Professional Documents
Culture Documents
Manual:Interface/Wireless
Wireless interface configuration
Basic settings
• master-interface (Text) : Name of wireless interface that has virtual-ap capability. Virtual AP interface will only
work if master interface is in ap-bridge, bridge or wds-slave mode. This property is only for virtual AP interfaces.
• mode (One of station, station-wds, ap-bridge, bridge, alignment-only, nstreme-dual-slave, wds-slave,
station-pseudobridge or station-pseudobridge-clone; default value: station) :
• Station modes:
• station - Basic station mode. Find and connect to acceptable AP.
• station-wds - Same as station, but create WDS link with AP, using proprietary extension. AP configuration
has to allow WDS links with this device. Note that this mode does not use entries in wds.
• station-pseudobridge - Same as station, but additionally perform MAC address translation of all traffic.
Allows interface to be bridged.
• station-pseudobridge-clone - Same as station-pseudobridge, but use station-bridge-clone-mac address to
connect to AP.
• AP modes:
• ap-bridge - Basic access point mode.
• bridge - Same as ap-bridge, but limited to one associated client.
• wds-slave - Same as ap-bridge, but scan for AP with the same ssid and establishes WDS link. If this link is
lost or cannot be established, then continue scanning. If dfs-mode is radar-detect, then APs with enabled
hide-ssid will not be found during scanning.
• Special modes:
• alignment-only - Put interface in a continuous transmit mode that is used for aiming remote antenna.
• nstreme-dual-slave - allow this interface to be used in nstreme-dual setup.
MAC address translation in pseudobridge modes works by inspecting packets and building table of
corresponding IP and MAC addresses. All packets are sent to AP with the MAC address used by
pseudobridge, and MAC addresses of received packets are restored from the address translation table. There is
single entry in address translation table for all non-IP packets, hence more than one host in the bridged
network cannot reliably use non-IP protocols. Note: Currently IPv6 doesn't work over Pseudobridge
Virtual AP interfaces do not have this property, they follow the mode of their master interface.
• ssid (Text, up to 32 characters long; default value is value of system/identity) : SSID (service set identifier) is a
name that identifies wireless network.
• frequency (Frequency value in MHz) : Channel frequency on which AP will operate.
Allowed values depend on selected band, and are restricted by country setting and wireless card capabilities.
This setting has no effect if interface is in any of station modes, or in wds-slave mode, or if DFS is active.
• band (One of 2.4ghz-b, 5ghz, 5ghz-turbo, 2.4ghz-b/g, 2.4ghz-g-turbo, 5ghz-10mhz, 5ghz-5mhz, 2ghz-10mhz,
2ghz-5mhz, 5ghz-11n, 2ghz-11n, 2.4ghz-onlyg)
• scan-list (Comma separated list of frequencies and frequency ranges, or default) : The default value is all
channels from selected band that are supported by card and allowed by the country and frequency-mode settings
(this list can be seen in info). For default scan list in 5ghz band channels are taken with 20MHz step, in
5ghz-turbo band - with 40MHz step, for all other bands - with 5MHz step. If scan-list is specified manually, then
all matching channels are taken. (Example: scan-list=default,5200-5245,2412-2427 - This will use the default
Manual:Interface/Wireless 2
value of scan list for current band, and add to it supported frequencies from 5200-5245 or 2412-2427 range.)
• antenna-mode (One of ant-a, ant-b, txa-rxb or rxa-txb) :
• ant-a - use only 'a' antenna
• ant-b - use only 'b' antenna
• txa-rxb - use antenna 'a' for transmitting, antenna 'b' for receiving
• rxa-txb - use antenna 'b' for transmitting, antenna 'a' for receiving
• wds-mode (One of disabled, static, dynamic, static-mesh or dynamic-mesh) : Controls how WDS links with other
devices (APs and clients in station-wds mode) are established.
• disabled does not allow WDS links.
