MikroTik RB2011UiAS-2HnD WPA2 Enterprise

The problem with WPA2 Personal is that every device shares a single pre-shared key (PSK). The key itself is never sent over the air, but the four-way handshake a client performs when it associates carries values derived from it, and anyone who records that handshake (or forces a fresh one by deauthenticating a client) can attack the passphrase offline at leisure. A few years ago a really good passphrase and a unique AP name might have been enough, because the PSK derivation is salted with the SSID and generic precomputed tables are useless against an unusual network name. Now there are rainbow tables running into the terabytes that cover thousands of common SSIDs, and cloud services selling cheap WPA/WPA2 password cracking, so it is getting easier for attackers to gain access to your wireless networks, and a secret every user knows is also painful to rotate when someone leaves.

A more secure way to do wireless authentication is WPA2 Enterprise with EAP-TLS: each client proves its identity with its own certificate (4096-bit RSA keys here), usually against a RADIUS server backend, so there is no shared secret to capture and a single lost device can be revoked on its own. I am going to cover the WPA2 Enterprise wireless setup with EAP-TLS in this post and then do RADIUS configuration and wireless pass-through authentication in another.

I am assuming you have already set up a wireless AP. If not, follow the guide here to get one going.

Creating a connection with EAP-TLS on the MikroTik can sometimes be a bit buggy, but most of the time it's fine.

What I am using:

  • Board Name RB2011UiAS-2HnD
  • Software Version 6.27
  • Fedora 20 on MBP Retina

Make the certs

Most of the following is based on the MikroTik documentation found here.

The first thing to do is create a private CA and the TLS certificates we are going to hand out to our clients. SSH into your MikroTik, log in as the admin user and run the following commands.

The certificates signed here are valid for 365 days by default (the template's days-valid setting), and a 4096-bit RSA key is far beyond what brute force can touch in that time or long after it. Generating the keys takes a while because of the size, on the order of 10-20 seconds each, but the wait is well worth the level of security.

/certificate
 # templates: the CA may only sign certificates and CRLs, the others keep the default key usage
 add name=ca-template common-name=MyCA key-usage=key-cert-sign,crl-sign key-size=4096
 add name=router-tls-template common-name=router-tls key-size=4096
 add name=admin-template common-name=admin-client key-size=4096
 add name=client-template common-name=client key-size=4096

Now sign them. The templates are referred to by name rather than by their position in the list (number=0, number=1, ...), so the commands do not break if the certificate list already has other entries. I am using the admin IP address of my MikroTik router for the ca-crl-host, which is 192.168.88.1 by default.

/certificate
 # the CA is self-signed; everything else is signed by it
 sign ca-template ca-crl-host=192.168.88.1 name=MyCA
 sign router-tls-template ca=MyCA name=router-tls
 sign admin-template ca=MyCA name=admin-client
 sign client-template ca=MyCA name=client

The AP will only accept client certificates that chain to a CA it trusts, so mark the CA (and the router's own certificate) as trusted:

/certificate
 set [find name=MyCA] trusted=yes
 set [find name=router-tls] trusted=yes

Now export the certificates for installation on the clients. The export-passphrase below is the passphrase protecting the exported private key (leave it off and only the certificate is written, which is all we want for the CA), so make it nice and long and put it in a password database for later use.

/certificate export-certificate MyCA
/certificate export-certificate admin-client export-passphrase=make_the_passphrase_something_fucking_long_and_crazy1
/certificate export-certificate client export-passphrase=make_the_passphrase_something_fucking_long_and_crazy2

Log in to the web console, go to the Files menu and download the exported files: the MyCA certificate, and the certificate and key for the client you are setting up (admin-client or client).

Once you have the files, install them on the client. I am running Fedora 20 with NetworkManager on an MBP Retina; in NetworkManager's connection editor the profile uses WPA & WPA2 Enterprise security with TLS authentication, MyCA as the CA certificate, the exported client certificate as the user certificate, and the exported key together with its export passphrase as the private key.
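Before importing the files it is worth checking that what came off the router is what you think it is. The script below is an added example, not part of the original post: it checks that the exported client certificate chains to MyCA, that the exported key decrypts with the export passphrase and actually belongs to that certificate, and that the key is the 4096-bit size the templates asked for, then creates the same NetworkManager profile with nmcli instead of the GUI. The file names (cert_export_<name>.crt and .key, the RouterOS 6 export naming), the interface wlp3s0, the SSID YourSSID and the property-style `nmcli connection add` syntax (NetworkManager 1.0 or later, newer than the Fedora 20 in this post) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the files exported by
# RouterOS, then creates the EAP-TLS profile with nmcli. Assumptions: RouterOS 6
# export names (cert_export_<name>.crt / .key), interface wlp3s0, SSID YourSSID,
# NetworkManager >= 1.0 for property-style "nmcli connection add".

# check_client_bundle CA_CERT CLIENT_CERT CLIENT_KEY PASSPHRASE [BITS]
# Returns 0 only if CLIENT_CERT is signed by CA_CERT, CLIENT_KEY decrypts with
# PASSPHRASE and is the private key for CLIENT_CERT, and the RSA key has the
# expected size (default 4096, the key-size used on the router).
check_client_bundle() {
    ca=$1 cert=$2 key=$3 pass=$4 want_bits=${5:-4096}

    # 1. Chain: the AP only trusts clients signed by MyCA, so check that first.
    #    Matching the ": OK" line works on every OpenSSL version, unlike the exit code.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $cert is not signed by $ca" >&2; return 1; }

    # 2. Passphrase and key/cert match: compare the public key inside the certificate
    #    with the public key derived from the decrypted private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || {
        echo "FAIL: cannot decrypt $key with that passphrase" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2; return 1; }

    # 3. Key size: the templates asked for key-size=4096; make sure that is what we got.
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" = "$want_bits" ] || {
        echo "FAIL: expected a $want_bits-bit key, got ${bits:-unknown}" >&2; return 1; }
    return 0
}

# install_connection SSID IFACE IDENTITY CA_CERT CLIENT_CERT CLIENT_KEY PASSPHRASE
# The nmcli equivalent of the NetworkManager dialog: WPA2 Enterprise, EAP method TLS.
install_connection() {
    nmcli connection add type wifi ifname "$2" con-name "$1" ssid "$1" \
        wifi-sec.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity "$3" \
        802-1x.ca-cert "$4" \
        802-1x.client-cert "$5" \
        802-1x.private-key "$6" \
        802-1x.private-key-password "$7"
}

# Usage: sh client-setup.sh <export passphrase>   (the paths below are assumptions)
if [ $# -eq 1 ]; then
    dir=$HOME/Downloads
    check_client_bundle "$dir/cert_export_MyCA.crt" "$dir/cert_export_admin-client.crt" \
        "$dir/cert_export_admin-client.key" "$1" &&
    install_connection YourSSID wlp3s0 admin-client "$dir/cert_export_MyCA.crt" \
        "$dir/cert_export_admin-client.crt" "$dir/cert_export_admin-client.key" "$1"
fi
```

The chain check is the same decision the router makes with tls-mode set to verify certificate, so a bundle that fails it here would also be rejected at association time; the key/cert comparison catches the easy mistake of downloading the certificate of one client and the key of another.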

Now go back to the web interface and create a Security Profile under Wireless > Security Profiles. The screenshots are not reproduced here, so in words: Mode dynamic keys, Authentication Types WPA2 EAP only (no WPA1), Unicast and Group Ciphers aes ccm, EAP Methods eap tls, TLS Mode verify certificate, and TLS Certificate set to router-tls, the certificate signed above. "verify certificate" is what makes the router check each connecting client's certificate against the CA we marked as trusted.
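For anyone who would rather have the profile in a script than click it together, the same Security Profile as RouterOS commands, pushed from the client machine over SSH. This is an added example and not the post's own configuration: the profile name eap-tls, the AP interface wlan1, the router address 192.168.88.1 and RouterOS reading commands from standard input on a non-interactive SSH session are assumptions; router-tls is the certificate signed above.

```shell
#!/bin/sh
# Added example (not the post's own config): create the WPA2 Enterprise / EAP-TLS
# security profile from the CLI and attach it to the AP interface.
# Assumptions: router at 192.168.88.1, AP interface wlan1, profile name eap-tls,
# and that RouterOS executes the commands it reads from stdin over SSH.
ssh admin@192.168.88.1 <<'EOF'
/interface wireless security-profiles add name=eap-tls mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=router-tls
/interface wireless set wlan1 security-profile=eap-tls
/interface wireless security-profiles print detail where name=eap-tls
EOF
```

eap-methods=eap-tls makes the router terminate EAP-TLS itself, which is why MyCA had to be marked trusted and why the router needs a certificate whose private key it holds; eap-methods=passthrough is the setting that hands authentication to a RADIUS server, the subject of the follow-up post. authentication-types deliberately lists only wpa2-eap: there is no reason to let a client that can do EAP-TLS negotiate WPA1/TKIP.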

Once the Security Profile is complete, go back to the wireless interface configuration and, if it is not already selected, change the Security Profile it uses to the new one.

You should now be able to authenticate to the wireless network with the installed certificate and its passphrase.

Once you have successfully connected, you should see something like the following in /var/log/wpa_supplicant.log. The lines to look for are EAP method 13 (TLS) being selected and both the pairwise and group keys being CCMP, with no TKIP in sight:

wlp3s0: Trying to associate with 00:11:22:33:44:55 (SSID='YourSSID' freq=2422 MHz)
wlp3s0: Associated with 00:11:22:33:44:55
wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=MyCA'
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=admin-client'
wlp3s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlp3s0: WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=CCMP]
wlp3s0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]

You can also create wireless access lists that permit or deny devices on criteria such as MAC address (which I know can be changed with macchanger, but one more layer that costs nothing to configure does not hurt) and time of day. Information on how to do that here.
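As an added example of the access-list idea, and not the post's own configuration, the following admits one client only during working hours and rejects every device not explicitly listed. The MAC address is a placeholder, and the router address 192.168.88.1, the AP interface wlan1 and RouterOS executing commands read from stdin over SSH are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): a time-limited access-list entry plus
# default-authentication=no so that unlisted clients are refused outright.
# Assumptions: router at 192.168.88.1, AP interface wlan1; 00:11:22:33:44:66 is
# a placeholder MAC address.
ssh admin@192.168.88.1 <<'EOF'
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:66 time=8h-18h,mon,tue,wed,thu,fri authentication=yes comment="laptop, office hours only"
/interface wireless set wlan1 default-authentication=no
/interface wireless access-list print
EOF
```

With default-authentication=no the access list is a whitelist rather than a blacklist: a device with a spoofed MAC still has to present a certificate signed by MyCA, but a device with a stolen certificate is at least kept off the network outside the hours you expect it to be used.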