PEAP Help - Screenshots?
Posted: Fri May 28, 2010 6:04 pm
by rekholm
I am trying to implement PEAP over wireless here in our company, and am still having problems. It looks like the only way to make it work (fairly) seamlessly, is to create a Hotspot, use Radius auth, then route all of the traffic through that way. Am I wrong?
Since our company uses a Cisco ACS (Access Control Server), I'm a bit confused about how to set it all up. Ideally I would rather be able to use a Security Profile that says pass all requests to the ACS or Radius Server, and let the Mikrotik just be the middleman.
Is that possible? I'm pretty new, so I apologize now if this seems basic for some of you.
I'd like to think I have searched pretty much throughout the forum, and can't come up with a working solution.
Does anyone have some screenshots of how they set yours up?
Thanks to the community!!
Rod Ekholm
Re: PEAP Help - Screenshots?
Posted: Sat May 29, 2010 12:22 pm
by fewi
Go to /radius and set up the ACS server as a RADIUS server for the wireless service (rather than Hotspot or login). Then enable WPA or WPA2 in their Enterprise versions right on the AP for association and use PEAP.
Caveat: I don't use wireless on Mikrotik and don't know if it supports PEAP.
Re: PEAP Help - Screenshots?
Posted: Mon May 31, 2010 2:56 pm
by sergejs
Since our company uses a Cisco ACS (Access Control Server), I'm a bit confused about how to set it all up. Ideally I would rather be able to use a Security Profile that says pass all requests to the ACS or Radius Server, and let the Mikrotik just be the middleman.
Yes, it is what you need to configure on MikroTik AP, which should be middleman between RADIUS server and client [non-MikroTik].
Basic settings for the MikroTik AP wireless interface,
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=passthrough
/radius client should point to your RADIUS server.
Wireless client should have proper settings for used EAP method.
Re: PEAP Help - Screenshots?
Posted: Tue Jun 01, 2010 8:06 pm
by rekholm
sergejs -
When I do this config, the TYPE selected defaults to NONE. It sent me thru the network just fine, but never did hit the RADIUS, therefore, never really authenticating against it. I changed this to Dynamic, and get a "VALIDATING IDENTITY" on my wireless clients, but when I look at the Radius Status, it never seems to try and latch to the radius server.
Also, we don't use any sort of accounting here... do I need to have any of the check boxes on the Radius tab checked? I was under the impression that is all I had to do, was have the shared secret in the RADIUS setup, and it should try to go.
Thanks.
Re: PEAP Help - Screenshots?
Posted: Wed Jun 02, 2010 7:58 am
by sergejs
Additionally, you need to enable radius-mac-authentication.
Re: PEAP Help - Screenshots?
Posted: Wed Jun 02, 2010 5:32 pm
by rekholm
OK.. so Unless I'm not understanding something, if I set up MAC, It is no longer using PEAP! Or at least username/password type auth for domain. It has to pass USER/PASS to the RADIUS, which looks to see if that user has rights to access certain wireless systems.
If I have to put in the user's MAC's into a database, I may as well leave it open.
Re: PEAP Help - Screenshots?
Posted: Thu Jun 03, 2010 9:27 am
by sergejs
It should work without radius-mac-authentication; monitor /radius monitor <0> to find out whether any packets are sent to RADIUS or not when MAC RADIUS authentication is off.
When EAP authentication is used (eap-method=passthrough),
router should send these attributes in Access-Request,
Access-Request is sent, which contains:
User-Name - EAP supplicant identity (supplicant-identity from security-profiles)
Nas-Port-Id - interface name
Acct-Session-Id - session-id (when radius-eap-accounting=yes)
Acct-Multi-Session-Id - id, when radius-eap-accounting=yes, to distinguish different sessions, format "AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX", where AA - AP MAC address, CC - client MAC address, XX unique number;
Calling-Station-Id - client MAC address "XX-XX-XX-XX-XX-XX"
Called-Station-Id - AP MAC address and SSID "XX-XX-XX-XX-XX-XX:ssid";
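Added example, not part of the original post and not MikroTik's code: a small parser for a captured Access-Request that reports the attributes listed above and whether the AP is actually relaying EAP, using EAP-Message and Message-Authenticator from RFC 3579 as the marker. The sample packet, user name, MAC addresses and SSID are constructed for illustration.

```python
import struct

# Attribute numbers (RFC 2865/2866/2869) for the attributes listed in the post, plus
# EAP-Message and Message-Authenticator (RFC 3579), which carry the EAP exchange.
ATTRS = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id",
         44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id",
         79: "EAP-Message", 80: "Message-Authenticator", 87: "NAS-Port-Id"}

def parse_access_request(pkt: bytes) -> dict:
    """Decode a RADIUS Access-Request into {attribute name: [raw values]}."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers the header.
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        name = ATTRS.get(pkt[pos], f"Attr-{pkt[pos]}")
        attrs.setdefault(name, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return attrs

def summarize(pkt: bytes) -> dict:
    """Pull out the fields worth checking when the RADIUS server sees no EAP."""
    a = parse_access_request(pkt)
    text = lambda name: a[name][0].decode() if name in a else None
    ap_mac, _, ssid = (text("Called-Station-Id") or "").partition(":")
    return {"identity": text("User-Name"), "interface": text("NAS-Port-Id"),
            "client_mac": text("Calling-Station-Id"), "ap_mac": ap_mac, "ssid": ssid,
            # Passthrough requests must carry both attributes (RFC 3579).
            "eap_passthrough": "EAP-Message" in a and "Message-Authenticator" in a}

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def sample_request(eap: bool = True) -> bytes:
    """Constructed sample (not a capture); every value here is made up."""
    body = (_attr(1, b"alice") + _attr(87, b"wlan1")
            + _attr(31, b"02-00-00-00-00-01")
            + _attr(30, b"02-00-00-00-00-AA:corp-wifi"))
    if eap:
        # EAP-Response/Identity (code 2, id 1, length 10, type 1, "alice");
        # the Message-Authenticator value is a zeroed placeholder, not a real HMAC.
        body += _attr(79, b"\x02\x01\x00\x0a\x01alice") + _attr(80, bytes(16))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
```

A request that arrives at the RADIUS server with `eap_passthrough` false is not an EAP exchange, so the server has no PEAP conversation to continue.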
Re: PEAP Help - Screenshots?
Posted: Tue Mar 05, 2024 11:15 am
by toniojst
It should work without radius-mac-authentication; monitor /radius monitor <0> to find out whether any packets are sent to RADIUS or not when MAC RADIUS authentication is off.
When EAP authentication is used (eap-method=passthrough),
router should send these attributes in Access-Request,
Access-Request is sent, which contains:
User-Name - EAP supplicant identity (supplicant-identity from security-profiles)
Nas-Port-Id - interface name
Acct-Session-Id - session-id (when radius-eap-accounting=yes)
Acct-Multi-Session-Id - id, when radius-eap-accounting=yes, to distinguish different sessions, format "AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX", where AA - AP MAC address, CC - client MAC address, XX unique number;
Calling-Station-Id - client MAC address "XX-XX-XX-XX-XX-XX"
Called-Station-Id - AP MAC address and SSID "XX-XX-XX-XX-XX-XX:ssid";
I also have a problem connecting a MikroTik as a client to 802.1x. The problem is that the MikroTik doesn't send the identity. All the images are here, can I get help:
viewtopic.php?p=1059141&hilit=wpa2+enterprise#p1059141