Comment: Add configuration lines to accept CoA messages from RADIUS server.

...

  1. Be valid and signed by a certificate authority that is trusted by the device running User Manager
  2. Have the user name in the Subject Alt Name (SAN) field. For backward compatibility, you can also add it in the Common Name (CN) field. For more information please see: https://datatracker.ietf.org/doc/html/rfc5216#section-5.2
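Issuing certificates that satisfy the two requirements above, as an added example that is not part of the original page or of MikroTik's documentation. It is run on the device running User Manager, so the CA it creates is trusted there automatically; the certificate names other than userman-cert, the host name userman.mikrotik.test, the validity periods and the export passphrase are illustrative assumptions.

```ros
# Added example (not from the original page): create a private CA, the server
# certificate that User Manager presents, and a user certificate whose SAN
# carries the user name, as RFC 5216 section 5.2 allows.
# Certificate names other than userman-cert, the host name and the validity
# periods are assumptions for this example.
/certificate
# 1. Private CA, created locally so the User Manager device already trusts it
add name=ca common-name="mikrotik.test CA" key-usage=key-cert-sign,crl-sign days-valid=3650
sign ca
# 2. Server certificate used by User Manager for EAP-TLS and EAP-PEAP.
#    Clients check the host name in this certificate against the CA they trust.
add name=userman-cert common-name=userman.mikrotik.test subject-alt-name=DNS:userman.mikrotik.test key-usage=tls-server days-valid=730
sign userman-cert ca=ca
# 3. User certificate: the user name goes into the SAN as an e-mail name and is
#    repeated in the CN for older clients, matching the requirements above
add name=maija common-name=maija@mikrotik.test subject-alt-name=email:maija@mikrotik.test key-usage=tls-client days-valid=365
sign maija ca=ca
# 4. Export the user certificate with its private key for the client device,
#    and the CA certificate so the client can verify the server certificate
export-certificate maija type=pkcs12 export-passphrase="choose a strong passphrase"
export-certificate ca type=pem
# 5. Verify that the SAN and CN were set as intended before handing the file out
print detail where name=maija
```

The user certificate is assigned to the certificate-authenticated group on the User Manager side by its user name, so the name in the SAN must match the name given in /user-manager user exactly.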

Finally, the WPA3 Enterprise specification also defines an extra-secure mode, which provides 192-bit cryptographic security.

...

Commands executed on device running User Manager:

# Enabling User Manager and specifying which certificate to use
/user-manager
set enabled=yes certificate=userman-cert
# Enabling CRL checking to avoid accepting revoked user certificates
/certificate settings
set crl-download=yes crl-use=yes
# Adding access points (the shared secret must match the one configured on each access point)
/user-manager router
add name=ap1 address=10.0.0.11 shared-secret="Use a secure password generator for this"
add name=ap2 address=10.0.0.12 shared-secret="Use a secure password generator for this too"
# Limiting allowed authentication methods
/user-manager user group
set [find where name=default] outer-auths=eap-tls,eap-peap
add name=certificate-authenticated outer-auths=eap-tls
# Adding users (the certificate-authenticated user needs no password; the user name must match the name in the certificate)
/user-manager user
add name=maija@mikrotik.test group=certificate-authenticated
add name=paija@mikrotik.test group=default password="right mule accumulator nail"

...

Commands executed on ap1:

# Configuring RADIUS client (the secret must match the one configured for ap1 in User Manager)
/radius
add address=10.0.0.10 secret="Use a secure password generator for this" service=wireless timeout=1s
# Accepting incoming CoA (Change of Authorization) and disconnect messages from the RADIUS server
/radius incoming
set accept=yes
# Adding a security profile and applying it to wireless interfaces
/interface/wireless/security-profile
add name=radius mode=dynamic-keys authentication-types=wpa2-eap
/interface/wireless
set [find] security-profile=radius

...

Commands executed on ap2:

# Configuring RADIUS client (the secret must match the one configured for ap2 in User Manager)
/radius
add address=10.0.0.10 secret="Use a secure password generator for this too" service=wireless timeout=1s
# Accepting incoming CoA (Change of Authorization) and disconnect messages from the RADIUS server
/radius incoming
set accept=yes
# Configuring enabled authentication types. This can also be done via a security profile,
# but note that interface properties, if specified, override profile properties
/interface/wifiwave2 set [find] security.authentication-types=wpa2-eap,wpa3-eap

...

When connecting to a network with EAP authentication, Android devices ask the user to specify a 'domain'. This is the domain that the host name in the RADIUS server's TLS certificate must belong to ('mikrotik.test' in our example); the connection is refused if the certificate does not match it.

...