MikroTik

Prepare certificates

To establish a valid RadSec connection, the MikroTik Access Points must trust the RADIUS Server Certificate and your RADIUS server must trust the RadSec Client Certificate. To achieve this, follow below steps:

Option 1: Using the SCEPman PKI

1. Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described here. Since you are using SCEPman, that might be your SCEPman Root CA certfiicate.

2. Log on to your MikroTik device, then upload the certificate from step 1 above to the MikroTik device using the Files menu on the left.

3. Once uploaded, switch to your Terminal tab on the top right and execute the following command to import this certificate to MikroTik's certificate store:

/certificate import file-name="scepman-root.cer"

1. Generate a RadSec Client Certificate using SCEPman Certificate Master by navigating to the Client Certificate menu:

1. Once the RadSec Client Certificate is downloaded, extract the private key, e.g. using OpenSSL, as this will have to be imported to the access point separately:

openssl pkey -in yourfile.pem -out private.key

1. Upload both files, the certificate and the private key via the Files menu. Then import the certificate first and then the private key. During the import process the private key will merge with the certificate indicated by a letter 'K' as shown below.

Option 2: Using other PKIs

1. Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described here.

2. Log on to your MikroTik device, then upload the certificate from step 1 above to the MikroTik device using the Files menu on the left.

3. Once uploaded, switch to your Terminal tab on the top right and execute the following command to import this certificate to MikroTik's certificate store:

/certificate import file-name="RADIUS Customer CA - Contoso.cer"

1. If you have not already generated RadSec Client Certificate for MikroTik AP, generate one as per the below example. For more information about creating certificates, click here.

Example:

/certificate add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate add name=mikrotik-client common-name=mikrotik-client
/certificate sign mikrotik-client ca=myCa name=mikrotik-client

In the above example, the first line creates a root CA called myCa. The second line generates a client certificate for the MikroTik device, and the third line uses myCa (CA) to sign the mikrotik-client certificate generated in step 2. If all went well, you would end up with three certificates as shown below. Please ensure your MikroTik device trusts the relevant certificates (T flag in the green section). If that is not the case yet, set the flag using below command:

/certificate
set myCa trusted=yes
set "RADIUS Customer CA - Contoso.cer" trusted=yes

1. Export the root CA certificate (myCa) that has issued your RadSec Client Certificate above:

/certificate export-certificate myCa

1. Download it from the Files menu and then upload the file to your RADIUSaaS instance as described here and select RadSec under Use for. Once completed, continue configuring your MikroTik AP as per below and use Option 1 for certificates.

MikroTik Configuration

1. Switch back to your WebFig, add a new RADIUS profile and enter the following information:

1. Go to Wireless, add a new Security Profile and enter the following information:

1. Switch to your Wi-Fi Interfaces and assign your Security Profile to the interface.