Community discussions

 
JorgeAmaral
Trainer
Trainer
Topic Author
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Feature request: EAP-PEAP for wireless client

Sun Dec 27, 2009 4:48 am

I would like to use it, because its more simple to manage in a production environment. The wireless security that we can use with RB4x as clients is EAP-TLS. Its indeed very secure, but now with the network growing, it will take a lot of time with each client to update the their certificate.

Kindly regards, very good Christmas and a happy new year for all.

Jorge
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Feature request: EAP-PEAP for wireless client

Mon Dec 28, 2009 1:28 pm

Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
 
slavik
just joined
Posts: 5
Joined: Fri Feb 12, 2016 8:00 am

Re: Feature request: EAP-PEAP for wireless client

Fri Feb 12, 2016 8:02 am

Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
is there still no EAP-PEAP in routeros in station mode?
 
pe1chl
Forum Guru
Forum Guru
Posts: 5920
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature request: EAP-PEAP for wireless client

Fri Feb 12, 2016 10:32 am

Thank you very much for the feature request.
Currently we do not have plans to change security configuration for mode=station, but probably we will do it in the future.
is there still no EAP-PEAP in routeros in station mode?
No :(
I also requested it. It seems to be a simple addition, but nothing is happening :(
Ubiquiti access points support it, so I think they want you to take your business elsewhere...
 
slavik
just joined
Posts: 5
Joined: Fri Feb 12, 2016 8:00 am

Re: Feature request: EAP-PEAP for wireless client

Fri Feb 12, 2016 10:40 am

No :(
I also requested it. It seems to be a simple addition, but nothing is happening :(
Ubiquiti access points support it, so I think they want you to take your business elsewhere...
but inside security profile we have some PEAP related stuff
eap-methods=eap-ttls-mschapv2 mschapv2-username="peap-user1" mschapv2-password="P@ssword123"
so i want answer from MikroTik Support, is it works or not.
if works - how to configure it, because in my case i got "lost connection, 802.1x authentication timeout", but android phone works perfectly
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature request: EAP-PEAP for wireless client

Sat Feb 13, 2016 6:16 am

I've been tearing my hair out about this for days while evaluating an SXT ac device!

I brought an SXT to a recent NANOG conference (North American Network Operators Group) with an express intent of getting the SXT to authenticate to the conference network via 802.1x. I could get it to associate with their ap fine, but their logs kept filling up with "no username" and "no password" supplied messages.

I kept changing the method to eap-ttls-mschapv2 (because the UI would change it back...presumably since it doesn't exist in the UI!!) and supplying a mschap username and password! Nothing. It looked like their server just kept getting no username and password over and over again. From the timing of everything, it felt like their server was waiting for a username and password to be entered and eventually timed out.

I'm really hoping they pick this task up again and get 802.1x implemented properly.

Has anyone gotten this working?
 
slavik
just joined
Posts: 5
Joined: Fri Feb 12, 2016 8:00 am

Re: Feature request: EAP-PEAP for wireless client

Sat Feb 13, 2016 11:16 am

Has anyone gotten this working?
looks like at least one - http://forum.mikrotik.com/viewtopic.php?t=75519
as for me - mikrotik support is so unresponsive, its very bad for community and device popularity
 
Beone
Member Candidate
Member Candidate
Posts: 243
Joined: Fri Feb 11, 2011 1:11 pm

Re: Feature request: EAP-PEAP for wireless client

Sun Feb 14, 2016 12:54 pm

It's already in there, tested with v6.35rc8 and works like a charm
 
slavik
just joined
Posts: 5
Joined: Fri Feb 12, 2016 8:00 am

Re: Feature request: EAP-PEAP for wireless client

Sun Feb 14, 2016 4:48 pm

It's already in there, tested with v6.35rc8 and works like a charm
please post your config
wireless and security profiles
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature request: EAP-PEAP for wireless client

Mon Feb 15, 2016 5:55 pm

Hi everyone!! Thanks so much for the replies!! I believe that was my first forum post after years of lurking :-).
Beone
It's already in there, tested with v6.35rc8 and works like a charm
Referencing @slavik, @Beone, can you post your working config bits, if you don't mind?

I've pasted my "non-working" security profile, wireless interface, and cert info that I used during NANOG.

