Wed Dec 22, 2021 3:50 pm
Clients are Windows 10 workstations.
I have stripped out RADIUS, so authentication is certificate only, "on box".
Full export of the unit:
[admin@Mikrotik] > /export
# dec/22/2021 21:38:54 by RouterOS 7.1
# software id = 3QK9-P1KA
#
# model = 951G-2HnD
# serial number = 6430051F32B2
/interface bridge
add name=bridge1
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap eap-methods=eap-tls management-protection=allowed mode=dynamic-keys name=Garth2-Server supplicant-identity="" tls-certificate=Garth2Server tls-mode=verify-certificate
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=australia disabled=no frequency=auto mode=ap-bridge security-profile=Garth2-Server ssid=Garth224 wps-mode=disabled
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Perth
/system identity
set name=TV-Switch
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system package update
set channel=testing
Certificates were all generated "on box" and exported as per below:
## Create CA (Certificate Authority) Certificate:
/certificate add name=Garth2-ca-template common-name=Garth2-ca country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,key-cert-sign,crl-sign;
/certificate sign Garth2-ca-template name=Garth2-ca ca-crl-host="192.168.123.1"
/certificate export-certificate Garth2-ca export-passphrase="12345678"
/certificate export-certificate Garth2-ca export-passphrase="12345678" type=pkcs12
## Create SERVER Certificate
/certificate add name=Garth2-Server-template common-name="Garth2Server" country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-server,tls-client;
/certificate sign Garth2-Server-template ca=Garth2-ca name=Garth2Server
/certificate set Garth2Server trusted=yes
/certificate export-certificate Garth2Server export-passphrase="12345678"
/certificate export-certificate Garth2Server export-passphrase="12345678" type=pkcs12
## Create CLIENT Certificates
/certificate add name=Garth2Client-template common-name=Garth2Client country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-client;
/certificate sign Garth2Client-template ca=Garth2-ca name=Garth2Client
/certificate set Garth2Client trusted=yes
/certificate export-certificate Garth2Client export-passphrase="12345678"
/certificate export-certificate Garth2Client export-passphrase="12345678" type=pkcs12
Then imported into an EAP-TLS profile on the workstation.
I can send you screenshots of this if you really want.
- But roll back the unit to 6.49 and the Windows 10 machine can connect.
- Roll forward to ROS7 and it can't.
- Does not matter if I generate the certificates on box or somewhere else, or if I generate them in v6 or v7: same result.
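The same three-certificate PKI the post builds on the router (Garth2-ca signing Garth2Server and Garth2Client), rebuilt off-box with the openssl CLI so the chain and extended key usages can be checked before the PKCS#12 files go into the Windows EAP-TLS profile. This is an added example, not code from the post or from MikroTik; the subject fields follow the post, while the export passphrase and output directory are placeholders of my own.

```shell
#!/bin/sh
# Added example: off-box rebuild of the post's Garth2 PKI plus a chain/EKU check.
set -eu
PASS="${EXPORT_PASS:-change-me}"   # constructed placeholder, override via EXPORT_PASS
SUBJ_BASE="/C=AU/ST=WA/L=Perth/O=ORG/OU=Technical Services"

# issue_cert <name> <common name> <x509v3 extension lines>, signed by Garth2-ca
issue_cert() {
  printf '%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA Garth2-ca.crt -CAkey Garth2-ca.key \
    -CAcreateserial -days 3650 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  # PKCS#12 bundle with the CA included, like the post's type=pkcs12 export.
  # OpenSSL 3 writes AES/PBKDF2 bundles; older Windows 10 builds need -legacy.
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile Garth2-ca.crt \
    -passout "pass:$PASS" -out "$1.p12"
}

# build_pki <dir>: self-signed CA, then server and client certificates, in <dir>
build_pki() {
  mkdir -p "$1" && cd "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout Garth2-ca.key -out Garth2-ca.crt -subj "$SUBJ_BASE/CN=Garth2-ca" 2>/dev/null
  # Windows EAP-TLS expects serverAuth on the AP certificate and clientAuth on the
  # supplicant certificate; these mirror the post's tls-server / tls-client usages.
  issue_cert Garth2Server Garth2Server \
    "keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:Garth2Server"
  issue_cert Garth2Client Garth2Client \
    "keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth"
}

# verify_cert <name> <EKU text>: succeeds only if the certificate chains to
# Garth2-ca and its Extended Key Usage contains the given text.
verify_cert() {
  openssl verify -CAfile Garth2-ca.crt "$1.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1.crt" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

build_pki "${1:-garth2-pki}"
verify_cert Garth2Server "TLS Web Server Authentication"
verify_cert Garth2Client "TLS Web Client Authentication"
echo "Garth2 chain and extended key usages verified in $(pwd)"
```

Run it as `sh mk-garth2-pki.sh /tmp/garth2-pki`; if a certificate generated on the router fails the same `openssl verify` and EKU check after export, the certificate rather than the RouterOS version is the first thing to suspect.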