hrober
newbie
Topic Author
Posts: 41
Joined: Fri Jun 02, 2006 3:32 pm
Location: Brazil

Auth WPA2/PSK against radius server

Mon Jun 02, 2008 8:15 pm

Today I use 'Access List' to specify different WPA2/PSK keys for my customers. It's so hard. Is there a way to use radius to store the keys?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Auth WPA2/PSK against radius server

Mon Jun 02, 2008 10:19 pm

Not with PSK, but if you use EAP the keys will be generated and supplied automatically...

So you should use WPA2/EAP to solve this.


--Tom
 
hrober
newbie
Topic Author
Posts: 41
Joined: Fri Jun 02, 2006 3:32 pm
Location: Brazil

Re: Auth WPA2/PSK against radius server

Mon Jun 02, 2008 10:44 pm

It's a good idea, but my wireless clients (the firmware) do not support the EAP method.

I ask again,

why can't I auth PSK against radius? Are there technical problems that make it impossible?
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Auth WPA2/PSK against radius server

Sun Jun 08, 2008 1:11 pm

> I ask again,
> why can't I auth PSK against radius? Are there technical problems that make it impossible?

PSK is designed for the end user to enter the key, whilst using EAP method (mostly) it's designed to be pushed out from a RADIUS server.

There is something called EAP-PSK which uses a combination but I'm not well read on this.

Sorry.
 
rucevzhuru
newbie
Posts: 43
Joined: Fri May 25, 2007 6:57 pm

Re: Auth WPA2/PSK against radius server

Fri Jun 13, 2008 4:50 pm

Hello,
this function is very important for us. We have almost 50 routers running StarOs and plan to migrate to Mikrotik or Madwifi. So I would like to know if Mikrotik developers will implement different WPA2 keys for various users over radius protocol. If not, we will choose Madwifi because it has open source code and we can add it. We have a user information system and it controls access to the network via radius, so adding WPA2 keys to the access list is too much additional work.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Auth WPA2/PSK against radius server

Wed Jun 18, 2008 10:25 pm

> if Mikrotik developers will implement different WPA2 keys for various users over radius protocol.

What would be the advantage of your implementation compared to EAP with certificates, which is a standards-based technology that already works on RouterOS today?

--Tom
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: Auth WPA2/PSK against radius server

Thu Jun 19, 2008 5:21 pm

> Today I use 'Access List' to specify different WPA2/PSK keys for my customers. It's so hard. Is there a way to use radius to store the keys?

Use this attribute:
Mikrotik-Wireless-Psk
 
hrober
newbie
Topic Author
Posts: 41
Joined: Fri Jun 02, 2006 3:32 pm
Location: Brazil

Re: Auth WPA2/PSK against radius server

Fri Jun 20, 2008 4:00 pm

> Use this attribute:
> Mikrotik-Wireless-Psk

Will it be available in the next release/beta version?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Auth WPA2/PSK against radius server

Fri Jun 20, 2008 4:13 pm

It is available from the beginning of version 3.
 
hrober
newbie
Topic Author
Posts: 41
Joined: Fri Jun 02, 2006 3:32 pm
Location: Brazil

Re: Auth WPA2/PSK against radius server

Fri Jun 20, 2008 5:15 pm

> It is available from the beginning of version 3.

Do I need to update my MkT Radius Dictionary to use this? I'm trying here but radius says:
Failed to create the pair: Unknown attribute "Mikrotik-Wireless-Psk"
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: Auth WPA2/PSK against radius server

Wed Jun 25, 2008 1:31 pm

Please update your Radius dictionary with the new attribute:
ATTRIBUTE       Mikrotik-Wireless-PSK               16       string
 
hrober
newbie
Topic Author
Posts: 41
Joined: Fri Jun 02, 2006 3:32 pm
Location: Brazil

Re: Auth WPA2/PSK against radius server

Wed Jun 25, 2008 4:52 pm

> Please update your Radius dictionary with the new attribute:
> ATTRIBUTE       Mikrotik-Wireless-PSK               16       string

uldis,

Great! It works now!

I updated my Radius dictionary with this new attribute and added a new row in my radreply table.


Thanks
 
andersonmachado
just joined
Posts: 13
Joined: Thu Nov 01, 2007 8:00 pm
Location: Brazil

Mikrotik-Wireless-PSK ( connect / disconnect )

Mon Apr 27, 2009 6:48 pm

Users are connecting and then the connection is closed.

NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Acct-Terminate-Cause = Port-Error

---------------------

0 ) Dictionary

/usr/local/share/freeradius/dictionary.mikrotik

ATTRIBUTE Mikrotik-Wireless-PSK 16 string

1 ) Records in Radius

INSERT INTO radcheck VALUES(1, 'machado', 'Password', '==', 'machado', '', '');
INSERT INTO radcheck VALUES(2, '00:16:44:ad:92:18', 'Password', '==', '00:16:44:ad:92:18', '', '');

INSERT INTO radgroupcheck VALUES(1, '128', 'Simultaneous-Use', ':=', '1');
INSERT INTO radgroupcheck VALUES(2, 'wireless', 'Auth-Type', ':=', 'Local');

INSERT INTO radgroupreply VALUES(1, '128', 'Mikrotik-Rate-Limit', ':=', '128k/128k', 0);
INSERT INTO radgroupreply VALUES(2, '128', 'Framed-Pool', ':=', 'liberado', 0);

INSERT INTO radreply VALUES(1, '00:16:44:ad:92:18', 'Mikrotik-Wireless-PSK', '=', '12121212');

INSERT INTO usergroup VALUES(1, 'machado', '128');
INSERT INTO usergroup VALUES(2, '00:16:44:AD:92:18', 'wireless');

2 ) Authentication

2.1 )

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

2.2 )

rad_recv: Access-Request packet from host 189.xxx.xxx.xxx:43263, id=130, length=173
Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Calling-Station-Id = "00-16-44-AD-92-18"
Called-Station-Id = "00-02-6F-53-53-C7:mar_teste"
Password = "00:16:44:AD:92:18"
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3

2.3 )

rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [00:16:44:ad:92:18/00:16:44:ad:92:18] (from client mar port 0 cli 00-16-44-AD-92-18)
Processing the post-auth section of radiusd.conf

2.4 )

modcall[post-auth]: module "sql" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 130 to 189.xxx.xxx.xxx port 43263
Mikrotik-Wireless-PSK = "12121212"
Finished request 0

2.5 )

Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3
Acct-Delay-Time = 0

Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Acct-Terminate-Cause = Port-Error
Acct-Session-Time = 5
Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Octets = 645
Acct-Output-Gigawords = 0
Acct-Output-Packets = 5
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3
Acct-Delay-Time = 0
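
An added example (not code from the thread or from MikroTik) of what the Access-Accept in step 2.4 carries on the wire: the `ATTRIBUTE Mikrotik-Wireless-PSK 16 string` dictionary entry becomes a Vendor-Specific attribute whose value is the passphrase in plain bytes. The packet id and PSK are taken from the debug output above; the vendor number 14988 (MikroTik's enterprise number, which the thread does not quote), the shared secret and the Request Authenticator are assumptions.

```python
import hashlib
import struct

VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute
MIKROTIK_VENDOR_ID = 14988   # assumption: MikroTik enterprise number, not shown in the thread
WIRELESS_PSK = 16            # "ATTRIBUTE Mikrotik-Wireless-PSK 16 string"
ACCESS_ACCEPT = 2

def encode_psk_vsa(psk: str) -> bytes:
    """Encode the PSK as Vendor-Specific(26) / MikroTik / sub-attribute 16."""
    value = psk.encode("ascii")
    if not 8 <= len(value) <= 63:          # WPA2 passphrase length limits
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    sub = struct.pack("!BB", WIRELESS_PSK, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), MIKROTIK_VENDOR_ID) + sub

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(code+id+length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def read_psk(packet: bytes):
    """Parse a reply the way a NAS would; no shared secret is involved in reading it."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= min(length, len(packet)):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == MIKROTIK_VENDOR_ID and vtype == WIRELESS_PSK:
                return body[6:4 + vlen].decode("ascii")
        pos += alen
    return None

def authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The secret authenticates the reply; it does not hide the attribute values."""
    expect = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expect

# Constructed sample: id=130 and the PSK come from the thread's debug output;
# the Request Authenticator and shared secret are made up for this example.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
ACCEPT = build_access_accept(130, REQ_AUTH, SECRET, encode_psk_vsa("12121212"))

if __name__ == "__main__":
    print("PSK as parsed from the reply:", read_psk(ACCEPT))
    print("authenticator valid:", authenticator_ok(ACCEPT, REQ_AUTH, SECRET))
```

Because a `string` attribute is sent unobfuscated and the shared secret only authenticates the reply, the path between the AP and the RADIUS server (here a public 189.xxx.xxx.xxx address) should run over a protected link such as a VPN or a management network.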
 
PackElend
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: Auth WPA2/PSK against radius server

Sun Jan 02, 2022 12:14 am

Can this be used to set up dynamic VLAN assignments based on the Private-PSK used?
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: Auth WPA2/PSK against radius server

Thu Jan 06, 2022 1:34 am

If I read well in the following links, then ...

It's not yet the Ruckus DPSK (https://data.kommago.nl/files/pdf/byod-ruckus.pdf)
The user identification is still by the MAC address and not the (D)PSK. (see pages 38 till 46 in: https://mdbrasil.com.br/academy/wp-cont ... 9_Maia.pdf )

So the VLAN id for the user is linked to the MAC address, not just to the PSK used when connecting with the same or for any other MAC address
But the "access-list" with "MAC address, PSK, VLANid" is moved from the AP's or CAPsMAN to the RADIUS server.
