hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

EAP PEAP-MSCHAPv2 as station with v7

Thu Nov 24, 2022 4:56 pm

We need to connect MikroTik as a client (station) to a WPA2-Enterprise secured wifi network using PEAP-MSCHAPv2. With ROS 6.49.7, everything works fine with this security-profile config.
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=peap management-protection=allowed mode=dynamic-keys mschapv2-password=_SECRET_ mschapv2-username=_USERNAME_ name=wifi_client supplicant-identity=_USERNAME_ tls-mode=dont-verify-certificate
When trying the same with v7, it silently fails. The only trace is this message in the log: "XX:XX:XX:XX:XX:XX@wlan2: lost connection, 802.1x authentication timeout". I tried to tweak all possible settings in /interface/wireless with no success. I also opened SUP-98029 with MikroTik but so far there is no reaction.

Anybody hit the same issue?
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Tue Jan 24, 2023 3:13 pm

Nobody needs PEAP-MSCHAPv2? Searching the forum's history, I see it had been a long-awaited feature, so having a bug in ROS v7 should hit somebody ...

If anybody from MikroTik reads this ... your support sucks! I opened SUP-98029 trying to follow all guidelines (providing all information, supout files for working and broken scenario etc.). There is no answer for more than 2 months. I completely understand that this is not paid support with an SLA, but still, ignoring the request completely is not very kind. Any answer would be better than this, even a "won't fix" one.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Wed Jan 25, 2023 12:09 am

Works fine in ROS6 indeed.

Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Wed Jan 25, 2023 10:04 pm

No extra log with topics=radius on station. I even tried topics=debug. The above-mentioned message "lost connection, 802.1x authentication timeout" is the only trace I'm able to get. There is also no interesting log when using ROS6 (which works fine).

I do not control the AP side - we need to connect MikroTik as station to a network operated by another company. But I was able to test against several networks built on different platforms with the same result (ROS6 works, ROS7 fails), so I doubt it would be an AP/controller issue. I could build a MikroTik-based AP with EAP in a lab to get AP-side logs. But since MikroTik support keeps ignoring my rigorous bug report, this looks like a waste of time ...
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Thu Jan 26, 2023 8:46 pm

Well might be hard to debug or diagnose without the full AP side access and control.

If RADIUS works, it's great. Issues with TLS versions for me are not very easy to diagnose/correct.
With FreeRADIUS (open source code) at least there is a lot of information and debug mode.

ROS6-ROS7 might have different TLS version handling. And then the supported TLS versions in the AP matter.
Maybe @sindy can help here. See: viewtopic.php?t=173848 .
See also https://github.com/multiduplikator/mikrotik_EAP . I know it's more about the server side.
And https://freeradius-users.freeradius.nar ... on-too-low
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Fri Jan 27, 2023 10:42 am

Thanks, bpwl, for the links and ideas!

OK, I'll try to prepare a lab environment with MikroTik station and MikroTik AP, sniff the air to check TLS versions and get back then.
 
m4rk3J
just joined
Posts: 18
Joined: Thu Jan 27, 2022 2:41 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Sat Jan 28, 2023 10:26 pm

I ran into the same problem when connecting RouterOS v7 CPE as station to v7 cAP ac controlled by CAPsMAN...
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Tue Apr 18, 2023 3:14 pm

> Works fine in ROS6 indeed.
>
> Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?

Have to correct this. Does not always work fine in ROS6.
My combination with a Draytek main router, used for RADIUS authentication, works fine with all known systems ... tablet, smartphone, PC, watch, ... iOS, Windows, Linux, Android.
But it fails with Mikrotik router as client on ROS 6.45.6 (a good one) and even with ROS 6.49.7, the latest ROS6.
That Mikrotik router works fine on the Enterprise login from all my ISP providers with the PEAP client setup. (https://wiki.mikrotik.com/wiki/Manual:W ... FreeRADIUS)

What I diagnosed in the Draytek is that it requires the "Supplicant Identity" in the Mikrotik client to match a registered user, which is not a usual requirement. This is to avoid "RADIUS SRV: User-Name not found from user database" in the Draytek. But it still fails to get an "accept" from the Draytek Radius.

Why Draytek, and not Mikrotik ROS7 User-manager V5 ? A license limit that is way too strict in ROS7: 20 or 50 sessions, or License level 6 is needed.
Different sequence of methods negotiated between Radius server and client. ???

PS : further tests: Did the test with ROS 7.8 User Manager v5 as RADIUS server .... Error in the LOG file is: "EAP auth stopped for <""> reason: timeout + ssl: no common ciphers"
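
The TLS-version check proposed earlier in the thread and the "no common ciphers" error above can both be examined from the station's first PEAP response. The following is an added example (not from any poster and not MikroTik code) that parses that packet and lists the TLS versions and cipher suites the client offers. The function names, the sample packets and the server suite sets are constructed assumptions; the EAPOL header is assumed already stripped and the ClientHello unfragmented.

```python
import struct
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_peap_client_hello(eap: bytes) -> dict:
    """Parse one EAP-Response/PEAP packet (EAPOL header already stripped)."""
    code, _id, _len, eap_type, flags = struct.unpack_from("!BBHBB", eap, 0)
    if code != 2 or eap_type != 25:
        raise ValueError("not an EAP-Response of type PEAP (25)")
    if flags & 0x40:
        raise ValueError("M bit set: reassemble the EAP fragments first")
    pos = 6 + (4 if flags & 0x80 else 0)       # L bit: 4-byte TLS length field
    rec_type, _rec_ver, rec_len = struct.unpack_from("!BHH", eap, pos)
    hs = eap[pos + 5 : pos + 5 + rec_len]
    if rec_type != 22 or len(hs) < 39 or hs[0] != 1:
        raise ValueError("TLS record does not carry a ClientHello")
    versions = [struct.unpack_from("!H", hs, 4)[0]]   # legacy client_version
    p = 4 + 2 + 32                             # handshake header, version, random
    p += 1 + hs[p]                             # skip session_id
    n = struct.unpack_from("!H", hs, p)[0]
    suites = list(struct.unpack_from(f"!{n // 2}H", hs, p + 2))
    p += 2 + n
    p += 1 + hs[p]                             # skip compression methods
    if p + 2 <= len(hs):                       # extensions block present
        end = p + 2 + struct.unpack_from("!H", hs, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, p)
            if ext_type == 43:                 # supported_versions overrides legacy
                k = hs[p + 4]
                versions = list(struct.unpack_from(f"!{k // 2}H", hs, p + 5))
            p += 4 + ext_len
    return {"versions": [TLS_NAMES.get(v, hex(v)) for v in versions],
            "cipher_suites": suites}

def common_suites(offered, server_enabled):
    """An empty result corresponds to a 'no common ciphers' handshake failure."""
    return [s for s in offered if s in server_enabled]

def build_sample(suites, versions=()):
    """Constructed EAP-Response/PEAP ClientHello for testing (not a capture)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    if versions:
        v = struct.pack(f"!B{len(versions)}H", 2 * len(versions), *versions)
        body += struct.pack("!HHH", 4 + len(v), 43, len(v)) + v
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
    hdr = struct.pack("!BBHBB", 2, 1, 10 + len(rec), 25, 0x80)
    return hdr + struct.pack("!I", len(rec)) + rec
```

Feed it the EAP payload of the first station-to-AP frame after the PEAP Start, exported from a capture of the working ROS6 station and of the failing ROS7 station, and compare the two results against what the RADIUS server has enabled.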
 
slavik
just joined
Posts: 6
Joined: Fri Feb 12, 2016 8:00 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Sat Jan 13, 2024 9:34 am

7.13, same error: lost connection, 802.1x authentication timeout
