Versions Compared

Old Version 52

changes.mady.by.user Toms Filatovs

Saved on

compared with

New Version 60

changes.mady.by.user Toms Filatovs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added descriptions for fast BSS transition parameters.

...

As of the release of RouterOS 7.1, this means it is compatible with 4 devices:

  1. hAP ac³ (non-LTE)*
  2. Audience*
  3. Audience LTE6 kit*
  4. RB4011iGS+5HacQ2HnD**
Note

*

...

  The wifiwave2 package is not compatible with CAPsMAN. And does not yet offer wireless meshing (4-address mode).

**

...

The 2.4GHz wireless interface on the RB4011iGS+5HacQ2HnD is not compatible with the wifiwave2 package. It will not be usable with the package installed.

Features

  • WPA3 authentication and OWE (opportunistic wireless encryption)
  • 802.11w standard management frame protection
  • MU-MIMO and beamforming
  • 400Mb/s maximum data rate in the 2.4GHz band for IPQ4019 interfaces

...

All other characters are used without interpreting them in any way. For examples, see default values.

Property

Description

called-format (format-string)

Format for the value of the Called-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default:II-II-II-II-II-II:S

calling-format (format-string)Format for the value of the Calling-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default: AA-AA-AA-AA-AA-AA
interim-update (time interval)Interval at which to send interim updates about traffic accounting to the RADIUS server. Default: 5m
mac-caching (time interval | 'disabled')

Length of time to cache RADIUS server replies, when MAC address authentication is enabled.
This resolves issues with client device authentication timing out due to (comparatively high latency of RADIUS server replies.

Default value: disabled.

name (string)A unique name for the AAA profile. No default value.
nas-identifier (string) Value of the NAS-Identifier attribute, in AP's messages to RADIUS servers. Defaults to the host name of the device (/system/identity).
password-format (format-string)

Format for value to use in calculating the value of the User-Password attribute in AP's messages to RADIUS servers when performing MAC address authentication.

Default value: "" (an empty string).

username-format (format-string)

Format for the value of the User-Name attribute in APs messages to RADIUS servers when performing MAC address authentication.

Default value : AA:AA:AA:AA:AA:AA

Channel properties

Properties in this category specify the desired radio channel.

...

PropertyDescription

chains (list of integer 0..7 )

Radio chains to use for receiving signals. Defaults to all chains available to the corresponding radio hardware.

client-isolation (no | yes)

  • yes - AP will not forward traffic between client devices connected to it
  • no -  AP will forward traffic between client devices connected to it

Default: no

country (name of a country)

Determines, which regulatory domain restrictions are applied to an interface. Defaults to "United States".

Note: It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices.

hide-ssid (no | yes)

  • yes - AP does not include its SSID in beacon frames, and does not reply to probe requests that have broadcast SSID.

  • no - AP includes its SSID in the beacon frames, and replies to probe requests that have broadcast SSID.

Default: no

mode (ap | station)

Interface operation mode

  • ap (default) - interface operates as an access point
  • station - interface acts as a client device, scanning for access points advertising the configured SSID
ssid (string)The name of the wireless network, aka the (E)SSID. No default value.
tx-chains (list of integer 0..7)Radio chains to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware.
tx-power (integer 0..40)A limit on the transmit power (in dBm) of the interface. Can not be used to set power above limits imposed by the regulatory profile. Unset by default.

...

PropertyDescription

authentication-types (list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192)

Authentication types to enable on the interface.

The default value is an empty list (no authenticaion, an open network).

Configuring a passphrase, adds to the default list the wpa2-psk authentication method (if the interface is an AP) or both wpa-psk and wpa2-psk (if the interface is a station).

Configuring an eap-username and an eap-password adds to the default list wpa-eap and wpa2-eap authentication methods.

dh-groups (list of 19, 20, 21)

Identifiers of elliptic curve cryptography groups to use in SAE (WPA3) authentication.

disable-pmkid (no | yes)For interfaces in AP mode, disables inclusion of a PMKID in EAPOL frames. Disabling PMKID can cause compatibility issues with client devices which make use of it.
  • yes - Do not include PMKID in EAPOL frames.
  • no (default) - include PMKID in EAPOL frames.
eap-accounting (no | yes)Send accounting information to RADIUS server for EAP-authenticated peers. Default: no.


Note
Properties related to EAP, are only relevant to interfaces in station mode. APs delegate EAP authentication to the RADIUS server.


eap-anonymous-identity (string)Optional anonymous identity for EAP outer authentication. No default value.
eap-certificate-mode (dont-verify-certificate | no-certificates | verify-certificate | verify-certificate-with-crl)

Policy for handling the TLS certificate of the RADIUS server.

  • verify-certificate - require server to have a valid certificate. Check that it is signed by a trusted certificate authority.
  • dont-verify-certificate (default) - Do not perform any checks on the certificate.
  • no-certificates - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange. To be used if the RADIUS server has no certificate at all.
  • verify-certificate-with-crl - Same as verify-certificate, but also checks if the certificate is valid by checking the Certificate Revocation List.
eap-methods (list of peap, tls, ttls)EAP methods to consider for authentication. Defaults to all supported methods.
eap-password (string)Password to use, when the chosen EAP method requires one. No default value.
eap-tls-certificate (certificate)Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value.
eap-username (string)Username to use when the chosen EAP method requires one. No default value.


Warning

Take care when configuring encryption ciphers.

All client devices MUST support the group encryption cipher used by the AP to connect, and some client devices (notably, Intel® 8260) will also fail to connect if the list of unicast ciphers includes any they don't support.


encryption (list of  ccmp, ccmp-256, gcmp, gcmp-256, tkip)

A list of ciphers to support for encrypting unicast traffic.

Defaults to ccmp.


