MikroTik ROS v7 OpenRoaming with RadSec

Configure OpenRoaming on MikroTik devices running RouterOS v7 with IronWifi RadSec authentication. This guide covers certificate import and trust configuration, RadSec RADIUS setup, wireless security profiles, interworking (802.11u) configuration, and Hotspot 2.0 deployment for global WiFi roaming.

Quick Start

  1. Enable OpenRoaming and RadSec in IronWifi Console
  2. Download and import certificate bundle to MikroTik
  3. Create RadSec RADIUS profile pointing to radsec.ironwifi.com:2083
  4. Create security profile with WPA2-EAP
  5. Configure interworking profile with OIs: 5A03BA0000, 5A03BA0200, 004096
  6. Apply profiles to wireless interface

Prerequisites

In MikroTik:

  • MikroTik device with wireless capability
  • RouterOS 7.x (7.1+ recommended)
  • Wireless interface configured and operational

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Enable RadSec from the dropdown menu
  4. Download the certificate bundle (contains Root CA, Intermediate CA, client certificate, and private key)

Upload Certificates to MikroTik

Upload the certificates to your MikroTik device:

Via WinBox/WebFig

  1. Go to Files
  2. Upload all 4 certificate files from the bundle

Via CLI

# Upload via SCP/SFTP, or fetch from a server you control; use HTTPS so client.key.pem is not sent in cleartext
/tool fetch url="https://your-server/iw-rsa-root-ca.cert.pem" dst-path=iw-rsa-root-ca.cert.pem
/tool fetch url="https://your-server/iw-rsa-radsec-signing-ca.cert.pem" dst-path=iw-rsa-radsec-signing-ca.cert.pem
/tool fetch url="https://your-server/client.cert.pem" dst-path=client.cert.pem
/tool fetch url="https://your-server/client.key.pem" dst-path=client.key.pem

Import Certificates

The certificate bundle contains:

  • iw-rsa-root-ca.cert.pem - Root CA certificate
  • iw-rsa-radsec-signing-ca.cert.pem - Intermediate CA certificate
  • client.cert.pem - Client certificate
  • client.key.pem - Private key

# Import CA certificates
/certificate import file-name=iw-rsa-root-ca.cert.pem passphrase=""
/certificate import file-name=iw-rsa-radsec-signing-ca.cert.pem passphrase=""

# Import client certificate and key
/certificate import file-name=client.cert.pem passphrase=""
/certificate import file-name=client.key.pem passphrase=""

# Set CA certificates as trusted
/certificate set [find name~"iw-rsa-root-ca"] trusted=yes
/certificate set [find name~"iw-rsa-radsec-signing-ca"] trusted=yes

Verify certificates:

/certificate print

Configure RadSec

# Create RadSec connection
/radius
add address=radsec.ironwifi.com protocol=radsec \
certificate=client.cert.pem_0 \
service=wireless \
authentication-port=2083 \
accounting-port=2083 \
secret="" \
timeout=3s

Replace radsec.ironwifi.com with the RadSec server from your IronWifi console.

Wireless Security Profile

/interface wireless security-profiles
add name=openroaming-profile \
authentication-types=wpa2-eap \
mode=dynamic-keys \
eap-methods=passthrough

Interworking Profile (802.11u)

/interface wireless interworking-profiles
add name=openroaming \
access-network-type=free-public-network \
internet=yes \
asra=no \
esr=no \
uesa=no \
venue-group=business \
venue-type=unspecified-business \
network-auth-type=acceptance-of-terms-and-conditions \
ipv4-availability=public \
ipv6-availability=not-available \
hessid=auto

Hotspot 2.0 Profile

/interface wireless hotspot20-profiles
add name=openroaming \
domain-names=ironwifi.net \
operator-names="IronWifi:eng" \
wan-metrics="symmetric,1,50000,50000,0,0"

NAI Realm Configuration

/interface wireless nai-realms
add profile=openroaming \
realm=ironwifi.com \
eap-methods="eap-ttls:non-eap-pap,non-eap-mschapv2;eap-tls:"

Add additional realms for OpenRoaming identity providers:

/interface wireless nai-realms
add profile=openroaming realm=openroaming.net eap-methods="eap-ttls:;eap-tls:"
add profile=openroaming realm=google.com eap-methods="eap-ttls:;eap-tls:"
add profile=openroaming realm=apple.com eap-methods="eap-ttls:;eap-tls:"

Roaming Consortium OIs

Add OpenRoaming Organization Identifiers:

/interface wireless roaming-ois
add profile=openroaming oi=5A03BA0000
add profile=openroaming oi=5A03BA0200
add profile=openroaming oi=004096

OI descriptions:

  • 5A03BA0000 - WBA OpenRoaming Settled
  • 5A03BA0200 - WBA OpenRoaming Settlement-free
  • 004096 - Cisco OpenRoaming

Apply Configuration to Wireless Interface

/interface wireless
set wlan1 \
mode=ap-bridge \
ssid="OpenRoaming" \
security-profile=openroaming-profile \
interworking-profile=openroaming \
hotspot20-profile=openroaming

Complete Configuration Script

# ========== OpenRoaming Configuration ==========

# Import certificates (upload files first)
/certificate import file-name=iw-rsa-root-ca.cert.pem passphrase=""
/certificate import file-name=iw-rsa-radsec-signing-ca.cert.pem passphrase=""
/certificate import file-name=client.cert.pem passphrase=""
/certificate import file-name=client.key.pem passphrase=""

# Trust CA certificates
/certificate set [find name~"iw-rsa-root-ca"] trusted=yes
/certificate set [find name~"iw-rsa-radsec-signing-ca"] trusted=yes

# RadSec RADIUS
/radius
add address=radsec.ironwifi.com protocol=radsec \
certificate=client.cert.pem_0 service=wireless \
secret="" authentication-port=2083 accounting-port=2083

# Security Profile
/interface wireless security-profiles
add name=openroaming-profile authentication-types=wpa2-eap \
mode=dynamic-keys eap-methods=passthrough

# Interworking (802.11u)
/interface wireless interworking-profiles
add name=openroaming access-network-type=free-public-network \
internet=yes venue-group=business venue-type=unspecified-business

# Hotspot 2.0
/interface wireless hotspot20-profiles
add name=openroaming domain-names=ironwifi.net \
operator-names="IronWifi:eng"

# NAI Realms
/interface wireless nai-realms
add profile=openroaming realm=ironwifi.com \
eap-methods="eap-ttls:non-eap-pap;eap-tls:"
add profile=openroaming realm=openroaming.net eap-methods="eap-ttls:;eap-tls:"

# Roaming Consortium
/interface wireless roaming-ois
add profile=openroaming oi=5A03BA0000
add profile=openroaming oi=5A03BA0200
add profile=openroaming oi=004096

# Apply to interface
/interface wireless
set wlan1 mode=ap-bridge ssid="OpenRoaming" \
security-profile=openroaming-profile \
interworking-profile=openroaming \
hotspot20-profile=openroaming

Verification

Check RadSec connection:

/radius print stats

Check wireless status:

/interface wireless print detail where name=wlan1

Check connected clients:

/interface wireless registration-table print

Troubleshooting

RadSec Connection Failed

  1. Verify certificates are correctly imported
  2. Check certificate validity dates
  3. Ensure port 2083 is not blocked
  4. Verify RadSec server hostname
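
The certificate checks in this list can be run against the downloaded bundle on a workstation, which rules out a bad bundle before you look at the router. This is an added example, not part of the IronWifi or MikroTik documentation; it assumes the OpenSSL command-line tool is installed and that the directory holds the four files under the names used in this guide. The function name check_bundle and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example: validate the RadSec bundle on the admin workstation before upload.
# File names are those listed in this guide; DIR and MIN_DAYS are assumptions.

# check_bundle DIR [MIN_DAYS] -> returns 0 if every check passes, 1 otherwise
check_bundle() {
    dir=$1; min_days=${2:-30}; rc=0
    root=$dir/iw-rsa-root-ca.cert.pem
    inter=$dir/iw-rsa-radsec-signing-ca.cert.pem
    cert=$dir/client.cert.pem
    key=$dir/client.key.pem

    for f in "$root" "$inter" "$cert" "$key"; do
        [ -s "$f" ] || { echo "FAIL missing or empty: $f"; return 1; }
    done

    # 1. The client certificate must chain to the root via the signing CA.
    if openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1; then
        echo "OK   chain verifies: client -> signing CA -> root"
    else
        echo "FAIL client certificate does not chain to the root CA"; rc=1
    fi

    # 2. The private key must match the client certificate (same public key).
    #    An empty -passin matches the guide's passphrase="" (unencrypted key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches client certificate"
    else
        echo "FAIL client.key.pem does not match client.cert.pem"; rc=1
    fi

    # 3. No certificate may expire within MIN_DAYS.
    for f in "$root" "$inter" "$cert"; do
        if openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
            echo "OK   valid for at least $min_days days: ${f##*/}"
        else
            echo "FAIL expired or expiring within $min_days days: ${f##*/}"; rc=1
        fi
    done
    return $rc
}

# Run directly: sh check_bundle.sh /path/to/bundle 30
if [ $# -gt 0 ]; then check_bundle "$@"; fi
```

A mismatched key or a broken chain reported here would also surface on the router as a failed RadSec connection, so fix the bundle before re-importing.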

Clients Don't Connect

  1. Verify 802.11u settings
  2. Check roaming consortium OIs
  3. Ensure client has valid OpenRoaming credentials
  4. Test with manual EAP configuration first

Authentication Fails

  1. Check IronWifi authentication logs
  2. Verify NAI realm configuration
  3. Ensure user exists or auto-creation is enabled