Community discussions

MikroTik App
just joined
Topic Author
Posts: 20
Joined: Sat Feb 25, 2017 12:48 am

TLS 1.2 & Removal of TLS 1.0 - WPA2-EAP

Thu Apr 09, 2020 3:43 pm


I know that there's been some progress with certain other components of RouterOS as far as supporting TLS 1.2 and giving the ability to disable older protocols but I found a component that it's not yet done with and it's preventing the close-out of security/compliance issues.

Specifically, the WPA2-EAP wireless client, where the RouterOS itself is the client authenticating to a remote radius server such as Microsoft Network Policy Server (NPS).
Since RouterOS itself is the client, this appears to only be capable of TLS 1.0 as the most secure protocol. Disabling TLS 1.0 and 1.1 on the RADIUS hosts breaks the ability of the RouterOS devices to log in to the wireless network. Re-enabling TLS 1.0 restores RouterOS devices' ability to log in.

Windows and Linux wireless clients are unaffected and function well with TLS 1.2-only on the RADIUS servers.

The ability to control which protocols are used (TLS 1.0/1.1/1.2/1.3) and some visibility and control into which ciphers are supported/used would go a long way towards facilitating the use of Mikrotik in environments where security compliance (such as PCI DSS, etc) is a core business constraint.


Who is online

Users browsing this forum: ashoka, Baidu [Spider], Bing [Bot], jvparis, kisman, Majestic-12 [Bot], mktkRB and 187 guests