Note

Properties related to 802.11r fast BSS transition only apply to interfaces in AP mode. Wifiwave2 interfaces in station mode do not support 802.11r.

The initial implementation of 802.11r introduced in RouterOS 7.4beta4 only supports fast transition of client devices between the interfaces which are local to each AP.


ft (no | yes)

Whether to enable 802.11r fast BSS transitions. Default: no.

ft-mobility-domain (integer 0..65535

The fast BSS transition mobility domain ID. Default: 44484 (0xADC4).

ft-nas-identifier (string of 2..96 hex characters)

Fast BSS transition PMK-R0 key holder identifier. Default: MAC address of the interface.

ft-over-ds (no | yes)  

 Whether to enable fast BSS transitions over DS (distributed system). Default: no.

ft-r0-key-lifetime (time interval 1s..6w3d12h15m)

Lifetime of the fast BSS transition PMK-R0 encryption key. Default: 600000s (~7 days)

ft-reassociation-deadline (time interval 0..70s

Fast BSS transition reassociation deadline. Default: 20s.

group-encryption(ccmp | ccmpgroup-encryption(ccmp | ccmp-256 | gcmp | gcmp-256 | tkip)

Cipher to use for encrypting multicast traffic.

Defaults to ccmp.

group-key-update (time interval 30s..1h)

Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 5 minutes.

management-encryption (cmac | cmac-256 | gmac | gmac-256)

Cipher to use for encrypting protected management frames. Defaults to cmac.

management-protection (allowed | disabled | required)

Whether to use 802.11w management frame protection. Incompatible with management frame protection in standard wireless package.

Default value depends on value of selected authentication type (WPA (1) does not support MFP, while WPA3 requires it).

owe-transition-interface (interface)

Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode.

Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See configuration example below.

passphrase (string of up to 63 characters)

Passphrase to use for PSK authentication types. Defaults to an empty string - "".

WPA-PSK and WPA2-PSK authentication requires a minimum of 8 chars, while WPA3-PSK does not have minimum passphrase length.

sae-anti-clogging-threshold ('disabled' | integer)

Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack.

This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests which contain valid cookies.

Default: disabled.

sae-max-failure-rate ('disabled' | integer)Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Defaults to disabled.
wps (disabled | push-button)
  • push-button (default) - AP will accept WPS authentication for 2 minutes after 'wps-push-button' command is called. Physical WPS button functionality not yet implemented.
  • disabled - AP will not accept WPS authentication

...

Code Block
languageros
/interface/wifiwave2
set wifi1 disabled=no configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters

...

Code Block
languageros
/interface/wifiwave2
add master-interface=wifi1 name=wifi1_owe configuration.ssid=MikroTik_OWE security.authentication-types=owe security.owe-transition-interface=wifi1 configuration.hide-ssid=yes
set wifi1 configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types="" security.owe-transition-interface=wifi1_owe
enable wifi1,wifi1_owe

...

Enterprise wireless security with User Manager v5

Assigning VLAN tags to wireless traffic can be achieved by following the generic bridge VLAN example here.

Resetting configuration

Wifiwave2 interface configurations can be reset by using the 'reset' command.

...

Access list provides multiple ways of filtering and managing wireless connections.

RouterOS will check each new connection to see if its parameters match parameters specified in any access list rule. This will happen when a connection is established and periodically after that.

The rules are checked in the order they appear in the list. Only management actions specified in the first matching rule are applied to the connectionapplied to each connection.

Connections, which have been accepted by an access list rule, will be periodically checked, to see if they remain within the permitted time and signal-range. If they do not, they will be terminated.

Note

Take care when writing access list rules which reject clients. After being repeatedly rejected by an AP, a client device may start avoiding it.


Filtering parameters
ParameterDescription
allow-signal-out-of-range (time period
interface (interface | interface-list | 'any')Match if connection takes place on the specified interface or interface belonging to specified list. Default: any.
mac-address (MAC address)Match if the client device has the specified MAC address. No default value.
mac-address-mask (MAC address)

Modifies the

signal

mac-

range

address parameter to

still match established connections for a given length of time, even if their signal is outside the specified range.

Default: 0s.

interface (interface|interface-list|'any')Match if connection takes place on the specified interface or interface belonging to specified list. Default: any.mac-address (MAC address)Match if the client device has the specified MAC address. No default value.mac-address-mask (MAC address)

Modifies the mac-address parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask.

Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly)

signal-range (min..max)Match if the strength of received signal from the client device is within the given range. Default: '-120..120'ssid-regexp (regex)Match if the given regular expression matches the SSID.time (start-end,days)Match during the specified time of day and (optionally) days of week. Default: 0s-1d

match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask.

Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly)

signal-range (min..max)Match if the strength of received signal from the client device is within the given range. Default: '-120..120'
ssid-regexp (regex)Match if the given regular expression matches the SSID.
time (start-end,days)Match during the specified time of day and (optionally) days of week. Default: 0s-1d


Action parameters
ParameterDescription
allow-signal-out-of-range (time period | 'always')

The length of time which a connected peer's signal strength is allowed to be outside the range required by the signal-range parameter, before it is disconnected.

If the value is set to 'always', peer signal strength is only checked during association.

Default: 0s.

Action parametersParameterDescription

action (accept | reject | query-radius)

Whether to authorize a connection

  • accept -
new connections are accepted, established connections are maintained
  • connection is allowed
  • reject - connection is not allowed
reject - new connections are rejected, established connections are interrupted
  • query-radius -
new connections are accepted
  •   connection is allowed if MAC address authentication of the client's MAC address succeeds

Default: accept

passphrase (string)Override the default passphrase with given value. No default value.
radius-accounting (no | yes)Override the default RADIUS accounting policy with given value. No default value.

MAC address authentication

Implemented through the query-radius action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.

...