Hi all,
I have configured a MikroTik RouterBOARD to have a wireless network that attempts to authenticate using EAP-TLS with a client certificate only, passed through to a RADIUS server which verifies everything.
So far, the RADIUS server seems to be working correctly, and the user is accepted, but the attempt by the iPhone to connect doesn't ever complete. The little "busy" throbber keeps spinning and spinning on the iPhone, and the connection is attempted over and over again. The iPhone gives no error message or clue of any kind. The RouterBOARD logs the following:
17:07:05 wireless,debug wlan-g-tls: 7C:C5:37:29:DB:21 attempts to associate
17:07:05 wireless,debug wlan-g-tls: 7C:C5:37:29:DB:21 not in local ACL, by default accept
17:07:05 wireless,info 7C:C5:37:29:DB:21@wlan-g-tls: connected
17:07:05 wireless,debug 7C:C5:37:29:DB:21@wlan-g-tls: got identity person@example.com
17:07:05 wireless,debug 7C:C5:37:29:DB:21@wlan-g-tls: EAP going to pass through
17:07:07 wireless,debug 7C:C5:37:29:DB:21@wlan-g-tls: EAP success from RADIUS
17:07:07 dhcp,info dhcp2 deassigned 10.0.1.2 from 7C:C5:37:29:DB:21
17:07:09 dhcp,info dhcp2 assigned 10.0.1.2 to 7C:C5:37:29:DB:21
17:08:05 wireless,info 7C:C5:37:29:DB:21@wlan-g-tls: disconnected, unknown reason (118:2)
Does anyone know what reason code "118:2" is? (Google doesn't).
The wireless interface is configured as follows:
1 name="wlan-g-tls" mtu=1500 mac-address=02:00:00:AA:00:00 arp=enabled
  master-interface=wlan-g-public ssid="Mysterium" wds-mode=disabled
  wds-default-bridge=none wds-ignore-ssid=no default-authentication=yes
  default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
  hide-ssid=no security-profile=tls
The security profile is configured as follows:
1 name="tls" mode=dynamic-keys authentication-types=wpa-eap
  unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key=""
  wpa2-pre-shared-key="" supplicant-identity="foo"
  eap-methods=passthrough tls-mode=no-certificates tls-certificate=none
  static-algo-0=none static-key-0="" static-algo-1=none static-key-1=""
  static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
  static-transmit-key=key-0 static-sta-private-algo=none
  static-sta-private-key="" radius-mac-authentication=no
  radius-mac-accounting=no radius-eap-accounting=no interim-update=0s
  radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
  radius-mac-caching=disabled group-key-update=5m
  management-protection=disabled management-protection-key=""
Can anyone confirm whether an iPhone (iOS v5.0.1) works with MikroTik RouterOS v4.5 + EAP-TLS?
Regards,
Graham
--