User Manager version 5 (available for RouterOS v7) supports user authentication via the Extensible Authentication Protocol (EAP).
This guide will explain the steps needed to configure User Manager v5 as the authentication server for MikroTik wireless access points, with users being offered the PEAP and EAP-TLS authentication methods.
The guide assumes a standalone device running User Manager at the network address 10.0.0.10 and two access points - one at 10.0.0.11 and the other at 10.0.0.12.
User Manager v5 can be found in the 'Extra packages' archive for the latest release of RouterOS v7.
Download the archive for the appropriate CPU architecture, extract it, upload the User Manager package to the router and reboot it.
When using secure EAP methods, the client device (supplicant) verifies the identity of the authentication server before sending its own credentials to it.
For this to happen, the authentication server needs a TLS certificate.
This certificate should:
The EAP-TLS method requires the client device to have a TLS certificate (instead of a password).
To be considered valid by User Manager, a client certificate must:
Finally, the WPA3 enterprise specification includes an extra secure mode, which provides 192-bit cryptographic security.
This mode requires using EAP-TLS with certificates that:
For the sake of brevity (and to showcase more of RouterOS' capabilities), this guide will show how to generate all the certificates on the device running User Manager, but in a large scale enterprise environment, the authentication server and client devices would each generate private keys and certificate signing requests locally, then upload CSRs to a certificate authority for signing.
# Generating a Certificate Authority
/certificate
add name=radius-ca common-name="RADIUS CA" key-size=secp384r1 digest-algorithm=sha384 days-valid=1825 key-usage=key-cert-sign,crl-sign
sign radius-ca ca-crl-host=radius.mikrotik.test
# Generating a server certificate for User Manager
add name=userman-cert common-name=radius.mikrotik.test subject-alt-name=DNS:radius.mikrotik.test key-size=secp384r1 digest-algorithm=sha384 days-valid=800 key-usage=tls-server
sign userman-cert ca=radius-ca
# Generating a client certificate
add name=maija-client-cert common-name=maija@mikrotik.test key-usage=tls-client days-valid=800 key-size=secp384r1 digest-algorithm=sha384
sign maija-client-cert ca=radius-ca
# Exporting the CA certificate (public part only) as well as the generated client private key and certificate for distribution to client devices
export-certificate radius-ca file-name=radius-ca
# A passphrase is needed for the export to include the private key
export-certificate maija-client-cert type=pkcs12 export-passphrase="true zebra capacitor ziptie"
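The following is an added example and not part of the MikroTik page: it rebuilds the same PKI with openssl in the CSR-based workflow the previous paragraph describes for large deployments (each party generates its own P-384 key, only the CSR travels to the CA), and then runs the checks a practitioner would want before handing the certificates to User Manager and to users. It assumes openssl 1.1.1 or newer on PATH; the names (radius.mikrotik.test, maija@mikrotik.test, the PKCS#12 passphrase) and the work directory are illustrative and mirror the RouterOS commands above.

```sh
#!/bin/sh
# Added example, not code from the MikroTik page. Mirrors the RouterOS script:
# P-384 keys, SHA-384 signatures, 1825-day CA, 800-day leaf certificates.
# Assumed: openssl 1.1.1+ on PATH; names and paths are illustrative.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_CRT="$WORK/radius-ca.crt"; CA_KEY="$WORK/radius-ca.key"
P12_PASS="true zebra capacitor ziptie"   # same passphrase as on the page

# Extension profiles. RouterOS key-usage=tls-server / tls-client correspond to
# the serverAuth / clientAuth extended key usages set here.
write_profiles() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.mikrotik.test
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key and CSR are generated where the key will live; only the CSR goes to the CA.
make_csr() {  # make_csr NAME SUBJECT
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -config "$WORK/ext.cnf" -key "$WORK/$1.key" -sha384 \
    -subj "$2" -out "$WORK/$1.csr"
}

# The CA signs the CSR, applying its own extension profile (not the requester's).
sign_csr() {  # sign_csr NAME PROFILE DAYS
  openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days "$3" -sha384 -extfile "$WORK/ext.cnf" \
    -extensions "$2" -out "$WORK/$1.crt"
}

setup_pki() {
  write_profiles
  openssl ecparam -name secp384r1 -genkey -noout -out "$CA_KEY"
  openssl req -x509 -new -config "$WORK/ext.cnf" -extensions v3_ca \
    -key "$CA_KEY" -sha384 -days 1825 -subj "/CN=RADIUS CA" -out "$CA_CRT"
  make_csr userman-cert "/CN=radius.mikrotik.test"
  sign_csr userman-cert v3_server 800
  make_csr maija-client-cert "/CN=maija@mikrotik.test"
  sign_csr maija-client-cert v3_client 800
  # PKCS#12 bundle for the supplicant: private key, certificate and the CA to trust
  openssl pkcs12 -export -inkey "$WORK/maija-client-cert.key" \
    -in "$WORK/maija-client-cert.crt" -certfile "$CA_CRT" \
    -passout "pass:$P12_PASS" -out "$WORK/maija-client-cert.p12"
}

# --- checks ---------------------------------------------------------------
# Chains to radius-ca and carries the EKU openssl expects for PURPOSE
# (sslserver for the RADIUS server, sslclient for a user)?
cert_ok_for() {  # cert_ok_for PURPOSE CERT
  openssl verify -CAfile "$CA_CRT" -purpose "$1" "$2" >/dev/null 2>&1
}
# P-384 key and ECDSA/SHA-384 signature, as the RouterOS script requested?
cert_is_p384_sha384() {  # cert_is_p384_sha384 CERT
  t=$(openssl x509 -in "$1" -noout -text)
  echo "$t" | grep -q 'ASN1 OID: secp384r1' && echo "$t" | grep -q 'ecdsa-with-SHA384'
}
# NAME present as a DNS subjectAltName? Supplicants match the server name they
# were configured with against this entry.
cert_has_dns_san() {  # cert_has_dns_san CERT NAME
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
# Does the bundle's integrity MAC verify under PASSPHRASE?
pkcs12_opens_with() {  # pkcs12_opens_with FILE PASSPHRASE
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

main() {
  setup_pki
  cert_ok_for sslserver "$WORK/userman-cert.crt" || { echo "server cert does not verify"; return 1; }
  cert_has_dns_san "$WORK/userman-cert.crt" radius.mikrotik.test || { echo "server SAN missing"; return 1; }
  cert_ok_for sslclient "$WORK/maija-client-cert.crt" || { echo "client cert does not verify"; return 1; }
  # A user certificate must never pass as a server certificate (EKU is clientAuth only).
  if cert_ok_for sslserver "$WORK/maija-client-cert.crt"; then echo "client cert accepted as server"; return 1; fi
  cert_is_p384_sha384 "$WORK/userman-cert.crt" && cert_is_p384_sha384 "$WORK/maija-client-cert.crt" \
    || { echo "wrong key size or digest"; return 1; }
  pkcs12_opens_with "$WORK/maija-client-cert.p12" "$P12_PASS" || { echo "PKCS#12 unreadable"; return 1; }
  echo "PKI generated and verified in $WORK"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

The negative check in main is the one worth keeping in any CA procedure: because the CA applies its own extension profile rather than whatever the CSR asked for, a certificate issued to a user cannot be turned into a server certificate, so a user holding a valid client certificate cannot stand up a RADIUS server that EKU-checking supplicants would trust.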
# Enabling User Manager and specifying which certificate to use
/user-manager
set enabled=yes certificate=userman-cert
# Enabling CRL checking to avoid accepting revoked user certificates
/certificate settings
set crl-download=yes crl-use=yes
# Adding access points
/user-manager router
add name=ap1 address=10.0.0.11 shared-secret="Use a secure password generator for this"
add name=ap2 address=10.0.0.12 shared-secret="Use a secure password generator for this too"
# Limiting allowed authentication methods
/user-manager user group
set [find where name=default] outer-auths=eap-tls,eap-peap
add name=certificate-authenticated outer-auths=eap-tls
# Adding users
/user-manager user
add name=maija@mikrotik.test group=certificate-authenticated
add name=paija@mikrotik.test group=default password="right mule accumulator nail"
On an access point using the wireless package:
# Configuring radius client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this" service=wireless timeout=1s
/radius incoming
set accept=yes
# Adding a security profile and applying it to wireless interfaces
/interface/wireless/security-profile
add name=radius mode=dynamic-keys authentication-types=wpa2-eap
/interface/wireless
set [find] security-profile=radius
On an access point using the wifiwave2 package:
# Configuring radius client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this too" service=wireless timeout=1s
/radius incoming
set accept=yes
# Configuring enabled authentication types. Can also be done via a security profile, but note that interface properties, if specified, override profile properties
/interface/wifiwave2
set [find] security.authentication-types=wpa2-eap,wpa3-eap
A wifiwave2 AP can also be configured to use the extra secure wpa3-eap-192 mode, but note that it requires that all client devices support the GCMP-256 cipher and use EAP-TLS authentication.
When manually installing a CA in Windows, make sure to explicitly place it in the 'Trusted Root Certification Authorities' certificate store. It will not be placed there automatically.
When connecting to a network with EAP authentication, Android devices ask the user to specify a 'domain'. This refers to the expected domain of the host name included in the RADIUS server's TLS certificate ('mikrotik.test' in our example).
By default, Android devices use the device's built-in root CA list for validating the RADIUS server's certificate. When using your own CA, it needs to be selected in the appropriate dropdown menu.
Apple iOS does not appear to actually trust a manually imported CA to authenticate RADIUS servers. The server certificate is marked as 'Not Trusted' unless the CA was imported using Apple's proprietary 'Configurator' utility or an approved third party MDM tool.