I am trying to set up WPA2 (Enterprise) on a Mikrotik AP and am a little confused. I have done this before with wili and other access points but cannot figure out how to do it with MK. I have the Radius server set up and working with other access points (wili) running wpa2 enterprise. Is this even possible on MK? Is it just not possible from the GUI tool? I know this post is a little light on info so I will update it when I am back at work but I was hoping for a kick in the right direction.
Yes, of course it is possible for access-point.
- You need to enable the RADIUS client; the radius menu is used for that. Add address, shared-secret and service wireless.
- Use interface wireless security-profiles to set up WPA enterprise, like this:
interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough
Look for security profiles settings in Winbox to find out these menus.
I’m also having some problems with 802.1x.
I’m running RouterOS on a PC and I have a RADIUS server (with user manager) on the same machine.
The wireless connection is not secure but all users have to identify themselves on my hotspot (also running on the same PC).
Now I want to secure the network using 802.1x so each user has its own authentication and encryption. Is this scenario possible?
I really need help with this.
- Which service should I put? Wireless, login?!?!
- Security profile ->RADIUS (MAC authentication, MAC accounting, EAP accounting!!!)
- For RADIUS client configuration, you need to put wireless.
- For EAP you need to put at least:
interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough
MAC-authentication you need to put, when you need client’s MAC-address authentication over RADIUS.
MAC-accounting is used, when accounting for MAC-authenticated clients is required.
EAP-accounting, when accounting is necessary for EAP sessions.
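The RADIUS client and security-profile steps from the answers above, put together as one RouterOS configuration. This is an added example, not part of the original posts; the server address 192.0.2.10, the secret, the profile name wpa2-ent and the interface name wlan1 are placeholder assumptions.

```routeros
# Added example. Placeholders (not from the thread):
#   192.0.2.10  RADIUS server address (documentation range)
#   wlan1       wireless interface running in AP mode
#   wpa2-ent    name chosen here for the new security profile

# 1. RADIUS client. service=wireless is what the wireless security
#    profile uses; service=login or hotspot would not be consulted for EAP.
/radius add service=wireless address=192.0.2.10 \
    secret="CHANGE-ME-shared-secret" timeout=3s

# 2. Security profile for WPA2-Enterprise. A separate profile leaves
#    "default" untouched, so other interfaces keep their current settings.
#    eap-methods=passthrough relays the EAP exchange to the RADIUS server.
/interface wireless security-profiles add name=wpa2-ent \
    mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    radius-eap-accounting=yes \
    radius-mac-authentication=no radius-mac-accounting=no

# 3. Attach the profile to the AP interface.
/interface wireless set wlan1 security-profile=wpa2-ent

# 4. Checks after a client has tried to connect.
/radius print
/radius monitor 0
/interface wireless security-profiles print detail where name=wpa2-ent
/interface wireless registration-table print
```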
Hm… Is it possible to authenticate different port traffic?
for ex.
On the user side: Antenna – Switch – PC
                            |------VOIP
PC authenticates by given user name and VOIP device authenticates by MAC address.
You will need to use HotSpot for this,
http://www.mikrotik.com/testdocs/ros/3.0/pnp/hotspot.php
user is authenticated by login/password form on HTTP page,
VOIP device is authenticated by MAC-address, as soon as it is connected to the network.