=Malaysia datapath=dp-emp disabled=no installation=
indoor mode=ap name=cfg-emp security.authentication-types="" .encryption=
"" ssid=WiFiEmployee
# Both radios take cfg-emp and repeat the same empty inline security values.
# NOTE(review): presumably values set on the interface take precedence over
# anything inherited from the profile, so these would have to be unset for a
# security profile to apply. Verify.
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg-emp configuration.mode=ap
disabled=no security.authentication-types="" .encryption=""
set [ find default-name=wifi2 ] configuration=cfg-emp configuration.mode=ap
disabled=no security.authentication-types="" .encryption=""
# emp-sec is the only place WPA2-EAP with CCMP is requested, but the profile is
# disabled=yes and neither cfg-emp nor wifi1/wifi2 refers to it by name, so
# nothing in this export applies it to the radios.
# NOTE(review): eap-methods and eap-certificate-mode look like settings for the
# case where this device is the EAP client (station mode). In that role
# dont-verify-certificate would skip validation of the RADIUS server
# certificate. Confirm whether they are needed on an AP at all.
/interface wifi security
add authentication-types=wpa2-eap disabled=yes eap-accounting=yes
eap-certificate-mode=dont-verify-certificate eap-methods=peap,ttls
encryption=ccmp group-encryption=ccmp name=emp-sec
# Address pools for the employee VLAN (192.168.100.0/24) and the LAN
# (192.168.50.0/24).
/ip pool
add name=employee ranges=192.168.100.2-192.168.100.254
add name=LAN-Pool ranges=192.168.50.2-192.168.50.254
# One DHCP server per segment, each with a 10-minute lease time.
/ip dhcp-server
add address-pool=employee interface=Employee lease-time=10m name=employee
add address-pool=LAN-Pool interface=LAN lease-time=10m name=LAN-DHCP
# User Manager accounts used for RADIUS authentication. CappedUser carries a
# Mikrotik-Rate-Limit attribute of 1M; the others have no attributes.
# NOTE(review): no passwords appear here. Exports normally leave sensitive
# values out, so this listing cannot show whether each account has one.
# Confirm on the device.
/user-manager user
add name=Employee1
add name=Employee2
add name=Employee3
add attributes=Mikrotik-Rate-Limit:1M name=CappedUser
add name=3SharedUsers
# ether2-ether5 are members of bridge LAN. ether1 is not bridged; it carries
# the 192.168.0.2/24 address and is the masquerade out-interface later in this
# export.
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
# Neighbor discovery runs on every interface outside the "dynamic" list.
# NOTE(review): that appears to include ether1, the upstream-facing port.
# Confirm that discovery is wanted there.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Bridge VLAN entry tagging wifi1 and wifi2, but with an empty vlan-ids value.
# NOTE(review): this entry names no VLAN, and the export has no static entry
# for VLAN 100 even though LAN has vlan-filtering=yes. Dynamically added
# entries would not be exported, so check the live bridge VLAN table to confirm
# that employee traffic really stays on VLAN 100.
/interface bridge vlan
add bridge=LAN tagged=wifi1,wifi2 vlan-ids=""
# An OpenVPN server instance is defined. Only its MAC address and name appear.
# NOTE(review): whether it is enabled cannot be told from this listing. If VPN
# is not used, confirm that it is off.
/interface ovpn-server server
add mac-address=FE:C9:95:0D:9B:D0 name=ovpn-server1
# ether1 is the upstream link (192.168.0.0/24). LAN and Employee are the
# gateways for their own subnets.
/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.50.1/24 interface=LAN network=192.168.50.0
add address=192.168.100.1/24 interface=Employee network=192.168.100.0
# DHCP hands out 8.8.8.8 as the resolver and the router as gateway on both
# segments.
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set servers=8.8.8.8
# The only filter rules accept RADIUS authentication (UDP 1812) and accounting
# (UDP 1813) from the loopback address, and both are disabled.
# NOTE(review): with no enabled input or forward rules in this export, nothing
# filters access to the router's own services from ether1, LAN or the employee
# VLAN, and nothing separates the employee subnet from the LAN subnet. A
# default-drop input policy and an explicit forward policy are worth adding
# before the WLAN goes live.
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=1812 protocol=udp
src-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=1813 protocol=udp
src-address=127.0.0.1
# Only the plain masquerade on ether1 is active. The two hotspot-related
# entries are disabled.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masquerade hotspot network"
disabled=yes src-address=192.168.100.0/24
# Hotspot user named "admin", apparently left over from a hotspot setup.
# NOTE(review): no password is visible in the export. Remove the account if
# hotspot is not in use.
/ip hotspot user
add name=admin
# Default route via the upstream gateway on the ether1 subnet.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main
suppress-hw-offload=no
# PPP authentication is set to consult RADIUS.
/ppp aaa
set use-radius=yes
# RADIUS client entry pointing at the local User Manager (127.0.0.1) for the
# wireless and dot1x services only.
# NOTE(review): no secret is visible. Exports normally omit it, so confirm that
# one is set and that it matches the User Manager router entry at the end of
# this export.
/radius
add address=127.0.0.1 service=wireless,dot1x
# Accept incoming RADIUS requests sent to the router.
# NOTE(review): presumably these are CoA/Disconnect messages. With no enabled
# firewall filter rules in this export, confirm which sources can reach this
# listener.
/radius incoming
set accept=yes
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Mikrotik-Router
# Echo User Manager log messages with a "[USM]" prefix; useful for following
# authentication attempts while testing.
/system logging
add action=echo prefix="[USM]" topics=manager
# NTP keeps the clock correct, which certificate validity checks depend on.
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=asia.pool.ntp.org
# Router logins are also set to consult RADIUS, with accounting off.
# NOTE(review): the RADIUS client entry above lists only wireless and dot1x, so
# it presumably does not serve login requests. Confirm whether RADIUS-backed
# router login is intended. If it is not, turning this off keeps admin access
# independent of the wifi user database.
/user aaa
set accounting=no use-radius=yes
# User Manager is enabled.
# NOTE(review): certificate=*0 looks like a reference that does not resolve to
# a named certificate. PEAP and TTLS need a server certificate that clients can
# validate, so confirm that a real one is assigned.
/user-manager
set certificate=*0 enabled=yes
# The router itself is registered as a RADIUS client (NAS) of User Manager via
# the loopback address. The shared secret is not shown in the export.
/user-manager router
add address=127.0.0.1 name=Mikrotik-Router