MikroTik
Please note that the configuration below was tested with RouterOS 6.47.4 and 6.49.11.
To establish a valid TLS connection, your client has to know the RADIUS Server Certificate and your RADIUS Server needs to know your Client Certificate. To import your Server Certificate, follow these steps:
Download your RADIUS Server Certificate as described here.
Log on to your MikroTik device, then upload the RADIUS Server Certificate to the MikroTik device using the Files menu on the left.
Once uploaded, switch to your Terminal tab on the top right and execute the following command to import this certificate to MikroTik's certificate store:
If you do not already have a certificate for your router, generate one as per the example below. For more information about creating certificates, click here.
Example:
In the above example, the first line creates a self-signed certificate authority called myCa. The second line generates a device certificate for the MikroTik device, and the third line uses myCa (CA) to sign the mikrotik-client certificate generated in step 2. If all went well, you will end up with three certificates as shown below. If a certificate does not have the T flag (green section), you need to set it as trusted before using it. See command below.
Export the root CA certificate (myCa) that has issued your RadSec client certificate above:
Download it from the Files menu and then upload the file to your RADIUS instance as a trusted RadSec connection certificate.
Switch back to your WebFig, add a new RADIUS profile and enter the following information:
Use the IP address from your Server Settings page.
Protocol: radsec
Secret: radsec
Authentication Port: 2083
Accounting Port: 2083
Certificate: mikrotik-client (generated in step 4)
Go to Wireless, add a new Security Profile and enter the following information:
Name: on your behalf
Mode: dynamic keys
EAP Methods: passthrough
TLS Mode: verify certificate
TLS Certificate: the imported RADIUS Server certificate
Switch to your WiFi Interfaces and apply your Security Profile to the interface.
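The whole procedure above as RouterOS terminal commands, as an added example that is not taken from the original page. The file name radius-server.cer, the address 192.0.2.10, the service=wireless setting, the profile name radsec-eap and the interface wlan1 are assumed placeholders; myCa, mikrotik-client and the RadSec settings are the ones used on this page.

```routeros
# Added example, not from the original page. Placeholders are marked as such.

# Import the uploaded RADIUS server certificate into the certificate store.
# radius-server.cer is a placeholder for the file you uploaded under Files.
/certificate import file-name=radius-server.cer passphrase=""

# Create the certificate authority myCa and self-sign it.
/certificate add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate sign myCa

# Create the device certificate and sign it with myCa.
/certificate add name=mikrotik-client common-name=mikrotik-client
/certificate sign mikrotik-client ca=myCa

# Set the trusted (T) flag if it is missing, then check the flags and the
# exact names of all certificates, including the imported server certificate.
/certificate set mikrotik-client trusted=yes
/certificate print

# Export only the public CA certificate. Without an export passphrase the
# private key stays on the router. The file appears under Files
# (expected name: cert_export_myCa.crt).
/certificate export-certificate myCa

# RADIUS profile with the values listed above.
# 192.0.2.10 is a placeholder for the IP address from your Server Settings page.
# service=wireless is an assumption for Wi-Fi authentication.
/radius add service=wireless address=192.0.2.10 protocol=radsec secret=radsec \
    authentication-port=2083 accounting-port=2083 certificate=mikrotik-client

# Wireless security profile with the values listed above.
# radsec-eap is a placeholder profile name. radius-server.cer_0 is the name
# RouterOS is assumed to give the imported certificate; use the name shown
# by "/certificate print".
/interface wireless security-profiles add name=radsec-eap mode=dynamic-keys \
    eap-methods=passthrough tls-mode=verify-certificate \
    tls-certificate=radius-server.cer_0

# Apply the security profile to the Wi-Fi interface (wlan1 is a placeholder).
/interface wireless set wlan1 security-profile=radsec-eap
```

With tls-mode=verify-certificate the router rejects a server certificate it cannot validate, so confirm that the imported server certificate carries the T flag before applying the profile.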