Comment: Add configuration lines to accept CoA messages from RADIUS server.

...

  1. Be valid and signed by an authority that is trusted by the device running User Manager
  2. Have the user name in the Subject Alt Name (SAN) field. For backward compatibility, you can also add it in the CN field. For more information please see: https://datatracker.ietf.org/doc/html/rfc5216#section-5.2

Finally, the WPA3-Enterprise specification includes an additional mode, WPA3-Enterprise 192-bit mode, which provides 192-bit cryptographic security.

...

Commands executed on device running User Manager:
# Generating a Certificate Authority
/certificate
add name=radius-ca common-name="RADIUS CA" key-size=secp384r1 digest-algorithm=sha384 days-valid=1825 key-usage=key-cert-sign,crl-sign
sign radius-ca ca-crl-host=radius.mikrotik.test
# Generating a server certificate for User Manager
add name=userman-cert common-name=radius.mikrotik.test subject-alt-name=DNS:radius.mikrotik.test key-size=secp384r1 digest-algorithm=sha384 days-valid=800 key-usage=tls-server
sign userman-cert ca=radius-ca
# Generating a client certificate. The user name goes into the SAN (email) and, for backward compatibility, into the CN
add name=maija-client-cert common-name=maija@mikrotik.test subject-alt-name=email:maija@mikrotik.test key-usage=tls-client days-valid=800 key-size=secp384r1 digest-algorithm=sha384
sign maija-client-cert ca=radius-ca
# Exporting the CA certificate (public part only) as well as the generated client private key and certificate for distribution to client devices
export-certificate radius-ca file-name=radius-ca
# A passphrase is needed for the export to include the private key
export-certificate maija-client-cert type=pkcs12 export-passphrase="true zebra capacitor ziptie"
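
The certificate requirements listed above (trusted issuer, user name in the SAN with CN fallback) and the certificates generated by the commands just shown can be exercised outside RouterOS. The following is an added example written for this page, not code from MikroTik or from User Manager: it builds the same kind of CA and client certificates with the Python `cryptography` package and applies the checks an EAP-TLS server makes before mapping a certificate to a user. The `USERS` table, the `make_*`, `eap_identity` and `authorize` functions and the choice to require the clientAuth EKU are assumptions of the example; how User Manager performs these steps internally is not documented on the page, and CRL checking is left out.

```python
"""Mirror of the page's certificate setup: a CA, client certificates with the
user name in the SAN or only in the CN, and the checks an EAP-TLS server makes
before mapping a certificate to a User Manager account (needs `cryptography`)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
# Constructed user table standing in for `/user-manager user` on the page.
USERS = {"maija@mikrotik.test": "certificate-authenticated"}

def _validity(days):
    # Start a minute in the past so a freshly issued certificate is already valid.
    start = datetime.datetime.now(UTC) - datetime.timedelta(minutes=1)
    return start, start + datetime.timedelta(days=days)

def make_ca(common_name="RADIUS CA", days_valid=1825):
    """Self-signed secp384r1/SHA-384 CA with keyCertSign+cRLSign, like the page's CA."""
    key = ec.generate_private_key(ec.SECP384R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(days_valid)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA384())
    )
    return key, cert

def make_client_cert(ca_key, ca_cert, user, in_san=True, in_cn=False, client_auth=True):
    """Client certificate for `user`: name in the SAN as rfc822Name (what the page
    asks for) and/or in the CN (backward-compatible form). client_auth=False drops
    the clientAuth EKU that the page's `key-usage=tls-client` sets."""
    key = ec.generate_private_key(ec.SECP384R1())
    cn = user if in_cn else "EAP-TLS client"
    not_before, not_after = _validity(800)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(ca_cert.subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    if in_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(user)]), critical=False)
    if client_auth:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return key, builder.sign(ca_key, hashes.SHA384())

def eap_identity(cert):
    """RFC 5216 section 5.2 mapping: prefer an rfc822Name from the SAN, else the CN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
        if emails:
            return emails[0]
    except x509.ExtensionNotFound:
        pass
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return cns[0].value if cns else None

def _window(cert):
    """(not_before, not_after) as aware UTC datetimes across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def authorize(cert, ca_cert, users):
    """Group of the user the certificate maps to, or None when it is not issued by
    `ca_cert`, is outside its validity window, lacks clientAuth, or names an
    unknown user. Revocation is not modelled (the page enables CRL checking)."""
    if cert.issuer != ca_cert.subject:
        return None
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return None
    not_before, not_after = _window(cert)
    if not not_before <= datetime.datetime.now(UTC) <= not_after:
        return None
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return None
    return users.get(eap_identity(cert))

if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, cert = make_client_cert(ca_key, ca_cert, "maija@mikrotik.test")
    print(eap_identity(cert), "->", authorize(cert, ca_cert, USERS))
```

A certificate signed by a different CA that happens to carry the same "RADIUS CA" issuer name passes the name comparison but fails the signature check, which is why the issuer name alone must never be the trust decision; a certificate for a name that is not a User Manager account maps to no group even though it is otherwise valid.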

Configuring User Manager

Commands executed on device running User Manager:
# Enabling User Manager and specifying, which certificate to use
/user-manager
set enabled=yes certificate=userman-cert
# Enabling CRL checking to avoid accepting revoked user certificates
/certificate settings
set crl-download=yes crl-use=yes
# Adding access points
/user-manager router
add name=ap1 address=10.0.0.11 shared-secret="Use a secure password generator for this"
add name=ap2 address=10.0.0.12 shared-secret="Use a secure password generator for this too"
# Limiting allowed authentication methods
/user-manager user group
set [find where name=default] outer-auths=eap-tls,eap-peap
add name=certificate-authenticated outer-auths=eap-tls
# Adding users
/user-manager user
add name=maija@mikrotik.test group=certificate-authenticated
add name=paija@mikrotik.test group=default password="right mule accumulator nail"

...

Commands executed on ap1:
# Configuring radius client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this" service=wireless timeout=1s
/radius incoming
set accept=yes
# Adding a security profile and applying it to wireless interfaces
/interface/wireless/security-profile
add name=radius mode=dynamic-keys authentication-types=wpa2-eap
/interface/wireless
set [find] security-profile=radius

...

Commands executed on ap2:
# Configuring radius client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this too" service=wireless timeout=1s
/radius incoming
set accept=yes
# Configuring enabled authentication types. Can also be done via a security profile, but note that interface properties, if specified, override profile properties
/interface/wifiwave2 set [find] security.authentication-types=wpa2-eap,wpa3-eap

...

When connecting to a network with EAP authentication, Android devices ask the user to specify a 'domain'. This is matched as a domain suffix against the host name in the RADIUS server's TLS certificate (the DNS name in its SAN, 'radius.mikrotik.test' in our example), so the value to enter here is 'mikrotik.test'.
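
The suffix comparison behind that 'domain' field, as an added example that is not part of the original page or of Android: the function below implements the label-by-label rule of wpa_supplicant's domain_suffix_match option, which is what Android applies to the server certificate's dNSName entries (falling back to the subject CN only when the certificate has no dNSName at all). The `SERVER_SAN` list is constructed to match the page's server certificate; the function name and the CN fallback parameter are this example's own.

```python
"""Domain suffix match as used by wpa_supplicant (and therefore Android) for
the 'domain' entered when joining an EAP network. Stdlib only."""

def _labels(name):
    """DNS labels, lower-cased, without a trailing dot; [] for an empty name."""
    return [label for label in name.lower().rstrip(".").split(".") if label]

def domain_suffix_match(domain, san_dns_names, subject_cn=None):
    """True if some dNSName in the server certificate ends with all the labels
    of `domain`, compared label by label from the top-level domain down. When
    the certificate has no dNSName at all, the subject CN is compared instead
    (it is ignored when dNSNames exist). 'ikrotik.test' therefore does not
    match 'radius.mikrotik.test': labels, not substrings, are compared."""
    want = _labels(domain)
    if not want:
        return False
    names = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    for name in names:
        have = _labels(name)
        if len(have) >= len(want) and have[-len(want):] == want:
            return True
    return False

# Constructed example matching the page: the server certificate carries
# DNS:radius.mikrotik.test and the user enters 'mikrotik.test' on Android.
SERVER_SAN = ["radius.mikrotik.test"]

if __name__ == "__main__":
    for entered in ("mikrotik.test", "radius.mikrotik.test", "ikrotik.test", "test"):
        print(f"{entered!r}: {domain_suffix_match(entered, SERVER_SAN)}")
```

Note the last case: entering only the top-level label 'test' also matches, and would equally match a certificate issued to any other host under .test, so users should be told to enter the full domain ('mikrotik.test') together with installing the exported radius-ca certificate; the domain check limits which names are accepted, the CA installation limits who can issue them.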

...