• static only allows WDS links that are manually configured in wds
• dynamic also allows WDS links with devices that are not configured in wds, by creating required entries
dynamically. Such dynamic WDS entries are removed automatically after the connection with the other AP is
lost.
-mesh modes use different (better) method for establishing link between AP, that is not compatible with APs in
non-mesh mode. This method avoids one-sided WDS links that are created only by one of the two APs. Such
links cannot pass any data.
When AP or station is establishing WDS connection with another AP, it uses connect-list to check whether
this connection is allowed. If station in station-wds mode is establishing connection with AP, AP uses
access-list to check whether this connection is allowed.
If mode is station-wds, then this property has no effect.
• wds-default-bridge (none, or name of bridge interface) : When WDS link is established and status of the wds
interface becomes running, it will be added as a bridge port to the bridge interface specified by this property.
When WDS link is lost, wds interface is removed from the bridge. If wds interface is already included in a bridge
setup when WDS link becomes active, it will not be added to bridge specified by , and will (needs editing)
• wds-ignore-ssid (yes or no; default value: no) : By default, WDS link between two APs can be created only when
they work on the same frequency and have the same SSID value. If this property is set to yes, then SSID of the
remote AP will not be checked. This property has no effect on connections from clients in station-wds mode. It
also does not work if wds-mode is static-mesh or dynamic-mesh.
• default-authentication (yes or no, default value: yes) : For AP mode, this is the value of authentication for
clients that do not match any entry in the access-list. For station mode, this is the value of connect for APs that do
not match any entry in the connect-list.
• default-forwarding (yes or no; default value: yes) : This is the value of forwarding for clients that do not match
any entry in the access-list.
• default-ap-tx-limit : This is the value of ap-tx-limit for clients that do not match any entry in the access-list.
• default-client-tx-limit : This is the value of client-tx-limit for clients that do not match any entry in the
access-list.
• hide-ssid (yes or no; default value: no) :
• yes - AP does not include SSID the beacon frames, and does not reply to probe requests that have broadcast
SSID.
• no - AP includes SSID in the beacon frames, and replies to probe requests that have broadcast SSID.
This property has effect only in AP mode. Setting it to yes can remove this network from the list of wireless
networks that are shown by some client software. Changing this setting does not improve security of the
wireless network, because SSID is included in other frames sent by the AP.
• security-profile : Name of profile from security-profiles
Manual:Interface/Wireless 3
• compression (yes or no; default value: no) : Setting this property to yes will allow use of the hardware
compression. Wireless interface must have support for hardware compression. Connections with devices that do
not use compression will still work.
• interface-type (virtual-AP, Prism, or Atheros XXXXXX, where XXXXXX is the type of Atheros device; read-only
property) : This specifies type of wireless interface. Some properties have meaning only for certain types of
interfaces.
• wireless-protocol (default value: unspecified) specifies protocol used on wireless interface;
• unspecified - protocol mode used on previous RouterOS versions (v3.x, v4.x). Nstreme is enabled by old
enable-nstreme setting, Nv2 configuration is not possible.
• any : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without
specific sequence, it could be changed by connect-list rules.
• nstreme - enables Nstreme protocol (the same as old enable-nstreme setting).
• nv2 - enables Nv2 protocol.
• nv2 nstreme : on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2 Access
Point, then for Nstreme Access Point.
• nv2 nstreme 802.11 - on AP - uses first wireless-protocol setting, always Nv2; on station - searches for Nv2
Access Point, then for Nstreme Access Point, then for regular 802.11 Access Point.
Advanced settings
• frequency-mode (one of regulatory-domain, manual-txpower or superchannel) :
• regulatory-domain - Limit available channels and maximum transmit power for each channel according to the
value of country
• manual-txpower - Same as above, but do not limit maximum transmit power.
• superchannel - Conformance Testing Mode. Allow all channels supported by the card.
