WayFi Setup Guide for MikroTik Devices Using Native RadSec: Secure Your Network Today
Step-by-step guide to configure MikroTik devices with WayFi using native RadSec support. Learn how to set up secure, encrypted RADIUS over TLS for seamless connectivity.
WayFi Wireless
1/28/2025


WayFi Setup Guide for MikroTik Devices Using Native RadSec Support
Configuring your MikroTik devices to work seamlessly with WayFi’s RadSec (RADIUS over TLS) enables a secure and encrypted connection for AAA (Authentication, Authorization, and Accounting) traffic. This guide walks you through the steps to leverage MikroTik’s native RadSec support for a robust and reliable network setup.
Overview
MikroTik devices with native RadSec support can be integrated with WayFi for enhanced security and seamless connectivity. This setup ensures encrypted communication for RADIUS traffic and enables advanced network features like Hotspot 2.0 for better user experience.
Prerequisites
Before starting the configuration, ensure the following requirements are met:
1. RouterOS Version
Your MikroTik device must be running RouterOS 6.47.10 or later (long-term or stable release).
2. RadSec Certificate Bundle
Obtain the required certificates from WayFi support:
wayfi.radsec.cacert.pem (CA Certificate)
cert.pem (Client Certificate)
key.pem (Private Key)
3. NAS-ID Configuration
Set the NAS-ID to the MAC address of your Access Point (AP) for accurate identification within the WayFi system.
4. Interworking Profiles
For advanced interworking profile options, refer to the MikroTik Interworking Profiles Configuration Guide.
Step 1: Import RadSec Certificates
1. Access the Device
Use WinBox or the MikroTik command-line interface (CLI) to connect to your device.
2. Upload Certificates
Transfer the following certificate files to your MikroTik device:
wayfi.radsec.cacert.pem
cert.pem
key.pem
3. Import Certificates
Run these commands in the MikroTik CLI to import the certificates:
/certificate import file-name=wayfi.radsec.cacert.pem passphrase=""
/certificate import file-name=cert.pem passphrase=""
/certificate import file-name=key.pem passphrase=""
4. Verify Imported Certificates
To confirm that the certificates are properly imported, execute:
/certificate print
Ensure all certificates are listed and any with private keys have the K (private key) flag.
Step 2: Configure the RADIUS Client
Add the RADIUS Client
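Run the following command, replacing <wayfi_radsec_server> with the RadSec server’s IP or FQDN (e.g., radius.wayfiwireless.com) and <shared_secret> with radsec. The certificate value cert.pem_0 is the name RouterOS assigned to the client certificate on import; if /certificate print shows a different name, use that one: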
/radius add address=<wayfi_radsec_server> service=wireless protocol=radsec certificate=cert.pem_0 secret=<shared_secret>
Step 3: Create a Wireless Security Profile
Configure the Security Profile
Run the following command to create a security profile for your WayFi connection:
/interface wireless security-profiles add name=wayfi_profile mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough management-protection=allowed radius-eap-accounting=yes supplicant-identity=""
Step 4: Configure the Wireless Interface
Assign the Security Profile
Replace wlan1 with the name of your wireless interface (if different):
/interface wireless set [ find default-name=wlan1 ] mode=ap-bridge security-profile=wayfi_profile wps-mode=disabled
Set Country Profile
Replace <your_country> with your country’s code (e.g., united states):
/interface wireless set wlan1 country=<your_country>
Step 5: Configure Hotspot 2.0 and Interworking Profile
Create Interworking Profile
Run the following command to create the interworking profile:
/interface wireless interworking-profile add name=WayFi_Hotspot domain-names=wayfi.io,hellohelium.com,freedomfi.com,openroaming.org,apple.openroaming.net,google.openroaming.net,ciscooneid.openroaming.net,samsung.openroaming.net network-type=public-chargeable operator-names=WayFi:eng realms=wayfi.io:eap-tls,hellohelium.com:eap-ttls,freedomfi.com:eap-ttls roaming-ois=8c1f646810,f4f5e8f5f4,baa2d00000,00500f,5a03ba0000,004096 venue=business-unspecified venue-names=WayFi:eng wan-downlink=50000 wan-uplink=50000 wan-status=up
Assign the Interworking Profile
Apply the profile to your wireless interface:
/interface wireless set wlan1 interworking-profile=WayFi_Hotspot
Step 6: Set the NAS-ID
Configure the NAS-ID
RouterOS takes the NAS-ID from the system identity, so replace <mac_address_of_ap> with the MAC address of your Access Point (e.g., 00:11:22:33:44:55):
/system identity set name=<mac_address_of_ap>
Step 7: Verify the Configuration
Monitor RADIUS Traffic
To check RADIUS communication, run:
/radius monitor
Check Active Wireless Connections
To view connected wireless clients, run:
/interface wireless registration-table print
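To check the settings from Steps 2 to 6 offline, the following added example (not part of the original guide, and not WayFi or MikroTik tooling) is a Python audit of the text produced by RouterOS /export. The sample export, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample of `/export` output; the address and MAC are placeholders.
SAMPLE_EXPORT = r'''
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough mode=dynamic-keys \
    name=wayfi_profile radius-eap-accounting=yes supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge security-profile=wayfi_profile wps-mode=disabled
/radius
add address=192.0.2.10 certificate=cert.pem_0 protocol=radsec secret=radsec service=wireless
/system identity
set name=00:11:22:33:44:55
'''
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Return {menu path: [key/value dict for each add/set line]}."""
    text = re.sub(r'\\\r?\n\s*', '', text)       # join lines wrapped with "\"
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            path = line                           # e.g. "/radius"
        elif path and line.split(' ', 1)[0] in ('add', 'set'):
            body = re.sub(r'\[.*?\]', '', line)   # drop the [ find ... ] selector
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in PAIR.findall(body)})
    return menus

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    m, findings = parse_export(text), []
    clients = [r for r in m.get('/radius', []) if 'wireless' in r.get('service', '')]
    if not clients:
        findings.append('no RADIUS client with service=wireless')
    for r in clients:
        if r.get('protocol') != 'radsec' or not r.get('certificate'):
            findings.append(f"RADIUS {r.get('address')}: needs protocol=radsec and a client certificate")
    profiles = {p.get('name'): p for p in m.get('/interface wireless security-profiles', [])}
    for w in m.get('/interface wireless', []):
        p = profiles.get(w.get('security-profile'), {})
        # Assumption: eap-methods missing from the export means it was left at passthrough.
        if (p.get('authentication-types'), p.get('eap-methods', 'passthrough')) != ('wpa2-eap', 'passthrough'):
            findings.append(f"{w.get('security-profile')}: not WPA2-EAP passthrough")
        if w.get('wps-mode') != 'disabled':
            findings.append('wireless interface: WPS is not disabled')
    ident = (m.get('/system identity') or [{}])[0].get('name', '')
    if not re.fullmatch(r'([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}', ident):
        findings.append(f'identity {ident!r} is not a MAC address, NAS-ID will not match')
    return findings
```

Save the device's export to a file and pass its contents to audit(); each returned string names the step whose setting is missing or different.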
Conclusion
By completing these steps, your MikroTik device will be securely integrated with WayFi using native RadSec capabilities. This configuration ensures encrypted AAA traffic and a seamless network experience for users. For advanced customization or troubleshooting, refer to the MikroTik Interworking Profiles Documentation.
FAQs
1. What is RadSec?
RadSec (RADIUS over TLS) is a secure protocol that encrypts AAA traffic between devices and the RADIUS server.
2. What RouterOS version is required for RadSec support?
RouterOS version 6.47.10 or later is required.
3. How do I obtain the RadSec certificate bundle?
Contact WayFi support to request the wayfi.radsec.cacert.pem, cert.pem, and key.pem files.
4. Why is the NAS-ID important?
The NAS-ID uniquely identifies your Access Point within the WayFi network, ensuring accurate authentication and accounting.
5. What is an Interworking Profile?
An interworking profile configures advanced features like Hotspot 2.0, roaming, and domain support for better network functionality.
6. How do I monitor the device's RADIUS traffic?
Use the /radius monitor command to check the status of RADIUS traffic.
By following this guide, you’ll ensure secure and seamless connectivity between your MikroTik device and WayFi’s network infrastructure.