MikroTik ROS v7 - OpenRoaming with RadSec

Configure RadSec (RADIUS over TLS) on MikroTik RouterOS v7 for secure OpenRoaming authentication with IronWifi. This guide provides detailed instructions for certificate installation, RadSec RADIUS configuration with TLS encryption, wireless security profiles, and Hotspot 2.0 interworking setup.

Quick Start

Enable RadSec and OpenRoaming in IronWifi Console
Download certificate bundle (4 files)
Upload and import certificates to MikroTik, mark CAs as trusted
Create RadSec RADIUS with radsec.ironwifi.com:2083
Create security and interworking profiles
Apply to wireless interface with Hotspot 2.0 enabled

Prerequisites

In MikroTik:

MikroTik device with RouterOS 7.x
Device supports 802.11u/Hotspot 2.0
Wireless interface configured and operational

In IronWifi Console (complete these first):

Create or select a Network in the IronWifi Console
Enable OpenRoaming from the dropdown menu
Enable RadSec from the dropdown menu
Download the certificate bundle (ZIP file containing 4 files: Root CA, Intermediate CA, client certificate, and private key)

Certificate Installation

Upload Certificates to MikroTik

Connect to MikroTik via WinBox or web interface
Go to Files
Upload all 4 files from the certificate bundle:
- iw-rsa-root-ca.cert.pem
- iw-rsa-radsec-signing-ca.cert.pem
- client.cert.pem
- client.key.pem

Import Certificates

Via WinBox/WebFig:

Go to System > Certificates
Click Import
Import iw-rsa-root-ca.cert.pem:
- Select file
- Click Import
- Mark as Trusted
Import iw-rsa-radsec-signing-ca.cert.pem:
- Select file
- Click Import
- Mark as Trusted
Import client.cert.pem:
- Select file
- Click Import
Import client.key.pem:
- Select file
- Passphrase: (leave empty or enter if set)
- Click Import
- This associates the key with the client certificate

Via CLI:

/certificate import file-name=iw-rsa-root-ca.cert.pem passphrase=""
/certificate import file-name=iw-rsa-radsec-signing-ca.cert.pem passphrase=""
/certificate import file-name=client.cert.pem passphrase=""
/certificate import file-name=client.key.pem passphrase=""

Set Certificates as Trusted

/certificate set [find name~"iw-rsa-root-ca"] trusted=yes
/certificate set [find name~"iw-rsa-radsec-signing-ca"] trusted=yes

Verify Certificates

/certificate print

You should see all certificates with the client certificate showing KT flags (Key + Trusted chain).

RadSec Configuration

Create RadSec RADIUS Profile

Via CLI:

/radius add \
    address=radsec.ironwifi.com \
    certificate=client.cert.pem_0 \
    protocol=radsec \
    secret="" \
    service=wireless \
    timeout=3s

Key Parameters:

address: IronWifi RadSec server
certificate: Your client certificate name (check exact name with /certificate print)
protocol: Must be radsec
secret: Empty for RadSec (uses certificates)

Configure AAA

/radius incoming set accept=yes

Wireless Configuration

Create Security Profile

/interface wireless security-profiles add \
    name=openroaming \
    mode=dynamic-keys \
    authentication-types=wpa2-eap \
    eap-methods=passthrough \
    tls-mode=dont-verify-certificate

Create Interworking Profile (802.11u)

/interface wireless interworking-profiles add \
    name=openroaming \
    internet=yes \
    asra=no \
    esr=no \
    uesa=no \
    hessid=00:00:00:00:00:00 \
    access-network-type=free \
    venue=business-unspecified \
    network-auth-type=acceptance-of-terms-and-conditions

Configure Hotspot 2.0 (Passpoint)

/interface wireless interworking-profiles set openroaming \
    domain-names=ironwifi.net,openroaming.org \
    roaming-ois=5A03BA0000,5A03BA0200,004096 \
    nai-realms="ironwifi.com;eap-ttls;credentials" \
    operator-names="eng:IronWifi"

Create Wireless Interface

/interface wireless set wlan1 \
    mode=ap-bridge \
    ssid="OpenRoaming" \
    security-profile=openroaming \
    interworking-profile=openroaming

