Mikrotik WIFI
Latest revision as of 09:00, 31 July 2025
General Overview
The new Mikrotik WiFi stack is highly configurable (perhaps too much so) and takes a fair amount of swearing to set up when more than one network is needed.
At some point it was renamed from "wifiwave2" to plain "WiFi" (RouterOS 7.13), so the menu names changed accordingly.
It is distinct from the traditional CAPsMAN (the WIRELESS → CAPsMAN menu), which is still present and can still be used with non-AX devices.
Basic Configuration
On the controller, CAPsMAN must be enabled:
WiFi menu → "Remote CAP" tab → CAPsMAN button: enable it and bind it to the main bridge.
On the CAPs: go to the WiFi (formerly WiFiwave2) CAP menu → ENABLE, add the WiFi interfaces (usually one per radio) and the CAPsMAN address.
Select the WiFi interfaces and, under CONFIGURATION, set CAPsMAN as the manager.
WARNING: the WiFi interfaces must be added to the main bridge.
WARNING2 (struck through by the author in the latest revision): even the dynamic ones (automatically generated from slave interfaces) must be added to the main bridge. To do this automatically, create a LIST of all interfaces (or at least the dynamic ones) and add it to the bridge; otherwise nothing works properly.
There may already be an "all" list ready for this purpose. I lost 2 hours figuring this out :(
This must also be done on the remote CAPs.
WARNING3: the bridges end up with the same MAC address (presumably because the bridge MAC travels along with the configuration cloned from one AP to the next, see deployment below), and two bridges sharing one MAC on the same segment make the upstream switch see that address flapping between ports, so the APs conflict with each other. Disable auto-mac and enable admin-mac with a unique assigned MAC address on every AP.
For deployment:
- completely wipe the configuration
- import the configuration exported from another AP (`/export file=capconfig`), changing only the identity, the IP address and the bridge MAC
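The procedure above as RouterOS 7 CLI, added here as an example rather than the wiki's own export. bridge1, 192.168.88.1, wifi1/wifi2, the SSID, the security profile name and the admin-mac value are assumptions. The certificate options on the controller and lock-to-caps-man on the CAP are not on the page: they are CAPsMAN's mutual-authentication settings, added so that an unknown CAP cannot join the controller and a second controller on the LAN cannot take the radios over. The datapath with bridge=bridge1 names the bridge on each CAP into which CAPsMAN places the dynamic slave interface; the "all" list bridge port is the page's own workaround for WARNING2 and is shown as the page describes it.

```routeros
# ===== Controller (CAPsMAN) =====
/interface/wifi/capsman
set enabled=yes interfaces=bridge1 certificate=auto ca-certificate=auto \
    require-peer-certificate=yes
# Datapath pushed to the CAPs: "bridge1" here is the name of the bridge ON THE
# CAP; the CAP adds the dynamic slave interface CAPsMAN creates to that bridge.
/interface/wifi/datapath
add name=dp-main bridge=bridge1
# sec-office is assumed to exist (see the security profiles further down the page)
/interface/wifi/configuration
add name=cfg-main ssid=Office datapath=dp-main security=sec-office
/interface/wifi/provisioning
add action=create-dynamic-enabled master-configuration=cfg-main

# ===== Each CAP =====
# WARNING3: fixed, unique bridge MAC instead of the one cloned with the config.
# 02:... is a locally administered address; pick a different one per AP.
/interface/bridge
set bridge1 auto-mac=no admin-mac=02:00:00:00:00:11
# WARNING / WARNING2 as the page does it: the built-in "all" interface list as a
# bridge port, so dynamic wifi slaves also land in bridge1. This port has to be
# disabled temporarily when a VLAN interface is added to another bridge.
/interface/bridge/port
add bridge=bridge1 interface=all comment="page's workaround for dynamic wifi slaves"
# Hand the radios to the controller. certificate=request fetches a CAP
# certificate from the controller; lock-to-caps-man pins the CAP to it.
/interface/wifi/cap
set enabled=yes caps-man-addresses=192.168.88.1 discovery-interfaces=bridge1 \
    certificate=request lock-to-caps-man=yes
/interface/wifi
set [ find default-name=wifi1 ] configuration.manager=capsman
set [ find default-name=wifi2 ] configuration.manager=capsman

# ===== Cloning to the next AP =====
# on the configured AP:
/export file=capconfig
# on the new AP after a full wipe (/system/reset-configuration no-defaults=yes):
# upload capconfig.rsc with identity, bridge IP address and admin-mac edited, then
/import file-name=capconfig.rsc
```

After the import, `/interface/wifi/capsman/remote-cap print` on the controller should list the new CAP with its certificate common name; a CAP that shows up without one means require-peer-certificate is not doing anything yet.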
VLAN
This is where the mess starts.
The simplest path is to create a VLAN interface with the appropriate VLAN ID and attach it to the main bridge (on the CAPsMAN controller).
If a virtual network on the controller is required for that VLAN:
- create the VLAN interface (on the controller)
- create a bridge with its PVID set to that VLAN. A DHCP server with the appropriate pool can run on this bridge
- if the network needs to reach the internet, add a srcnat masquerade rule in the firewall
- VERY IMPORTANT: in bridge → ports, add the VLAN interface just created and set the PVID in the VLAN tab, otherwise nothing will work
Warning: if the "all" interface list is a port of bridge1 (see WARNING2 above), this operation is refused because the VLAN interface already belongs to that bridge. Temporarily disable that bridge port.
- in the WiFi configuration, set the correct VLAN ID (the PVID)
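The VLAN steps above as controller-side CLI, added here as an example and not taken from the wiki. VLAN 20, the 10.20.0.0/24 subnet, the interface and profile names and the WAN interface list are assumptions; the steps follow the page's design (VLAN interface on bridge1, second bridge with that PVID, VLAN interface as a port of the second bridge). The last two firewall rules are not on the page: they are what makes the VLAN a separate network, because without them the controller routes guest clients straight into the internal LAN.

```routeros
# 1. VLAN interface on the main bridge
/interface/vlan
add name=vlan20-guest vlan-id=20 interface=bridge1

# 2. Second bridge for the guest network, PVID = the VLAN; DHCP lives here.
#    WARNING3 applies to this bridge as well, hence the fixed MAC.
/interface/bridge
add name=bridge-guest pvid=20 auto-mac=no admin-mac=02:00:00:00:00:20
/ip/address
add address=10.20.0.1/24 interface=bridge-guest
/ip/pool
add name=pool-guest ranges=10.20.0.10-10.20.0.250
/ip/dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest lease-time=1h
/ip/dhcp-server/network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# 3. Internet access for the guest network
/ip/firewall/nat
add chain=srcnat src-address=10.20.0.0/24 out-interface-list=WAN action=masquerade

# 4. The VERY IMPORTANT step: the VLAN interface becomes a port of the guest
#    bridge with the same PVID. If the "all" list is a port of bridge1,
#    disable that bridge port first or this add is refused.
/interface/bridge/port
add bridge=bridge-guest interface=vlan20-guest pvid=20

# 5. WiFi side: client traffic of this SSID is tagged with the VLAN
#    (the "PVID" in the page's wording is datapath.vlan-id). client-isolation
#    keeps guest clients from talking to each other over the AP.
/interface/wifi/security
add name=sec-guest authentication-types=wpa2-psk,wpa3-psk passphrase="guest-example-passphrase"
/interface/wifi/datapath
add name=dp-guest bridge=bridge1 vlan-id=20 client-isolation=yes
/interface/wifi/configuration
add name=cfg-guest ssid=Guest datapath=dp-guest security=sec-guest

# 6. Isolation (not on the page). Order matters: these must sit before any
#    forward rule that accepts traffic from all LAN interfaces.
/ip/firewall/filter
add chain=forward in-interface=bridge-guest out-interface-list=WAN action=accept \
    comment="guest -> internet only"
add chain=forward in-interface=bridge-guest action=drop comment="guest -> LAN/other VLANs"
```

A quick check from a guest client: it should obtain a 10.20.0.x lease, reach the internet, and get no reply when pinging an address in the main LAN. If it does get a reply, a forward rule above rule 6 is accepting it.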
FAST ROAMING
WARNING: it must be enabled by selecting the [FT] flag in the security section.
It has been verified not to work with WPA3 on some recent Android devices (an Android issue).
Enterprise WPA2 EAP - Certificate Authentication
Requires User Manager 5 to be active and configured.
WiFi Configuration
Just set up a network whose security profile authenticates via WPA2 EAP and WPA3 EAP.
Authentication Configuration
A user group must be created in User Manager:
/user-manager user group add name=certificate-authenticated outer-auths=eap-tls
Users must be added to that group (can also be done from the menu):
/user-manager user add name=fvettore@cifarelli.loc group=certificate-authenticated
Generate Certificates on CAPsMAN
To generate the CA (only once; it is used to sign the client certificates). The CA private key then lives on the router, so protect router access accordingly:
/certificate add name=radius-ca common-name="RADIUS CA" key-size=secp384r1 digest-algorithm=sha384 days-valid=1825 key-usage=key-cert-sign,crl-sign
/certificate sign radius-ca
To generate a user certificate (signed by the CA above; key-usage=tls-client so the certificate cannot be reused as a server certificate):
/certificate add name=fvettore-client-cert common-name=fvettore@cifarelli.loc key-usage=tls-client days-valid=800 key-size=secp384r1 digest-algorithm=sha384
/certificate sign fvettore-client-cert ca=radius-ca
To export the certificates (the CA as a public certificate only; the client certificate as PKCS#12 with its private key, which is why it must be protected by an export passphrase of at least 8 characters):
/certificate export-certificate radius-ca file-name=radius-ca
/certificate export-certificate fvettore-client-cert type=pkcs12 export-passphrase="**********"
The exported files can be downloaded from the Files menu; delete them from the router afterwards, since the PKCS#12 file contains the user's private key.
To import into Windows, double-click the certificate files (the default options are more or less fine); the PKCS#12 file asks for the export passphrase.
Windows Configuration
Connect to the network and select “certificate authentication.”
If multiple certificates are installed on the client, select the one imported above.
Enterprise WPA2 EAP - Username and Password Authentication
Radius Configuration
In the RADIUS client entry, enable the wireless service.
User Manager 5 must be active and configured.
User Manager Configuration
Create a certificate for User Manager (key usage: tls-server) and sign it with a local CA.
Select it in User Manager's [settings].
Import the local CA certificate on the PC. The original setup treats this as optional, since without it a trust confirmation is simply requested during connection, but a user who confirms a certificate from an unknown CA will do the same for a rogue access point, which then receives the MSCHAPv2 handshake. Treat the CA import as part of the client setup.
Create a group (to which users will be assigned) with outer auths: EAP-xxx (all of them) and inner auths: TTLS MSCHAP2 and PEAP MSCHAP2.
Add users and assign them to the group.
WiFi or CAPSman Configuration
Create a network profile as desired.
Create a security profile with Authentication: WPA2 EAP / WPA3 EAP; Encryption: aes ccm (ccmp); EAP Methods: passthrough; EAP accounting: yes
Enable the network
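The username/password setup as CLI on the controller, which also hosts User Manager, added here as an example and not copied from the wiki. The certificate, group, user and profile names, the RADIUS shared secret, the SSID and the server common name are assumptions; radius-ca is the CA created in the certificate-authentication section above. The User Manager "router" entry and the /radius entry must carry the same shared secret, which is the piece that usually goes wrong on first try. ft=yes is the [FT] flag from the FAST ROAMING section.

```routeros
# 1. Server certificate for User Manager: this is the certificate the clients
#    are asked to trust, so sign it with the CA the clients already have.
/certificate
add name=um-server common-name=radius.cifarelli.loc key-usage=tls-server \
    key-size=secp384r1 digest-algorithm=sha384 days-valid=825
sign um-server ca=radius-ca

# 2. User Manager: enable it, select the certificate, and register the router
#    itself as a RADIUS client (address/secret must match /radius in step 4)
/user-manager
set enabled=yes certificate=um-server
/user-manager/router
add name=self address=127.0.0.1 shared-secret="ChangeMe-long-random-shared-secret"

# 3. Group with the outer/inner EAP methods from the page, and a user in it.
#    Only the tunnelled methods are listed: plain mschap2/pap over the air
#    would expose the password to anyone relaying the exchange.
/user-manager/user/group
add name=password-authenticated outer-auths=eap-peap,eap-ttls \
    inner-auths=peap-mschap2,ttls-mschap2
/user-manager/user
add name=fvettore password="example-only-change-me" group=password-authenticated

# 4. RADIUS client on the router with the "wireless" service enabled
#    (this is the "enable wireless in the options" step)
/radius
add address=127.0.0.1 secret="ChangeMe-long-random-shared-secret" service=wireless

# 5. WiFi security profile: WPA2/WPA3 Enterprise, EAP passed through to RADIUS,
#    accounting on, fast roaming enabled
/interface/wifi/security
add name=sec-enterprise authentication-types=wpa2-eap,wpa3-eap encryption=ccmp \
    eap-methods=passthrough eap-accounting=yes ft=yes ft-over-ds=yes
/interface/wifi/configuration
add name=cfg-enterprise ssid=Corp security=sec-enterprise datapath=dp-main
```

While a client connects, `/user-manager/session print` (accounting) and `/log print where topics~"radius"` show whether the request reached User Manager at all; a client that gets a certificate prompt but then fails with no session entry almost always means the shared secrets in steps 2 and 4 differ.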
Windows Client Configuration (tested with Windows 11)
It should be enough to connect to the network: a prompt appears to confirm the certificate (if it was not issued by a CA the PC trusts, see above), then the username and password are requested. Verification takes a while and, if all goes well, it connects.
Android Client Configuration
CA certificate: "Trust on first use" (the same caveat as on Windows applies: installing the CA is the safer option).
Enter the username and password.
Confirm the certificate trust when prompted.
2FA Authentication (untested)
In the OTP Secret field, insert a Base32-encoded secret (it is an encoding of the shared secret, not a hash). One can be produced with an online Base32 encoder such as [1](https://emn178.github.io/online-tools/base32_encode.html), with two caveats: the secret then passes through a third-party web page, and Base32-encoding a word gives a secret with no more entropy than the word itself, so a randomly generated secret is preferable.
For example, encoding `giovanni12` gives `M5UW65TBNZXGSMJS`.
The same Base32 string is entered in Google Authenticator, which generates the token from it.
Test the login by accessing the console.
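Generating the OTP secret on the router instead of on a web page, as an added example that is not part of the original page and, like the section itself, untested against User Manager. It assumes RouterOS 7 (for `:rndstr`), that `otp-secret` is the CLI name of the "OTP Secret" field of a User Manager user, and the user name from the sections above. 32 Base32 characters are 160 bits, the HMAC-SHA1 key size RFC 4226 recommends.

```routeros
# Random 160-bit secret, emitted directly as Base32 (alphabet A-Z, 2-7), so it
# can be pasted into Google Authenticator without a further encoding step.
:local b32 "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
:local secret [:rndstr length=32 from=$b32]

# Store it on the User Manager user (otp-secret assumed to be the CLI name of
# the "OTP Secret" field) and print the enrolment URI once.
:local user "fvettore"
/user-manager/user set [ find name=$user ] otp-secret=$secret
:put ("otpauth://totp/Mikrotik:" . $user . "?secret=" . $secret . "&issuer=Mikrotik")
```

The URI is what QR-code generators for authenticator apps consume; print it, enrol the phone, and clear the terminal history rather than leaving the secret on screen or in a file on the router.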
