WPA 2 Enterprise not working with FreeRADIUS

Hello,

I’m trying to authenticate wireless clients using WPA 2 Enterprise (EAP-TLS) on my MikroTik hAP ac^2. To achieve that, I have set up a FreeRADIUS server. This same server is successfully used with other APs/servers as well, to authenticate WPA Enterprise and other use cases. This server was also used successfully with this MikroTik hAP ac^2 before. However, at some point in the past, something changed (unfortunately I couldn’t pinpoint exactly what) and now wireless clients can’t connect to MikroTik any longer.

In the debugging logs of both MikroTik and FreeRADIUS I can see the connection attempts being made. However, after the initial handshake, MikroTik just resends the Access-Request because, according to the logs, there has been a timeout. I don’t really understand this behavior as there are no timeouts/warnings/errors being displayed in the FreeRADIUS logs.

Here’s the relevant configuration:

# 2024-07-02 11:39:49 by RouterOS 7.15.1
# software id = X
#
# model = X
# serial number = X
/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="viet nam" distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-2.4G ssid=MikroTik-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="viet nam" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-5G ssid=MikroTik-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-eap mode=dynamic-keys name=custom-ssid supplicant-identity=MikroTik
/interface wireless add disabled=no mac-address=DE:2C:6E:F7:68:E7 master-interface=wlan-5G name=custom-ssid-5G security-profile=custom-ssid ssid=custom-ssid wds-default-bridge=bridge wps-mode=disabled
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-2.4G internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-5G internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=custom-ssid-5G internal-path-cost=10 path-cost=10
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/radius add address=X.X.X.X require-message-auth=no service=wireless
/system clock set time-zone-name=Asia/Bangkok

I’d appreciate any help as I have reached an impasse caused by my limited knowledge and competence around RADIUS protocols and wireless authentication.

Please let me know which logs would be relevant for you to trace the issue and I’ll provide them.
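
As an added illustration of the two integrity checks involved in an EAP exchange like the one above (it is not code from this post, RouterOS or FreeRADIUS): the Message-Authenticator that the `require-message-auth` setting in the `/radius` line refers to, and the Response Authenticator a NAS verifies before accepting a reply. A reply that fails the second check is silently discarded, which the NAS reports as a timeout and retransmission. The shared secret, identifier and EAP identity are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value

def build_request(ident, req_auth, secret, attrs):
    """Access-Request with a Message-Authenticator: HMAC-MD5 over the whole packet
    (attribute value zeroed), keyed with the shared secret. RFC 3579 makes it mandatory
    whenever EAP-Message is present."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed value is the last 16 bytes of the packet

def message_authenticator_ok(pkt, secret):
    """Server-side check: walk the attributes, recompute the HMAC with the
    attribute zeroed and compare. False if the attribute is absent or malformed."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[: pos + 2] + bytes(16) + pkt[pos + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2 : pos + 18])
        pos += length
    return False

def build_challenge(ident, req_auth, secret, attrs):
    """Access-Challenge whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    (A real EAP challenge also carries its own Message-Authenticator.)"""
    body = b"".join(attrs)
    hdr = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def response_ok(resp, req_auth, secret):
    """NAS-side check. A reply that fails it (e.g. shared-secret mismatch)
    is silently discarded, which the NAS reports as a timeout and retransmits."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```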

I had the same problem. Downgraded to 7.9 and it works.