aoakeley
Member Candidate
Topic Author
Posts: 170
Joined: Mon May 21, 2012 11:45 am

EAP-TLS

Sun Nov 28, 2021 2:33 pm

Hi,

Is anyone else having issues with EAP-TLS in v7?

I have stripped it right back to basics just using certificates generated on the router and no RADIUS.

Works fine in 6.49.1.
Upgrade to 7.1rc7 and clients can't authenticate.
Downgrade back to 6.49.1 and clients can authenticate again.

I have tried factory defaulting the device in v7 and re-creating the certificates and re-setting up on the client device. Same issue.
I have tried with an ARM and a MIPS device.
I think I have covered all my bases.

Ticket logged with support (SUP-67209) but just thought I would post here in case there was something stupid I am missing.

Ta

Andy
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: EAP-TLS

Wed Dec 22, 2021 11:28 am

Well, what we are missing here is your configuration export (of the relevant sections: wireless, radius).
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: EAP-TLS

Wed Dec 22, 2021 11:44 am

In addition to having the /export output, I'd like to know what these "clients" are exactly and the general form of your certificate creation commands. Anything dealing with certificates and encryption brings in the possibility of ciphersuite incompatibilities. If you're trying to authenticate ancient Windows XP clients, for instance, I'd expect the problem is that RouterOS v7 no longer supports the algorithms the clients require, every single one of them being considered insecure these days.
 
aoakeley
Member Candidate
Topic Author
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: EAP-TLS

Wed Dec 22, 2021 3:50 pm

Clients are Windows 10 workstations.
I have stripped out RADIUS so authentication is certificate-only "on box".

Full export of the unit:

[admin@Mikrotik] > /export
# dec/22/2021 21:38:54 by RouterOS 7.1
# software id = 3QK9-P1KA
#
# model = 951G-2HnD
# serial number = 6430051F32B2
/interface bridge
add name=bridge1
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap eap-methods=eap-tls management-protection=allowed mode=dynamic-keys name=Garth2-Server supplicant-identity="" tls-certificate=Garth2Server tls-mode=verify-certificate
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=australia disabled=no frequency=auto mode=ap-bridge security-profile=Garth2-Server ssid=Garth224 wps-mode=disabled
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Perth
/system identity
set name=TV-Switch
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system package update
set channel=testing

Certificates were all generated "on box" and exported as per below:

## Create CA (Certificate Authority) Certificate:
/certificate add name=Garth2-ca-template common-name=Garth2-ca country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,key-cert-sign,crl-sign;

/certificate sign Garth2-ca-template name=Garth2-ca ca-crl-host="192.168.123.1"

/certificate export-certificate Garth2-ca export-passphrase="12345678"
/certificate export-certificate Garth2-ca export-passphrase="12345678" type=pkcs12

## Create SERVER Certificate
/certificate add name=Garth2-Server-template common-name="Garth2Server" country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-server,tls-client;

/certificate sign Garth2-Server-template ca=Garth2-ca name=Garth2Server

/certificate set Garth2Server trusted=yes

/certificate export-certificate Garth2Server export-passphrase="12345678"
/certificate export-certificate Garth2Server export-passphrase="12345678" type=pkcs12

## Create CLIENT Certificates

/certificate add name=Garth2Client-template common-name=Garth2Client country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-client;
/certificate sign Garth2Client-template ca=Garth2-ca name=Garth2Client

/certificate set Garth2Client trusted=yes

/certificate export-certificate Garth2Client export-passphrase="12345678"
/certificate export-certificate Garth2Client export-passphrase="12345678" type=pkcs12

Then imported into an EAP-TLS profile on the workstation.

I can send you screenshots of this if you really want.
- But roll back the unit to 6.49 and the Windows 10 machine can connect.
- Roll forward to ROS7 and it can't.
- Does not matter if I generate the certificates on box or somewhere else, or if I generate them in v6 or v7: same result.
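A small audit of the template commands above, as an added example that is not from the thread or from MikroTik: it parses each `/certificate add` line and checks that the CA, server and client templates carry the key usages an EAP-TLS deployment needs (the per-role minimums in REQUIRED and the 2048-bit key floor are assumptions; the weak template is constructed to show what a finding looks like).

```python
"""Audit RouterOS /certificate templates for the usages EAP-TLS needs.
Added example (not from the thread or MikroTik); standard library only."""
import shlex

# Assumed minimum RouterOS key-usage values per role: the CA signs certificates,
# the AP cert needs tls-server (Windows supplicants require the serverAuth EKU),
# the workstation cert needs tls-client.
REQUIRED = {
    "ca": {"key-cert-sign"},
    "server": {"digital-signature", "tls-server"},
    "client": {"digital-signature", "tls-client"},
}

# Template commands copied from the post above.
CA_TEMPLATE = ('/certificate add name=Garth2-ca-template common-name=Garth2-ca country=AU '
               'days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA '
               'trusted=yes unit="Technical Services" key-usage=digital-signature,key-cert-sign,crl-sign;')
SERVER_TEMPLATE = ('/certificate add name=Garth2-Server-template common-name="Garth2Server" '
                   'country=AU days-valid=3650 key-size=2048 locality="Perth" organization="ORG" '
                   'state=WA trusted=yes unit="Technical Services" key-usage=digital-signature,'
                   'data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-server,tls-client;')
CLIENT_TEMPLATE = ('/certificate add name=Garth2Client-template common-name=Garth2Client country=AU '
                   'days-valid=3650 key-size=2048 locality="Perth" organization="ORG" state=WA '
                   'trusted=yes unit="Technical Services" key-usage=digital-signature,'
                   'data-encipherment,key-agreement,ipsec-tunnel,ipsec-end-system,tls-client;')
# Constructed counter-example: a server template a Windows 10 supplicant would reject.
WEAK_SERVER = '/certificate add name=weak-template common-name=weak key-size=1024 key-usage=digital-signature,tls-client;'


def parse_add(line):
    """Return {parameter: value} for one `/certificate add ...` command."""
    line = line.strip().rstrip(";")
    prefix = "/certificate add"
    if not line.startswith(prefix):
        raise ValueError("not a /certificate add command")
    params = {}
    # shlex keeps quoted values such as unit="Technical Services" as one token.
    for token in shlex.split(line[len(prefix):]):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def audit_template(line, role):
    """List what a template lacks for role 'ca', 'server' or 'client'; [] means OK."""
    params = parse_add(line)
    present = set(filter(None, params.get("key-usage", "").split(",")))
    findings = [f"missing key-usage {u}" for u in sorted(REQUIRED[role] - present)]
    if int(params.get("key-size", "0")) < 2048:
        findings.append("key-size below 2048")
    return findings
```

Running the three posted templates through `audit_template` returns no findings, which is consistent with the outcome of the thread: the templates were fine and the failure was on the RouterOS side.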
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: EAP-TLS

Wed Dec 22, 2021 4:20 pm

In my setup I have eap-methods=eap-tls,passthrough but this is with RADIUS and a freeradius server. It works on v6 but I have not yet tested it on v7.
 
aoakeley
Member Candidate
Topic Author
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: EAP-TLS

Wed Dec 22, 2021 4:48 pm

In my setup I have eap-methods=eap-tls,passthrough but this is with RADIUS and a freeradius server. It works on v6 but I have not yet tested it on v7.
So not the same config, or using ROSv7, but thanks for trying to help.
 
aoakeley
Member Candidate
Topic Author
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: EAP-TLS  [SOLVED]

Thu Apr 21, 2022 7:34 am
Is anyone else having issues with EAP-TLS in v7?

Ticket logged with support (SUP-67209) but just thought I would post here in case there was something stupid I am missing.
Just to close out this thread. The fix for this is in 7.3beta33.
