I am trying to diagnose why a wireless network using EAP-TTLS rejects association from a MikroTik station. Adding wireless,debug and even the full wireless topic does not give me more messages about the 802.1X EAP negotiation.
The logs look like:
wireless,debug wlan1: must select network
Station scans SSIDs
wireless,debug 00:00:00:00:00:00: on 0000 AP: yes SSID SSID caps 0x1111 rates 0xOFDM:24-54 BW:1x-4x SGI:1x-4x HT:3-7,9-15,17-31 VHTMCS:SS1=0-9,SS2=0-9,SS3=0-9,SS4=0-9 basic 0xOFDM:24 BW:1x VHTMCS:SS1=0-7 MT: no
wireless,info 00:00:00:00:00:00@wlan1 established connection on 0000000, SSID SSID
Station receives deauth
wireless,debug wlan1: must select network
I typically get either of these deauth reasons:
wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: IEEE 802.1X authentication failed (23)
wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: class 2 frame received (6)
I would like to debug and diagnose why I am unable to authenticate even though the account works on other hardware.
Is there another log topic I can use, or other diagnosis steps I can take?
I have enabled logging of the 802.1x topic, but unfortunately I get no information whatsoever. I believe the wireless 802.1x implementation is separate from the wired 802.1x that is in /interface/dot1x.
I am not sure if it is even possible to use that dot1x for wireless interfaces; I may try.
It does not seem possible to use the /interface/dot1x client for a wireless interface. I can set the interface to wlan1 using the CLI; however, WinBox and WebFig do not like that and keep defaulting to ether1. This is with the security profile set to a profile with EAP passthrough.
I also do not see any logging activity under radius or dot1x.
I know my outer identity is working, because using a test bad identity results in an immediate deauth. Using a good outer identity results in staying associated for a bit (15-30 seconds) before receiving a deauth.
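The timing observation above can be measured from an exported log rather than by eye. The following is an added example, not part of the original posts: it pairs each "established connection" line with the deauth that ends it and reports the hold time and reason code. The HH:MM:SS prefix, the pairing of reason codes with timings in the sample, and the `quick_secs` cut-off are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the page's log lines with an assumed HH:MM:SS prefix.
# MAC, SSID and frequency are the page's zeroed placeholders; which reason
# code goes with which hold time is constructed for illustration.
SAMPLE_LOG = """\
12:00:01 wireless,info 00:00:00:00:00:00@wlan1 established connection on 0000000, SSID SSID
12:00:02 wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: class 2 frame received (6)
12:00:02 wireless,debug wlan1: must select network
12:01:10 wireless,info 00:00:00:00:00:00@wlan1 established connection on 0000000, SSID SSID
12:01:32 wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: IEEE 802.1X authentication failed (23)
"""

UP = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\S+)@(\S+) established connection")
DOWN = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\S+)@(\S+?): lost connection, "
                  r"received deauth: (.*) \((\d+)\)$")

def association_attempts(log_text, quick_secs=5):
    """Pair each 'established connection' with the deauth that ends it."""
    started, attempts = {}, []
    for line in log_text.splitlines():
        if m := UP.match(line):
            # Remember when this peer/interface pair associated.
            started[(m[2], m[3])] = datetime.strptime(m[1], "%H:%M:%S")
        elif m := DOWN.match(line):
            begin = started.pop((m[2], m[3]), None)
            if begin is None:
                continue  # deauth without a matching association in this log
            held = (datetime.strptime(m[1], "%H:%M:%S") - begin).total_seconds()
            if held < 0:
                held += 86400  # log crossed midnight (no date in the prefix)
            attempts.append({
                "peer": m[2], "iface": m[3], "held_secs": held,
                "reason_code": int(m[5]), "reason": m[4],
                # quick_secs is an assumed cut-off, not a RouterOS value
                "timing": "immediate" if held <= quick_secs else "delayed",
            })
    return attempts

if __name__ == "__main__":
    for a in association_attempts(SAMPLE_LOG):
        print(f'{a["peer"]}@{a["iface"]} held {a["held_secs"]:.0f}s '
              f'reason {a["reason_code"]} ({a["reason"]}) -> {a["timing"]}')
```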