...
- Be valid and signed by an authority that is trusted by the device running User Manager
- Have the user name in the Subject Alternative Name (SAN) field. For backward compatibility, it can also be placed in the Common Name (CN) field. For more information, see: https://datatracker.ietf.org/doc/html/rfc5216#section-5.2
Finally, the WPA3 Enterprise specification includes an optional higher-security mode that provides 192-bit cryptographic strength.
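The user-certificate requirements above are what User Manager checks before it accepts an EAP-TLS peer: the chain must end at a trusted CA, and the user name is read from the SAN first, with the CN as a fallback (RFC 5216, section 5.2). The script below is an added example, not code from the MikroTik page, that issues throwaway certificates with the openssl CLI and performs both checks; the CA names, user names and the `mikrotik.test` addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the MikroTik page): issue throwaway user
# certificates and check them the way User Manager must before accepting an
# EAP-TLS peer. Assumes the openssl CLI is installed; every name below is
# constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX: self-signed CA written to PREFIX.key / PREFIX.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$(basename "$1") CA" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert CA_PREFIX NAME CN SAN_EMAIL: client-auth certificate signed by CA.
# Pass an empty SAN_EMAIL to mimic a legacy certificate that only carries the CN.
issue_cert() {
    ca=$1; name=$2; cn=$3; san=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/$name.ext"
    if [ -n "$san" ]; then
        printf 'subjectAltName=email:%s\n' "$san" >> "$WORK/$name.ext"
    fi
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_chain CA_CRT CERT: succeed only if CERT chains to CA_CRT.
# The ": OK" text is checked rather than the exit status because openssl
# versions before 1.1.0 exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# eap_identity CERT: print the peer name to look up in /user-manager user.
eap_identity() {
    # Preferred: rfc822Name entry of the Subject Alternative Name extension
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;s/.*email:\([^,[:space:]]*\).*/\1/p;}')
    if [ -n "$san" ]; then
        printf '%s\n' "$san"
        return 0
    fi
    # Backward-compatible fallback: the Common Name of the subject
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] || return 1
    printf '%s\n' "$cn"
}

make_ca "$WORK/lab"      # the CA User Manager trusts
make_ca "$WORK/rogue"    # a CA it does not trust
issue_cert "$WORK/lab"   maija   "Maija Example"       maija@mikrotik.test    # SAN wins over CN
issue_cert "$WORK/lab"   paija   paija@mikrotik.test   ""                     # legacy: CN only
issue_cert "$WORK/rogue" mallory mallory@mikrotik.test mallory@mikrotik.test  # untrusted issuer

for user in maija paija mallory; do
    if verify_chain "$WORK/lab.crt" "$WORK/$user.crt"; then
        printf '%-8s accepted, EAP identity: %s\n' "$user" "$(eap_identity "$WORK/$user.crt")"
    else
        printf '%-8s rejected: not signed by a trusted authority\n' "$user"
    fi
done
```

Note that `maija` is identified by the SAN e-mail address even though her CN is a display name, while `paija` is only accepted because of the CN fallback; a certificate issued by the rogue CA is rejected before its name is ever looked at, which is the order User Manager's trust check and user lookup must follow too.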
...
```routeros
# Enabling User Manager and specifying which certificate to use
/user-manager set enabled=yes certificate=userman-cert
# Enabling CRL checking to avoid accepting revoked user certificates
/certificate settings set crl-download=yes crl-use=yes
# Adding access points
/user-manager router
add name=ap1 address=10.0.0.11 shared-secret="Use a secure password generator for this"
add name=ap2 address=10.0.0.12 shared-secret="Use a secure password generator for this too"
# Limiting allowed authentication methods
/user-manager user group
set [find where name=default] outer-auths=eap-tls,eap-peap
add name=certificate-authenticated outer-auths=eap-tls
# Adding users
/user-manager user
add name=maija@mikrotik.test group=certificate-authenticated
add name=paija@mikrotik.test group=default password="right mule accumulator nail"
```
...
```routeros
# Configuring the RADIUS client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this" service=wireless timeout=1s
/radius incoming
set accept=yes
# Adding a security profile and applying it to wireless interfaces
/interface/wireless/security-profile
add name=radius mode=dynamic-keys authentication-types=wpa2-eap
/interface/wireless
set [find] security-profile=radius
```
...
```routeros
# Configuring the RADIUS client
/radius
add address=10.0.0.10 secret="Use a secure password generator for this too" service=wireless timeout=1s
/radius incoming
set accept=yes
# Configuring the enabled authentication types. This can also be done via a security profile,
# but note that interface properties, if specified, override profile properties
/interface/wifiwave2
set [find] security.authentication-types=wpa2-eap,wpa3-eap
```
...
When connecting to a network with EAP authentication, Android devices ask the user to specify a 'domain'. This is the domain that the host name in the RADIUS server's TLS certificate is expected to belong to ('mikrotik.test' in our example); Android checks the server certificate against it, so it must match the certificate User Manager presents.
...