Hello Community,
I have some trouble with our Mikrotik access-point and Radius authentication.
We are using a Network Access Control system called ARP-Guard from ISL. The ARP-Guard is running a RADIUS server.
The ARP-Guard is managing some lists of MAC addresses.
The access point asks the RADIUS server for authentication. The RADIUS server accepts the client if it is in the allowed list; otherwise it will be rejected.
The problem with my security settings is that the access point asks the client for a username and a password. If you don't provide a username or a password, the system will not start the connection initialization. When I enter some user data, the client starts to connect:
May/24/2018 14:36:23 radius,debug sending 58:5b to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet sending Access-Request with id 41 to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet Signature = 0x02f9ff321a484a68fe78945743bb9a74
May/24/2018 14:36:23 radius,debug,packet Service-Type = 2
May/24/2018 14:36:23 radius,debug,packet NAS-Port-Id = "wlan1"
May/24/2018 14:36:23 radius,debug,packet NAS-Port-Type = 19
May/24/2018 14:36:23 radius,debug,packet User-Name = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet Calling-Station-Id = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet Called-Station-Id = "CC-2D-E0-02-C0-5A:TestSystem"
May/24/2018 14:36:23 radius,debug,packet User-Password = 0x41302d38382d42342d43312d43382d3938
May/24/2018 14:36:23 radius,debug,packet NAS-Identifier = "ITV-AP-25489"
May/24/2018 14:36:23 radius,debug,packet NAS-IP-Address = 10.40.206.13
May/24/2018 14:36:23 radius,debug,packet received Access-Accept with id 41 from 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet Signature = 0xdff141a38284af53698f01ee6500c73d
May/24/2018 14:36:23 radius,debug received reply for 58:5b
That's all correct up to here.
But some milliseconds later, the client/access-point sends a request with the userdata:
May/24/2018 14:36:23 radius,debug new request 58:5c code=Access-Request service=wireless called-id=CC-2D-E0-02-C0-5A:TestSystem
May/24/2018 14:36:23 radius,debug sending 58:5c to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet sending Access-Request with id 42 to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet Signature = 0x43afcdb98d777ad8ca1c60ae2160e3a1
May/24/2018 14:36:23 radius,debug,packet Service-Type = 2
May/24/2018 14:36:23 radius,debug,packet Framed-MTU = 1400
May/24/2018 14:36:23 radius,debug,packet User-Name = "testuser"
May/24/2018 14:36:23 radius,debug,packet NAS-Port-Id = "wlan1"
May/24/2018 14:36:23 radius,debug,packet NAS-Port-Type = 19
May/24/2018 14:36:23 radius,debug,packet Calling-Station-Id = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet Called-Station-Id = "CC-2D-E0-02-C0-5A:TestSystem"
May/24/2018 14:36:23 radius,debug,packet EAP-Message = 0x0200000d017465737475736572
May/24/2018 14:36:23 radius,debug,packet Message-Authenticator = 0x3e0df1e95d3169b5a9cb28565360364a
May/24/2018 14:36:23 radius,debug,packet NAS-Identifier = "ITV-AP-25489"
May/24/2018 14:36:23 radius,debug,packet NAS-IP-Address = 10.40.206.13
May/24/2018 14:36:23 radius,debug,packet received Access-Reject with id 42 from 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet Signature = 0xa8714bf0a56734f265e071add0cfb33c
May/24/2018 14:36:23 radius,debug received reply for 58:5c
and the RADIUS server rejects the connection request.
So I have to disable the client authentication.
My config:
Security Profile Settings:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap mode=dynamic-keys supplicant-identity=ITV-AP-25489
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=profile1 \
radius-mac-authentication=yes radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password \
supplicant-identity=""
Radius Settings:
/radius
add address=10.9.0.40 secret=P4ssw0rd service=wireless
Hope to find some hints for this problem…
Best regards,
David
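As an added example (not the poster's code and not part of MikroTik RouterOS or ARP-Guard), here is a small Python parser for the RouterOS radius debug lines shown above. It pairs each Access-Request id with its reply, decodes the EAP-Message attribute (RFC 3748 header, type and identity), and classifies each exchange as MAC authentication or an EAP identity exchange, so the two separate exchanges in the log (id 41 with the MAC as username, id 42 with the EAP identity "testuser") stand out. The embedded log lines are trimmed from the post, with the MAC masked as in the post.

```python
import re

# Log lines trimmed from the post above (MAC masked as in the post); exchange 41 is the
# MAC-as-username request, exchange 42 carries the EAP Identity response "testuser".
SAMPLE_LOG = """\
May/24/2018 14:36:23 radius,debug,packet sending Access-Request with id 41 to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet User-Name = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet Calling-Station-Id = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet received Access-Accept with id 41 from 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet sending Access-Request with id 42 to 10.9.0.40:1812
May/24/2018 14:36:23 radius,debug,packet User-Name = "testuser"
May/24/2018 14:36:23 radius,debug,packet Calling-Station-Id = "A0-88-B4-XX-XX-XX"
May/24/2018 14:36:23 radius,debug,packet EAP-Message = 0x0200000d017465737475736572
May/24/2018 14:36:23 radius,debug,packet received Access-Reject with id 42 from 10.9.0.40:1812
"""

SEND_RE = re.compile(r"sending Access-Request with id (\d+)")
REPLY_RE = re.compile(r"received (Access-\w+) with id (\d+)")
ATTR_RE = re.compile(r'radius,debug,packet (\S+) = (?:"([^"]*)"|(\S+))')
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak"}  # RFC 3748 type codes

def decode_eap(hexstr):
    """Decode an EAP-Message attribute: code, id, length, type, type-data (RFC 3748)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw) or length < 5:
        raise ValueError("EAP length field does not match the attribute payload")
    return {"code": code, "id": ident, "type": EAP_TYPES.get(raw[4], raw[4]),
            "data": raw[5:].decode("ascii", "replace")}

def parse_exchanges(log):
    """Group attribute lines by RADIUS packet id, attach the reply, classify the exchange."""
    exchanges, current = {}, None
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            current = exchanges.setdefault(m.group(1), {"attrs": {}, "reply": None})
        elif m := REPLY_RE.search(line):
            exchanges.setdefault(m.group(2), {"attrs": {}, "reply": None})["reply"] = m.group(1)
        elif current is not None and (m := ATTR_RE.search(line)):
            current["attrs"][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    for ex in exchanges.values():
        a = ex["attrs"]
        if "EAP-Message" in a:  # 802.1X/EAP pass-through: the station's identity is inside EAP
            ex["kind"], ex["identity"] = "eap", decode_eap(a["EAP-Message"])["data"]
        elif a.get("User-Name") == a.get("Calling-Station-Id"):  # radius-mac-authentication
            ex["kind"] = "mac-auth"
        else:
            ex["kind"] = "other"
    return exchanges
```

Run `parse_exchanges(SAMPLE_LOG)` on a longer `/log print` export to see which of the two exchange kinds the RADIUS server is rejecting.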