query-radius is a new action (compared to the WLAN driver). So no experience.
But is this a 2-phase authentication? First access list, then additional PSK or EAP authentication, or not?
Yes, I guess that is how it works? I am not sure about the order though, but both the PSK and a positive reply from the RADIUS server are needed.
For WPAx-EAP with MAC-based authentication on the WLAN driver, the MAC address was the EAP username and password in RADIUS.
A match in the "access list" with authentication unchecked would not even allow WPAx-EAP to try.
For WPA-EAP I am not using an access list at all, and it just works. All I set was the EAP security profile, and in /radius I set the RADIUS client to be used for wireless. I assumed the same would be true for WPA-PSK, but no.
A bit confusing, what MT writes in the HELP documentation for wifi (wave2):
"MAC address authentication
Implemented through the query-radius action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.
When a client device tries to associate with an AP, which is configured to perform MAC address authentication, the AP will send an access-request message to a RADIUS server with the device's MAC address as the user name and an empty password. If the RADIUS server answers with access-accept to such a request, the AP proceeds with whatever regular authentication procedure (passphrase or EAP authentication) is configured for the interface."
And with access list authentication: "Just make sure that the specific client doesn't get matched by a more generic access list rule first."
But what makes it "configured to perform MAC address authentication"??? This was a checkbox in the WLAN driver security profile.
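The two-phase flow the quoted documentation describes (the AP sends the client MAC as User-Name with an empty password, and only continues to PSK or EAP after an Access-Accept) as an added example, not code from this thread or from MikroTik: a minimal RFC 2865 exchange in Python with the AP side building the Access-Request and a toy server side answering from a constructed whitelist. The shared secret, the whitelist, the MAC string format (uppercase, colon-separated) and the use of Calling-Station-Id are assumptions, not values from the page.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange for MAC-address
authentication. Constructed example: secret, whitelist and MACs are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

# Constructed data (assumption, not from the page): shared secret and MAC whitelist.
SHARED_SECRET = b"example-shared-secret"
MAC_WHITELIST = {"AA:BB:CC:11:22:33", "AA:BB:CC:44:55:66"}


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to a multiple of 16 bytes, then XOR
    each block with MD5(secret + request authenticator / previous cipher block).
    An empty password still produces one 16-byte block."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(b ^ k for b, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ k for b, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length field includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(mac: str, secret: bytes, identifier: int = 1) -> bytes:
    """AP side: User-Name = client MAC, User-Password = hidden empty string."""
    authenticator = os.urandom(16)
    attrs = (avp(USER_NAME, mac.encode())
             + avp(USER_PASSWORD, encrypt_password(b"", secret, authenticator))
             + avp(CALLING_STATION_ID, mac.encode()))  # assumed, commonly sent as well
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_server(packet: bytes, secret: bytes, whitelist: set) -> bytes:
    """Server side: Access-Accept only for a whitelisted MAC whose (empty) password
    decrypts correctly; Response Authenticator per RFC 2865 s3 (no reply attributes)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_avps(packet[20:length])
    mac = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    accepted = code == ACCESS_REQUEST and mac in whitelist and password == b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def ap_decide(mac: str, secret: bytes, whitelist: set, server_secret: bytes = None) -> str:
    """Full exchange from the AP's point of view. The reply's authenticator is checked
    before it is trusted, so a forged or mis-keyed reply never lets a client through."""
    request = build_access_request(mac, secret)
    response = radius_server(request, server_secret or secret, whitelist)
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if response[4:20] != expected or identifier != request[1]:
        return "drop"  # unverifiable reply: treat as reject
    return "proceed-to-psk" if code == ACCESS_ACCEPT else "drop"


if __name__ == "__main__":
    for client in ("AA:BB:CC:11:22:33", "DE:AD:BE:EF:00:01"):
        print(client, "->", ap_decide(client, SHARED_SECRET, MAC_WHITELIST))
```

The point to note is the ordering: the PSK handshake only starts once the AP has received a verified Access-Accept, so a MAC that is not on the server's list is dropped before it ever gets to prove it knows the passphrase, and a reply signed with the wrong shared secret is treated exactly like a reject.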
Exactly. For WPA-EAP, nothing is needed. For WPA-PSK, what do I need?
The only idea I have left is to try using capsman and see if it magically works. I have never used it, so it will take a week or two until I have that set up.
A question in that regard. I have a pfSense router, a CRS326 currently running SwitchOS and doing only layer two stuff (VLAN), and two cAP AX in series (CRS326 <-> AP1 <-> AP2). Would I be better off running capsman on the CRS326 (changing to RouterOS but not doing any layer 3 stuff), or using AP1 for both capsman and caps, and AP2 for caps?