EAP PEAP-MSCHAPv2 as station with v7

Posted: Thu Nov 24, 2022 4:56 pm
by hoh
We need to connect MikroTik as a client (station) to a WPA2-Enterprise secured wifi network using PEAP-MSCHAPv2. With ROS 6.49.7, everything works fine with this security-profile config.
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=peap management-protection=allowed mode=dynamic-keys mschapv2-password=_SECRET_ mschapv2-username=_USERNAME_ name=wifi_client supplicant-identity=_USERNAME_ tls-mode=dont-verify-certificate
When trying the same with v7, it silently fails. The only trace is this message in the log: “XX:XX:XX:XX:XX:XX@wlan2: lost connection, 802.1x authentication timeout”. I tried to tweak all possible settings in /interface/wireless with no success. I also opened SUP-98029 with MikroTik but so far there is no reaction.

Anybody hit the same issue?

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Tue Jan 24, 2023 3:13 pm
by hoh
Nobody needs PEAP-MSCHAPv2? Searching the forum's history, I see it had been a long-awaited feature, so having a bug in ROS v7 should hit somebody ...

If anybody from MikroTik reads this ... your support sucks! I opened SUP-98029 trying to follow all guidelines (providing all information, supout files for working and broken scenario etc.). There is no answer for more than 2 months. I completely understand that this is not paid support with an SLA, but still, ignoring the request completely is not very kind. Any answer would be better than this, even a "won't fix" one.

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Jan 25, 2023 12:09 am
by bpwl
Works fine in ROS6 indeed.

Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Jan 25, 2023 10:04 pm
by hoh
No extra log with topics=radius on station. I even tried topics=debug. The above mentioned message “lost connection, 802.1x authentication timeout” is the only trace I'm able to get. There is also no interesting log when using ROS6 (which works fine).

I do not control the AP side - we need to connect MikroTik as station to a network operated by another company. But I was able to test against several networks built on different platforms with the same result (ROS6 works, ROS7 fails), so I doubt it would be an AP/controller issue. I could build a MikroTik-based AP with EAP in a lab to get AP-side logs. But since MikroTik support keeps ignoring my rigorous bug report, this looks like a waste of time ...

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Thu Jan 26, 2023 8:46 pm
by bpwl
Well, it might be hard to debug or diagnose without full AP-side access and control.

If RADIUS works, it's great. Issues with TLS versions for me are not very easy to diagnose/correct.
With FreeRADIUS (open source code) at least there is a lot of information and debug mode.

ROS6 and ROS7 might have different TLS version handling. And then the supported TLS versions in the AP matter.
Maybe @sindy can help here. See: viewtopic.php?t=173848 .
See also . I know it's more about the server side.
And https://freeradius-users.freeradius.nar ... on-too-low

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Fri Jan 27, 2023 10:42 am
by hoh
Thanks, bpwl, for the links and ideas!

OK, I'll try to prepare a lab environment with MikroTik station and MikroTik AP, sniff the air to check TLS versions and get back then.
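
Following up on bpwl's TLS-version hypothesis and the plan to sniff the air: the script below is an added example, not code from this thread, from MikroTik or from FreeRADIUS. It unwraps a single, unfragmented EAP-PEAP frame (EAP type 25) such as one pulled from an 802.1X capture, parses the TLS ClientHello inside, and reports which TLS versions the supplicant actually offers, so the station's offer can be compared with the server's minimum (FreeRADIUS exposes that as tls_min_version in its eap module). The frame it runs on is constructed inline for demonstration; the random bytes, cipher suites and EAP identifier are arbitrary sample values, not taken from any real capture.

```python
"""Read the TLS versions a PEAP supplicant offers in its ClientHello (added example)."""
import struct

EAP_TYPE_PEAP = 25
EXT_SUPPORTED_VERSIONS = 43
TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def eap_peap_payload(eap: bytes) -> bytes:
    """Strip the EAP header and PEAP flag byte; return the TLS record(s) carried inside.

    Handles one unfragmented frame: frames with the M (more) flag set would first
    need reassembly across several EAP packets.
    """
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match frame size")
    if code not in (1, 2):  # only Request/Response carry PEAP data
        raise ValueError(f"EAP code {code} is not Request/Response")
    eap_type, flags = eap[4], eap[5]
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError(f"EAP type {eap_type} is not PEAP")
    offset = 6
    if flags & 0x80:  # L flag: a 4-byte total TLS message length follows
        offset += 4
    return eap[offset:]


def parse_client_hello(tls: bytes) -> dict:
    """Return record/legacy versions, offered versions and cipher suites of a ClientHello."""
    content_type, record_version, record_len = struct.unpack("!BHH", tls[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = tls[5:5 + record_len]
    if len(body) != record_len or body[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip the 32-byte random
    pos += 1 + hello[pos]             # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]             # skip compression methods
    supported = []
    if pos < len(hello):              # extensions block is optional in older hellos
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    # Without supported_versions (TLS 1.2 and earlier) the legacy field is the offer.
    offered = supported if supported else [legacy_version]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "offered_versions": offered, "cipher_suites": cipher_suites}


def version_name(code: int) -> str:
    return TLS_VERSION_NAMES.get(code, f"unknown 0x{code:04x}")


def meets_minimum(info: dict, minimum: int = 0x0303) -> bool:
    """True if the supplicant offers at least `minimum`; GREASE/unknown codes are ignored."""
    return any(v >= minimum for v in info["offered_versions"] if v in TLS_VERSION_NAMES)


def build_sample_eap_peap_client_hello(supported_versions, legacy_version=0x0303, eap_id=1) -> bytes:
    """Constructed sample frame: EAP-Response/PEAP (L flag set) carrying a minimal ClientHello."""
    random_bytes = bytes(range(32))   # fixed filler, not real randomness; sample only
    cipher_suites = b"\x13\x01\xc0\x2f"  # TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello = struct.pack("!H", legacy_version) + random_bytes + b"\x00"
    hello += struct.pack("!H", len(cipher_suites)) + cipher_suites + b"\x01\x00"
    if supported_versions:
        ext_data = bytes([2 * len(supported_versions)]) + b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake
    peap = bytes([EAP_TYPE_PEAP, 0x80]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, eap_id, 4 + len(peap)) + peap


if __name__ == "__main__":
    frame = build_sample_eap_peap_client_hello([0x0304, 0x0303])
    info = parse_client_hello(eap_peap_payload(frame))
    print("offered:", [version_name(v) for v in info["offered_versions"]])
    print("meets TLS 1.2 minimum:", meets_minimum(info))
```

To use it on a real capture, export the EAP payload of the first EAP-Response/PEAP frame from the station (the one whose record is a ClientHello) as raw bytes and feed it to eap_peap_payload; if meets_minimum is false for the server's configured floor, the "802.1x authentication timeout" seen on the station is consistent with the server aborting the TLS handshake rather than with a credential problem.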

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Sat Jan 28, 2023 10:26 pm
by m4rk3J
I ran into the same problem when connecting RouterOS v7 CPE as station to v7 cAP ac controlled by CAPsMAN...