Community discussions

MikroTik App

Add WAP-EAP PEAP support?

Yes
43 (100%)
No
No votes
Look at comment
No votes
Who is where?
No votes
 
Total votes: 43
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

PEAP-MSCHAPv2

Sat Oct 01, 2016 1:00 am

Dear customers.

Please support this feature request.
Exactly in Russia Rostelecom now deployed APs this PEAP authentication and MT user not able to connect to such ISPs.
(особенно для тех, кто уже столкнулся с УЦН и невозможностью подключиться на родном оборудовании).

Last answer from support was
currently we do not support WAP-EAP PEAP as wireless station in RouterO
We will look if we could add this support in future, but it might not happen so fast as we haven't received lot of request for such feature.
I believe that it needed feature, please leave comment (vote) if You need it too.
 
torius
just joined
Posts: 2
Joined: Fri Oct 14, 2016 11:15 am

Re: PEAP-MSCHAPv2

Fri Oct 14, 2016 11:19 am

I completely agree, this is the most widespread method for authenticating with username/password and sometimes we can't change (since we're connecting to the network we have no control over).

I bought SXT Lite 2 and much to my surprise can't use it since I need WPA2-EAP-PEAP-MSCHAPV2 support.

MikroTik, please add this feature which is present in most other OS (OpenWRT etc).
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Wed Feb 22, 2017 10:09 am

Good news:
we have added this feature in our to do list but currently is is not a higher priority feature.
So, awaiting...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Wed Feb 22, 2017 11:46 am

I would like to see it as well, it certainly would make our WiFi network a lot easier to manage.
No idea how much work it would involve, I think the underlying software already supports it, it is mainly a configuration issue.
(adding some fields, setting parameters for the underlying software)
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: PEAP-MSCHAPv2

Sat Apr 22, 2017 6:20 pm

Hi. I see some great news at viewtopic.php?f=21&t=116357&p=593227&hilit=peap#p593227

Version 6.39rc68 has been released.

Changes since previous version:
(...)
*) wireless - added PEAP authentication support for wireless station mode;

I will test it in a week. :)

Best regards: CsXen
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Sun Apr 23, 2017 10:14 am

Hi. I see some great news at viewtopic.php?f=21&t=116357&p=593227&hilit=peap#p593227

Version 6.39rc68 has been released.

Changes since previous version:
(...)
*) wireless - added PEAP authentication support for wireless station mode;

I will test it in a week. :)

Best regards: CsXen
I still have lost connection, 802.1x authentication timeout, do You have another (success) result?
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Mon Apr 24, 2017 4:15 pm

Support wrote:
we were able to improve the compatibility with the PEAP and in one of the next RC versions it will be added - just check the changelog entry and then test that version.
After than please report back if it works ok.
So, just waiting a little bit again.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Thu Apr 27, 2017 5:16 pm

Hi. Is there any news about PEAP-MSCHAPv2 support?
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 4:06 pm

Hi. Is there any news about PEAP-MSCHAPv2 support?
No
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:11 pm

I need to test it but it is a bit difficult as I don't have a MikroTik as station myself.
So I need to get remote access to someone else's device and be able to experiment without losing the connection.
Maybe later.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:14 pm

I need to test it but it is a bit difficult as I don't have a MikroTik as station myself.
So I need to get remote access to someone else's device and be able to experiment without losing the connection.
Maybe later.
Do You from developers team?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:17 pm

what do you mean? I don't understand your question.
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:18 pm

please upgrade to v6.40rc2 and check again.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:19 pm

what do you mean? I don't understand your question.
Are you a developer?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 6:42 pm

No of course not, I am a user. But at home I have a Ubiquiti AP. There it works.
Other people in our network have MikroTik and I need to debug via one of their APs.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri Apr 28, 2017 7:32 pm

please upgrade to v6.40rc2 and check again.
At 6.40rc2 with Rostelecom's AP still 802.1x authentication timeout

Supout at support mail. If needed real test in production network- just tell me.
Last edited by FFAMax on Fri Apr 28, 2017 7:35 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Sat Apr 29, 2017 1:33 pm

I have tested in our HAMNET against a MikroTik AP configured with radius and it works OK with version 6.39 !