List of available channels for each band can be seen in /wireless info print. This mode allows you to test
wireless channels outside the default scan-list and/or regulatory domain. This mode should only be used in
controlled environments, or if you have a special permission to use it in your region. Before v4.3 this was
called Custom Frequency Upgrade, or Superchannel. Since RouterOS v4.3 this mode is available without
special key upgrades to all installations.
• frequency-offset - allows to specify offset if the used wireless card operates at a different frequency than is
shown in RouterOS, in case a frequency converter is used in the card. So if your card works at 4000MHz but
RouterOS shows 5000MHz, set offset to 1000MHz and it will be displayed correctly. The value is in MHz and
can be positive or negative.
• country (either no_country_set, or name of a regulatory domain) : Limits available bands, frequencies and
maximum transmit power for each frequency. Also specifies default value of scan-list. Value no_country_set is
an FCC compliant set of channels.
• antenna-gain (default value: 0) : Antenna gain in dBi, used to calculate maximum transmit power according to
country limitations.
Manual:Interface/Wireless 4
2.4ghz-b 1 1 .. 11
5ghz 6 6 .. 54
2.4ghz-onlyg 6 1 .. 11 and 6 .. 54
2.4ghz-b/g 1 .. 11 1 .. 11 and 6 .. 54
2.4ghz-g-turbo 6 6 .. 54
Automatic adjustment does not work for WDS links that are manually configured as a bridge port.
• wmm-support (disabled, enabled or required) : Specifies whether to enable WMM.
• disconnect-timeout (time interval in the 0..15s range, in units of 10ms; default value: 3s) : This interval is
measured from third sending failure on the lowest data rate. At this point 3 * (hw-retries + 1) frame transmits on
the lowest data rate had failed.
During disconnect-timeout packet transmission will be retried with on-fail-retry-time interval. If no frame
can be transmitted successfully during diconnect-timeout, connection is closed, and this event is logged as
"extensive data loss". Successful frame transmission resets this timer.
• on-fail-retry-time (time interval in the 10ms..1s range, in 10ms units; default value: 100ms) : After third sending
failure on the lowest data rate, wait for this long before retrying.
• frame-lifetime (time in hundredths of a second; default value: 0) : Discard frames that have been queued for
sending longer than frame-lifetime. By default, when value of this property is 0, frames are discarded only after
connection is closed.
• preamble-mode (one of long, short or both; default value: both) : Short preamble mode is an option of 802.11b
standard that reduces per-frame overhead.
• On AP:
• long - Do not use short preamble.
• short - Announce short preamble capability. Do not accept connections from clients that do not have this
capability.
• both - Announce short preamble capability.
• On station:
• long - do not use short preamble.
• short - do not connect to AP if it does not support short preamble.
• both - Use short preamble if AP supports it.
• allow-sharedkey (yes or no; default value: no) : Allow WEP Shared Key cilents to connect. Note that no
authentication is done for these clients (WEP Shared keys are not compared to anything) - they are just accepted
at once (if access list allows that).
• station-bridge-clone-mac (MAC address) : This property has effect only in the station-pseudobridge-clone
mode.
Use this MAC address when connection to AP. If this value is 00:00:00:00:00:00, station will initially use
MAC address of the wireless interface.
As soon as packet with MAC address of another device needs to be transmitted, station will reconnect to AP
using that address.
• hw-retries (number 0..15; default value: 15) : Number of times sending frame is retried without considering it a
transmission failure.
Data rate is decreased upon failure and frame is sent again. Three sequential failures on lowest supported rate
suspend transmission to this destination for the duration of on-fail-retry-time. After that, frame is sent again.
The frame is being retransmitted until transmission success, or until client is disconnected after
disconnect-timeout. Frame can be discarded during this time if frame-lifetime is exceeded.
