hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

EAP PEAP-MSCHAPv2 as station with v7

Thu Nov 24, 2022 4:56 pm

We need to connect MikroTik as a client (station) to a WPA2-Enterprise secured wifi network using PEAP-MSCHAPv2. With ROS 6.49.7, everything works fine with this security-profile config.
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=peap management-protection=allowed mode=dynamic-keys mschapv2-password=_SECRET_ mschapv2-username=_USERNAME_ name=wifi_client supplicant-identity=_USERNAME_ tls-mode=dont-verify-certificate
When trying the same with v7, it silently fails. The only trace is this message in the log: "XX:XX:XX:XX:XX:XX@wlan2: lost connection, 802.1x authentication timeout". I tried to tweak all possible settings in /interface/wireless with no success. I also opened SUP-98029 with MikroTik but so far there is no reaction.

Anybody hit the same issue?
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Tue Jan 24, 2023 3:13 pm

Nobody needs PEAP-MSCHAPv2? Searching the forum's history, I see it had been a long-awaited feature, so having a bug in ROS v7 should hit somebody ...

If anybody from MikroTik reads this ... your support sucks! I opened SUP-98029 trying to follow all guidelines (providing all information, supout files for working and broken scenario etc.). There is no answer for more than 2 months. I completely understand that this is no paid support with SLA, but still, ignoring the request completely is not very kind. Any answer would be better than this, even a "won't fix" one.
 
bpwl
Forum Guru
Posts: 2449
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Wed Jan 25, 2023 12:09 am

Works fine in ROS6 indeed.

Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Wed Jan 25, 2023 10:04 pm

No extra log with topics=radius on station. I even tried topics=debug. The above-mentioned message "lost connection, 802.1x authentication timeout" is the only trace I'm able to get. There is also no interesting log when using ROS6 (which works fine).

I do not control the AP side - we need to connect MikroTik as station to a network operated by another company. But I was able to test against several networks built on different platforms with the same result (ROS6 works, ROS7 fails), so I doubt it would be an AP/controller issue. I could build a MikroTik-based AP with EAP in a lab to get AP-side logs. But since MikroTik support keeps ignoring my rigorous bug report, this looks like a waste of time ...
 
bpwl
Forum Guru
Posts: 2449
Joined: Mon Apr 08, 2019 1:16 am

Re: EAP PEAP-MSCHAPv2 as station with v7

Thu Jan 26, 2023 8:46 pm

Well, might be hard to debug or diagnose without the full AP side access and control.

If RADIUS works, it's great. Issues with TLS versions for me are not very easy to diagnose/correct.
With FreeRADIUS (open source code) at least there is a lot of information and debug mode.

ROS6-ROS7 might have different TLS version handling. And then the supported TLS versions in the AP matter.
Maybe @sindy can help here. See: viewtopic.php?t=173848.
See also https://github.com/multiduplikator/mikrotik_EAP. I know it's more about the server side.
And https://freeradius-users.freeradius.nar ... on-too-low
 
hoh
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 12:13 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Fri Jan 27, 2023 10:42 am

Thanks, bpwl, for the links and ideas!

OK, I'll try to prepare a lab environment with MikroTik station and MikroTik AP, sniff the air to check TLS versions and get back then.
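
Added example, not part of the original thread or of any poster's code: one way to read the TLS versions out of a captured PEAP exchange, as proposed in the post above. It assumes the input is the EAPOL payload (EtherType 0x888E) of one frame; the function names and the sample frame are constructed for illustration, and only the version fields in the record header and hello are read (TLS 1.3 negotiates through an extension that is not parsed here).

```python
import struct

EAP_TYPE_PEAP = 25
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def peap_tls_versions(eapol: bytes):
    """Return (record_version, hello_version) for an EAPOL frame whose EAP-PEAP
    payload starts with a TLS ClientHello/ServerHello, else None."""
    if len(eapol) < 4:
        return None
    _ver, ptype, plen = struct.unpack("!BBH", eapol[:4])
    eap = eapol[4:4 + plen]
    if ptype != 0 or len(eap) < 6:           # EAPOL type 0 = EAP-Packet
        return None
    code, _ident, elen, etype, flags = struct.unpack("!BBHBB", eap[:6])
    if code not in (1, 2) or etype != EAP_TYPE_PEAP:   # Request / Response only
        return None
    off = 10 if flags & 0x80 else 6          # L bit: 4-byte TLS message length follows
    tls = eap[off:elen]
    # Continuation fragments start mid-record; this check filters them heuristically.
    if len(tls) < 11 or tls[0] != 0x16:      # 0x16 = TLS handshake record
        return None
    if tls[5] not in (1, 2):                 # 1 = ClientHello, 2 = ServerHello
        return None
    rec_ver, = struct.unpack("!H", tls[1:3])
    hello_ver, = struct.unpack("!H", tls[9:11])
    return (TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
            TLS_VERSIONS.get(hello_ver, hex(hello_ver)))

def sample_frame(hello_ver: int) -> bytes:
    """Constructed test frame: EAPOL / EAP-Response / PEAP / minimal ClientHello."""
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00"  # version, random, sid len
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
    eap = struct.pack("!BBHBB", 2, 7, 10 + len(rec), EAP_TYPE_PEAP, 0x80)
    eap += struct.pack("!I", len(rec)) + rec
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

if __name__ == "__main__":
    for v in (0x0301, 0x0303):
        print(peap_tls_versions(sample_frame(v)))
```

Running it over the same exchange captured from a ROS6 and a ROS7 station shows whether the two offer different versions in their ClientHello.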
 
m4rk3J
just joined
Posts: 2
Joined: Thu Jan 27, 2022 2:41 pm

Re: EAP PEAP-MSCHAPv2 as station with v7

Sat Jan 28, 2023 10:26 pm

I ran into the same problem when connecting RouterOS v7 CPE as station to v7 cAP ac controlled by CAPsMAN...
