Versions Compared

Old Version 128

changes.mady.by.user Normunds R.

Saved on

compared with

New Version Current

changes.mady.by.user Guntis G.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

PropertyDescription

authentication-types (list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192)

Authentication types to enable on the interface.

The default value is an empty list (no authenticaion, an open network).

Configuring a passphrase, adds to the default list the wpa2-psk authentication method (if the interface is an AP) or both wpa-psk and wpa2-psk (if the interface is a station).

Configuring an eap-username and an eap-password adds to the default list wpa-eap and wpa2-eap authentication methods.

connect-groupstring )

APs within the same connect group do not allow more than 1 client device with the same MAC address. This is to prevent malicious authorized users from intercepting traffic intended to other users ('MacStealer' attack) or performing a denial of service attack by spoofing the MAC address of a victim.

Handling of new connections with duplicate MAC addresses depends on the connect-priority of AP interfaces involved.

By default, all APs are assigned the same connect-group.

connect-priority (accept-priority/hold-priority (integers))

Theese parameters determine, how a connection is handled if the MAC address of the client device is the same as that of another active connection to another AP.
If (accept-priority of AP2) < (hold-priority of AP1), a connection to AP2 wil cause the client to be dropped from AP1.
If (accept-priority of AP2) = (hold-priority of AP1), a connection to AP2 will be allowed only if the MAC address can no longer be reached via AP1.
If (accept-priority of AP2) > (hold-priority of AP1), a connection to AP2 will not be accepted.

If omitted, hold-priority is the same as accept-priority.
By default, APs, which perform user authentication, have higher priority (lower integer value), than open APs.

dh-groups (list of 19, 20, 21)

Identifiers of elliptic curve cryptography groups to use in SAE (WPA3) authentication.

disable-pmkid (no | yes)For interfaces in AP mode, disables inclusion of a PMKID in EAPOL frames. Disabling PMKID can cause compatibility issues with client devices which make use of it.
  • yes - Do not include PMKID in EAPOL frames.
  • no (default) - include PMKID in EAPOL frames.
eap-accounting (no | yes)Send accounting information to RADIUS server for EAP-authenticated peers. Default: no.


Note
Properties related to EAP, are only relevant to interfaces in station mode. APs delegate (passthrough) EAP authentication to the RADIUS server.


eap-anonymous-identity (string)Optional anonymous identity for EAP outer authentication. No default value.
eap-certificate-mode (dont-verify-certificate | no-certificates | verify-certificate | verify-certificate-with-crl)

Policy for handling the TLS certificate of the RADIUS server.

  • verify-certificate - require server to have a valid certificate. Check that it is signed by a trusted certificate authority.
  • dont-verify-certificate (default) - Do not perform any checks on the certificate.
  • no-certificates - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange. To be used if the RADIUS server has no certificate at all.
  • verify-certificate-with-crl - Same as verify-certificate, but also checks if the certificate is valid by checking the Certificate Revocation List.
eap-methods (list of peap, tls, ttls)EAP methods to consider for authentication. Defaults to all supported methods.
eap-password (string)Password to use, when the chosen EAP method requires one. No default value.
eap-tls-certificate (certificate)Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value.
eap-username (string)Username to use when the chosen EAP method requires one. No default value.


Warning

Take care when configuring encryption ciphers.

All client devices MUST support the group encryption cipher used by the AP to connect, and some client devices (notably, Intel® 8260) will also fail to connect if the list of unicast ciphers includes any they don't support.


encryption (list of  ccmp, ccmp-256, gcmp, gcmp-256, tkip)

A list of ciphers to support for encrypting unicast traffic.

Defaults to ccmp.


Note

Properties related to 802.11r fast BSS transition only apply to interfaces in AP mode. Wifiwave2 interfaces in station mode do not support 802.11r.

For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN


ft (no | yes)

Whether to enable 802.11r fast BSS transitions ( roaming). Default: no.

ft-mobility-domain (integer 0..65535

The fast BSS transition mobility domain ID. Default: 44484 (0xADC4).

ft-nas-identifier (string of 2..96 hex characters)

Fast BSS transition PMK-R0 key holder identifier. Default: MAC address of the interface.

ft-over-ds (no | yes

 Whether to enable fast BSS transitions over DS (distributed system). Default: no.

ft-preserve-vlanid (no | yes )
  • no - when a client connects to this AP via 802.11r fast BSS transition, it is assigned a VLAN ID according to the access and/or interface settings
  • yes (default) - when a client connects to this AP via 802.11r fast BSS transition, it retains the VLAN ID, which it was assigned during initial authentication

The default behavior is essential when relying on a RADIUS server to assign VLAN IDs to users, since a RADIUS server is only used for initial authentication.

ft-r0-key-lifetime (time interval 1s..6w3d12h15m)

Lifetime of the fast BSS transition PMK-R0 encryption key. Default: 600000s (~7 days)

ft-reassociation-deadline (time interval 0..70s

Fast BSS transition reassociation deadline. Default: 20s.

group-encryption (ccmp | ccmp-256 | gcmp | gcmp-256 | tkip)

Cipher to use for encrypting multicast traffic.

Defaults to ccmp.

group-key-update (time interval)

Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 24 hours.

management-encryption (cmac | cmac-256 | gmac | gmac-256)

Cipher to use for encrypting protected management frames. Defaults to cmac.

management-protection (allowed | disabled | required)

Whether to use 802.11w management frame protection. Incompatible with management frame protection in standard wireless package.

Default value depends on value of selected authentication type. WPA2 allows use of management protection, WPA3 requires it.

owe-transition-interface (interface)

Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode.

Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See configuration example below.

passphrase (string of up to 63 characters)

Passphrase to use for PSK authentication types. Defaults to an empty string - "".

WPA-PSK and WPA2-PSK authentication requires a minimum of 8 chars, while WPA3-PSK does not have minimum passphrase length.

sae-anti-clogging-threshold ('disabled' | integer)

Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack.

This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests which contain valid cookies.

Default: 5.

sae-max-failure-rate ('disabled' | integer)Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Default: 40.
sae-pwe (both | hash-to-element | hunting-and-pecking)Methods to support for deriving SAE password element. Default: both.
wps (disabled | push-button)
  • push-button (default) - AP will accept WPS authentication for 2 minutes after 'wps-push-button' command is called. Physical WPS button functionality not yet implemented.
  • disabled - AP will not accept WPS authentication

...