• hw-fragmentation-threshold (integer 256..3000 | disabled;) : Specifies maximum fragment size in bytes when
transmitted over wireless medium. 802.11 standard packet (MSDU in 802.11 terminology) fragmentation allows
packets to be fragmented before transmiting over wireless medium to increase probability of successful
transmission (only fragments that did not transmit correctly are retransmitted). Note that transmission of
fragmented packet is less efficient than transmitting unfragmented packet because of protocol overhead and
increased resource usage at both - transmitting and receiving party.
Manual:Interface/Wireless 6
Proprietary extensions
• radio-name (text) : Descriptive name of the device, that is shown in registration table entries on the remote
devices.
This is a proprietary extension.
• area (text; default value is empty) : Identifies group of wireless networks. This value is announced by AP, and
can be matched in connect-list by area-prefix.
• update-stats-interval (disabled or time interval in the 10s..5h range; default value: disabled) : How often to
request update of signals strength and ccq values from clients.
Access to registration-table also triggers update of these values.
This is proprietary extension.
• proprietary-extensions (pre-2.9.25 or post-2.9.25; default value: post-2.9.25) : RouterOS includes proprietary
information in an information element of management frames. This parameter controls how this information is
included.
• pre-2.9.25 - This is older method. It can interoperate with newer versions of RouterOS. This method is
incompatible with some clients, for example, Centrino based ones.
• post-2.9.25 - This uses standardized way of including vendor specific information, that is compatible with
newer wireless clients.
Manual:Interface/Wireless 7
Atheros specific
• noise-floor-threshold (default or value in the -128..127 range) : This property is only effective for cards based on
AR5211 chipset.
• adaptive-noise-immunity (yes or no; default value: yes) : This property is only effective for cards based on
Atheros chipset.
• periodic-calibration (one of default, enabled or disabled) : Setting default enables periodic calibration if info
default-periodic-calibration property is enabled. Value of that property depends on the type of wireless card.
This property is only effective for cards based on Atheros chipset.
• periodic-calibration-interval (value in range 1..10000; default value: 60) : This property is only effective for
cards based on Atheros chipset.
Prism specific
• prism-cardtype (30mW, 100mW, 200mW) : Specify type of the installed wireless card.
802.11n specific
• ht-ampdu-priorities - frame priorities for which AMPDU sending (aggregating frames and sending using block
acknowledgement) should get negotiated and used. Using AMPDUs will increase throughput, but may increase
latency therefore may not be desirable for real-time traffic (voice, video). Due to this, by default AMPDUs are
enabled only for best-effort traffic.
• ht-amsdu-limit - max AMSDU that device is allowed to prepare when negotiated. AMSDU aggregation may
significantly increase throughput especially for small frames, but may increase latency in case of packet loss due
to retransmission of aggregated frame. Sending and receiving AMSDUs will also increase CPU usage.
• ht-amsdu-threshold - max frame size to allow including in AMSDU.
• ht-basic-mcs - Modulation and Coding Schemes [1] that every connecting client must support (refer to 802.11n
for MCS specification).
• ht-supported-mcs - Modulation and Coding Schemes that this device advertises as supported.
• ht-extension-channel - wether to use additional 20MHz extension channel and if it should be located below or
above control (main) channel. Extension channel allows 11n device to use 40MHz of spectrum in total thus
increasing max throughput.
• ht-guard-interval - whether to allow use of short guard interval (refer to 802.11n MCS specification to see how
this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long.
• ht-rxchains - which antennas to use for receive.
• ht-txchains - which antetnnas to use for transmit.
See also: 802.11n_Setup_Guide
Nv2
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) -
NV2 (Nstreme version 2).
TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency
channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other,
each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio
frequency channel) while using only a part of its channel capacity.
The most important benefits of Nv2 are:
• Increased speed
• More client connections in PTM environments
Manual:Interface/Wireless 8
• Lower latency
• No distance limitations
• No penalty for long distances
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2
protocol implementation status. Nv2 protocol limit is 511 clients.
