Hi,

I'm new to Mikrotik and RouterOS but not new to routers and wireless networking. I'm using an RB411 with a R52 wifi mini-pci card. I'd like to know whether this combo coupled with RouterOS (v4.13 or v5.0rc3) can connect as a client wirelessly using WPA2 Enterprise using PEAP and MS-CHAPv2 (identity and password, not certificates). I need this to connect to "eduroam" networks, some of you may know of them.

I have briefly looked through the options in winbox on a routerboard in our lab. I really liked the plethora of configuration options and I'm considering buying a routerboard for myself but being able to use it as a client in WPA2-EAP + PEAP + MS-CHAPv2 is critical for me.

Could a kind soul tell me if it's possible and maybe guide me through setting it up on the RouterOS/winbox?

Thanks in advance

p.s. I've done it many times until now on laptops and other routers running OpenWRT (using wpa_supplicant).

Sorry mate, but it´s on the todo list.

A couple of us already had asked for that feature.

I believe that it will support it, but there's no time-line, so we will have to wait.

Best regards,

Wow ... and when I saw the looks of that winbox interface I thought that there is nothing that this thing cannot do! I was still hoping I missed something or that winbox does not show controls for all features.

Such a shame. This is needed for eduroam networks (http://www.eduroam.org), which are already popular throughout Europe and (almost) all of them use WPA2-EAP with PEAP. Most universities/research institutions have eduroam APs throughout the respective city. I got this RB411 especially for this purpose ...

Nevertheless, minutes ago I just finished compiling and flashing the RB411 with the latest OpenWRT trunk. I then got it working on the nearby eduroam network in less than 2 minutes with wpa_supplicant.

Since RouterOS is built on linux, wpa_supplicant could easily be incorporated without much effort and then we could use the RB in client mode with any auth and encryption type. Please?!?

I actually feel bad for scraping off RouterOS entirely as I loved the plethora of features and the winbox interface ... but in my situation it was all useless without WPA2-EAP + PEAP.

Cheers,

Well, it it possible to use PEAP in the Passtrough mode. The AP will then passtrough eap packets in radius to a radius server, such as freeradius or NPS.
PEAP isn't supported nativly...

But I need to use the mikrotik as a wifi client which is required to use WEP2-EAP with PEAP/MSCHAPv2 ... it's such a pity this is not supported. Why is that?

We are forced to use the CPE UBNT Nanostation because they support the protocol EAP-PEAP-MSCHAPv2

We are forced to use the CPE UBNT Nanostation because they support the protocol EAP-PEAP-MSCHAPv2

Funny you should mention that ... I bought some Ubiquiti devices for the exact same reason.

Well, why don't you switch your authentication mode to eap-tls? Only protecting your wireless network with EAP-TLS or WPA2/CCMP(strong passwords) will make you sleep well. Everyone with a laptop and a wifi card is able to mitm a peap connection to get the informatin aout of the inner tunnel.

So, it is better to switch the AP Mode of the Access Point performing authentication. Buying equipment for less secure operation from my pov is a bad workaround.

Greetz, kokel

it's already supported..

it's already supported..

Really? How you do that?

it's already supported..

Really? How you do that?

Fabio probably means if you set it up as a non-client -
I've been asking the same question, and it was raised in feature requests years ago - don't expect it to be supported anytime soon I guess

There is some way to connect as client at this kind of wireless networks???

Thank you!!

Any new information about this problem? Has this feature been implemented yet or is planned?
Thanks in advance.

It is now working in release 6.39!

It is now working in release 6.39!

Could you please enlighten me about that? I need to configure an AP of the cAP series in client mode connected to a network with WPA2 Enterprise. I just updated the operating system to 6.40.5 version.

I am also interested. Tried to connect mikrotik to eduroam but it always ended up with network disconnected because 802.1x was not authenticated.

From my mikrotik test unit I can connect to my SSIDs protected with WPA2 PSK no problem.
I can connect from my laptop to my PEAP protected SSID with no problems, however, I can't connection from my mikrotik. I've went through all my settings on the NPS server and AP and tried a number of other settings that didn't make sense for connecting this mikrotik as a PEAP client but its a no go.

I'm looking through RADIUS logs and the Windows PC client is passing the credentials on for authentication in the logs. The mikrotik is not sending a username from what I can see, however, the mikrotik log says authentication failed.

Update: Digging through the logs it looks like Mikrotik is providing the "Supplicant Identity" on the general tab of the Security Profile as the EAP authentication username. So I decided to put the userman into that field and it works. Its using the Supplicant Identity as the username and the EAP MSCHAPv2 password as the password.

No, the "Supplicant Identity" field is used for what is usually called "anonymous identity" in WPA2-EAP.
The "MSCHAPv2 Username" field is used for the username.

When you are not concerned with keeping the username secret and/or have no control over the configuration of the remote end, you can put the same thing in both of these fields.

Hi, i have the same problem but with normal TLS security not with MSCHAPv2. As you can see here i have also problem with that mikrotik not provide identity. What can be wrong?

Provide link of my post where is all info and images: viewtopic.php?p=1059141&hilit=wpa2+enterprise#p1059141