Mikrotik – RADIUS Wireless Authentication Guide

This is a step-by-step guide for configuring RADIUS authentication for Mikrotik Wireless against Windows Network Policy Server (NPS) on Windows Server 2008 R2 through 2016.

 

RADIUS lets users authenticate to the wireless network with their domain credentials instead of a static WPA2 pre-shared key that rarely changes. That matters for keeping terminated employees out: disable the user's Active Directory account and they are off the WiFi, rather than rotating the PSK on every device each time someone leaves. This guide covers only the RADIUS authentication; protecting the rest of the network is still up to you, e.g. putting wireless networks on their own VLANs or subnets and isolating them as fits your environment (RADIUS for the private network, a WPA2 pre-shared key for the guest network).

Overview

An SSID with a pre-shared key alone is not secure enough, especially for HIPAA clients: one shared secret is known to everyone who has ever connected and cannot be revoked per user.

For stronger security, use RADIUS: a user's desktop Windows credentials are also their WiFi credentials, and if a user is terminated, disabling that one account in Active Directory locks them out of the network.

 

The Mikrotik will need a static IP Address

IP > Addresses > + > 192.168.X.X/24 (on the interface that reaches the domain controller; this is the address you will register as the RADIUS client in NPS, so it must not change)

Configure RADIUS on Domain Controller

Install RADIUS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services (include the management tools).

Configure Active Directory

Server Manager > Tools > Active Directory Users and Computers > Select OU (e.g. Company > Groups) > Action > New > Group > WiFiUsers > Add Members (e.g. John, Bob, Alice). You could use any group, but since we are focused on strong security, only give WiFi to those who need it.

Register Permissions

NPS must be registered in Active Directory so it can read the dial-in properties of user accounts (this adds the server to the RAS and IAS Servers group).

Start > cmd.exe > Right-Click > Run As Administrator

netsh nps add registeredserver

Add Trusted Client Device

Server Manager > Tools > Network Policy Server

RADIUS Clients and Servers > Clients > New

Enter a name for the device and the IP address of the Mikrotik CAPsMAN controller or standalone access point. Use the address the RADIUS requests actually come from: NPS discards requests from addresses that are not registered clients.

Shared Secret > Click Generate > Generate, or type a manual secret. Copy it down; you will need it on the Mikrotik. Use a long random string, since the shared secret is all that authenticates the access point to NPS and protects the RADIUS exchange.

 

Add Policy

Server Manager > Tools > Network Policy Server

Policies > Connection Request Policies > Right-Click > New

Provide a Name (e.g. WiFiUsers)

Type of Network Access Server: Unspecified

Next

 

Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other

Next

Authentication > CHECK: Authenticate Requests on this server

 

Policies > Network Policies > Right-Click > New

Give it a name, enable, and Check: Grant Access

CHECK: Ignore user account dial-in properties (so a user's Dial-in tab cannot override this policy)

Type of network access server: unspecified

Conditions > Add > Windows Groups > Add “AD Group Name”

Conditions > Add > NAS Port Type

Common 802.1X connection tunnel types: Wireless – IEEE 802.11

Others: Wireless-Other

Settings > IP Settings > CHECK: Client may request an IP address > OK.

 

Constraints: Authentication Methods:

  • Protected EAP > Select > Edit > Certificate issued: choose the server certificate that clients will validate. A certificate from an internal AD CS enterprise CA works for domain-joined clients (they already trust its root); a publicly signed certificate on a real FQDN (e.g. server.main.company.com) works for any client. If you have neither, the guide's fallback is the certificate issued to "localhost", but clients must then be configured to trust that certificate explicitly. Do not work around certificate problems by telling clients to skip server validation: PEAP without server validation lets a rogue access point broadcasting the same SSID capture the MSCHAPv2 challenge/response.
    • Wildcard certificates do not work (clients fail to connect). A .local domain cannot get a publicly signed certificate.
  • EAP-MSCHAPv2 as the inner method (this is what lets domain passwords be used).

Customize DHCP (If your Windows DC is providing DHCP)

The guide's author found Network Access Protection (NAP) enforcement enabled on the DHCP scopes. While it is enabled, the DHCP server will not hand out an address to just any client, so wireless users authenticate but never get a lease. Disable NAP on your IPv4 scopes.

Server Manager > Tools > DHCP > Expand > IPv4 > Right-Click > Properties > Network Access Protection > Disable on all scopes
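The domain-controller side of the procedure above, scripted in PowerShell, as an added example that is not part of the original guide. It installs NPS, creates the least-privilege group, registers the server, generates a shared secret, adds the Mikrotik as a RADIUS client, clears NAP from the DHCP scopes if DHCP is present, and shows how to verify logons. The OU path, group members, the Mikrotik address 192.168.1.2 and the backup path are assumptions; change them to fit. The network and connection request policies still have to be created as described above (the NPS PowerShell module manages clients and configuration import/export, not policies), so run the export step after the GUI work is done.

```powershell
# Added example, not from the original guide. Run as a domain admin on the NPS/DC host.
# Windows PowerShell 5.1 on Server 2012 R2 / 2016 (the NPS module is not available on 2008 R2).
# Assumed values: OU path, group members, Mikrotik address 192.168.1.2, backup path.

# 1. Install NPS with its management tools
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Least-privilege group: only members get onto the RADIUS SSID
New-ADGroup -Name 'WiFiUsers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,OU=Company,DC=main,DC=company,DC=com' -Description 'Allowed on the RADIUS SSID'
Add-ADGroupMember -Identity 'WiFiUsers' -Members 'john', 'bob', 'alice'

# 3. Register NPS in AD (adds the server to "RAS and IAS Servers" so it can read dial-in properties)
netsh nps add registeredserver

# 4. Generate a 256-bit shared secret; the same string goes into the Mikrotik /radius entry
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
Write-Host "RADIUS shared secret (store it in your password manager): $secret"

# 5. Add the Mikrotik as a RADIUS client. Address must equal the source IP of its RADIUS packets
New-NpsRadiusClient -Name 'Mikrotik-CAPsMAN' -Address '192.168.1.2' -SharedSecret $secret

# 6. Check that the inbound RADIUS rules (UDP 1812/1813) created by the NPS install are enabled
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Select-Object DisplayName, Enabled, Direction

# 7. Only if this host also serves DHCP: turn NAP enforcement off on every IPv4 scope
if (Get-WindowsFeature -Name DHCP | Where-Object Installed) {
    Get-DhcpServerv4Scope | Set-DhcpServerv4Scope -NapEnable $false
}

# 8. After the policies are built in the NPS console, snapshot the configuration so it can be
#    versioned or loaded on a second NPS with Import-NpsConfiguration.
#    The XML contains the shared secrets in clear text: protect the file like a password.
Export-NpsConfiguration -Path "C:\Backup\nps-$(Get-Date -Format yyyyMMdd).xml"

# 9. Verify after a client tries to connect: 6272 = access granted, 6273 = access denied
#    (the 6273 message carries the Reason Code explaining why)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Step 9 is the first place to look when a user cannot connect: a 6273 with a reason code means the Mikrotik reached NPS and the policy or credentials rejected the user, while no event at all usually means the shared secret or client address is wrong and NPS dropped the request.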

Configure RADIUS on Mikrotik WiFi CAPsMAN Controller

# Run on the CAPsMAN controller: it sends the RADIUS requests, so its address is the NPS client entry.
:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
:global DCIPAddress "192.168.1.5"
# service=wireless is what makes CAPsMAN use this server (/ppp aaa only affects PPP tunnels, not WiFi).
# The default 300ms timeout is often too short for NPS to query AD, so allow 3 seconds.
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813 timeout=3s
/caps-man security add name=RADIUSWiFi authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes
# Attach the security profile to the configuration your provisioning rule hands to the CAPs (SSID is an example).
/caps-man configuration add name=RADIUSWiFi-cfg ssid="CorpWiFi" security=RADIUSWiFi
# Verify: accepts, rejects and timeouts against the NPS server.
/radius monitor 0 once

Configure RADIUS on Mikrotik WiFi Standalone Access Point

:global RADIUSSharedSecret "YourUltraSecureRADIUSSecret"
:global DCIPAddress "192.168.1.5"
# service=wireless makes the wireless interface use this server (/ppp aaa only affects PPP tunnels, not WiFi).
/radius add service=wireless address=$DCIPAddress secret=$RADIUSSharedSecret authentication-port=1812 accounting-port=1813 timeout=3s
# dynamic-keys + wpa2-eap + passthrough: the AP relays EAP to NPS and no pre-shared key is used.
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough unicast-ciphers=aes-ccm group-ciphers=aes-ccm radius-eap-accounting=yes group-key-update=1h
# Verify: the wlan interface should reference the profile, and the counters should show accepts rather than timeouts.
/interface wireless print detail where security-profile=default
/radius monitor 0 once

Now when you connect, select the RADIUS SSID and enter your username (domain\username) and password to log in. If a login is refused, check the NPS Security event log first (event 6273 includes the reason code) before suspecting the Mikrotik.
