algimka
just joined
Topic Author
Posts: 18
Joined: Tue Apr 16, 2013 8:49 am
Location: Lithuania

Wireless how-to?

Thu May 02, 2013 2:50 pm

I want to achieve on my RB2011 v5.25

1. two wireless APs: one for employees (to access the LAN), a second for guests (this is easy)
2. employee, connected wireless, must enter user-name & password for authentication on RADIUS server (user-manager on same MT for start, external Windows Radius server (AD authentication) in near future) to access LAN resources
3. web page to enter user-name & password, must be accessed via https rather than http....
4. router administration (user manager also) must be not accessible via wireless...
5. Which way is better for wifi users to access the LAN: bridge LAN and wireless on the same IP subnet, or a different IP subnet & masquerading?

Is this a realistic goal?

Thanks. :?
 
joshaven
Member
Posts: 438
Joined: Fri May 06, 2011 1:50 am
Location: USA

Re: Wireless how-to?

Fri May 03, 2013 5:44 am

I think you want two subnets, no NAT. You also want hotspot.
 
algimka
just joined
Topic Author
Posts: 18
Joined: Tue Apr 16, 2013 8:49 am
Location: Lithuania

Re: Wireless how-to?

Fri May 03, 2013 2:45 pm

Starting from Wireless config:
SSID, Mode=ap-bridge - that's clear... or is it wrong?
Do I need "Default authentication", "default forward" in this case?

And security-profile:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap mode=dynamic-keys
Do I need more customization here? Or is it wrong?
Do I need here RADIUS config?

Next will be Hotspot....
 
joshaven
Member
Posts: 438
Joined: Fri May 06, 2011 1:50 am
Location: USA

Re: Wireless how-to?

Fri May 03, 2013 8:47 pm

AP Bridge is good.
Yes, leave Default Authenticate and Default Forward enabled, which is the default.
You can edit the default security profile and set the mode to dynamic keys... check the WPA PSK & WPA2 PSK boxes and set the shared keys for both. Use AES unless you must use TKIP.

Only use EAP if you intend to do radius connections to authenticate the stations. Your stations will need to support WPA EAP.

I have never found a need for EAP connections. Although I think you may be able to use them to send RADIUS parameters to the station... if you wanted to.
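The two security-profile setups described in this reply (PSK as recommended, or WPA2-EAP against RADIUS as the original poster wants), written out as RouterOS CLI. This is an added example, not configuration posted in the thread or taken from MikroTik's documentation; the profile names, the placeholder pre-shared key and the interface name wlan1 are assumptions, and the RADIUS entry reuses the loopback user-manager address and secret that appear later in the thread.

```routeros
# Added example, not posted in the thread. Assumes the employee AP is wlan1;
# profile names and the pre-shared key are placeholders to be replaced.

# Option 1 (as recommended in the reply): WPA/WPA2 with a pre-shared key, AES only.
# TKIP is deliberately left out of the cipher lists.
/interface wireless security-profiles
add name=employee-psk mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key="CHANGE-ME-long-random-passphrase" \
    wpa2-pre-shared-key="CHANGE-ME-long-random-passphrase"

# Option 2 (what the original poster asked for): WPA2-Enterprise. The AP passes
# EAP through to the RADIUS server, so stations must support WPA2-EAP and a
# RADIUS entry with service=wireless must exist; no key is stored on the AP.
add name=employee-eap mode=dynamic-keys \
    authentication-types=wpa2-eap eap-methods=passthrough \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm

/radius
add address=127.0.0.1 secret=RADIUSsecret service=wireless comment="local user-manager"

# Bind one profile to the employee AP; switch between the two by changing this line.
/interface wireless
set wlan1 security-profile=employee-eap

# Check which profile is active and whether any station has registered through it.
/interface wireless print detail where name=wlan1
/interface wireless registration-table print
```

With the EAP profile the password check happens on the RADIUS server, so a failed login shows up in the RADIUS/user-manager log rather than on the AP; with the PSK profile the only secret is the passphrase on the AP, which is why the reply suggests it for a simple setup.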
 
algimka
just joined
Topic Author
Posts: 18
Joined: Tue Apr 16, 2013 8:49 am
Location: Lithuania

Re: Wireless how-to?

Mon May 06, 2013 10:59 am

Wireless seems to be configured - now I can connect to wifi_ap & receive IP from DHCP...
WiFi_AP is reachable by pinging IP address

But nothing else... no internet, no lan, no login-windows....

I have set up the Hotspot by following the wizard.

/ip hotspot profile
add dns-name=hotspot.local hotspot-address=192.168.100.1 name=hsprof1 use-radius=yes

/ip hotspot
add address-pool=wlan_pool disabled=no interface=wlan1 name=hotspot1 profile=hsprof1

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m transparent-proxy=yes

/ip hotspot service-port
set ftp disabled=yes

/ip hotspot user
add name=admin password=password

/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes

/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=192.168.100.1 server=hotspot1

I have set up RADIUS

/radius
add address=127.0.0.1 secret=RADIUSsecret service=hotspot,wireless

I have set up User-manager

/tool user-manager router
add coa-port=1700 customer=MikroTik disabled=no ip-address=127.0.0.1 log=auth-fail name=router1 shared-secret=RADIUSsecret use-coa=no

/tool user-manager customer
add backup-allowed=yes disabled=no login=MikroTik password=password paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner \
signup-allowed=no time-zone=-00:00

/tool user-manager user
add customer=MikroTik disabled=no name=username password=userpwd shared-users=1 wireless-enc-algo=aes-ccm wireless-enc-key="" wireless-psk=""

what is wrong here? Or what is missing?
 
joshaven
Member
Posts: 438
Joined: Fri May 06, 2011 1:50 am
Location: USA

Re: Wireless how-to?

Mon May 06, 2013 2:38 pm

Are you masquerading all traffic going out of the router to the Internet? Check ip firewall NAT.
 
algimka
just joined
Topic Author
Posts: 18
Joined: Tue Apr 16, 2013 8:49 am
Location: Lithuania

Re: Wireless how-to?

Mon May 06, 2013 4:08 pm

Of course....
Masquerading is working for the LAN interface...
This is my rule:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan to-addresses=0.0.0.0/0

The hotspot setup has also added its own entry to the srcnat chain:
add chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.100.0/24

Is "to-addresses=0.0.0.0" OK here, but not "to-addresses=0.0.0.0/0"?

All firewall chains (input, output, forward) are also set to log everything before dropping, but no log entries are found...
 
joshaven
Member
Posts: 438
Joined: Fri May 06, 2011 1:50 am
Location: USA

Re: Wireless how-to?

Mon May 06, 2013 4:34 pm

Don't specify the to-address. You don't want to masquerade as 0.0.0.0 you want to masquerade as your public address. By default it will masquerade as the address that is associated to the default route that it is following when leaving the router (your public).
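The srcnat rules as the poster showed them, next to the form this reply recommends. This is an added example, not configuration posted in the thread; it assumes the WAN interface is really named "wan" and the hotspot subnet is 192.168.100.0/24, as in the poster's export, and the out-interface restriction on the hotspot rule follows the "two subnets, no NAT" advice earlier in the thread.

```routeros
# Added example, not posted in the thread. Assumes the WAN interface is "wan"
# and the hotspot subnet is 192.168.100.0/24, as in the poster's export.

# As posted: to-addresses given explicitly. The reply says not to do this.
# /ip firewall nat
# add action=masquerade chain=srcnat out-interface=wan to-addresses=0.0.0.0/0

# Recommended form: no to-addresses. Masquerade then translates to the address
# of the interface the packet leaves on, i.e. the public address on "wan".
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan \
    comment="NAT all traffic leaving via wan"

# Rule added by the hotspot wizard, same treatment: drop to-addresses. Matching on
# out-interface=wan as well keeps hotspot-to-LAN traffic un-NATed, which is what
# "two subnets, no NAT" between them means in practice.
add action=masquerade chain=srcnat src-address=192.168.100.0/24 out-interface=wan \
    comment="hotspot subnet to Internet"

# Verify: no to-addresses shown on either rule, and the counters move while a
# hotspot client tries to reach the Internet.
/ip firewall nat print stats
```

If the counters on the masquerade rules stay at zero while a hotspot client is testing, the packets are not reaching srcnat at all, which points at the hotspot or firewall filter rules rather than NAT.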
 
algimka
just joined
Topic Author
Posts: 18
Joined: Tue Apr 16, 2013 8:49 am
Location: Lithuania

Re: Wireless how-to?

Tue May 07, 2013 7:24 am

I have removed to-addresses=0.0.0.0 from ALL nat rules, but nothing new....

When pinging the DNS server I receive "destination net is unreachable" from the AP...
And no firewall log entries are written....

I have temporarily disabled the RADIUS and hotspot entries - in that case I have internet via wlan.

I think the problem is in the hotspot or RADIUS config...
Any ideas?