Nv2 settings
• nv2-qos sets the packet priority mechanism, firstly data from high priority queue is sent, then lower queue
priority data until 0 queue priority is reached. When link is full with high priority queue data, lower priority data
is not sent. Use it very carefully, setting works on AP
• frame-priority - manual setting that can be tuned with Mangle rules.
• default - default setting where small packets receive priority for best latency
• nv2-cell-radius (default value: 30); setting affects the size of contention time slot that AP allocates for clients to
initiate connection and also size of time slots used for estimating distance to client. When setting is too small,
clients that are farther away may have trouble connecting and/or disconnect with "ranging timeout" error.
Although during normal operation the effect of this setting should be negligible, in order to maintain maximum
performance, it is advised to not increase this setting if not necessary, so AP is not reserving time that is actually
never used, but instead allocates it for actual data transfer.
• on AP: distance to farthest client in km
• on station: no effect
• tdma-period-size (default value: 2) specifies TDMA period in milliseconds. It could help on the longer distance
links, it could slightly increase bandwidth, while latency is increased too.
Nv2 Troubleshooting
Increase throughput on long distance with tdma-period-size. In Every "period", the Access Point leaves part of the
time unused for data transmission (which is equal to round trip time - the time in which the frame can be sent and
received from the client), it is used to ensure that client could receive the last frame from Access Point, before
sending it's own packets to it. The longer the distance, the longer the period is unused.
For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction,
respectively round-trip-time is ~200us. tdma-period-size default value is 2ms, it means 10% of the time is unused.
When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is
400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value
increases latency on the link.
Access lists
Access list is used by access point to restrict allowed connections from other devices, and to control connection
parameters.
Operation
• Access list rules are checked sequentially.
• Disabled rules are always ignored.
• Only the first matching rule is applied.
• If there are no matching rules for the remote connection, then the default values from the wireless interface
configuration are used.
Manual:Interface/Wireless 9
• If remote device is matched by rule that has authentication=no value, the connection from that remote device is
rejected.
Configuration
Access list configuration is located in /interface wireless access-list console path, and "Access List" tab in the
WinBox "Wireless" window.
Match properties
• mac-address (default value: 00:00:00:00:00:00) : Rule matches client with the specified MAC address. Value
00:00:00:00:00:00 matches always.
• interface (Name of wireless interface, or all; default value: all) : Rules with interface=all are used for all
wireless interfaces. To make rule that applies only to one wireless interface, specify that interface as a value of
this property.
Connection properties
• authentication (yes or no) :
• no - Client association will always fail.
• yes - Use authentication procedure that is specified in the security-profile of the interface.
• forwarding (yes or no) :
• no - Client cannot send frames to other station that are connected to same access point.
• yes - Client can send frames to other stations on the same access point.
• ap-tx-limit (number, in bits per second; default value: 0) : Limit rate of data transmission to this client. Value 0
means no limit.
• client-tx-limit (number, in bits per second; default value: 0) : Ask client to limit rate of data transmission. Value
0 means no limit.
This is a proprietary extension that is supported by RouterOS clients.
Manual:Interface/Wireless 10
Connect lists
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict
allowed connections. connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless
interface, specified in the interface property of that rule (this is unlike access-list, where rules can apply to all
interfaces). Rule can match MAC address of remote access point, it's signal strength and many other parameters.
Operation
• connect-list rules are always checked sequentially, starting from the first.
• disabled rules are always ignored.
• Only the first matching rule is applied.
• If connect-list does not have any rule that matches remote access point, then the default values from the wireless
interface configuration are used.
• If access point is matched by rule that has connect=no value, connection with this access point will not be
attempted.
• If access point is matched by rule that has connect=yes value, connection with this access point will be attempted.
• In station mode, if several remote access points are matched by connect list rules with connect=yes value,
connection will be attempted with access point that is matched by rule higher in the connect-list.
