 
sindy
Forum Guru
Topic Author
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP?

Fri Mar 26, 2021 11:59 am

Hello everybody,

I wanted to get ready to use a routerboard device as a STA in a 3rd party WiFi network that requires clients to authenticate themselves to the infrastructure using certificates.

So the logical first step was to create my own AP with mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=server-test in its security profile and try to connect the STA to it.

As I was getting wireless,info 74:4D:28:12:37:BA@wlan2: disconnected, 802.1x authentication failed at both the STA and the AP, I've decided to simplify the task by setting tls-mode to dont-verify-certificate, which means that the AP presents its own certificate to the STA, but doesn't request a certificate from the STA. The result was the same - 802.1x authentication failed logged at both the AP and the STA.

So I've created a new AP certificate with both the common-name and subject-alt-name=DNS: matching the ssid of the interface, but still the same outcome.

Out of desperation (it should work with CAPsMAN too, shouldn't it), I've used the /system identity name value of the AP as the certificate's common-name and subject-alt-name=DNS:, still the same outcome.

All the certificates (the three different ones for the AP and the one for the STA) have been signed by the same CA, both the AP and the STA have that CA's certificate installed. The AP certificates have both tls-server and tls-client in the key-usage list.

If I set tls-mode=no-certificates, it works fine.

So my question, which neither the documentation nor the log answers, is - what are the requirements of the RouterOS acting as STA (and also of RouterOS acting as an AP for the later stage) on the contents of the other party's certificate? Or maybe the cipher suites used by contemporary RouterOS versions when generating the certificate are not the same ones required by those same versions of RouterOS to verify the certificate when acting as a STA?

There is a topic at Serverfault by forum user @LinuxEngineer which deals with this subject, except that it doesn't use Mikrotik as a STA. Microsoft states that the AP certificate for this purpose must have the AP's FQDN as the subject-alt-name, but I have problems understanding how the STA can verify any relationship of the FQDN to the AP during initial authentication of the STA to the network while it has no IP connectivity yet.

Windows 10 is happy with the CA certificate and the server certificate provided by the AP even though its CN and SAN do not match the SSID, and it is enough for it to connect to such an AP if the CA is installed in its Trusted Root CAs certificate store. It doesn't even matter that the Client Hello sent by Windows indicates TLS 1.2 whereas the AP's messages are TLS 1.0. So it's the TLS client in the Mikrotik STA that is picky.

Tested with dont-verify-certificate so far, i.e. STA certificate wasn't required.
 
sindy
Forum Guru
Topic Author
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EAP-TLS wireless authentication - why a Mikrotik client cannot connect to Mikrotik AP?  [SOLVED]

Sat Mar 27, 2021 2:03 pm

OK, so the answer to the topic title is "because the wording in the manual is misleading". It says:

eap-methods | ... This property only has effect on Access Points. ...

tls-mode | This property has effect only when eap-methods contains eap-tls.

tls-certificate | ... Client needs a certificate only if Access Point is configured with tls-mode set to verify-certificate. ...

So my understanding of the above is that the STA ignores both eap-methods and tls-mode and behaves depending on the information received from the AP in the course of the authentication process.

As I couldn't find any topic value in /system logging that would cause logging of the 802.1x processing, wireless sniffing had to come to help (one of the advantages of living in the countryside is that there are just a few interfering APs), and it has revealed that whilst the Client Hello packet from the Windows client offers 21 cipher suites, the one from the RouterOS client was offering just two: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA and TLS_EMPTY_RENEGOTIATION_INFO_SCSV. Aligning the ROS version at the STA with the one at the AP has not changed anything.

And then it clicked - when tls-mode is set to no-certificates, "TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange" according to the manual. So what if the STA actually does not ignore the TLS settings in the /interface wireless security-profile?

Indeed, both the eap-methods and tls-mode on the STA have to match those set on the AP. To the extent that even verify-certificate and dont-verify-certificate make a difference - if the AP is set to dont-verify-certificate, so it does not ask the STA to provide a certificate during the 802.1x dialog, the authentication fails if the STA is set to verify-certificate.

To also respond to the question which was in the topic title originally, the only requirements on the certificates seem to be that their key-usage list must contain tls-server for the AP one and tls-client for the STA one (and of course the obvious ones, i.e. that the certificates are not expired/not valid yet and are signed by a CA trusted by the recipient). The STA doesn't compare the common-name or subject-alt-name of the AP's certificate with the SSID, nor does the AP compare the common-name or subject-alt-name of the STA's certificate with the client identity configured in the supplicant-identity. I haven't tried to use certificates with no subject-alt-name.

Also, there is no point in creating an /interface wireless security-profile item for each client at the AP as the ServerFault topic mentioned in my OP suggests. With tls-mode=verify-certificate, any STA certificate signed by a CA known to the AP is considered valid. So to prevent a STA presenting a valid certificate from authenticating, that certificate has to be revoked and the tls-mode must be set to verify-certificate-with-crl.
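Putting the findings of this post together, here is an added configuration example (not taken from the thread and not MikroTik's own documentation) of a matching pair of RouterOS 6 security profiles, with certificates whose key-usage follows the rule stated above, and the revocation step for the case where one station has to be locked out later. The certificate names ca, ap-cert and sta-cert, the SSID eaptls-lab, the supplicant identity sta1, the export passphrase, the common names and the CRL host are placeholders chosen for this example; how the CRL named in the CA's ca-crl-host is published and reached by the AP depends on the environment and is assumed to be in place.

```routeros
# --- On the AP (RouterOS 6); all names below are placeholders for this example ---
# CA that both sides will trust; ca-crl-host matters only for tls-mode=verify-certificate-with-crl
/certificate add name=ca common-name=eaptls-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign ca ca-crl-host=crl.example.invalid

# AP certificate: its key-usage must contain tls-server (the CN/SAN are not compared with the SSID)
/certificate add name=ap-cert common-name=ap.example.invalid key-usage=tls-server days-valid=365
/certificate sign ap-cert ca=ca

# STA certificate, signed by the same CA: its key-usage must contain tls-client
/certificate add name=sta-cert common-name=sta.example.invalid key-usage=tls-client days-valid=365
/certificate sign sta-cert ca=ca

# Export the CA (public part only) and the STA certificate with its key for transfer to the station;
# the passphrase protects the exported private key (cert_export_sta-cert.key)
/certificate export-certificate ca
/certificate export-certificate sta-cert export-passphrase=ChangeMe123

# AP security profile: verify-certificate makes the AP request and check the STA's certificate
/interface wireless security-profiles add name=eap-ap mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=ap-cert
/interface wireless set wlan1 mode=ap-bridge ssid=eaptls-lab security-profile=eap-ap

# --- On the STA (RouterOS 6), after copying cert_export_ca.crt, cert_export_sta-cert.crt and cert_export_sta-cert.key to it ---
/certificate import file-name=cert_export_ca.crt passphrase=""
/certificate import file-name=cert_export_sta-cert.crt passphrase=ChangeMe123
/certificate import file-name=cert_export_sta-cert.key passphrase=ChangeMe123

# eap-methods and tls-mode must mirror the AP exactly (verify-certificate on the AP => verify-certificate here);
# with verify-certificate the STA also checks the AP's certificate chain against the imported CA.
# supplicant-identity is sent as the EAP identity; it is not compared with the certificate's CN/SAN.
/interface wireless security-profiles add name=eap-sta mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=sta-cert supplicant-identity=sta1
/interface wireless set wlan1 mode=station ssid=eaptls-lab security-profile=eap-sta

# --- Locking out one station later (on the AP) ---
# Under verify-certificate any certificate signed by ca is accepted, so the station's certificate must be
# revoked and the AP switched to CRL checking; crl-download/crl-use let the AP fetch and honour the CRL.
/certificate issued-revoke sta-cert
/certificate settings set crl-download=yes crl-use=yes
/interface wireless security-profiles set eap-ap tls-mode=verify-certificate-with-crl
```

If the AP is instead set to tls-mode=dont-verify-certificate, the STA profile has to say dont-verify-certificate as well; a STA left on verify-certificate fails with the same "802.1x authentication failed" log line as in the original post, because the two sides no longer agree on whether a client certificate is part of the TLS handshake.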
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP?

Sat Mar 27, 2021 2:11 pm

Sounds like a case of knowing too much. I would have simply put the square peg into the square hole instead of contemplating the depth of the hole and what instrument was used to cut the holes.
In other words, zing, over my head, but glad you worked it out.

So what I don't get is: WiFi is just a medium, at the end of the day doesn't one have to reach a RADIUS server to be authenticated?
Or are you using WiFi authentication as the ENTRY to a system where one asks not only for a password but also for some sort of certificate proof (and if it's not VPN, what does this look like, for example if logging into a WiFi network from my iPhone)?

In other words, I don't quite get from a practical user perspective what is going on here?
 
sindy
Forum Guru
Topic Author
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP?

Sat Mar 27, 2021 3:31 pm

Sounds like a case of knowing too much. I would have simply put the square peg into the square hole instead of contemplating the depth of the hole and what instrument was used to cut the holes.
With a usual client like the Windows or iOS one, the peg is flexible, so you can push it into a hole of any form. The client recognizes the authentication mode requested by the AP and asks the user for the credentials (username&password or certificate) needed during the course of the authentication process. I was assuming the RouterOS client to behave the same way, except that the credentials must be made available in advance rather than requested from the user at first connection. What I did not expect was that the EAP-TLS settings themselves (the form of the hole) needed to be configured too.

So what I don't get is: WiFi is just a medium, at the end of the day doesn't one have to reach a RADIUS server to be authenticated?
Or are you using WiFi authentication as the ENTRY to a system where one asks not only for a password but also for some sort of certificate proof (and if it's not VPN, what does this look like, for example if logging into a WiFi network from my iPhone)?
If you want to authenticate to the WiFi by an individual username and password rather than a common passphrase for all clients, you have to use a RADIUS server. In RouterOS 6, the embedded one (User Manager) wasn't able to work with WiFi; in RouterOS 7, it is. But if you use a certificate to authenticate the client, you don't need RADIUS, but you may still use it if you prefer.

In other words, I don't quite get from a practical user perspective what is going on here?
From a practical user perspective, it's all a matter of security. Making the STA verify the identity of the AP using a certificate makes sense in order that no one could switch on their own AP with your SSID and intercept your STAs' traffic; making the AP verify the identity of a user using a certificate makes the client password alone useless if eventually leaked, because the client password is only used to allow use of the private key of the certificate, or not used at all if retrieval of the private key from the client is made impossible.

In my particular case, it's what I wrote at the beginning of the OP - I was getting ready to use Mikrotik as a client in a network not managed by myself which requires that clients authenticate themselves using certificates, and I wanted to make sure everything would run smoothly on site.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP?

Sat Mar 27, 2021 8:18 pm

In my particular case, it's what I wrote at the beginning of the OP - I was getting ready to use Mikrotik as a client in a network not managed by myself which requires that clients authenticate themselves using certificates, and I wanted to make sure everything would run smoothly on site.
Thanks for the explanation. The part that I find hard to fathom is using the MikroTik as a client. I normally think of people as clients who need authenticating.
Different twist to connect devices in such a manner, as normally they are on your LAN and thus secure, and then some using VLANs etc.
In this case any AP could be out there and thus you are making sure that only your AP can do whatever it is that is required (to gain access to the network).
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP?

Sun Jul 16, 2023 12:22 am

Maybe I have to test again. ... viewtopic.php?t=191120#p996981

The ROS AP security profile is on TLS-mode "dont verify certificate" and the ROS client security profile is on TLS-mode "no certificates"; they did not connect, but maybe this is not a correct match, as @Sindy says they should be identical settings.
TLS-certificate is "none" on both sides.

It's a remote installation and in use, and now runs a link on a separate WLAN interface with WPA2/PSK. Don't want to disturb those users right now. :(