Complete Configuration Example

Here's a complete CLI configuration:

# Import certificates (after uploading to Files)
/certificate import file-name=iw-rsa-root-ca.cert.pem passphrase=""
/certificate import file-name=iw-rsa-radsec-signing-ca.cert.pem passphrase=""
/certificate import file-name=client.cert.pem passphrase=""
/certificate import file-name=client.key.pem passphrase=""

# Trust CA certificates
/certificate set [find name~"iw-rsa-root-ca"] trusted=yes
/certificate set [find name~"iw-rsa-radsec-signing-ca"] trusted=yes

# Configure RadSec RADIUS
/radius add \
    address=radsec.ironwifi.com \
    certificate=client.cert.pem_0 \
    protocol=radsec \
    secret="" \
    service=wireless \
    timeout=3s

/radius incoming set accept=yes

# Security profile
/interface wireless security-profiles add \
    name=openroaming \
    mode=dynamic-keys \
    authentication-types=wpa2-eap \
    eap-methods=passthrough

# Interworking profile
/interface wireless interworking-profiles add \
    name=openroaming \
    internet=yes \
    access-network-type=free \
    venue=business-unspecified \
    domain-names=ironwifi.net,openroaming.org \
    roaming-ois=5A03BA0000,5A03BA0200,004096 \
    nai-realms="ironwifi.com;eap-ttls;credentials" \
    operator-names="eng:IronWifi"

# Apply to wireless interface
/interface wireless set wlan1 \
    mode=ap-bridge \
    ssid="OpenRoaming" \
    security-profile=openroaming \
    interworking-profile=openroaming

Verification

Check RadSec Connection

/radius print
/radius monitor 0

Check Certificate Status

/certificate print detail

Enable Debug Logging

/system logging add topics=radius,debug,packet

View logs:

/log print where topics~"radius"

Test Authentication

Connect a Passpoint-enabled device
Check authentication in IronWifi Console
Monitor MikroTik logs for RADIUS exchanges

Troubleshooting

RadSec Connection Failed

Verify certificates imported correctly
```
/certificate print
```
Client cert should show KT flags

Check certificate trust

/certificate print detail where trusted=yes

Verify network connectivity
```
/tool ping radsec.ironwifi.com
```

Check port 2083 is open

/tool fetch url="https://radsec.ironwifi.com:2083" mode=https

Authentication Failures

Check RADIUS configuration
```
/radius print
```
Review debug logs
```
/log print where topics~"radius"
```

Verify interworking profile

/interface wireless interworking-profiles print

Common Errors

Error	Cause	Solution
"certificate verify failed"	CA not trusted	Set CA certificates as trusted
"connection refused"	Port blocked	Check firewall for port 2083
"no suitable certificate"	Wrong cert name	Verify certificate name in RADIUS config
"TLS handshake failed"	Certificate mismatch	Re-download and import certificates

Best Practices

Use RouterOS 7.x - Required for proper RadSec support
Keep certificates secure - Protect private key
Monitor expiration - Certificates expire, plan renewal
Test thoroughly - Verify with multiple devices
Enable logging - For troubleshooting during setup
Backup configuration - Save working config

OpenRoaming Overview - Main OpenRoaming configuration guide
RadSec Overview - Understanding RadSec technology
MikroTik Passpoint - Passpoint configuration details
MikroTik OpenRoaming - Alternative configuration guide
MikroTik RADIUS Configuration - General RADIUS setup

Quick Start​

Prerequisites​

In MikroTik:​

In IronWifi Console (complete these first):​

Certificate Installation​

Upload Certificates to MikroTik​

Import Certificates​

Set Certificates as Trusted​

Verify Certificates​

RadSec Configuration​

Create RadSec RADIUS Profile​

Configure AAA​

Wireless Configuration​

Create Security Profile​

Create Interworking Profile (802.11u)​

Configure Hotspot 2.0 (Passpoint)​

Create Wireless Interface​

Complete Configuration Example​

Verification​

Check RadSec Connection​

Check Certificate Status​

Enable Debug Logging​

Test Authentication​

Troubleshooting​

RadSec Connection Failed​

Authentication Failures​

Common Errors​

Best Practices​

Related Topics​