...
Certain parameters in the table below take format-string as their value. In a format-string, certain characters are interpreted in the following way:'a' -
| Character | Interpretation |
|---|---|
| a | Hexadecimal character making up the MAC address of the client device in lower case |
...
| A |
...
| Hexadecimal character making up the MAC address of the client device in upper case |
...
| i |
...
| Hexadecimal character making up the MAC address of the AP's interface in lower case |
...
| I |
...
| (capital 'i') |
...
| Hexadecimal character making up the MAC address of the AP's interface in upper case |
...
| N |
...
| The entire name of the AP's interface (e.g. 'wifi1') |
...
| S |
...
| The entire SSID |
All other characters are used without interpreting them in any way. For examples, see default values
...
.
| Property | Description |
|---|---|
| called-format (format-string) | Format for the value of the Called-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default:II-II-II-II-II-II:S |
| calling-format (format-string) | Format for the value of the Calling-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default: AA-AA-AA-AA-AA-AA |
| interim-update (time interval) | Interval at which to send interim updates about traffic accounting to the RADIUS server. Default: 5m |
| mac-caching (time interval | 'disabled') | Length of time to cache RADIUS server replies, when MAC address authentication is enabled. This resolves issues with client device authentication timing out due to (comparatively high latency of RADIUS server replies. Default value: disabled. |
| name (string) | A unique name for the AAA profile. No default value. |
| nas-identifier (string) | Value of the NAS-Identifier attribute, in AP's messages to RADIUS servers. Defaults to the host name of the device (/system/identity). |
| password-format (format-string) | Format for value to use in calculating the value of the User-Password attribute in AP's messages to RADIUS servers when performing MAC address authentication. Default value: "" (an empty string). |
| username-format (format-string) | Format for the value of the User-Name attribute in APs messages to RADIUS servers when performing MAC address authentication. Default value : |
...
| Filtering parameters | |
|---|---|
| Parameter | Description |
| allow-signal-out-of-range (time period) | Modifies the signal-range parameter to still match established connections for a given length of time, even if their signal is outside the specified range. Default: 0s. |
| interface (interface|interface-list|'any') | Match if connection takes place on the specified interface or interface belonging to specified list. Default: any. |
| mac-address (MAC address) | Match if the client device has the specified MAC address. No default value. |
| mac-address-mask (MAC address) | Modifies the mac-address parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask. Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly) |
| signal-range (min..max) | Match if the strength of received signal from the client device is within the given range. Default: '-120..120' |
| ssid-regexp (regex) | Match if the given regular expression matches the SSID. |
| time (start-end,days) | Match during the specified time of day and (optionally) days of week. Default: 0s-1d |
| Action parameters | |
|---|---|
| Parameter | Description |
| action (accept|reject|query-radius) | Whether to authorize a connection
|
| passphrase (string) | Override the default passphrase with given value. No default value. |
| radius-accounting (no|yes) | Override the default RADIUS accounting policy with given value. No default value. |
Access rule examples
Only accept connections to guest network from nearby devices during business hours
MAC address authentication
Implemented through the query-radius action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.
When a client device tries to associate with an AP, which is configured to perform MAC address authentication, the AP will send an access-request message to a RADIUS server with the device's MAC address as the user name and an empty password. If the RADIUS server answers with access-accept to such a request, the AP proceeds with whatever regular authentication procedure (passphrase or EAP authentication) is configured for the interface.
Access rule examples
Only accept connections to guest network from nearby devices during business hours
| Code Block | ||
|---|---|---|
| ||
| Code Block | ||
| ||
/interface/wifiwave2/access-list/print detail Flags: X - disabled 0 signal-range=-60..0 allow-signal-out-of-range=5m ssid-regexp="MikroTik Guest" time=7h-19h,mon,tue,wed,thu,fri action=accept 1 ssid-regexp="MikroTik Guest" action=reject |
...
Information about the capabilities of each radio can be gained by running the `/interface/wifiwave2/radio print detail` command.
Following is a list of radio parameters.
| Property | Description |
|---|---|
| 2g-channels (list of integers) | Frequencies supported in the 2.4GHz band. |
| 5g-channels (list of integers) | Frequencies supported in the 5GHz band. |
| bands (list of strings) | Supported frequency bands, wireless standards and channel widths. |
| ciphers (list of strings) | Supported encryption ciphers. |
| countries (list of strings) | Regulatory domains supported by the interface. |
| min-antenna-gain (integer) | Minimum antenna gain permitted for the interface. |
| phy-id (string) | A unique identifier. |
| radio-mac (MAC) | MAC address of the radio interface. Can be used to match radios to interface configurations. |
| rx-chains (list of integers) | IDs for radio chains available for receiving radio signals. |
| tx-chains (list of integers) | IDs for radio chains available for transmitting radio signals. |
...
The registration table contains read-only information about associated wireless devices.
...
| Parameter | Description |
|---|---|
| authorized (boolean) (A) | True when the peer has successfully authenticated. |
| bytes (list of integers) | Number of bytes in packets transmitted to a peer and received from it. |
| interface (string) | Name of the interface, which was used to associate with the peer. |
| mac-address (MAC) | The MAC address of the peer. |
| packets (list of integers) | Number of packets transmitted to a peer and received from it. |
| rx-rate (string) | Bitrate of received transmissions from peer. |
| signal (integer) | Strength of signal received from the peer (in dBm). |
| tx-rate (string) | Bitrate used for transmitting to the peer. |
| uptime (time interval) | Time since association. |
...