
EAP PEAP-MSCHAPv2 as station with v7

Posted: Thu Nov 24, 2022 4:56 pm
by hoh
We need to connect MikroTik as a client (station) to a WPA2-Enterprise secured wifi network using PEAP-MSCHAPv2. With ROS 6.49.7, everything works fine with this security-profile config.
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=peap management-protection=allowed mode=dynamic-keys mschapv2-password=_SECRET_ mschapv2-username=_USERNAME_ name=wifi_client supplicant-identity=_USERNAME_ tls-mode=dont-verify-certificate
When trying the same with v7, it silently fails. The only trace is this message in the log: "XX:XX:XX:XX:XX:XX@wlan2: lost connection, 802.1x authentication timeout". I tried to tweak all possible settings in /interface/wireless with no success. I also opened SUP-98029 with MikroTik but so far there is no reaction.

Anybody hit the same issue?
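An added check, written for this thread and not part of the original post or of RouterOS: it parses the security-profile line above into its key=value pairs, lints the settings a reviewer would question before blaming the firmware (the `tls-mode=dont-verify-certificate` setting means the station will complete the PEAP tunnel and send its MSCHAPv2 credentials to any server, so it is worth fixing independently of the v7 bug), and rebuilds a hardened line. It assumes the RouterOS value `tls-mode=verify-certificate` and that the RADIUS server's CA has been imported into /certificate on the station; the sample line is the one from the post, placeholders included.

```python
import shlex

# Constructed sample: the ROS 6.49.7 profile from the first post, placeholders kept as posted.
PROFILE_LINE = (
    "/interface wireless security-profiles add authentication-types=wpa2-eap "
    "eap-methods=peap management-protection=allowed mode=dynamic-keys "
    "mschapv2-password=_SECRET_ mschapv2-username=_USERNAME_ name=wifi_client "
    "supplicant-identity=_USERNAME_ tls-mode=dont-verify-certificate"
)

def parse_profile(line):
    """Split a RouterOS 'path command key=value ...' line; shlex handles quoted values."""
    tokens = shlex.split(line)
    first_kv = next(i for i, t in enumerate(tokens) if "=" in t)
    path = " ".join(tokens[:first_kv - 1])
    command = tokens[first_kv - 1]
    params = dict(t.split("=", 1) for t in tokens[first_kv:])
    return path, command, params

def lint_profile(params):
    """Return (severity, message) findings for a PEAP-MSCHAPv2 station profile."""
    findings = []
    if params.get("authentication-types") != "wpa2-eap":
        findings.append(("error", "authentication-types must be wpa2-eap"))
    if "peap" not in params.get("eap-methods", "").split(","):
        findings.append(("error", "eap-methods must include peap"))
    if params.get("tls-mode") in ("dont-verify-certificate", "no-certificates"):
        findings.append(("warning", "tls-mode skips RADIUS server certificate checks, so the "
                         "inner MSCHAPv2 credentials go to whichever server answers"))
    if params.get("supplicant-identity") != params.get("mschapv2-username"):
        findings.append(("info", "outer identity differs from the MSCHAPv2 username; some "
                         "servers (the Draytek later in this thread) want a registered user there"))
    return findings

def harden_profile(params):
    """Copy with server-certificate verification on; assumes the server CA is in /certificate."""
    fixed = dict(params)
    fixed["tls-mode"] = "verify-certificate"
    return fixed

def render_profile(path, command, params):
    """Rebuild the CLI line, quoting values that need it so it re-parses cleanly."""
    kv = " ".join(f"{k}={shlex.quote(v)}" for k, v in params.items())
    return f"{path} {command} {kv}"

if __name__ == "__main__":
    path, command, params = parse_profile(PROFILE_LINE)
    print(lint_profile(params))
    print(render_profile(path, command, harden_profile(params)))
```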

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Tue Jan 24, 2023 3:13 pm
by hoh
Nobody needs PEAP-MSCHAPv2? Searching forum's history, I see it had been a long awaited feature, so having a bug in ROS v7 should hit somebody ...

If anybody from MikroTik reads this ... your support sucks! I opened SUP-98029 trying to follow all guidelines (providing all information, supout files for working and broken scenario etc.). There is no answer for more than 2 months. I completely understand that this is no paid support with SLA, but still, ignoring the request completely is not very kind. Any answer would be better than this, even a "won't fix" one.

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Jan 25, 2023 12:09 am
by bpwl
Works fine in ROS6 indeed.

Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Jan 25, 2023 10:04 pm
by hoh
No extra log with topics=radius on station. I even tried topics=debug. The above-mentioned message "lost connection, 802.1x authentication timeout" is the only trace I'm able to get. There is also no interesting log when using ROS6 (which works fine).

I do not control the AP side - we need to connect MikroTik as station to a network operated by another company. But I was able to test against several networks built on different platforms with the same result (ROS6 works, ROS7 fails), so I doubt it would be an AP/controller issue. I could build a MikroTik-based AP with EAP in a lab to get AP-side logs. But since MikroTik support keeps ignoring my rigorous bug report, this looks like a waste of time ...

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Thu Jan 26, 2023 8:46 pm
by bpwl
Well, it might be hard to debug or diagnose without the full AP side access and control.

If RADIUS works, it's great. Issues with TLS versions for me are not very easy to diagnose/correct.
With FreeRADIUS (open source code) at least there is a lot of information and debug mode.

ROS6 and ROS7 might have different TLS version handling. And then the supported TLS versions in the AP matter.
Maybe @sindy can help here. See: viewtopic.php?t=173848 .
See also https://github.com/multiduplikator/mikrotik_EAP . I know it's more about the server side.
And https://freeradius-users.freeradius.nar ... on-too-low

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Fri Jan 27, 2023 10:42 am
by hoh
Thanks, bpwl, for the links and ideas!

OK, I'll try to prepare a lab environment with MikroTik station and MikroTik AP, sniff the air to check TLS versions and get back then.

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Sat Jan 28, 2023 10:26 pm
by m4rk3J
I ran into the same problem when connecting RouterOS v7 CPE as station to v7 cAP ac controlled by CAPsMAN...

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Tue Apr 18, 2023 3:14 pm
by bpwl
Works fine in ROS6 indeed.

Does adding [ logging topics = "radius,!packet" ] give extra information on the AP or station?
Have to correct this. Does not always work fine in ROS6.
My combination with a Draytek main router, used for RADIUS authentication, works fine with all known systems ... tablet, smartphone, PC, watch, ... iOS, Windows, Linux, Android.
But it fails with Mikrotik router as client on ROS 6.45.6 (a good one) and even with ROS 6.49.7, the latest ROS6.
That Mikrotik router works fine on the Enterprise login from all my ISP providers with the PEAP client setup. (https://wiki.mikrotik.com/wiki/Manual:W ... FreeRADIUS)

What I diagnosed in the Draytek is that it requires the "Supplicant Identity" in the Mikrotik client to match a registered user, which is not a usual requirement. This is to avoid "RADIUS SRV: User-Name not found from user database" in the Draytek. But it still fails to get an "accept" from the Draytek RADIUS.

Why Draytek, and not Mikrotik ROS7 User-manager V5? A license limit that is way too strict in ROS7: 20 or 50 sessions, or License level 6 is needed.
Different sequence of methods negotiated between RADIUS server and client???

PS: further tests: Did the test with ROS 7.8 User Manager v5 as RADIUS server .... Error in the LOG file is: "EAP auth stopped for <""> reason: timeout + ssl: no common ciphers"

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Sat Jan 13, 2024 9:34 am
by slavik
7.13, same error: lost connection, 802.1x authentication timeout

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Sun Jul 14, 2024 11:35 pm
by bpwl
Maybe they fixed it ... 7.15 Stable release notes say:
*) eap - improved eap-peap, eap-mschap2 client authentication (dot1x/wireless/ipsec);

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Thu Jul 25, 2024 4:46 pm
by mrtn
I hoped so as well when I saw the release notes for v7.15, but the issue persists for me. :(
Tried many different WiFi security profile settings (PEAP, EAP-TLS with certs, etc.), but it just doesn't work.

Mikrotik, would be great if this can be fixed soon. Thanks!

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Sep 18, 2024 12:14 pm
by rohovsky
Hi!

I have the same problem with RBwAPG-5HacD2HnD / 2011UAS-2HnD / RBD53iG-5HacD2HnD configured as station pseudobridge for wireless uplink. It works fine on RouterOS v6.49.x, but after upgrade to v7.14.3 the connection failed with "802.1x authentication failed" in the log. And there isn't any event log on the Windows RADIUS server.

Re: EAP PEAP-MSCHAPv2 as station with v7

Posted: Wed Sep 18, 2024 12:53 pm
by rohovsky
Hi again!

I have tested latest RouterOS 7.15.3 now on RBwAPG-5HacD2HnD with success - station is connected.