jakubm
just joined
Topic Author
Posts: 3
Joined: Mon Nov 14, 2022 2:23 pm

User manager + EAP authentication.

Mon Nov 14, 2022 2:42 pm

Hi all,

I've followed https://help.mikrotik.com/docs/display/ ... Manager+v5 to enable EAP user/password authentication on my network, but my use case is simpler - I only have one AP, but I can't seem to get it working.
Any hints as to what could be wrong are welcome - I've given up after spending a good few hours on this. Here's my setup:
AP IP: 192.168.88.254/24
EAP auth enabled on 2nd wifi interface.

Certificates:
[admin@MikroTik] > /certificate/ print
Flags: K - PRIVATE-KEY; L - CRL; A - AUTHORITY; I, R - REVOKED; T - TRUSTED
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME, FINGERPRINT
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 KLA T radius-ca RADIUS CA 0ed4ae7d5b6ec25b1ba6d07191f9f6516682e5f0f666cb7b0ddf6ccdf994b36a
1 K I userman-cert admin.test.localdomain DNS:admin.test.localdomai c81b5e227bfeea39691c411b36f4e7954a3c810c024694ec9d7f50f85f3b493d
[admin@MikroTik] > /certificate/settings/ print
crl-download: yes
crl-use: yes
crl-store: ram
[admin@MikroTik] /user-manager>
User manager:
[admin@MikroTik] /user-manager> print
enabled: yes
authentication-port: 1812
accounting-port: 1813
certificate: userman-cert
use-profiles: yes
[admin@MikroTik] /user-manager>
[admin@MikroTik] /user-manager> router/ print
Flags: X - disabled
0 name="ap1" shared-secret="asdf1234" address=192.168.88.254 coa-port=3799
[admin@MikroTik] /user-manager>
[admin@MikroTik] /user-manager> user group print
Flags: * - default
0 * name="default" default-name="default" outer-auths=eap-tls,eap-peap inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 attributes=""
1 * name="default-anonymous" default-name="default-anonymous" outer-auths=eap-ttls,eap-peap inner-auths="" attributes=""
2 name="wifi" outer-auths=mschap1,eap-peap inner-auths=peap-mschap2 attributes=""
3 name="certificate-authenticated" outer-auths=eap-tls inner-auths="" attributes=""
[admin@MikroTik] /user-manager>
[admin@MikroTik] /user-manager> user print
Flags: X - disabled
0 name="test" password="test" otp-secret="" group=default shared-users=1 attributes=""
[admin@MikroTik] /user-manager>
RADIUS:
[admin@MikroTik] /radius> print
Columns: SERVICE, ADDRESS, SECRET
# SERVICE ADDRESS SECRET
0 wireless 192.168.88.254 asdf1234
[admin@MikroTik] /radius>
[admin@MikroTik] /radius> /interface/wireless/security-profiles/ print
Flags: * - default
(...)
3 name="radius" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="MikroTik" eap-methods=passthrough
tls-mode=dont-verify-certificate tls-certificate=radius-ca mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2=""
static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""
[admin@MikroTik] /radius>

[admin@MikroTik] /radius> /interface/wireless/ print
Flags: X - disabled; R - running
0 name="wlan1" mtu=1500 l2mtu=1600 mac-address=48:8F:5A:A9:7A:93 arp=enabled interface-type=QCA9984 mode=ap-bridge ssid="mkt" frequency=auto band=5ghz-onlyac channel-width=20/40/80mhz-XXXX secondary-frequency=auto scan-list=default
wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no

1 R name="wlan2" mtu=1500 l2mtu=1600 mac-address=48:8F:5A:80:B0:2E arp=enabled interface-type=Atheros AR9300 mode=ap-bridge ssid="mkt" frequency=auto band=2ghz-b/g/n channel-width=20/40mhz-XX secondary-frequency="" scan-list=default
wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no

2 name="wlan3" mtu=1500 l2mtu=1600 mac-address=4A:8F:5A:A9:7A:93 arp=enabled interface-type=virtual master-interface=wlan1 mode=ap-bridge ssid="TEST EAP" vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=radius

3 name="wlan4" mtu=1500 l2mtu=1600 mac-address=4A:8F:5A:80:B0:2E arp=enabled interface-type=virtual master-interface=wlan2 mode=ap-bridge ssid="TEST EAP" vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=radius
[admin@MikroTik] /radius>
Thanks in advance,
J
