gallp1
just joined
Topic Author
Posts: 16
Joined: Thu Mar 11, 2021 9:12 am

WPA2 EAP-TLS + userman only. Is it possible ?

Sat Apr 03, 2021 9:39 pm

Hello
I've been banging my head against this for a couple of hours.
Is there a way to connect a Windows 10 client to a MikroTik router with a WPA2 EAP profile, using a MikroTik-issued client certificate with EAP-TLS and only the userman RADIUS installed?
So far I was only able to connect a Windows 10 Wi-Fi client based on a WPA2-PSK userman MAC-filtering user profile. Is it possible at all?
This topic in the manual is somewhat lacking in clarity; besides, it uses a 3rd-party RADIUS server:
https://wiki.mikrotik.com/wiki/Manual:W ... FreeRADIUS
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: WPA2 EAP-TLS + userman only. Is it possible ?

Mon Apr 05, 2021 1:30 pm

  • for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all
  • for a client authenticating itself using a username/password tuple rather than a certificate, you either need an external RADIUS server or you must run RouterOS 7 (I don't know the state of the art there, there's a dedicated topic here on the forum)
For the certificate authentication, bear in mind that the client certificate is only checked for being signed by a CA trusted by the AP and for not being revoked, so depending on your intention, you may need to have the CRL working for the signing CA, or you may have to sign each client certificate by a dedicated CA, so that you could invalidate a client certificate by removing its signing CA certificate from the AP's certificate store.

The required settings in /interface wireless security-profile, or in /caps-man security, are as follows:

authentication-types=wpa2-eap eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=the-certificate-of-the-AP

The certificate of the CA signing the AP's certificate must be known to the client. And on Windows 10, the client certificate must be stored among user ones, not machine ones.
 
gallp1
just joined
Topic Author
Posts: 16
Joined: Thu Mar 11, 2021 9:12 am

Re: WPA2 EAP-TLS + userman only. Is it possible ?

Tue Apr 06, 2021 1:31 pm

  • for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all
The required settings in /interface wireless security-profile, or in /caps-man security, are as follows:

authentication-types=wpa2-eap eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=the-certificate-of-the-AP

The certificate of the CA signing the AP's certificate must be known to the client. And on Windows 10, the client certificate must be stored among user ones, not machine ones.
I already tried that.

This is the security policy:

Flags: * - default
0 name="CertifiedAccess" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="" eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=wifi_server mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""

These are the certificates I have on my router:

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 K A T name="LocalCA" digest-algorithm=sha256 key-type=rsa common-name="LocalCA" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign

2 K I T name="wifi_client" digest-algorithm=sha256 key-type=rsa common-name="wifi_client" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=tls-client ca=LocalCA

3 K I T name="wifi_server" digest-algorithm=sha256 key-type=rsa common-name="wifi_server" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=digital-signature,data-encipherment,key-agreement,tls-server,tls-client ca=LocalCA

I imported the certificates to a Windows 10 Home laptop:

LocalCA.crt to Trusted Root Certification Authorities
wifi_client.crt - I have no idea where to put this; if I use automatic placement during import, it ends up in the Other People category in certmgr. I've tried a couple of places and finally gave up due to not getting results.

So basically I followed with the connection creation like this:
wpa2ent1.JPG
wpa2ent2.JPG
wpa2ent3.JPG
At this point I was expecting a similar window during connection selection:
wpa2ent4.JPG
but instead I get a message that I can't connect because this connection requires a certificate.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: WPA2 EAP-TLS + userman only. Is it possible ?

Tue Apr 06, 2021 2:02 pm

When exporting the certificate generated for the client, have you specified any export-passphrase value? If you don't specify any, the private key to the certificate is not exported at all, and therefore the client cannot use the certificate to authenticate itself.

The fact that you cannot choose the certificate in the drop-down menu on your last screenshot indicates that Windows deems it unusable for the purpose for some reason (or cannot find it at the right place, which may be a consequence of the former).

If you export it as type=pkcs12 and specify the export-passphrase, you get a single file containing the certificate itself, its private key, and the certificates of the CAs all the way to the root one. On Windows, you then import it using an automatic choice of store, and everything should land where necessary: the own certificate itself in Certificates - Current User -> Personal -> Certificates and the CA certificate in Certificates - Current User -> Trusted Root CAs -> Certificates. When you double-click the certificate there, you should see whether Windows likes it or not.

If you did all the above properly, the only thing that comes to my mind is that Windows has an issue with a missing Subject Alternative Name field in the certificates, so you'd have to generate new ones and specify common-name=wifi-xyz.tv subject-alt-name=DNS:wifi-xyz.tv for them (to formally match the requirements on an FQDN, underscores must not be used and at least one dot must occur in the string; substitute xyz by client and server as needed).
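For reference, the complete RouterOS 6 command sequence that the two answers above describe (dedicated CA with the CRL/revocation caveat, AP certificate with a SAN, client certificate, PKCS#12 export with a passphrase, and the EAP-TLS security profile), as an added example that is not from the original thread or from MikroTik. The certificate names, the wifi-*.lan hostnames, the wlan1 interface and the passphrase are placeholders; substitute your own.

```routeros
# Added example (not from the thread): RouterOS 6 CLI, typed at a terminal.
# Certificate names, hostnames, interface and passphrase are placeholders.
/certificate
# 1. Self-signed CA that signs both the AP's and the client's certificate.
#    Invalidating a client later needs either a working CRL on this CA or,
#    as suggested earlier in the thread, one dedicated CA per client that
#    you remove from the AP's store.
add name=LocalCA common-name=LocalCA key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign LocalCA
set LocalCA trusted=yes

# 2. AP (server) certificate. A DNS SAN is included in case the supplicant
#    insists on one: no underscores, at least one dot in the name.
add name=wifi_server common-name=wifi-server.lan subject-alt-name=DNS:wifi-server.lan \
    key-size=2048 days-valid=365 key-usage=digital-signature,key-encipherment,tls-server
sign wifi_server ca=LocalCA
set wifi_server trusted=yes

# 3. Client certificate: tls-client only, so it cannot be reused to pose as the AP.
add name=wifi_client common-name=wifi-client.lan subject-alt-name=DNS:wifi-client.lan \
    key-size=2048 days-valid=365 key-usage=digital-signature,tls-client
sign wifi_client ca=LocalCA

# 4. Export. Without export-passphrase the private key is NOT written, and a
#    key-less certificate cannot be used by Windows to authenticate. type=pkcs12
#    bundles key, certificate and issuing CA into cert_export_wifi_client.p12
#    (in Files); import it on Windows with the automatic store choice.
export-certificate wifi_client type=pkcs12 export-passphrase=ChangeMe-Placeholder1
# CA certificate alone (no key) for the Trusted Root Certification Authorities store.
export-certificate LocalCA

# 5. Security profile: EAP-TLS is terminated on the AP itself, no RADIUS involved.
/interface wireless security-profiles
add name=CertifiedAccess mode=dynamic-keys authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls \
    tls-mode=verify-certificate tls-certificate=wifi_server
/interface wireless
set [ find default-name=wlan1 ] security-profile=CertifiedAccess
```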
 
gallp1
just joined
Topic Author
Posts: 16
Joined: Thu Mar 11, 2021 9:12 am

Re: WPA2 EAP-TLS + userman only. Is it possible ?

Tue Apr 06, 2021 3:18 pm

Praise to you, Sir!!!
It connected and is shown as WPA-Enterprise. The pkcs12 export did the trick. There was no need for the Subject Alternative Name configuration; it all worked on the already-created certificates.
There was no option to select a certificate, though it connected automatically.
So as I understand it, this particular network is now impervious to deauthorization attacks?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: WPA2 EAP-TLS + userman only. Is it possible ?

Tue Apr 06, 2021 3:40 pm

It depends on what exactly you mean by a deauthentication attack. If you have in mind that the attacker cannot trick your STA into associating with a forged AP with the same SSID and better signal by sending it a deauthentication frame, then yes, the STA will not authenticate a connection to an AP which does not present a certificate signed by a CA it trusts, so the attacker won't be able to sniff the plaintext traffic of the client at the forged AP. But the attacker can just keep deauthenticating the client, effectively preventing it from maintaining the connection for long enough to be useful.

Other than that, I'm not very happy about the performance of EAP-TLS with a Windows 10 client connected to a Mikrotik AP, as from time to time the connection is lost for long enough that the wireless interface goes down completely, so existing SSH connections break. This does not happen if I connect the very same Windows client to an SSID with wpa2-personal running on the very same set of cAPs, so I assume there's something in the speed of connection re-establishment that causes this issue.
