WayFi Setup Guide for MikroTik Devices Using Native RadSec Support

Configuring your MikroTik devices to work seamlessly with WayFi’s RadSec (RADIUS over TLS) enables a secure and encrypted connection for AAA (Authentication, Authorization, and Accounting) traffic. This guide walks you through the steps to leverage MikroTik’s native RadSec support for a robust and reliable network setup.

Overview

MikroTik devices with native RadSec support can be integrated with WayFi for enhanced security and seamless connectivity. This setup ensures encrypted communication for RADIUS traffic and enables advanced network features like Hotspot 2.0 for better user experience.

Prerequisites

Before starting the configuration, ensure the following requirements are met:

1. RouterOS Version

Your MikroTik device must be running RouterOS 6.47.10 or later (long-term or stable release).

2. RadSec Certificate Bundle

Obtain the required certificates from WayFi support:

• wayfi.radsec.cacert.pem (CA Certificate)

• cert.pem (Client Certificate)

• key.pem (Private Key)

3. NAS-ID Configuration

Set the NAS-ID to the MAC address of your Access Point (AP) for accurate identification within the WayFi system.

4. Interworking Profiles

For advanced interworking profile options, refer to the MikroTik Interworking Profiles Configuration Guide.

Step 1: Import RadSec Certificates

1. Access the Device

Use WinBox or the MikroTik command-line interface (CLI) to connect to your device.

2. Upload Certificates

Transfer the following certificate files to your MikroTik device:

• wayfi.radsec.cacert.pem

• cert.pem

• key.pem

3. Import Certificates

Run these commands in the MikroTik CLI to import the certificates:

/certificate import file-name=wayfi.radsec.cacert.pem passphrase="" /certificate import file-name=cert.pem passphrase="" /certificate import file-name=key.pem passphrase=""

4. Verify Imported Certificates

To confirm that the certificates are properly imported, execute:

/certificate print

Ensure all certificates are listed and any with private keys have the K (private key) flag.

Step 2: Configure the RADIUS Client

Add the RADIUS Client

Run the following command, replacing <wayfi_radsec_server> with the RadSec server’s IP or FQDN (e.g., radius.wayfiwireless.com) and <shared_secret> with radsec:

/radius add address=<wayfi_radsec_server> service=wireless protocol=radsec certificate=cert.pem_0 secret=<shared_secret>

Step 3: Create a Wireless Security Profile

Configure the Security Profile

Run the following command to create a security profile for your WayFi connection:

/interface wireless security-profiles add name=wayfi_profile mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough management-protection=allowed radius-eap-accounting=yes supplicant-identity=""

Step 4: Configure the Wireless Interface

Assign the Security Profile

Replace wlan1 with the name of your wireless interface (if different):

/interface wireless set [ find default-name=wlan1 ] mode=ap-bridge security-profile=wayfi_profile wps-mode=disabled

Set Country Profile

Replace <your_country> with your country’s code (e.g., united states):

/interface wireless set wlan1 country=<your_country>

Step 5: Configure Hotspot 2.0 and Interworking Profile

Create Interworking Profile

Run the following command to create the interworking profile:

/interface wireless interworking-profile add name=WayFi_Hotspot domain-names=wayfi.io,hellohelium.com,freedomfi.com,openroaming.org,apple.openroaming.net,google.openroaming.net,ciscooneid.openroaming.net,samsung.openroaming.net network-type=public-chargeable operator-names=WayFi:eng realms=wayfi.io:eap-tls,hellohelium.com:eap-ttls,freedomfi.com:eap-ttls roaming-ois=8c1f646810,f4f5e8f5f4,baa2d00000,00500f,5a03ba0000,004096 venue=business-unspecified venue-names=WayFi:eng wan-downlink=50000 wan-uplink=50000 wan-status=up

Assign the Interworking Profile

Apply the profile to your wireless interface:

/interface wireless set wlan1 interworking-profile=WayFi_Hotspot

Step 6: Set the NAS-ID

Configure the NAS-ID

Replace <mac_address_of_ap> with the MAC address of your Access Point (e.g., 00:11:22:33:44:55):

/system identity set name=<mac_address_of_ap>

Step 7: Verify the Configuration

Monitor RADIUS Traffic

To check RADIUS communication, run:

/radius monitor

Check Active Wireless Connections

To view connected wireless clients, run:

/interface wireless registration-table print

Conclusion

By completing these steps, your MikroTik device will be securely integrated with WayFi using native RadSec capabilities. This configuration ensures encrypted AAA traffic and a seamless network experience for users. For advanced customization or troubleshooting, refer to the MikroTik Interworking Profiles Documentation.

FAQs

1. What is RadSec?
RadSec (RADIUS over TLS) is a secure protocol that encrypts AAA traffic between devices and the RADIUS server.

2. What RouterOS version is required for RadSec support?
RouterOS version 6.47.10 or later is required.

3. How do I obtain the RadSec certificate bundle?
Contact WayFi support to request the wayfi.radsec.cacert.pem, cert.pem, and key.pem files.

4. Why is the NAS-ID important?
The NAS-ID uniquely identifies your Access Point within the WayFi network, ensuring accurate authentication and accounting.

5. What is an Interworking Profile?
An interworking profile configures advanced features like Hotspot 2.0, roaming, and domain support for better network functionality.

6. How do I monitor the device's RADIUS traffic?
Use the /radius monitor command to check the status of RADIUS traffic.

By following this guide, you’ll ensure secure and seamless connectivity between your MikroTik device and WayFi’s network infrastructure.