How to make Wi-Fi Mikrotik and TP-Link friends using RADIUS

I want to share my experience of using the new User Manager in Mikrotik ROS 7 for Wi-Fi. Much of the article is typical, but there are points found empirically.

The task is to cover a three-story building with Wi-Fi, connect about 100 users in stages with a small investment.

Everything started well – for a small object we bought Mikrotik – a RB750Gr3 router and several RB952 access points, which are at the same time managed switches. Configured CAPsMAN, with multiple SSIDs and VLANs, WPA2 PSK authorization with MAC verification via Access List, rate limiting via Quenes. It worked simply and stably. The disadvantage is that it is difficult to find out the MAC from the user, taking into account the “random MAC” option in the devices. But it is convenient to give access by MAC mask, for example, for identical laptops.

The arrangement of access points and channels are calculated in Ekahau for the expansion perspective.

One floor example
One floor example

To expand coverage, “sponsors” donated a lot of TP-Link TL-WR841 routers. Why TP-Link – don’t ask if they’re wrong … the principle of “give – take.” Do not use them and wait for normal equipment is not an option due to future sanctions “we give you, but you don’t need it?…”. The budget lives its own hard-to-explain life.

My first thought is to flash TP-Link DDWRT for VLAN support, but there are no firmwares for our hardware revision.

I had to come up with a “rake” for TP-Link integration. It is important to make a single simple authorization of users with a binding to the MAC, if possible, session accounting and speed limiting.

It is logical to use EAP and a single RADIUS server (it did not exist before, AD is not used in the organization). Just Mikrotik announced a new User Manager in Mikrotik ROS 7 with Wi-Fi EAP support. A lot has changed in the new version, there is really no documentation. TP-Link also supports Wi-Fi Enterprise (EAP).

RADIUS EAP
RADIUS EAP

RADIUS setting

  1. Update Mikrotik to ROS>7.

  2. Install the User Manager package.

    ROS 7.1 and User Manager
    ROS 7.1 and User Manager

  3. Create and sign a certificate

    Self signed certificate
    Self signed certificate

  4. Activate User Manager with our certificate

    User Manager
    User Manager

  5. Adding access points with EAP.

    Name – any intuitive. Secret – password is the same for the point, IP – point address.

    For CAPsMAN manager address
    For CAPsMAN manager address
    For TP-Link point address
    For TP-Link point address

Configuring CAPsMAN

I skip typical settings, there are nuances of EAP.

  1. Caller ID format – by MAC for linking devices to accounts

    caller ID
    caller ID

  2. Authorization on Radius – EAP end-to-end.

    EAP Authorization
    EAP Authorization

TP link setup

  1. It is important to update TP-Link and configure it as an Access Point with a static IP, enable WiFi in the VLAN, otherwise it refused to work. Disable the built-in DHCP, maybe it turns it on by itself.

  2. Authorization select WPA2 Enterprise. It is important to specify the RADIUS address from the same WiFi VLAN, it does not work with other subnets. The password that is in the User Manager.

    WPA2 Enterprise
    WPA2 Enterprise

Creating Accounts

  1. Create user accounts in User Manager. Caller ID specify Bind – to remember the MAC the first time you connect. This eliminates the need to search for MACs from users.

    Creating User
    Creating User

  2. The appearance of the MAC in the Caller ID field means successful user authorization.

  3. When changing the user’s device, manually reset the Caller ID to Bind.

Control points and users

  1. Controlling Authorization Requests in Router Statistics

    Request control
    Request control

  2. Unfortunately, there is no authorization control for users with such a zoo of equipment. When using Mikrotik, you can set up MAC Accounting and see user sessions.

  3. It is also not possible to limit traffic and speed in User Manager profiles for the same reasons.

Connecting Users

The user simply enters a username/password!

Eventually:

  • It turned out a single WiFi network with a single authorization.

  • I don’t touch on the quality indicators of WiFi – this is a separate issue, not for budget money)

  • It doesn’t matter what point the user is in the coverage area – the authorization is transparent.

  • Roaming is conditional – switching between CAPsMAN points is fast based on the signal level, between TP-Link is longer, but non-critical 1-2 seconds.

  • It does not matter what device is connected – smartphone, tablet, laptop.

  • Devices with unauthorized MACs are ignored. With random MACs, the Caller ID parameter is removed.

  • When deploying AD, user authorization can easily be reconfigured to NPS.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *