Msprg

Username/Password authentication with MT router and unifi access point

Mon Mar 04, 2024 12:31 am

Hello,

I'm trying to set up advanced username / password authentication in my network. I will be posting this to both the MikroTik and UniFi forums, as the line is really blurred for me right now as to why my setup is not working.

Firstly, I want my goals for this setup to be very clear.
What I DON'T want:
MAC / phy address based auth and VLAN assignment
Multiple SSIDs where there's one SSID per VLAN
What I DO want:
Single SSID, WPA2-Enterprise authentication
No certificates unless necessary
Depending on the username and password entered in the WPA2-EAP prompt, connect the device into a specific VLAN
Multiple devices can share the same username and password combinations

Information about my network topology: I'm using a MikroTik router (.0.1) as my edge router, and a UniFi U6 Lite access point (.0.5) connected directly to the MT's PoE out port. I believe this is the only relevant info about my topology.

Current configuration:
On the MikroTik, there are a few VLANs set up. Since I just set them up and verified they're working with their respective DHCP servers, there isn't any client isolation or other differences or restrictions between them YET, as I first want to get this Wi-Fi EAP stuff working before I start closing them off etc.
Additionally, I have a RADIUS server set up and a test user added through User Manager, all on the MikroTik. I have verified using `radtest user1 password 192.168.0.1:1812 0 presharedPasswd` that RADIUS is returning sensible replies, for example:
Sent Access-Request Id 175 from 0.0.0.0:60696 to 192.168.0.1:1812 length 75
        User-Name = "user1"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 175 from 192.168.0.1:1812 to 192.168.0.111:60696 length 64
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "22" # 22 is my guest vlan
        Class = 0xc584c102cb8e610a
        Message-Authenticator = 0x3a2168a8e66cbaa65a8ed3cf39698996
In the UniFi controller, I switched to WPA2-Enterprise security and assigned a RADIUS profile, where I put the same credentials and MikroTik IPs I'm using with the radtest command.
At this point, authentication keeps failing when connecting to the AP. From the long debug logs I pulled out what I believe is the culprit:
21:02:43 2024 daemon.debug hostapd[31915]: ra2: STA 82:23:ab:94:ee:8d IEEE 802.1X: received EAP packet (code=2 id=190 len=141) from STA: EAP Response-PEAP (25)
21:02:44 2024 daemon.debug hostapd[31915]: ra2: STA 82:23:ab:94:ee:8d IEEE 802.1X: decapsulated EAP packet (code=4 id=190 len=4) from RADIUS server: EAP Failure
21:02:44 2024 daemon.warn hostapd[31915]: ra2: STA 82:23:ab:94:ee:8d IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Looks like I'm missing one more piece of this puzzle: 802.1X authentication. I wanted to set it up on the MikroTik as well, but no matter what configuration I tried, it seems I just can't figure out how to get .1X talking between the MikroTik and the UniFi AP. Right now I have checked "802.1x Control" in the UniFi controller's global network settings (not sure it's actually a related setting; I only have an AP, and this one seems more for UniFi switches).
I have added the UniFi AP / the port it is connected to as a client in the MikroTik's dot1x. It is currently showing status "authenticated without server"; however, my authentication issues still persist. Here are the current UniFi logs I believe are relevant:
22:52:28 2024 daemon.debug hostapd[31915]: ra2: STA 82:23:ab:94:ee:8d IEEE 802.1X: Sending EAP Packet (identifier 1)
22:52:28 2024 kern.warn kernel: [18042.461662] EAPOL RTS Failed for WCID = 7
22:52:29 2024 daemon.info hostapd[23755]: rai0: STA 2c:fe:4f:0c:88:62 IEEE 802.11: authenticated
22:52:29 2024 daemon.debug hostapd[23755]: rai0: STA 2c:fe:4f:0c:88:62 IEEE 802.1X: unauthorizing port
22:52:29 2024 daemon.debug hostapd[23755]: rai0: STA 2c:fe:4f:0c:88:62 WPA: pairwise key handshake completed (RSN)
22:52:29 2024 daemon.info hostapd[23755]: rai0: STA 2c:fe:4f:0c:88:62 WPA: pairwise key handshake completed (RSN)
MikroTik configuration I believe is relevant:
# 2024-03-03 23:13:31 by RouterOS 7.14
#
# model = L009UiGS
/interface bridge
add admin-mac=78:9A:18:A1:D9:68 auto-mac=no comment=defconf name="LAN Bridge" port-cost-mode=short vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether8 ] comment="Unifi U6-lite PoE AP" poe-out=forced-on
/interface vlan
add interface="LAN Bridge" name=admin-vlan-33 vlan-id=33
add interface="LAN Bridge" name=base-vlan-11 vlan-id=11
add interface="LAN Bridge" name=guest-vlan-22 vlan-id=22
add interface="LAN Bridge" name=iot-vlan-55 vlan-id=55
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=VLAN-11-BASE ranges=10.100.11.100-10.100.11.199
add name=VLAN-22-GUEST ranges=10.100.22.10-10.100.22.254
add name=VLAN-33-ADMIN ranges=10.100.33.10-10.100.33.254
add name=VLAN-55-UNTRUSTED-IOT ranges=10.100.55.10-10.100.55.254
/ip dhcp-server
add address-pool=VLAN-11-BASE bootp-lease-time=lease-time bootp-support=dynamic interface=base-vlan-11 lease-time=\
    1d name=VLAN-11
add address-pool=VLAN-22-GUEST bootp-lease-time=lease-time bootp-support=dynamic interface=guest-vlan-22 \
    lease-time=1d name=VLAN-22
add address-pool=VLAN-33-ADMIN bootp-lease-time=lease-time bootp-support=dynamic interface=admin-vlan-33 \
    lease-time=1d name=VLAN-33
add address-pool=VLAN-55-UNTRUSTED-IOT bootp-lease-time=lease-time bootp-support=dynamic interface=iot-vlan-55 \
    lease-time=1d name=VLAN-55
/user-manager user
add attributes=Tunnel-Type:13,Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:22 name=user1
/interface bridge port
add bridge="LAN Bridge" comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" comment=defconf interface=sfp1 internal-path-cost=10 path-cost=10
add bridge="WAN Bridge" interface=ether1 internal-path-cost=10 path-cost=10
add bridge="WAN Bridge" interface=ether2 internal-path-cost=10 path-cost=10
add bridge="LAN Bridge" interface=veth1-adguard internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge="LAN Bridge" tagged="LAN Bridge,ether4,ether7,ether8" vlan-ids=11
add bridge="LAN Bridge" tagged="LAN Bridge,ether4,ether7,ether8" vlan-ids=22
add bridge="LAN Bridge" tagged="LAN Bridge,ether4,ether7,ether8" vlan-ids=33
add bridge="LAN Bridge" tagged="LAN Bridge,ether4,ether7,ether8" vlan-ids=55
/interface dot1x client
add eap-methods=eap-mschapv2,eap-peap,eap-ttls identity=U6AP interface=ether8
/interface list member
add comment=defconf interface="LAN Bridge" list=LAN
add comment=defconf interface="WAN Bridge" list=WAN
add interface=admin-vlan-33 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface="LAN Bridge" network=192.168.0.0
add address=10.100.11.1/24 interface=base-vlan-11 network=10.100.11.0
add address=10.100.22.1/24 interface=guest-vlan-22 network=10.100.22.0
add address=10.100.33.1/24 interface=admin-vlan-33 network=10.100.33.0
add address=10.100.55.1/24 interface=iot-vlan-55 network=10.100.55.0
/ip dhcp-server network
add address=10.100.11.0/24 dns-server=10.100.11.1 gateway=10.100.11.1
add address=10.100.22.0/24 dns-server=10.100.22.1 gateway=10.100.22.1
add address=10.100.33.0/24 dns-server=10.100.33.1 gateway=10.100.33.1
add address=10.100.55.0/24 dns-server=10.100.55.1 gateway=10.100.55.1
/ip dns
set allow-remote-requests=yes cache-size=48828KiB doh-max-concurrent-queries=150 doh-max-server-connections=10 \
    max-concurrent-queries=200 servers=192.168.0.50,192.168.0.60 verify-doh-cert=yes
/radius
add address=127.0.0.1 service=login,wireless,dhcp,dot1x
/radius incoming
set accept=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=127.0.0.1 name="This MikroTIk"
add address=192.168.0.111 name=msprg-pc
add address=192.168.0.5 name="UNIFI-AP U6 Lite"
add address=192.168.0.50 name="(unifi controller)"
I know this is a long post, but I feel like I'm so close to it working, yet I don't have enough experience to finish it myself. Thank you for any insights.
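The Access-Accept shown in the post carries the VLAN as three RFC 2868 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID "22"), each prefixed with a tag byte, which is the `:0` radtest prints. As an added example, not code from the original post, RouterOS or hostapd, this Python snippet encodes that triple and validates it the way an authenticator does, including the RFC 2868 rule for a group id sent without a tag byte; all function names are this example's own.

```python
# RADIUS tunnel attributes (RFC 2868) used for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # the "Tunnel-Type:13" in the User Manager attributes above
TUNNEL_MEDIUM_IEEE_802 = 6   # the "Tunnel-Medium-Type:6"

def encode_vlan_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes an Access-Accept carries to place a client in vlan_id."""
    if not (1 <= vlan_id <= 4094 and 0 <= tag <= 0x1F):
        raise ValueError("VLAN id must be 1..4094 and tag 0..31")
    out = b""
    for atype, num in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        body = bytes([tag]) + num.to_bytes(3, "big")  # tag byte (0 = untagged, radtest's ':0') + 3-byte int
        out += bytes([atype, 2 + len(body)]) + body
    body = bytes([tag]) + str(vlan_id).encode()       # tag byte + decimal VLAN string
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    return out

def parse_attrs(buf: bytes):
    """Yield (type, value) from a RADIUS attribute list, rejecting malformed lengths."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[i + 2:i + alen]
        i += alen

def vlan_from_attrs(buf: bytes):
    """Return the VLAN id the attributes assign, or None if the set is incomplete or inconsistent.
    Like an authenticator: Type=VLAN and Medium=IEEE-802 must share the group id's tag, and the
    group id must be a decimal VLAN number in 1..4094."""
    per_tag = {}
    for atype, val in parse_attrs(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tunnel integer attribute must be tag + 3 bytes")
            per_tag.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet of 0x00..0x1F is a tag; anything larger is part of the string
            tag, gid = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            per_tag.setdefault(tag, {})[atype] = gid
    for attrs in per_tag.values():
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and gid is not None and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None
```

Running `vlan_from_attrs` over the attribute bytes of a captured Access-Accept is a quick way to confirm the server side is delivering a usable VLAN triple before looking at the EAP/PEAP exchange itself.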