• If no remote access points are matched by connect-list rules with connect=yes value, then value of
default-authentication interface property determines whether station will attempt to connect to any access
point. If default-authentication=yes, station will choose access point with best signal and compatible security.
• In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is
not matched by any rule in the connect list, then the value of default-authentication determines whether WDS
link will be established.
Usage
Configuration Reference
Connect lists are configured under the /interface wireless connect-list path in the console, or in the "Connect List"
tab of the "Wireless" window in the WinBox.
Match properties
• interface (name of wireless interface; required) : Each rule in connect list applies only to one wireless interface
that is specified by this setting.
• area-prefix (text) : Rule matches if area value of AP (a proprietary extension) begins with value of area-prefix.
area value is a proprietary extension.
• mac-address (default value: 00:00:00:00:00:00) : Rule matches only AP with the specified MAC address. Value
00:00:00:00:00:00 matches always.
• ssid (text) : Rule matches access points that have this SSID. Empty value matches any SSID.
This property has effect only when station mode interface ssid is empty, or when access point mode interface
has wds-ignore-ssid=yes
Connection properties
• connect (yes or no) :
• yes - Connect to access point that matches this rule.
• no - Do not connect to any access point that matches this rule.
Security profiles
Security profiles are configured under the /interface wireless security-profiles path in the console, or in the
"Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the wireless
interface security-profile parameter and security-profile parameter of the connect lists.
Basic properties
• mode (one of none, static-keys-optional, static-keys-required or dynamic-keys; default value: none) :
• none - Encryption is not used. Encrypted frames are not accepted.
• static-keys-required - WEP mode. Do not accept and do not send unencrypted frames.
Station in static-keys-required mode will not connect to an access point in static-keys-optional mode.
• static-keys-optional - WEP mode. Support encryption and decryption, but allow also to receive and send
unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as none.
Station in static-keys-optional mode will not connect to an access point in static-keys-required mode.
See also: static-sta-private-algo, static-transmit-key
• dynamic-keys - WPA mode.
• name : see generic properties
WPA properties
These properties have effect only when mode=dynamic-keys.
• authentication-types (multiple choice of wpa-psk, wpa2-psk, wpa-eap and wpa2-eap; default value is empty) :
Set of supported authentication types. Access point will advertise supported authentication types, and client will
connect to access point only if supports any of the advertised authentication types.
• unicast-ciphers (multiple choice of tkip, aes-ccm; default value is empty) : Access point advertises that it
supports specified ciphers. Client attempts connection only to access points that supports at least one of the
specified ciphers.
One of the ciphers will be used to encrypt unicast frames that are sent between access point and station.
• group-ciphers (multiple choice of tkip, aes-ccm; default value is empty) : Access point advertises one of these
ciphers, and uses it to encrypt all broadcast and multicast frames. Client attempts connection only to access points
that use one of the specified group ciphers.
• tkip - Temporal Key Integrity Protocol - encryption protocol, compatible with lagacy WEP equipment, but
enhanced to correct some of WEP flaws
• aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard).
Networks free of WEP legacy should use only this
• group-key-update (time interval in the 30s..1h range; default value: 5m) : Controls how often access point
updates group key. This key is used to encrypt all broadcast and multicast frames.
This property has no effect in station mode.
• wpa-pre-shared-key, wpa2-pre-shared-key (text) : WPA and WPA2 pre-shared key mode requires all devices
in a BSS to have common secret key. Value of this key can be an arbitrary text.
Manual:Interface/Wireless 13
RouterOS also allows to override pre-shared key value for specific clients, using either private-pre-shared-key
property in the access-list, or the Mikrotik-Wireless-Psk attribute in the RADIUS MAC authentication response.
This is an extension.
These properties have effect only when authentication-types contains either wpa-psk or wpa2-psk.
wpa-pre-shared-key is used for wpa-psk authentication type. wpa2-pre-shared-key is used for wpa2-psk.