Client side config:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap eap-methods=peap mode=\
    dynamic-keys mschapv2-password=XXXXXXX mschapv2-username=XXXXXXX \
    supplicant-identity=XXXXXXXX tls-mode=dont-verify-certificate
AP side config:
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=eap-tls,passthrough \
    management-protection-key=XXXXXX mode=dynamic-keys name=WPA2-EAP \
    radius-eap-accounting=yes supplicant-identity=MikroTik
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Sat Apr 29, 2017 2:50 pm

eap-methods=eap-tls,passthrough
How Radius processing certs in your case? Trying to install some certs to client side?
 
linux25
just joined
Posts: 5
Joined: Sat Apr 29, 2017 4:09 pm

Re: PEAP-MSCHAPv2

Sat Apr 29, 2017 4:20 pm

Connecting to UPC WI-Free, working, thank you mikrotik.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Sat Apr 29, 2017 7:26 pm

How Radius processing certs in your case? Trying to install some certs to client side?
No we use MSCHAPv2. That was what we were waiting for, certs was already supported I think.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Wed May 03, 2017 9:23 pm

And news from our test.

Generally, at 6.40rc2, with Rostelecom working too! Bottom details in russian.

Итак, господа, настало счастье для пользователей УЦН - оно работает, но прочитайте текст ниже, чтобы сходу не наступить на грабли.
У РТ есть какая-то привязка. После подключения под МАСом "Альфа" нельзя сразу подключаться с другого девайса с МАСом "Бета".
То есть, склонируйте МАС-адрес на Микротик во избежании проблем, если совсем недавно подключались с какого-то другого девайса. То же самое касается тех, кто будет использовать виртуальные интерфейсы с МАС-адресами, отличными от того, который чуть ранее выходил в сеть (если выходил).
Еще раз на пальцах: Настраиваем интерфейс, успешно подключаемся, отключаем интерфейс, меняем МАС и больше не можем подключиться - будет ошибка 802.1x authentication timeout, словно введен неверный логин/пароль или не поддерживается PEAP.
Мой рабочий конфиг выглядел так:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap eap-methods=peap management-protection=allowed mode=dynamic-keys mschapv2-password=pasW0000000rd mschapv2-username=7700000006 name=7700000006 supplicant-identity=7700000006 tls-mode=dont-verify-certificate
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no frequency=auto security-profile=7700000006 ssid=RTWiFi wps-mode=disabled
Дальше получаем на интерфейса адрес и натим.

Спасибо Uldis за поддержку.

Какие схемы работают, а какие нет (на всех схемах опечатка - virtial читать как virtual):
РАБОТАЕТ:
Image

НЕ работает:
Image
wlan1 и virtual2 успешно получают адреса по DHCP, но шлюз видят только через один из интерфейсов. Через оба сразу трафик не побежит (L2 с AP по второму подключению не работает, кроме DHCP).

Все извраты с попыткой уйти от маршрутизации и обойтись псевдобриджом также не помогают - ну не работает 2 одновременных station подключения.
Если Микротик сможет это пофиксить - будет здорово!

Сейчас объясню почему это так важно.
Image
Image

Если все будут жить под мачтой и пользоваться услугой сидя под столбом - вопросов нет.
Но до жилых домов расстояние больше, чем зона покрытия.
Мы сделали большой шаг, чтобы зацепиться за точку доступа, уже можно использовать SXT для приема сигнала, но что делать, если расстояние слишком большое?
Тогда нужно терминировать много-много клиентов на одной SXT, дотянуть их до места распределения, примерно так:
Image
Для реализации схемы не хватает капельки чуда :-)
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 10:51 am

Hello!
And it was not possible to force to care on the firmware 6.40rc2, 6.40rc4, 6.40rc5, and also on 6.39.1.
On 6.39.1, the 802.1x authentication timeout error.
On the firmware 6.40rc2, 6.40rc4, 6.40rc5 the connection is established but the authorization apparently does not pass (I tried different login-password pairs, not even existing ones).
Here is an example of a log:
10:47:51 wireless, debug rtk: no network that satisfies connect-list, by default choose with strongest
Signal
10:47:52 wireless, info EC: 4C: 4D: 55: 9A: 38 @ rtk established connection on 2472000, SSID RTWiFi
and that is all.
RX Rate at the same time costs 1 Mbps.
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:15 am

ifc, what exactly is not working?
Make sure you specify the supplicant-identity the same as the mschanp username an also set tls-mode=dont-verify-certificate
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:17 am

