Community discussions

 
User avatar
EMOziko
Member Candidate
Member Candidate
Topic Author
Posts: 129
Joined: Mon Aug 23, 2010 9:42 pm
Location: Georgia

Feature Request: EAP-TTLS/EAP-PEAP

Sun Mar 03, 2013 10:17 pm

Hello.

In our network at this time we are using ubiquiti clients, (Mikrotiks only for AP, router, core router, bridge etc.) but we want to start using Mikrotik clients and slowly build all network based on Mikrotik products.

But we have one problem, now we are using EAP-TTLS authorisation, ubnt clients are authorising with username and password. FreeRADIUS is our AAA server. and we cant just change all the things and implement eap-tls or mac auth in our network. I think this problem will have many WISPs, so Mikrotik, please add this feature to RouterOS, this will be great!
We want new versions of The Dude!!!!!!!
 
User avatar
EMOziko
Member Candidate
Member Candidate
Topic Author
Posts: 129
Joined: Mon Aug 23, 2010 9:42 pm
Location: Georgia

Re: Feature Request: EAP-TTLS/EAP-PEAP

Tue Mar 12, 2013 7:54 pm

I cant believe that no one is interested about this :(
We want new versions of The Dude!!!!!!!
 
shrek777
Member Candidate
Member Candidate
Posts: 264
Joined: Wed Jan 21, 2009 9:44 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Sun Mar 31, 2013 12:08 am

I think that no one have enterprise network here,

If i am wrong please post your configuration, what type of security you are using? may be someone have better solution then EAP-TTLS?
 
rstik
just joined
Posts: 4
Joined: Thu Sep 04, 2014 12:27 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Fri Oct 10, 2014 11:25 am

Yap, I am trying to setup 802.11x using user-manager (radius) on mikrotik and it looks like it does not support PEAP.
In log file I get "authentication failed". It would be really great that we can use just one device for secure wifi
 
User avatar
maximan
Trainer
Trainer
Posts: 549
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Feature Request: EAP-TTLS/EAP-PEAP

Fri Oct 10, 2014 5:25 pm

RouterOS support a lot of type EAP with Radius. Only EAP-TLS is native on OS, the another can be used with external radius

M
MKE Solutions > Professional Support IT (Spanish / English)
FastNetMon / FNM Manager: DDoS Detection Tools.
 
rstik
just joined
Posts: 4
Joined: Thu Sep 04, 2014 12:27 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Sun Oct 12, 2014 12:03 am

Maximan, so it is not possible to setup 802.11x without external device/radius server?
 
User avatar
maximan
Trainer
Trainer
Posts: 549
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Feature Request: EAP-TTLS/EAP-PEAP

Thu Oct 16, 2014 4:59 pm

only EAP-TLS without radius

M.
MKE Solutions > Professional Support IT (Spanish / English)
FastNetMon / FNM Manager: DDoS Detection Tools.
 
dermanu
just joined
Posts: 6
Joined: Wed Feb 19, 2014 9:17 pm

Re: Feature Request: EAP-TTLS/EAP-PEAP

Mon Oct 27, 2014 12:14 am

Hello, is there a possibility to support eap-ttls.
In our setup we are trying to connect to an eduroam AP an need to transport username/password, therefore eap-ttls is required in station mode.
It would be so nice to see this feature in the ***next*** release 6.2X.
Manuel
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Tue Oct 28, 2014 4:59 pm

I haven't tried eap-ttls in station mode, but eap-mschapv2 does work in station mode. Works fine on our eduroam network.
 
dermanu
just joined
Posts: 6
Joined: Wed Feb 19, 2014 9:17 pm

Re: Feature Request: EAP-TTLS/EAP-PEAP

Tue Oct 28, 2014 5:15 pm

Hey roadracer, thanks for your reply.
Would you mind sharing (parts) of your configuration, or give me some hints. I am a bit out of ideas right now :(.

I am trying to connect to a network as a client, not to have an accesspoint. Is your setup simmiliar?
Manu
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Thu Nov 06, 2014 7:51 pm

They aren't turned on right now, but you have to do it in the CLI, not through winbox or webfig. in the security profile or on the wireless interface there is an option for mschap username and mschap password and identity. Connects as a station just fine. Then we GRE tunnel back to a CCR1036 and do VPLS for bridging.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Tue Feb 16, 2016 7:20 am

They aren't turned on right now, but you have to do it in the CLI, not through winbox or webfig. in the security profile or on the wireless interface there is an option for mschap username and mschap password and identity. Connects as a station just fine. Then we GRE tunnel back to a CCR1036 and do VPLS for bridging.
It's been awhile, but, should you still be using eduroam with a Mikrotik in station/client mode, can you supply the wifi interface and security-profile bits of your config? I'm really stumped and actually doing the exact same thing (I think), which is trying to connect to eduroam. I think an example might help a lot.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Thu Feb 18, 2016 7:04 pm

Hey everyone! I heard back from support today.

They said "note that we support eap-ttls-mschapv2 and we don't have PEAP support."

Note that I am using RouterOS release candidate 6.35rc11 and the "current" RouterOS is 6.34.1.
 
fractalbrain
just joined
Posts: 12
Joined: Sat Feb 13, 2016 6:00 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Fri Feb 19, 2016 7:21 pm

Update:

I got another reply from Mikrotik.

The person I'm corresponding with successfully tested eap-ttls-mschapv2 using the following set-up:

"...a test EAP radius server and got connected with an android phone and then
repeated the connection with the RouterOS as a client and it was working fine
when specifying the supplicant-identity and the mschapv2-user/password and and
setting tls-mode=dont-verify-certificate"

I personally don't have access to a eap-ttls-mschapv2 setup at the moment, but testing it with a cert would probably be good. I know this thread is regarding PEAP, but can anyone verify they have eap-ttls-mschapv2 working with a cert? (or let me know if there is something I don't understand :-))

Now, about PEAP, the person I'm corresponding with reasserted and noted the following:
"Since we don't have PEAP support eap-peap method will not work.
Currently we don't have any plans to add support the PEAP for the RouterOS
wireless client."

I've asked if a formal feature request can be put in and if the eap-ttls-mschapv2 stuff can be put into the GUIs. I'll update when I hear more.

-e
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature Request: EAP-TTLS/EAP-PEAP

Sun Feb 21, 2016 10:40 pm

aside interoperability, noted by OP, its just make sense "in general" and quite would b nice feature.
i would also dream about EAPOL support in ROS. to be prepared to MacSec/PortSec deployment aswell to be able deploy Properly 802.1x-2010 in networking(required by authorities at endpoint/CPE in some regions).
 
juliobrito
just joined
Posts: 8
Joined: Mon Oct 14, 2013 7:36 am

Re: Feature Request: EAP-TTLS/EAP-PEAP

Tue May 24, 2016 5:12 pm

Regards,

Please, remember that all Mikrotik users need the implementation of PEAP-MSCHAPv2 Wireless Station Mode. We have more that 7 years waiting for it option.

Who is online

Users browsing this forum: MSN [Bot] and 8 guests