RADIUS properties
• radius-mac-authentication (yes or no; default value: no) : This property affects the way how access point
processes clients that are not found in the access-list.
• no - allow or reject client authentication based on the value of default-authentication property of the wireless
interface.
• yes - Query RADIUS server using MAC address of client as user name. With this setting the value of
default-authentication has no effect.
• radius-mac-accounting (yes or no; default value: no) : (needs editing)
• radius-eap-accounting (yes or no; default value: no) : (needs editing)
• interim-update (time interval; default value: 0) : When RADIUS accounting is used, access point periodically
sends accounting information updates to the RADIUS server. This property specifies default update interval that
can be overridden by the RADIUS server using Acct-Interim-Interval attribute.
• radius-mac-format (one of XX:XX:XX:XX:XX:XX, XXXX:XXXX:XXXX, XXXXXX:XXXXXX,
XX-XX-XX-XX-XX-XX, XXXXXX-XXXXXX, XXXXXXXXXXXX, XX XX XX XX XX XX; default value:
XX:XX:XX:XX:XX:XX) : Controls how MAC address of the client is encoded by access point in the User-Name
attribute of the MAC authentication and MAC accounting RADIUS requests.
• radius-mac-mode (one of as-username, as-username-and-password; default value: as-username) : By default
access point uses empty password, when sending Access-Request during MAC authentication. When this
property is set to as-username-and-password, access point will use the same value for User-Password attribute as
for the User-Name attribute.
• radius-mac-caching (either disabled or time interval; default value: disabled) : If this value is set to time interval,
the access point will cache RADIUS MAC authentication responses for specified time, and will not contact
RADIUS server if matching cache entry already exists. Value disabled will disable cache, access point will
always contact RADIUS server.
WEP properties
These properties have effect only when mode is static-keys-required or static-keys-optional. See section
"Wireless#Statically_configured_WEP_keys".
• static-key-0, static-key-1, static-key-2, static-key-3 (hexadecimal representation of the key. Length of key must
be appropriate for selected algorithm - see section "Statically configured WEP keys; default value is empty) :
(needs editing)
• static-algo-0, static-algo-1, static-algo-2, static-algo-3 (one of none, 40bit-wep, 104bit-wep, tkip or aes-ccm;
default value: none) : Encryption algorithm to use with the corresponding key.
• static-transmit-key (one of key-0, key-1, key-2 or key-3; default value: key-0) : Access point will use the
specified key to encrypt frames for clients that do not use private key. Access point will also use this key to
encrypt broadcast and multicast frames.
Client will use the specified key to encrypt frames if static-sta-private-algo=none.
If corresponding static-algo- property has value none, frame will be sent unencrypted (when
mode=static-keys-optional) or will not be sent at all (when mode=static-keys-required).
• static-sta-private-key (hexadecimal representation of the key. Length of key must be appropriate for selected
algorithm - see section "Statically configured WEP keys") : This property is used only in station mode. Access
point uses corresponding key either from private-key property of access-list, or from Mikrotik-Wireless-Enc-Key
attribute in RADIUS Access-Accept MAC authentication response.
• static-sta-private-algo (one of none, 40bit-wep, 104bit-wep, tkip or aes-ccm) : Encryption algorithm to use with
station private key. Value none disables use of the private key.
Manual:Interface/Wireless 15
This property is used only in station mode. Access point has to get corresponding value either from
private-algo property of access-list, or from Mikrotik-Wireless-Enc-Algo attribute in RADIUS Access-Accept
MAC authentication response.
Station private key replaces key 0 for unicast frames. Station will not use private key to decrypt broadcast
frames.
Operation details
Caching
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require from
the access point very quick response to the association request. Such clients time out before response from RADIUS
server is received. Access point caches authentication response for some time and can immediately reply to the
repeated association request from the same client.
References
[1] http:/ / en. wikipedia. org/ wiki/ IEEE_802. 11n-2009#Data_rates
Article Sources and Contributors 19