Put your output
/in wi export
(hide passwords by ***)
Hello!
And it was not possible to force to care on the firmware 6.40rc2, 6.40rc4, 6.40rc5, and also on 6.39.1.
On 6.39.1, the 802.1x authentication timeout error.
On the firmware 6.40rc2, 6.40rc4, 6.40rc5 the connection is established but the authorization apparently does not pass (I tried different login-password pairs, not even existing ones).
Here is an example of a log:
10:47:51 wireless, debug rtk: no network that satisfies connect-list, by default choose with strongest
Signal
10:47:52 wireless, info EC: 4C: 4D: 55: 9A: 38 @ rtk established connection on 2472000, SSID RTWiFi
and that is all.
RX Rate at the same time costs 1 Mbps.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:29 am

[root@MikroTik] > /in wi export
# may/12/2017 11:38:12 by RouterOS 6.40rc4
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
set [ find default=yes ] eap-methods="" radius-eap-accounting=yes radius-mac-mode=\
as-username-and-password
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip group-key-update=1m \
interim-update=1s management-protection-key=77970047518 mode=dynamic-keys mschapv2-password=\
*** mschapv2-username=77970047518 name=77970047518 radius-eap-accounting=yes \
radius-mac-mode=as-username-and-password supplicant-identity=77970047518 tls-mode=\
dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 frequency=\
auto ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,\
mcs-12,mcs-13,mcs-14,mcs-15" keepalive-frames=disabled l2mtu=1500 mtu=1400 multicast-buffering=\
disabled multicast-helper=disabled name=rtk radio-name=77970047518 security-profile=77970047518 \
ssid=RTWiFi station-roaming=disabled tx-power=21 tx-power-mode=all-rates-fixed wds-mode=dynamic \
wireless-protocol=802.11 wmm-support=enabled
/interface wireless align
set audio-max=-80 audio-min=-140 receive-all=yes ssid-all=yes
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:37 am

Looks good.
Jump to 6.40rc2
Register new account (login+password for Wi-Fi). Newer use new login except Mikrotik (use only current (old) login for manipulation with accounts).
Disable wlan interface.
Put new login and password to MT box.
Be sure that new Wi-Fi login activated (balance +).
Enable wlan and try to connect.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:38 am

And change like this
management-protection=allowed
authentication-types=wpa2-eap
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: PEAP-MSCHAPv2

Fri May 12, 2017 11:51 am

I would suggest to remove the tkip and use only aes encryption.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 12:05 pm

I would suggest to remove the tkip and use only aes encryption.
Yes, right!

At next time i should use export verbose for best detalization.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 3:40 pm

[root@MikroTik] > /in wi export
# may/12/2017 15:42:40 by RouterOS 6.40rc2
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
set [ find default=yes ] eap-methods="" radius-eap-accounting=yes radius-mac-mode=as-username-and-password
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip group-key-update=1m interim-update=1s \
management-protection=allowed mode=dynamic-keys mschapv2-password=**** mschapv2-username=77970047518 name=77970047518 \
radius-mac-mode=as-username-and-password supplicant-identity=77970047518 tls-mode=dont-verify-certificate unicast-ciphers=\
tkip
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip management-protection=allowed mode=dynamic-keys \
mschapv2-password=**** mschapv2-username=77970042554 name=77970042554 radius-eap-accounting=yes supplicant-identity=\
77970042554 tls-mode=dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 disabled=no frequency=2472 \
ht-supported-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 \
keepalive-frames=disabled l2mtu=1500 mtu=1400 multicast-buffering=disabled multicast-helper=disabled name=rtk radio-name=\
77970042554 security-profile=77970042554 ssid=RTWiFi station-roaming=disabled tx-power=21 tx-power-mode=all-rates-fixed \
wds-mode=dynamic wireless-protocol=802.11 wmm-support=enabled
/interface wireless align
set audio-max=-80 audio-min=-140 receive-all=yes ssid-all=yes
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 3:44 pm

15:43:33 wireless,info EC:4C:4D:55:9A:38@rtk established connection on 2472000, SS
ID RTWiFi
15:44:03 wireless,info EC:4C:4D:55:9A:38@rtk: lost connection, 802.1x authenticati
on timeout

does not work
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 4:05 pm

Баланс в плюсе, услуга активна (в личном кабинете), и перед этим под этим логопасом с другого девайса (МАСа) не подключались?
Интересно...

