Please note that the below configuration was tested with RouterOS 6.47.4 and 6.49.11

To establish a valid TLS connection, your client has to know the RADIUS Server Certificate and your RADIUS Server needs to know your Client Certificate. To import your Server Certificate, follow these steps:

  1. Download your RADIUS Server Certificate as described here.

  2. Log on to your MikroTik device, then upload the RADIUS Server Certificate to the MikroTik device using the Files menu on the left.

  3. Once uploaded, switch to your Terminal tab on the top right and execute the following command to import this certificate to MikroTik's certificate store:

/certificate import file-name="RADIUS Customer CA - Contoso.cer"
  1. If you have not already gotten a certificate for your router, generate one as per the below example. For more information about creating certificates, click here.


/certificate add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate add name=mikrotik-client common-name=mikrotik-client
/certificate sign mikrotik-client ca=myCa name=mikrotik-client

In the above example, the first line creates a self-signed certificate authority called myCa. The second line generates a device certificate for the MikroTik device, and the third line uses myCa (CA) to sign the mikrotik-client certificate generated in step 2. If all went well, you would end up with three certificates as shown below. If certificate does not have T flag (green section), then you need to set it as trusted before using it. See command below.

set myCa trusted=yes
set "RADIUS Customer CA - Contoso.cer" trusted=yes
  1. Export the root CA certificate (myCa) that has issued your RadSec client certificate above:

/certificate export-certificate myCa
  1. Download it from the Files menu and then upload the file to your RADIUS instance as a trusted RadSec connection certificate.

  2. Switch back to your WebFig, add a new RADIUS profile and enter the following information:

  • Use the IP address from your Server Settings page.

  • Protocol: radsec

  • Secret: radsec

  • Authentication Port: 2083

  • Accounting Port: 2083

  • Certificate: mikrotik-client (generated in step 4)

  1. Go to Wireless add a new Security Profile and enter the following information:

  • Name: on your behalf

  • Mode: dynamic keys

  • EAP Methods: passthrough

  • TLS Mode: verify certificate

  • TLS Certificate: the imported RADIUS Server certificate

  1. Switch to your WiFi Interfaces and apply your Security Profile to the interface.

Last updated