...
Property | Description |
---|---|
chains (list of integer 0..7 ) | Radio chains to use for receiving signals. Defaults to all chains available to the corresponding radio hardware. |
client-isolation (no | yes) |
Default: no |
country (name of a country) | Determines, which regulatory domain restrictions are applied to an interface. Defaults to "United States". Note: It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices. |
hide-ssid (no | yes) |
Default: no |
mode (ap | station) | Interface operation mode
|
rrm (no | yes) |
Default: yes |
ssid (string) | The name of the wireless network, aka the (E)SSID. No default value. |
tx-chains (list of integer 0..7) | Radio chains to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware. |
tx-power (integer 0..40) | A limit on the transmit power (in dBm) of the interface. Can not be used to set power above limits imposed by the regulatory profile. Unset by default. |
...
Property | Description | ||
---|---|---|---|
authentication-types (list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192) | Authentication types to enable on the interface. The default value is an empty list (no authenticaion, an open network). Configuring a passphrase, adds to the default list the wpa2-psk authentication method (if the interface is an AP) or both wpa-psk and wpa2-psk (if the interface is a station). Configuring an eap-username and an eap-password adds to the default list wpa-eap and wpa2-eap authentication methods. | ||
dh-groups (list of 19, 20, 21) | Identifiers of elliptic curve cryptography groups to use in SAE (WPA3) authentication. | ||
disable-pmkid (no | yes) | For interfaces in AP mode, disables inclusion of a PMKID in EAPOL frames. Disabling PMKID can cause compatibility issues with client devices which make use of it.
| ||
eap-accounting (no | yes) | Send accounting information to RADIUS server for EAP-authenticated peers. Default: no. | ||
| |||
eap-anonymous-identity (string) | Optional anonymous identity for EAP outer authentication. No default value. | ||
eap-certificate-mode (dont-verify-certificate | no-certificates | verify-certificate | verify-certificate-with-crl) | Policy for handling the TLS certificate of the RADIUS server.
| ||
eap-methods (list of peap, tls, ttls) | EAP methods to consider for authentication. Defaults to all supported methods. | ||
eap-password (string) | Password to use, when the chosen EAP method requires one. No default value. | ||
eap-tls-certificate (certificate) | Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value. | ||
eap-username (string) | Username to use when the chosen EAP method requires one. No default value. | ||
| |||
encryption (list of ccmp, ccmp-256, gcmp, gcmp-256, tkip)-256, tkip) | A list of ciphers to support for encrypting unicast traffic. Defaults to ccmp. | ||
| |||
ft (no | yes) | Whether to enable 802.11r fast BSS transitions. Default: no. | ||
ft-mobility-domain (integer 0..65535) | The fast BSS transition mobility domain ID. Default: 44484 (0xADC4). | ||
ft-nas-identifier (string of 2..96 hex characters) | Fast BSS transition PMK-R0 key holder identifier. Default: MAC address of the interface. | ||
ft-over-ds (no | yes) | Whether to enable fast BSS transitions over DS (distributed system). Default: no. | ||
ft-r0-key-lifetime (time interval 1s..6w3d12h15m) | Lifetime of the fast BSS transition PMK-R0 encryption key. Default: 600000s (~7 days) | ||
ft-reassociation-deadline (time interval 0..70s) | Fast BSS transition reassociation deadline. Default: 20s A list of ciphers to support for encrypting unicast traffic. Defaults to ccmp. | ||
group-encryption(ccmp | ccmp-256 | gcmp | gcmp-256 | tkip) | Cipher to use for encrypting multicast traffic. Defaults to ccmp. | ||
group-key-update (time interval 30s..1h) | Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 5 minutes. | ||
management-encryption (cmac | cmac-256 | gmac | gmac-256) | Cipher to use for encrypting protected management frames. Defaults to cmac. | ||
management-protection (allowed | disabled | required) | Whether to use 802.11w management frame protection. Incompatible with management frame protection in standard wireless package. Default value depends on value of selected authentication type (WPA (1) does not support MFP, while WPA3 requires it). | ||
owe-transition-interface (interface) | Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode. Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See configuration example below. | ||
passphrase (string of up to 63 characters) | Passphrase to use for PSK authentication types. Defaults to an empty string - "". WPA-PSK and WPA2-PSK authentication requires a minimum of 8 chars, while WPA3-PSK does not have minimum passphrase length. | ||
sae-anti-clogging-threshold ('disabled' | integer) | Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack. This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests which contain valid cookies. Default: disabled. | ||
sae-max-failure-rate ('disabled' | integer) | Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Defaults to disabled. | ||
sae-pwe (both | hash-to-element | hunting-and-pecking) | Methods to support for deriving SAE password element. Default: both. | ||
wps (disabled | push-button) |
|
...
Code Block | ||
---|---|---|
| ||
/interface/wifiwave2
set wifi1 disabled=no configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters |
...
Code Block | ||
---|---|---|
| ||
/interface/wifiwave2
add master-interface=wifi1 name=wifi1_owe configuration.ssid=MikroTik_OWE security.authentication-types=owe security.owe-transition-interface=wifi1 configuration.hide-ssid=yes
set wifi1 configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types="" security.owe-transition-interface=wifi1_owe
enable wifi1,wifi1_owe |
...