Проще всего слизать 1:1 мой конфиг, только замените логин и пароль.
Сделайте бекап, потом сбросьте в дефолт не применяя дефолтный конфиг. Будет голый девайс, в него влейте мою секцию ВиФи заменив логопасс.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: PEAP-MSCHAPv2

Fri May 12, 2017 4:13 pm

Please post in English only. Thank you.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 5:44 pm

did everything from the beginning. The result is the same.
From your config I changed:
Login: Password
Region: Russia2 (without it will not connect to the frequency 2472)
Channel With: 20/40 MHz eC
WPA EAP (tkip-tkip)

aes-aes:
19:27:52 wireless,debug wlan1: EC:4C:4D:55:9A:38 not acceptable for security profile: does not
have matching group ciphers
19:27:52 wireless,debug wlan1: failed to select network
Last edited by ifc on Fri May 12, 2017 7:30 pm, edited 1 time in total.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 5:45 pm

17:42:52 wireless,debug EC:4C:4D:55:9A:38: on 2472 AP: yes SSID RTWiFi caps 0x831 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug EC:4C:4D:55:9A:39: on 2472 AP: yes SSID RTFree caps 0x831 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug EC:4C:4D:55:9A:3A: on 2472 AP: yes SSID RTOpen caps 0x821 rates 0xCCK:1-11 OFDM:6-54 BW:1x-2x S
GI:1x-2x HT:0-15 basic 0xCCK:1-11 OFDM:6,12,24 MT: no
17:42:52 wireless,debug wlan1: no network that satisfies connect-list, by default choose with strongest signal
17:42:52 wireless,info EC:4C:4D:55:9A:38@wlan1 established connection on 2472000, SSID RTWiFi
17:43:23 wireless,debug wlan1: start background scan
17:43:27 wireless,debug wlan1: background scan complete, must select network
17:43:27 wireless,debug wlan1: no network that satisfies connect-list, by default choose with strongest signal
17:43:27 wireless,debug wlan1: failed to select network
17:43:27 wireless,debug wlan1: did not find better AP
17:43:57 wireless,debug wlan1: start background scan
Last edited by ifc on Fri May 12, 2017 5:48 pm, edited 2 times in total.
 
ifc
just joined
Posts: 8
Joined: Thu Apr 27, 2017 9:51 am

Re: PEAP-MSCHAPv2

Fri May 12, 2017 5:46 pm

[admin@MikroTik] > /in wi export
# may/12/2017 17:46:26 by RouterOS 6.40rc2
# software id = M5IJ-FFHA
#
/interface wireless security-profiles
add authentication-types=wpa-eap eap-methods=peap group-ciphers=tkip management-protection=allowed mode=dynamic-keys
mschapv2-password=*** mschapv2-username=77970047518 name=77970047518 supplicant-identity=77970047518 tls-mo
dont-verify-certificate unicast-ciphers=tkip
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=russia2 frequency=auto security-pr
77970047518 ssid=RTWiFi wps-mode=disabled
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Mon May 29, 2017 8:40 am

A similar problem is with the ifc. Installed RouterOS 6.39.1 on mikrotik sxt lite2.
Only MAC is different:

15:43:33 wireless,info EC:4C:4D:55:A6:7A@wlan1 established connection on 2472000, SSID RTWiFi
15:44:03 wireless,info EC:4C:4D:55:A6:7A@wlan1: lost connection, 802.1x authentication timeout

I did everything as FFAMax wrote, I used it config but with my login and password.X Rate at the same time costs 1 Mbps. It was registered with mikrotik sxt lite2 via an accessible RTOpen.
This is only when the Group Ciphers tkip is enabled, otherwise only the frequency search is performed.
Last edited by romirazz on Tue May 30, 2017 10:51 am, edited 2 times in total.
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Mon May 29, 2017 9:31 am

Here's what I found at the base point of Rostelecom:

