
CAPsMAN vs WPA2-Enterprise

Posted: Wed Jan 07, 2015 6:40 am
by dana1975
Does CAPsMAN support WPA2-Enterprise to authenticate users with Active Directory?
I know that I can use Hotspot to use RADIUS, but I don't want to use it.

Re: CAPsMAN vs WPA2-Enterprise

Posted: Wed Jan 07, 2015 8:49 am
by NathanA
I haven't tested it in CAPsMAN specifically, but it works in CAPsMAN exactly the same way that it works if you configure the wireless AP directly without using CAPsMAN. So, forget CAPsMAN entirely for a minute. If you have never set up WPA2 Enterprise on RouterOS before without CAPsMAN, I recommend you familiarize yourself with that first, and then re-implement it on CAPsMAN after you have it working. You select WPA2-EAP on the security profile, set an EAP mode of "passthrough", and then add/configure entries for your RADIUS servers with a service of "wireless".

Active Directory is LDAP-backed, and RouterOS cannot use LDAP as a source for AAA, so you will need to set up a RADIUS server first that can proxy requests between RouterOS and Active Directory. Again, if you haven't ever done this before, you need to get this tested and working first before you concern yourself with CAPsMAN. Once you have all of the necessary bits in place, adding CAPsMAN to the mix should be a piece of cake.

-- Nathan
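The configuration the post above describes, on a standalone (non-CAPsMAN) RouterOS AP. This is an added example, not code from the thread or from MikroTik; the RADIUS server addresses, the shared secret, the SSID and the wlan1 interface name are assumed.

```routeros
# Added example (not from the thread): WPA2-Enterprise on a standalone RouterOS AP.
# Addresses, secret, SSID and interface name below are assumed values.

# RADIUS clients for wireless EAP. Every entry with service=wireless is a candidate
# for every SSID on this router; a second entry only provides failover, tried in list order.
/radius
add service=wireless address=192.0.2.10 secret=ChangeMe-long-random-secret timeout=1s
add service=wireless address=192.0.2.11 secret=ChangeMe-long-random-secret timeout=1s

# Security profile: WPA2 with EAP, and the EAP conversation passed through to RADIUS,
# so the RADIUS server (not the AP) terminates PEAP/EAP-TLS and checks the user against AD.
/interface wireless security-profiles
add name=wpa2-ent mode=dynamic-keys authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=passthrough

# Bind the profile to the radio.
/interface wireless
set wlan1 ssid=SSID1 security-profile=wpa2-ent
```

To see what the AP actually sends and whether the server answers, enable RADIUS logging on the router (`/system logging add topics=radius,debug`) and check the RADIUS server's own log for Access-Request and Access-Accept/Reject; get this working against one SSID before touching CAPsMAN. With EAP passthrough the AP never sees credentials, so the remaining client-side risk is a rogue AP presenting its own RADIUS certificate: configure supplicants to validate the server certificate rather than leaving it to the user.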

Re: CAPsMAN vs WPA2-Enterprise

Posted: Wed Jan 07, 2015 9:25 am
by dana1975
Another question.
I have 3 Hotspots with one Windows RADIUS server now. I created 3 RADIUS clients in MikroTik and assigned them to separate Hotspots, and created 3 groups in AD whose members have access to their Hotspot.
In this scenario, which part can I use to assign a RADIUS server to the security configuration in CAPsMAN?

Re: CAPsMAN vs WPA2-Enterprise

Posted: Wed Jan 07, 2015 10:50 am
by NathanA
> Another question.
> I have 3 Hotspots with one Windows RADIUS server now. I created 3 RADIUS clients in MikroTik and assigned them to separate Hotspots, and created 3 groups in AD whose members have access to their Hotspot.
> In this scenario, which part can I use to assign a RADIUS server to the security configuration in CAPsMAN?
Okay, so if I understand correctly, right now you are NOT using WPA-Enterprise at all, but are only using Hotspot, and you want to get away from using Hotspot? So you probably have 3 SSIDs and 3 separate Hotspots, one for each SSID, and you allow people in a certain group on the domain access to a certain SSID, and people in a different group on the domain access to a different SSID, and so on? And you separate the RADIUS requests from Hotspot to the different RADIUS clients by using 'split-user-domain' and/or 'radius-default-domain', but each RADIUS client points to the same RADIUS server IP address and just uses a different domain and/or realm?

You cannot configure different SSIDs on the same MikroTik router to use different RADIUS clients, like you can with Hotspot by using "domains". All wireless RADIUS requests from all SSIDs can be processed by any RADIUS client defined with 'service=wireless'. The only reason for having more than one RADIUS client is for redundancy (if one RADIUS server is down, try the next one), and the servers will be queried in the order that they appear in the RADIUS clients list. What you will have to do is determine which SSID somebody is trying to associate to on the RADIUS server itself, and then process the request against a certain AD group after that. RouterOS will send the SSID to the RADIUS server in the RADIUS check attribute called 'NAS-Port-ID'.

-- Nathan
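The same WPA2-Enterprise setup moved under CAPsMAN, with the three SSIDs from this thread sharing one security profile and one set of RADIUS clients, as the post above says they must. This is an added example, not code from the thread or from MikroTik; the bridge name, RADIUS address, secret and SSID names are assumed.

```routeros
# Added example (not from the thread): three WPA2-Enterprise SSIDs under CAPsMAN.
# bridge1, the RADIUS address, the secret and the SSID names are assumed values.

# RADIUS clients are defined on the CAPsMAN router exactly as for a standalone AP.
# All SSIDs share every service=wireless entry; there is no per-SSID RADIUS selection.
/radius
add service=wireless address=192.0.2.10 secret=ChangeMe-long-random-secret timeout=1s

# One security profile for all three SSIDs: WPA2-EAP with EAP passthrough to RADIUS.
/caps-man security
add name=wpa2-ent authentication-types=wpa2-eap eap-methods=passthrough \
    encryption=aes-ccm group-encryption=aes-ccm

# Where client traffic is put; bridge1 is assumed to exist already.
/caps-man datapath
add name=dp-lan bridge=bridge1

# Three SSIDs with the same security profile and datapath. Which AD group applies
# is decided on the RADIUS server from the SSID it sees in the request, not here.
/caps-man configuration
add name=cfg-ssid1 ssid=SSID1 security=wpa2-ent datapath=dp-lan
add name=cfg-ssid2 ssid=SSID2 security=wpa2-ent datapath=dp-lan
add name=cfg-ssid3 ssid=SSID3 security=wpa2-ent datapath=dp-lan

# Provision every CAP with one master and two virtual (slave) interfaces.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-ssid1 \
    slave-configurations=cfg-ssid2,cfg-ssid3

/caps-man manager
set enabled=yes
```

On the RADIUS server, each of the three network policies then needs two conditions: membership of GROUPn, and a match on the attribute that carries the SSID. The thread names NAS-Port-Id here and, in a later reply, a "station-id" attribute; my reading of the RouterOS wireless RADIUS documentation is that the SSID travels in Called-Station-Id in the form `XX-XX-XX-XX-XX-XX:SSID` while NAS-Port-Id carries the interface name, but treat that as something to verify, not assume: enable `topics=radius,debug` logging on the CAPsMAN router or inspect one Access-Request in the server log, then write the policy condition (in NPS, a regular expression such as `:SSID1$` on Called Station ID) against whichever attribute actually contains it.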

Re: CAPsMAN vs WPA2-Enterprise

Posted: Sat Jan 17, 2015 4:45 pm
by dana1975
Dear my friend,
Let me explain my problem in more detail.
We have:
one CAPsMAN and some CAPs, and one Windows RADIUS server connected to Active Directory
SSID1 -> Authenticate with GROUP1 in AD
SSID2 -> Authenticate with GROUP2 in AD
SSID3 -> Authenticate with GROUP3 in AD
I can do it with Hotspot or with one SSID, but with WPA2-Enterprise...........
Could you please let me know what I should do?
I want to manage some CAPs with one CAPsMAN and create 3 SSIDs with WPA2-Enterprise, assigned to 3 groups in AD.
Regards,
dana

Re: CAPsMAN vs WPA2-Enterprise

Posted: Sun Jan 18, 2015 5:52 pm
by slackR
I have setup CAPsMAN with WPA2-Enterprise and EAP to authenticate with AD. It works great. The only thing with your example is I do not think there is a way to make SSID1 authenticate Group1 and SSID2, etc. Maybe if there is a way to determine which SSID the RADIUS request is trying to auth on the Windows side?

Re: CAPsMAN vs WPA2-Enterprise

Posted: Wed Jan 21, 2015 10:05 am
by czolo
We need that function too.

We have to authenticate users to different SSIDs with different RADIUS servers. MT, please code it!!!!

Re: CAPsMAN vs WPA2-Enterprise

Posted: Tue Jul 14, 2015 8:01 am
by dana1975
You need to use client-station-id on the RADIUS server side for each policy.