Below is the security profile. I tried tls-mode with "verify-certificate" and tried with and without a supplicant identity. ...about that supplicant identity. There was only one username for everyone, "nanog" (it's a pretty open network with a focus on efficiency, not restricting usage). I used that for the supplicant identity. I'm wondering if I should have used my system name, or something random. Thoughts?
5   name="nanog1" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm
     group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
     supplicant-identity="nanog" eap-methods=eap-ttls-mschapv2 tls-mode=dont-verify-certificate
     tls-certificate=auth.meetings.nanog.org.cer_0 mschapv2-username="someusername"
     mschapv2-password="somepassword" static-algo-0=none static-key-0="" static-algo-1=none
     static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
     static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
     radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no
     interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX
     radius-mac-mode=as-username-and-password radius-mac-caching=disabled group-key-update=5m
     management-protection=disabled management-protection-key=""
Since NANOG is now over, I changed the following interface profile to match what I'm pretty sure I used before (I'm sure the frequency is different):
0  R name="wlan1-gateway" mtu=1500 l2mtu=1600 mac-address=4C:5E:0C:D7:73:14 arp=enabled
      interface-type=Atheros AR9888 mode=station ssid="nanog" frequency=5805 band=5ghz-a/n/ac
      channel-width=20mhz scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled
      default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
      default-client-tx-limit=0 hide-ssid=no security-profile=nanog1 compression=no
And here is some info about the certificate I used:
6   L    T name="auth.meetings.nanog.org.cer_0"
            issuer=C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http:,,certs.godaddy.com,
       repository,,CN=Go Daddy Secure Certificate Authority - G2
            unit="Domain Control Validated" common-name="auth.meetings.nanog.org" key-size=2048
            subject-alt-name=DNS:auth.meetings.nanog.org days-valid=1093 trusted=yes
            key-usage=digital-signature,key-encipherment,tls-server,tls-client
            serial-number="someserialnumber"
            fingerprint="somefingerprint"
            invalid-before=may/29/2015 21:01:38 invalid-after=may/27/2018 16:03:43
I don't have an opportunity to test this out again on the NANOG network until the June (which gives visibility on both sides), but I'll test it out later today/tomorrow using a university network using similar settings.

Thanks so much everyone! -ej

EDIT:
1. Fixed quote.
2. Added supplicant identity detail.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature request: EAP-PEAP for wireless client

Tue Feb 16, 2016 6:40 am

It's already in there, tested with v6.35rc8 and works like a charm
Yeah, can you post your config bits?

I'm stumped. I tried this at the campus network 802.1x keeps timing out after about 30 seconds. I did try upgrading to the latest release candidate (6.35rc8 i think) and the wireless-rep package.

I feel like I should be seeing something called "eap-peap-mschapv2", maybe a way to automatically pull the certificate from the ap/radius server (reminder: I'm trying to connect in station/client mode), and all of that in the GUI. Without really knowing enough, it just "feels" like there are some missing bits that are not working.

To be clear (again, I'm a tad un-clear on all of this), but the campus network has a certificate that gets dolled out to the clients. The campus network requires a username and password. They are using eap, peap, mschapv2.

Is this really working for other people? If not, is it really not implemented? ...confused.

PS- Still no word from support :-(. I'll try again tomorrow if I don't get a response.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature request: EAP-PEAP for wireless client

Thu Feb 18, 2016 7:03 pm

Hey everyone! I heard back from support today.

They said "note that we support eap-ttls-mschapv2 and we don't have PEAP support."

Note that I am using RouterOS release candidate 6.35rc11 and the "current" RouterOS is 6.34.1.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature request: EAP-PEAP for wireless client

Fri Feb 19, 2016 7:20 pm

Update:

I got another reply from Mikrotik.

The person I'm corresponding with successfully tested eap-ttls-mschapv2 using the following set-up:

"...a test EAP radius server and got connected with an android phone and then
repeated the connection with the RouterOS as a client and it was working fine
when specifying the supplicant-identity and the mschapv2-user/password and and
setting tls-mode=dont-verify-certificate"

I personally don't have access to a eap-ttls-mschapv2 setup at the moment, but testing it with a cert would probably be good. I know this thread is regarding PEAP, but can anyone verify they have eap-ttls-mschapv2 working with a cert? (or let me know if there is something I don't understand :-))

Now, about PEAP, the person I'm corresponding with reasserted and noted the following:
"Since we don't have PEAP support eap-peap method will not work.
Currently we don't have any plans to add support the PEAP for the RouterOS
wireless client."

I've asked if a formal feature request can be put in and if the eap-ttls-mschapv2 stuff can be put into the GUIs. I'll update when I hear more.

-e
 
juliobrito
just joined
Posts: 8
Joined: Mon Oct 14, 2013 7:36 am

Re: Feature request: EAP-PEAP for wireless client

Tue May 24, 2016 5:16 pm

Regards,

Please, remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have more that 7 years waiting for it option.
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature request: EAP-PEAP for wireless client

Thu May 26, 2016 7:03 am

why not also EAPoL too ? in both EAP/PEAP flavors ? and probably PEAPv1/EAP-GTC too ? :)
 
User avatar
ArtursL
MikroTik Support
MikroTik Support
Posts: 8
Joined: Wed Jul 05, 2017 4:50 pm

Re: Feature request: EAP-PEAP for wireless client

Tue Nov 20, 2018 9:46 am

A guide on how to configure basic PEAP wireless client with RADIUS now is available in MikroTik Wiki.

Who is online

Users browsing this forum: No registered users and 78 guests