The program and testing technique of the wireless access point equipment for the implementation of the Internet access service from the Universal Communications Services
Technique of checking the functionality of equipment
Authentication and security testing
Support for 802.1x authentication using an external radius server.
Test Name: Support for 802.1x authentication using an external server radius.
The purpose of the test: Ensure that 802.1x authentication is supported using the external radius of the server and the EAP-PEAP protocols.
Importance of the test: Basic
Test procedure: Configure the access point with two SSIDs on one of (SSID1) which specify the encryption mode of WPA2 (or WPA2 AES); The 802.1x authentication mode with the EAP-PEAP authentication option.
As the authentication algorithm in the second authorization phase, specify MSCHAPV2. The setup should allow the user to authenticate with the login / password pair without having to use certificates on the client hardware.
2. Through the BTC GUI, configure the external radius of the server-specify the IP address, port and secret key for the FreeRadius lab server.
3. On the FreeRadius laboratory radius server, configure two users of TestUser1 and TestUser2. Define for them different passwords for access. Configure server
Certificate for the radius of the server. Configure BTC as the NAS client for the FreeRadius server.
4. Set SSID1 authentication mode through the external radius server (Enterprise) mode.
5. Activate the session using a Windows 7/8 client on a laptop with 802.1x authentication settings and a recommended user name and password.
Expected Result: Make sure that clients with a pair of login / password specified in the Radius server get access to the SSID
1. Ensure that clients with an incorrect password do not gain access to SSID1. Ensure that clients with 802.1x authentication disabled or do not support this authentication do not gain access to 802.1x.

Base station ROTEK rt-br24-wfn2e

Maybe this will help as it sorted out ?!
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Mon May 29, 2017 9:41 am

Transfer of the MAC address of the subscriber when authorizing the subscriber to the Radius server
Test name: Transfer of the MAC address of the subscriber when authorizing the subscriber to the Radius server. The purpose of the test: Ensure the transmission of the MAC address of the subscriber when authorizing the subscriber to the Radius server.
Importance of the test: Basic
Test procedure:
1. For the test, verify by using the analyzer protocol the presence of MAC Client addresses in the Radius message
Expected result Mac client address is present in the Radius message
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Wed May 31, 2017 10:25 am

Image

Can I have a problem with CCQ?

And yet, the real distance to the point of 400 meters.
 
User avatar
FFAMax
newbie
Topic Author
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: PEAP-MSCHAPv2

Wed May 31, 2017 4:04 pm

Hi!

As i wrote in e-mail, try to use 6.40rc2 first.
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Thu Jun 01, 2017 8:37 am

Hi!

As i wrote in e-mail, try to use 6.40rc2 first.
OK! On the weekend I'll try. Version 6.40 downloaded, I'll try to get closer to the access point, I do not have direct visibility.
 
romirazz
just joined
Posts: 6
Joined: Tue May 16, 2017 11:06 am

Re: PEAP-MSCHAPv2

Mon Jun 05, 2017 8:48 am

Thank you for helping FFAMax! Works with version 6.40rc2.
 
Korzhik
just joined
Posts: 1
Joined: Mon Jun 19, 2017 8:43 am

Re: PEAP-MSCHAPv2

Mon Jun 19, 2017 8:54 am

Hello! I using a version of firmware 6.40rc2 and could not to connect to RTWiFi. The network is connect, but after 4 or 5 seconds its lost and then connect ones more time. Lost-connect-lost-connect...what should I do? Maybe problems with MAC?
 
User avatar
lapsio
Long time Member
Long time Member
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

Re: PEAP-MSCHAPv2

Wed Oct 04, 2017 7:47 pm

Wait I was just trying to connect for an hour to realize that I had to type my username as supplicant-identity. What is difference between mschapv2-username and supplicant-identity? Linux systems (and Android) shows identity and anonymous identity or username and anonymous identity. Why those names are so confusing and what's their actual meaning?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: PEAP-MSCHAPv2

Wed Oct 04, 2017 10:00 pm

supplicant-identity corresponds with "anonymous identity".
is is kind of a dummy value that is used to establish the initial connection before the encryption is established and the real user/pass are sent.
I think it is mostly because of they way WiFi authentication has evolved.
usually it does not matter what is in supplicant-identity but in our radio network where we do not need to hide the real username, we normally use the same value as for username.
 
User avatar
rushlife
Member Candidate
Member Candidate
Posts: 254
Joined: Thu Nov 05, 2015 12:30 pm

Re: PEAP-MSCHAPv2

Mon May 14, 2018 11:16 am

eap-ttls-mschapv2 on capsman ???
can someone help me ?
It is even possible ?

Who is online

Users browsing this forum: Artemis and 9 guests