This guide describes how to set up your MikroTik devices for use with RadSec proxy and Orion Wifi. The main configuration steps remain the same and will work with other providers as well.
This guide assumes that you have configured a radsecproxy with Orion Wifi credentials. Make sure to use the latest long-term or stable RouterOS releases.

It is important to set up a secure RADIUS connection between the wireless LAN controller and Orion Wifi.
Orion Wifi uses RADIUS over TLS (RadSec) to ensure end-to-end encryption of AAA traffic. This guide is made for scenarios where the RouterOS access point redirects AAA traffic to a RadSec proxy (radsecproxy) before the traffic is sent over the internet. 
1) Configure the RADIUS client that points to radsecproxy.

Command line equivalent is “/radius add address=192.168.88.233 secret=yourSecret service=wireless”.

The secret should match the one configured on the radsecproxy. In this example, “192.168.88.233” is a virtual machine running the proxy.

2) Create a wireless security profile that performs 802.1x authentication.

Command line equivalent is “/interface wireless security-profiles add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=dot1x_profile supplicant-identity="" radius-eap-accounting=yes eap-methods=passthrough”.

3) The next step is configuring the wireless interface and assigning the created security profile. Press “Advanced mode” to see all the options.

Command line equivalent is: "/interface wireless set [ find default-name=wlan1 ] mode=ap-bridge security-profile=dot1x_profile wps-mode=disabled".

Make sure the correct country profile is configured. In this example, we are using “wlan1”, but the same command would work with other interfaces, or as “/interface wireless set wlan1”.

4) Configure interworking settings (Hotspot 2.0). This step can only be done via the command line: “/interface wireless interworking-profiles add name=Orion_Mikrotik domain-names=prod.dogwood120.net operator-names=Buttonwood:eng realms=prod.dogwood120.net:eap-tls roaming-ois=004096,005014,f4f5e8f5f4,baa2D00100,baa2d00000 venue-names=Buttonwood:eng venue=business-unspecified”.

Set “venue” (the venue type), “operator-names”, “venue-names”, “wan-uplink” and other attributes as applicable. “domain-names” should be that of the Hotspot 2.0 operator.

5) Assign the interworking profile to the interface. This step can only be done via the command line, with the following command: “/interface wireless set wlan1 interworking-profile=Orion_Mikrotik”.

If the radsecproxy is working, then clients with the appropriate Hotspot profile installed should be able to connect.
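
A configuration check for the steps above, as an added example that is not part of the original guide: it parses an export-style RouterOS script and reports where it departs from the RADIUS client, security profile, WPS and interworking settings the guide uses. The sample script is constructed, and treating profile names as case-sensitive is an assumption.

```python
import re
import shlex
# Constructed sample (not from a real device): export-style script using the guide's values.
SAMPLE = r'''
/radius
add address=192.168.88.233 secret=yourSecret service=wireless
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough name=dot1x_profile
/interface wireless interworking-profiles
add name=Orion_Mikrotik domain-names=prod.dogwood120.net
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge security-profile=dot1x_profile \
    interworking-profile=Orion_MikroTik
'''

def parse_export(text):
    """Return (menu, verb, properties) for every add/set line."""
    text = re.sub(r"\\\n\s*", "", text)             # join "\" continuation lines
    menu, items = "", []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):                    # menu header, e.g. "/radius"
            menu = line
        elif line.startswith(("add ", "set ")):
            words = shlex.split(re.sub(r"\[.*?\]", "", line))   # drop "[ find ... ]"
            items.append((menu, words[0], dict(w.split("=", 1) for w in words[1:] if "=" in w)))
    return items

def audit(text):
    """List deviations from the setup the guide describes."""
    items = parse_export(text)
    rows = lambda menu, verb: [p for m, v, p in items if (m, v) == (menu, verb)]
    sec = {p.get("name"): p for p in rows("/interface wireless security-profiles", "add")}
    iw = {p.get("name") for p in rows("/interface wireless interworking-profiles", "add")}
    out, radius = [], rows("/radius", "add")
    if not any("wireless" in r.get("service", "").split(",") for r in radius):
        out.append("no RADIUS client with service=wireless")
    if any(r.get("secret") in (None, "", "yourSecret") for r in radius):
        out.append("RADIUS secret missing or still the guide's placeholder")
    for p in rows("/interface wireless", "set"):
        prof = sec.get(p.get("security-profile"), {})
        if prof.get("authentication-types") != "wpa2-eap" or prof.get("eap-methods") != "passthrough":
            out.append("interface is not bound to a wpa2-eap passthrough security profile")
        if p.get("wps-mode") != "disabled":
            out.append("wps-mode is not disabled")
        if p.get("interworking-profile") not in iw:   # exact match; case counts (assumption)
            out.append("interworking-profile does not name a defined profile")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "matches the guide")
```

The constructed sample trips three checks: the placeholder secret, the missing `wps-mode=disabled`, and an interworking profile name whose capitalisation differs from the profile that was defined.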