microlyme
just joined
Topic Author
Posts: 9
Joined: Thu Nov 11, 2021 2:28 pm

Wireless 802.1X Debugging

Fri Apr 07, 2023 11:33 pm

I am trying to diagnose why a wireless network using EAP-TTLS rejects association from a MikroTik station. Adding wireless,debug and even full wireless topic does not give me more messages about the 802.1X EAP negotiation.

The logs look like:
wireless,debug wlan1: must select network
Station scans SSIDs
wireless,debug 00:00:00:00:00:00: on 0000 AP: yes SSID SSID caps 0x1111 rates 0xOFDM:24-54 BW:1x-4x SGI:1x-4x HT:3-7,9-15,17-31 VHTMCS:SS1=0-9,SS2=0-9,SS3=0-9,SS4=0-9 basic 0xOFDM:24 BW:1x VHTMCS:SS1=0-7 MT: no
wireless,info 00:00:00:00:00:00@wlan1 established connection on 0000000, SSID SSID
Station receives deauth
wireless,debug wlan1: must select network
I typically get either deauth reason:
wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: IEEE 802.1X authentication failed (23)
wireless,info 00:00:00:00:00:00@wlan1: lost connection, received deauth: class 2 frame received (6)
I would like to debug and diagnose why I am unable to authenticate even though the account works on other hardware.

Is there another log topic I can use, or other diagnosis steps I can take?
 
blingblouw
Member
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Re: Wireless 802.1X Debugging

Fri Apr 07, 2023 11:37 pm

We don’t do 802.1x on MT hardware, but as authentication failed, I’d probably try enabling radius logs to see what happens in that process.
 
microlyme
just joined
Topic Author
Posts: 9
Joined: Thu Nov 11, 2021 2:28 pm

Re: Wireless 802.1X Debugging

Fri Apr 07, 2023 11:44 pm

I have enabled logging of the 802.1x topic, but unfortunately I get no information whatsoever. I believe the wireless 802.1x implementation is separate from the wired 802.1x that is in /interface/dot1x.

I am not sure if it is even possible to use that dot1x for wireless interfaces, I may try.
 
microlyme
just joined
Topic Author
Posts: 9
Joined: Thu Nov 11, 2021 2:28 pm

Re: Wireless 802.1X Debugging

Fri Apr 07, 2023 11:52 pm

It does not seem possible to use /interface/dot1x client for wireless interface. I can set interface as wlan1 using CLI, however WinBox and WebFig do not like that and keep defaulting to ether1. This is with security profile set to profile with EAP passthrough.

I also do not see any logging activity under radius or dot1x.
 
blingblouw
Member
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Re: Wireless 802.1X Debugging

Sat Apr 08, 2023 12:47 pm

If you don’t see anything under radius (I’m assuming you’re using radius) then there’s an issue there. Try posting your config.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Wireless 802.1X Debugging

Sat Apr 08, 2023 4:41 pm

How does your wireless security profile look?
Try something like this:
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=eap-ttls-mschapv2 mode=\
    dynamic-keys mschapv2-password=YOURPASSWORD mschapv2-username=YOURUSERNAME name=\
    wpa2-eap supplicant-identity=YOURUSERNAME tls-mode=dont-verify-certificate
 
microlyme
just joined
Topic Author
Posts: 9
Joined: Thu Nov 11, 2021 2:28 pm

Re: Wireless 802.1X Debugging

Sat Apr 08, 2023 7:32 pm

I know my outer identity is working, because using a test bad identity results in an immediate deauth. Using a good outer identity results in staying associated for a bit (15-30 seconds) before receiving a deauth.
[admin@MikroTik] > /interface wireless security-profiles export
add authentication-types=wpa2-eap eap-methods=eap-ttls-mschapv2 management-protection=allowed mode=dynamic-keys mschapv2-password="YOURPASSWORD" \
    mschapv2-username=YOURUSERNAME (no realm) name=security-profile-name supplicant-identity=anonymous@realm tls-certificate=realm.pkcs1 tls-mode=verify-certificate
I have also tried with tls-mode=dont-verify-certificate.
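
The timing observation in the post above (a bad outer identity is deauthenticated at once, a good one stays associated for 15 to 30 seconds) can be pulled out of a log export mechanically, together with the deauth reason code. This is an added example, not part of the thread; the HH:MM:SS prefix, the constructed sample lines and the 5-second cut-off are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: message text follows the thread's log lines; the
# HH:MM:SS prefix, MAC address, channel and SSID are assumptions.
SAMPLE_LOG = """\
23:30:01 wireless,info 02:00:00:00:00:01@wlan1 established connection on 5180, SSID corp
23:30:02 wireless,info 02:00:00:00:00:01@wlan1: lost connection, received deauth: IEEE 802.1X authentication failed (23)
23:31:00 wireless,debug wlan1: must select network
23:31:05 wireless,info 02:00:00:00:00:01@wlan1 established connection on 5180, SSID corp
23:31:27 wireless,info 02:00:00:00:00:01@wlan1: lost connection, received deauth: IEEE 802.1X authentication failed (23)
23:59:50 wireless,info 02:00:00:00:00:01@wlan1 established connection on 5180, SSID corp
00:00:12 wireless,info 02:00:00:00:00:01@wlan1: lost connection, received deauth: class 2 frame received (6)
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) wireless,info (?P<peer>[0-9A-Fa-f:]{17})@(?P<iface>\S+?):? "
    r"(?:(?P<up>established connection)|lost connection, received deauth: "
    r"(?P<reason>.+) \((?P<code>\d+)\))")

IMMEDIATE = timedelta(seconds=5)  # assumed cut-off, tune for your network


def triage(log_text):
    """Pair each association with the deauth that ends it.

    Returns (peer MAC, reason code, seconds associated, stage) tuples.
    """
    up_at, results = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # scan results, "must select network", other topics
        key = (m["peer"], m["iface"])
        ts = datetime.strptime(m["ts"], "%H:%M:%S")
        if m["up"]:
            up_at[key] = ts  # remember when this association started
        elif key in up_at:
            held = ts - up_at.pop(key)
            if held < timedelta(0):
                held += timedelta(days=1)  # log crossed midnight
            stage = "immediate" if held <= IMMEDIATE else "delayed"
            results.append((key[0], int(m["code"]), int(held.total_seconds()), stage))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```
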
