I want to share my experience with the new User Manager in MikroTik ROS 7 for Wi-Fi. Much of what follows is standard, but some points were found empirically.
The task: cover a three-story building with Wi-Fi and connect about 100 users in stages, with a small investment.
Everything started well: for a small site we bought MikroTik gear, an RB750Gr3 router and several RB952 access points, which also serve as managed switches. I configured CAPsMAN with multiple SSIDs and VLANs, WPA2-PSK with MAC verification via the Access List, and rate limiting via Queues. It worked simply and stably. The drawback is that it is hard to get the MAC from the user, given the “random MAC” option on devices. On the other hand, granting access by MAC mask is convenient, for example for identical laptops.
The placement of the access points and the channel plan were calculated in Ekahau with future expansion in mind.
To expand coverage, “sponsors” donated a lot of TP-Link TL-WR841 routers. Why TP-Link? Don’t ask whether it was the wrong choice; it was the “you give, we take” principle. Leaving them unused while waiting for proper equipment was not an option, because of the inevitable reproach: “we gave it to you, and you don’t need it?” The budget lives its own hard-to-explain life.
My first thought was to flash the TP-Links with DD-WRT for VLAN support, but there is no firmware for our hardware revision.
So I had to work through the “rakes” (pitfalls) of integrating the TP-Links. The important thing was a single, simple user authorization bound to the MAC address and, if possible, session accounting and rate limiting.
The logical choice is EAP with a single RADIUS server (there was none before; AD is not used in the organization). MikroTik had just announced the new User Manager in ROS 7 with Wi-Fi EAP support. A lot has changed in the new version and there is practically no documentation. TP-Link also supports Wi-Fi Enterprise (EAP).
Update the MikroTik to ROS 7 or newer.
Install the User Manager package.
Create and sign a certificate.
Activate User Manager with our certificate.
Add the access points with EAP.
Name: anything descriptive. Secret: the shared secret, the same one that is set on the access point. IP: the access point’s address.
I skip the typical settings; the EAP-specific nuances are:
Caller ID format: by MAC, for linking devices to accounts.
Authorization on RADIUS: EAP end-to-end.
TP-Link setup
It is important to update the TP-Link and configure it as an Access Point with a static IP, and to enable Wi-Fi in the VLAN; otherwise it refused to work. Disable the built-in DHCP server; it may turn itself back on.
For authorization select WPA2 Enterprise. It is important to specify the RADIUS server address from the same Wi-Fi VLAN; it does not work with other subnets. The password is the secret entered in User Manager.
Create user accounts in User Manager. For Caller ID, specify Bind, so that the MAC is remembered the first time the user connects. This eliminates the need to ask users for their MACs.
A MAC appearing in the Caller ID field means the user has successfully authorized.
When a user changes device, manually reset the Caller ID to Bind.
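The MikroTik side of the procedure above (certificate, enabling User Manager, registering the access points, creating users that bind to the MAC on first use) as a RouterOS 7 CLI script. This is an added example, not configuration from the original post; the names, addresses, secrets and the choice of PEAP with MSCHAPv2 as the EAP method are assumptions, and the Caller ID format setting from the access-point dialog is not reproduced here.

```routeros
# Added example (not from the post): RouterOS 7 User Manager for Wi-Fi EAP.
# Assumed: all names, addresses and secrets below; replace them with your own.

# 1. Private CA and a server certificate for the RADIUS/EAP service.
#    Client devices should be set to trust um-ca; otherwise PEAP clients will
#    accept any server certificate and cannot tell the real RADIUS server apart.
/certificate
add name=um-ca common-name="um-ca" key-usage=key-cert-sign,crl-sign days-valid=3650
sign um-ca
add name=um-server common-name="radius.wifi.local" key-usage=tls-server days-valid=3650
sign um-server ca=um-ca
# Export the CA certificate (no private key) for distribution to clients.
export-certificate um-ca file-name=um-ca

# 2. Enable User Manager with the server certificate (RADIUS on 1812/1813).
/user-manager/settings
set enabled=yes certificate=um-server

# 3. Register every access point as a RADIUS client. The shared secret must
#    match the one entered on the AP; use a long random secret per device.
/user-manager/router
add name=capsman address=192.168.50.1 shared-secret="<long-random-secret-1>" comment="RB750Gr3 CAPsMAN"
add name=tplink-2f address=192.168.50.21 shared-secret="<long-random-secret-2>" comment="TL-WR841 2nd floor"

# 4. Group allowing only EAP-PEAP with MSCHAPv2 inside the TLS tunnel
#    (assumed method; adjust to what the clients support).
/user-manager/user-group
add name=wifi-eap outer-auths=eap-peap inner-auths=eap-mschap2

# 5. Users. caller-id-bind-on-first-use locks the account to the MAC of the
#    first device that authenticates, so nobody has to collect MACs by hand.
/user-manager/user
add name=alice password="<strong-password>" group=wifi-eap caller-id-bind-on-first-use=yes
add name=bob   password="<strong-password>" group=wifi-eap caller-id-bind-on-first-use=yes

# 6. A MAC in caller-id means that user has authenticated at least once.
/user-manager/user print where caller-id!=""

# 7. When a user replaces their device, clear the binding and re-arm it.
/user-manager/user set [find name=alice] caller-id="" caller-id-bind-on-first-use=yes
```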
Monitoring access points and users
Monitoring authorization requests in the router statistics
Unfortunately, with such a zoo of equipment there is no per-user authorization monitoring. With MikroTik only, you can set up MAC accounting and see user sessions.
For the same reason, traffic and speed cannot be limited in User Manager profiles.
The user simply enters a username and password!
The result is a single Wi-Fi network with a single authorization.
I don’t touch on Wi-Fi quality indicators; that is a separate topic, and not one for this budget.
It doesn’t matter which access point the user is within range of; authorization is transparent.
Roaming is conditional: switching between CAPsMAN points is fast, based on signal level; between TP-Links it takes longer, but a non-critical 1-2 seconds.
It doesn’t matter what device is connected: smartphone, tablet or laptop.
Devices with unauthorized MACs are ignored. For devices with random MACs, the Caller ID parameter is cleared.
When AD is deployed, user authorization can easily be reconfigured to NPS.